Google Cloud enforces quotas on resource usage. For Cloud KMS, quotas are enforced on usage of resources such as keys, key rings, key versions, and locations.

There is no quota on the number of KeyRing, CryptoKey, or CryptoKeyVersion resources, only on the number of operations.

Checking your quotas

To check the current quotas for resources in your project, go to the Quotas page in the Google Cloud Console.

Quotas for all Cloud KMS resources

Cloud Key Management Service has quotas for the following:

  • Read requests per minute: A read request is an operation that reads a Cloud KMS resource, such as a KeyRing, CryptoKey, CryptoKeyVersion, or Location.

    The following operations are read requests:

    Resource           Operations
    KeyRing            get, getIamPolicy, list, testIamPermissions
    CryptoKey          get, getIamPolicy, list, testIamPermissions
    CryptoKeyVersion   get, list
    Location           get, list

  • Write requests per minute: A write request is an operation that creates or modifies a Cloud KMS resource, such as a KeyRing, CryptoKey, or CryptoKeyVersion.

    The following operations are write requests:

    Resource           Operations
    KeyRing            create, setIamPolicy
    CryptoKey          create, patch, setIamPolicy, updatePrimaryVersion
    CryptoKeyVersion   create, destroy, patch, restore

  • Cryptographic requests per minute: A cryptographic request is an operation that performs an encryption, decryption, digital signature, or retrieval of a public key.

    The following operations are cryptographic requests:

    Resource           Operations
    CryptoKey          encrypt, decrypt
    CryptoKeyVersion   asymmetricDecrypt, asymmetricSign, getPublicKey, macSign, macVerify

Additional quotas for Cloud HSM

A Google Cloud project that makes calls to the Cloud KMS service is limited by the quotas listed above, which apply to both software keys and Cloud HSM keys. For example, if you call Cloud KMS using a service account, the calling project is the Google Cloud project that owns the service account.

When used for cryptographic operations, Cloud HSM keys and key versions are subject to an additional quota limit on HSM queries per second (QPS). By default, the HSM quota is 500 QPS for symmetric cryptographic operations, 50 QPS for asymmetric cryptographic operations, and 50 QPS for GenerateRandomBytes operations. When HSM keys are used, the Google Cloud project that contains the Cloud HSM keys is limited by the HSM quota. This is in addition to any quota usage incurred by the project that made the call to Cloud KMS.

As an example scenario, a customer has two Google Cloud projects:

  • Project A contains the customer's application
  • Project K contains the keys that the customer manages on Cloud KMS

When the application makes an encryption request that uses an HSM key contained in Project K, then Project A incurs cryptographic request quota usage, and Project K incurs HSM quota usage. If Project A and Project K are the same Google Cloud project, the project incurs both the cryptographic request quota usage and the HSM quota usage.

Additional quotas for Cloud External Key Manager

Cloud External Key Manager keys are subject to the same type of additional quota limit as Cloud HSM keys.

All Cloud EKM keys in a single Google Cloud location have a quota of 100 QPS per project for cryptographic operations. When Cloud EKM keys are used, the Google Cloud project that contains the Cloud EKM keys is limited by the Cloud EKM quota. This is in addition to any quota usage incurred by the project that made the call to Cloud KMS.

Quota error information

If you make a call when your quota has been reached, your request results in a RESOURCE_EXHAUSTED error. The HTTP status code is 429. For information on how client libraries surface the RESOURCE_EXHAUSTED error, see Client library mapping.

If you are within your quota but still receive the RESOURCE_EXHAUSTED error, you may be sending too many cryptographic operation requests per second. This can happen because Cloud KMS quotas are set per minute, but are enforced on a per-second scale. To learn more about monitoring metrics, see Monitoring and alerting on quota metrics.
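
The following added example (a constructed simulation, not Cloud KMS client code or Google's implementation) shows why a burst that fits inside the per-minute quota still returns 429, and how pacing requests at 60 / quota seconds apart, or retrying with capped exponential backoff and jitter, avoids or absorbs the rejections. It assumes the per-minute quota is split evenly across one-second windows; the class and function names are hypothetical.

```python
# Added example: constructed simulation; names and the even per-second split are assumptions.
import random

class PerSecondEnforcer:
    """Models a per-minute quota enforced per second (quota_per_minute / 60 per window)."""
    def __init__(self, quota_per_minute):
        self.per_second = quota_per_minute // 60
        self.window, self.used = None, 0

    def call(self, now):
        second = int(now)
        if second != self.window:          # a new one-second window starts
            self.window, self.used = second, 0
        if self.used >= self.per_second:
            return 429                     # RESOURCE_EXHAUSTED
        self.used += 1
        return 200

def send_burst(enforcer, n, start=0.0):
    """Send n requests at the same instant; return the status codes."""
    return [enforcer.call(start) for _ in range(n)]

def send_paced(enforcer, n, quota_per_minute, start=0.0):
    """Space requests evenly, 60 / quota seconds apart; return the status codes."""
    interval = 60.0 / quota_per_minute
    return [enforcer.call(start + i * interval) for i in range(n)]

def send_with_backoff(enforcer, n, start=0.0, base=0.1, cap=8.0, rng=None):
    """Burst, but retry each 429 with capped exponential backoff and full jitter.
    Returns (simulated finish time, number of 429 responses seen)."""
    rng = rng or random.Random(0)
    now, rejected = start, 0
    for _ in range(n):
        attempt = 0
        while enforcer.call(now) == 429:
            rejected += 1
            now += rng.uniform(0, min(cap, base * 2 ** attempt))
            attempt += 1
    return now, rejected

if __name__ == "__main__":
    quota = 480                            # constructed value: 8 requests per second
    print(send_burst(PerSecondEnforcer(quota), 100).count(429), "rejected in burst")
    print(send_paced(PerSecondEnforcer(quota), 100, quota).count(429), "rejected when paced")
    print(send_with_backoff(PerSecondEnforcer(quota), 100))
```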

Increasing your quotas

To increase the quota for cryptographic operations (up to 60000 queries per minute), go to the Quotas page in the Cloud Console. You can also request a larger quota increase, and you will be notified about the status of your request. Multiregional and global quotas do not appear in the console. To increase quota for multiregional locations or the global location, make the request for a different region and mention the multiregion in the request description.