Google Cloud enforces quotas on resource usage. For Cloud KMS, quotas are enforced on usage of resources such as keys, key rings, key versions, and locations.
There is no quota on the number of
resources, only on the number of operations.
Checking your quotas
To check the current quotas for resources in your project, go to the Quotas page in the Google Cloud Console.
Quotas for all Cloud KMS resources
Cloud Key Management Service has quotas for the following:
- Read requests per minute: A read request is an
operation that reads a Cloud KMS resource, such as a
Location. The following operations are read requests:
|KeyRing||get, getIamPolicy, list, testIamPermissions|
|CryptoKey||get, getIamPolicy, list, testIamPermissions|
- Write requests per minute: A write request is
an operation that creates or modifies a Cloud KMS resource, such as
a such as a
CryptoKeyVersion.The following operations are write requests:
|CryptoKey||create, patch, setIamPolicy, updatePrimaryVersion|
|CryptoKeyVersion||create, destroy, patch, restore|
- Cryptographic requests per minute: A cryptographic request is an operation that performs an encryption, decryption, digital signature, or retrieval of a public key.The following operations are cryptographic requests:
|CryptoKeyVersion||asymmetricDecrypt, asymmetricSign, getPublicKey|
Additional quotas for Cloud HSM
A Google Cloud project that makes calls to the Cloud KMS service is limited by the quotas listed above, which apply to both software keys and Cloud HSM keys. For example, if you are calling Cloud KMS using a service account, this is the Google Cloud project that owns the service account.
When used for cryptographic operations, Cloud HSM keys and key versions incur an additional quota limit, for HSM queries per second (QPS). The HSM quota by default is 500 QPS for symmetric cryptographic operations and 50 QPS for asymmetric cryptographic operations. When HSM keys are used, the Google Cloud project that contains the Cloud HSM keys is limited by the HSM quota. This is in addition to any quota usage incurred by the project that made the call to Cloud KMS.
As an example scenario, a customer has two Google Cloud projects:
- Project A contains the customer's application
- Project K contains the keys that the customer manages on Cloud KMS
When the application makes an encryption request that uses an HSM key contained in Project K, then Project A incurs cryptographic request quota usage, and Project K incurs HSM quota usage. If Project A and Project K are the same Google Cloud project, the project incurs both the cryptographic request quota usage and the HSM quota usage.
Additional quotas for Cloud External Key Manager
The quota on cryptographic operations for all Cloud EKM keys in a single Google Cloud location per project is 10 QPS.
Quota error information
If you make a call when your quota has been reached, your request results in a
RESOURCE_EXHAUSTED error. The HTTP status code is
429. For information on
how client libraries surface the
RESOURCE_EXHAUSTED error, see Client library
If you are within your quota but still receive the
you may be sending too many cryptographic operation requests per
second. This can happen because Cloud KMS quotas are set per minute,
but are enforced on a per second scale. The
Peak crypto ops metric helps
diagnose the problem.
Peak crypto ops displays the maximum number of
per-second cryptographic requests over one-minute intervals, which identifies
any spikes in requests that may have prompted the
For more granularity, the
Peak crypto ops metric can also display
cryptographic requests by location and the type of cryptographic operation. To
learn more about monitoring metrics, see
Monitoring and alerting on quota metrics.
Increasing your quotas
To increase the quota for cryptographic operations (up to 60000 queries per minute), go to the Quotas page in the Cloud Console. You can also request a larger quota increase, and you will be notified about the status of your request. Multiregional and global quotas do not appear in the console. To increase quota for multiregional locations or the global location, make the request for a different region and mention the multiregion in the request description.