Cloud KMS V1 Client - Class KeyManagementServiceClient (1.15.3)

Reference documentation and code samples for the Cloud KMS V1 Client class KeyManagementServiceClient.

Service Description: Google Cloud Key Management Service

Manages cryptographic keys and operations using those keys. Implements a REST model with the following objects:

If you are using manual gRPC libraries, see Using gRPC with Cloud KMS.

This class provides the ability to make remote calls to the backing service through method calls that map to API methods. Sample code to get started:

$keyManagementServiceClient = new KeyManagementServiceClient();
try {
    $formattedName = $keyManagementServiceClient->cryptoKeyVersionName('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]', '[CRYPTO_KEY_VERSION]');
    $ciphertext = '...';
    $response = $keyManagementServiceClient->asymmetricDecrypt($formattedName, $ciphertext);
} finally {
    $keyManagementServiceClient->close();
}

Many parameters require resource names to be formatted in a particular way. To assist with these names, this class includes a format method for each type of name, and additionally a parseName method to extract the individual identifiers contained within formatted names that are returned by the API.

Methods

cryptoKeyPathName

Formats a string containing the fully-qualified path to represent a crypto_key_path resource.

Parameters
Name	Description
`project`	`string`
`location`	`string`
`keyRing`	`string`
`cryptoKeyPath`	`string`

Returns
Type	Description
`string`	The formatted crypto_key_path resource.

cryptoKeyName

Formats a string containing the fully-qualified path to represent a crypto_key resource.

Parameters
Name	Description
`project`	`string`
`location`	`string`
`keyRing`	`string`
`cryptoKey`	`string`

Returns
Type	Description
`string`	The formatted crypto_key resource.

cryptoKeyVersionName

Formats a string containing the fully-qualified path to represent a crypto_key_version resource.

Parameters
Name	Description
`project`	`string`
`location`	`string`
`keyRing`	`string`
`cryptoKey`	`string`
`cryptoKeyVersion`	`string`

Returns
Type	Description
`string`	The formatted crypto_key_version resource.

importJobName

Formats a string containing the fully-qualified path to represent a import_job resource.

Parameters
Name	Description
`project`	`string`
`location`	`string`
`keyRing`	`string`
`importJob`	`string`

Returns
Type	Description
`string`	The formatted import_job resource.

keyRingName

Formats a string containing the fully-qualified path to represent a key_ring resource.

Parameters
Name	Description
`project`	`string`
`location`	`string`
`keyRing`	`string`

Returns
Type	Description
`string`	The formatted key_ring resource.

locationName

Formats a string containing the fully-qualified path to represent a location resource.

Parameters
Name	Description
`project`	`string`
`location`	`string`

Returns
Type	Description
`string`	The formatted location resource.

parseName

Parses a formatted name string and returns an associative array of the components in the name.

The following name formats are supported: Template: Pattern

cryptoKey: projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}
cryptoKeyVersion: projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}/cryptoKeyVersions/{crypto_key_version}
importJob: projects/{project}/locations/{location}/keyRings/{key_ring}/importJobs/{import_job}
keyRing: projects/{project}/locations/{location}/keyRings/{key_ring}
location: projects/{project}/locations/{location}

The optional $template argument can be supplied to specify a particular pattern, and must match one of the templates listed above. If no $template argument is provided, or if the $template argument does not match one of the templates listed, then parseName will check each of the supported templates, and return the first match.

Parameters
Name	Description
`formattedName`	`string` The formatted name string
`template`	`string` Optional name of template to match

Returns
Type	Description
`array`	An associative array from name component IDs to component values.

__construct

Constructor.

Parameters
Name	Description
`options`	`array` Optional. Options for configuring the service API wrapper.
`↳ apiEndpoint`	`string` The address of the API remote host. May optionally include the port, formatted as "
`↳ credentials`	`string\|array\|FetchAuthTokenInterface\|CredentialsWrapper` The credentials to be used by the client to authorize API calls. This option accepts either a path to a credentials file, or a decoded credentials file as a PHP array. Advanced usage: In addition, this option can also accept a pre-constructed Google\Auth\FetchAuthTokenInterface object or Google\ApiCore\CredentialsWrapper object. Note that when one of these objects are provided, any settings in $credentialsConfig will be ignored.
`↳ credentialsConfig`	`array` Options used to configure credentials, including auth token caching, for the client. For a full list of supporting configuration options, see Google\ApiCore\CredentialsWrapper::build() .
`↳ disableRetries`	`bool` Determines whether or not retries defined by the client configuration should be disabled. Defaults to `false`.
`↳ clientConfig`	`string\|array` Client method configuration, including retry settings. This option can be either a path to a JSON file, or a PHP array containing the decoded JSON data. By default this settings points to the default client config file, which is provided in the resources folder.
`↳ transport`	`string\|TransportInterface` The transport used for executing network requests. May be either the string `rest` or `grpc`. Defaults to `grpc` if gRPC support is detected on the system. Advanced usage: Additionally, it is possible to pass in an already instantiated Google\ApiCore\Transport\TransportInterface object. Note that when this object is provided, any settings in $transportConfig, and any $apiEndpoint setting, will be ignored.
`↳ transportConfig`	`array` Configuration options that will be used to construct the transport. Options for each supported transport type should be passed in a key for that transport. For example: $transportConfig = [ 'grpc' => [...], 'rest' => [...], ]; See the Google\ApiCore\Transport\GrpcTransport::build() and Google\ApiCore\Transport\RestTransport::build() methods for the supported options.
`↳ clientCertSource`	`callable` A callable which returns the client cert as a string. This can be used to provide a certificate and private key to the transport layer for mTLS.

asymmetricDecrypt

Decrypts data that was encrypted with a public key retrieved from GetPublicKey corresponding to a CryptoKeyVersion with CryptoKey.purpose ASYMMETRIC_DECRYPT.

Parameters
Name	Description
`name`	`string` Required. The resource name of the CryptoKeyVersion to use for decryption.
`ciphertext`	`string` Required. The data encrypted with the named CryptoKeyVersion's public key using OAEP.
`optionalArgs`	`array` Optional.
`↳ ciphertextCrc32c`	`Int64Value` Optional. An optional CRC32C checksum of the AsymmetricDecryptRequest.ciphertext. If specified, KeyManagementService will verify the integrity of the received AsymmetricDecryptRequest.ciphertext using this checksum. KeyManagementService will report an error if the checksum verification fails. If you receive a checksum error, your client should verify that CRC32C(AsymmetricDecryptRequest.ciphertext) is equal to AsymmetricDecryptRequest.ciphertext_crc32c, and if so, perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.
`↳ retrySettings`	`RetrySettings\|array` Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage.

Returns
Type	Description
`Google\Cloud\Kms\V1\AsymmetricDecryptResponse`

Example

use Google\ApiCore\ApiException;
use Google\Cloud\Kms\V1\AsymmetricDecryptResponse;
use Google\Cloud\Kms\V1\KeyManagementServiceClient;

/**
 * @param string $formattedName The resource name of the
 *                              [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
 *                              decryption. Please see
 *                              {@see KeyManagementServiceClient::cryptoKeyVersionName()} for help formatting this field.
 * @param string $ciphertext    The data encrypted with the named
 *                              [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s public key using
 *                              OAEP.
 */
function asymmetric_decrypt_sample(string $formattedName, string $ciphertext): void
{
    // Create a client.
    $keyManagementServiceClient = new KeyManagementServiceClient();

    // Call the API and handle any network failures.
    try {
        /** @var AsymmetricDecryptResponse $response */
        $response = $keyManagementServiceClient->asymmetricDecrypt($formattedName, $ciphertext);
        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
    } catch (ApiException $ex) {
        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
    }
}

/**
 * This sample has been automatically generated and should be regarded as a code
 * template only. It will require modifications to work:
 *  - It may require correct/in-range values for request initialization.
 *  - It may require specifying regional endpoints when creating the service client,
 *    please see the apiEndpoint client configuration option for more details.
 */
function callSample(): void
{
    $formattedName = KeyManagementServiceClient::cryptoKeyVersionName(
        '[PROJECT]',
        '[LOCATION]',
        '[KEY_RING]',
        '[CRYPTO_KEY]',
        '[CRYPTO_KEY_VERSION]'
    );
    $ciphertext = '...';

    asymmetric_decrypt_sample($formattedName, $ciphertext);
}

asymmetricSign

Signs data using a CryptoKeyVersion with CryptoKey.purpose ASYMMETRIC_SIGN, producing a signature that can be verified with the public key retrieved from GetPublicKey.

Parameters
Name	Description
`name`	`string` Required. The resource name of the CryptoKeyVersion to use for signing.
`digest`	`Google\Cloud\Kms\V1\Digest` Optional. The digest of the data to sign. The digest must be produced with the same digest algorithm as specified by the key version's algorithm. This field may not be supplied if AsymmetricSignRequest.data is supplied.
`optionalArgs`	`array` Optional.
`↳ digestCrc32c`	`Int64Value` Optional. An optional CRC32C checksum of the AsymmetricSignRequest.digest. If specified, KeyManagementService will verify the integrity of the received AsymmetricSignRequest.digest using this checksum. KeyManagementService will report an error if the checksum verification fails. If you receive a checksum error, your client should verify that CRC32C(AsymmetricSignRequest.digest) is equal to AsymmetricSignRequest.digest_crc32c, and if so, perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.
`↳ data`	`string` Optional. The data to sign. It can't be supplied if AsymmetricSignRequest.digest is supplied.
`↳ dataCrc32c`	`Int64Value` Optional. An optional CRC32C checksum of the AsymmetricSignRequest.data. If specified, KeyManagementService will verify the integrity of the received AsymmetricSignRequest.data using this checksum. KeyManagementService will report an error if the checksum verification fails. If you receive a checksum error, your client should verify that CRC32C(AsymmetricSignRequest.data) is equal to AsymmetricSignRequest.data_crc32c, and if so, perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.
`↳ retrySettings`	`RetrySettings\|array` Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage.

Returns
Type	Description
`Google\Cloud\Kms\V1\AsymmetricSignResponse`

Example

use Google\ApiCore\ApiException;
use Google\Cloud\Kms\V1\AsymmetricSignResponse;
use Google\Cloud\Kms\V1\Digest;
use Google\Cloud\Kms\V1\KeyManagementServiceClient;

/**
 * @param string $formattedName The resource name of the
 *                              [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
 *                              signing. Please see
 *                              {@see KeyManagementServiceClient::cryptoKeyVersionName()} for help formatting this field.
 */
function asymmetric_sign_sample(string $formattedName): void
{
    // Create a client.
    $keyManagementServiceClient = new KeyManagementServiceClient();

    // Prepare any non-scalar elements to be passed along with the request.
    $digest = new Digest();

    // Call the API and handle any network failures.
    try {
        /** @var AsymmetricSignResponse $response */
        $response = $keyManagementServiceClient->asymmetricSign($formattedName, $digest);
        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
    } catch (ApiException $ex) {
        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
    }
}

/**
 * This sample has been automatically generated and should be regarded as a code
 * template only. It will require modifications to work:
 *  - It may require correct/in-range values for request initialization.
 *  - It may require specifying regional endpoints when creating the service client,
 *    please see the apiEndpoint client configuration option for more details.
 */
function callSample(): void
{
    $formattedName = KeyManagementServiceClient::cryptoKeyVersionName(
        '[PROJECT]',
        '[LOCATION]',
        '[KEY_RING]',
        '[CRYPTO_KEY]',
        '[CRYPTO_KEY_VERSION]'
    );

    asymmetric_sign_sample($formattedName);
}

createCryptoKey

Create a new CryptoKey within a KeyRing.

CryptoKey.purpose and CryptoKey.version_template.algorithm are required.

Parameters
Name	Description
`parent`	`string` Required. The name of the KeyRing associated with the CryptoKeys.
`cryptoKeyId`	`string` Required. It must be unique within a KeyRing and match the regular expression `[a-zA-Z0-9_-]{1,63}`
`cryptoKey`	`Google\Cloud\Kms\V1\CryptoKey` Required. A CryptoKey with initial field values.
`optionalArgs`	`array` Optional.
`↳ skipInitialVersionCreation`	`bool` If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must manually call CreateCryptoKeyVersion or ImportCryptoKeyVersion before you can use this CryptoKey.
`↳ retrySettings`	`RetrySettings\|array` Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage.

Returns
Type	Description
`Google\Cloud\Kms\V1\CryptoKey`

Example

use Google\ApiCore\ApiException;
use Google\Cloud\Kms\V1\CryptoKey;
use Google\Cloud\Kms\V1\KeyManagementServiceClient;

/**
 * @param string $formattedParent The [name][google.cloud.kms.v1.KeyRing.name] of the KeyRing
 *                                associated with the [CryptoKeys][google.cloud.kms.v1.CryptoKey]. Please see
 *                                {@see KeyManagementServiceClient::keyRingName()} for help formatting this field.
 * @param string $cryptoKeyId     It must be unique within a KeyRing and match the regular
 *                                expression `[a-zA-Z0-9_-]{1,63}`
 */
function create_crypto_key_sample(string $formattedParent, string $cryptoKeyId): void
{
    // Create a client.
    $keyManagementServiceClient = new KeyManagementServiceClient();

    // Prepare any non-scalar elements to be passed along with the request.
    $cryptoKey = new CryptoKey();

    // Call the API and handle any network failures.
    try {
        /** @var CryptoKey $response */
        $response = $keyManagementServiceClient->createCryptoKey(
            $formattedParent,
            $cryptoKeyId,
            $cryptoKey
        );
        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
    } catch (ApiException $ex) {
        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
    }
}

/**
 * This sample has been automatically generated and should be regarded as a code
 * template only. It will require modifications to work:
 *  - It may require correct/in-range values for request initialization.
 *  - It may require specifying regional endpoints when creating the service client,
 *    please see the apiEndpoint client configuration option for more details.
 */
function callSample(): void
{
    $formattedParent = KeyManagementServiceClient::keyRingName('[PROJECT]', '[LOCATION]', '[KEY_RING]');
    $cryptoKeyId = '[CRYPTO_KEY_ID]';

    create_crypto_key_sample($formattedParent, $cryptoKeyId);
}

createCryptoKeyVersion

Create a new CryptoKeyVersion in a CryptoKey.

The server will assign the next sequential id. If unset, state will be set to ENABLED.

Parameters
Name	Description
`parent`	`string` Required. The name of the CryptoKey associated with the CryptoKeyVersions.
`cryptoKeyVersion`	`Google\Cloud\Kms\V1\CryptoKeyVersion` Required. A CryptoKeyVersion with initial field values.
`optionalArgs`	`array` Optional.
`↳ retrySettings`	`RetrySettings\|array` Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage.

Returns
Type	Description
`Google\Cloud\Kms\V1\CryptoKeyVersion`

Example

use Google\ApiCore\ApiException;
use Google\Cloud\Kms\V1\CryptoKeyVersion;
use Google\Cloud\Kms\V1\KeyManagementServiceClient;

/**
 * @param string $formattedParent The [name][google.cloud.kms.v1.CryptoKey.name] of the
 *                                [CryptoKey][google.cloud.kms.v1.CryptoKey] associated with the
 *                                [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]. Please see
 *                                {@see KeyManagementServiceClient::cryptoKeyName()} for help formatting this field.
 */
function create_crypto_key_version_sample(string $formattedParent): void
{
    // Create a client.
    $keyManagementServiceClient = new KeyManagementServiceClient();

    // Prepare any non-scalar elements to be passed along with the request.
    $cryptoKeyVersion = new CryptoKeyVersion();

    // Call the API and handle any network failures.
    try {
        /** @var CryptoKeyVersion $response */
        $response = $keyManagementServiceClient->createCryptoKeyVersion(
            $formattedParent,
            $cryptoKeyVersion
        );
        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
    } catch (ApiException $ex) {
        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
    }
}

/**
 * This sample has been automatically generated and should be regarded as a code
 * template only. It will require modifications to work:
 *  - It may require correct/in-range values for request initialization.
 *  - It may require specifying regional endpoints when creating the service client,
 *    please see the apiEndpoint client configuration option for more details.
 */
function callSample(): void
{
    $formattedParent = KeyManagementServiceClient::cryptoKeyName(
        '[PROJECT]',
        '[LOCATION]',
        '[KEY_RING]',
        '[CRYPTO_KEY]'
    );

    create_crypto_key_version_sample($formattedParent);
}

createImportJob

Create a new ImportJob within a KeyRing.

ImportJob.import_method is required.

Parameters
Name	Description
`parent`	`string` Required. The name of the KeyRing associated with the ImportJobs.
`importJobId`	`string` Required. It must be unique within a KeyRing and match the regular expression `[a-zA-Z0-9_-]{1,63}`
`importJob`	`Google\Cloud\Kms\V1\ImportJob` Required. An ImportJob with initial field values.
`optionalArgs`	`array` Optional.
`↳ retrySettings`	`RetrySettings\|array` Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage.

Returns
Type	Description
`Google\Cloud\Kms\V1\ImportJob`

Example

use Google\ApiCore\ApiException;
use Google\Cloud\Kms\V1\ImportJob;
use Google\Cloud\Kms\V1\ImportJob\ImportMethod;
use Google\Cloud\Kms\V1\KeyManagementServiceClient;
use Google\Cloud\Kms\V1\ProtectionLevel;

/**
 * @param string $formattedParent          The [name][google.cloud.kms.v1.KeyRing.name] of the
 *                                         [KeyRing][google.cloud.kms.v1.KeyRing] associated with the
 *                                         [ImportJobs][google.cloud.kms.v1.ImportJob]. Please see
 *                                         {@see KeyManagementServiceClient::keyRingName()} for help formatting this field.
 * @param string $importJobId              It must be unique within a KeyRing and match the regular
 *                                         expression `[a-zA-Z0-9_-]{1,63}`
 * @param int    $importJobImportMethod    Immutable. The wrapping method to be used for incoming key
 *                                         material.
 * @param int    $importJobProtectionLevel Immutable. The protection level of the
 *                                         [ImportJob][google.cloud.kms.v1.ImportJob]. This must match the
 *                                         [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]
 *                                         of the [version_template][google.cloud.kms.v1.CryptoKey.version_template]
 *                                         on the [CryptoKey][google.cloud.kms.v1.CryptoKey] you attempt to import
 *                                         into.
 */
function create_import_job_sample(
    string $formattedParent,
    string $importJobId,
    int $importJobImportMethod,
    int $importJobProtectionLevel
): void {
    // Create a client.
    $keyManagementServiceClient = new KeyManagementServiceClient();

    // Prepare any non-scalar elements to be passed along with the request.
    $importJob = (new ImportJob())
        ->setImportMethod($importJobImportMethod)
        ->setProtectionLevel($importJobProtectionLevel);

    // Call the API and handle any network failures.
    try {
        /** @var ImportJob $response */
        $response = $keyManagementServiceClient->createImportJob(
            $formattedParent,
            $importJobId,
            $importJob
        );
        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
    } catch (ApiException $ex) {
        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
    }
}

/**
 * This sample has been automatically generated and should be regarded as a code
 * template only. It will require modifications to work:
 *  - It may require correct/in-range values for request initialization.
 *  - It may require specifying regional endpoints when creating the service client,
 *    please see the apiEndpoint client configuration option for more details.
 */
function callSample(): void
{
    $formattedParent = KeyManagementServiceClient::keyRingName('[PROJECT]', '[LOCATION]', '[KEY_RING]');
    $importJobId = '[IMPORT_JOB_ID]';
    $importJobImportMethod = ImportMethod::IMPORT_METHOD_UNSPECIFIED;
    $importJobProtectionLevel = ProtectionLevel::PROTECTION_LEVEL_UNSPECIFIED;

    create_import_job_sample(
        $formattedParent,
        $importJobId,
        $importJobImportMethod,
        $importJobProtectionLevel
    );
}

createKeyRing

Create a new KeyRing in a given Project and Location.

Parameters
Name	Description
`parent`	`string` Required. The resource name of the location associated with the KeyRings, in the format `projects//locations/`.
`keyRingId`	`string` Required. It must be unique within a location and match the regular expression `[a-zA-Z0-9_-]{1,63}`
`keyRing`	`Google\Cloud\Kms\V1\KeyRing` Required. A KeyRing with initial field values.
`optionalArgs`	`array` Optional.
`↳ retrySettings`	`RetrySettings\|array` Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage.

Returns
Type	Description
`Google\Cloud\Kms\V1\KeyRing`

Example

use Google\ApiCore\ApiException;
use Google\Cloud\Kms\V1\KeyManagementServiceClient;
use Google\Cloud\Kms\V1\KeyRing;

/**
 * @param string $formattedParent The resource name of the location associated with the
 *                                [KeyRings][google.cloud.kms.v1.KeyRing], in the format
 *                                `projects/&#42;/locations/*`. Please see
 *                                {@see KeyManagementServiceClient::locationName()} for help formatting this field.
 * @param string $keyRingId       It must be unique within a location and match the regular
 *                                expression `[a-zA-Z0-9_-]{1,63}`
 */
function create_key_ring_sample(string $formattedParent, string $keyRingId): void
{
    // Create a client.
    $keyManagementServiceClient = new KeyManagementServiceClient();

    // Prepare any non-scalar elements to be passed along with the request.
    $keyRing = new KeyRing();

    // Call the API and handle any network failures.
    try {
        /** @var KeyRing $response */
        $response = $keyManagementServiceClient->createKeyRing($formattedParent, $keyRingId, $keyRing);
        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
    } catch (ApiException $ex) {
        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
    }
}

/**
 * This sample has been automatically generated and should be regarded as a code
 * template only. It will require modifications to work:
 *  - It may require correct/in-range values for request initialization.
 *  - It may require specifying regional endpoints when creating the service client,
 *    please see the apiEndpoint client configuration option for more details.
 */
function callSample(): void
{
    $formattedParent = KeyManagementServiceClient::locationName('[PROJECT]', '[LOCATION]');
    $keyRingId = '[KEY_RING_ID]';

    create_key_ring_sample($formattedParent, $keyRingId);
}

decrypt

Decrypts data that was protected by Encrypt. The CryptoKey.purpose must be ENCRYPT_DECRYPT.

Parameters
Name	Description
`name`	`string` Required. The resource name of the CryptoKey to use for decryption. The server will choose the appropriate version.
`ciphertext`	`string` Required. The encrypted data originally returned in EncryptResponse.ciphertext.
`optionalArgs`	`array` Optional.
`↳ additionalAuthenticatedData`	`string` Optional. Optional data that must match the data originally supplied in EncryptRequest.additional_authenticated_data.
`↳ ciphertextCrc32c`	`Int64Value` Optional. An optional CRC32C checksum of the DecryptRequest.ciphertext. If specified, KeyManagementService will verify the integrity of the received DecryptRequest.ciphertext using this checksum. KeyManagementService will report an error if the checksum verification fails. If you receive a checksum error, your client should verify that CRC32C(DecryptRequest.ciphertext) is equal to DecryptRequest.ciphertext_crc32c, and if so, perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.
`↳ additionalAuthenticatedDataCrc32c`	`Int64Value` Optional. An optional CRC32C checksum of the DecryptRequest.additional_authenticated_data. If specified, KeyManagementService will verify the integrity of the received DecryptRequest.additional_authenticated_data using this checksum. KeyManagementService will report an error if the checksum verification fails. If you receive a checksum error, your client should verify that CRC32C(DecryptRequest.additional_authenticated_data) is equal to DecryptRequest.additional_authenticated_data_crc32c, and if so, perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.
`↳ retrySettings`	`RetrySettings\|array` Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage.

Returns
Type	Description
`Google\Cloud\Kms\V1\DecryptResponse`

Example

use Google\ApiCore\ApiException;
use Google\Cloud\Kms\V1\DecryptResponse;
use Google\Cloud\Kms\V1\KeyManagementServiceClient;

/**
 * @param string $formattedName The resource name of the
 *                              [CryptoKey][google.cloud.kms.v1.CryptoKey] to use for decryption. The
 *                              server will choose the appropriate version. Please see
 *                              {@see KeyManagementServiceClient::cryptoKeyName()} for help formatting this field.
 * @param string $ciphertext    The encrypted data originally returned in
 *                              [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext].
 */
function decrypt_sample(string $formattedName, string $ciphertext): void
{
    // Create a client.
    $keyManagementServiceClient = new KeyManagementServiceClient();

    // Call the API and handle any network failures.
    try {
        /** @var DecryptResponse $response */
        $response = $keyManagementServiceClient->decrypt($formattedName, $ciphertext);
        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
    } catch (ApiException $ex) {
        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
    }
}

/**
 * This sample has been automatically generated and should be regarded as a code
 * template only. It will require modifications to work:
 *  - It may require correct/in-range values for request initialization.
 *  - It may require specifying regional endpoints when creating the service client,
 *    please see the apiEndpoint client configuration option for more details.
 */
function callSample(): void
{
    $formattedName = KeyManagementServiceClient::cryptoKeyName(
        '[PROJECT]',
        '[LOCATION]',
        '[KEY_RING]',
        '[CRYPTO_KEY]'
    );
    $ciphertext = '...';

    decrypt_sample($formattedName, $ciphertext);
}

destroyCryptoKeyVersion

Schedule a CryptoKeyVersion for destruction.

Upon calling this method, CryptoKeyVersion.state will be set to DESTROY_SCHEDULED, and destroy_time will be set to the time destroy_scheduled_duration in the future. At that time, the state will automatically change to DESTROYED, and the key material will be irrevocably destroyed.

Before the destroy_time is reached, RestoreCryptoKeyVersion may be called to reverse the process.

Parameters
Name	Description
`name`	`string` Required. The resource name of the CryptoKeyVersion to destroy.
`optionalArgs`	`array` Optional.
`↳ retrySettings`	`RetrySettings\|array` Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage.

Returns
Type	Description
`Google\Cloud\Kms\V1\CryptoKeyVersion`

Example

use Google\ApiCore\ApiException;
use Google\Cloud\Kms\V1\CryptoKeyVersion;
use Google\Cloud\Kms\V1\KeyManagementServiceClient;

/**
 * @param string $formattedName The resource name of the
 *                              [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to destroy. Please see
 *                              {@see KeyManagementServiceClient::cryptoKeyVersionName()} for help formatting this field.
 */
function destroy_crypto_key_version_sample(string $formattedName): void
{
    // Create a client.
    $keyManagementServiceClient = new KeyManagementServiceClient();

    // Call the API and handle any network failures.
    try {
        /** @var CryptoKeyVersion $response */
        $response = $keyManagementServiceClient->destroyCryptoKeyVersion($formattedName);
        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
    } catch (ApiException $ex) {
        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
    }
}

/**
 * This sample has been automatically generated and should be regarded as a code
 * template only. It will require modifications to work:
 *  - It may require correct/in-range values for request initialization.
 *  - It may require specifying regional endpoints when creating the service client,
 *    please see the apiEndpoint client configuration option for more details.
 */
function callSample(): void
{
    $formattedName = KeyManagementServiceClient::cryptoKeyVersionName(
        '[PROJECT]',
        '[LOCATION]',
        '[KEY_RING]',
        '[CRYPTO_KEY]',
        '[CRYPTO_KEY_VERSION]'
    );

    destroy_crypto_key_version_sample($formattedName);
}

encrypt

Encrypts data, so that it can only be recovered by a call to Decrypt. The CryptoKey.purpose must be ENCRYPT_DECRYPT.

Parameters
Name	Description
`name`	`string` Required. The resource name of the CryptoKey or CryptoKeyVersion to use for encryption. If a CryptoKey is specified, the server will use its primary version.
`plaintext`	`string` Required. The data to encrypt. Must be no larger than 64KiB. The maximum size depends on the key version's protection_level. For SOFTWARE, EXTERNAL, and EXTERNAL_VPC keys, the plaintext must be no larger than 64KiB. For HSM keys, the combined length of the plaintext and additional_authenticated_data fields must be no larger than 8KiB.
`optionalArgs`	`array` Optional.
`↳ additionalAuthenticatedData`	`string` Optional. Optional data that, if specified, must also be provided during decryption through DecryptRequest.additional_authenticated_data. The maximum size depends on the key version's protection_level. For SOFTWARE, EXTERNAL, and EXTERNAL_VPC keys the AAD must be no larger than 64KiB. For HSM keys, the combined length of the plaintext and additional_authenticated_data fields must be no larger than 8KiB.
`↳ plaintextCrc32c`	`Int64Value` Optional. An optional CRC32C checksum of the EncryptRequest.plaintext. If specified, KeyManagementService will verify the integrity of the received EncryptRequest.plaintext using this checksum. KeyManagementService will report an error if the checksum verification fails. If you receive a checksum error, your client should verify that CRC32C(EncryptRequest.plaintext) is equal to EncryptRequest.plaintext_crc32c, and if so, perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.
`↳ additionalAuthenticatedDataCrc32c`	`Int64Value` Optional. An optional CRC32C checksum of the EncryptRequest.additional_authenticated_data. If specified, KeyManagementService will verify the integrity of the received EncryptRequest.additional_authenticated_data using this checksum. KeyManagementService will report an error if the checksum verification fails. If you receive a checksum error, your client should verify that CRC32C(EncryptRequest.additional_authenticated_data) is equal to EncryptRequest.additional_authenticated_data_crc32c, and if so, perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.
`↳ retrySettings`	`RetrySettings\|array` Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage.

Returns
Type	Description
`Google\Cloud\Kms\V1\EncryptResponse`

Example

use Google\ApiCore\ApiException;
use Google\Cloud\Kms\V1\EncryptResponse;
use Google\Cloud\Kms\V1\KeyManagementServiceClient;

/**
 * @param string $name      The resource name of the
 *                          [CryptoKey][google.cloud.kms.v1.CryptoKey] or
 *                          [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
 *                          encryption.
 *
 *                          If a [CryptoKey][google.cloud.kms.v1.CryptoKey] is specified, the server
 *                          will use its [primary version][google.cloud.kms.v1.CryptoKey.primary].
 * @param string $plaintext The data to encrypt. Must be no larger than 64KiB.
 *
 *                          The maximum size depends on the key version's
 *                          [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level].
 *                          For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE],
 *                          [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL], and
 *                          [EXTERNAL_VPC][google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC] keys, the
 *                          plaintext must be no larger than 64KiB. For
 *                          [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of
 *                          the plaintext and additional_authenticated_data fields must be no larger
 *                          than 8KiB.
 */
function encrypt_sample(string $name, string $plaintext): void
{
    // Create a client.
    $keyManagementServiceClient = new KeyManagementServiceClient();

    // Call the API and handle any network failures.
    try {
        /** @var EncryptResponse $response */
        $response = $keyManagementServiceClient->encrypt($name, $plaintext);
        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
    } catch (ApiException $ex) {
        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
    }
}

/**
 * This sample has been automatically generated and should be regarded as a code
 * template only. It will require modifications to work:
 *  - It may require correct/in-range values for request initialization.
 *  - It may require specifying regional endpoints when creating the service client,
 *    please see the apiEndpoint client configuration option for more details.
 */
function callSample(): void
{
    $name = '[NAME]';
    $plaintext = '...';

    encrypt_sample($name, $plaintext);
}

generateRandomBytes

Generate random bytes using the Cloud KMS randomness source in the provided location.

Parameters
Name	Description
`optionalArgs`	`array` Optional.
`↳ location`	`string` The project-specific location in which to generate random bytes. For example, "projects/my-project/locations/us-central1".
`↳ lengthBytes`	`int` The length in bytes of the amount of randomness to retrieve. Minimum 8 bytes, maximum 1024 bytes.
`↳ protectionLevel`	`int` The ProtectionLevel to use when generating the random data. Currently, only HSM protection level is supported. For allowed values, use constants defined on Google\Cloud\Kms\V1\ProtectionLevel
`↳ retrySettings`	`RetrySettings\|array` Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage.

Returns
Type	Description
`Google\Cloud\Kms\V1\GenerateRandomBytesResponse`

Example

use Google\ApiCore\ApiException;
use Google\Cloud\Kms\V1\GenerateRandomBytesResponse;
use Google\Cloud\Kms\V1\KeyManagementServiceClient;

/**
 * This sample has been automatically generated and should be regarded as a code
 * template only. It will require modifications to work:
 *  - It may require correct/in-range values for request initialization.
 *  - It may require specifying regional endpoints when creating the service client,
 *    please see the apiEndpoint client configuration option for more details.
 */
function generate_random_bytes_sample(): void
{
    // Create a client.
    $keyManagementServiceClient = new KeyManagementServiceClient();

    // Call the API and handle any network failures.
    try {
        /** @var GenerateRandomBytesResponse $response */
        $response = $keyManagementServiceClient->generateRandomBytes();
        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
    } catch (ApiException $ex) {
        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
    }
}

getCryptoKey

Returns metadata for a given CryptoKey, as well as its primary CryptoKeyVersion.

Parameters
Name	Description
`name`	`string` Required. The name of the CryptoKey to get.
`optionalArgs`	`array` Optional.
`↳ retrySettings`	`RetrySettings\|array` Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage.

Returns
Type	Description
`Google\Cloud\Kms\V1\CryptoKey`

Example

use Google\ApiCore\ApiException;
use Google\Cloud\Kms\V1\CryptoKey;
use Google\Cloud\Kms\V1\KeyManagementServiceClient;

/**
 * @param string $formattedName The [name][google.cloud.kms.v1.CryptoKey.name] of the
 *                              [CryptoKey][google.cloud.kms.v1.CryptoKey] to get. Please see
 *                              {@see KeyManagementServiceClient::cryptoKeyName()} for help formatting this field.
 */
function get_crypto_key_sample(string $formattedName): void
{
    // Create a client.
    $keyManagementServiceClient = new KeyManagementServiceClient();

    // Call the API and handle any network failures.
    try {
        /** @var CryptoKey $response */
        $response = $keyManagementServiceClient->getCryptoKey($formattedName);
        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
    } catch (ApiException $ex) {
        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
    }
}

/**
 * This sample has been automatically generated and should be regarded as a code
 * template only. It will require modifications to work:
 *  - It may require correct/in-range values for request initialization.
 *  - It may require specifying regional endpoints when creating the service client,
 *    please see the apiEndpoint client configuration option for more details.
 */
function callSample(): void
{
    $formattedName = KeyManagementServiceClient::cryptoKeyName(
        '[PROJECT]',
        '[LOCATION]',
        '[KEY_RING]',
        '[CRYPTO_KEY]'
    );

    get_crypto_key_sample($formattedName);
}

getCryptoKeyVersion

Returns metadata for a given CryptoKeyVersion.

Parameters
Name	Description
`name`	`string` Required. The name of the CryptoKeyVersion to get.
`optionalArgs`	`array` Optional.
`↳ retrySettings`	`RetrySettings\|array` Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage.

Returns
Type	Description
`Google\Cloud\Kms\V1\CryptoKeyVersion`

Example

use Google\ApiCore\ApiException;
use Google\Cloud\Kms\V1\CryptoKeyVersion;
use Google\Cloud\Kms\V1\KeyManagementServiceClient;

/**
 * @param string $formattedName The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
 *                              [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to get. Please see
 *                              {@see KeyManagementServiceClient::cryptoKeyVersionName()} for help formatting this field.
 */
function get_crypto_key_version_sample(string $formattedName): void
{
    // Create a client.
    $keyManagementServiceClient = new KeyManagementServiceClient();

    // Call the API and handle any network failures.
    try {
        /** @var CryptoKeyVersion $response */
        $response = $keyManagementServiceClient->getCryptoKeyVersion($formattedName);
        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
    } catch (ApiException $ex) {
        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
    }
}

/**
 * This sample has been automatically generated and should be regarded as a code
 * template only. It will require modifications to work:
 *  - It may require correct/in-range values for request initialization.
 *  - It may require specifying regional endpoints when creating the service client,
 *    please see the apiEndpoint client configuration option for more details.
 */
function callSample(): void
{
    $formattedName = KeyManagementServiceClient::cryptoKeyVersionName(
        '[PROJECT]',
        '[LOCATION]',
        '[KEY_RING]',
        '[CRYPTO_KEY]',
        '[CRYPTO_KEY_VERSION]'
    );

    get_crypto_key_version_sample($formattedName);
}

getImportJob

Returns metadata for a given ImportJob.

Parameters
Name	Description
`name`	`string` Required. The name of the ImportJob to get.
`optionalArgs`	`array` Optional.
`↳ retrySettings`	`RetrySettings\|array` Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage.

Returns
Type	Description
`Google\Cloud\Kms\V1\ImportJob`

Example

use Google\ApiCore\ApiException;
use Google\Cloud\Kms\V1\ImportJob;
use Google\Cloud\Kms\V1\KeyManagementServiceClient;

/**
 * @param string $formattedName The [name][google.cloud.kms.v1.ImportJob.name] of the
 *                              [ImportJob][google.cloud.kms.v1.ImportJob] to get. Please see
 *                              {@see KeyManagementServiceClient::importJobName()} for help formatting this field.
 */
function get_import_job_sample(string $formattedName): void
{
    // Create a client.
    $keyManagementServiceClient = new KeyManagementServiceClient();

    // Call the API and handle any network failures.
    try {
        /** @var ImportJob $response */
        $response = $keyManagementServiceClient->getImportJob($formattedName);
        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
    } catch (ApiException $ex) {
        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
    }
}

/**
 * This sample has been automatically generated and should be regarded as a code
 * template only. It will require modifications to work:
 *  - It may require correct/in-range values for request initialization.
 *  - It may require specifying regional endpoints when creating the service client,
 *    please see the apiEndpoint client configuration option for more details.
 */
function callSample(): void
{
    $formattedName = KeyManagementServiceClient::importJobName(
        '[PROJECT]',
        '[LOCATION]',
        '[KEY_RING]',
        '[IMPORT_JOB]'
    );

    get_import_job_sample($formattedName);
}

getKeyRing

Returns metadata for a given KeyRing.

Parameters
Name	Description
`name`	`string` Required. The name of the KeyRing to get.
`optionalArgs`	`array` Optional.
`↳ retrySettings`	`RetrySettings\|array` Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage.

Returns
Type	Description
`Google\Cloud\Kms\V1\KeyRing`

Example

use Google\ApiCore\ApiException;
use Google\Cloud\Kms\V1\KeyManagementServiceClient;
use Google\Cloud\Kms\V1\KeyRing;

/**
 * @param string $formattedName The [name][google.cloud.kms.v1.KeyRing.name] of the
 *                              [KeyRing][google.cloud.kms.v1.KeyRing] to get. Please see
 *                              {@see KeyManagementServiceClient::keyRingName()} for help formatting this field.
 */
function get_key_ring_sample(string $formattedName): void
{
    // Create a client.
    $keyManagementServiceClient = new KeyManagementServiceClient();

    // Call the API and handle any network failures.
    try {
        /** @var KeyRing $response */
        $response = $keyManagementServiceClient->getKeyRing($formattedName);
        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
    } catch (ApiException $ex) {
        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
    }
}

/**
 * This sample has been automatically generated and should be regarded as a code
 * template only. It will require modifications to work:
 *  - It may require correct/in-range values for request initialization.
 *  - It may require specifying regional endpoints when creating the service client,
 *    please see the apiEndpoint client configuration option for more details.
 */
function callSample(): void
{
    $formattedName = KeyManagementServiceClient::keyRingName('[PROJECT]', '[LOCATION]', '[KEY_RING]');

    get_key_ring_sample($formattedName);
}

getPublicKey

Returns the public key for the given CryptoKeyVersion. The CryptoKey.purpose must be ASYMMETRIC_SIGN or ASYMMETRIC_DECRYPT.

Parameters
Name	Description
`name`	`string` Required. The name of the CryptoKeyVersion public key to get.
`optionalArgs`	`array` Optional.
`↳ retrySettings`	`RetrySettings\|array` Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage.

Returns
Type	Description
`Google\Cloud\Kms\V1\PublicKey`

Example

use Google\ApiCore\ApiException;
use Google\Cloud\Kms\V1\KeyManagementServiceClient;
use Google\Cloud\Kms\V1\PublicKey;

/**
 * @param string $formattedName The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
 *                              [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key to get. Please see
 *                              {@see KeyManagementServiceClient::cryptoKeyVersionName()} for help formatting this field.
 */
function get_public_key_sample(string $formattedName): void
{
    // Create a client.
    $keyManagementServiceClient = new KeyManagementServiceClient();

    // Call the API and handle any network failures.
    try {
        /** @var PublicKey $response */
        $response = $keyManagementServiceClient->getPublicKey($formattedName);
        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
    } catch (ApiException $ex) {
        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
    }
}

/**
 * This sample has been automatically generated and should be regarded as a code
 * template only. It will require modifications to work:
 *  - It may require correct/in-range values for request initialization.
 *  - It may require specifying regional endpoints when creating the service client,
 *    please see the apiEndpoint client configuration option for more details.
 */
function callSample(): void
{
    $formattedName = KeyManagementServiceClient::cryptoKeyVersionName(
        '[PROJECT]',
        '[LOCATION]',
        '[KEY_RING]',
        '[CRYPTO_KEY]',
        '[CRYPTO_KEY_VERSION]'
    );

    get_public_key_sample($formattedName);
}

importCryptoKeyVersion

Import wrapped key material into a CryptoKeyVersion.

All requests must specify a CryptoKey. If a CryptoKeyVersion is additionally specified in the request, key material will be reimported into that version. Otherwise, a new version will be created, and will be assigned the next sequential id within the CryptoKey.

Parameters
Name	Description
`parent`	`string` Required. The name of the CryptoKey to be imported into. The create permission is only required on this key when creating a new CryptoKeyVersion.
`algorithm`	`int` Required. The algorithm of the key being imported. This does not need to match the version_template of the CryptoKey this version imports into. For allowed values, use constants defined on {@see \Google\Cloud\Kms\V1\CryptoKeyVersion\CryptoKeyVersionAlgorithm}
`importJob`	`string` Required. The name of the ImportJob that was used to wrap this key material.
`optionalArgs`	`array` Optional.
`↳ cryptoKeyVersion`	`string` Optional. The optional name of an existing CryptoKeyVersion to target for an import operation. If this field is not present, a new CryptoKeyVersion containing the supplied key material is created. If this field is present, the supplied key material is imported into the existing CryptoKeyVersion. To import into an existing CryptoKeyVersion, the CryptoKeyVersion must be a child of ImportCryptoKeyVersionRequest.parent, have been previously created via ImportCryptoKeyVersion, and be in DESTROYED or IMPORT_FAILED state. The key material and algorithm must match the previous CryptoKeyVersion exactly if the CryptoKeyVersion has ever contained key material.
`↳ wrappedKey`	`string` Optional. The wrapped key material to import. Before wrapping, key material must be formatted. If importing symmetric key material, the expected key material format is plain bytes. If importing asymmetric key material, the expected key material format is PKCS#8-encoded DER (the PrivateKeyInfo structure from RFC 5208). When wrapping with import methods ([RSA_OAEP_3072_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256] or [RSA_OAEP_4096_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA1_AES_256] or [RSA_OAEP_3072_SHA256_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA256_AES_256] or [RSA_OAEP_4096_SHA256_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA256_AES_256]), this field must contain the concatenation of: An ephemeral AES-256 wrapping key wrapped with the public_key using RSAES-OAEP with SHA-1/SHA-256, MGF1 with SHA-1/SHA-256, and an empty label. The formatted key to be imported, wrapped with the ephemeral AES-256 key using AES-KWP (RFC 5649). This format is the same as the format produced by PKCS#11 mechanism CKM_RSA_AES_KEY_WRAP. When wrapping with import methods ([RSA_OAEP_3072_SHA256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA256] or [RSA_OAEP_4096_SHA256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA256]), this field must contain the formatted key to be imported, wrapped with the public_key using RSAES-OAEP with SHA-256, MGF1 with SHA-256, and an empty label.
`↳ rsaAesWrappedKey`	`string` Optional. This field has the same meaning as wrapped_key. Prefer to use that field in new work. Either that field or this field (but not both) must be specified.
`↳ retrySettings`	`RetrySettings\|array` Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage.

Returns
Type	Description
`Google\Cloud\Kms\V1\CryptoKeyVersion`

Example

use Google\ApiCore\ApiException;
use Google\Cloud\Kms\V1\CryptoKeyVersion;
use Google\Cloud\Kms\V1\CryptoKeyVersion\CryptoKeyVersionAlgorithm;
use Google\Cloud\Kms\V1\KeyManagementServiceClient;

/**
 * @param string $formattedParent The [name][google.cloud.kms.v1.CryptoKey.name] of the
 *                                [CryptoKey][google.cloud.kms.v1.CryptoKey] to be imported into.
 *
 *                                The create permission is only required on this key when creating a new
 *                                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Please see
 *                                {@see KeyManagementServiceClient::cryptoKeyName()} for help formatting this field.
 * @param int    $algorithm       The
 *                                [algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
 *                                of the key being imported. This does not need to match the
 *                                [version_template][google.cloud.kms.v1.CryptoKey.version_template] of the
 *                                [CryptoKey][google.cloud.kms.v1.CryptoKey] this version imports into.
 * @param string $importJob       The [name][google.cloud.kms.v1.ImportJob.name] of the
 *                                [ImportJob][google.cloud.kms.v1.ImportJob] that was used to wrap this key
 *                                material.
 */
function import_crypto_key_version_sample(
    string $formattedParent,
    int $algorithm,
    string $importJob
): void {
    // Create a client.
    $keyManagementServiceClient = new KeyManagementServiceClient();

    // Call the API and handle any network failures.
    try {
        /** @var CryptoKeyVersion $response */
        $response = $keyManagementServiceClient->importCryptoKeyVersion(
            $formattedParent,
            $algorithm,
            $importJob
        );
        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
    } catch (ApiException $ex) {
        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
    }
}

/**
 * This sample has been automatically generated and should be regarded as a code
 * template only. It will require modifications to work:
 *  - It may require correct/in-range values for request initialization.
 *  - It may require specifying regional endpoints when creating the service client,
 *    please see the apiEndpoint client configuration option for more details.
 */
function callSample(): void
{
    $formattedParent = KeyManagementServiceClient::cryptoKeyName(
        '[PROJECT]',
        '[LOCATION]',
        '[KEY_RING]',
        '[CRYPTO_KEY]'
    );
    $algorithm = CryptoKeyVersionAlgorithm::CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED;
    $importJob = '[IMPORT_JOB]';

    import_crypto_key_version_sample($formattedParent, $algorithm, $importJob);
}

listCryptoKeyVersions

Lists CryptoKeyVersions.

Parameters
Name	Description
`parent`	`string` Required. The resource name of the CryptoKey to list, in the format `projects//locations//keyRings//cryptoKeys/`.
`optionalArgs`	`array` Optional.
`↳ pageSize`	`int` The maximum number of resources contained in the underlying API response. The API may return fewer values in a page, even if there are additional values to be retrieved.
`↳ pageToken`	`string` A page token is used to specify a page of values to be returned. If no page token is specified (the default), the first page of values will be returned. Any page token used here must have been generated by a previous call to the API.
`↳ view`	`int` The fields to include in the response. For allowed values, use constants defined on Google\Cloud\Kms\V1\CryptoKeyVersion\CryptoKeyVersionView
`↳ filter`	`string` Optional. Only include resources that match the filter in the response. For more information, see Sorting and filtering list results.
`↳ orderBy`	`string` Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order. For more information, see Sorting and filtering list results.
`↳ retrySettings`	`RetrySettings\|array` Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage.

Returns
Type	Description
`Google\ApiCore\PagedListResponse`

Example

use Google\ApiCore\ApiException;
use Google\ApiCore\PagedListResponse;
use Google\Cloud\Kms\V1\CryptoKeyVersion;
use Google\Cloud\Kms\V1\KeyManagementServiceClient;

/**
 * @param string $formattedParent The resource name of the
 *                                [CryptoKey][google.cloud.kms.v1.CryptoKey] to list, in the format
 *                                `projects/&#42;/locations/&#42;/keyRings/&#42;/cryptoKeys/*`. Please see
 *                                {@see KeyManagementServiceClient::cryptoKeyName()} for help formatting this field.
 */
function list_crypto_key_versions_sample(string $formattedParent): void
{
    // Create a client.
    $keyManagementServiceClient = new KeyManagementServiceClient();

    // Call the API and handle any network failures.
    try {
        /** @var PagedListResponse $response */
        $response = $keyManagementServiceClient->listCryptoKeyVersions($formattedParent);

        /** @var CryptoKeyVersion $element */
        foreach ($response as $element) {
            printf('Element data: %s' . PHP_EOL, $element->serializeToJsonString());
        }
    } catch (ApiException $ex) {
        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
    }
}

/**
 * This sample has been automatically generated and should be regarded as a code
 * template only. It will require modifications to work:
 *  - It may require correct/in-range values for request initialization.
 *  - It may require specifying regional endpoints when creating the service client,
 *    please see the apiEndpoint client configuration option for more details.
 */
function callSample(): void
{
    $formattedParent = KeyManagementServiceClient::cryptoKeyName(
        '[PROJECT]',
        '[LOCATION]',
        '[KEY_RING]',
        '[CRYPTO_KEY]'
    );

    list_crypto_key_versions_sample($formattedParent);
}

listCryptoKeys

Lists CryptoKeys.

Parameters
Name	Description
`parent`	`string` Required. The resource name of the KeyRing to list, in the format `projects//locations//keyRings/*`.
`optionalArgs`	`array` Optional.
`↳ pageSize`	`int` The maximum number of resources contained in the underlying API response. The API may return fewer values in a page, even if there are additional values to be retrieved.
`↳ pageToken`	`string` A page token is used to specify a page of values to be returned. If no page token is specified (the default), the first page of values will be returned. Any page token used here must have been generated by a previous call to the API.
`↳ versionView`	`int` The fields of the primary version to include in the response. For allowed values, use constants defined on Google\Cloud\Kms\V1\CryptoKeyVersion\CryptoKeyVersionView
`↳ filter`	`string` Optional. Only include resources that match the filter in the response. For more information, see Sorting and filtering list results.
`↳ orderBy`	`string` Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order. For more information, see Sorting and filtering list results.
`↳ retrySettings`	`RetrySettings\|array` Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage.

Returns
Type	Description
`Google\ApiCore\PagedListResponse`

Example

use Google\ApiCore\ApiException;
use Google\ApiCore\PagedListResponse;
use Google\Cloud\Kms\V1\CryptoKey;
use Google\Cloud\Kms\V1\KeyManagementServiceClient;

/**
 * @param string $formattedParent The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing]
 *                                to list, in the format `projects/&#42;/locations/&#42;/keyRings/*`. Please see
 *                                {@see KeyManagementServiceClient::keyRingName()} for help formatting this field.
 */
function list_crypto_keys_sample(string $formattedParent): void
{
    // Create a client.
    $keyManagementServiceClient = new KeyManagementServiceClient();

    // Call the API and handle any network failures.
    try {
        /** @var PagedListResponse $response */
        $response = $keyManagementServiceClient->listCryptoKeys($formattedParent);

        /** @var CryptoKey $element */
        foreach ($response as $element) {
            printf('Element data: %s' . PHP_EOL, $element->serializeToJsonString());
        }
    } catch (ApiException $ex) {
        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
    }
}

/**
 * This sample has been automatically generated and should be regarded as a code
 * template only. It will require modifications to work:
 *  - It may require correct/in-range values for request initialization.
 *  - It may require specifying regional endpoints when creating the service client,
 *    please see the apiEndpoint client configuration option for more details.
 */
function callSample(): void
{
    $formattedParent = KeyManagementServiceClient::keyRingName('[PROJECT]', '[LOCATION]', '[KEY_RING]');

    list_crypto_keys_sample($formattedParent);
}

listImportJobs

Lists ImportJobs.

Parameters
Name	Description
`parent`	`string` Required. The resource name of the KeyRing to list, in the format `projects//locations//keyRings/*`.
`optionalArgs`	`array` Optional.
`↳ pageSize`	`int` The maximum number of resources contained in the underlying API response. The API may return fewer values in a page, even if there are additional values to be retrieved.
`↳ pageToken`	`string` A page token is used to specify a page of values to be returned. If no page token is specified (the default), the first page of values will be returned. Any page token used here must have been generated by a previous call to the API.
`↳ filter`	`string` Optional. Only include resources that match the filter in the response. For more information, see Sorting and filtering list results.
`↳ orderBy`	`string` Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order. For more information, see Sorting and filtering list results.
`↳ retrySettings`	`RetrySettings\|array` Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage.

Returns
Type	Description
`Google\ApiCore\PagedListResponse`

Example

use Google\ApiCore\ApiException;
use Google\ApiCore\PagedListResponse;
use Google\Cloud\Kms\V1\ImportJob;
use Google\Cloud\Kms\V1\KeyManagementServiceClient;

/**
 * @param string $formattedParent The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing]
 *                                to list, in the format `projects/&#42;/locations/&#42;/keyRings/*`. Please see
 *                                {@see KeyManagementServiceClient::keyRingName()} for help formatting this field.
 */
function list_import_jobs_sample(string $formattedParent): void
{
    // Create a client.
    $keyManagementServiceClient = new KeyManagementServiceClient();

    // Call the API and handle any network failures.
    try {
        /** @var PagedListResponse $response */
        $response = $keyManagementServiceClient->listImportJobs($formattedParent);

        /** @var ImportJob $element */
        foreach ($response as $element) {
            printf('Element data: %s' . PHP_EOL, $element->serializeToJsonString());
        }
    } catch (ApiException $ex) {
        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
    }
}

/**
 * This sample has been automatically generated and should be regarded as a code
 * template only. It will require modifications to work:
 *  - It may require correct/in-range values for request initialization.
 *  - It may require specifying regional endpoints when creating the service client,
 *    please see the apiEndpoint client configuration option for more details.
 */
function callSample(): void
{
    $formattedParent = KeyManagementServiceClient::keyRingName('[PROJECT]', '[LOCATION]', '[KEY_RING]');

    list_import_jobs_sample($formattedParent);
}

listKeyRings

Lists KeyRings.

Parameters
Name	Description
`parent`	`string` Required. The resource name of the location associated with the KeyRings, in the format `projects//locations/`.
`optionalArgs`	`array` Optional.
`↳ pageSize`	`int` The maximum number of resources contained in the underlying API response. The API may return fewer values in a page, even if there are additional values to be retrieved.
`↳ pageToken`	`string` A page token is used to specify a page of values to be returned. If no page token is specified (the default), the first page of values will be returned. Any page token used here must have been generated by a previous call to the API.
`↳ filter`	`string` Optional. Only include resources that match the filter in the response. For more information, see Sorting and filtering list results.
`↳ orderBy`	`string` Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order. For more information, see Sorting and filtering list results.
`↳ retrySettings`	`RetrySettings\|array` Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage.

Returns
Type	Description
`Google\ApiCore\PagedListResponse`

Example

use Google\ApiCore\ApiException;
use Google\ApiCore\PagedListResponse;
use Google\Cloud\Kms\V1\KeyManagementServiceClient;
use Google\Cloud\Kms\V1\KeyRing;

/**
 * @param string $formattedParent The resource name of the location associated with the
 *                                [KeyRings][google.cloud.kms.v1.KeyRing], in the format
 *                                `projects/&#42;/locations/*`. Please see
 *                                {@see KeyManagementServiceClient::locationName()} for help formatting this field.
 */
function list_key_rings_sample(string $formattedParent): void
{
    // Create a client.
    $keyManagementServiceClient = new KeyManagementServiceClient();

    // Call the API and handle any network failures.
    try {
        /** @var PagedListResponse $response */
        $response = $keyManagementServiceClient->listKeyRings($formattedParent);

        /** @var KeyRing $element */
        foreach ($response as $element) {
            printf('Element data: %s' . PHP_EOL, $element->serializeToJsonString());
        }
    } catch (ApiException $ex) {
        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
    }
}

/**
 * This sample has been automatically generated and should be regarded as a code
 * template only. It will require modifications to work:
 *  - It may require correct/in-range values for request initialization.
 *  - It may require specifying regional endpoints when creating the service client,
 *    please see the apiEndpoint client configuration option for more details.
 */
function callSample(): void
{
    $formattedParent = KeyManagementServiceClient::locationName('[PROJECT]', '[LOCATION]');

    list_key_rings_sample($formattedParent);
}

macSign

Signs data using a CryptoKeyVersion with CryptoKey.purpose MAC, producing a tag that can be verified by another source with the same key.

Parameters
Name	Description
`name`	`string` Required. The resource name of the CryptoKeyVersion to use for signing.
`data`	`string` Required. The data to sign. The MAC tag is computed over this data field based on the specific algorithm.
`optionalArgs`	`array` Optional.
`↳ dataCrc32c`	`Int64Value` Optional. An optional CRC32C checksum of the MacSignRequest.data. If specified, KeyManagementService will verify the integrity of the received MacSignRequest.data using this checksum. KeyManagementService will report an error if the checksum verification fails. If you receive a checksum error, your client should verify that CRC32C(MacSignRequest.data) is equal to MacSignRequest.data_crc32c, and if so, perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.
`↳ retrySettings`	`RetrySettings\|array` Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage.

Returns
Type	Description
`Google\Cloud\Kms\V1\MacSignResponse`

Example

use Google\ApiCore\ApiException;
use Google\Cloud\Kms\V1\KeyManagementServiceClient;
use Google\Cloud\Kms\V1\MacSignResponse;

/**
 * @param string $formattedName The resource name of the
 *                              [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
 *                              signing. Please see
 *                              {@see KeyManagementServiceClient::cryptoKeyVersionName()} for help formatting this field.
 * @param string $data          The data to sign. The MAC tag is computed over this data field
 *                              based on the specific algorithm.
 */
function mac_sign_sample(string $formattedName, string $data): void
{
    // Create a client.
    $keyManagementServiceClient = new KeyManagementServiceClient();

    // Call the API and handle any network failures.
    try {
        /** @var MacSignResponse $response */
        $response = $keyManagementServiceClient->macSign($formattedName, $data);
        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
    } catch (ApiException $ex) {
        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
    }
}

/**
 * This sample has been automatically generated and should be regarded as a code
 * template only. It will require modifications to work:
 *  - It may require correct/in-range values for request initialization.
 *  - It may require specifying regional endpoints when creating the service client,
 *    please see the apiEndpoint client configuration option for more details.
 */
function callSample(): void
{
    $formattedName = KeyManagementServiceClient::cryptoKeyVersionName(
        '[PROJECT]',
        '[LOCATION]',
        '[KEY_RING]',
        '[CRYPTO_KEY]',
        '[CRYPTO_KEY_VERSION]'
    );
    $data = '...';

    mac_sign_sample($formattedName, $data);
}

macVerify

Verifies MAC tag using a CryptoKeyVersion with CryptoKey.purpose MAC, and returns a response that indicates whether or not the verification was successful.

Parameters
Name	Description
`name`	`string` Required. The resource name of the CryptoKeyVersion to use for verification.
`data`	`string` Required. The data used previously as a MacSignRequest.data to generate the MAC tag.
`mac`	`string` Required. The signature to verify.
`optionalArgs`	`array` Optional.
`↳ dataCrc32c`	`Int64Value` Optional. An optional CRC32C checksum of the MacVerifyRequest.data. If specified, KeyManagementService will verify the integrity of the received MacVerifyRequest.data using this checksum. KeyManagementService will report an error if the checksum verification fails. If you receive a checksum error, your client should verify that CRC32C(MacVerifyRequest.data) is equal to MacVerifyRequest.data_crc32c, and if so, perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.
`↳ macCrc32c`	`Int64Value` Optional. An optional CRC32C checksum of the MacVerifyRequest.mac. If specified, KeyManagementService will verify the integrity of the received MacVerifyRequest.mac using this checksum. KeyManagementService will report an error if the checksum verification fails. If you receive a checksum error, your client should verify that CRC32C(MacVerifyRequest.tag) is equal to MacVerifyRequest.mac_crc32c, and if so, perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.
`↳ retrySettings`	`RetrySettings\|array` Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage.

Returns
Type	Description
`Google\Cloud\Kms\V1\MacVerifyResponse`

Example

use Google\ApiCore\ApiException;
use Google\Cloud\Kms\V1\KeyManagementServiceClient;
use Google\Cloud\Kms\V1\MacVerifyResponse;

/**
 * @param string $formattedName The resource name of the
 *                              [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
 *                              verification. Please see
 *                              {@see KeyManagementServiceClient::cryptoKeyVersionName()} for help formatting this field.
 * @param string $data          The data used previously as a
 *                              [MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data] to generate
 *                              the MAC tag.
 * @param string $mac           The signature to verify.
 */
function mac_verify_sample(string $formattedName, string $data, string $mac): void
{
    // Create a client.
    $keyManagementServiceClient = new KeyManagementServiceClient();

    // Call the API and handle any network failures.
    try {
        /** @var MacVerifyResponse $response */
        $response = $keyManagementServiceClient->macVerify($formattedName, $data, $mac);
        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
    } catch (ApiException $ex) {
        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
    }
}

/**
 * This sample has been automatically generated and should be regarded as a code
 * template only. It will require modifications to work:
 *  - It may require correct/in-range values for request initialization.
 *  - It may require specifying regional endpoints when creating the service client,
 *    please see the apiEndpoint client configuration option for more details.
 */
function callSample(): void
{
    $formattedName = KeyManagementServiceClient::cryptoKeyVersionName(
        '[PROJECT]',
        '[LOCATION]',
        '[KEY_RING]',
        '[CRYPTO_KEY]',
        '[CRYPTO_KEY_VERSION]'
    );
    $data = '...';
    $mac = '...';

    mac_verify_sample($formattedName, $data, $mac);
}

restoreCryptoKeyVersion

Restore a CryptoKeyVersion in the DESTROY_SCHEDULED state.

Upon restoration of the CryptoKeyVersion, state will be set to DISABLED, and destroy_time will be cleared.

Parameters
Name	Description
`name`	`string` Required. The resource name of the CryptoKeyVersion to restore.
`optionalArgs`	`array` Optional.
`↳ retrySettings`	`RetrySettings\|array` Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage.

Returns
Type	Description
`Google\Cloud\Kms\V1\CryptoKeyVersion`

Example

use Google\ApiCore\ApiException;
use Google\Cloud\Kms\V1\CryptoKeyVersion;
use Google\Cloud\Kms\V1\KeyManagementServiceClient;

/**
 * @param string $formattedName The resource name of the
 *                              [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to restore. Please see
 *                              {@see KeyManagementServiceClient::cryptoKeyVersionName()} for help formatting this field.
 */
function restore_crypto_key_version_sample(string $formattedName): void
{
    // Create a client.
    $keyManagementServiceClient = new KeyManagementServiceClient();

    // Call the API and handle any network failures.
    try {
        /** @var CryptoKeyVersion $response */
        $response = $keyManagementServiceClient->restoreCryptoKeyVersion($formattedName);
        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
    } catch (ApiException $ex) {
        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
    }
}

/**
 * This sample has been automatically generated and should be regarded as a code
 * template only. It will require modifications to work:
 *  - It may require correct/in-range values for request initialization.
 *  - It may require specifying regional endpoints when creating the service client,
 *    please see the apiEndpoint client configuration option for more details.
 */
function callSample(): void
{
    $formattedName = KeyManagementServiceClient::cryptoKeyVersionName(
        '[PROJECT]',
        '[LOCATION]',
        '[KEY_RING]',
        '[CRYPTO_KEY]',
        '[CRYPTO_KEY_VERSION]'
    );

    restore_crypto_key_version_sample($formattedName);
}

updateCryptoKey

Update a CryptoKey.

Parameters
Name	Description
`cryptoKey`	`Google\Cloud\Kms\V1\CryptoKey` Required. CryptoKey with updated values.
`updateMask`	`Google\Protobuf\FieldMask` Required. List of fields to be updated in this request.
`optionalArgs`	`array` Optional.
`↳ retrySettings`	`RetrySettings\|array` Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage.

Returns
Type	Description
`Google\Cloud\Kms\V1\CryptoKey`

Example

use Google\ApiCore\ApiException;
use Google\Cloud\Kms\V1\CryptoKey;
use Google\Cloud\Kms\V1\KeyManagementServiceClient;
use Google\Protobuf\FieldMask;

/**
 * This sample has been automatically generated and should be regarded as a code
 * template only. It will require modifications to work:
 *  - It may require correct/in-range values for request initialization.
 *  - It may require specifying regional endpoints when creating the service client,
 *    please see the apiEndpoint client configuration option for more details.
 */
function update_crypto_key_sample(): void
{
    // Create a client.
    $keyManagementServiceClient = new KeyManagementServiceClient();

    // Prepare any non-scalar elements to be passed along with the request.
    $cryptoKey = new CryptoKey();
    $updateMask = new FieldMask();

    // Call the API and handle any network failures.
    try {
        /** @var CryptoKey $response */
        $response = $keyManagementServiceClient->updateCryptoKey($cryptoKey, $updateMask);
        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
    } catch (ApiException $ex) {
        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
    }
}

updateCryptoKeyPrimaryVersion

Update the version of a CryptoKey that will be used in Encrypt.

Returns an error if called on a key whose purpose is not ENCRYPT_DECRYPT.

Parameters
Name	Description
`name`	`string` Required. The resource name of the CryptoKey to update.
`cryptoKeyVersionId`	`string` Required. The id of the child CryptoKeyVersion to use as primary.
`optionalArgs`	`array` Optional.
`↳ retrySettings`	`RetrySettings\|array` Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage.

Returns
Type	Description
`Google\Cloud\Kms\V1\CryptoKey`

Example

use Google\ApiCore\ApiException;
use Google\Cloud\Kms\V1\CryptoKey;
use Google\Cloud\Kms\V1\KeyManagementServiceClient;

/**
 * @param string $formattedName      The resource name of the
 *                                   [CryptoKey][google.cloud.kms.v1.CryptoKey] to update. Please see
 *                                   {@see KeyManagementServiceClient::cryptoKeyName()} for help formatting this field.
 * @param string $cryptoKeyVersionId The id of the child
 *                                   [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use as primary.
 */
function update_crypto_key_primary_version_sample(
    string $formattedName,
    string $cryptoKeyVersionId
): void {
    // Create a client.
    $keyManagementServiceClient = new KeyManagementServiceClient();

    // Call the API and handle any network failures.
    try {
        /** @var CryptoKey $response */
        $response = $keyManagementServiceClient->updateCryptoKeyPrimaryVersion(
            $formattedName,
            $cryptoKeyVersionId
        );
        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
    } catch (ApiException $ex) {
        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
    }
}

/**
 * This sample has been automatically generated and should be regarded as a code
 * template only. It will require modifications to work:
 *  - It may require correct/in-range values for request initialization.
 *  - It may require specifying regional endpoints when creating the service client,
 *    please see the apiEndpoint client configuration option for more details.
 */
function callSample(): void
{
    $formattedName = KeyManagementServiceClient::cryptoKeyName(
        '[PROJECT]',
        '[LOCATION]',
        '[KEY_RING]',
        '[CRYPTO_KEY]'
    );
    $cryptoKeyVersionId = '[CRYPTO_KEY_VERSION_ID]';

    update_crypto_key_primary_version_sample($formattedName, $cryptoKeyVersionId);
}

updateCryptoKeyVersion

Update a CryptoKeyVersion's metadata.

state may be changed between ENABLED and DISABLED using this method. See DestroyCryptoKeyVersion and RestoreCryptoKeyVersion to move between other states.

Parameters
Name	Description
`cryptoKeyVersion`	`Google\Cloud\Kms\V1\CryptoKeyVersion` Required. CryptoKeyVersion with updated values.
`updateMask`	`Google\Protobuf\FieldMask` Required. List of fields to be updated in this request.
`optionalArgs`	`array` Optional.
`↳ retrySettings`	`RetrySettings\|array` Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage.

Returns
Type	Description
`Google\Cloud\Kms\V1\CryptoKeyVersion`

Example

use Google\ApiCore\ApiException;
use Google\Cloud\Kms\V1\CryptoKeyVersion;
use Google\Cloud\Kms\V1\KeyManagementServiceClient;
use Google\Protobuf\FieldMask;

/**
 * This sample has been automatically generated and should be regarded as a code
 * template only. It will require modifications to work:
 *  - It may require correct/in-range values for request initialization.
 *  - It may require specifying regional endpoints when creating the service client,
 *    please see the apiEndpoint client configuration option for more details.
 */
function update_crypto_key_version_sample(): void
{
    // Create a client.
    $keyManagementServiceClient = new KeyManagementServiceClient();

    // Prepare any non-scalar elements to be passed along with the request.
    $cryptoKeyVersion = new CryptoKeyVersion();
    $updateMask = new FieldMask();

    // Call the API and handle any network failures.
    try {
        /** @var CryptoKeyVersion $response */
        $response = $keyManagementServiceClient->updateCryptoKeyVersion($cryptoKeyVersion, $updateMask);
        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
    } catch (ApiException $ex) {
        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
    }
}

getLocation

Gets information about a location.

Parameters
Name	Description
`optionalArgs`	`array` Optional.
`↳ name`	`string` Resource name for the location.
`↳ retrySettings`	`RetrySettings\|array` Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage.

Returns
Type	Description
`Google\Cloud\Location\Location`

Example

use Google\ApiCore\ApiException;
use Google\Cloud\Kms\V1\KeyManagementServiceClient;
use Google\Cloud\Location\Location;

/**
 * This sample has been automatically generated and should be regarded as a code
 * template only. It will require modifications to work:
 *  - It may require correct/in-range values for request initialization.
 *  - It may require specifying regional endpoints when creating the service client,
 *    please see the apiEndpoint client configuration option for more details.
 */
function get_location_sample(): void
{
    // Create a client.
    $keyManagementServiceClient = new KeyManagementServiceClient();

    // Call the API and handle any network failures.
    try {
        /** @var Location $response */
        $response = $keyManagementServiceClient->getLocation();
        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
    } catch (ApiException $ex) {
        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
    }
}

listLocations

Lists information about the supported locations for this service.

Parameters
Name	Description
`optionalArgs`	`array` Optional.
`↳ name`	`string` The resource that owns the locations collection, if applicable.
`↳ filter`	`string` The standard list filter.
`↳ pageSize`	`int` The maximum number of resources contained in the underlying API response. The API may return fewer values in a page, even if there are additional values to be retrieved.
`↳ pageToken`	`string` A page token is used to specify a page of values to be returned. If no page token is specified (the default), the first page of values will be returned. Any page token used here must have been generated by a previous call to the API.
`↳ retrySettings`	`RetrySettings\|array` Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage.

Returns
Type	Description
`Google\ApiCore\PagedListResponse`

Example

use Google\ApiCore\ApiException;
use Google\ApiCore\PagedListResponse;
use Google\Cloud\Kms\V1\KeyManagementServiceClient;
use Google\Cloud\Location\Location;

/**
 * This sample has been automatically generated and should be regarded as a code
 * template only. It will require modifications to work:
 *  - It may require correct/in-range values for request initialization.
 *  - It may require specifying regional endpoints when creating the service client,
 *    please see the apiEndpoint client configuration option for more details.
 */
function list_locations_sample(): void
{
    // Create a client.
    $keyManagementServiceClient = new KeyManagementServiceClient();

    // Call the API and handle any network failures.
    try {
        /** @var PagedListResponse $response */
        $response = $keyManagementServiceClient->listLocations();

        /** @var Location $element */
        foreach ($response as $element) {
            printf('Element data: %s' . PHP_EOL, $element->serializeToJsonString());
        }
    } catch (ApiException $ex) {
        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
    }
}

getIamPolicy

Gets the access control policy for a resource. Returns an empty policy if the resource exists and does not have a policy set.

Parameters
Name	Description
`resource`	`string` REQUIRED: The resource for which the policy is being requested. See the operation documentation for the appropriate value for this field.
`optionalArgs`	`array` Optional.
`↳ options`	`GetPolicyOptions` OPTIONAL: A `GetPolicyOptions` object for specifying options to `GetIamPolicy`.
`↳ retrySettings`	`RetrySettings\|array` Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage.

Returns
Type	Description
`Google\Cloud\Iam\V1\Policy`

Example

use Google\ApiCore\ApiException;
use Google\Cloud\Iam\V1\Policy;
use Google\Cloud\Kms\V1\KeyManagementServiceClient;

/**
 * @param string $resource REQUIRED: The resource for which the policy is being requested.
 *                         See the operation documentation for the appropriate value for this field.
 */
function get_iam_policy_sample(string $resource): void
{
    // Create a client.
    $keyManagementServiceClient = new KeyManagementServiceClient();

    // Call the API and handle any network failures.
    try {
        /** @var Policy $response */
        $response = $keyManagementServiceClient->getIamPolicy($resource);
        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
    } catch (ApiException $ex) {
        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
    }
}

/**
 * This sample has been automatically generated and should be regarded as a code
 * template only. It will require modifications to work:
 *  - It may require correct/in-range values for request initialization.
 *  - It may require specifying regional endpoints when creating the service client,
 *    please see the apiEndpoint client configuration option for more details.
 */
function callSample(): void
{
    $resource = '[RESOURCE]';

    get_iam_policy_sample($resource);
}

setIamPolicy

Sets the access control policy on the specified resource. Replaces any existing policy.

Can return NOT_FOUND, INVALID_ARGUMENT, and PERMISSION_DENIED errors.

Parameters
Name	Description
`resource`	`string` REQUIRED: The resource for which the policy is being specified. See the operation documentation for the appropriate value for this field.
`policy`	`Google\Cloud\Iam\V1\Policy` REQUIRED: The complete policy to be applied to the `resource`. The size of the policy is limited to a few 10s of KB. An empty policy is a valid policy but certain Cloud Platform services (such as Projects) might reject them.
`optionalArgs`	`array` Optional.
`↳ updateMask`	`FieldMask` OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only the fields in the mask will be modified. If no mask is provided, the following default mask is used: `paths: "bindings, etag"`
`↳ retrySettings`	`RetrySettings\|array` Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage.

Returns
Type	Description
`Google\Cloud\Iam\V1\Policy`

Example

use Google\ApiCore\ApiException;
use Google\Cloud\Iam\V1\Policy;
use Google\Cloud\Kms\V1\KeyManagementServiceClient;

/**
 * @param string $resource REQUIRED: The resource for which the policy is being specified.
 *                         See the operation documentation for the appropriate value for this field.
 */
function set_iam_policy_sample(string $resource): void
{
    // Create a client.
    $keyManagementServiceClient = new KeyManagementServiceClient();

    // Prepare any non-scalar elements to be passed along with the request.
    $policy = new Policy();

    // Call the API and handle any network failures.
    try {
        /** @var Policy $response */
        $response = $keyManagementServiceClient->setIamPolicy($resource, $policy);
        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
    } catch (ApiException $ex) {
        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
    }
}

/**
 * This sample has been automatically generated and should be regarded as a code
 * template only. It will require modifications to work:
 *  - It may require correct/in-range values for request initialization.
 *  - It may require specifying regional endpoints when creating the service client,
 *    please see the apiEndpoint client configuration option for more details.
 */
function callSample(): void
{
    $resource = '[RESOURCE]';

    set_iam_policy_sample($resource);
}

testIamPermissions

Returns permissions that a caller has on the specified resource. If the resource does not exist, this will return an empty set of permissions, not a NOT_FOUND error.

Note: This operation is designed to be used for building permission-aware UIs and command-line tools, not for authorization checking. This operation may "fail open" without warning.

Parameters
Name	Description
`resource`	`string` REQUIRED: The resource for which the policy detail is being requested. See the operation documentation for the appropriate value for this field.
`permissions`	`string[]` The set of permissions to check for the `resource`. Permissions with wildcards (such as '' or 'storage.') are not allowed. For more information see IAM Overview.
`optionalArgs`	`array` Optional.
`↳ retrySettings`	`RetrySettings\|array` Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage.

Returns
Type	Description
`Google\Cloud\Iam\V1\TestIamPermissionsResponse`

Example

use Google\ApiCore\ApiException;
use Google\Cloud\Iam\V1\TestIamPermissionsResponse;
use Google\Cloud\Kms\V1\KeyManagementServiceClient;

/**
 * @param string $resource           REQUIRED: The resource for which the policy detail is being requested.
 *                                   See the operation documentation for the appropriate value for this field.
 * @param string $permissionsElement The set of permissions to check for the `resource`. Permissions with
 *                                   wildcards (such as '*' or 'storage.*') are not allowed. For more
 *                                   information see
 *                                   [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).
 */
function test_iam_permissions_sample(string $resource, string $permissionsElement): void
{
    // Create a client.
    $keyManagementServiceClient = new KeyManagementServiceClient();

    // Prepare any non-scalar elements to be passed along with the request.
    $permissions = [$permissionsElement,];

    // Call the API and handle any network failures.
    try {
        /** @var TestIamPermissionsResponse $response */
        $response = $keyManagementServiceClient->testIamPermissions($resource, $permissions);
        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
    } catch (ApiException $ex) {
        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
    }
}

/**
 * This sample has been automatically generated and should be regarded as a code
 * template only. It will require modifications to work:
 *  - It may require correct/in-range values for request initialization.
 *  - It may require specifying regional endpoints when creating the service client,
 *    please see the apiEndpoint client configuration option for more details.
 */
function callSample(): void
{
    $resource = '[RESOURCE]';
    $permissionsElement = '[PERMISSIONS]';

    test_iam_permissions_sample($resource, $permissionsElement);
}

Constants

SERVICE_NAME

Value: 'google.cloud.kms.v1.KeyManagementService'

The name of the service.

SERVICE_ADDRESS

Value: 'cloudkms.googleapis.com'

The default address of the service.

DEFAULT_SERVICE_PORT

Value: 443

The default port of the service.

CODEGEN_NAME

Value: 'gapic'

The name of the code generator, to be included in the agent header.