Class KeyManagementServiceClient (1.4.2)

KeyManagementServiceClient(
    transport=None,
    channel=None,
    credentials=None,
    client_config=None,
    client_info=None,
    client_options=None,
)

Google Cloud Key Management Service

Manages cryptographic keys and operations using those keys. Implements a REST model with the following objects:

  • KeyRing
  • CryptoKey
  • CryptoKeyVersion
  • ImportJob

If you are using manual gRPC libraries, see Using gRPC with Cloud KMS (https://cloud.google.com/kms/docs/grpc).

Methods

KeyManagementServiceClient

KeyManagementServiceClient(
    transport=None,
    channel=None,
    credentials=None,
    client_config=None,
    client_info=None,
    client_options=None,
)

Constructor.

Parameters
Name Description
channel grpc.Channel

DEPRECATED. A Channel instance through which to make calls. This argument is mutually exclusive with credentials; providing both will raise an exception.

credentials google.auth.credentials.Credentials

The authorization credentials to attach to requests. These credentials identify this application to the service. If none are specified, the client will attempt to ascertain the credentials from the environment. This argument is mutually exclusive with providing a transport instance to transport; doing so will raise an exception.

client_config dict

DEPRECATED. A dictionary of call options for each method. If not specified, the default configuration is used.

client_info google.api_core.gapic_v1.client_info.ClientInfo

The client info used to send a user-agent string along with API requests. If None, then default info will be used. Generally, you only need to set this if you're developing your own client library.

client_options Union[dict, google.api_core.client_options.ClientOptions]

Client options used to set user options on the client. API Endpoint should be set through client_options.

asymmetric_decrypt

asymmetric_decrypt(name, ciphertext, retry=<_MethodDefault._DEFAULT_VALUE: <object object>>, timeout=<_MethodDefault._DEFAULT_VALUE: <object object>>, metadata=None)

Decrypts data that was encrypted with a public key retrieved from GetPublicKey corresponding to a CryptoKeyVersion with CryptoKey.purpose ASYMMETRIC_DECRYPT.

Example

from google.cloud import kms_v1

client = kms_v1.KeyManagementServiceClient()

name = client.crypto_key_version_path('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]', '[CRYPTO_KEY_VERSION]')

# TODO: Initialize ciphertext:
ciphertext = b''

response = client.asymmetric_decrypt(name, ciphertext)

Parameters
Name Description
name str

Required. The resource name of the CryptoKeyVersion to use for decryption.

ciphertext bytes

Required. The data encrypted with the named CryptoKeyVersion's public key using OAEP.

retry Optional[google.api_core.retry.Retry]

A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

timeout Optional[float]

The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

metadata Optional[Sequence[Tuple[str, str]]]

Additional metadata that is provided to the method.

Exceptions
Type Description
google.api_core.exceptions.GoogleAPICallError If the request failed for any reason.
google.api_core.exceptions.RetryError If the request failed due to a retryable error and retry attempts failed.
ValueError If the parameters are invalid.

asymmetric_sign

asymmetric_sign(name, digest, retry=<_MethodDefault._DEFAULT_VALUE: <object object>>, timeout=<_MethodDefault._DEFAULT_VALUE: <object object>>, metadata=None)

Signs data using a CryptoKeyVersion with CryptoKey.purpose ASYMMETRIC_SIGN, producing a signature that can be verified with the public key retrieved from GetPublicKey.

Example

from google.cloud import kms_v1

client = kms_v1.KeyManagementServiceClient()

name = client.crypto_key_version_path('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]', '[CRYPTO_KEY_VERSION]')

# TODO: Initialize digest:
digest = {}

response = client.asymmetric_sign(name, digest)

Parameters
Name Description
name str

Required. The resource name of the CryptoKeyVersion to use for signing.

digest Union[dict, Digest]

Required. The digest of the data to sign. The digest must be produced with the same digest algorithm as specified by the key version's algorithm. If a dict is provided, it must be of the same form as the protobuf message Digest

retry Optional[google.api_core.retry.Retry]

A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

timeout Optional[float]

The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

metadata Optional[Sequence[Tuple[str, str]]]

Additional metadata that is provided to the method.

Exceptions
Type Description
google.api_core.exceptions.GoogleAPICallError If the request failed for any reason.
google.api_core.exceptions.RetryError If the request failed due to a retryable error and retry attempts failed.
ValueError If the parameters are invalid.
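The digest requirement for asymmetric_sign, as an added example that is not part of the original reference: it builds the digest dict from the hash named in the key version's algorithm and rejects a mismatched precomputed digest before the request is sent. The helper names are hypothetical, and the algorithm is assumed to be passed as the CryptoKeyVersionAlgorithm enum name (for example 'EC_SIGN_P256_SHA256').

```python
import hashlib

# Digest message fields and the hash each must carry: name -> (constructor, size in bytes).
DIGEST_FIELDS = {
    "sha256": (hashlib.sha256, 32),
    "sha384": (hashlib.sha384, 48),
    "sha512": (hashlib.sha512, 64),
}


def digest_field_for(algorithm_name):
    """Map a signing algorithm enum name (assumed input) to the Digest field it needs."""
    if "_SIGN_" not in algorithm_name:
        raise ValueError("%r is not a signing algorithm" % algorithm_name)
    field = algorithm_name.rsplit("_", 1)[-1].lower()
    if field not in DIGEST_FIELDS:
        raise ValueError("no Digest field for %r" % algorithm_name)
    return field


def build_digest(algorithm_name, chunks):
    """Hash an iterable of byte chunks with the hash the key version expects."""
    field = digest_field_for(algorithm_name)
    hasher = DIGEST_FIELDS[field][0]()
    for chunk in chunks:
        hasher.update(chunk)
    return {field: hasher.digest()}


def check_digest(algorithm_name, digest):
    """Reject a precomputed digest dict that cannot match the key version's algorithm."""
    field = digest_field_for(algorithm_name)
    if list(digest) != [field]:
        raise ValueError("expected only %r, got %r" % (field, sorted(digest)))
    expected_size = DIGEST_FIELDS[field][1]
    if len(digest[field]) != expected_size:
        raise ValueError("%s digest must be %d bytes" % (field, expected_size))
    return digest


def sign_chunks(client, name, algorithm_name, chunks):
    """Call asymmetric_sign (documented above) with a digest built for the key's algorithm."""
    digest = check_digest(algorithm_name, build_digest(algorithm_name, chunks))
    return client.asymmetric_sign(name, digest)
```

Hashing in chunks keeps large inputs out of memory; only the fixed-size digest is sent to the service.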

create_crypto_key

create_crypto_key(parent, crypto_key_id, crypto_key, skip_initial_version_creation=None, retry=<_MethodDefault._DEFAULT_VALUE: <object object>>, timeout=<_MethodDefault._DEFAULT_VALUE: <object object>>, metadata=None)

Create a new CryptoKey within a KeyRing.

CryptoKey.purpose and CryptoKey.version_template.algorithm are required.

Example

from google.cloud import kms_v1
from google.cloud.kms_v1 import enums

client = kms_v1.KeyManagementServiceClient()

parent = client.key_ring_path('[PROJECT]', '[LOCATION]', '[KEY_RING]')
crypto_key_id = 'my-app-key'
purpose = enums.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
seconds = 2147483647
next_rotation_time = {'seconds': seconds}
# Rotation period in seconds: 604800 s = 7 days
seconds_2 = 604800
rotation_period = {'seconds': seconds_2}
crypto_key = {'purpose': purpose, 'next_rotation_time': next_rotation_time, 'rotation_period': rotation_period}

response = client.create_crypto_key(parent, crypto_key_id, crypto_key)

Parameters
Name Description
parent str

Required. The name of the KeyRing associated with the CryptoKeys.

crypto_key_id str

Required. It must be unique within a KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}

crypto_key Union[dict, CryptoKey]

Required. A CryptoKey with initial field values. If a dict is provided, it must be of the same form as the protobuf message CryptoKey

skip_initial_version_creation bool

If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must manually call CreateCryptoKeyVersion or ImportCryptoKeyVersion before you can use this CryptoKey.

retry Optional[google.api_core.retry.Retry]

A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

timeout Optional[float]

The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

metadata Optional[Sequence[Tuple[str, str]]]

Additional metadata that is provided to the method.

Exceptions
Type Description
google.api_core.exceptions.GoogleAPICallError If the request failed for any reason.
google.api_core.exceptions.RetryError If the request failed due to a retryable error and retry attempts failed.
ValueError If the parameters are invalid.

create_crypto_key_version

create_crypto_key_version(parent, crypto_key_version, retry=<_MethodDefault._DEFAULT_VALUE: <object object>>, timeout=<_MethodDefault._DEFAULT_VALUE: <object object>>, metadata=None)

Create a new CryptoKeyVersion in a CryptoKey.

The server will assign the next sequential id. If unset, state will be set to ENABLED.

Example

from google.cloud import kms_v1

client = kms_v1.KeyManagementServiceClient()

parent = client.crypto_key_path('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]')

# TODO: Initialize crypto_key_version:
crypto_key_version = {}

response = client.create_crypto_key_version(parent, crypto_key_version)

Parameters
Name Description
parent str

Required. The name of the CryptoKey associated with the CryptoKeyVersions.

crypto_key_version Union[dict, CryptoKeyVersion]

Required. A CryptoKeyVersion with initial field values. If a dict is provided, it must be of the same form as the protobuf message CryptoKeyVersion

retry Optional[google.api_core.retry.Retry]

A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

timeout Optional[float]

The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

metadata Optional[Sequence[Tuple[str, str]]]

Additional metadata that is provided to the method.

Exceptions
Type Description
google.api_core.exceptions.GoogleAPICallError If the request failed for any reason.
google.api_core.exceptions.RetryError If the request failed due to a retryable error and retry attempts failed.
ValueError If the parameters are invalid.

create_import_job

create_import_job(parent, import_job_id, import_job, retry=<_MethodDefault._DEFAULT_VALUE: <object object>>, timeout=<_MethodDefault._DEFAULT_VALUE: <object object>>, metadata=None)

Create a new ImportJob within a KeyRing.

ImportJob.import_method is required.

Example

from google.cloud import kms_v1
from google.cloud.kms_v1 import enums

client = kms_v1.KeyManagementServiceClient()

parent = client.key_ring_path('[PROJECT]', '[LOCATION]', '[KEY_RING]')
import_job_id = 'my-import-job'
import_method = enums.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256
protection_level = enums.ProtectionLevel.HSM
import_job = {'import_method': import_method, 'protection_level': protection_level}

response = client.create_import_job(parent, import_job_id, import_job)

Parameters
Name Description
parent str

Required. The name of the KeyRing associated with the ImportJobs.

import_job_id str

Required. It must be unique within a KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}

import_job Union[dict, ImportJob]

Required. An ImportJob with initial field values. If a dict is provided, it must be of the same form as the protobuf message ImportJob

retry Optional[google.api_core.retry.Retry]

A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

timeout Optional[float]

The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

metadata Optional[Sequence[Tuple[str, str]]]

Additional metadata that is provided to the method.

Exceptions
Type Description
google.api_core.exceptions.GoogleAPICallError If the request failed for any reason.
google.api_core.exceptions.RetryError If the request failed due to a retryable error and retry attempts failed.
ValueError If the parameters are invalid.

create_key_ring

create_key_ring(parent, key_ring_id, key_ring, retry=<_MethodDefault._DEFAULT_VALUE: <object object>>, timeout=<_MethodDefault._DEFAULT_VALUE: <object object>>, metadata=None)

Create a new KeyRing in a given Project and Location.

Example

from google.cloud import kms_v1

client = kms_v1.KeyManagementServiceClient()

parent = client.location_path('[PROJECT]', '[LOCATION]')

# TODO: Initialize key_ring_id:
key_ring_id = ''

# TODO: Initialize key_ring:
key_ring = {}

response = client.create_key_ring(parent, key_ring_id, key_ring)

Parameters
Name Description
parent str

Required. The resource name of the location associated with the KeyRings, in the format projects/*/locations/*.

key_ring_id str

Required. It must be unique within a location and match the regular expression [a-zA-Z0-9_-]{1,63}

key_ring Union[dict, KeyRing]

Required. A KeyRing with initial field values. If a dict is provided, it must be of the same form as the protobuf message KeyRing

retry Optional[google.api_core.retry.Retry]

A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

timeout Optional[float]

The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

metadata Optional[Sequence[Tuple[str, str]]]

Additional metadata that is provided to the method.

Exceptions
Type Description
google.api_core.exceptions.GoogleAPICallError If the request failed for any reason.
google.api_core.exceptions.RetryError If the request failed due to a retryable error and retry attempts failed.
ValueError If the parameters are invalid.

crypto_key_path

crypto_key_path(project, location, key_ring, crypto_key)

Return a fully-qualified crypto_key string.

crypto_key_path_path

crypto_key_path_path(project, location, key_ring, crypto_key_path)

Return a fully-qualified crypto_key_path string.

crypto_key_version_path

crypto_key_version_path(
    project, location, key_ring, crypto_key, crypto_key_version
)

Return a fully-qualified crypto_key_version string.

decrypt

decrypt(name, ciphertext, additional_authenticated_data=None, retry=<_MethodDefault._DEFAULT_VALUE: <object object>>, timeout=<_MethodDefault._DEFAULT_VALUE: <object object>>, metadata=None)

Decrypts data that was protected by Encrypt. The CryptoKey.purpose must be ENCRYPT_DECRYPT.

Example

from google.cloud import kms_v1

client = kms_v1.KeyManagementServiceClient()

name = client.crypto_key_path('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]')

# TODO: Initialize ciphertext:
ciphertext = b''

response = client.decrypt(name, ciphertext)

Parameters
Name Description
name str

Required. The resource name of the CryptoKey to use for decryption. The server will choose the appropriate version.

ciphertext bytes

Required. The encrypted data originally returned in EncryptResponse.ciphertext.

additional_authenticated_data bytes

Optional. Optional data that must match the data originally supplied in EncryptRequest.additional_authenticated_data.

retry Optional[google.api_core.retry.Retry]

A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

timeout Optional[float]

The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

metadata Optional[Sequence[Tuple[str, str]]]

Additional metadata that is provided to the method.

Exceptions
Type Description
google.api_core.exceptions.GoogleAPICallError If the request failed for any reason.
google.api_core.exceptions.RetryError If the request failed due to a retryable error and retry attempts failed.
ValueError If the parameters are invalid.

destroy_crypto_key_version

destroy_crypto_key_version(name, retry=<_MethodDefault._DEFAULT_VALUE: <object object>>, timeout=<_MethodDefault._DEFAULT_VALUE: <object object>>, metadata=None)

Schedule a CryptoKeyVersion for destruction.

Upon calling this method, CryptoKeyVersion.state will be set to DESTROY_SCHEDULED and destroy_time will be set to a time 24 hours in the future, at which point the state will be changed to DESTROYED, and the key material will be irrevocably destroyed.

Before the destroy_time is reached, RestoreCryptoKeyVersion may be called to reverse the process.

Example

from google.cloud import kms_v1

client = kms_v1.KeyManagementServiceClient()

name = client.crypto_key_version_path('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]', '[CRYPTO_KEY_VERSION]')

response = client.destroy_crypto_key_version(name)

Parameters
Name Description
name str

Required. The resource name of the CryptoKeyVersion to destroy.

retry Optional[google.api_core.retry.Retry]

A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

timeout Optional[float]

The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

metadata Optional[Sequence[Tuple[str, str]]]

Additional metadata that is provided to the method.

Exceptions
Type Description
google.api_core.exceptions.GoogleAPICallError If the request failed for any reason.
google.api_core.exceptions.RetryError If the request failed due to a retryable error and retry attempts failed.
ValueError If the parameters are invalid.

encrypt

encrypt(name, plaintext, additional_authenticated_data=None, retry=<_MethodDefault._DEFAULT_VALUE: <object object>>, timeout=<_MethodDefault._DEFAULT_VALUE: <object object>>, metadata=None)

Encrypts data, so that it can only be recovered by a call to Decrypt. The CryptoKey.purpose must be ENCRYPT_DECRYPT.

Example

from google.cloud import kms_v1

client = kms_v1.KeyManagementServiceClient()

# TODO: Initialize name:
name = ''

# TODO: Initialize plaintext:
plaintext = b''

response = client.encrypt(name, plaintext)

Parameters
Name Description
name str

Required. The resource name of the CryptoKey or CryptoKeyVersion to use for encryption. If a CryptoKey is specified, the server will use its primary version.

plaintext bytes

Required. The data to encrypt. Must be no larger than 64KiB. The maximum size depends on the key version's protection_level. For SOFTWARE keys, the plaintext must be no larger than 64KiB. For HSM keys, the combined length of the plaintext and additional_authenticated_data fields must be no larger than 8KiB.

additional_authenticated_data bytes

Optional. Optional data that, if specified, must also be provided during decryption through DecryptRequest.additional_authenticated_data. The maximum size depends on the key version's protection_level. For SOFTWARE keys, the AAD must be no larger than 64KiB. For HSM keys, the combined length of the plaintext and additional_authenticated_data fields must be no larger than 8KiB.

retry Optional[google.api_core.retry.Retry]

A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

timeout Optional[float]

The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

metadata Optional[Sequence[Tuple[str, str]]]

Additional metadata that is provided to the method.

Exceptions
Type Description
google.api_core.exceptions.GoogleAPICallError If the request failed for any reason.
google.api_core.exceptions.RetryError If the request failed due to a retryable error and retry attempts failed.
ValueError If the parameters are invalid.

from_service_account_file

from_service_account_file(filename, *args, **kwargs)

Creates an instance of this client using the provided credentials file.

Parameter
Name Description
filename str

The path to the service account private key JSON file.

Returns
Type Description
KeyManagementServiceClient The constructed client.

from_service_account_json

from_service_account_json(filename, *args, **kwargs)

Creates an instance of this client using the provided credentials file.

Parameter
Name Description
filename str

The path to the service account private key JSON file.

Returns
Type Description
KeyManagementServiceClient The constructed client.

get_crypto_key

get_crypto_key(name, retry=<_MethodDefault._DEFAULT_VALUE: <object object>>, timeout=<_MethodDefault._DEFAULT_VALUE: <object object>>, metadata=None)

Returns metadata for a given CryptoKey, as well as its primary CryptoKeyVersion.

Example

from google.cloud import kms_v1

client = kms_v1.KeyManagementServiceClient()

name = client.crypto_key_path('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]')

response = client.get_crypto_key(name)

Parameters
Name Description
name str

Required. The name of the CryptoKey to get.

retry Optional[google.api_core.retry.Retry]

A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

timeout Optional[float]

The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

metadata Optional[Sequence[Tuple[str, str]]]

Additional metadata that is provided to the method.

Exceptions
Type Description
google.api_core.exceptions.GoogleAPICallError If the request failed for any reason.
google.api_core.exceptions.RetryError If the request failed due to a retryable error and retry attempts failed.
ValueError If the parameters are invalid.

get_crypto_key_version

get_crypto_key_version(name, retry=<_MethodDefault._DEFAULT_VALUE: <object object>>, timeout=<_MethodDefault._DEFAULT_VALUE: <object object>>, metadata=None)

Returns metadata for a given CryptoKeyVersion.

Example

from google.cloud import kms_v1

client = kms_v1.KeyManagementServiceClient()

name = client.crypto_key_version_path('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]', '[CRYPTO_KEY_VERSION]')

response = client.get_crypto_key_version(name)

Parameters
Name Description
name str

Required. The name of the CryptoKeyVersion to get.

retry Optional[google.api_core.retry.Retry]

A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

timeout Optional[float]

The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

metadata Optional[Sequence[Tuple[str, str]]]

Additional metadata that is provided to the method.

Exceptions
Type Description
google.api_core.exceptions.GoogleAPICallError If the request failed for any reason.
google.api_core.exceptions.RetryError If the request failed due to a retryable error and retry attempts failed.
ValueError If the parameters are invalid.

get_iam_policy

get_iam_policy(resource, options_=None, retry=<_MethodDefault._DEFAULT_VALUE: <object object>>, timeout=<_MethodDefault._DEFAULT_VALUE: <object object>>, metadata=None)

Gets the access control policy for a resource. Returns an empty policy if the resource exists and does not have a policy set.

Example

from google.cloud import kms_v1

client = kms_v1.KeyManagementServiceClient()

# TODO: Initialize resource:
resource = ''

response = client.get_iam_policy(resource)

Parameters
Name Description
resource str

REQUIRED: The resource for which the policy is being requested. See the operation documentation for the appropriate value for this field.

options_ Union[dict, GetPolicyOptions]

OPTIONAL: A GetPolicyOptions object for specifying options to GetIamPolicy. This field is only used by Cloud IAM. If a dict is provided, it must be of the same form as the protobuf message GetPolicyOptions

retry Optional[google.api_core.retry.Retry]

A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

timeout Optional[float]

The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

metadata Optional[Sequence[Tuple[str, str]]]

Additional metadata that is provided to the method.

Exceptions
Type Description
google.api_core.exceptions.GoogleAPICallError If the request failed for any reason.
google.api_core.exceptions.RetryError If the request failed due to a retryable error and retry attempts failed.
ValueError If the parameters are invalid.

get_import_job

get_import_job(name, retry=<_MethodDefault._DEFAULT_VALUE: <object object>>, timeout=<_MethodDefault._DEFAULT_VALUE: <object object>>, metadata=None)

Returns metadata for a given ImportJob.

Example

from google.cloud import kms_v1

client = kms_v1.KeyManagementServiceClient()

name = client.import_job_path('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[IMPORT_JOB]')

response = client.get_import_job(name)

Parameters
Name Description
name str

Required. The name of the ImportJob to get.

retry Optional[google.api_core.retry.Retry]

A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

timeout Optional[float]

The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

metadata Optional[Sequence[Tuple[str, str]]]

Additional metadata that is provided to the method.

Exceptions
Type Description
google.api_core.exceptions.GoogleAPICallError If the request failed for any reason.
google.api_core.exceptions.RetryError If the request failed due to a retryable error and retry attempts failed.
ValueError If the parameters are invalid.

get_key_ring

get_key_ring(name, retry=<_MethodDefault._DEFAULT_VALUE: <object object>>, timeout=<_MethodDefault._DEFAULT_VALUE: <object object>>, metadata=None)

Returns metadata for a given KeyRing.

Example

from google.cloud import kms_v1

client = kms_v1.KeyManagementServiceClient()

name = client.key_ring_path('[PROJECT]', '[LOCATION]', '[KEY_RING]')

response = client.get_key_ring(name)

Parameters
Name Description
name str

Required. The name of the KeyRing to get.

retry Optional[google.api_core.retry.Retry]

A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

timeout Optional[float]

The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

metadata Optional[Sequence[Tuple[str, str]]]

Additional metadata that is provided to the method.

Exceptions
Type Description
google.api_core.exceptions.GoogleAPICallError If the request failed for any reason.
google.api_core.exceptions.RetryError If the request failed due to a retryable error and retry attempts failed.
ValueError If the parameters are invalid.

get_public_key

get_public_key(name, retry=<_MethodDefault._DEFAULT_VALUE: <object object>>, timeout=<_MethodDefault._DEFAULT_VALUE: <object object>>, metadata=None)

Returns the public key for the given CryptoKeyVersion. The CryptoKey.purpose must be ASYMMETRIC_SIGN or ASYMMETRIC_DECRYPT.

Example

from google.cloud import kms_v1

client = kms_v1.KeyManagementServiceClient()

name = client.crypto_key_version_path('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]', '[CRYPTO_KEY_VERSION]')

response = client.get_public_key(name)

Parameters
Name Description
name str

Required. The name of the CryptoKeyVersion public key to get.

retry Optional[google.api_core.retry.Retry]

A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

timeout Optional[float]

The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

metadata Optional[Sequence[Tuple[str, str]]]

Additional metadata that is provided to the method.

Exceptions
Type Description
google.api_core.exceptions.GoogleAPICallError If the request failed for any reason.
google.api_core.exceptions.RetryError If the request failed due to a retryable error and retry attempts failed.
ValueError If the parameters are invalid.

import_crypto_key_version

import_crypto_key_version(parent, algorithm, import_job, rsa_aes_wrapped_key=None, retry=<_MethodDefault._DEFAULT_VALUE: <object object>>, timeout=<_MethodDefault._DEFAULT_VALUE: <object object>>, metadata=None)

Imports a new CryptoKeyVersion into an existing CryptoKey using the wrapped key material provided in the request.

The version ID will be assigned the next sequential id within the CryptoKey.

Example

from google.cloud import kms_v1
from google.cloud.kms_v1 import enums

client = kms_v1.KeyManagementServiceClient()

parent = client.crypto_key_path('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]')

# TODO: Initialize algorithm:
algorithm = enums.CryptoKeyVersion.CryptoKeyVersionAlgorithm.CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED

# TODO: Initialize import_job:
import_job = ''

response = client.import_crypto_key_version(parent, algorithm, import_job)

Parameters
Name Description
parent str

Required. The name of the CryptoKey to be imported into.

algorithm CryptoKeyVersionAlgorithm

Required. The algorithm of the key being imported. This does not need to match the version_template of the CryptoKey this version imports into.

import_job str

Required. The name of the ImportJob that was used to wrap this key material.

rsa_aes_wrapped_key bytes

Wrapped key material produced with RSA_OAEP_3072_SHA1_AES_256 or RSA_OAEP_4096_SHA1_AES_256. This field contains the concatenation of two wrapped keys:

  1. An ephemeral AES-256 wrapping key wrapped with the public_key using RSAES-OAEP with SHA-1, MGF1 with SHA-1, and an empty label.
  2. The key to be imported, wrapped with the ephemeral AES-256 key using AES-KWP (RFC 5649).

If importing symmetric key material, it is expected that the unwrapped key contains plain bytes. If importing asymmetric key material, it is expected that the unwrapped key is in PKCS#8-encoded DER format (the PrivateKeyInfo structure from RFC 5208). This format is the same as the format produced by PKCS#11 mechanism CKM_RSA_AES_KEY_WRAP.

retry Optional[google.api_core.retry.Retry]

A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

timeout Optional[float]

The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

metadata Optional[Sequence[Tuple[str, str]]]

Additional metadata that is provided to the method.

Exceptions
Type Description
google.api_core.exceptions.GoogleAPICallError If the request failed for any reason.
google.api_core.exceptions.RetryError If the request failed due to a retryable error and retry attempts failed.
ValueError If the parameters are invalid.
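The two-part rsa_aes_wrapped_key layout described above, as an added example that is not part of the original reference: it wraps key material locally with the third-party cryptography package and round-trips it to confirm the layout. The function names are hypothetical, and a locally generated RSA key pair (constructed for the example) stands in for the import job's public key.

```python
import os

from cryptography.hazmat.primitives import hashes, keywrap, serialization
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa


def _oaep_sha1():
    # RSAES-OAEP with SHA-1, MGF1 with SHA-1, and an empty label, as listed above.
    return padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA1()),
                        algorithm=hashes.SHA1(), label=None)


def wrap_for_import(wrapping_public_key_pem, key_material):
    """Return bytes laid out as rsa_aes_wrapped_key expects.

    key_material is plain bytes for a symmetric key, or PKCS#8 DER for an
    asymmetric private key.
    """
    public_key = serialization.load_pem_public_key(wrapping_public_key_pem)
    ephemeral_key = os.urandom(32)  # ephemeral AES-256 wrapping key
    # Part 1: the ephemeral key, wrapped with the RSA public key.
    part1 = public_key.encrypt(ephemeral_key, _oaep_sha1())
    # Part 2: the key to import, wrapped with AES-KWP (RFC 5649).
    part2 = keywrap.aes_key_wrap_with_padding(ephemeral_key, key_material)
    return part1 + part2


def pkcs8_der(private_key):
    """Serialize an asymmetric private key as unencrypted PKCS#8 DER."""
    return private_key.private_bytes(
        encoding=serialization.Encoding.DER,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.NoEncryption())


def unwrap_locally(wrapping_private_key, wrapped):
    """Reverse wrap_for_import with a local private key (self-check only)."""
    split = wrapping_private_key.key_size // 8  # length of the RSA-wrapped part
    ephemeral_key = wrapping_private_key.decrypt(wrapped[:split], _oaep_sha1())
    return keywrap.aes_key_unwrap_with_padding(ephemeral_key, wrapped[split:])


def make_stand_in_wrapping_key(bits=3072):
    """Constructed RSA key pair standing in for the import job's key pair."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    pem = private_key.public_key().public_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PublicFormat.SubjectPublicKeyInfo)
    return private_key, pem


def round_trip_demo():
    """Wrap a symmetric key and an EC private key; return (length, recovered?) per case."""
    private_key, pem = make_stand_in_wrapping_key()
    cases = (
        ("symmetric", os.urandom(32)),                                   # plain bytes
        ("ec_p256", pkcs8_der(ec.generate_private_key(ec.SECP256R1()))),  # PKCS#8 DER
    )
    results = {}
    for label, material in cases:
        wrapped = wrap_for_import(pem, material)
        results[label] = (len(wrapped), unwrap_locally(private_key, wrapped) == material)
    return results
```

With a real import job, the output of wrap_for_import is what gets passed as rsa_aes_wrapped_key to import_crypto_key_version(parent, algorithm, import_job, rsa_aes_wrapped_key=...); the private half never leaves the service, so unwrap_locally applies only to the stand-in key.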

import_job_path

import_job_path(project, location, key_ring, import_job)

Return a fully-qualified import_job string.

key_ring_path

key_ring_path(project, location, key_ring)

Return a fully-qualified key_ring string.

list_crypto_key_versions

list_crypto_key_versions(parent, page_size=None, view=None, filter_=None, order_by=None, retry=<_MethodDefault._DEFAULT_VALUE: <object object>>, timeout=<_MethodDefault._DEFAULT_VALUE: <object object>>, metadata=None)

Lists CryptoKeyVersions.

Example

from google.cloud import kms_v1

client = kms_v1.KeyManagementServiceClient()

parent = client.crypto_key_path('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]')

# Iterate over all results
for element in client.list_crypto_key_versions(parent):
    # process element
    pass

# Alternatively:

# Iterate over results one page at a time
for page in client.list_crypto_key_versions(parent).pages:
    for element in page:
        # process element
        pass

Parameters
Name Description
parent str

Required. The resource name of the CryptoKey to list, in the format projects/*/locations/*/keyRings/*/cryptoKeys/*.

page_size int

The maximum number of resources contained in the underlying API response. If page streaming is performed per-resource, this parameter does not affect the return value. If page streaming is performed per-page, this determines the maximum number of resources in a page.

view CryptoKeyVersionView

The fields to include in the response.

filter_ str

Optional. Only include resources that match the filter in the response. For more information, see Sorting and filtering list results (https://cloud.google.com/kms/docs/sorting-and-filtering).

order_by str

Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order. For more information, see Sorting and filtering list results (https://cloud.google.com/kms/docs/sorting-and-filtering).

retry Optional[google.api_core.retry.Retry]

A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

timeout Optional[float]

The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

metadata Optional[Sequence[Tuple[str, str]]]

Additional metadata that is provided to the method.

Exceptions
Type | Description
google.api_core.exceptions.GoogleAPICallError | If the request failed for any reason.
google.api_core.exceptions.RetryError | If the request failed due to a retryable error and retry attempts failed.
ValueError | If the parameters are invalid.

list_crypto_keys

list_crypto_keys(parent, page_size=None, version_view=None, filter_=None, order_by=None, retry=<_MethodDefault._DEFAULT_VALUE: <object object>>, timeout=<_MethodDefault._DEFAULT_VALUE: <object object>>, metadata=None)

Lists CryptoKeys.

Example

from google.cloud import kms_v1

client = kms_v1.KeyManagementServiceClient()

parent = client.key_ring_path('[PROJECT]', '[LOCATION]', '[KEY_RING]')

# Iterate over all results
for element in client.list_crypto_keys(parent):
    # process element
    pass

# Alternatively:

# Iterate over results one page at a time
for page in client.list_crypto_keys(parent).pages:
    for element in page:
        # process element
        pass

Parameters
Name | Description
parent str

Required. The resource name of the KeyRing to list, in the format projects/*/locations/*/keyRings/*.

page_size int

The maximum number of resources contained in the underlying API response. If page streaming is performed per-resource, this parameter does not affect the return value. If page streaming is performed per-page, this determines the maximum number of resources in a page.

version_view CryptoKeyVersionView

The fields of the primary version to include in the response.

filter_ str

Optional. Only include resources that match the filter in the response. For more information, see Sorting and filtering list results (https://cloud.google.com/kms/docs/sorting-and-filtering).

order_by str

Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order. For more information, see Sorting and filtering list results (https://cloud.google.com/kms/docs/sorting-and-filtering).

retry Optional[google.api_core.retry.Retry]

A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

timeout Optional[float]

The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

metadata Optional[Sequence[Tuple[str, str]]]

Additional metadata that is provided to the method.

Exceptions
Type | Description
google.api_core.exceptions.GoogleAPICallError | If the request failed for any reason.
google.api_core.exceptions.RetryError | If the request failed due to a retryable error and retry attempts failed.
ValueError | If the parameters are invalid.

list_import_jobs

list_import_jobs(parent, page_size=None, filter_=None, order_by=None, retry=<_MethodDefault._DEFAULT_VALUE: <object object>>, timeout=<_MethodDefault._DEFAULT_VALUE: <object object>>, metadata=None)

Lists ImportJobs.

Example

from google.cloud import kms_v1

client = kms_v1.KeyManagementServiceClient()

parent = client.key_ring_path('[PROJECT]', '[LOCATION]', '[KEY_RING]')

# Iterate over all results
for element in client.list_import_jobs(parent):
    # process element
    pass

# Alternatively:

# Iterate over results one page at a time
for page in client.list_import_jobs(parent).pages:
    for element in page:
        # process element
        pass

Parameters
Name | Description
parent str

Required. The resource name of the KeyRing to list, in the format projects/*/locations/*/keyRings/*.

page_size int

The maximum number of resources contained in the underlying API response. If page streaming is performed per-resource, this parameter does not affect the return value. If page streaming is performed per-page, this determines the maximum number of resources in a page.

filter_ str

Optional. Only include resources that match the filter in the response. For more information, see Sorting and filtering list results (https://cloud.google.com/kms/docs/sorting-and-filtering).

order_by str

Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order. For more information, see Sorting and filtering list results (https://cloud.google.com/kms/docs/sorting-and-filtering).

retry Optional[google.api_core.retry.Retry]

A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

timeout Optional[float]

The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

metadata Optional[Sequence[Tuple[str, str]]]

Additional metadata that is provided to the method.

Exceptions
Type | Description
google.api_core.exceptions.GoogleAPICallError | If the request failed for any reason.
google.api_core.exceptions.RetryError | If the request failed due to a retryable error and retry attempts failed.
ValueError | If the parameters are invalid.

list_key_rings

list_key_rings(parent, page_size=None, filter_=None, order_by=None, retry=<_MethodDefault._DEFAULT_VALUE: <object object>>, timeout=<_MethodDefault._DEFAULT_VALUE: <object object>>, metadata=None)

Lists KeyRings.

Example

from google.cloud import kms_v1

client = kms_v1.KeyManagementServiceClient()

parent = client.location_path('[PROJECT]', '[LOCATION]')

# Iterate over all results
for element in client.list_key_rings(parent):
    # process element
    pass

# Alternatively:

# Iterate over results one page at a time
for page in client.list_key_rings(parent).pages:
    for element in page:
        # process element
        pass

Parameters
Name | Description
parent str

Required. The resource name of the location associated with the KeyRings, in the format projects/*/locations/*.

page_size int

The maximum number of resources contained in the underlying API response. If page streaming is performed per-resource, this parameter does not affect the return value. If page streaming is performed per-page, this determines the maximum number of resources in a page.

filter_ str

Optional. Only include resources that match the filter in the response. For more information, see Sorting and filtering list results (https://cloud.google.com/kms/docs/sorting-and-filtering).

order_by str

Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order. For more information, see Sorting and filtering list results (https://cloud.google.com/kms/docs/sorting-and-filtering).

retry Optional[google.api_core.retry.Retry]

A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

timeout Optional[float]

The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

metadata Optional[Sequence[Tuple[str, str]]]

Additional metadata that is provided to the method.

Exceptions
Type | Description
google.api_core.exceptions.GoogleAPICallError | If the request failed for any reason.
google.api_core.exceptions.RetryError | If the request failed due to a retryable error and retry attempts failed.
ValueError | If the parameters are invalid.

location_path

location_path(project, location)

Return a fully-qualified location string.

restore_crypto_key_version

restore_crypto_key_version(name, retry=<_MethodDefault._DEFAULT_VALUE: <object object>>, timeout=<_MethodDefault._DEFAULT_VALUE: <object object>>, metadata=None)

Restore a CryptoKeyVersion in the DESTROY_SCHEDULED state.

Upon restoration of the CryptoKeyVersion, state will be set to DISABLED, and destroy_time will be cleared.

Example

from google.cloud import kms_v1

client = kms_v1.KeyManagementServiceClient()

name = client.crypto_key_version_path('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]', '[CRYPTO_KEY_VERSION]')

response = client.restore_crypto_key_version(name)

Parameters
Name | Description
name str

Required. The resource name of the CryptoKeyVersion to restore.

retry Optional[google.api_core.retry.Retry]

A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

timeout Optional[float]

The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

metadata Optional[Sequence[Tuple[str, str]]]

Additional metadata that is provided to the method.

Exceptions
Type | Description
google.api_core.exceptions.GoogleAPICallError | If the request failed for any reason.
google.api_core.exceptions.RetryError | If the request failed due to a retryable error and retry attempts failed.
ValueError | If the parameters are invalid.

set_iam_policy

set_iam_policy(resource, policy, retry=<_MethodDefault._DEFAULT_VALUE: <object object>>, timeout=<_MethodDefault._DEFAULT_VALUE: <object object>>, metadata=None)

Sets the access control policy on the specified resource. Replaces any existing policy.

Can return Public Errors: NOT_FOUND, INVALID_ARGUMENT and PERMISSION_DENIED.

Example

from google.cloud import kms_v1

client = kms_v1.KeyManagementServiceClient()

# TODO: Initialize resource:
resource = ''

# TODO: Initialize policy:
policy = {}

response = client.set_iam_policy(resource, policy)

Parameters
Name | Description
resource str

REQUIRED: The resource for which the policy is being specified. See the operation documentation for the appropriate value for this field.

policy Union[dict, Policy]

REQUIRED: The complete policy to be applied to the resource. The size of the policy is limited to a few 10s of KB. An empty policy is a valid policy, but certain Cloud Platform services (such as Projects) might reject it. If a dict is provided, it must be of the same form as the protobuf message Policy.

retry Optional[google.api_core.retry.Retry]

A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

timeout Optional[float]

The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

metadata Optional[Sequence[Tuple[str, str]]]

Additional metadata that is provided to the method.

Exceptions
Type | Description
google.api_core.exceptions.GoogleAPICallError | If the request failed for any reason.
google.api_core.exceptions.RetryError | If the request failed due to a retryable error and retry attempts failed.
ValueError | If the parameters are invalid.
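
Because set_iam_policy replaces the whole policy, a change to one member is a read, edit and write-back of the complete policy. The sketch below is an added example, not part of the library's documentation: it assumes get_iam_policy (the read counterpart on this same client) returns an object with version, etag and bindings, and FakePolicyClient, sample_policy and every member name are constructed for illustration.

```python
from types import SimpleNamespace


def policy_without_member(policy, member):
    """Build a dict Policy equal to `policy` with `member` removed everywhere.

    version and etag are carried over so the write is tied to the policy that
    was read. Bindings left with no members are dropped.
    """
    bindings = []
    for binding in policy.bindings:
        condition = getattr(binding, "condition", None)
        if condition is not None and condition.expression:
            # Copying only role/members would drop the condition and widen access.
            raise ValueError("conditional binding on %s; not handled here" % binding.role)
        members = [m for m in binding.members if m != member]
        if members:
            bindings.append({"role": binding.role, "members": members})
    return {"version": policy.version, "etag": policy.etag, "bindings": bindings}


def revoke_member(client, resource, member):
    """Read, edit and write back the whole policy; returns None if unchanged."""
    current = client.get_iam_policy(resource)
    if not any(member in b.members for b in current.bindings):
        return None  # nothing to revoke, so skip the replacing write
    return client.set_iam_policy(resource, policy_without_member(current, member))


class FakePolicyClient:
    """Constructed stand-in that records each policy it is asked to write."""

    def __init__(self, policy):
        self.policy, self.writes = policy, []

    def get_iam_policy(self, resource):
        return self.policy

    def set_iam_policy(self, resource, policy):
        self.writes.append(policy)
        return policy


def sample_policy():
    # Constructed sample data; members and etag are placeholders.
    app = "serviceAccount:app@example-project.iam.gserviceaccount.com"
    return SimpleNamespace(version=1, etag=b"constructed-etag", bindings=[
        SimpleNamespace(role="roles/cloudkms.admin", members=["user:alice@example.com"]),
        SimpleNamespace(role="roles/cloudkms.cryptoKeyEncrypterDecrypter",
                        members=["user:alice@example.com", app]),
    ])
```

Writing back a dict that omits the bindings you did not intend to touch silently removes them, which is why the helper starts from the policy it just read.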

test_iam_permissions

test_iam_permissions(resource, permissions, retry=<_MethodDefault._DEFAULT_VALUE: <object object>>, timeout=<_MethodDefault._DEFAULT_VALUE: <object object>>, metadata=None)

Returns permissions that a caller has on the specified resource. If the resource does not exist, this will return an empty set of permissions, not a NOT_FOUND error.

Note: This operation is designed to be used for building permission-aware UIs and command-line tools, not for authorization checking. This operation may "fail open" without warning.

Example

from google.cloud import kms_v1

client = kms_v1.KeyManagementServiceClient()

# TODO: Initialize resource:
resource = ''

# TODO: Initialize permissions:
permissions = []

response = client.test_iam_permissions(resource, permissions)

Parameters
Name | Description
resource str

REQUIRED: The resource for which the policy detail is being requested. See the operation documentation for the appropriate value for this field.

permissions list[str]

The set of permissions to check for the resource. Permissions with wildcards (such as '*' or 'storage.*') are not allowed. For more information, see IAM Overview (https://cloud.google.com/iam/docs/overview#permissions).

retry Optional[google.api_core.retry.Retry]

A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

timeout Optional[float]

The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

metadata Optional[Sequence[Tuple[str, str]]]

Additional metadata that is provided to the method.

Exceptions
Type | Description
google.api_core.exceptions.GoogleAPICallError | If the request failed for any reason.
google.api_core.exceptions.RetryError | If the request failed due to a retryable error and retry attempts failed.
ValueError | If the parameters are invalid.

update_crypto_key

update_crypto_key(crypto_key, update_mask, retry=<_MethodDefault._DEFAULT_VALUE: <object object>>, timeout=<_MethodDefault._DEFAULT_VALUE: <object object>>, metadata=None)

Update a CryptoKey.

Example

from google.cloud import kms_v1

client = kms_v1.KeyManagementServiceClient()

# TODO: Initialize crypto_key:
crypto_key = {}

# TODO: Initialize update_mask:
update_mask = {}

response = client.update_crypto_key(crypto_key, update_mask)

Parameters
Name | Description
crypto_key Union[dict, CryptoKey]

Required. CryptoKey with updated values. If a dict is provided, it must be of the same form as the protobuf message CryptoKey.

update_mask Union[dict, FieldMask]

Required. List of fields to be updated in this request. If a dict is provided, it must be of the same form as the protobuf message FieldMask.

retry Optional[google.api_core.retry.Retry]

A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

timeout Optional[float]

The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

metadata Optional[Sequence[Tuple[str, str]]]

Additional metadata that is provided to the method.

Exceptions
Type | Description
google.api_core.exceptions.GoogleAPICallError | If the request failed for any reason.
google.api_core.exceptions.RetryError | If the request failed due to a retryable error and retry attempts failed.
ValueError | If the parameters are invalid.

update_crypto_key_primary_version

update_crypto_key_primary_version(name, crypto_key_version_id, retry=<_MethodDefault._DEFAULT_VALUE: <object object>>, timeout=<_MethodDefault._DEFAULT_VALUE: <object object>>, metadata=None)

Update the version of a CryptoKey that will be used in Encrypt.

Returns an error if called on an asymmetric key.

Example

from google.cloud import kms_v1

client = kms_v1.KeyManagementServiceClient()

name = client.crypto_key_path('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]')

# TODO: Initialize crypto_key_version_id:
crypto_key_version_id = ''

response = client.update_crypto_key_primary_version(name, crypto_key_version_id)

Parameters
Name | Description
name str

Required. The resource name of the CryptoKey to update.

crypto_key_version_id str

Required. The id of the child CryptoKeyVersion to use as primary.

retry Optional[google.api_core.retry.Retry]

A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

timeout Optional[float]

The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

metadata Optional[Sequence[Tuple[str, str]]]

Additional metadata that is provided to the method.

Exceptions
Type | Description
google.api_core.exceptions.GoogleAPICallError | If the request failed for any reason.
google.api_core.exceptions.RetryError | If the request failed due to a retryable error and retry attempts failed.
ValueError | If the parameters are invalid.

update_crypto_key_version

update_crypto_key_version(crypto_key_version, update_mask, retry=<_MethodDefault._DEFAULT_VALUE: <object object>>, timeout=<_MethodDefault._DEFAULT_VALUE: <object object>>, metadata=None)

Update a CryptoKeyVersion's metadata.

state may be changed between ENABLED and DISABLED using this method. See DestroyCryptoKeyVersion and RestoreCryptoKeyVersion to move between other states.

Example

from google.cloud import kms_v1

client = kms_v1.KeyManagementServiceClient()

# TODO: Initialize crypto_key_version:
crypto_key_version = {}

# TODO: Initialize update_mask:
update_mask = {}

response = client.update_crypto_key_version(crypto_key_version, update_mask)

Parameters
Name | Description
crypto_key_version Union[dict, CryptoKeyVersion]

Required. CryptoKeyVersion with updated values. If a dict is provided, it must be of the same form as the protobuf message CryptoKeyVersion.

update_mask Union[dict, FieldMask]

Required. List of fields to be updated in this request. If a dict is provided, it must be of the same form as the protobuf message FieldMask.

retry Optional[google.api_core.retry.Retry]

A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

timeout Optional[float]

The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

metadata Optional[Sequence[Tuple[str, str]]]

Additional metadata that is provided to the method.

Exceptions
Type | Description
google.api_core.exceptions.GoogleAPICallError | If the request failed for any reason.
google.api_core.exceptions.RetryError | If the request failed due to a retryable error and retry attempts failed.
ValueError | If the parameters are invalid.
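
Recovering a key version that was scheduled for destruction takes the two calls documented above: restore_crypto_key_version moves it from DESTROY_SCHEDULED to DISABLED, and update_crypto_key_version with a mask naming only state moves it to ENABLED. The sketch below is an added example, not part of the library's documentation: FakeKmsClient, KEY and demo are constructed so it runs offline, and the integer constants are assumed to match the API's CryptoKeyVersionState enum.

```python
from types import SimpleNamespace

# CryptoKeyVersionState values from the Cloud KMS API enum (assumed here).
ENABLED, DISABLED, DESTROY_SCHEDULED = 1, 2, 4


def recover_scheduled_versions(client, crypto_key_name, re_enable=False):
    """Restore every DESTROY_SCHEDULED version under one CryptoKey.

    Restoring leaves a version DISABLED; re-enabling is a second call to
    update_crypto_key_version whose mask names only "state".
    Returns {version_name: final_state}.
    """
    results = {}
    for version in client.list_crypto_key_versions(crypto_key_name):
        if version.state != DESTROY_SCHEDULED:
            continue
        final = client.restore_crypto_key_version(version.name)
        if final.state != DISABLED:
            raise RuntimeError("unexpected state after restore: %r" % final.state)
        if re_enable:
            final = client.update_crypto_key_version(
                {"name": version.name, "state": ENABLED}, {"paths": ["state"]}
            )
        results[version.name] = final.state
    return results


class FakeKmsClient:
    """Constructed stand-in that applies the state rules described above."""

    def __init__(self, states):
        self.versions = {n: SimpleNamespace(name=n, state=s) for n, s in states.items()}

    def list_crypto_key_versions(self, parent):
        return [v for n, v in self.versions.items() if n.startswith(parent + "/")]

    def restore_crypto_key_version(self, name):
        version = self.versions[name]
        if version.state != DESTROY_SCHEDULED:
            raise ValueError("only DESTROY_SCHEDULED versions can be restored")
        version.state = DISABLED
        return version

    def update_crypto_key_version(self, crypto_key_version, update_mask):
        version = self.versions[crypto_key_version["name"]]
        if update_mask["paths"] != ["state"] or version.state not in (ENABLED, DISABLED):
            raise ValueError("this call only moves between ENABLED and DISABLED")
        version.state = crypto_key_version["state"]
        return version


KEY = "projects/p/locations/l/keyRings/r/cryptoKeys/k"  # constructed name


def demo():
    client = FakeKmsClient({
        KEY + "/cryptoKeyVersions/1": ENABLED,
        KEY + "/cryptoKeyVersions/2": DESTROY_SCHEDULED,
    })
    return recover_scheduled_versions(client, KEY, re_enable=True)
```

Leaving re_enable at its default keeps restored versions DISABLED, which suits an investigation where the destroy request itself is still being reviewed.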