EkmServiceClient(*, credentials: Optional[google.auth.credentials.Credentials] = None, transport: Optional[Union[str, google.cloud.kms_v1.services.ekm_service.transports.base.EkmServiceTransport]] = None, client_options: Optional[google.api_core.client_options.ClientOptions] = None, client_info: google.api_core.gapic_v1.client_info.ClientInfo = <google.api_core.gapic_v1.client_info.ClientInfo object>)
Google Cloud Key Management EKM Service
Manages external cryptographic keys and operations using those keys. Implements a REST model with the following objects:
- EkmConnection
Inheritance
builtins.object > EkmServiceClientProperties
transport
Returns the transport used by the client instance.
Type | Description |
EkmServiceTransport | The transport used by the client instance. |
Methods
EkmServiceClient
EkmServiceClient(*, credentials: Optional[google.auth.credentials.Credentials] = None, transport: Optional[Union[str, google.cloud.kms_v1.services.ekm_service.transports.base.EkmServiceTransport]] = None, client_options: Optional[google.api_core.client_options.ClientOptions] = None, client_info: google.api_core.gapic_v1.client_info.ClientInfo = <google.api_core.gapic_v1.client_info.ClientInfo object>)
Instantiates the ekm service client.
Name | Description |
credentials |
Optional[google.auth.credentials.Credentials]
The authorization credentials to attach to requests. These credentials identify the application to the service; if none are specified, the client will attempt to ascertain the credentials from the environment. |
transport |
Union[str, EkmServiceTransport]
The transport to use. If set to None, a transport is chosen automatically. |
client_options |
google.api_core.client_options.ClientOptions
Custom options for the client. It won't take effect if a |
client_info |
google.api_core.gapic_v1.client_info.ClientInfo
The client info used to send a user-agent string along with API requests. If |
Type | Description |
google.auth.exceptions.MutualTLSChannelError | If mutual TLS transport creation failed for any reason. |
__exit__
__exit__(type, value, traceback)
Releases underlying transport's resources.
.. warning:: ONLY use as a context manager if the transport is NOT shared with other clients! Exiting the with block will CLOSE the transport and may cause errors in other clients!
common_billing_account_path
common_billing_account_path(billing_account: str)
Returns a fully-qualified billing_account string.
common_folder_path
common_folder_path(folder: str)
Returns a fully-qualified folder string.
common_location_path
common_location_path(project: str, location: str)
Returns a fully-qualified location string.
common_organization_path
common_organization_path(organization: str)
Returns a fully-qualified organization string.
common_project_path
common_project_path(project: str)
Returns a fully-qualified project string.
create_ekm_connection
create_ekm_connection(request: Optional[Union[google.cloud.kms_v1.types.ekm_service.CreateEkmConnectionRequest, dict]] = None, *, parent: Optional[str] = None, ekm_connection_id: Optional[str] = None, ekm_connection: Optional[google.cloud.kms_v1.types.ekm_service.EkmConnection] = None, retry: Union[google.api_core.retry.Retry, google.api_core.gapic_v1.method._MethodDefault] = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())
Creates a new xref_EkmConnection in a given Project and Location.
Name | Description |
request |
Union[google.cloud.kms_v1.types.CreateEkmConnectionRequest, dict]
The request object. Request message for [KeyManagementService.CreateEkmConnection][]. |
parent |
str
Required. The resource name of the location associated with the EkmConnection, in the format |
ekm_connection_id |
str
Required. It must be unique within a location and match the regular expression |
ekm_connection |
google.cloud.kms_v1.types.EkmConnection
Required. An EkmConnection with initial field values. This corresponds to the |
retry |
google.api_core.retry.Retry
Designation of what errors, if any, should be retried. |
timeout |
float
The timeout for this request. |
metadata |
Sequence[Tuple[str, str]]
Strings which should be sent along with the request as metadata. |
Type | Description |
google.cloud.kms_v1.types.EkmConnection | An EkmConnection represents an individual EKM connection. It can be used for creating CryptoKeys and CryptoKeyVersions with a ProtectionLevel of `EXTERNAL_VPC][CryptoKeyVersion.ProtectionLevel.EXTERNAL_VPC]`, as well as performing cryptographic operations using keys created within the EkmConnection. |
ekm_connection_path
ekm_connection_path(project: str, location: str, ekm_connection: str)
Returns a fully-qualified ekm_connection string.
from_service_account_file
from_service_account_file(filename: str, *args, **kwargs)
Creates an instance of this client using the provided credentials file.
Name | Description |
filename |
str
The path to the service account private key json file. |
Type | Description |
EkmServiceClient | The constructed client. |
from_service_account_info
from_service_account_info(info: dict, *args, **kwargs)
Creates an instance of this client using the provided credentials info.
Name | Description |
info |
dict
The service account private key info. |
Type | Description |
EkmServiceClient | The constructed client. |
from_service_account_json
from_service_account_json(filename: str, *args, **kwargs)
Creates an instance of this client using the provided credentials file.
Name | Description |
filename |
str
The path to the service account private key json file. |
Type | Description |
EkmServiceClient | The constructed client. |
get_ekm_connection
get_ekm_connection(request: Optional[Union[google.cloud.kms_v1.types.ekm_service.GetEkmConnectionRequest, dict]] = None, *, name: Optional[str] = None, retry: Union[google.api_core.retry.Retry, google.api_core.gapic_v1.method._MethodDefault] = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())
Returns metadata for a given xref_EkmConnection.
Name | Description |
request |
Union[google.cloud.kms_v1.types.GetEkmConnectionRequest, dict]
The request object. Request message for [KeyManagementService.GetEkmConnection][]. |
name |
str
Required. The name of the EkmConnection to get. This corresponds to the |
retry |
google.api_core.retry.Retry
Designation of what errors, if any, should be retried. |
timeout |
float
The timeout for this request. |
metadata |
Sequence[Tuple[str, str]]
Strings which should be sent along with the request as metadata. |
Type | Description |
google.cloud.kms_v1.types.EkmConnection | An EkmConnection represents an individual EKM connection. It can be used for creating CryptoKeys and CryptoKeyVersions with a ProtectionLevel of `EXTERNAL_VPC][CryptoKeyVersion.ProtectionLevel.EXTERNAL_VPC]`, as well as performing cryptographic operations using keys created within the EkmConnection. |
get_iam_policy
get_iam_policy(request: Optional[google.iam.v1.iam_policy_pb2.GetIamPolicyRequest] = None, *, retry: Union[google.api_core.retry.Retry, google.api_core.gapic_v1.method._MethodDefault] = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())
Gets the IAM access control policy for a function.
Returns an empty policy if the function exists and does not have a policy set.
Name | Description |
request |
`.iam_policy_pb2.GetIamPolicyRequest`
The request object. Request message for |
retry |
google.api_core.retry.Retry
Designation of what errors, if any, should be retried. |
timeout |
float
The timeout for this request. |
metadata |
Sequence[Tuple[str, str]]
Strings which should be sent along with the request as metadata. |
Type | Description |
`.policy_pb2.Policy` | Defines an Identity and Access Management (IAM) policy. It is used to specify access control policies for Cloud Platform resources. A ``Policy`` is a collection of ``bindings``. A ``binding`` binds one or more ``members`` to a single ``role``. Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). A ``role`` is a named list of permissions (defined by IAM or configured by users). A ``binding`` can optionally specify a ``condition``, which is a logic expression that further constrains the role binding based on attributes about the request and/or target resource. **JSON Example**:: { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": ["user:eve@example.com"], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01t00:00:00.000z')",="" }="" }="" ]="" }="" **yaml="" example**::="" bindings:="" -="" members:="" -="" user:mike@example.com="" -="" group:admins@example.com="" -="" domain:google.com="" -="" serviceaccount:my-project-id@appspot.gserviceaccount.com="" role:="" roles/resourcemanager.organizationadmin="" -="" members:="" -="" user:eve@example.com="" role:="" roles/resourcemanager.organizationviewer="" condition:="" title:="" expirable="" access="" description:="" does="" not="" grant="" access="" after="" sep="" 2020="" expression:="" request.time="">< timestamp('2020-10-01t00:00:00.000z')="" for="" a="" description="" of="" iam="" and="" its="" features,="" see="" the="" `iam="" developer's="" guide=""> |
get_mtls_endpoint_and_cert_source
get_mtls_endpoint_and_cert_source(
client_options: Optional[google.api_core.client_options.ClientOptions] = None,
)
Return the API endpoint and client cert source for mutual TLS.
The client cert source is determined in the following order:
(1) if GOOGLE_API_USE_CLIENT_CERTIFICATE
environment variable is not "true", the
client cert source is None.
(2) if client_options.client_cert_source
is provided, use the provided one; if the
default client cert source exists, use the default one; otherwise the client cert
source is None.
The API endpoint is determined in the following order:
(1) if client_options.api_endpoint
if provided, use the provided one.
(2) if GOOGLE_API_USE_CLIENT_CERTIFICATE
environment variable is "always", use the
default mTLS endpoint; if the environment variabel is "never", use the default API
endpoint; otherwise if client cert source exists, use the default mTLS endpoint, otherwise
use the default API endpoint.
More details can be found at https://google.aip.dev/auth/4114.
Name | Description |
client_options |
google.api_core.client_options.ClientOptions
Custom options for the client. Only the |
Type | Description |
google.auth.exceptions.MutualTLSChannelError | If any errors happen. |
Type | Description |
Tuple[str, Callable[[], Tuple[bytes, bytes]]] | returns the API endpoint and the client cert source to use. |
list_ekm_connections
list_ekm_connections(request: Optional[Union[google.cloud.kms_v1.types.ekm_service.ListEkmConnectionsRequest, dict]] = None, *, parent: Optional[str] = None, retry: Union[google.api_core.retry.Retry, google.api_core.gapic_v1.method._MethodDefault] = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())
Lists xref_EkmConnections.
Name | Description |
request |
Union[google.cloud.kms_v1.types.ListEkmConnectionsRequest, dict]
The request object. Request message for [KeyManagementService.ListEkmConnections][]. |
parent |
str
Required. The resource name of the location associated with the EkmConnections to list, in the format |
retry |
google.api_core.retry.Retry
Designation of what errors, if any, should be retried. |
timeout |
float
The timeout for this request. |
metadata |
Sequence[Tuple[str, str]]
Strings which should be sent along with the request as metadata. |
Type | Description |
google.cloud.kms_v1.services.ekm_service.pagers.ListEkmConnectionsPager | Response message for [KeyManagementService.ListEkmConnections][]. Iterating over this object will yield results and resolve additional pages automatically. |
parse_common_billing_account_path
parse_common_billing_account_path(path: str)
Parse a billing_account path into its component segments.
parse_common_folder_path
parse_common_folder_path(path: str)
Parse a folder path into its component segments.
parse_common_location_path
parse_common_location_path(path: str)
Parse a location path into its component segments.
parse_common_organization_path
parse_common_organization_path(path: str)
Parse a organization path into its component segments.
parse_common_project_path
parse_common_project_path(path: str)
Parse a project path into its component segments.
parse_ekm_connection_path
parse_ekm_connection_path(path: str)
Parses a ekm_connection path into its component segments.
parse_service_path
parse_service_path(path: str)
Parses a service path into its component segments.
service_path
service_path(project: str, location: str, namespace: str, service: str)
Returns a fully-qualified service string.
set_iam_policy
set_iam_policy(request: Optional[google.iam.v1.iam_policy_pb2.SetIamPolicyRequest] = None, *, retry: Union[google.api_core.retry.Retry, google.api_core.gapic_v1.method._MethodDefault] = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())
Sets the IAM access control policy on the specified function.
Replaces any existing policy.
Name | Description |
request |
`.iam_policy_pb2.SetIamPolicyRequest`
The request object. Request message for |
retry |
google.api_core.retry.Retry
Designation of what errors, if any, should be retried. |
timeout |
float
The timeout for this request. |
metadata |
Sequence[Tuple[str, str]]
Strings which should be sent along with the request as metadata. |
Type | Description |
`.policy_pb2.Policy` | Defines an Identity and Access Management (IAM) policy. It is used to specify access control policies for Cloud Platform resources. A ``Policy`` is a collection of ``bindings``. A ``binding`` binds one or more ``members`` to a single ``role``. Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). A ``role`` is a named list of permissions (defined by IAM or configured by users). A ``binding`` can optionally specify a ``condition``, which is a logic expression that further constrains the role binding based on attributes about the request and/or target resource. **JSON Example**:: { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": ["user:eve@example.com"], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01t00:00:00.000z')",="" }="" }="" ]="" }="" **yaml="" example**::="" bindings:="" -="" members:="" -="" user:mike@example.com="" -="" group:admins@example.com="" -="" domain:google.com="" -="" serviceaccount:my-project-id@appspot.gserviceaccount.com="" role:="" roles/resourcemanager.organizationadmin="" -="" members:="" -="" user:eve@example.com="" role:="" roles/resourcemanager.organizationviewer="" condition:="" title:="" expirable="" access="" description:="" does="" not="" grant="" access="" after="" sep="" 2020="" expression:="" request.time="">< timestamp('2020-10-01t00:00:00.000z')="" for="" a="" description="" of="" iam="" and="" its="" features,="" see="" the="" `iam="" developer's="" guide=""> |
test_iam_permissions
test_iam_permissions(request: Optional[google.iam.v1.iam_policy_pb2.TestIamPermissionsRequest] = None, *, retry: Union[google.api_core.retry.Retry, google.api_core.gapic_v1.method._MethodDefault] = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())
Tests the specified IAM permissions against the IAM access control policy for a function.
If the function does not exist, this will return an empty set of permissions, not a NOT_FOUND error.
Name | Description |
request |
`.iam_policy_pb2.TestIamPermissionsRequest`
The request object. Request message for |
retry |
google.api_core.retry.Retry
Designation of what errors, if any, should be retried. |
timeout |
float
The timeout for this request. |
metadata |
Sequence[Tuple[str, str]]
Strings which should be sent along with the request as metadata. |
Type | Description |
`.iam_policy_pb2.TestIamPermissionsResponse` | Response message for ``TestIamPermissions`` method. |
update_ekm_connection
update_ekm_connection(request: Optional[Union[google.cloud.kms_v1.types.ekm_service.UpdateEkmConnectionRequest, dict]] = None, *, ekm_connection: Optional[google.cloud.kms_v1.types.ekm_service.EkmConnection] = None, update_mask: Optional[google.protobuf.field_mask_pb2.FieldMask] = None, retry: Union[google.api_core.retry.Retry, google.api_core.gapic_v1.method._MethodDefault] = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())
Updates an xref_EkmConnection's metadata.
Name | Description |
request |
Union[google.cloud.kms_v1.types.UpdateEkmConnectionRequest, dict]
The request object. Request message for [KeyManagementService.UpdateEkmConnection][]. |
ekm_connection |
google.cloud.kms_v1.types.EkmConnection
Required. EkmConnection with updated values. This corresponds to the |
update_mask |
google.protobuf.field_mask_pb2.FieldMask
Required. List of fields to be updated in this request. This corresponds to the |
retry |
google.api_core.retry.Retry
Designation of what errors, if any, should be retried. |
timeout |
float
The timeout for this request. |
metadata |
Sequence[Tuple[str, str]]
Strings which should be sent along with the request as metadata. |
Type | Description |
google.cloud.kms_v1.types.EkmConnection | An EkmConnection represents an individual EKM connection. It can be used for creating CryptoKeys and CryptoKeyVersions with a ProtectionLevel of `EXTERNAL_VPC][CryptoKeyVersion.ProtectionLevel.EXTERNAL_VPC]`, as well as performing cryptographic operations using keys created within the EkmConnection. |