EkmConnection(mapping=None, *, ignore_unknown_fields=False, **kwargs)
An EkmConnection represents an individual EKM connection. It can be used for creating CryptoKeys and CryptoKeyVersions with a ProtectionLevel of EXTERNAL_VPC (CryptoKeyVersion.ProtectionLevel.EXTERNAL_VPC), as well as for performing cryptographic operations using keys created within the EkmConnection.
Attributes

| Name | Type | Description |
|---|---|---|
| name | str | Output only. The resource name for the EkmConnection in the format `projects/*/locations/*/ekmConnections/*`. |
| create_time | google.protobuf.timestamp_pb2.Timestamp | Output only. The time at which the EkmConnection was created. |
| service_resolvers | MutableSequence[google.cloud.kms_v1.types.EkmConnection.ServiceResolver] | A list of ServiceResolvers where the EKM can be reached. There should be one ServiceResolver per EKM replica. Currently, only a single ServiceResolver is supported. |
| etag | str | Optional. Etag of the currently stored EkmConnection. |
| key_management_mode | google.cloud.kms_v1.types.EkmConnection.KeyManagementMode | Optional. Describes who can perform control plane operations on the EKM. If unset, this defaults to MANUAL. |
| crypto_space_path | str | Optional. Identifies the EKM Crypto Space that this EkmConnection maps to. Note: This field is required if KeyManagementMode is CLOUD_KMS. |
Classes

KeyManagementMode

KeyManagementMode(value)

KeyManagementMode describes who can perform control plane cryptographic operations using this EkmConnection.

Values:

KEY_MANAGEMENT_MODE_UNSPECIFIED (0):
Not specified.

MANUAL (1):
EKM-side key management operations on CryptoKeys created with this EkmConnection must be initiated from the EKM directly and cannot be performed from Cloud KMS. This means that:
- When creating a CryptoKeyVersion associated with this EkmConnection, the caller must supply the key path of pre-existing external key material that will be linked to the CryptoKeyVersion.
- Destruction of external key material cannot be requested via the Cloud KMS API and must be performed directly in the EKM.
- Automatic rotation of key material is not supported.

CLOUD_KMS (2):
All CryptoKeys created with this EkmConnection use EKM-side key management operations initiated from Cloud KMS. This means that:
- When a CryptoKeyVersion associated with this EkmConnection is created, the EKM automatically generates new key material and a new key path. The caller cannot supply the key path of pre-existing external key material.
- Destruction of external key material associated with this EkmConnection can be requested by calling `EkmService.DestroyCryptoKeyVersion`.
- Automatic rotation of key material is supported.
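The following is an added example, not code from the google-cloud-kms library: a pre-flight validator that encodes the constraints stated above (exactly one ServiceResolver, MANUAL as the default mode, crypto_space_path required under CLOUD_KMS, and the key-path rule for each mode) over plain dicts so it runs offline. The resolver contents and the crypto_space_path value are constructed placeholders.

```python
import re
from enum import IntEnum
from typing import List, Optional


class KeyManagementMode(IntEnum):
    KEY_MANAGEMENT_MODE_UNSPECIFIED = 0
    MANUAL = 1
    CLOUD_KMS = 2


# Documented resource name format: projects/*/locations/*/ekmConnections/*
NAME_RE = re.compile(r"^projects/[^/]+/locations/[^/]+/ekmConnections/[^/]+$")


def effective_mode(conn: dict) -> KeyManagementMode:
    """An unset or UNSPECIFIED key_management_mode defaults to MANUAL."""
    raw = conn.get("key_management_mode", 0)
    mode = KeyManagementMode[raw] if isinstance(raw, str) else KeyManagementMode(raw)
    return KeyManagementMode.MANUAL if mode == KeyManagementMode.KEY_MANAGEMENT_MODE_UNSPECIFIED else mode


def validate_ekm_connection(conn: dict) -> List[str]:
    """Return the list of documented constraints the connection violates (empty means OK)."""
    problems = []
    name = conn.get("name")
    if name is not None and not NAME_RE.match(name):
        problems.append("name must look like projects/*/locations/*/ekmConnections/*")
    resolvers = conn.get("service_resolvers", [])
    if len(resolvers) != 1:  # only a single ServiceResolver is currently supported
        problems.append(f"expected exactly one ServiceResolver, got {len(resolvers)}")
    if effective_mode(conn) == KeyManagementMode.CLOUD_KMS and not conn.get("crypto_space_path"):
        problems.append("crypto_space_path is required when key_management_mode is CLOUD_KMS")
    return problems


def validate_key_version_request(conn: dict, external_key_path: Optional[str]) -> List[str]:
    """MANUAL requires a key path to pre-existing material; CLOUD_KMS forbids one (EKM generates it)."""
    mode = effective_mode(conn)
    if mode == KeyManagementMode.MANUAL and not external_key_path:
        return ["MANUAL mode requires the key path of pre-existing external key material"]
    if mode == KeyManagementMode.CLOUD_KMS and external_key_path:
        return ["CLOUD_KMS mode generates key material; a key path must not be supplied"]
    return []


# Constructed sample connections; the resolver dict stands in for one EKM replica.
MANUAL_CONN = {"name": "projects/p/locations/us-east1/ekmConnections/ekm-a",
               "service_resolvers": [{"replica": "<ekm replica placeholder>"}]}
CLOUD_KMS_CONN = {**MANUAL_CONN, "key_management_mode": "CLOUD_KMS",
                  "crypto_space_path": "<crypto-space-path placeholder>"}
```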
ServiceResolver
ServiceResolver(mapping=None, *, ignore_unknown_fields=False, **kwargs)
A ServiceResolver represents an EKM replica that can be reached within an EkmConnection.