Class EkmConnection (3.6.0)

EkmConnection(mapping=None, *, ignore_unknown_fields=False, **kwargs)

An EkmConnection represents an individual EKM connection. It can be used for creating CryptoKeys and CryptoKeyVersions with a ProtectionLevel of EXTERNAL_VPC, as well as performing cryptographic operations using keys created within the EkmConnection.

Attributes

Name Description
name str
Output only. The resource name for the EkmConnection in the format projects/*/locations/*/ekmConnections/*.
create_time google.protobuf.timestamp_pb2.Timestamp
Output only. The time at which the EkmConnection was created.
service_resolvers MutableSequence[google.cloud.kms_v1.types.EkmConnection.ServiceResolver]
Optional. A list of ServiceResolvers where the EKM can be reached. There should be one ServiceResolver per EKM replica. Currently, only a single ServiceResolver is supported.
etag str
Optional. Etag of the currently stored EkmConnection.
key_management_mode google.cloud.kms_v1.types.EkmConnection.KeyManagementMode
Optional. Describes who can perform control plane operations on the EKM. If unset, this defaults to MANUAL.
crypto_space_path str
Optional. Identifies the EKM Crypto Space that this EkmConnection maps to. Note: This field is required if KeyManagementMode is CLOUD_KMS.

Classes

KeyManagementMode

KeyManagementMode(value)

KeyManagementMode describes who can perform control plane cryptographic operations using this EkmConnection.

KEY_MANAGEMENT_MODE_UNSPECIFIED (0):
    Not specified.
MANUAL (1):
    EKM-side key management operations on CryptoKeys created with this
    EkmConnection must be initiated from the EKM directly and cannot be
    performed from Cloud KMS. This means that:

    - When creating a CryptoKeyVersion associated with this
      EkmConnection, the caller must supply the key path of
      pre-existing external key material that will be linked to the
      CryptoKeyVersion.
    - Destruction of external key material cannot be requested via the
      Cloud KMS API and must be performed directly in the EKM.
    - Automatic rotation of key material is not supported.
CLOUD_KMS (2):
    All CryptoKeys created with this EkmConnection use EKM-side key
    management operations initiated from Cloud KMS. This means that:

    - When a CryptoKeyVersion associated with this EkmConnection is
      created, the EKM automatically generates new key material and a
      new key path. The caller cannot supply the key path of
      pre-existing external key material.
    - Destruction of external key material associated with this
      EkmConnection can be requested by calling
      DestroyCryptoKeyVersion.
    - Automatic rotation of key material is supported.
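The constraints stated in the attribute table (an unset mode defaults to MANUAL, crypto_space_path is required for CLOUD_KMS, only a single ServiceResolver is supported) and in the two mode descriptions (who supplies the key path, whether destruction and rotation may go through Cloud KMS) can be checked on the client before a request is sent, which turns a late server-side rejection into an early, explicit error. The following is an added example, not code from the google-cloud-kms library or from this reference: it models the documented fields with plain Python dataclasses so it runs without the library installed, and reports every documented rule a proposed connection or key operation would violate. The operation names `create_version`, `destroy_version` and `set_rotation`, the parameter `rotation_period_seconds`, and a ServiceResolver reduced to a hostname are assumptions made for the example; `ekm_connection_key_path` stands in for the caller-supplied key path on a new CryptoKeyVersion.

```python
"""Client-side pre-flight checks for EkmConnection settings and for key
operations against the documented KeyManagementMode rules.

Added example: a plain-Python model of the documented constraints, not the
google-cloud-kms types and not the server's own validation.
"""
import re
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional


class KeyManagementMode(IntEnum):
    """Mirrors the documented enum numbers."""
    KEY_MANAGEMENT_MODE_UNSPECIFIED = 0
    MANUAL = 1
    CLOUD_KMS = 2


@dataclass
class ServiceResolver:
    """Stand-in for the real ServiceResolver; only a hostname is modelled
    because the checks below need nothing else (assumption)."""
    hostname: str


@dataclass
class EkmConnection:
    """Plain-Python stand-in for the documented EkmConnection fields."""
    name: str
    service_resolvers: List[ServiceResolver] = field(default_factory=list)
    key_management_mode: KeyManagementMode = KeyManagementMode.KEY_MANAGEMENT_MODE_UNSPECIFIED
    crypto_space_path: str = ""


# Resource name format from the reference: projects/*/locations/*/ekmConnections/*
_NAME_RE = re.compile(r"^projects/[^/]+/locations/[^/]+/ekmConnections/[^/]+$")


def effective_mode(conn: EkmConnection) -> KeyManagementMode:
    """An unset key_management_mode is documented to default to MANUAL."""
    if conn.key_management_mode == KeyManagementMode.KEY_MANAGEMENT_MODE_UNSPECIFIED:
        return KeyManagementMode.MANUAL
    return conn.key_management_mode


def validate_connection(conn: EkmConnection) -> List[str]:
    """Return the documented constraints that `conn` violates (empty list = OK)."""
    problems: List[str] = []
    if not _NAME_RE.match(conn.name):
        problems.append("name must be projects/*/locations/*/ekmConnections/*")
    if len(conn.service_resolvers) > 1:
        problems.append("only a single ServiceResolver is currently supported")
    if effective_mode(conn) == KeyManagementMode.CLOUD_KMS and not conn.crypto_space_path:
        problems.append("crypto_space_path is required when key_management_mode is CLOUD_KMS")
    return problems


def validate_key_operation(
    conn: EkmConnection,
    operation: str,
    ekm_connection_key_path: Optional[str] = None,
    rotation_period_seconds: Optional[int] = None,
) -> List[str]:
    """Check one control-plane request against the mode's documented rules.

    `operation` is one of "create_version", "destroy_version" or
    "set_rotation" (names chosen for this example, not API method names).
    `ekm_connection_key_path` models the caller-supplied key path on a new
    CryptoKeyVersion; `rotation_period_seconds` models a CryptoKey rotation
    schedule (0 or None means no automatic rotation).
    """
    mode = effective_mode(conn)
    problems: List[str] = []
    if operation == "create_version":
        if mode == KeyManagementMode.MANUAL and not ekm_connection_key_path:
            problems.append("MANUAL: caller must supply the key path of pre-existing external key material")
        if mode == KeyManagementMode.CLOUD_KMS and ekm_connection_key_path:
            problems.append("CLOUD_KMS: the EKM generates the key path; the caller cannot supply one")
    elif operation == "destroy_version":
        if mode == KeyManagementMode.MANUAL:
            problems.append("MANUAL: destruction cannot be requested via Cloud KMS; perform it in the EKM")
    elif operation == "set_rotation":
        if mode == KeyManagementMode.MANUAL and rotation_period_seconds:
            problems.append("MANUAL: automatic rotation of key material is not supported")
    else:
        problems.append(f"unknown operation {operation!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample connections for a local dry run (no API calls).
    manual = EkmConnection(name="projects/p/locations/us-east1/ekmConnections/manual-ekm",
                           service_resolvers=[ServiceResolver("ekm.example.internal")])
    managed = EkmConnection(name="projects/p/locations/us-east1/ekmConnections/managed-ekm",
                            service_resolvers=[ServiceResolver("ekm.example.internal")],
                            key_management_mode=KeyManagementMode.CLOUD_KMS)
    for conn in (manual, managed):
        print(conn.name, effective_mode(conn).name, validate_connection(conn))
        print("  create_version without key path:", validate_key_operation(conn, "create_version"))
```

Run the checks before calling CreateEkmConnection, CreateCryptoKeyVersion or DestroyCryptoKeyVersion; the MANUAL-mode "destroy" finding is the one most often missed, because the API call for a CLOUD_KMS connection looks identical and only the connection's mode decides whether the EKM-side material actually goes away.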

ServiceResolver

ServiceResolver(mapping=None, *, ignore_unknown_fields=False, **kwargs)

A ServiceResolver represents an EKM replica that can be reached within an EkmConnection.