Reference documentation and code samples for the KMS Inventory V1 API class Google::Cloud::Kms::V1::CryptoKey.
A CryptoKey represents a logical key that can be used for cryptographic operations.
A CryptoKey is made up of zero or more versions, which represent the actual key material used in cryptographic operations.
Inherits
- Object
Extended By
- Google::Protobuf::MessageExts::ClassMethods
Includes
- Google::Protobuf::MessageExts
Methods
#create_time
def create_time() -> ::Google::Protobuf::Timestamp
- (::Google::Protobuf::Timestamp) — Output only. The time at which this CryptoKey was created.
#crypto_key_backend
def crypto_key_backend() -> ::String
-
(::String) — Immutable. The resource name of the backend environment where the key
material for all CryptoKeyVersions
associated with this CryptoKey reside and
where all related cryptographic operations are performed. Only applicable
if CryptoKeyVersions have a
ProtectionLevel of
[EXTERNAL_VPC][CryptoKeyVersion.ProtectionLevel.EXTERNAL_VPC], with the
resource name in the format
projects/*/locations/*/ekmConnections/*
. Note, this list is non-exhaustive and may apply to additional ProtectionLevels in the future.
#crypto_key_backend=
def crypto_key_backend=(value) -> ::String
-
value (::String) — Immutable. The resource name of the backend environment where the key
material for all CryptoKeyVersions
associated with this CryptoKey reside and
where all related cryptographic operations are performed. Only applicable
if CryptoKeyVersions have a
ProtectionLevel of
[EXTERNAL_VPC][CryptoKeyVersion.ProtectionLevel.EXTERNAL_VPC], with the
resource name in the format
projects/*/locations/*/ekmConnections/*
. Note, this list is non-exhaustive and may apply to additional ProtectionLevels in the future.
-
(::String) — Immutable. The resource name of the backend environment where the key
material for all CryptoKeyVersions
associated with this CryptoKey reside and
where all related cryptographic operations are performed. Only applicable
if CryptoKeyVersions have a
ProtectionLevel of
[EXTERNAL_VPC][CryptoKeyVersion.ProtectionLevel.EXTERNAL_VPC], with the
resource name in the format
projects/*/locations/*/ekmConnections/*
. Note, this list is non-exhaustive and may apply to additional ProtectionLevels in the future.
#destroy_scheduled_duration
def destroy_scheduled_duration() -> ::Google::Protobuf::Duration
- (::Google::Protobuf::Duration) — Immutable. The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 30 days.
#destroy_scheduled_duration=
def destroy_scheduled_duration=(value) -> ::Google::Protobuf::Duration
- value (::Google::Protobuf::Duration) — Immutable. The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 30 days.
- (::Google::Protobuf::Duration) — Immutable. The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 30 days.
#import_only
def import_only() -> ::Boolean
- (::Boolean) — Immutable. Whether this key may contain imported versions only.
#import_only=
def import_only=(value) -> ::Boolean
- value (::Boolean) — Immutable. Whether this key may contain imported versions only.
- (::Boolean) — Immutable. Whether this key may contain imported versions only.
#key_access_justifications_policy
def key_access_justifications_policy() -> ::Google::Cloud::Kms::V1::KeyAccessJustificationsPolicy
- (::Google::Cloud::Kms::V1::KeyAccessJustificationsPolicy) — Optional. The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed.
#key_access_justifications_policy=
def key_access_justifications_policy=(value) -> ::Google::Cloud::Kms::V1::KeyAccessJustificationsPolicy
- value (::Google::Cloud::Kms::V1::KeyAccessJustificationsPolicy) — Optional. The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed.
- (::Google::Cloud::Kms::V1::KeyAccessJustificationsPolicy) — Optional. The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed.
#labels
def labels() -> ::Google::Protobuf::Map{::String => ::String}
- (::Google::Protobuf::Map{::String => ::String}) — Labels with user-defined metadata. For more information, see Labeling Keys.
#labels=
def labels=(value) -> ::Google::Protobuf::Map{::String => ::String}
- value (::Google::Protobuf::Map{::String => ::String}) — Labels with user-defined metadata. For more information, see Labeling Keys.
- (::Google::Protobuf::Map{::String => ::String}) — Labels with user-defined metadata. For more information, see Labeling Keys.
#name
def name() -> ::String
-
(::String) — Output only. The resource name for this
CryptoKey in the format
projects/*/locations/*/keyRings/*/cryptoKeys/*
.
#next_rotation_time
def next_rotation_time() -> ::Google::Protobuf::Timestamp
-
(::Google::Protobuf::Timestamp) — At next_rotation_time,
the Key Management Service will automatically:
- Create a new version of this CryptoKey.
- Mark the new version as primary.
Key rotations performed manually via [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] and [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion] do not affect next_rotation_time.
Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
#next_rotation_time=
def next_rotation_time=(value) -> ::Google::Protobuf::Timestamp
-
value (::Google::Protobuf::Timestamp) — At next_rotation_time,
the Key Management Service will automatically:
- Create a new version of this CryptoKey.
- Mark the new version as primary.
Key rotations performed manually via [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] and [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion] do not affect next_rotation_time.
Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
-
(::Google::Protobuf::Timestamp) — At next_rotation_time,
the Key Management Service will automatically:
- Create a new version of this CryptoKey.
- Mark the new version as primary.
Key rotations performed manually via [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] and [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion] do not affect next_rotation_time.
Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
#primary
def primary() -> ::Google::Cloud::Kms::V1::CryptoKeyVersion
-
(::Google::Cloud::Kms::V1::CryptoKeyVersion) — Output only. A copy of the "primary"
CryptoKeyVersion that will be used
by [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt] when this
CryptoKey is given in
[EncryptRequest.name][google.cloud.kms.v1.EncryptRequest.name].
The CryptoKey's primary version can be updated via [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion].
Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be omitted.
#purpose
def purpose() -> ::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose
- (::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose) — Immutable. The immutable purpose of this CryptoKey.
#purpose=
def purpose=(value) -> ::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose
- value (::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose) — Immutable. The immutable purpose of this CryptoKey.
- (::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose) — Immutable. The immutable purpose of this CryptoKey.
#rotation_period
def rotation_period() -> ::Google::Protobuf::Duration
-
(::Google::Protobuf::Duration) — next_rotation_time
will be advanced by this period when the service automatically rotates a
key. Must be at least 24 hours and at most 876,000 hours.
If rotation_period is set, next_rotation_time must also be set.
Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
#rotation_period=
def rotation_period=(value) -> ::Google::Protobuf::Duration
-
value (::Google::Protobuf::Duration) — next_rotation_time
will be advanced by this period when the service automatically rotates a
key. Must be at least 24 hours and at most 876,000 hours.
If rotation_period is set, next_rotation_time must also be set.
Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
-
(::Google::Protobuf::Duration) — next_rotation_time
will be advanced by this period when the service automatically rotates a
key. Must be at least 24 hours and at most 876,000 hours.
If rotation_period is set, next_rotation_time must also be set.
Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
#version_template
def version_template() -> ::Google::Cloud::Kms::V1::CryptoKeyVersionTemplate
- (::Google::Cloud::Kms::V1::CryptoKeyVersionTemplate) — A template describing settings for new CryptoKeyVersion instances. The properties of new CryptoKeyVersion instances created by either [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] or auto-rotation are controlled by this template.
#version_template=
def version_template=(value) -> ::Google::Cloud::Kms::V1::CryptoKeyVersionTemplate
- value (::Google::Cloud::Kms::V1::CryptoKeyVersionTemplate) — A template describing settings for new CryptoKeyVersion instances. The properties of new CryptoKeyVersion instances created by either [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] or auto-rotation are controlled by this template.
- (::Google::Cloud::Kms::V1::CryptoKeyVersionTemplate) — A template describing settings for new CryptoKeyVersion instances. The properties of new CryptoKeyVersion instances created by either [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] or auto-rotation are controlled by this template.