docs: docs update (#911)
Thank you for opening a Pull Request! Before submitting your PR, there are a few things you can do to make sure it goes smoothly:
- [ ] Make sure to open an issue as a [bug/issue](https://github.com/googleapis/google-api-python-client/issues/new/choose) before writing your code! That way we can discuss the change, evaluate designs, and agree on the general idea
- [ ] Ensure the tests and linter pass
- [ ] Code coverage does not decrease (if any source code was changed)
- [ ] Appropriate docs were updated (if necessary)
Fixes #<issue_number_goes_here> 🦕
diff --git a/docs/dyn/cloudkms_v1.projects.locations.keyRings.cryptoKeys.html b/docs/dyn/cloudkms_v1.projects.locations.keyRings.cryptoKeys.html
index f7fb34d..773b300 100644
--- a/docs/dyn/cloudkms_v1.projects.locations.keyRings.cryptoKeys.html
+++ b/docs/dyn/cloudkms_v1.projects.locations.keyRings.cryptoKeys.html
@@ -80,7 +80,7 @@
<p class="firstline">Returns the cryptoKeyVersions Resource.</p>
<p class="toc_element">
- <code><a href="#create">create(parent, body=None, skipInitialVersionCreation=None, cryptoKeyId=None, x__xgafv=None)</a></code></p>
+ <code><a href="#create">create(parent, body=None, cryptoKeyId=None, skipInitialVersionCreation=None, x__xgafv=None)</a></code></p>
<p class="firstline">Create a new CryptoKey within a KeyRing.</p>
<p class="toc_element">
<code><a href="#decrypt">decrypt(name, body=None, x__xgafv=None)</a></code></p>
@@ -95,7 +95,7 @@
<code><a href="#getIamPolicy">getIamPolicy(resource, options_requestedPolicyVersion=None, x__xgafv=None)</a></code></p>
<p class="firstline">Gets the access control policy for a resource.</p>
<p class="toc_element">
- <code><a href="#list">list(parent, orderBy=None, pageSize=None, pageToken=None, x__xgafv=None, versionView=None, filter=None)</a></code></p>
+ <code><a href="#list">list(parent, filter=None, pageToken=None, pageSize=None, orderBy=None, versionView=None, x__xgafv=None)</a></code></p>
<p class="firstline">Lists CryptoKeys.</p>
<p class="toc_element">
<code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p>
@@ -114,7 +114,7 @@
<p class="firstline">Update the version of a CryptoKey that will be used in Encrypt.</p>
<h3>Method Details</h3>
<div class="method">
- <code class="details" id="create">create(parent, body=None, skipInitialVersionCreation=None, cryptoKeyId=None, x__xgafv=None)</code>
+ <code class="details" id="create">create(parent, body=None, cryptoKeyId=None, skipInitialVersionCreation=None, x__xgafv=None)</code>
<pre>Create a new CryptoKey within a KeyRing.
CryptoKey.purpose and
@@ -128,161 +128,26 @@
The object takes the form of:
{ # A CryptoKey represents a logical key that can be used for cryptographic
- # operations.
- #
- # A CryptoKey is made up of one or more versions, which
- # represent the actual key material used in cryptographic operations.
- "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
- # automatically rotates a key. Must be at least 24 hours and at most
- # 876,000 hours.
- #
- # If rotation_period is set, next_rotation_time must also be set.
- #
- # Keys with purpose
- # ENCRYPT_DECRYPT support
- # automatic rotation. For other keys, this field must be omitted.
- "name": "A String", # Output only. The resource name for this CryptoKey in the format
- # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
- "labels": { # Labels with user-defined metadata. For more information, see
- # [Labeling Keys](/kms/docs/labeling-keys).
- "a_key": "A String",
- },
- "primary": { # A CryptoKeyVersion represents an individual cryptographic key, and the # Output only. A copy of the "primary" CryptoKeyVersion that will be used
- # by Encrypt when this CryptoKey is given
- # in EncryptRequest.name.
- #
- # The CryptoKey's primary version can be updated via
- # UpdateCryptoKeyPrimaryVersion.
- #
- # Keys with purpose
- # ENCRYPT_DECRYPT may have a
- # primary. For other keys, this field will be omitted.
- # associated key material.
- #
- # An ENABLED version can be
- # used for cryptographic operations.
- #
- # For security reasons, the raw cryptographic key material represented by a
- # CryptoKeyVersion can never be viewed or exported. It can only be used to
- # encrypt, decrypt, or sign data when an authorized user or application invokes
- # Cloud KMS.
- "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
- # for destruction. Only present if state is
- # DESTROY_SCHEDULED.
- "importFailureReason": "A String", # Output only. The root cause of an import failure. Only present if
- # state is
- # IMPORT_FAILED.
- "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
- # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
- "protectionLevel": "A String", # Output only. The ProtectionLevel describing how crypto operations are
- # performed with this CryptoKeyVersion.
- "attestation": { # Contains an HSM-generated attestation about a key operation. For more # Output only. Statement that was generated and signed by the HSM at key
- # creation time. Use this statement to verify attributes of the key as stored
- # on the HSM, independently of Google. Only provided for key versions with
- # protection_level HSM.
- # information, see [Verifying attestations]
- # (https://cloud.google.com/kms/docs/attest-key).
- "content": "A String", # Output only. The attestation data provided by the HSM when the key
- # operation was performed.
- "format": "A String", # Output only. The format of the attestation data.
- },
- "state": "A String", # The current state of the CryptoKeyVersion.
- "importJob": "A String", # Output only. The name of the ImportJob used to import this
- # CryptoKeyVersion. Only present if the underlying key material was
- # imported.
- "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
- # generated.
- "importTime": "A String", # Output only. The time at which this CryptoKeyVersion's key material
- # was imported.
- "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this
- # CryptoKeyVersion supports.
- "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
- "externalProtectionLevelOptions": { # ExternalProtectionLevelOptions stores a group of additional fields for # ExternalProtectionLevelOptions stores a group of additional fields for
- # configuring a CryptoKeyVersion that are specific to the
- # EXTERNAL protection level.
- # configuring a CryptoKeyVersion that are specific to the
- # EXTERNAL protection level.
- "externalKeyUri": "A String", # The URI for an external resource that this CryptoKeyVersion represents.
- },
- "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
- # destroyed. Only present if state is
- # DESTROYED.
- },
- "versionTemplate": { # A CryptoKeyVersionTemplate specifies the properties to use when creating # A template describing settings for new CryptoKeyVersion instances.
- # The properties of new CryptoKeyVersion instances created by either
- # CreateCryptoKeyVersion or
- # auto-rotation are controlled by this template.
- # a new CryptoKeyVersion, either manually with
- # CreateCryptoKeyVersion or
- # automatically as a result of auto-rotation.
- "protectionLevel": "A String", # ProtectionLevel to use when creating a CryptoKeyVersion based on
- # this template. Immutable. Defaults to SOFTWARE.
- "algorithm": "A String", # Required. Algorithm to use
- # when creating a CryptoKeyVersion based on this template.
- #
- # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
- # this field is omitted and CryptoKey.purpose is
- # ENCRYPT_DECRYPT.
- },
- "purpose": "A String", # Immutable. The immutable purpose of this CryptoKey.
- "createTime": "A String", # Output only. The time at which this CryptoKey was created.
- "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
- #
- # 1. Create a new version of this CryptoKey.
- # 2. Mark the new version as primary.
- #
- # Key rotations performed manually via
- # CreateCryptoKeyVersion and
- # UpdateCryptoKeyPrimaryVersion
- # do not affect next_rotation_time.
- #
- # Keys with purpose
- # ENCRYPT_DECRYPT support
- # automatic rotation. For other keys, this field must be omitted.
-}
-
- skipInitialVersionCreation: boolean, If set to true, the request will create a CryptoKey without any
-CryptoKeyVersions. You must manually call
-CreateCryptoKeyVersion or
-ImportCryptoKeyVersion
-before you can use this CryptoKey.
- cryptoKeyId: string, Required. It must be unique within a KeyRing and match the regular
-expression `[a-zA-Z0-9_-]{1,63}`
- x__xgafv: string, V1 error format.
- Allowed values
- 1 - v1 error format
- 2 - v2 error format
-
-Returns:
- An object of the form:
-
- { # A CryptoKey represents a logical key that can be used for cryptographic
# operations.
- #
- # A CryptoKey is made up of one or more versions, which
- # represent the actual key material used in cryptographic operations.
- "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
+ #
+ # A CryptoKey is made up of zero or more versions,
+ # which represent the actual key material used in cryptographic operations.
+ "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
# automatically rotates a key. Must be at least 24 hours and at most
# 876,000 hours.
- #
+ #
# If rotation_period is set, next_rotation_time must also be set.
- #
+ #
# Keys with purpose
# ENCRYPT_DECRYPT support
# automatic rotation. For other keys, this field must be omitted.
- "name": "A String", # Output only. The resource name for this CryptoKey in the format
- # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
- "labels": { # Labels with user-defined metadata. For more information, see
- # [Labeling Keys](/kms/docs/labeling-keys).
- "a_key": "A String",
- },
- "primary": { # A CryptoKeyVersion represents an individual cryptographic key, and the # Output only. A copy of the "primary" CryptoKeyVersion that will be used
+ "primary": { # A CryptoKeyVersion represents an individual cryptographic key, and the # Output only. A copy of the "primary" CryptoKeyVersion that will be used
# by Encrypt when this CryptoKey is given
# in EncryptRequest.name.
- #
- # The CryptoKey's primary version can be updated via
+ #
+ # The CryptoKey's primary version can be updated via
# UpdateCryptoKeyPrimaryVersion.
- #
+ #
# Keys with purpose
# ENCRYPT_DECRYPT may have a
# primary. For other keys, this field will be omitted.
@@ -295,80 +160,215 @@
# CryptoKeyVersion can never be viewed or exported. It can only be used to
# encrypt, decrypt, or sign data when an authorized user or application invokes
# Cloud KMS.
- "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
+ "importTime": "A String", # Output only. The time at which this CryptoKeyVersion's key material
+ # was imported.
+ "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
+ # destroyed. Only present if state is
+ # DESTROYED.
+ "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
# for destruction. Only present if state is
# DESTROY_SCHEDULED.
- "importFailureReason": "A String", # Output only. The root cause of an import failure. Only present if
+ "importFailureReason": "A String", # Output only. The root cause of an import failure. Only present if
# state is
# IMPORT_FAILED.
- "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
- # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
- "protectionLevel": "A String", # Output only. The ProtectionLevel describing how crypto operations are
- # performed with this CryptoKeyVersion.
- "attestation": { # Contains an HSM-generated attestation about a key operation. For more # Output only. Statement that was generated and signed by the HSM at key
+ "state": "A String", # The current state of the CryptoKeyVersion.
+ "attestation": { # Contains an HSM-generated attestation about a key operation. For more # Output only. Statement that was generated and signed by the HSM at key
# creation time. Use this statement to verify attributes of the key as stored
# on the HSM, independently of Google. Only provided for key versions with
# protection_level HSM.
# information, see [Verifying attestations]
# (https://cloud.google.com/kms/docs/attest-key).
- "content": "A String", # Output only. The attestation data provided by the HSM when the key
+ "format": "A String", # Output only. The format of the attestation data.
+ "content": "A String", # Output only. The attestation data provided by the HSM when the key
# operation was performed.
- "format": "A String", # Output only. The format of the attestation data.
},
- "state": "A String", # The current state of the CryptoKeyVersion.
- "importJob": "A String", # Output only. The name of the ImportJob used to import this
+ "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
+ # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
+ "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
+ # generated.
+ "protectionLevel": "A String", # Output only. The ProtectionLevel describing how crypto operations are
+ # performed with this CryptoKeyVersion.
+ "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
+ "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this
+ # CryptoKeyVersion supports.
+ "importJob": "A String", # Output only. The name of the ImportJob used to import this
# CryptoKeyVersion. Only present if the underlying key material was
# imported.
- "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
- # generated.
- "importTime": "A String", # Output only. The time at which this CryptoKeyVersion's key material
- # was imported.
- "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this
- # CryptoKeyVersion supports.
- "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
- "externalProtectionLevelOptions": { # ExternalProtectionLevelOptions stores a group of additional fields for # ExternalProtectionLevelOptions stores a group of additional fields for
+ "externalProtectionLevelOptions": { # ExternalProtectionLevelOptions stores a group of additional fields for # ExternalProtectionLevelOptions stores a group of additional fields for
# configuring a CryptoKeyVersion that are specific to the
# EXTERNAL protection level.
# configuring a CryptoKeyVersion that are specific to the
# EXTERNAL protection level.
- "externalKeyUri": "A String", # The URI for an external resource that this CryptoKeyVersion represents.
+ "externalKeyUri": "A String", # The URI for an external resource that this CryptoKeyVersion represents.
},
- "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
- # destroyed. Only present if state is
- # DESTROYED.
},
- "versionTemplate": { # A CryptoKeyVersionTemplate specifies the properties to use when creating # A template describing settings for new CryptoKeyVersion instances.
+ "name": "A String", # Output only. The resource name for this CryptoKey in the format
+ # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
+ "versionTemplate": { # A CryptoKeyVersionTemplate specifies the properties to use when creating # A template describing settings for new CryptoKeyVersion instances.
# The properties of new CryptoKeyVersion instances created by either
# CreateCryptoKeyVersion or
# auto-rotation are controlled by this template.
# a new CryptoKeyVersion, either manually with
# CreateCryptoKeyVersion or
# automatically as a result of auto-rotation.
- "protectionLevel": "A String", # ProtectionLevel to use when creating a CryptoKeyVersion based on
- # this template. Immutable. Defaults to SOFTWARE.
- "algorithm": "A String", # Required. Algorithm to use
+ "algorithm": "A String", # Required. Algorithm to use
# when creating a CryptoKeyVersion based on this template.
#
# For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
# this field is omitted and CryptoKey.purpose is
# ENCRYPT_DECRYPT.
+ "protectionLevel": "A String", # ProtectionLevel to use when creating a CryptoKeyVersion based on
+ # this template. Immutable. Defaults to SOFTWARE.
},
- "purpose": "A String", # Immutable. The immutable purpose of this CryptoKey.
- "createTime": "A String", # Output only. The time at which this CryptoKey was created.
- "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
- #
+ "purpose": "A String", # Immutable. The immutable purpose of this CryptoKey.
+ "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
+ #
# 1. Create a new version of this CryptoKey.
# 2. Mark the new version as primary.
- #
+ #
# Key rotations performed manually via
# CreateCryptoKeyVersion and
# UpdateCryptoKeyPrimaryVersion
# do not affect next_rotation_time.
- #
+ #
# Keys with purpose
# ENCRYPT_DECRYPT support
# automatic rotation. For other keys, this field must be omitted.
- }</pre>
+ "labels": { # Labels with user-defined metadata. For more information, see
+ # [Labeling Keys](/kms/docs/labeling-keys).
+ "a_key": "A String",
+ },
+ "createTime": "A String", # Output only. The time at which this CryptoKey was created.
+ }
+
+ cryptoKeyId: string, Required. It must be unique within a KeyRing and match the regular
+expression `[a-zA-Z0-9_-]{1,63}`
+ skipInitialVersionCreation: boolean, If set to true, the request will create a CryptoKey without any
+CryptoKeyVersions. You must manually call
+CreateCryptoKeyVersion or
+ImportCryptoKeyVersion
+before you can use this CryptoKey.
+ x__xgafv: string, V1 error format.
+ Allowed values
+ 1 - v1 error format
+ 2 - v2 error format
+
+Returns:
+ An object of the form:
+
+ { # A CryptoKey represents a logical key that can be used for cryptographic
+ # operations.
+ #
+ # A CryptoKey is made up of zero or more versions,
+ # which represent the actual key material used in cryptographic operations.
+ "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
+ # automatically rotates a key. Must be at least 24 hours and at most
+ # 876,000 hours.
+ #
+ # If rotation_period is set, next_rotation_time must also be set.
+ #
+ # Keys with purpose
+ # ENCRYPT_DECRYPT support
+ # automatic rotation. For other keys, this field must be omitted.
+ "primary": { # A CryptoKeyVersion represents an individual cryptographic key, and the # Output only. A copy of the "primary" CryptoKeyVersion that will be used
+ # by Encrypt when this CryptoKey is given
+ # in EncryptRequest.name.
+ #
+ # The CryptoKey's primary version can be updated via
+ # UpdateCryptoKeyPrimaryVersion.
+ #
+ # Keys with purpose
+ # ENCRYPT_DECRYPT may have a
+ # primary. For other keys, this field will be omitted.
+ # associated key material.
+ #
+ # An ENABLED version can be
+ # used for cryptographic operations.
+ #
+ # For security reasons, the raw cryptographic key material represented by a
+ # CryptoKeyVersion can never be viewed or exported. It can only be used to
+ # encrypt, decrypt, or sign data when an authorized user or application invokes
+ # Cloud KMS.
+ "importTime": "A String", # Output only. The time at which this CryptoKeyVersion's key material
+ # was imported.
+ "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
+ # destroyed. Only present if state is
+ # DESTROYED.
+ "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
+ # for destruction. Only present if state is
+ # DESTROY_SCHEDULED.
+ "importFailureReason": "A String", # Output only. The root cause of an import failure. Only present if
+ # state is
+ # IMPORT_FAILED.
+ "state": "A String", # The current state of the CryptoKeyVersion.
+ "attestation": { # Contains an HSM-generated attestation about a key operation. For more # Output only. Statement that was generated and signed by the HSM at key
+ # creation time. Use this statement to verify attributes of the key as stored
+ # on the HSM, independently of Google. Only provided for key versions with
+ # protection_level HSM.
+ # information, see [Verifying attestations]
+ # (https://cloud.google.com/kms/docs/attest-key).
+ "format": "A String", # Output only. The format of the attestation data.
+ "content": "A String", # Output only. The attestation data provided by the HSM when the key
+ # operation was performed.
+ },
+ "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
+ # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
+ "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
+ # generated.
+ "protectionLevel": "A String", # Output only. The ProtectionLevel describing how crypto operations are
+ # performed with this CryptoKeyVersion.
+ "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
+ "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this
+ # CryptoKeyVersion supports.
+ "importJob": "A String", # Output only. The name of the ImportJob used to import this
+ # CryptoKeyVersion. Only present if the underlying key material was
+ # imported.
+ "externalProtectionLevelOptions": { # ExternalProtectionLevelOptions stores a group of additional fields for # ExternalProtectionLevelOptions stores a group of additional fields for
+ # configuring a CryptoKeyVersion that are specific to the
+ # EXTERNAL protection level.
+ # configuring a CryptoKeyVersion that are specific to the
+ # EXTERNAL protection level.
+ "externalKeyUri": "A String", # The URI for an external resource that this CryptoKeyVersion represents.
+ },
+ },
+ "name": "A String", # Output only. The resource name for this CryptoKey in the format
+ # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
+ "versionTemplate": { # A CryptoKeyVersionTemplate specifies the properties to use when creating # A template describing settings for new CryptoKeyVersion instances.
+ # The properties of new CryptoKeyVersion instances created by either
+ # CreateCryptoKeyVersion or
+ # auto-rotation are controlled by this template.
+ # a new CryptoKeyVersion, either manually with
+ # CreateCryptoKeyVersion or
+ # automatically as a result of auto-rotation.
+ "algorithm": "A String", # Required. Algorithm to use
+ # when creating a CryptoKeyVersion based on this template.
+ #
+ # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
+ # this field is omitted and CryptoKey.purpose is
+ # ENCRYPT_DECRYPT.
+ "protectionLevel": "A String", # ProtectionLevel to use when creating a CryptoKeyVersion based on
+ # this template. Immutable. Defaults to SOFTWARE.
+ },
+ "purpose": "A String", # Immutable. The immutable purpose of this CryptoKey.
+ "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
+ #
+ # 1. Create a new version of this CryptoKey.
+ # 2. Mark the new version as primary.
+ #
+ # Key rotations performed manually via
+ # CreateCryptoKeyVersion and
+ # UpdateCryptoKeyPrimaryVersion
+ # do not affect next_rotation_time.
+ #
+ # Keys with purpose
+ # ENCRYPT_DECRYPT support
+ # automatic rotation. For other keys, this field must be omitted.
+ "labels": { # Labels with user-defined metadata. For more information, see
+ # [Labeling Keys](/kms/docs/labeling-keys).
+ "a_key": "A String",
+ },
+ "createTime": "A String", # Output only. The time at which this CryptoKey was created.
+ }</pre>
</div>
<div class="method">
@@ -383,9 +383,9 @@
The object takes the form of:
{ # Request message for KeyManagementService.Decrypt.
- "ciphertext": "A String", # Required. The encrypted data originally returned in
+ "ciphertext": "A String", # Required. The encrypted data originally returned in
# EncryptResponse.ciphertext.
- "additionalAuthenticatedData": "A String", # Optional. Optional data that must match the data originally supplied in
+ "additionalAuthenticatedData": "A String", # Optional. Optional data that must match the data originally supplied in
# EncryptRequest.additional_authenticated_data.
}
@@ -398,7 +398,7 @@
An object of the form:
{ # Response message for KeyManagementService.Decrypt.
- "plaintext": "A String", # The decrypted data originally supplied in EncryptRequest.plaintext.
+ "plaintext": "A String", # The decrypted data originally supplied in EncryptRequest.plaintext.
}</pre>
</div>
@@ -418,18 +418,18 @@
The object takes the form of:
{ # Request message for KeyManagementService.Encrypt.
- "plaintext": "A String", # Required. The data to encrypt. Must be no larger than 64KiB.
+ "plaintext": "A String", # Required. The data to encrypt. Must be no larger than 64KiB.
#
- # The maximum size depends on the key version's
+ # The maximum size depends on the key version's
# protection_level. For
# SOFTWARE keys, the plaintext must be no larger
# than 64KiB. For HSM keys, the combined length of the
# plaintext and additional_authenticated_data fields must be no larger than
# 8KiB.
- "additionalAuthenticatedData": "A String", # Optional. Optional data that, if specified, must also be provided during decryption
+ "additionalAuthenticatedData": "A String", # Optional. Optional data that, if specified, must also be provided during decryption
# through DecryptRequest.additional_authenticated_data.
#
- # The maximum size depends on the key version's
+ # The maximum size depends on the key version's
# protection_level. For
# SOFTWARE keys, the AAD must be no larger than
# 64KiB. For HSM keys, the combined length of the
@@ -446,9 +446,9 @@
An object of the form:
{ # Response message for KeyManagementService.Encrypt.
- "ciphertext": "A String", # The encrypted data.
- "name": "A String", # The resource name of the CryptoKeyVersion used in encryption. Check
+ "name": "A String", # The resource name of the CryptoKeyVersion used in encryption. Check
# this field to verify that the intended resource was used for encryption.
+ "ciphertext": "A String", # The encrypted data.
}</pre>
</div>
@@ -468,118 +468,118 @@
An object of the form:
{ # A CryptoKey represents a logical key that can be used for cryptographic
- # operations.
- #
- # A CryptoKey is made up of one or more versions, which
- # represent the actual key material used in cryptographic operations.
- "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
- # automatically rotates a key. Must be at least 24 hours and at most
- # 876,000 hours.
+ # operations.
#
- # If rotation_period is set, next_rotation_time must also be set.
- #
- # Keys with purpose
- # ENCRYPT_DECRYPT support
- # automatic rotation. For other keys, this field must be omitted.
- "name": "A String", # Output only. The resource name for this CryptoKey in the format
- # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
- "labels": { # Labels with user-defined metadata. For more information, see
- # [Labeling Keys](/kms/docs/labeling-keys).
- "a_key": "A String",
- },
- "primary": { # A CryptoKeyVersion represents an individual cryptographic key, and the # Output only. A copy of the "primary" CryptoKeyVersion that will be used
- # by Encrypt when this CryptoKey is given
- # in EncryptRequest.name.
- #
- # The CryptoKey's primary version can be updated via
- # UpdateCryptoKeyPrimaryVersion.
- #
- # Keys with purpose
- # ENCRYPT_DECRYPT may have a
- # primary. For other keys, this field will be omitted.
- # associated key material.
- #
- # An ENABLED version can be
- # used for cryptographic operations.
- #
- # For security reasons, the raw cryptographic key material represented by a
- # CryptoKeyVersion can never be viewed or exported. It can only be used to
- # encrypt, decrypt, or sign data when an authorized user or application invokes
- # Cloud KMS.
- "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
- # for destruction. Only present if state is
- # DESTROY_SCHEDULED.
- "importFailureReason": "A String", # Output only. The root cause of an import failure. Only present if
- # state is
- # IMPORT_FAILED.
- "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
- # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
- "protectionLevel": "A String", # Output only. The ProtectionLevel describing how crypto operations are
- # performed with this CryptoKeyVersion.
- "attestation": { # Contains an HSM-generated attestation about a key operation. For more # Output only. Statement that was generated and signed by the HSM at key
- # creation time. Use this statement to verify attributes of the key as stored
- # on the HSM, independently of Google. Only provided for key versions with
- # protection_level HSM.
- # information, see [Verifying attestations]
- # (https://cloud.google.com/kms/docs/attest-key).
- "content": "A String", # Output only. The attestation data provided by the HSM when the key
- # operation was performed.
- "format": "A String", # Output only. The format of the attestation data.
- },
- "state": "A String", # The current state of the CryptoKeyVersion.
- "importJob": "A String", # Output only. The name of the ImportJob used to import this
- # CryptoKeyVersion. Only present if the underlying key material was
- # imported.
- "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
- # generated.
- "importTime": "A String", # Output only. The time at which this CryptoKeyVersion's key material
- # was imported.
- "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this
- # CryptoKeyVersion supports.
- "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
- "externalProtectionLevelOptions": { # ExternalProtectionLevelOptions stores a group of additional fields for # ExternalProtectionLevelOptions stores a group of additional fields for
- # configuring a CryptoKeyVersion that are specific to the
- # EXTERNAL protection level.
- # configuring a CryptoKeyVersion that are specific to the
- # EXTERNAL protection level.
- "externalKeyUri": "A String", # The URI for an external resource that this CryptoKeyVersion represents.
- },
- "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
- # destroyed. Only present if state is
- # DESTROYED.
- },
- "versionTemplate": { # A CryptoKeyVersionTemplate specifies the properties to use when creating # A template describing settings for new CryptoKeyVersion instances.
- # The properties of new CryptoKeyVersion instances created by either
- # CreateCryptoKeyVersion or
- # auto-rotation are controlled by this template.
- # a new CryptoKeyVersion, either manually with
- # CreateCryptoKeyVersion or
- # automatically as a result of auto-rotation.
- "protectionLevel": "A String", # ProtectionLevel to use when creating a CryptoKeyVersion based on
- # this template. Immutable. Defaults to SOFTWARE.
- "algorithm": "A String", # Required. Algorithm to use
- # when creating a CryptoKeyVersion based on this template.
+ # A CryptoKey is made up of zero or more versions,
+ # which represent the actual key material used in cryptographic operations.
+ "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
+ # automatically rotates a key. Must be at least 24 hours and at most
+ # 876,000 hours.
#
- # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
- # this field is omitted and CryptoKey.purpose is
- # ENCRYPT_DECRYPT.
- },
- "purpose": "A String", # Immutable. The immutable purpose of this CryptoKey.
- "createTime": "A String", # Output only. The time at which this CryptoKey was created.
- "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
- #
- # 1. Create a new version of this CryptoKey.
- # 2. Mark the new version as primary.
- #
- # Key rotations performed manually via
- # CreateCryptoKeyVersion and
- # UpdateCryptoKeyPrimaryVersion
- # do not affect next_rotation_time.
- #
- # Keys with purpose
- # ENCRYPT_DECRYPT support
- # automatic rotation. For other keys, this field must be omitted.
- }</pre>
+ # If rotation_period is set, next_rotation_time must also be set.
+ #
+ # Keys with purpose
+ # ENCRYPT_DECRYPT support
+ # automatic rotation. For other keys, this field must be omitted.
+ "primary": { # A CryptoKeyVersion represents an individual cryptographic key, and the # Output only. A copy of the "primary" CryptoKeyVersion that will be used
+ # by Encrypt when this CryptoKey is given
+ # in EncryptRequest.name.
+ #
+ # The CryptoKey's primary version can be updated via
+ # UpdateCryptoKeyPrimaryVersion.
+ #
+ # Keys with purpose
+ # ENCRYPT_DECRYPT may have a
+ # primary. For other keys, this field will be omitted.
+ # associated key material.
+ #
+ # An ENABLED version can be
+ # used for cryptographic operations.
+ #
+ # For security reasons, the raw cryptographic key material represented by a
+ # CryptoKeyVersion can never be viewed or exported. It can only be used to
+ # encrypt, decrypt, or sign data when an authorized user or application invokes
+ # Cloud KMS.
+ "importTime": "A String", # Output only. The time at which this CryptoKeyVersion's key material
+ # was imported.
+ "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
+ # destroyed. Only present if state is
+ # DESTROYED.
+ "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
+ # for destruction. Only present if state is
+ # DESTROY_SCHEDULED.
+ "importFailureReason": "A String", # Output only. The root cause of an import failure. Only present if
+ # state is
+ # IMPORT_FAILED.
+ "state": "A String", # The current state of the CryptoKeyVersion.
+ "attestation": { # Contains an HSM-generated attestation about a key operation. For more # Output only. Statement that was generated and signed by the HSM at key
+ # creation time. Use this statement to verify attributes of the key as stored
+ # on the HSM, independently of Google. Only provided for key versions with
+ # protection_level HSM.
+ # information, see [Verifying attestations]
+ # (https://cloud.google.com/kms/docs/attest-key).
+ "format": "A String", # Output only. The format of the attestation data.
+ "content": "A String", # Output only. The attestation data provided by the HSM when the key
+ # operation was performed.
+ },
+ "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
+ # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
+ "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
+ # generated.
+ "protectionLevel": "A String", # Output only. The ProtectionLevel describing how crypto operations are
+ # performed with this CryptoKeyVersion.
+ "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
+ "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this
+ # CryptoKeyVersion supports.
+ "importJob": "A String", # Output only. The name of the ImportJob used to import this
+ # CryptoKeyVersion. Only present if the underlying key material was
+ # imported.
+ "externalProtectionLevelOptions": { # ExternalProtectionLevelOptions stores a group of additional fields for # ExternalProtectionLevelOptions stores a group of additional fields for
+ # configuring a CryptoKeyVersion that are specific to the
+ # EXTERNAL protection level.
+ # configuring a CryptoKeyVersion that are specific to the
+ # EXTERNAL protection level.
+ "externalKeyUri": "A String", # The URI for an external resource that this CryptoKeyVersion represents.
+ },
+ },
+ "name": "A String", # Output only. The resource name for this CryptoKey in the format
+ # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
+ "versionTemplate": { # A CryptoKeyVersionTemplate specifies the properties to use when creating # A template describing settings for new CryptoKeyVersion instances.
+ # The properties of new CryptoKeyVersion instances created by either
+ # CreateCryptoKeyVersion or
+ # auto-rotation are controlled by this template.
+ # a new CryptoKeyVersion, either manually with
+ # CreateCryptoKeyVersion or
+ # automatically as a result of auto-rotation.
+ "algorithm": "A String", # Required. Algorithm to use
+ # when creating a CryptoKeyVersion based on this template.
+ #
+ # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
+ # this field is omitted and CryptoKey.purpose is
+ # ENCRYPT_DECRYPT.
+ "protectionLevel": "A String", # ProtectionLevel to use when creating a CryptoKeyVersion based on
+ # this template. Immutable. Defaults to SOFTWARE.
+ },
+ "purpose": "A String", # Immutable. The immutable purpose of this CryptoKey.
+ "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
+ #
+ # 1. Create a new version of this CryptoKey.
+ # 2. Mark the new version as primary.
+ #
+ # Key rotations performed manually via
+ # CreateCryptoKeyVersion and
+ # UpdateCryptoKeyPrimaryVersion
+ # do not affect next_rotation_time.
+ #
+ # Keys with purpose
+ # ENCRYPT_DECRYPT support
+ # automatic rotation. For other keys, this field must be omitted.
+ "labels": { # Labels with user-defined metadata. For more information, see
+ # [Labeling Keys](/kms/docs/labeling-keys).
+ "a_key": "A String",
+ },
+ "createTime": "A String", # Output only. The time at which this CryptoKey was created.
+ }</pre>
</div>
<div class="method">
@@ -599,6 +599,10 @@
Requests for policies with any conditional bindings must specify version 3.
Policies without any conditional bindings may specify any valid value or
leave the field unset.
+
+To learn which resources support conditions in their IAM policies, see the
+[IAM
+documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
@@ -617,36 +621,40 @@
# permissions; each `role` can be an IAM predefined role or a user-created
# custom role.
#
- # Optionally, a `binding` can specify a `condition`, which is a logical
- # expression that allows access to a resource only if the expression evaluates
- # to `true`. A condition can add constraints based on attributes of the
- # request, the resource, or both.
+ # For some types of Google Cloud resources, a `binding` can also specify a
+ # `condition`, which is a logical expression that allows access to a resource
+ # only if the expression evaluates to `true`. A condition can add constraints
+ # based on attributes of the request, the resource, or both. To learn which
+ # resources support conditions in their IAM policies, see the
+ # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
#
# **JSON example:**
#
# {
- # "bindings": [
+ # "bindings": [
# {
- # "role": "roles/resourcemanager.organizationAdmin",
- # "members": [
- # "user:mike@example.com",
- # "group:admins@example.com",
- # "domain:google.com",
- # "serviceAccount:my-project-id@appspot.gserviceaccount.com"
+ # "role": "roles/resourcemanager.organizationAdmin",
+ # "members": [
+ # "user:mike@example.com",
+ # "group:admins@example.com",
+ # "domain:google.com",
+ # "serviceAccount:my-project-id@appspot.gserviceaccount.com"
# ]
# },
# {
- # "role": "roles/resourcemanager.organizationViewer",
- # "members": ["user:eve@example.com"],
- # "condition": {
- # "title": "expirable access",
- # "description": "Does not grant access after Sep 2020",
- # "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",
+ # "role": "roles/resourcemanager.organizationViewer",
+ # "members": [
+ # "user:eve@example.com"
+ # ],
+ # "condition": {
+ # "title": "expirable access",
+ # "description": "Does not grant access after Sep 2020",
+ # "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",
# }
# }
# ],
- # "etag": "BwWWja0YfJA=",
- # "version": 3
+ # "etag": "BwWWja0YfJA=",
+ # "version": 3
# }
#
# **YAML example:**
@@ -664,63 +672,126 @@
# condition:
# title: expirable access
# description: Does not grant access after Sep 2020
- # expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
+ # expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
# - etag: BwWWja0YfJA=
# - version: 3
#
# For a description of IAM and its features, see the
# [IAM documentation](https://cloud.google.com/iam/docs/).
- "bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a
+ "version": 42, # Specifies the format of the policy.
+ #
+ # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
+ # are rejected.
+ #
+ # Any operation that affects conditional role bindings must specify version
+ # `3`. This requirement applies to the following operations:
+ #
+ # * Getting a policy that includes a conditional role binding
+ # * Adding a conditional role binding to a policy
+ # * Changing a conditional role binding in a policy
+ # * Removing any role binding, with or without a condition, from a policy
+ # that includes conditions
+ #
+ # **Important:** If you use IAM Conditions, you must include the `etag` field
+ # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
+ # you to overwrite a version `3` policy with a version `1` policy, and all of
+ # the conditions in the version `3` policy are lost.
+ #
+ # If a policy does not include any conditions, operations on that policy may
+ # specify any valid version or leave the field unset.
+ #
+ # To learn which resources support conditions in their IAM policies, see the
+ # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
+ "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
+ { # Specifies the audit configuration for a service.
+ # The configuration determines which permission types are logged, and what
+ # identities, if any, are exempted from logging.
+ # An AuditConfig must have one or more AuditLogConfigs.
+ #
+ # If there are AuditConfigs for both `allServices` and a specific service,
+ # the union of the two AuditConfigs is used for that service: the log_types
+ # specified in each AuditConfig are enabled, and the exempted_members in each
+ # AuditLogConfig are exempted.
+ #
+ # Example Policy with multiple AuditConfigs:
+ #
+ # {
+ # "audit_configs": [
+ # {
+ # "service": "allServices"
+ # "audit_log_configs": [
+ # {
+ # "log_type": "DATA_READ",
+ # "exempted_members": [
+ # "user:jose@example.com"
+ # ]
+ # },
+ # {
+ # "log_type": "DATA_WRITE",
+ # },
+ # {
+ # "log_type": "ADMIN_READ",
+ # }
+ # ]
+ # },
+ # {
+ # "service": "sampleservice.googleapis.com"
+ # "audit_log_configs": [
+ # {
+ # "log_type": "DATA_READ",
+ # },
+ # {
+ # "log_type": "DATA_WRITE",
+ # "exempted_members": [
+ # "user:aliya@example.com"
+ # ]
+ # }
+ # ]
+ # }
+ # ]
+ # }
+ #
+ # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
+ # logging. It also exempts jose@example.com from DATA_READ logging, and
+ # aliya@example.com from DATA_WRITE logging.
+ "auditLogConfigs": [ # The configuration for logging of each type of permission.
+ { # Provides the configuration for logging a type of permissions.
+ # Example:
+ #
+ # {
+ # "audit_log_configs": [
+ # {
+ # "log_type": "DATA_READ",
+ # "exempted_members": [
+ # "user:jose@example.com"
+ # ]
+ # },
+ # {
+ # "log_type": "DATA_WRITE",
+ # }
+ # ]
+ # }
+ #
+ # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
+ # jose@example.com from DATA_READ logging.
+ "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
+ # permission.
+ # Follows the same format of Binding.members.
+ "A String",
+ ],
+ "logType": "A String", # The log type that this config enables.
+ },
+ ],
+ "service": "A String", # Specifies a service that will be enabled for audit logging.
+ # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
+ # `allServices` is a special value that covers all services.
+ },
+ ],
+ "bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a
# `condition` that determines how and when the `bindings` are applied. Each
# of the `bindings` must contain at least one member.
{ # Associates `members` with a `role`.
- "role": "A String", # Role that is assigned to `members`.
- # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
- "condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.
- # NOTE: An unsatisfied condition will not allow user access via current
- # binding. Different bindings, including their conditions, are examined
- # independently.
- # syntax. CEL is a C-like expression language. The syntax and semantics of CEL
- # are documented at https://github.com/google/cel-spec.
- #
- # Example (Comparison):
- #
- # title: "Summary size limit"
- # description: "Determines if a summary is less than 100 chars"
- # expression: "document.summary.size() < 100"
- #
- # Example (Equality):
- #
- # title: "Requestor is owner"
- # description: "Determines if requestor is the document owner"
- # expression: "document.owner == request.auth.claims.email"
- #
- # Example (Logic):
- #
- # title: "Public documents"
- # description: "Determine whether the document should be publicly visible"
- # expression: "document.type != 'private' && document.type != 'internal'"
- #
- # Example (Data Manipulation):
- #
- # title: "Notification string"
- # description: "Create a notification string with a timestamp."
- # expression: "'New message received at ' + string(document.create_time)"
- #
- # The exact variables and functions that may be referenced within an expression
- # are determined by the service that evaluates it. See the service
- # documentation for additional information.
- "location": "A String", # Optional. String indicating the location of the expression for error
- # reporting, e.g. a file name and a position in the file.
- "expression": "A String", # Textual representation of an expression in Common Expression Language
- # syntax.
- "description": "A String", # Optional. Description of the expression. This is a longer text which
- # describes the expression, e.g. when hovered over it in a UI.
- "title": "A String", # Optional. Title for the expression, i.e. a short string describing
- # its purpose. This can be used e.g. in UIs which allow to enter the
- # expression.
- },
- "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
+ "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
# `members` can have the following values:
#
# * `allUsers`: A special identifier that represents anyone who is
@@ -763,96 +834,65 @@
# * `domain:{domain}`: The G Suite domain (primary) that represents all the
# users of that domain. For example, `google.com` or `example.com`.
#
- "A String",
+ "A String",
],
+ "role": "A String", # Role that is assigned to `members`.
+ # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
+ "condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.
+ #
+ # If the condition evaluates to `true`, then this binding applies to the
+ # current request.
+ #
+ # If the condition evaluates to `false`, then this binding does not apply to
+ # the current request. However, a different role binding might grant the same
+ # role to one or more of the members in this binding.
+ #
+ # To learn which resources support conditions in their IAM policies, see the
+ # [IAM
+ # documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
+ # syntax. CEL is a C-like expression language. The syntax and semantics of CEL
+ # are documented at https://github.com/google/cel-spec.
+ #
+ # Example (Comparison):
+ #
+ # title: "Summary size limit"
+ # description: "Determines if a summary is less than 100 chars"
+ # expression: "document.summary.size() < 100"
+ #
+ # Example (Equality):
+ #
+ # title: "Requestor is owner"
+ # description: "Determines if requestor is the document owner"
+ # expression: "document.owner == request.auth.claims.email"
+ #
+ # Example (Logic):
+ #
+ # title: "Public documents"
+ # description: "Determine whether the document should be publicly visible"
+ # expression: "document.type != 'private' && document.type != 'internal'"
+ #
+ # Example (Data Manipulation):
+ #
+ # title: "Notification string"
+ # description: "Create a notification string with a timestamp."
+ # expression: "'New message received at ' + string(document.create_time)"
+ #
+ # The exact variables and functions that may be referenced within an expression
+ # are determined by the service that evaluates it. See the service
+ # documentation for additional information.
+ "title": "A String", # Optional. Title for the expression, i.e. a short string describing
+ # its purpose. This can be used e.g. in UIs which allow to enter the
+ # expression.
+ "location": "A String", # Optional. String indicating the location of the expression for error
+ # reporting, e.g. a file name and a position in the file.
+ "description": "A String", # Optional. Description of the expression. This is a longer text which
+ # describes the expression, e.g. when hovered over it in a UI.
+ "expression": "A String", # Textual representation of an expression in Common Expression Language
+ # syntax.
+ },
},
],
- "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
- { # Specifies the audit configuration for a service.
- # The configuration determines which permission types are logged, and what
- # identities, if any, are exempted from logging.
- # An AuditConfig must have one or more AuditLogConfigs.
- #
- # If there are AuditConfigs for both `allServices` and a specific service,
- # the union of the two AuditConfigs is used for that service: the log_types
- # specified in each AuditConfig are enabled, and the exempted_members in each
- # AuditLogConfig are exempted.
- #
- # Example Policy with multiple AuditConfigs:
- #
- # {
- # "audit_configs": [
- # {
- # "service": "allServices"
- # "audit_log_configs": [
- # {
- # "log_type": "DATA_READ",
- # "exempted_members": [
- # "user:jose@example.com"
- # ]
- # },
- # {
- # "log_type": "DATA_WRITE",
- # },
- # {
- # "log_type": "ADMIN_READ",
- # }
- # ]
- # },
- # {
- # "service": "sampleservice.googleapis.com"
- # "audit_log_configs": [
- # {
- # "log_type": "DATA_READ",
- # },
- # {
- # "log_type": "DATA_WRITE",
- # "exempted_members": [
- # "user:aliya@example.com"
- # ]
- # }
- # ]
- # }
- # ]
- # }
- #
- # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
- # logging. It also exempts jose@example.com from DATA_READ logging, and
- # aliya@example.com from DATA_WRITE logging.
- "auditLogConfigs": [ # The configuration for logging of each type of permission.
- { # Provides the configuration for logging a type of permissions.
- # Example:
- #
- # {
- # "audit_log_configs": [
- # {
- # "log_type": "DATA_READ",
- # "exempted_members": [
- # "user:jose@example.com"
- # ]
- # },
- # {
- # "log_type": "DATA_WRITE",
- # }
- # ]
- # }
- #
- # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
- # jose@example.com from DATA_READ logging.
- "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
- # permission.
- # Follows the same format of Binding.members.
- "A String",
- ],
- "logType": "A String", # The log type that this config enables.
- },
- ],
- "service": "A String", # Specifies a service that will be enabled for audit logging.
- # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
- # `allServices` is a special value that covers all services.
- },
- ],
- "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
+ "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
# prevent simultaneous updates of a policy from overwriting each other.
# It is strongly suggested that systems make use of the `etag` in the
# read-modify-write cycle to perform policy updates in order to avoid race
@@ -864,179 +904,158 @@
# whenever you call `setIamPolicy`. If you omit this field, then IAM allows
# you to overwrite a version `3` policy with a version `1` policy, and all of
# the conditions in the version `3` policy are lost.
- "version": 42, # Specifies the format of the policy.
- #
- # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
- # are rejected.
- #
- # Any operation that affects conditional role bindings must specify version
- # `3`. This requirement applies to the following operations:
- #
- # * Getting a policy that includes a conditional role binding
- # * Adding a conditional role binding to a policy
- # * Changing a conditional role binding in a policy
- # * Removing any role binding, with or without a condition, from a policy
- # that includes conditions
- #
- # **Important:** If you use IAM Conditions, you must include the `etag` field
- # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
- # you to overwrite a version `3` policy with a version `1` policy, and all of
- # the conditions in the version `3` policy are lost.
- #
- # If a policy does not include any conditions, operations on that policy may
- # specify any valid version or leave the field unset.
}</pre>
</div>
<div class="method">
- <code class="details" id="list">list(parent, orderBy=None, pageSize=None, pageToken=None, x__xgafv=None, versionView=None, filter=None)</code>
+ <code class="details" id="list">list(parent, filter=None, pageToken=None, pageSize=None, orderBy=None, versionView=None, x__xgafv=None)</code>
<pre>Lists CryptoKeys.
Args:
parent: string, Required. The resource name of the KeyRing to list, in the format
`projects/*/locations/*/keyRings/*`. (required)
- orderBy: string, Optional. Specify how the results should be sorted. If not specified, the
-results will be sorted in the default order. For more information, see
-[Sorting and filtering list
-results](https://cloud.google.com/kms/docs/sorting-and-filtering).
- pageSize: integer, Optional. Optional limit on the number of CryptoKeys to include in the
-response. Further CryptoKeys can subsequently be obtained by
-including the ListCryptoKeysResponse.next_page_token in a subsequent
-request. If unspecified, the server will pick an appropriate default.
- pageToken: string, Optional. Optional pagination token, returned earlier via
-ListCryptoKeysResponse.next_page_token.
- x__xgafv: string, V1 error format.
- Allowed values
- 1 - v1 error format
- 2 - v2 error format
- versionView: string, The fields of the primary version to include in the response.
filter: string, Optional. Only include resources that match the filter in the response. For
more information, see
[Sorting and filtering list
results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+ pageToken: string, Optional. Optional pagination token, returned earlier via
+ListCryptoKeysResponse.next_page_token.
+ pageSize: integer, Optional. Optional limit on the number of CryptoKeys to include in the
+response. Further CryptoKeys can subsequently be obtained by
+including the ListCryptoKeysResponse.next_page_token in a subsequent
+request. If unspecified, the server will pick an appropriate default.
+ orderBy: string, Optional. Specify how the results should be sorted. If not specified, the
+results will be sorted in the default order. For more information, see
+[Sorting and filtering list
+results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+ versionView: string, The fields of the primary version to include in the response.
+ x__xgafv: string, V1 error format.
+ Allowed values
+ 1 - v1 error format
+ 2 - v2 error format
Returns:
An object of the form:
{ # Response message for KeyManagementService.ListCryptoKeys.
- "nextPageToken": "A String", # A token to retrieve next page of results. Pass this value in
+ "nextPageToken": "A String", # A token to retrieve next page of results. Pass this value in
# ListCryptoKeysRequest.page_token to retrieve the next page of results.
- "cryptoKeys": [ # The list of CryptoKeys.
+ "cryptoKeys": [ # The list of CryptoKeys.
{ # A CryptoKey represents a logical key that can be used for cryptographic
- # operations.
- #
- # A CryptoKey is made up of one or more versions, which
- # represent the actual key material used in cryptographic operations.
- "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
- # automatically rotates a key. Must be at least 24 hours and at most
- # 876,000 hours.
+ # operations.
#
- # If rotation_period is set, next_rotation_time must also be set.
- #
- # Keys with purpose
- # ENCRYPT_DECRYPT support
- # automatic rotation. For other keys, this field must be omitted.
- "name": "A String", # Output only. The resource name for this CryptoKey in the format
- # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
- "labels": { # Labels with user-defined metadata. For more information, see
- # [Labeling Keys](/kms/docs/labeling-keys).
- "a_key": "A String",
- },
- "primary": { # A CryptoKeyVersion represents an individual cryptographic key, and the # Output only. A copy of the "primary" CryptoKeyVersion that will be used
- # by Encrypt when this CryptoKey is given
- # in EncryptRequest.name.
- #
- # The CryptoKey's primary version can be updated via
- # UpdateCryptoKeyPrimaryVersion.
- #
- # Keys with purpose
- # ENCRYPT_DECRYPT may have a
- # primary. For other keys, this field will be omitted.
- # associated key material.
- #
- # An ENABLED version can be
- # used for cryptographic operations.
- #
- # For security reasons, the raw cryptographic key material represented by a
- # CryptoKeyVersion can never be viewed or exported. It can only be used to
- # encrypt, decrypt, or sign data when an authorized user or application invokes
- # Cloud KMS.
- "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
- # for destruction. Only present if state is
- # DESTROY_SCHEDULED.
- "importFailureReason": "A String", # Output only. The root cause of an import failure. Only present if
- # state is
- # IMPORT_FAILED.
- "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
- # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
- "protectionLevel": "A String", # Output only. The ProtectionLevel describing how crypto operations are
- # performed with this CryptoKeyVersion.
- "attestation": { # Contains an HSM-generated attestation about a key operation. For more # Output only. Statement that was generated and signed by the HSM at key
- # creation time. Use this statement to verify attributes of the key as stored
- # on the HSM, independently of Google. Only provided for key versions with
- # protection_level HSM.
- # information, see [Verifying attestations]
- # (https://cloud.google.com/kms/docs/attest-key).
- "content": "A String", # Output only. The attestation data provided by the HSM when the key
- # operation was performed.
- "format": "A String", # Output only. The format of the attestation data.
- },
- "state": "A String", # The current state of the CryptoKeyVersion.
- "importJob": "A String", # Output only. The name of the ImportJob used to import this
- # CryptoKeyVersion. Only present if the underlying key material was
- # imported.
- "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
- # generated.
- "importTime": "A String", # Output only. The time at which this CryptoKeyVersion's key material
- # was imported.
- "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this
- # CryptoKeyVersion supports.
- "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
- "externalProtectionLevelOptions": { # ExternalProtectionLevelOptions stores a group of additional fields for # ExternalProtectionLevelOptions stores a group of additional fields for
- # configuring a CryptoKeyVersion that are specific to the
- # EXTERNAL protection level.
- # configuring a CryptoKeyVersion that are specific to the
- # EXTERNAL protection level.
- "externalKeyUri": "A String", # The URI for an external resource that this CryptoKeyVersion represents.
- },
- "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
- # destroyed. Only present if state is
- # DESTROYED.
- },
- "versionTemplate": { # A CryptoKeyVersionTemplate specifies the properties to use when creating # A template describing settings for new CryptoKeyVersion instances.
- # The properties of new CryptoKeyVersion instances created by either
- # CreateCryptoKeyVersion or
- # auto-rotation are controlled by this template.
- # a new CryptoKeyVersion, either manually with
- # CreateCryptoKeyVersion or
- # automatically as a result of auto-rotation.
- "protectionLevel": "A String", # ProtectionLevel to use when creating a CryptoKeyVersion based on
- # this template. Immutable. Defaults to SOFTWARE.
- "algorithm": "A String", # Required. Algorithm to use
- # when creating a CryptoKeyVersion based on this template.
+ # A CryptoKey is made up of zero or more versions,
+ # which represent the actual key material used in cryptographic operations.
+ "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
+ # automatically rotates a key. Must be at least 24 hours and at most
+ # 876,000 hours.
#
- # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
- # this field is omitted and CryptoKey.purpose is
- # ENCRYPT_DECRYPT.
+ # If rotation_period is set, next_rotation_time must also be set.
+ #
+ # Keys with purpose
+ # ENCRYPT_DECRYPT support
+ # automatic rotation. For other keys, this field must be omitted.
+ "primary": { # A CryptoKeyVersion represents an individual cryptographic key, and the # Output only. A copy of the "primary" CryptoKeyVersion that will be used
+ # by Encrypt when this CryptoKey is given
+ # in EncryptRequest.name.
+ #
+ # The CryptoKey's primary version can be updated via
+ # UpdateCryptoKeyPrimaryVersion.
+ #
+ # Keys with purpose
+ # ENCRYPT_DECRYPT may have a
+ # primary. For other keys, this field will be omitted.
+ # associated key material.
+ #
+ # An ENABLED version can be
+ # used for cryptographic operations.
+ #
+ # For security reasons, the raw cryptographic key material represented by a
+ # CryptoKeyVersion can never be viewed or exported. It can only be used to
+ # encrypt, decrypt, or sign data when an authorized user or application invokes
+ # Cloud KMS.
+ "importTime": "A String", # Output only. The time at which this CryptoKeyVersion's key material
+ # was imported.
+ "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
+ # destroyed. Only present if state is
+ # DESTROYED.
+ "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
+ # for destruction. Only present if state is
+ # DESTROY_SCHEDULED.
+ "importFailureReason": "A String", # Output only. The root cause of an import failure. Only present if
+ # state is
+ # IMPORT_FAILED.
+ "state": "A String", # The current state of the CryptoKeyVersion.
+ "attestation": { # Contains an HSM-generated attestation about a key operation. For more # Output only. Statement that was generated and signed by the HSM at key
+ # creation time. Use this statement to verify attributes of the key as stored
+ # on the HSM, independently of Google. Only provided for key versions with
+ # protection_level HSM.
+ # information, see [Verifying attestations]
+ # (https://cloud.google.com/kms/docs/attest-key).
+ "format": "A String", # Output only. The format of the attestation data.
+ "content": "A String", # Output only. The attestation data provided by the HSM when the key
+ # operation was performed.
+ },
+ "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
+ # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
+ "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
+ # generated.
+ "protectionLevel": "A String", # Output only. The ProtectionLevel describing how crypto operations are
+ # performed with this CryptoKeyVersion.
+ "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
+ "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this
+ # CryptoKeyVersion supports.
+ "importJob": "A String", # Output only. The name of the ImportJob used to import this
+ # CryptoKeyVersion. Only present if the underlying key material was
+ # imported.
+ "externalProtectionLevelOptions": { # ExternalProtectionLevelOptions stores a group of additional fields for # ExternalProtectionLevelOptions stores a group of additional fields for
+ # configuring a CryptoKeyVersion that are specific to the
+ # EXTERNAL protection level.
+ # configuring a CryptoKeyVersion that are specific to the
+ # EXTERNAL protection level.
+ "externalKeyUri": "A String", # The URI for an external resource that this CryptoKeyVersion represents.
+ },
+ },
+ "name": "A String", # Output only. The resource name for this CryptoKey in the format
+ # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
+ "versionTemplate": { # A CryptoKeyVersionTemplate specifies the properties to use when creating # A template describing settings for new CryptoKeyVersion instances.
+ # The properties of new CryptoKeyVersion instances created by either
+ # CreateCryptoKeyVersion or
+ # auto-rotation are controlled by this template.
+ # a new CryptoKeyVersion, either manually with
+ # CreateCryptoKeyVersion or
+ # automatically as a result of auto-rotation.
+ "algorithm": "A String", # Required. Algorithm to use
+ # when creating a CryptoKeyVersion based on this template.
+ #
+ # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
+ # this field is omitted and CryptoKey.purpose is
+ # ENCRYPT_DECRYPT.
+ "protectionLevel": "A String", # ProtectionLevel to use when creating a CryptoKeyVersion based on
+ # this template. Immutable. Defaults to SOFTWARE.
+ },
+ "purpose": "A String", # Immutable. The immutable purpose of this CryptoKey.
+ "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
+ #
+ # 1. Create a new version of this CryptoKey.
+ # 2. Mark the new version as primary.
+ #
+ # Key rotations performed manually via
+ # CreateCryptoKeyVersion and
+ # UpdateCryptoKeyPrimaryVersion
+ # do not affect next_rotation_time.
+ #
+ # Keys with purpose
+ # ENCRYPT_DECRYPT support
+ # automatic rotation. For other keys, this field must be omitted.
+ "labels": { # Labels with user-defined metadata. For more information, see
+ # [Labeling Keys](/kms/docs/labeling-keys).
+ "a_key": "A String",
+ },
+ "createTime": "A String", # Output only. The time at which this CryptoKey was created.
},
- "purpose": "A String", # Immutable. The immutable purpose of this CryptoKey.
- "createTime": "A String", # Output only. The time at which this CryptoKey was created.
- "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
- #
- # 1. Create a new version of this CryptoKey.
- # 2. Mark the new version as primary.
- #
- # Key rotations performed manually via
- # CreateCryptoKeyVersion and
- # UpdateCryptoKeyPrimaryVersion
- # do not affect next_rotation_time.
- #
- # Keys with purpose
- # ENCRYPT_DECRYPT support
- # automatic rotation. For other keys, this field must be omitted.
- },
],
- "totalSize": 42, # The total number of CryptoKeys that matched the query.
+ "totalSize": 42, # The total number of CryptoKeys that matched the query.
}</pre>
</div>
@@ -1049,7 +1068,7 @@
previous_response: The response from the request for the previous page. (required)
Returns:
- A request object that you can call 'execute()' on to request the next
+ A request object that you can call 'execute()' on to request the next
page. Returns None if there are no more items in the collection.
</pre>
</div>
@@ -1065,155 +1084,26 @@
The object takes the form of:
{ # A CryptoKey represents a logical key that can be used for cryptographic
- # operations.
- #
- # A CryptoKey is made up of one or more versions, which
- # represent the actual key material used in cryptographic operations.
- "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
- # automatically rotates a key. Must be at least 24 hours and at most
- # 876,000 hours.
- #
- # If rotation_period is set, next_rotation_time must also be set.
- #
- # Keys with purpose
- # ENCRYPT_DECRYPT support
- # automatic rotation. For other keys, this field must be omitted.
- "name": "A String", # Output only. The resource name for this CryptoKey in the format
- # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
- "labels": { # Labels with user-defined metadata. For more information, see
- # [Labeling Keys](/kms/docs/labeling-keys).
- "a_key": "A String",
- },
- "primary": { # A CryptoKeyVersion represents an individual cryptographic key, and the # Output only. A copy of the "primary" CryptoKeyVersion that will be used
- # by Encrypt when this CryptoKey is given
- # in EncryptRequest.name.
- #
- # The CryptoKey's primary version can be updated via
- # UpdateCryptoKeyPrimaryVersion.
- #
- # Keys with purpose
- # ENCRYPT_DECRYPT may have a
- # primary. For other keys, this field will be omitted.
- # associated key material.
- #
- # An ENABLED version can be
- # used for cryptographic operations.
- #
- # For security reasons, the raw cryptographic key material represented by a
- # CryptoKeyVersion can never be viewed or exported. It can only be used to
- # encrypt, decrypt, or sign data when an authorized user or application invokes
- # Cloud KMS.
- "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
- # for destruction. Only present if state is
- # DESTROY_SCHEDULED.
- "importFailureReason": "A String", # Output only. The root cause of an import failure. Only present if
- # state is
- # IMPORT_FAILED.
- "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
- # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
- "protectionLevel": "A String", # Output only. The ProtectionLevel describing how crypto operations are
- # performed with this CryptoKeyVersion.
- "attestation": { # Contains an HSM-generated attestation about a key operation. For more # Output only. Statement that was generated and signed by the HSM at key
- # creation time. Use this statement to verify attributes of the key as stored
- # on the HSM, independently of Google. Only provided for key versions with
- # protection_level HSM.
- # information, see [Verifying attestations]
- # (https://cloud.google.com/kms/docs/attest-key).
- "content": "A String", # Output only. The attestation data provided by the HSM when the key
- # operation was performed.
- "format": "A String", # Output only. The format of the attestation data.
- },
- "state": "A String", # The current state of the CryptoKeyVersion.
- "importJob": "A String", # Output only. The name of the ImportJob used to import this
- # CryptoKeyVersion. Only present if the underlying key material was
- # imported.
- "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
- # generated.
- "importTime": "A String", # Output only. The time at which this CryptoKeyVersion's key material
- # was imported.
- "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this
- # CryptoKeyVersion supports.
- "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
- "externalProtectionLevelOptions": { # ExternalProtectionLevelOptions stores a group of additional fields for # ExternalProtectionLevelOptions stores a group of additional fields for
- # configuring a CryptoKeyVersion that are specific to the
- # EXTERNAL protection level.
- # configuring a CryptoKeyVersion that are specific to the
- # EXTERNAL protection level.
- "externalKeyUri": "A String", # The URI for an external resource that this CryptoKeyVersion represents.
- },
- "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
- # destroyed. Only present if state is
- # DESTROYED.
- },
- "versionTemplate": { # A CryptoKeyVersionTemplate specifies the properties to use when creating # A template describing settings for new CryptoKeyVersion instances.
- # The properties of new CryptoKeyVersion instances created by either
- # CreateCryptoKeyVersion or
- # auto-rotation are controlled by this template.
- # a new CryptoKeyVersion, either manually with
- # CreateCryptoKeyVersion or
- # automatically as a result of auto-rotation.
- "protectionLevel": "A String", # ProtectionLevel to use when creating a CryptoKeyVersion based on
- # this template. Immutable. Defaults to SOFTWARE.
- "algorithm": "A String", # Required. Algorithm to use
- # when creating a CryptoKeyVersion based on this template.
- #
- # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
- # this field is omitted and CryptoKey.purpose is
- # ENCRYPT_DECRYPT.
- },
- "purpose": "A String", # Immutable. The immutable purpose of this CryptoKey.
- "createTime": "A String", # Output only. The time at which this CryptoKey was created.
- "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
- #
- # 1. Create a new version of this CryptoKey.
- # 2. Mark the new version as primary.
- #
- # Key rotations performed manually via
- # CreateCryptoKeyVersion and
- # UpdateCryptoKeyPrimaryVersion
- # do not affect next_rotation_time.
- #
- # Keys with purpose
- # ENCRYPT_DECRYPT support
- # automatic rotation. For other keys, this field must be omitted.
-}
-
- updateMask: string, Required. List of fields to be updated in this request.
- x__xgafv: string, V1 error format.
- Allowed values
- 1 - v1 error format
- 2 - v2 error format
-
-Returns:
- An object of the form:
-
- { # A CryptoKey represents a logical key that can be used for cryptographic
# operations.
- #
- # A CryptoKey is made up of one or more versions, which
- # represent the actual key material used in cryptographic operations.
- "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
+ #
+ # A CryptoKey is made up of zero or more versions,
+ # which represent the actual key material used in cryptographic operations.
+ "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
# automatically rotates a key. Must be at least 24 hours and at most
# 876,000 hours.
- #
+ #
# If rotation_period is set, next_rotation_time must also be set.
- #
+ #
# Keys with purpose
# ENCRYPT_DECRYPT support
# automatic rotation. For other keys, this field must be omitted.
- "name": "A String", # Output only. The resource name for this CryptoKey in the format
- # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
- "labels": { # Labels with user-defined metadata. For more information, see
- # [Labeling Keys](/kms/docs/labeling-keys).
- "a_key": "A String",
- },
- "primary": { # A CryptoKeyVersion represents an individual cryptographic key, and the # Output only. A copy of the "primary" CryptoKeyVersion that will be used
+ "primary": { # A CryptoKeyVersion represents an individual cryptographic key, and the # Output only. A copy of the "primary" CryptoKeyVersion that will be used
# by Encrypt when this CryptoKey is given
# in EncryptRequest.name.
- #
- # The CryptoKey's primary version can be updated via
+ #
+ # The CryptoKey's primary version can be updated via
# UpdateCryptoKeyPrimaryVersion.
- #
+ #
# Keys with purpose
# ENCRYPT_DECRYPT may have a
# primary. For other keys, this field will be omitted.
@@ -1226,80 +1116,209 @@
# CryptoKeyVersion can never be viewed or exported. It can only be used to
# encrypt, decrypt, or sign data when an authorized user or application invokes
# Cloud KMS.
- "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
+ "importTime": "A String", # Output only. The time at which this CryptoKeyVersion's key material
+ # was imported.
+ "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
+ # destroyed. Only present if state is
+ # DESTROYED.
+ "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
# for destruction. Only present if state is
# DESTROY_SCHEDULED.
- "importFailureReason": "A String", # Output only. The root cause of an import failure. Only present if
+ "importFailureReason": "A String", # Output only. The root cause of an import failure. Only present if
# state is
# IMPORT_FAILED.
- "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
- # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
- "protectionLevel": "A String", # Output only. The ProtectionLevel describing how crypto operations are
- # performed with this CryptoKeyVersion.
- "attestation": { # Contains an HSM-generated attestation about a key operation. For more # Output only. Statement that was generated and signed by the HSM at key
+ "state": "A String", # The current state of the CryptoKeyVersion.
+ "attestation": { # Contains an HSM-generated attestation about a key operation. For more # Output only. Statement that was generated and signed by the HSM at key
# creation time. Use this statement to verify attributes of the key as stored
# on the HSM, independently of Google. Only provided for key versions with
# protection_level HSM.
# information, see [Verifying attestations]
# (https://cloud.google.com/kms/docs/attest-key).
- "content": "A String", # Output only. The attestation data provided by the HSM when the key
+ "format": "A String", # Output only. The format of the attestation data.
+ "content": "A String", # Output only. The attestation data provided by the HSM when the key
# operation was performed.
- "format": "A String", # Output only. The format of the attestation data.
},
- "state": "A String", # The current state of the CryptoKeyVersion.
- "importJob": "A String", # Output only. The name of the ImportJob used to import this
+ "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
+ # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
+ "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
+ # generated.
+ "protectionLevel": "A String", # Output only. The ProtectionLevel describing how crypto operations are
+ # performed with this CryptoKeyVersion.
+ "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
+ "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this
+ # CryptoKeyVersion supports.
+ "importJob": "A String", # Output only. The name of the ImportJob used to import this
# CryptoKeyVersion. Only present if the underlying key material was
# imported.
- "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
- # generated.
- "importTime": "A String", # Output only. The time at which this CryptoKeyVersion's key material
- # was imported.
- "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this
- # CryptoKeyVersion supports.
- "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
- "externalProtectionLevelOptions": { # ExternalProtectionLevelOptions stores a group of additional fields for # ExternalProtectionLevelOptions stores a group of additional fields for
+ "externalProtectionLevelOptions": { # ExternalProtectionLevelOptions stores a group of additional fields for # ExternalProtectionLevelOptions stores a group of additional fields for
# configuring a CryptoKeyVersion that are specific to the
# EXTERNAL protection level.
# configuring a CryptoKeyVersion that are specific to the
# EXTERNAL protection level.
- "externalKeyUri": "A String", # The URI for an external resource that this CryptoKeyVersion represents.
+ "externalKeyUri": "A String", # The URI for an external resource that this CryptoKeyVersion represents.
},
- "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
- # destroyed. Only present if state is
- # DESTROYED.
},
- "versionTemplate": { # A CryptoKeyVersionTemplate specifies the properties to use when creating # A template describing settings for new CryptoKeyVersion instances.
+ "name": "A String", # Output only. The resource name for this CryptoKey in the format
+ # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
+ "versionTemplate": { # A CryptoKeyVersionTemplate specifies the properties to use when creating # A template describing settings for new CryptoKeyVersion instances.
# The properties of new CryptoKeyVersion instances created by either
# CreateCryptoKeyVersion or
# auto-rotation are controlled by this template.
# a new CryptoKeyVersion, either manually with
# CreateCryptoKeyVersion or
# automatically as a result of auto-rotation.
- "protectionLevel": "A String", # ProtectionLevel to use when creating a CryptoKeyVersion based on
- # this template. Immutable. Defaults to SOFTWARE.
- "algorithm": "A String", # Required. Algorithm to use
+ "algorithm": "A String", # Required. Algorithm to use
# when creating a CryptoKeyVersion based on this template.
#
# For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
# this field is omitted and CryptoKey.purpose is
# ENCRYPT_DECRYPT.
+ "protectionLevel": "A String", # ProtectionLevel to use when creating a CryptoKeyVersion based on
+ # this template. Immutable. Defaults to SOFTWARE.
},
- "purpose": "A String", # Immutable. The immutable purpose of this CryptoKey.
- "createTime": "A String", # Output only. The time at which this CryptoKey was created.
- "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
- #
+ "purpose": "A String", # Immutable. The immutable purpose of this CryptoKey.
+ "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
+ #
# 1. Create a new version of this CryptoKey.
# 2. Mark the new version as primary.
- #
+ #
# Key rotations performed manually via
# CreateCryptoKeyVersion and
# UpdateCryptoKeyPrimaryVersion
# do not affect next_rotation_time.
- #
+ #
# Keys with purpose
# ENCRYPT_DECRYPT support
# automatic rotation. For other keys, this field must be omitted.
- }</pre>
+ "labels": { # Labels with user-defined metadata. For more information, see
+ # [Labeling Keys](/kms/docs/labeling-keys).
+ "a_key": "A String",
+ },
+ "createTime": "A String", # Output only. The time at which this CryptoKey was created.
+ }
+
+ updateMask: string, Required. List of fields to be updated in this request.
+ x__xgafv: string, V1 error format.
+ Allowed values
+ 1 - v1 error format
+ 2 - v2 error format
+
+Returns:
+ An object of the form:
+
+ { # A CryptoKey represents a logical key that can be used for cryptographic
+ # operations.
+ #
+ # A CryptoKey is made up of zero or more versions,
+ # which represent the actual key material used in cryptographic operations.
+ "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
+ # automatically rotates a key. Must be at least 24 hours and at most
+ # 876,000 hours.
+ #
+ # If rotation_period is set, next_rotation_time must also be set.
+ #
+ # Keys with purpose
+ # ENCRYPT_DECRYPT support
+ # automatic rotation. For other keys, this field must be omitted.
+ "primary": { # A CryptoKeyVersion represents an individual cryptographic key, and the # Output only. A copy of the "primary" CryptoKeyVersion that will be used
+ # by Encrypt when this CryptoKey is given
+ # in EncryptRequest.name.
+ #
+ # The CryptoKey's primary version can be updated via
+ # UpdateCryptoKeyPrimaryVersion.
+ #
+ # Keys with purpose
+ # ENCRYPT_DECRYPT may have a
+ # primary. For other keys, this field will be omitted.
+ # associated key material.
+ #
+ # An ENABLED version can be
+ # used for cryptographic operations.
+ #
+ # For security reasons, the raw cryptographic key material represented by a
+ # CryptoKeyVersion can never be viewed or exported. It can only be used to
+ # encrypt, decrypt, or sign data when an authorized user or application invokes
+ # Cloud KMS.
+ "importTime": "A String", # Output only. The time at which this CryptoKeyVersion's key material
+ # was imported.
+ "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
+ # destroyed. Only present if state is
+ # DESTROYED.
+ "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
+ # for destruction. Only present if state is
+ # DESTROY_SCHEDULED.
+ "importFailureReason": "A String", # Output only. The root cause of an import failure. Only present if
+ # state is
+ # IMPORT_FAILED.
+ "state": "A String", # The current state of the CryptoKeyVersion.
+ "attestation": { # Contains an HSM-generated attestation about a key operation. For more # Output only. Statement that was generated and signed by the HSM at key
+ # creation time. Use this statement to verify attributes of the key as stored
+ # on the HSM, independently of Google. Only provided for key versions with
+ # protection_level HSM.
+ # information, see [Verifying attestations]
+ # (https://cloud.google.com/kms/docs/attest-key).
+ "format": "A String", # Output only. The format of the attestation data.
+ "content": "A String", # Output only. The attestation data provided by the HSM when the key
+ # operation was performed.
+ },
+ "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
+ # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
+ "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
+ # generated.
+ "protectionLevel": "A String", # Output only. The ProtectionLevel describing how crypto operations are
+ # performed with this CryptoKeyVersion.
+ "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
+ "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this
+ # CryptoKeyVersion supports.
+ "importJob": "A String", # Output only. The name of the ImportJob used to import this
+ # CryptoKeyVersion. Only present if the underlying key material was
+ # imported.
+ "externalProtectionLevelOptions": { # ExternalProtectionLevelOptions stores a group of additional fields for # ExternalProtectionLevelOptions stores a group of additional fields for
+ # configuring a CryptoKeyVersion that are specific to the
+ # EXTERNAL protection level.
+ # configuring a CryptoKeyVersion that are specific to the
+ # EXTERNAL protection level.
+ "externalKeyUri": "A String", # The URI for an external resource that this CryptoKeyVersion represents.
+ },
+ },
+ "name": "A String", # Output only. The resource name for this CryptoKey in the format
+ # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
+ "versionTemplate": { # A CryptoKeyVersionTemplate specifies the properties to use when creating # A template describing settings for new CryptoKeyVersion instances.
+ # The properties of new CryptoKeyVersion instances created by either
+ # CreateCryptoKeyVersion or
+ # auto-rotation are controlled by this template.
+ # a new CryptoKeyVersion, either manually with
+ # CreateCryptoKeyVersion or
+ # automatically as a result of auto-rotation.
+ "algorithm": "A String", # Required. Algorithm to use
+ # when creating a CryptoKeyVersion based on this template.
+ #
+ # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
+ # this field is omitted and CryptoKey.purpose is
+ # ENCRYPT_DECRYPT.
+ "protectionLevel": "A String", # ProtectionLevel to use when creating a CryptoKeyVersion based on
+ # this template. Immutable. Defaults to SOFTWARE.
+ },
+ "purpose": "A String", # Immutable. The immutable purpose of this CryptoKey.
+ "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
+ #
+ # 1. Create a new version of this CryptoKey.
+ # 2. Mark the new version as primary.
+ #
+ # Key rotations performed manually via
+ # CreateCryptoKeyVersion and
+ # UpdateCryptoKeyPrimaryVersion
+ # do not affect next_rotation_time.
+ #
+ # Keys with purpose
+ # ENCRYPT_DECRYPT support
+ # automatic rotation. For other keys, this field must be omitted.
+ "labels": { # Labels with user-defined metadata. For more information, see
+ # [Labeling Keys](/kms/docs/labeling-keys).
+ "a_key": "A String",
+ },
+ "createTime": "A String", # Output only. The time at which this CryptoKey was created.
+ }</pre>
</div>
<div class="method">
@@ -1307,7 +1326,7 @@
<pre>Sets the access control policy on the specified resource. Replaces any
existing policy.
-Can return Public Errors: NOT_FOUND, INVALID_ARGUMENT and PERMISSION_DENIED
+Can return `NOT_FOUND`, `INVALID_ARGUMENT`, and `PERMISSION_DENIED` errors.
Args:
resource: string, REQUIRED: The resource for which the policy is being specified.
@@ -1316,7 +1335,7 @@
The object takes the form of:
{ # Request message for `SetIamPolicy` method.
- "policy": { # An Identity and Access Management (IAM) policy, which specifies access # REQUIRED: The complete policy to be applied to the `resource`. The size of
+ "policy": { # An Identity and Access Management (IAM) policy, which specifies access # REQUIRED: The complete policy to be applied to the `resource`. The size of
# the policy is limited to a few 10s of KB. An empty policy is a
# valid policy but certain Cloud Platform services (such as Projects)
# might reject them.
@@ -1329,36 +1348,40 @@
# permissions; each `role` can be an IAM predefined role or a user-created
# custom role.
#
- # Optionally, a `binding` can specify a `condition`, which is a logical
- # expression that allows access to a resource only if the expression evaluates
- # to `true`. A condition can add constraints based on attributes of the
- # request, the resource, or both.
+ # For some types of Google Cloud resources, a `binding` can also specify a
+ # `condition`, which is a logical expression that allows access to a resource
+ # only if the expression evaluates to `true`. A condition can add constraints
+ # based on attributes of the request, the resource, or both. To learn which
+ # resources support conditions in their IAM policies, see the
+ # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
#
# **JSON example:**
#
# {
- # "bindings": [
+ # "bindings": [
# {
- # "role": "roles/resourcemanager.organizationAdmin",
- # "members": [
- # "user:mike@example.com",
- # "group:admins@example.com",
- # "domain:google.com",
- # "serviceAccount:my-project-id@appspot.gserviceaccount.com"
+ # "role": "roles/resourcemanager.organizationAdmin",
+ # "members": [
+ # "user:mike@example.com",
+ # "group:admins@example.com",
+ # "domain:google.com",
+ # "serviceAccount:my-project-id@appspot.gserviceaccount.com"
# ]
# },
# {
- # "role": "roles/resourcemanager.organizationViewer",
- # "members": ["user:eve@example.com"],
- # "condition": {
- # "title": "expirable access",
- # "description": "Does not grant access after Sep 2020",
- # "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",
+ # "role": "roles/resourcemanager.organizationViewer",
+ # "members": [
+ # "user:eve@example.com"
+ # ],
+ # "condition": {
+ # "title": "expirable access",
+ # "description": "Does not grant access after Sep 2020",
+ # "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",
# }
# }
# ],
- # "etag": "BwWWja0YfJA=",
- # "version": 3
+ # "etag": "BwWWja0YfJA=",
+ # "version": 3
# }
#
# **YAML example:**
@@ -1376,63 +1399,126 @@
# condition:
# title: expirable access
# description: Does not grant access after Sep 2020
- # expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
+ # expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
# - etag: BwWWja0YfJA=
# - version: 3
#
# For a description of IAM and its features, see the
# [IAM documentation](https://cloud.google.com/iam/docs/).
- "bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a
+ "version": 42, # Specifies the format of the policy.
+ #
+ # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
+ # are rejected.
+ #
+ # Any operation that affects conditional role bindings must specify version
+ # `3`. This requirement applies to the following operations:
+ #
+ # * Getting a policy that includes a conditional role binding
+ # * Adding a conditional role binding to a policy
+ # * Changing a conditional role binding in a policy
+ # * Removing any role binding, with or without a condition, from a policy
+ # that includes conditions
+ #
+ # **Important:** If you use IAM Conditions, you must include the `etag` field
+ # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
+ # you to overwrite a version `3` policy with a version `1` policy, and all of
+ # the conditions in the version `3` policy are lost.
+ #
+ # If a policy does not include any conditions, operations on that policy may
+ # specify any valid version or leave the field unset.
+ #
+ # To learn which resources support conditions in their IAM policies, see the
+ # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
+ "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
+ { # Specifies the audit configuration for a service.
+ # The configuration determines which permission types are logged, and what
+ # identities, if any, are exempted from logging.
+ # An AuditConfig must have one or more AuditLogConfigs.
+ #
+ # If there are AuditConfigs for both `allServices` and a specific service,
+ # the union of the two AuditConfigs is used for that service: the log_types
+ # specified in each AuditConfig are enabled, and the exempted_members in each
+ # AuditLogConfig are exempted.
+ #
+ # Example Policy with multiple AuditConfigs:
+ #
+ # {
+ # "audit_configs": [
+ # {
+ # "service": "allServices"
+ # "audit_log_configs": [
+ # {
+ # "log_type": "DATA_READ",
+ # "exempted_members": [
+ # "user:jose@example.com"
+ # ]
+ # },
+ # {
+ # "log_type": "DATA_WRITE",
+ # },
+ # {
+ # "log_type": "ADMIN_READ",
+ # }
+ # ]
+ # },
+ # {
+ # "service": "sampleservice.googleapis.com"
+ # "audit_log_configs": [
+ # {
+ # "log_type": "DATA_READ",
+ # },
+ # {
+ # "log_type": "DATA_WRITE",
+ # "exempted_members": [
+ # "user:aliya@example.com"
+ # ]
+ # }
+ # ]
+ # }
+ # ]
+ # }
+ #
+ # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
+ # logging. It also exempts jose@example.com from DATA_READ logging, and
+ # aliya@example.com from DATA_WRITE logging.
+ "auditLogConfigs": [ # The configuration for logging of each type of permission.
+ { # Provides the configuration for logging a type of permissions.
+ # Example:
+ #
+ # {
+ # "audit_log_configs": [
+ # {
+ # "log_type": "DATA_READ",
+ # "exempted_members": [
+ # "user:jose@example.com"
+ # ]
+ # },
+ # {
+ # "log_type": "DATA_WRITE",
+ # }
+ # ]
+ # }
+ #
+ # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
+ # jose@example.com from DATA_READ logging.
+ "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
+ # permission.
+ # Follows the same format of Binding.members.
+ "A String",
+ ],
+ "logType": "A String", # The log type that this config enables.
+ },
+ ],
+ "service": "A String", # Specifies a service that will be enabled for audit logging.
+ # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
+ # `allServices` is a special value that covers all services.
+ },
+ ],
+ "bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a
# `condition` that determines how and when the `bindings` are applied. Each
# of the `bindings` must contain at least one member.
{ # Associates `members` with a `role`.
- "role": "A String", # Role that is assigned to `members`.
- # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
- "condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.
- # NOTE: An unsatisfied condition will not allow user access via current
- # binding. Different bindings, including their conditions, are examined
- # independently.
- # syntax. CEL is a C-like expression language. The syntax and semantics of CEL
- # are documented at https://github.com/google/cel-spec.
- #
- # Example (Comparison):
- #
- # title: "Summary size limit"
- # description: "Determines if a summary is less than 100 chars"
- # expression: "document.summary.size() < 100"
- #
- # Example (Equality):
- #
- # title: "Requestor is owner"
- # description: "Determines if requestor is the document owner"
- # expression: "document.owner == request.auth.claims.email"
- #
- # Example (Logic):
- #
- # title: "Public documents"
- # description: "Determine whether the document should be publicly visible"
- # expression: "document.type != 'private' && document.type != 'internal'"
- #
- # Example (Data Manipulation):
- #
- # title: "Notification string"
- # description: "Create a notification string with a timestamp."
- # expression: "'New message received at ' + string(document.create_time)"
- #
- # The exact variables and functions that may be referenced within an expression
- # are determined by the service that evaluates it. See the service
- # documentation for additional information.
- "location": "A String", # Optional. String indicating the location of the expression for error
- # reporting, e.g. a file name and a position in the file.
- "expression": "A String", # Textual representation of an expression in Common Expression Language
- # syntax.
- "description": "A String", # Optional. Description of the expression. This is a longer text which
- # describes the expression, e.g. when hovered over it in a UI.
- "title": "A String", # Optional. Title for the expression, i.e. a short string describing
- # its purpose. This can be used e.g. in UIs which allow to enter the
- # expression.
- },
- "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
+ "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
# `members` can have the following values:
#
# * `allUsers`: A special identifier that represents anyone who is
@@ -1475,96 +1561,65 @@
# * `domain:{domain}`: The G Suite domain (primary) that represents all the
# users of that domain. For example, `google.com` or `example.com`.
#
- "A String",
+ "A String",
],
+ "role": "A String", # Role that is assigned to `members`.
+ # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
+ "condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.
+ #
+ # If the condition evaluates to `true`, then this binding applies to the
+ # current request.
+ #
+ # If the condition evaluates to `false`, then this binding does not apply to
+ # the current request. However, a different role binding might grant the same
+ # role to one or more of the members in this binding.
+ #
+ # To learn which resources support conditions in their IAM policies, see the
+ # [IAM
+ # documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
+ # syntax. CEL is a C-like expression language. The syntax and semantics of CEL
+ # are documented at https://github.com/google/cel-spec.
+ #
+ # Example (Comparison):
+ #
+ # title: "Summary size limit"
+ # description: "Determines if a summary is less than 100 chars"
+ # expression: "document.summary.size() < 100"
+ #
+ # Example (Equality):
+ #
+ # title: "Requestor is owner"
+ # description: "Determines if requestor is the document owner"
+ # expression: "document.owner == request.auth.claims.email"
+ #
+ # Example (Logic):
+ #
+ # title: "Public documents"
+ # description: "Determine whether the document should be publicly visible"
+ # expression: "document.type != 'private' && document.type != 'internal'"
+ #
+ # Example (Data Manipulation):
+ #
+ # title: "Notification string"
+ # description: "Create a notification string with a timestamp."
+ # expression: "'New message received at ' + string(document.create_time)"
+ #
+ # The exact variables and functions that may be referenced within an expression
+ # are determined by the service that evaluates it. See the service
+ # documentation for additional information.
+ "title": "A String", # Optional. Title for the expression, i.e. a short string describing
+ # its purpose. This can be used e.g. in UIs which allow to enter the
+ # expression.
+ "location": "A String", # Optional. String indicating the location of the expression for error
+ # reporting, e.g. a file name and a position in the file.
+ "description": "A String", # Optional. Description of the expression. This is a longer text which
+ # describes the expression, e.g. when hovered over it in a UI.
+ "expression": "A String", # Textual representation of an expression in Common Expression Language
+ # syntax.
+ },
},
],
- "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
- { # Specifies the audit configuration for a service.
- # The configuration determines which permission types are logged, and what
- # identities, if any, are exempted from logging.
- # An AuditConfig must have one or more AuditLogConfigs.
- #
- # If there are AuditConfigs for both `allServices` and a specific service,
- # the union of the two AuditConfigs is used for that service: the log_types
- # specified in each AuditConfig are enabled, and the exempted_members in each
- # AuditLogConfig are exempted.
- #
- # Example Policy with multiple AuditConfigs:
- #
- # {
- # "audit_configs": [
- # {
- # "service": "allServices"
- # "audit_log_configs": [
- # {
- # "log_type": "DATA_READ",
- # "exempted_members": [
- # "user:jose@example.com"
- # ]
- # },
- # {
- # "log_type": "DATA_WRITE",
- # },
- # {
- # "log_type": "ADMIN_READ",
- # }
- # ]
- # },
- # {
- # "service": "sampleservice.googleapis.com"
- # "audit_log_configs": [
- # {
- # "log_type": "DATA_READ",
- # },
- # {
- # "log_type": "DATA_WRITE",
- # "exempted_members": [
- # "user:aliya@example.com"
- # ]
- # }
- # ]
- # }
- # ]
- # }
- #
- # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
- # logging. It also exempts jose@example.com from DATA_READ logging, and
- # aliya@example.com from DATA_WRITE logging.
- "auditLogConfigs": [ # The configuration for logging of each type of permission.
- { # Provides the configuration for logging a type of permissions.
- # Example:
- #
- # {
- # "audit_log_configs": [
- # {
- # "log_type": "DATA_READ",
- # "exempted_members": [
- # "user:jose@example.com"
- # ]
- # },
- # {
- # "log_type": "DATA_WRITE",
- # }
- # ]
- # }
- #
- # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
- # jose@example.com from DATA_READ logging.
- "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
- # permission.
- # Follows the same format of Binding.members.
- "A String",
- ],
- "logType": "A String", # The log type that this config enables.
- },
- ],
- "service": "A String", # Specifies a service that will be enabled for audit logging.
- # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
- # `allServices` is a special value that covers all services.
- },
- ],
- "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
+ "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
# prevent simultaneous updates of a policy from overwriting each other.
# It is strongly suggested that systems make use of the `etag` in the
# read-modify-write cycle to perform policy updates in order to avoid race
@@ -1576,33 +1631,12 @@
# whenever you call `setIamPolicy`. If you omit this field, then IAM allows
# you to overwrite a version `3` policy with a version `1` policy, and all of
# the conditions in the version `3` policy are lost.
- "version": 42, # Specifies the format of the policy.
- #
- # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
- # are rejected.
- #
- # Any operation that affects conditional role bindings must specify version
- # `3`. This requirement applies to the following operations:
- #
- # * Getting a policy that includes a conditional role binding
- # * Adding a conditional role binding to a policy
- # * Changing a conditional role binding in a policy
- # * Removing any role binding, with or without a condition, from a policy
- # that includes conditions
- #
- # **Important:** If you use IAM Conditions, you must include the `etag` field
- # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
- # you to overwrite a version `3` policy with a version `1` policy, and all of
- # the conditions in the version `3` policy are lost.
- #
- # If a policy does not include any conditions, operations on that policy may
- # specify any valid version or leave the field unset.
},
- "updateMask": "A String", # OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
+ "updateMask": "A String", # OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
# the fields in the mask will be modified. If no mask is provided, the
# following default mask is used:
- # paths: "bindings, etag"
- # This field is only used by Cloud IAM.
+ #
+ # `paths: "bindings, etag"`
}
x__xgafv: string, V1 error format.
@@ -1623,36 +1657,40 @@
# permissions; each `role` can be an IAM predefined role or a user-created
# custom role.
#
- # Optionally, a `binding` can specify a `condition`, which is a logical
- # expression that allows access to a resource only if the expression evaluates
- # to `true`. A condition can add constraints based on attributes of the
- # request, the resource, or both.
+ # For some types of Google Cloud resources, a `binding` can also specify a
+ # `condition`, which is a logical expression that allows access to a resource
+ # only if the expression evaluates to `true`. A condition can add constraints
+ # based on attributes of the request, the resource, or both. To learn which
+ # resources support conditions in their IAM policies, see the
+ # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
#
# **JSON example:**
#
# {
- # "bindings": [
+ # "bindings": [
# {
- # "role": "roles/resourcemanager.organizationAdmin",
- # "members": [
- # "user:mike@example.com",
- # "group:admins@example.com",
- # "domain:google.com",
- # "serviceAccount:my-project-id@appspot.gserviceaccount.com"
+ # "role": "roles/resourcemanager.organizationAdmin",
+ # "members": [
+ # "user:mike@example.com",
+ # "group:admins@example.com",
+ # "domain:google.com",
+ # "serviceAccount:my-project-id@appspot.gserviceaccount.com"
# ]
# },
# {
- # "role": "roles/resourcemanager.organizationViewer",
- # "members": ["user:eve@example.com"],
- # "condition": {
- # "title": "expirable access",
- # "description": "Does not grant access after Sep 2020",
- # "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",
+ # "role": "roles/resourcemanager.organizationViewer",
+ # "members": [
+ # "user:eve@example.com"
+ # ],
+ # "condition": {
+ # "title": "expirable access",
+ # "description": "Does not grant access after Sep 2020",
+ # "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",
# }
# }
# ],
- # "etag": "BwWWja0YfJA=",
- # "version": 3
+ # "etag": "BwWWja0YfJA=",
+ # "version": 3
# }
#
# **YAML example:**
@@ -1670,63 +1708,126 @@
# condition:
# title: expirable access
# description: Does not grant access after Sep 2020
- # expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
+ # expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
# - etag: BwWWja0YfJA=
# - version: 3
#
# For a description of IAM and its features, see the
# [IAM documentation](https://cloud.google.com/iam/docs/).
- "bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a
+ "version": 42, # Specifies the format of the policy.
+ #
+ # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
+ # are rejected.
+ #
+ # Any operation that affects conditional role bindings must specify version
+ # `3`. This requirement applies to the following operations:
+ #
+ # * Getting a policy that includes a conditional role binding
+ # * Adding a conditional role binding to a policy
+ # * Changing a conditional role binding in a policy
+ # * Removing any role binding, with or without a condition, from a policy
+ # that includes conditions
+ #
+ # **Important:** If you use IAM Conditions, you must include the `etag` field
+ # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
+ # you to overwrite a version `3` policy with a version `1` policy, and all of
+ # the conditions in the version `3` policy are lost.
+ #
+ # If a policy does not include any conditions, operations on that policy may
+ # specify any valid version or leave the field unset.
+ #
+ # To learn which resources support conditions in their IAM policies, see the
+ # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
+ "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
+ { # Specifies the audit configuration for a service.
+ # The configuration determines which permission types are logged, and what
+ # identities, if any, are exempted from logging.
+ # An AuditConfig must have one or more AuditLogConfigs.
+ #
+ # If there are AuditConfigs for both `allServices` and a specific service,
+ # the union of the two AuditConfigs is used for that service: the log_types
+ # specified in each AuditConfig are enabled, and the exempted_members in each
+ # AuditLogConfig are exempted.
+ #
+ # Example Policy with multiple AuditConfigs:
+ #
+ # {
+ # "audit_configs": [
+ # {
+ # "service": "allServices"
+ # "audit_log_configs": [
+ # {
+ # "log_type": "DATA_READ",
+ # "exempted_members": [
+ # "user:jose@example.com"
+ # ]
+ # },
+ # {
+ # "log_type": "DATA_WRITE",
+ # },
+ # {
+ # "log_type": "ADMIN_READ",
+ # }
+ # ]
+ # },
+ # {
+ # "service": "sampleservice.googleapis.com"
+ # "audit_log_configs": [
+ # {
+ # "log_type": "DATA_READ",
+ # },
+ # {
+ # "log_type": "DATA_WRITE",
+ # "exempted_members": [
+ # "user:aliya@example.com"
+ # ]
+ # }
+ # ]
+ # }
+ # ]
+ # }
+ #
+ # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
+ # logging. It also exempts jose@example.com from DATA_READ logging, and
+ # aliya@example.com from DATA_WRITE logging.
+ "auditLogConfigs": [ # The configuration for logging of each type of permission.
+ { # Provides the configuration for logging a type of permissions.
+ # Example:
+ #
+ # {
+ # "audit_log_configs": [
+ # {
+ # "log_type": "DATA_READ",
+ # "exempted_members": [
+ # "user:jose@example.com"
+ # ]
+ # },
+ # {
+ # "log_type": "DATA_WRITE",
+ # }
+ # ]
+ # }
+ #
+ # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
+ # jose@example.com from DATA_READ logging.
+ "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
+ # permission.
+ # Follows the same format of Binding.members.
+ "A String",
+ ],
+ "logType": "A String", # The log type that this config enables.
+ },
+ ],
+ "service": "A String", # Specifies a service that will be enabled for audit logging.
+ # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
+ # `allServices` is a special value that covers all services.
+ },
+ ],
+ "bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a
# `condition` that determines how and when the `bindings` are applied. Each
# of the `bindings` must contain at least one member.
{ # Associates `members` with a `role`.
- "role": "A String", # Role that is assigned to `members`.
- # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
- "condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.
- # NOTE: An unsatisfied condition will not allow user access via current
- # binding. Different bindings, including their conditions, are examined
- # independently.
- # syntax. CEL is a C-like expression language. The syntax and semantics of CEL
- # are documented at https://github.com/google/cel-spec.
- #
- # Example (Comparison):
- #
- # title: "Summary size limit"
- # description: "Determines if a summary is less than 100 chars"
- # expression: "document.summary.size() < 100"
- #
- # Example (Equality):
- #
- # title: "Requestor is owner"
- # description: "Determines if requestor is the document owner"
- # expression: "document.owner == request.auth.claims.email"
- #
- # Example (Logic):
- #
- # title: "Public documents"
- # description: "Determine whether the document should be publicly visible"
- # expression: "document.type != 'private' && document.type != 'internal'"
- #
- # Example (Data Manipulation):
- #
- # title: "Notification string"
- # description: "Create a notification string with a timestamp."
- # expression: "'New message received at ' + string(document.create_time)"
- #
- # The exact variables and functions that may be referenced within an expression
- # are determined by the service that evaluates it. See the service
- # documentation for additional information.
- "location": "A String", # Optional. String indicating the location of the expression for error
- # reporting, e.g. a file name and a position in the file.
- "expression": "A String", # Textual representation of an expression in Common Expression Language
- # syntax.
- "description": "A String", # Optional. Description of the expression. This is a longer text which
- # describes the expression, e.g. when hovered over it in a UI.
- "title": "A String", # Optional. Title for the expression, i.e. a short string describing
- # its purpose. This can be used e.g. in UIs which allow to enter the
- # expression.
- },
- "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
+ "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
# `members` can have the following values:
#
# * `allUsers`: A special identifier that represents anyone who is
@@ -1769,96 +1870,65 @@
# * `domain:{domain}`: The G Suite domain (primary) that represents all the
# users of that domain. For example, `google.com` or `example.com`.
#
- "A String",
+ "A String",
],
+ "role": "A String", # Role that is assigned to `members`.
+ # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
+ "condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.
+ #
+ # If the condition evaluates to `true`, then this binding applies to the
+ # current request.
+ #
+ # If the condition evaluates to `false`, then this binding does not apply to
+ # the current request. However, a different role binding might grant the same
+ # role to one or more of the members in this binding.
+ #
+ # To learn which resources support conditions in their IAM policies, see the
+ # [IAM
+ # documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
+ # syntax. CEL is a C-like expression language. The syntax and semantics of CEL
+ # are documented at https://github.com/google/cel-spec.
+ #
+ # Example (Comparison):
+ #
+ # title: "Summary size limit"
+ # description: "Determines if a summary is less than 100 chars"
+ # expression: "document.summary.size() < 100"
+ #
+ # Example (Equality):
+ #
+ # title: "Requestor is owner"
+ # description: "Determines if requestor is the document owner"
+ # expression: "document.owner == request.auth.claims.email"
+ #
+ # Example (Logic):
+ #
+ # title: "Public documents"
+ # description: "Determine whether the document should be publicly visible"
+ # expression: "document.type != 'private' && document.type != 'internal'"
+ #
+ # Example (Data Manipulation):
+ #
+ # title: "Notification string"
+ # description: "Create a notification string with a timestamp."
+ # expression: "'New message received at ' + string(document.create_time)"
+ #
+ # The exact variables and functions that may be referenced within an expression
+ # are determined by the service that evaluates it. See the service
+ # documentation for additional information.
+ "title": "A String", # Optional. Title for the expression, i.e. a short string describing
+ # its purpose. This can be used e.g. in UIs which allow to enter the
+ # expression.
+ "location": "A String", # Optional. String indicating the location of the expression for error
+ # reporting, e.g. a file name and a position in the file.
+ "description": "A String", # Optional. Description of the expression. This is a longer text which
+ # describes the expression, e.g. when hovered over it in a UI.
+ "expression": "A String", # Textual representation of an expression in Common Expression Language
+ # syntax.
+ },
},
],
- "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
- { # Specifies the audit configuration for a service.
- # The configuration determines which permission types are logged, and what
- # identities, if any, are exempted from logging.
- # An AuditConfig must have one or more AuditLogConfigs.
- #
- # If there are AuditConfigs for both `allServices` and a specific service,
- # the union of the two AuditConfigs is used for that service: the log_types
- # specified in each AuditConfig are enabled, and the exempted_members in each
- # AuditLogConfig are exempted.
- #
- # Example Policy with multiple AuditConfigs:
- #
- # {
- # "audit_configs": [
- # {
- # "service": "allServices"
- # "audit_log_configs": [
- # {
- # "log_type": "DATA_READ",
- # "exempted_members": [
- # "user:jose@example.com"
- # ]
- # },
- # {
- # "log_type": "DATA_WRITE",
- # },
- # {
- # "log_type": "ADMIN_READ",
- # }
- # ]
- # },
- # {
- # "service": "sampleservice.googleapis.com"
- # "audit_log_configs": [
- # {
- # "log_type": "DATA_READ",
- # },
- # {
- # "log_type": "DATA_WRITE",
- # "exempted_members": [
- # "user:aliya@example.com"
- # ]
- # }
- # ]
- # }
- # ]
- # }
- #
- # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
- # logging. It also exempts jose@example.com from DATA_READ logging, and
- # aliya@example.com from DATA_WRITE logging.
- "auditLogConfigs": [ # The configuration for logging of each type of permission.
- { # Provides the configuration for logging a type of permissions.
- # Example:
- #
- # {
- # "audit_log_configs": [
- # {
- # "log_type": "DATA_READ",
- # "exempted_members": [
- # "user:jose@example.com"
- # ]
- # },
- # {
- # "log_type": "DATA_WRITE",
- # }
- # ]
- # }
- #
- # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
- # jose@example.com from DATA_READ logging.
- "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
- # permission.
- # Follows the same format of Binding.members.
- "A String",
- ],
- "logType": "A String", # The log type that this config enables.
- },
- ],
- "service": "A String", # Specifies a service that will be enabled for audit logging.
- # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
- # `allServices` is a special value that covers all services.
- },
- ],
- "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
+ "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
# prevent simultaneous updates of a policy from overwriting each other.
# It is strongly suggested that systems make use of the `etag` in the
# read-modify-write cycle to perform policy updates in order to avoid race
@@ -1870,27 +1940,6 @@
# whenever you call `setIamPolicy`. If you omit this field, then IAM allows
# you to overwrite a version `3` policy with a version `1` policy, and all of
# the conditions in the version `3` policy are lost.
- "version": 42, # Specifies the format of the policy.
- #
- # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
- # are rejected.
- #
- # Any operation that affects conditional role bindings must specify version
- # `3`. This requirement applies to the following operations:
- #
- # * Getting a policy that includes a conditional role binding
- # * Adding a conditional role binding to a policy
- # * Changing a conditional role binding in a policy
- # * Removing any role binding, with or without a condition, from a policy
- # that includes conditions
- #
- # **Important:** If you use IAM Conditions, you must include the `etag` field
- # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
- # you to overwrite a version `3` policy with a version `1` policy, and all of
- # the conditions in the version `3` policy are lost.
- #
- # If a policy does not include any conditions, operations on that policy may
- # specify any valid version or leave the field unset.
}</pre>
</div>
@@ -1898,11 +1947,11 @@
<code class="details" id="testIamPermissions">testIamPermissions(resource, body=None, x__xgafv=None)</code>
<pre>Returns permissions that a caller has on the specified resource.
If the resource does not exist, this will return an empty set of
-permissions, not a NOT_FOUND error.
+permissions, not a `NOT_FOUND` error.
Note: This operation is designed to be used for building permission-aware
UIs and command-line tools, not for authorization checking. This operation
-may "fail open" without warning.
+may "fail open" without warning.
Args:
resource: string, REQUIRED: The resource for which the policy detail is being requested.
@@ -1911,11 +1960,11 @@
The object takes the form of:
{ # Request message for `TestIamPermissions` method.
- "permissions": [ # The set of permissions to check for the `resource`. Permissions with
- # wildcards (such as '*' or 'storage.*') are not allowed. For more
+ "permissions": [ # The set of permissions to check for the `resource`. Permissions with
+ # wildcards (such as '*' or 'storage.*') are not allowed. For more
# information see
# [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).
- "A String",
+ "A String",
],
}
@@ -1928,9 +1977,9 @@
An object of the form:
{ # Response message for `TestIamPermissions` method.
- "permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is
+ "permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is
# allowed.
- "A String",
+ "A String",
],
}</pre>
</div>
@@ -1947,7 +1996,7 @@
The object takes the form of:
{ # Request message for KeyManagementService.UpdateCryptoKeyPrimaryVersion.
- "cryptoKeyVersionId": "A String", # Required. The id of the child CryptoKeyVersion to use as primary.
+ "cryptoKeyVersionId": "A String", # Required. The id of the child CryptoKeyVersion to use as primary.
}
x__xgafv: string, V1 error format.
@@ -1959,118 +2008,118 @@
An object of the form:
{ # A CryptoKey represents a logical key that can be used for cryptographic
- # operations.
- #
- # A CryptoKey is made up of one or more versions, which
- # represent the actual key material used in cryptographic operations.
- "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
- # automatically rotates a key. Must be at least 24 hours and at most
- # 876,000 hours.
+ # operations.
#
- # If rotation_period is set, next_rotation_time must also be set.
- #
- # Keys with purpose
- # ENCRYPT_DECRYPT support
- # automatic rotation. For other keys, this field must be omitted.
- "name": "A String", # Output only. The resource name for this CryptoKey in the format
- # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
- "labels": { # Labels with user-defined metadata. For more information, see
- # [Labeling Keys](/kms/docs/labeling-keys).
- "a_key": "A String",
- },
- "primary": { # A CryptoKeyVersion represents an individual cryptographic key, and the # Output only. A copy of the "primary" CryptoKeyVersion that will be used
- # by Encrypt when this CryptoKey is given
- # in EncryptRequest.name.
- #
- # The CryptoKey's primary version can be updated via
- # UpdateCryptoKeyPrimaryVersion.
- #
- # Keys with purpose
- # ENCRYPT_DECRYPT may have a
- # primary. For other keys, this field will be omitted.
- # associated key material.
- #
- # An ENABLED version can be
- # used for cryptographic operations.
- #
- # For security reasons, the raw cryptographic key material represented by a
- # CryptoKeyVersion can never be viewed or exported. It can only be used to
- # encrypt, decrypt, or sign data when an authorized user or application invokes
- # Cloud KMS.
- "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
- # for destruction. Only present if state is
- # DESTROY_SCHEDULED.
- "importFailureReason": "A String", # Output only. The root cause of an import failure. Only present if
- # state is
- # IMPORT_FAILED.
- "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
- # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
- "protectionLevel": "A String", # Output only. The ProtectionLevel describing how crypto operations are
- # performed with this CryptoKeyVersion.
- "attestation": { # Contains an HSM-generated attestation about a key operation. For more # Output only. Statement that was generated and signed by the HSM at key
- # creation time. Use this statement to verify attributes of the key as stored
- # on the HSM, independently of Google. Only provided for key versions with
- # protection_level HSM.
- # information, see [Verifying attestations]
- # (https://cloud.google.com/kms/docs/attest-key).
- "content": "A String", # Output only. The attestation data provided by the HSM when the key
- # operation was performed.
- "format": "A String", # Output only. The format of the attestation data.
- },
- "state": "A String", # The current state of the CryptoKeyVersion.
- "importJob": "A String", # Output only. The name of the ImportJob used to import this
- # CryptoKeyVersion. Only present if the underlying key material was
- # imported.
- "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
- # generated.
- "importTime": "A String", # Output only. The time at which this CryptoKeyVersion's key material
- # was imported.
- "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this
- # CryptoKeyVersion supports.
- "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
- "externalProtectionLevelOptions": { # ExternalProtectionLevelOptions stores a group of additional fields for # ExternalProtectionLevelOptions stores a group of additional fields for
- # configuring a CryptoKeyVersion that are specific to the
- # EXTERNAL protection level.
- # configuring a CryptoKeyVersion that are specific to the
- # EXTERNAL protection level.
- "externalKeyUri": "A String", # The URI for an external resource that this CryptoKeyVersion represents.
- },
- "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
- # destroyed. Only present if state is
- # DESTROYED.
- },
- "versionTemplate": { # A CryptoKeyVersionTemplate specifies the properties to use when creating # A template describing settings for new CryptoKeyVersion instances.
- # The properties of new CryptoKeyVersion instances created by either
- # CreateCryptoKeyVersion or
- # auto-rotation are controlled by this template.
- # a new CryptoKeyVersion, either manually with
- # CreateCryptoKeyVersion or
- # automatically as a result of auto-rotation.
- "protectionLevel": "A String", # ProtectionLevel to use when creating a CryptoKeyVersion based on
- # this template. Immutable. Defaults to SOFTWARE.
- "algorithm": "A String", # Required. Algorithm to use
- # when creating a CryptoKeyVersion based on this template.
+ # A CryptoKey is made up of zero or more versions,
+ # which represent the actual key material used in cryptographic operations.
+ "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
+ # automatically rotates a key. Must be at least 24 hours and at most
+ # 876,000 hours.
#
- # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
- # this field is omitted and CryptoKey.purpose is
- # ENCRYPT_DECRYPT.
- },
- "purpose": "A String", # Immutable. The immutable purpose of this CryptoKey.
- "createTime": "A String", # Output only. The time at which this CryptoKey was created.
- "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
- #
- # 1. Create a new version of this CryptoKey.
- # 2. Mark the new version as primary.
- #
- # Key rotations performed manually via
- # CreateCryptoKeyVersion and
- # UpdateCryptoKeyPrimaryVersion
- # do not affect next_rotation_time.
- #
- # Keys with purpose
- # ENCRYPT_DECRYPT support
- # automatic rotation. For other keys, this field must be omitted.
- }</pre>
+ # If rotation_period is set, next_rotation_time must also be set.
+ #
+ # Keys with purpose
+ # ENCRYPT_DECRYPT support
+ # automatic rotation. For other keys, this field must be omitted.
+ "primary": { # A CryptoKeyVersion represents an individual cryptographic key, and the # Output only. A copy of the "primary" CryptoKeyVersion that will be used
+ # by Encrypt when this CryptoKey is given
+ # in EncryptRequest.name.
+ #
+ # The CryptoKey's primary version can be updated via
+ # UpdateCryptoKeyPrimaryVersion.
+ #
+ # Keys with purpose
+ # ENCRYPT_DECRYPT may have a
+ # primary. For other keys, this field will be omitted.
+ # associated key material.
+ #
+ # An ENABLED version can be
+ # used for cryptographic operations.
+ #
+ # For security reasons, the raw cryptographic key material represented by a
+ # CryptoKeyVersion can never be viewed or exported. It can only be used to
+ # encrypt, decrypt, or sign data when an authorized user or application invokes
+ # Cloud KMS.
+ "importTime": "A String", # Output only. The time at which this CryptoKeyVersion's key material
+ # was imported.
+ "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
+ # destroyed. Only present if state is
+ # DESTROYED.
+ "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
+ # for destruction. Only present if state is
+ # DESTROY_SCHEDULED.
+ "importFailureReason": "A String", # Output only. The root cause of an import failure. Only present if
+ # state is
+ # IMPORT_FAILED.
+ "state": "A String", # The current state of the CryptoKeyVersion.
+ "attestation": { # Contains an HSM-generated attestation about a key operation. For more # Output only. Statement that was generated and signed by the HSM at key
+ # creation time. Use this statement to verify attributes of the key as stored
+ # on the HSM, independently of Google. Only provided for key versions with
+ # protection_level HSM.
+ # information, see [Verifying attestations]
+ # (https://cloud.google.com/kms/docs/attest-key).
+ "format": "A String", # Output only. The format of the attestation data.
+ "content": "A String", # Output only. The attestation data provided by the HSM when the key
+ # operation was performed.
+ },
+ "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
+ # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
+ "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
+ # generated.
+ "protectionLevel": "A String", # Output only. The ProtectionLevel describing how crypto operations are
+ # performed with this CryptoKeyVersion.
+ "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
+ "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this
+ # CryptoKeyVersion supports.
+ "importJob": "A String", # Output only. The name of the ImportJob used to import this
+ # CryptoKeyVersion. Only present if the underlying key material was
+ # imported.
+ "externalProtectionLevelOptions": { # ExternalProtectionLevelOptions stores a group of additional fields for # ExternalProtectionLevelOptions stores a group of additional fields for
+ # configuring a CryptoKeyVersion that are specific to the
+ # EXTERNAL protection level.
+ # configuring a CryptoKeyVersion that are specific to the
+ # EXTERNAL protection level.
+ "externalKeyUri": "A String", # The URI for an external resource that this CryptoKeyVersion represents.
+ },
+ },
+ "name": "A String", # Output only. The resource name for this CryptoKey in the format
+ # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
+ "versionTemplate": { # A CryptoKeyVersionTemplate specifies the properties to use when creating # A template describing settings for new CryptoKeyVersion instances.
+ # The properties of new CryptoKeyVersion instances created by either
+ # CreateCryptoKeyVersion or
+ # auto-rotation are controlled by this template.
+ # a new CryptoKeyVersion, either manually with
+ # CreateCryptoKeyVersion or
+ # automatically as a result of auto-rotation.
+ "algorithm": "A String", # Required. Algorithm to use
+ # when creating a CryptoKeyVersion based on this template.
+ #
+ # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
+ # this field is omitted and CryptoKey.purpose is
+ # ENCRYPT_DECRYPT.
+ "protectionLevel": "A String", # ProtectionLevel to use when creating a CryptoKeyVersion based on
+ # this template. Immutable. Defaults to SOFTWARE.
+ },
+ "purpose": "A String", # Immutable. The immutable purpose of this CryptoKey.
+ "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
+ #
+ # 1. Create a new version of this CryptoKey.
+ # 2. Mark the new version as primary.
+ #
+ # Key rotations performed manually via
+ # CreateCryptoKeyVersion and
+ # UpdateCryptoKeyPrimaryVersion
+ # do not affect next_rotation_time.
+ #
+ # Keys with purpose
+ # ENCRYPT_DECRYPT support
+ # automatic rotation. For other keys, this field must be omitted.
+ "labels": { # Labels with user-defined metadata. For more information, see
+ # [Labeling Keys](/kms/docs/labeling-keys).
+ "a_key": "A String",
+ },
+ "createTime": "A String", # Output only. The time at which this CryptoKey was created.
+ }</pre>
</div>
</body></html>
\ No newline at end of file