docs: update generated docs (#981)
diff --git a/docs/dyn/cloudkms_v1.projects.locations.keyRings.cryptoKeys.html b/docs/dyn/cloudkms_v1.projects.locations.keyRings.cryptoKeys.html
index 5124453..db59a1a 100644
--- a/docs/dyn/cloudkms_v1.projects.locations.keyRings.cryptoKeys.html
+++ b/docs/dyn/cloudkms_v1.projects.locations.keyRings.cryptoKeys.html
@@ -95,7 +95,7 @@
<code><a href="#getIamPolicy">getIamPolicy(resource, options_requestedPolicyVersion=None, x__xgafv=None)</a></code></p>
<p class="firstline">Gets the access control policy for a resource.</p>
<p class="toc_element">
- <code><a href="#list">list(parent, orderBy=None, versionView=None, filter=None, pageToken=None, pageSize=None, x__xgafv=None)</a></code></p>
+ <code><a href="#list">list(parent, orderBy=None, pageToken=None, pageSize=None, versionView=None, filter=None, x__xgafv=None)</a></code></p>
<p class="firstline">Lists CryptoKeys.</p>
<p class="toc_element">
<code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p>
@@ -132,33 +132,14 @@
#
# A CryptoKey is made up of zero or more versions,
# which represent the actual key material used in cryptographic operations.
- "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
- #
- # 1. Create a new version of this CryptoKey.
- # 2. Mark the new version as primary.
- #
- # Key rotations performed manually via
- # CreateCryptoKeyVersion and
- # UpdateCryptoKeyPrimaryVersion
- # do not affect next_rotation_time.
- #
- # Keys with purpose
- # ENCRYPT_DECRYPT support
- # automatic rotation. For other keys, this field must be omitted.
"labels": { # Labels with user-defined metadata. For more information, see
- # [Labeling Keys](/kms/docs/labeling-keys).
+ # [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys).
"a_key": "A String",
},
+ "purpose": "A String", # Immutable. The immutable purpose of this CryptoKey.
"createTime": "A String", # Output only. The time at which this CryptoKey was created.
- "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
- # automatically rotates a key. Must be at least 24 hours and at most
- # 876,000 hours.
- #
- # If rotation_period is set, next_rotation_time must also be set.
- #
- # Keys with purpose
- # ENCRYPT_DECRYPT support
- # automatic rotation. For other keys, this field must be omitted.
+ "name": "A String", # Output only. The resource name for this CryptoKey in the format
+ # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
"primary": { # A CryptoKeyVersion represents an individual cryptographic key, and the # Output only. A copy of the "primary" CryptoKeyVersion that will be used
# by Encrypt when this CryptoKey is given
# in EncryptRequest.name.
@@ -178,33 +159,16 @@
# CryptoKeyVersion can never be viewed or exported. It can only be used to
# encrypt, decrypt, or sign data when an authorized user or application invokes
# Cloud KMS.
- "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
- "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this
- # CryptoKeyVersion supports.
- "importJob": "A String", # Output only. The name of the ImportJob used to import this
- # CryptoKeyVersion. Only present if the underlying key material was
- # imported.
- "externalProtectionLevelOptions": { # ExternalProtectionLevelOptions stores a group of additional fields for # ExternalProtectionLevelOptions stores a group of additional fields for
- # configuring a CryptoKeyVersion that are specific to the
- # EXTERNAL protection level.
- # configuring a CryptoKeyVersion that are specific to the
- # EXTERNAL protection level.
- "externalKeyUri": "A String", # The URI for an external resource that this CryptoKeyVersion represents.
- },
- "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
- # destroyed. Only present if state is
- # DESTROYED.
+ "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
+ # generated.
+ "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
+ # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
"importTime": "A String", # Output only. The time at which this CryptoKeyVersion's key material
# was imported.
- "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
- # for destruction. Only present if state is
- # DESTROY_SCHEDULED.
"importFailureReason": "A String", # Output only. The root cause of an import failure. Only present if
# state is
# IMPORT_FAILED.
"state": "A String", # The current state of the CryptoKeyVersion.
- "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
- # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
"attestation": { # Contains an HSM-generated attestation about a key operation. For more # Output only. Statement that was generated and signed by the HSM at key
# creation time. Use this statement to verify attributes of the key as stored
# on the HSM, independently of Google. Only provided for key versions with
@@ -215,13 +179,28 @@
"content": "A String", # Output only. The attestation data provided by the HSM when the key
# operation was performed.
},
- "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
- # generated.
+ "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
+ "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
+ # for destruction. Only present if state is
+ # DESTROY_SCHEDULED.
+ "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
+ # destroyed. Only present if state is
+ # DESTROYED.
"protectionLevel": "A String", # Output only. The ProtectionLevel describing how crypto operations are
# performed with this CryptoKeyVersion.
+ "externalProtectionLevelOptions": { # ExternalProtectionLevelOptions stores a group of additional fields for # ExternalProtectionLevelOptions stores a group of additional fields for
+ # configuring a CryptoKeyVersion that are specific to the
+ # EXTERNAL protection level.
+ # configuring a CryptoKeyVersion that are specific to the
+ # EXTERNAL protection level.
+ "externalKeyUri": "A String", # The URI for an external resource that this CryptoKeyVersion represents.
+ },
+ "importJob": "A String", # Output only. The name of the ImportJob used to import this
+ # CryptoKeyVersion. Only present if the underlying key material was
+ # imported.
+ "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this
+ # CryptoKeyVersion supports.
},
- "name": "A String", # Output only. The resource name for this CryptoKey in the format
- # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
"versionTemplate": { # A CryptoKeyVersionTemplate specifies the properties to use when creating # A template describing settings for new CryptoKeyVersion instances.
# The properties of new CryptoKeyVersion instances created by either
# CreateCryptoKeyVersion or
@@ -238,7 +217,28 @@
"protectionLevel": "A String", # ProtectionLevel to use when creating a CryptoKeyVersion based on
# this template. Immutable. Defaults to SOFTWARE.
},
- "purpose": "A String", # Immutable. The immutable purpose of this CryptoKey.
+ "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
+ # automatically rotates a key. Must be at least 24 hours and at most
+ # 876,000 hours.
+ #
+ # If rotation_period is set, next_rotation_time must also be set.
+ #
+ # Keys with purpose
+ # ENCRYPT_DECRYPT support
+ # automatic rotation. For other keys, this field must be omitted.
+ "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
+ #
+ # 1. Create a new version of this CryptoKey.
+ # 2. Mark the new version as primary.
+ #
+ # Key rotations performed manually via
+ # CreateCryptoKeyVersion and
+ # UpdateCryptoKeyPrimaryVersion
+ # do not affect next_rotation_time.
+ #
+ # Keys with purpose
+ # ENCRYPT_DECRYPT support
+ # automatic rotation. For other keys, this field must be omitted.
}
cryptoKeyId: string, Required. It must be unique within a KeyRing and match the regular
@@ -261,33 +261,14 @@
#
# A CryptoKey is made up of zero or more versions,
# which represent the actual key material used in cryptographic operations.
- "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
- #
- # 1. Create a new version of this CryptoKey.
- # 2. Mark the new version as primary.
- #
- # Key rotations performed manually via
- # CreateCryptoKeyVersion and
- # UpdateCryptoKeyPrimaryVersion
- # do not affect next_rotation_time.
- #
- # Keys with purpose
- # ENCRYPT_DECRYPT support
- # automatic rotation. For other keys, this field must be omitted.
"labels": { # Labels with user-defined metadata. For more information, see
- # [Labeling Keys](/kms/docs/labeling-keys).
+ # [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys).
"a_key": "A String",
},
+ "purpose": "A String", # Immutable. The immutable purpose of this CryptoKey.
"createTime": "A String", # Output only. The time at which this CryptoKey was created.
- "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
- # automatically rotates a key. Must be at least 24 hours and at most
- # 876,000 hours.
- #
- # If rotation_period is set, next_rotation_time must also be set.
- #
- # Keys with purpose
- # ENCRYPT_DECRYPT support
- # automatic rotation. For other keys, this field must be omitted.
+ "name": "A String", # Output only. The resource name for this CryptoKey in the format
+ # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
"primary": { # A CryptoKeyVersion represents an individual cryptographic key, and the # Output only. A copy of the "primary" CryptoKeyVersion that will be used
# by Encrypt when this CryptoKey is given
# in EncryptRequest.name.
@@ -307,33 +288,16 @@
# CryptoKeyVersion can never be viewed or exported. It can only be used to
# encrypt, decrypt, or sign data when an authorized user or application invokes
# Cloud KMS.
- "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
- "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this
- # CryptoKeyVersion supports.
- "importJob": "A String", # Output only. The name of the ImportJob used to import this
- # CryptoKeyVersion. Only present if the underlying key material was
- # imported.
- "externalProtectionLevelOptions": { # ExternalProtectionLevelOptions stores a group of additional fields for # ExternalProtectionLevelOptions stores a group of additional fields for
- # configuring a CryptoKeyVersion that are specific to the
- # EXTERNAL protection level.
- # configuring a CryptoKeyVersion that are specific to the
- # EXTERNAL protection level.
- "externalKeyUri": "A String", # The URI for an external resource that this CryptoKeyVersion represents.
- },
- "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
- # destroyed. Only present if state is
- # DESTROYED.
+ "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
+ # generated.
+ "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
+ # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
"importTime": "A String", # Output only. The time at which this CryptoKeyVersion's key material
# was imported.
- "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
- # for destruction. Only present if state is
- # DESTROY_SCHEDULED.
"importFailureReason": "A String", # Output only. The root cause of an import failure. Only present if
# state is
# IMPORT_FAILED.
"state": "A String", # The current state of the CryptoKeyVersion.
- "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
- # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
"attestation": { # Contains an HSM-generated attestation about a key operation. For more # Output only. Statement that was generated and signed by the HSM at key
# creation time. Use this statement to verify attributes of the key as stored
# on the HSM, independently of Google. Only provided for key versions with
@@ -344,13 +308,28 @@
"content": "A String", # Output only. The attestation data provided by the HSM when the key
# operation was performed.
},
- "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
- # generated.
+ "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
+ "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
+ # for destruction. Only present if state is
+ # DESTROY_SCHEDULED.
+ "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
+ # destroyed. Only present if state is
+ # DESTROYED.
"protectionLevel": "A String", # Output only. The ProtectionLevel describing how crypto operations are
# performed with this CryptoKeyVersion.
+ "externalProtectionLevelOptions": { # ExternalProtectionLevelOptions stores a group of additional fields for # ExternalProtectionLevelOptions stores a group of additional fields for
+ # configuring a CryptoKeyVersion that are specific to the
+ # EXTERNAL protection level.
+ # configuring a CryptoKeyVersion that are specific to the
+ # EXTERNAL protection level.
+ "externalKeyUri": "A String", # The URI for an external resource that this CryptoKeyVersion represents.
+ },
+ "importJob": "A String", # Output only. The name of the ImportJob used to import this
+ # CryptoKeyVersion. Only present if the underlying key material was
+ # imported.
+ "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this
+ # CryptoKeyVersion supports.
},
- "name": "A String", # Output only. The resource name for this CryptoKey in the format
- # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
"versionTemplate": { # A CryptoKeyVersionTemplate specifies the properties to use when creating # A template describing settings for new CryptoKeyVersion instances.
# The properties of new CryptoKeyVersion instances created by either
# CreateCryptoKeyVersion or
@@ -367,7 +346,28 @@
"protectionLevel": "A String", # ProtectionLevel to use when creating a CryptoKeyVersion based on
# this template. Immutable. Defaults to SOFTWARE.
},
- "purpose": "A String", # Immutable. The immutable purpose of this CryptoKey.
+ "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
+ # automatically rotates a key. Must be at least 24 hours and at most
+ # 876,000 hours.
+ #
+ # If rotation_period is set, next_rotation_time must also be set.
+ #
+ # Keys with purpose
+ # ENCRYPT_DECRYPT support
+ # automatic rotation. For other keys, this field must be omitted.
+ "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
+ #
+ # 1. Create a new version of this CryptoKey.
+ # 2. Mark the new version as primary.
+ #
+ # Key rotations performed manually via
+ # CreateCryptoKeyVersion and
+ # UpdateCryptoKeyPrimaryVersion
+ # do not affect next_rotation_time.
+ #
+ # Keys with purpose
+ # ENCRYPT_DECRYPT support
+ # automatic rotation. For other keys, this field must be omitted.
}</pre>
</div>
@@ -383,10 +383,41 @@
The object takes the form of:
{ # Request message for KeyManagementService.Decrypt.
- "ciphertext": "A String", # Required. The encrypted data originally returned in
- # EncryptResponse.ciphertext.
+ "ciphertextCrc32c": "A String", # Optional. An optional CRC32C checksum of the DecryptRequest.ciphertext. If
+ # specified, KeyManagementService will verify the integrity of the
+ # received DecryptRequest.ciphertext using this checksum.
+ # KeyManagementService will report an error if the checksum verification
+ # fails. If you receive a checksum error, your client should verify that
+ # CRC32C(DecryptRequest.ciphertext) is equal to
+ # DecryptRequest.ciphertext_crc32c, and if so, perform a limited number
+ # of retries. A persistent mismatch may indicate an issue in your computation
+ # of the CRC32C checksum.
+ # Note: This field is defined as int64 for reasons of compatibility across
+ # different languages. However, it is a non-negative integer, which will
+ # never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+ # that support this type.
+ #
+ # NOTE: This field is in Beta.
"additionalAuthenticatedData": "A String", # Optional. Optional data that must match the data originally supplied in
# EncryptRequest.additional_authenticated_data.
+ "ciphertext": "A String", # Required. The encrypted data originally returned in
+ # EncryptResponse.ciphertext.
+ "additionalAuthenticatedDataCrc32c": "A String", # Optional. An optional CRC32C checksum of the
+ # DecryptRequest.additional_authenticated_data. If specified,
+ # KeyManagementService will verify the integrity of the received
+ # DecryptRequest.additional_authenticated_data using this checksum.
+ # KeyManagementService will report an error if the checksum verification
+ # fails. If you receive a checksum error, your client should verify that
+ # CRC32C(DecryptRequest.additional_authenticated_data) is equal to
+ # DecryptRequest.additional_authenticated_data_crc32c, and if so, perform
+ # a limited number of retries. A persistent mismatch may indicate an issue in
+ # your computation of the CRC32C checksum.
+ # Note: This field is defined as int64 for reasons of compatibility across
+ # different languages. However, it is a non-negative integer, which will
+ # never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+ # that support this type.
+ #
+ # NOTE: This field is in Beta.
}
x__xgafv: string, V1 error format.
@@ -398,6 +429,21 @@
An object of the form:
{ # Response message for KeyManagementService.Decrypt.
+ "plaintextCrc32c": "A String", # Integrity verification field. A CRC32C checksum of the returned
+ # DecryptResponse.plaintext. An integrity check of
+ # DecryptResponse.plaintext can be performed by computing the CRC32C
+ # checksum of DecryptResponse.plaintext and comparing your results to
+ # this field. Discard the response in case of non-matching checksum values,
+ # and perform a limited number of retries. A persistent mismatch may indicate
+ # an issue in your computation of the CRC32C checksum. Note: receiving this
+ # response message indicates that KeyManagementService is able to
+ # successfully decrypt the ciphertext.
+ # Note: This field is defined as int64 for reasons of compatibility across
+ # different languages. However, it is a non-negative integer, which will
+ # never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+ # that support this type.
+ #
+ # NOTE: This field is in Beta.
"plaintext": "A String", # The decrypted data originally supplied in EncryptRequest.plaintext.
}</pre>
</div>
@@ -418,6 +464,21 @@
The object takes the form of:
{ # Request message for KeyManagementService.Encrypt.
+ "plaintextCrc32c": "A String", # Optional. An optional CRC32C checksum of the EncryptRequest.plaintext. If
+ # specified, KeyManagementService will verify the integrity of the
+ # received EncryptRequest.plaintext using this checksum.
+ # KeyManagementService will report an error if the checksum verification
+ # fails. If you receive a checksum error, your client should verify that
+ # CRC32C(EncryptRequest.plaintext) is equal to
+ # EncryptRequest.plaintext_crc32c, and if so, perform a limited number of
+ # retries. A persistent mismatch may indicate an issue in your computation of
+ # the CRC32C checksum.
+ # Note: This field is defined as int64 for reasons of compatibility across
+ # different languages. However, it is a non-negative integer, which will
+ # never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+ # that support this type.
+ #
+ # NOTE: This field is in Beta.
"plaintext": "A String", # Required. The data to encrypt. Must be no larger than 64KiB.
#
# The maximum size depends on the key version's
@@ -435,6 +496,22 @@
# 64KiB. For HSM keys, the combined length of the
# plaintext and additional_authenticated_data fields must be no larger than
# 8KiB.
+ "additionalAuthenticatedDataCrc32c": "A String", # Optional. An optional CRC32C checksum of the
+ # EncryptRequest.additional_authenticated_data. If specified,
+ # KeyManagementService will verify the integrity of the received
+ # EncryptRequest.additional_authenticated_data using this checksum.
+ # KeyManagementService will report an error if the checksum verification
+ # fails. If you receive a checksum error, your client should verify that
+ # CRC32C(EncryptRequest.additional_authenticated_data) is equal to
+ # EncryptRequest.additional_authenticated_data_crc32c, and if so, perform
+ # a limited number of retries. A persistent mismatch may indicate an issue in
+ # your computation of the CRC32C checksum.
+ # Note: This field is defined as int64 for reasons of compatibility across
+ # different languages. However, it is a non-negative integer, which will
+ # never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+ # that support this type.
+ #
+ # NOTE: This field is in Beta.
}
x__xgafv: string, V1 error format.
@@ -446,6 +523,40 @@
An object of the form:
{ # Response message for KeyManagementService.Encrypt.
+ "verifiedAdditionalAuthenticatedDataCrc32c": True or False, # Integrity verification field. A flag indicating whether
+ # EncryptRequest.additional_authenticated_data_crc32c was received by
+ # KeyManagementService and used for the integrity verification of the
+ # AAD. A false value of this
+ # field indicates either that
+ # EncryptRequest.additional_authenticated_data_crc32c was left unset or
+ # that it was not delivered to KeyManagementService. If you've set
+ # EncryptRequest.additional_authenticated_data_crc32c but this field is
+ # still false, discard the response and perform a limited number of retries.
+ #
+ # NOTE: This field is in Beta.
+ "ciphertextCrc32c": "A String", # Integrity verification field. A CRC32C checksum of the returned
+ # EncryptResponse.ciphertext. An integrity check of
+ # EncryptResponse.ciphertext can be performed by computing the CRC32C
+ # checksum of EncryptResponse.ciphertext and comparing your results to
+ # this field. Discard the response in case of non-matching checksum values,
+ # and perform a limited number of retries. A persistent mismatch may indicate
+ # an issue in your computation of the CRC32C checksum.
+ # Note: This field is defined as int64 for reasons of compatibility across
+ # different languages. However, it is a non-negative integer, which will
+ # never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+ # that support this type.
+ #
+ # NOTE: This field is in Beta.
+ "verifiedPlaintextCrc32c": True or False, # Integrity verification field. A flag indicating whether
+ # EncryptRequest.plaintext_crc32c was received by
+ # KeyManagementService and used for the integrity verification of the
+ # plaintext. A false value of this field
+ # indicates either that EncryptRequest.plaintext_crc32c was left unset or
+ # that it was not delivered to KeyManagementService. If you've set
+ # EncryptRequest.plaintext_crc32c but this field is still false, discard
+ # the response and perform a limited number of retries.
+ #
+ # NOTE: This field is in Beta.
"ciphertext": "A String", # The encrypted data.
"name": "A String", # The resource name of the CryptoKeyVersion used in encryption. Check
# this field to verify that the intended resource was used for encryption.
@@ -472,33 +583,14 @@
#
# A CryptoKey is made up of zero or more versions,
# which represent the actual key material used in cryptographic operations.
- "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
- #
- # 1. Create a new version of this CryptoKey.
- # 2. Mark the new version as primary.
- #
- # Key rotations performed manually via
- # CreateCryptoKeyVersion and
- # UpdateCryptoKeyPrimaryVersion
- # do not affect next_rotation_time.
- #
- # Keys with purpose
- # ENCRYPT_DECRYPT support
- # automatic rotation. For other keys, this field must be omitted.
"labels": { # Labels with user-defined metadata. For more information, see
- # [Labeling Keys](/kms/docs/labeling-keys).
+ # [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys).
"a_key": "A String",
},
+ "purpose": "A String", # Immutable. The immutable purpose of this CryptoKey.
"createTime": "A String", # Output only. The time at which this CryptoKey was created.
- "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
- # automatically rotates a key. Must be at least 24 hours and at most
- # 876,000 hours.
- #
- # If rotation_period is set, next_rotation_time must also be set.
- #
- # Keys with purpose
- # ENCRYPT_DECRYPT support
- # automatic rotation. For other keys, this field must be omitted.
+ "name": "A String", # Output only. The resource name for this CryptoKey in the format
+ # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
"primary": { # A CryptoKeyVersion represents an individual cryptographic key, and the # Output only. A copy of the "primary" CryptoKeyVersion that will be used
# by Encrypt when this CryptoKey is given
# in EncryptRequest.name.
@@ -518,33 +610,16 @@
# CryptoKeyVersion can never be viewed or exported. It can only be used to
# encrypt, decrypt, or sign data when an authorized user or application invokes
# Cloud KMS.
- "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
- "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this
- # CryptoKeyVersion supports.
- "importJob": "A String", # Output only. The name of the ImportJob used to import this
- # CryptoKeyVersion. Only present if the underlying key material was
- # imported.
- "externalProtectionLevelOptions": { # ExternalProtectionLevelOptions stores a group of additional fields for # ExternalProtectionLevelOptions stores a group of additional fields for
- # configuring a CryptoKeyVersion that are specific to the
- # EXTERNAL protection level.
- # configuring a CryptoKeyVersion that are specific to the
- # EXTERNAL protection level.
- "externalKeyUri": "A String", # The URI for an external resource that this CryptoKeyVersion represents.
- },
- "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
- # destroyed. Only present if state is
- # DESTROYED.
+ "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
+ # generated.
+ "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
+ # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
"importTime": "A String", # Output only. The time at which this CryptoKeyVersion's key material
# was imported.
- "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
- # for destruction. Only present if state is
- # DESTROY_SCHEDULED.
"importFailureReason": "A String", # Output only. The root cause of an import failure. Only present if
# state is
# IMPORT_FAILED.
"state": "A String", # The current state of the CryptoKeyVersion.
- "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
- # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
"attestation": { # Contains an HSM-generated attestation about a key operation. For more # Output only. Statement that was generated and signed by the HSM at key
# creation time. Use this statement to verify attributes of the key as stored
# on the HSM, independently of Google. Only provided for key versions with
@@ -555,13 +630,28 @@
"content": "A String", # Output only. The attestation data provided by the HSM when the key
# operation was performed.
},
- "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
- # generated.
+ "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
+ "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
+ # for destruction. Only present if state is
+ # DESTROY_SCHEDULED.
+ "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
+ # destroyed. Only present if state is
+ # DESTROYED.
"protectionLevel": "A String", # Output only. The ProtectionLevel describing how crypto operations are
# performed with this CryptoKeyVersion.
+ "externalProtectionLevelOptions": { # ExternalProtectionLevelOptions stores a group of additional fields for # ExternalProtectionLevelOptions stores a group of additional fields for
+ # configuring a CryptoKeyVersion that are specific to the
+ # EXTERNAL protection level.
+ # configuring a CryptoKeyVersion that are specific to the
+ # EXTERNAL protection level.
+ "externalKeyUri": "A String", # The URI for an external resource that this CryptoKeyVersion represents.
+ },
+ "importJob": "A String", # Output only. The name of the ImportJob used to import this
+ # CryptoKeyVersion. Only present if the underlying key material was
+ # imported.
+ "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this
+ # CryptoKeyVersion supports.
},
- "name": "A String", # Output only. The resource name for this CryptoKey in the format
- # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
"versionTemplate": { # A CryptoKeyVersionTemplate specifies the properties to use when creating # A template describing settings for new CryptoKeyVersion instances.
# The properties of new CryptoKeyVersion instances created by either
# CreateCryptoKeyVersion or
@@ -578,7 +668,28 @@
"protectionLevel": "A String", # ProtectionLevel to use when creating a CryptoKeyVersion based on
# this template. Immutable. Defaults to SOFTWARE.
},
- "purpose": "A String", # Immutable. The immutable purpose of this CryptoKey.
+ "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
+ # automatically rotates a key. Must be at least 24 hours and at most
+ # 876,000 hours.
+ #
+ # If rotation_period is set, next_rotation_time must also be set.
+ #
+ # Keys with purpose
+ # ENCRYPT_DECRYPT support
+ # automatic rotation. For other keys, this field must be omitted.
+ "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
+ #
+ # 1. Create a new version of this CryptoKey.
+ # 2. Mark the new version as primary.
+ #
+ # Key rotations performed manually via
+ # CreateCryptoKeyVersion and
+ # UpdateCryptoKeyPrimaryVersion
+ # do not affect next_rotation_time.
+ #
+ # Keys with purpose
+ # ENCRYPT_DECRYPT support
+ # automatic rotation. For other keys, this field must be omitted.
}</pre>
</div>
@@ -714,95 +825,12 @@
#
# To learn which resources support conditions in their IAM policies, see the
# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
- "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
- { # Specifies the audit configuration for a service.
- # The configuration determines which permission types are logged, and what
- # identities, if any, are exempted from logging.
- # An AuditConfig must have one or more AuditLogConfigs.
- #
- # If there are AuditConfigs for both `allServices` and a specific service,
- # the union of the two AuditConfigs is used for that service: the log_types
- # specified in each AuditConfig are enabled, and the exempted_members in each
- # AuditLogConfig are exempted.
- #
- # Example Policy with multiple AuditConfigs:
- #
- # {
- # "audit_configs": [
- # {
- # "service": "allServices"
- # "audit_log_configs": [
- # {
- # "log_type": "DATA_READ",
- # "exempted_members": [
- # "user:jose@example.com"
- # ]
- # },
- # {
- # "log_type": "DATA_WRITE",
- # },
- # {
- # "log_type": "ADMIN_READ",
- # }
- # ]
- # },
- # {
- # "service": "sampleservice.googleapis.com"
- # "audit_log_configs": [
- # {
- # "log_type": "DATA_READ",
- # },
- # {
- # "log_type": "DATA_WRITE",
- # "exempted_members": [
- # "user:aliya@example.com"
- # ]
- # }
- # ]
- # }
- # ]
- # }
- #
- # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
- # logging. It also exempts jose@example.com from DATA_READ logging, and
- # aliya@example.com from DATA_WRITE logging.
- "auditLogConfigs": [ # The configuration for logging of each type of permission.
- { # Provides the configuration for logging a type of permissions.
- # Example:
- #
- # {
- # "audit_log_configs": [
- # {
- # "log_type": "DATA_READ",
- # "exempted_members": [
- # "user:jose@example.com"
- # ]
- # },
- # {
- # "log_type": "DATA_WRITE",
- # }
- # ]
- # }
- #
- # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
- # jose@example.com from DATA_READ logging.
- "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
- # permission.
- # Follows the same format of Binding.members.
- "A String",
- ],
- "logType": "A String", # The log type that this config enables.
- },
- ],
- "service": "A String", # Specifies a service that will be enabled for audit logging.
- # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
- # `allServices` is a special value that covers all services.
- },
- ],
"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a
# `condition` that determines how and when the `bindings` are applied. Each
# of the `bindings` must contain at least one member.
{ # Associates `members` with a `role`.
+ "role": "A String", # Role that is assigned to `members`.
+ # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.
#
# If the condition evaluates to `true`, then this binding applies to the
@@ -845,15 +873,15 @@
# The exact variables and functions that may be referenced within an expression
# are determined by the service that evaluates it. See the service
# documentation for additional information.
+ "description": "A String", # Optional. Description of the expression. This is a longer text which
+ # describes the expression, e.g. when hovered over it in a UI.
"title": "A String", # Optional. Title for the expression, i.e. a short string describing
# its purpose. This can be used e.g. in UIs which allow to enter the
# expression.
- "location": "A String", # Optional. String indicating the location of the expression for error
- # reporting, e.g. a file name and a position in the file.
- "description": "A String", # Optional. Description of the expression. This is a longer text which
- # describes the expression, e.g. when hovered over it in a UI.
"expression": "A String", # Textual representation of an expression in Common Expression Language
# syntax.
+ "location": "A String", # Optional. String indicating the location of the expression for error
+ # reporting, e.g. a file name and a position in the file.
},
"members": [ # Specifies the identities requesting access for a Cloud Platform resource.
# `members` can have the following values:
@@ -900,15 +928,98 @@
#
"A String",
],
- "role": "A String", # Role that is assigned to `members`.
- # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
+ },
+ ],
+ "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
+ { # Specifies the audit configuration for a service.
+ # The configuration determines which permission types are logged, and what
+ # identities, if any, are exempted from logging.
+ # An AuditConfig must have one or more AuditLogConfigs.
+ #
+ # If there are AuditConfigs for both `allServices` and a specific service,
+ # the union of the two AuditConfigs is used for that service: the log_types
+ # specified in each AuditConfig are enabled, and the exempted_members in each
+ # AuditLogConfig are exempted.
+ #
+ # Example Policy with multiple AuditConfigs:
+ #
+ # {
+ # "audit_configs": [
+ # {
+ # "service": "allServices",
+ # "audit_log_configs": [
+ # {
+ # "log_type": "DATA_READ",
+ # "exempted_members": [
+ # "user:jose@example.com"
+ # ]
+ # },
+ # {
+ # "log_type": "DATA_WRITE"
+ # },
+ # {
+ # "log_type": "ADMIN_READ"
+ # }
+ # ]
+ # },
+ # {
+ # "service": "sampleservice.googleapis.com",
+ # "audit_log_configs": [
+ # {
+ # "log_type": "DATA_READ"
+ # },
+ # {
+ # "log_type": "DATA_WRITE",
+ # "exempted_members": [
+ # "user:aliya@example.com"
+ # ]
+ # }
+ # ]
+ # }
+ # ]
+ # }
+ #
+ # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
+ # logging. It also exempts jose@example.com from DATA_READ logging, and
+ # aliya@example.com from DATA_WRITE logging.
+ "auditLogConfigs": [ # The configuration for logging of each type of permission.
+ { # Provides the configuration for logging a type of permissions.
+ # Example:
+ #
+ # {
+ # "audit_log_configs": [
+ # {
+ # "log_type": "DATA_READ",
+ # "exempted_members": [
+ # "user:jose@example.com"
+ # ]
+ # },
+ # {
+ # "log_type": "DATA_WRITE"
+ # }
+ # ]
+ # }
+ #
+ # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
+ # jose@example.com from DATA_READ logging.
+ "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
+ # permission.
+ # Follows the same format of Binding.members.
+ "A String",
+ ],
+ "logType": "A String", # The log type that this config enables.
+ },
+ ],
+ "service": "A String", # Specifies a service that will be enabled for audit logging.
+ # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
+ # `allServices` is a special value that covers all services.
},
],
}</pre>
</div>
<div class="method">
- <code class="details" id="list">list(parent, orderBy=None, versionView=None, filter=None, pageToken=None, pageSize=None, x__xgafv=None)</code>
+ <code class="details" id="list">list(parent, orderBy=None, pageToken=None, pageSize=None, versionView=None, filter=None, x__xgafv=None)</code>
<pre>Lists CryptoKeys.
Args:
@@ -918,17 +1029,17 @@
results will be sorted in the default order. For more information, see
[Sorting and filtering list
results](https://cloud.google.com/kms/docs/sorting-and-filtering).
- versionView: string, The fields of the primary version to include in the response.
- filter: string, Optional. Only include resources that match the filter in the response. For
-more information, see
-[Sorting and filtering list
-results](https://cloud.google.com/kms/docs/sorting-and-filtering).
pageToken: string, Optional. Optional pagination token, returned earlier via
ListCryptoKeysResponse.next_page_token.
pageSize: integer, Optional. Optional limit on the number of CryptoKeys to include in the
response. Further CryptoKeys can subsequently be obtained by
including the ListCryptoKeysResponse.next_page_token in a subsequent
request. If unspecified, the server will pick an appropriate default.
+ versionView: string, The fields of the primary version to include in the response.
+ filter: string, Optional. Only include resources that match the filter in the response. For
+more information, see
+[Sorting and filtering list
+results](https://cloud.google.com/kms/docs/sorting-and-filtering).
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
@@ -940,39 +1051,21 @@
{ # Response message for KeyManagementService.ListCryptoKeys.
"nextPageToken": "A String", # A token to retrieve next page of results. Pass this value in
# ListCryptoKeysRequest.page_token to retrieve the next page of results.
+ "totalSize": 42, # The total number of CryptoKeys that matched the query.
"cryptoKeys": [ # The list of CryptoKeys.
{ # A CryptoKey represents a logical key that can be used for cryptographic
# operations.
#
# A CryptoKey is made up of zero or more versions,
# which represent the actual key material used in cryptographic operations.
- "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
- #
- # 1. Create a new version of this CryptoKey.
- # 2. Mark the new version as primary.
- #
- # Key rotations performed manually via
- # CreateCryptoKeyVersion and
- # UpdateCryptoKeyPrimaryVersion
- # do not affect next_rotation_time.
- #
- # Keys with purpose
- # ENCRYPT_DECRYPT support
- # automatic rotation. For other keys, this field must be omitted.
"labels": { # Labels with user-defined metadata. For more information, see
- # [Labeling Keys](/kms/docs/labeling-keys).
+ # [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys).
"a_key": "A String",
},
+ "purpose": "A String", # Immutable. The immutable purpose of this CryptoKey.
"createTime": "A String", # Output only. The time at which this CryptoKey was created.
- "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
- # automatically rotates a key. Must be at least 24 hours and at most
- # 876,000 hours.
- #
- # If rotation_period is set, next_rotation_time must also be set.
- #
- # Keys with purpose
- # ENCRYPT_DECRYPT support
- # automatic rotation. For other keys, this field must be omitted.
+ "name": "A String", # Output only. The resource name for this CryptoKey in the format
+ # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
"primary": { # A CryptoKeyVersion represents an individual cryptographic key, and the # Output only. A copy of the "primary" CryptoKeyVersion that will be used
# by Encrypt when this CryptoKey is given
# in EncryptRequest.name.
@@ -992,33 +1085,16 @@
# CryptoKeyVersion can never be viewed or exported. It can only be used to
# encrypt, decrypt, or sign data when an authorized user or application invokes
# Cloud KMS.
- "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
- "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this
- # CryptoKeyVersion supports.
- "importJob": "A String", # Output only. The name of the ImportJob used to import this
- # CryptoKeyVersion. Only present if the underlying key material was
- # imported.
- "externalProtectionLevelOptions": { # ExternalProtectionLevelOptions stores a group of additional fields for # ExternalProtectionLevelOptions stores a group of additional fields for
- # configuring a CryptoKeyVersion that are specific to the
- # EXTERNAL protection level.
- # configuring a CryptoKeyVersion that are specific to the
- # EXTERNAL protection level.
- "externalKeyUri": "A String", # The URI for an external resource that this CryptoKeyVersion represents.
- },
- "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
- # destroyed. Only present if state is
- # DESTROYED.
+ "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
+ # generated.
+ "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
+ # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
"importTime": "A String", # Output only. The time at which this CryptoKeyVersion's key material
# was imported.
- "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
- # for destruction. Only present if state is
- # DESTROY_SCHEDULED.
"importFailureReason": "A String", # Output only. The root cause of an import failure. Only present if
# state is
# IMPORT_FAILED.
"state": "A String", # The current state of the CryptoKeyVersion.
- "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
- # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
"attestation": { # Contains an HSM-generated attestation about a key operation. For more # Output only. Statement that was generated and signed by the HSM at key
# creation time. Use this statement to verify attributes of the key as stored
# on the HSM, independently of Google. Only provided for key versions with
@@ -1029,13 +1105,28 @@
"content": "A String", # Output only. The attestation data provided by the HSM when the key
# operation was performed.
},
- "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
- # generated.
+ "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
+ "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
+ # for destruction. Only present if state is
+ # DESTROY_SCHEDULED.
+ "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
+ # destroyed. Only present if state is
+ # DESTROYED.
"protectionLevel": "A String", # Output only. The ProtectionLevel describing how crypto operations are
# performed with this CryptoKeyVersion.
+ "externalProtectionLevelOptions": { # ExternalProtectionLevelOptions stores a group of additional fields for # ExternalProtectionLevelOptions stores a group of additional fields for
+ # configuring a CryptoKeyVersion that are specific to the
+ # EXTERNAL protection level.
+ # configuring a CryptoKeyVersion that are specific to the
+ # EXTERNAL protection level.
+ "externalKeyUri": "A String", # The URI for an external resource that this CryptoKeyVersion represents.
+ },
+ "importJob": "A String", # Output only. The name of the ImportJob used to import this
+ # CryptoKeyVersion. Only present if the underlying key material was
+ # imported.
+ "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this
+ # CryptoKeyVersion supports.
},
- "name": "A String", # Output only. The resource name for this CryptoKey in the format
- # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
"versionTemplate": { # A CryptoKeyVersionTemplate specifies the properties to use when creating # A template describing settings for new CryptoKeyVersion instances.
# The properties of new CryptoKeyVersion instances created by either
# CreateCryptoKeyVersion or
@@ -1052,10 +1143,30 @@
"protectionLevel": "A String", # ProtectionLevel to use when creating a CryptoKeyVersion based on
# this template. Immutable. Defaults to SOFTWARE.
},
- "purpose": "A String", # Immutable. The immutable purpose of this CryptoKey.
+ "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
+ # automatically rotates a key. Must be at least 24 hours and at most
+ # 876,000 hours.
+ #
+ # If rotation_period is set, next_rotation_time must also be set.
+ #
+ # Keys with purpose
+ # ENCRYPT_DECRYPT support
+ # automatic rotation. For other keys, this field must be omitted.
+ "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
+ #
+ # 1. Create a new version of this CryptoKey.
+ # 2. Mark the new version as primary.
+ #
+ # Key rotations performed manually via
+ # CreateCryptoKeyVersion and
+ # UpdateCryptoKeyPrimaryVersion
+ # do not affect next_rotation_time.
+ #
+ # Keys with purpose
+ # ENCRYPT_DECRYPT support
+ # automatic rotation. For other keys, this field must be omitted.
},
],
- "totalSize": 42, # The total number of CryptoKeys that matched the query.
}</pre>
</div>
@@ -1088,33 +1199,14 @@
#
# A CryptoKey is made up of zero or more versions,
# which represent the actual key material used in cryptographic operations.
- "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
- #
- # 1. Create a new version of this CryptoKey.
- # 2. Mark the new version as primary.
- #
- # Key rotations performed manually via
- # CreateCryptoKeyVersion and
- # UpdateCryptoKeyPrimaryVersion
- # do not affect next_rotation_time.
- #
- # Keys with purpose
- # ENCRYPT_DECRYPT support
- # automatic rotation. For other keys, this field must be omitted.
"labels": { # Labels with user-defined metadata. For more information, see
- # [Labeling Keys](/kms/docs/labeling-keys).
+ # [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys).
"a_key": "A String",
},
+ "purpose": "A String", # Immutable. The immutable purpose of this CryptoKey.
"createTime": "A String", # Output only. The time at which this CryptoKey was created.
- "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
- # automatically rotates a key. Must be at least 24 hours and at most
- # 876,000 hours.
- #
- # If rotation_period is set, next_rotation_time must also be set.
- #
- # Keys with purpose
- # ENCRYPT_DECRYPT support
- # automatic rotation. For other keys, this field must be omitted.
+ "name": "A String", # Output only. The resource name for this CryptoKey in the format
+ # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
"primary": { # A CryptoKeyVersion represents an individual cryptographic key, and the # Output only. A copy of the "primary" CryptoKeyVersion that will be used
# by Encrypt when this CryptoKey is given
# in EncryptRequest.name.
@@ -1134,33 +1226,16 @@
# CryptoKeyVersion can never be viewed or exported. It can only be used to
# encrypt, decrypt, or sign data when an authorized user or application invokes
# Cloud KMS.
- "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
- "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this
- # CryptoKeyVersion supports.
- "importJob": "A String", # Output only. The name of the ImportJob used to import this
- # CryptoKeyVersion. Only present if the underlying key material was
- # imported.
- "externalProtectionLevelOptions": { # ExternalProtectionLevelOptions stores a group of additional fields for # ExternalProtectionLevelOptions stores a group of additional fields for
- # configuring a CryptoKeyVersion that are specific to the
- # EXTERNAL protection level.
- # configuring a CryptoKeyVersion that are specific to the
- # EXTERNAL protection level.
- "externalKeyUri": "A String", # The URI for an external resource that this CryptoKeyVersion represents.
- },
- "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
- # destroyed. Only present if state is
- # DESTROYED.
+ "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
+ # generated.
+ "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
+ # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
"importTime": "A String", # Output only. The time at which this CryptoKeyVersion's key material
# was imported.
- "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
- # for destruction. Only present if state is
- # DESTROY_SCHEDULED.
"importFailureReason": "A String", # Output only. The root cause of an import failure. Only present if
# state is
# IMPORT_FAILED.
"state": "A String", # The current state of the CryptoKeyVersion.
- "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
- # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
"attestation": { # Contains an HSM-generated attestation about a key operation. For more # Output only. Statement that was generated and signed by the HSM at key
# creation time. Use this statement to verify attributes of the key as stored
# on the HSM, independently of Google. Only provided for key versions with
@@ -1171,13 +1246,28 @@
"content": "A String", # Output only. The attestation data provided by the HSM when the key
# operation was performed.
},
- "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
- # generated.
+ "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
+ "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
+ # for destruction. Only present if state is
+ # DESTROY_SCHEDULED.
+ "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
+ # destroyed. Only present if state is
+ # DESTROYED.
"protectionLevel": "A String", # Output only. The ProtectionLevel describing how crypto operations are
# performed with this CryptoKeyVersion.
+ "externalProtectionLevelOptions": { # ExternalProtectionLevelOptions stores a group of additional fields for # ExternalProtectionLevelOptions stores a group of additional fields for
+ # configuring a CryptoKeyVersion that are specific to the
+ # EXTERNAL protection level.
+ # configuring a CryptoKeyVersion that are specific to the
+ # EXTERNAL protection level.
+ "externalKeyUri": "A String", # The URI for an external resource that this CryptoKeyVersion represents.
+ },
+ "importJob": "A String", # Output only. The name of the ImportJob used to import this
+ # CryptoKeyVersion. Only present if the underlying key material was
+ # imported.
+ "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this
+ # CryptoKeyVersion supports.
},
- "name": "A String", # Output only. The resource name for this CryptoKey in the format
- # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
"versionTemplate": { # A CryptoKeyVersionTemplate specifies the properties to use when creating # A template describing settings for new CryptoKeyVersion instances.
# The properties of new CryptoKeyVersion instances created by either
# CreateCryptoKeyVersion or
@@ -1194,7 +1284,28 @@
"protectionLevel": "A String", # ProtectionLevel to use when creating a CryptoKeyVersion based on
# this template. Immutable. Defaults to SOFTWARE.
},
- "purpose": "A String", # Immutable. The immutable purpose of this CryptoKey.
+ "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
+ # automatically rotates a key. Must be at least 24 hours and at most
+ # 876,000 hours.
+ #
+ # If rotation_period is set, next_rotation_time must also be set.
+ #
+ # Keys with purpose
+ # ENCRYPT_DECRYPT support
+ # automatic rotation. For other keys, this field must be omitted.
+ "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
+ #
+ # 1. Create a new version of this CryptoKey.
+ # 2. Mark the new version as primary.
+ #
+ # Key rotations performed manually via
+ # CreateCryptoKeyVersion and
+ # UpdateCryptoKeyPrimaryVersion
+ # do not affect next_rotation_time.
+ #
+ # Keys with purpose
+ # ENCRYPT_DECRYPT support
+ # automatic rotation. For other keys, this field must be omitted.
}
updateMask: string, Required. List of fields to be updated in this request.
@@ -1211,33 +1322,14 @@
#
# A CryptoKey is made up of zero or more versions,
# which represent the actual key material used in cryptographic operations.
- "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
- #
- # 1. Create a new version of this CryptoKey.
- # 2. Mark the new version as primary.
- #
- # Key rotations performed manually via
- # CreateCryptoKeyVersion and
- # UpdateCryptoKeyPrimaryVersion
- # do not affect next_rotation_time.
- #
- # Keys with purpose
- # ENCRYPT_DECRYPT support
- # automatic rotation. For other keys, this field must be omitted.
"labels": { # Labels with user-defined metadata. For more information, see
- # [Labeling Keys](/kms/docs/labeling-keys).
+ # [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys).
"a_key": "A String",
},
+ "purpose": "A String", # Immutable. The immutable purpose of this CryptoKey.
"createTime": "A String", # Output only. The time at which this CryptoKey was created.
- "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
- # automatically rotates a key. Must be at least 24 hours and at most
- # 876,000 hours.
- #
- # If rotation_period is set, next_rotation_time must also be set.
- #
- # Keys with purpose
- # ENCRYPT_DECRYPT support
- # automatic rotation. For other keys, this field must be omitted.
+ "name": "A String", # Output only. The resource name for this CryptoKey in the format
+ # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
"primary": { # A CryptoKeyVersion represents an individual cryptographic key, and the # Output only. A copy of the "primary" CryptoKeyVersion that will be used
# by Encrypt when this CryptoKey is given
# in EncryptRequest.name.
@@ -1257,33 +1349,16 @@
# CryptoKeyVersion can never be viewed or exported. It can only be used to
# encrypt, decrypt, or sign data when an authorized user or application invokes
# Cloud KMS.
- "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
- "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this
- # CryptoKeyVersion supports.
- "importJob": "A String", # Output only. The name of the ImportJob used to import this
- # CryptoKeyVersion. Only present if the underlying key material was
- # imported.
- "externalProtectionLevelOptions": { # ExternalProtectionLevelOptions stores a group of additional fields for # ExternalProtectionLevelOptions stores a group of additional fields for
- # configuring a CryptoKeyVersion that are specific to the
- # EXTERNAL protection level.
- # configuring a CryptoKeyVersion that are specific to the
- # EXTERNAL protection level.
- "externalKeyUri": "A String", # The URI for an external resource that this CryptoKeyVersion represents.
- },
- "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
- # destroyed. Only present if state is
- # DESTROYED.
+ "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
+ # generated.
+ "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
+ # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
"importTime": "A String", # Output only. The time at which this CryptoKeyVersion's key material
# was imported.
- "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
- # for destruction. Only present if state is
- # DESTROY_SCHEDULED.
"importFailureReason": "A String", # Output only. The root cause of an import failure. Only present if
# state is
# IMPORT_FAILED.
"state": "A String", # The current state of the CryptoKeyVersion.
- "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
- # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
"attestation": { # Contains an HSM-generated attestation about a key operation. For more # Output only. Statement that was generated and signed by the HSM at key
# creation time. Use this statement to verify attributes of the key as stored
# on the HSM, independently of Google. Only provided for key versions with
@@ -1294,13 +1369,28 @@
"content": "A String", # Output only. The attestation data provided by the HSM when the key
# operation was performed.
},
- "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
- # generated.
+ "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
+ "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
+ # for destruction. Only present if state is
+ # DESTROY_SCHEDULED.
+ "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
+ # destroyed. Only present if state is
+ # DESTROYED.
"protectionLevel": "A String", # Output only. The ProtectionLevel describing how crypto operations are
# performed with this CryptoKeyVersion.
+ "externalProtectionLevelOptions": { # ExternalProtectionLevelOptions stores a group of additional fields for # ExternalProtectionLevelOptions stores a group of additional fields for
+ # configuring a CryptoKeyVersion that are specific to the
+ # EXTERNAL protection level.
+ # configuring a CryptoKeyVersion that are specific to the
+ # EXTERNAL protection level.
+ "externalKeyUri": "A String", # The URI for an external resource that this CryptoKeyVersion represents.
+ },
+ "importJob": "A String", # Output only. The name of the ImportJob used to import this
+ # CryptoKeyVersion. Only present if the underlying key material was
+ # imported.
+ "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this
+ # CryptoKeyVersion supports.
},
- "name": "A String", # Output only. The resource name for this CryptoKey in the format
- # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
"versionTemplate": { # A CryptoKeyVersionTemplate specifies the properties to use when creating # A template describing settings for new CryptoKeyVersion instances.
# The properties of new CryptoKeyVersion instances created by either
# CreateCryptoKeyVersion or
@@ -1317,7 +1407,28 @@
"protectionLevel": "A String", # ProtectionLevel to use when creating a CryptoKeyVersion based on
# this template. Immutable. Defaults to SOFTWARE.
},
- "purpose": "A String", # Immutable. The immutable purpose of this CryptoKey.
+ "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
+ # automatically rotates a key. Must be at least 24 hours and at most
+ # 876,000 hours.
+ #
+ # If rotation_period is set, next_rotation_time must also be set.
+ #
+ # Keys with purpose
+ # ENCRYPT_DECRYPT support
+ # automatic rotation. For other keys, this field must be omitted.
+ "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
+ #
+ # 1. Create a new version of this CryptoKey.
+ # 2. Mark the new version as primary.
+ #
+ # Key rotations performed manually via
+ # CreateCryptoKeyVersion and
+ # UpdateCryptoKeyPrimaryVersion
+ # do not affect next_rotation_time.
+ #
+ # Keys with purpose
+ # ENCRYPT_DECRYPT support
+ # automatic rotation. For other keys, this field must be omitted.
}</pre>
</div>
@@ -1335,6 +1446,11 @@
The object takes the form of:
{ # Request message for `SetIamPolicy` method.
+ "updateMask": "A String", # OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
+ # the fields in the mask will be modified. If no mask is provided, the
+ # following default mask is used:
+ #
+ # `paths: "bindings, etag"`
"policy": { # An Identity and Access Management (IAM) policy, which specifies access # REQUIRED: The complete policy to be applied to the `resource`. The size of
# the policy is limited to a few 10s of KB. An empty policy is a
# valid policy but certain Cloud Platform services (such as Projects)
@@ -1441,95 +1557,12 @@
#
# To learn which resources support conditions in their IAM policies, see the
# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
- "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
- { # Specifies the audit configuration for a service.
- # The configuration determines which permission types are logged, and what
- # identities, if any, are exempted from logging.
- # An AuditConfig must have one or more AuditLogConfigs.
- #
- # If there are AuditConfigs for both `allServices` and a specific service,
- # the union of the two AuditConfigs is used for that service: the log_types
- # specified in each AuditConfig are enabled, and the exempted_members in each
- # AuditLogConfig are exempted.
- #
- # Example Policy with multiple AuditConfigs:
- #
- # {
- # "audit_configs": [
- # {
- # "service": "allServices"
- # "audit_log_configs": [
- # {
- # "log_type": "DATA_READ",
- # "exempted_members": [
- # "user:jose@example.com"
- # ]
- # },
- # {
- # "log_type": "DATA_WRITE",
- # },
- # {
- # "log_type": "ADMIN_READ",
- # }
- # ]
- # },
- # {
- # "service": "sampleservice.googleapis.com"
- # "audit_log_configs": [
- # {
- # "log_type": "DATA_READ",
- # },
- # {
- # "log_type": "DATA_WRITE",
- # "exempted_members": [
- # "user:aliya@example.com"
- # ]
- # }
- # ]
- # }
- # ]
- # }
- #
- # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
- # logging. It also exempts jose@example.com from DATA_READ logging, and
- # aliya@example.com from DATA_WRITE logging.
- "auditLogConfigs": [ # The configuration for logging of each type of permission.
- { # Provides the configuration for logging a type of permissions.
- # Example:
- #
- # {
- # "audit_log_configs": [
- # {
- # "log_type": "DATA_READ",
- # "exempted_members": [
- # "user:jose@example.com"
- # ]
- # },
- # {
- # "log_type": "DATA_WRITE",
- # }
- # ]
- # }
- #
- # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
- # jose@example.com from DATA_READ logging.
- "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
- # permission.
- # Follows the same format of Binding.members.
- "A String",
- ],
- "logType": "A String", # The log type that this config enables.
- },
- ],
- "service": "A String", # Specifies a service that will be enabled for audit logging.
- # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
- # `allServices` is a special value that covers all services.
- },
- ],
"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a
# `condition` that determines how and when the `bindings` are applied. Each
# of the `bindings` must contain at least one member.
{ # Associates `members` with a `role`.
+ "role": "A String", # Role that is assigned to `members`.
+ # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.
#
# If the condition evaluates to `true`, then this binding applies to the
@@ -1572,15 +1605,15 @@
# The exact variables and functions that may be referenced within an expression
# are determined by the service that evaluates it. See the service
# documentation for additional information.
+ "description": "A String", # Optional. Description of the expression. This is a longer text which
+ # describes the expression, e.g. when hovered over it in a UI.
"title": "A String", # Optional. Title for the expression, i.e. a short string describing
# its purpose. This can be used e.g. in UIs which allow to enter the
# expression.
- "location": "A String", # Optional. String indicating the location of the expression for error
- # reporting, e.g. a file name and a position in the file.
- "description": "A String", # Optional. Description of the expression. This is a longer text which
- # describes the expression, e.g. when hovered over it in a UI.
"expression": "A String", # Textual representation of an expression in Common Expression Language
# syntax.
+ "location": "A String", # Optional. String indicating the location of the expression for error
+ # reporting, e.g. a file name and a position in the file.
},
"members": [ # Specifies the identities requesting access for a Cloud Platform resource.
# `members` can have the following values:
@@ -1627,16 +1660,94 @@
#
"A String",
],
- "role": "A String", # Role that is assigned to `members`.
- # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
+ },
+ ],
+ "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
+ { # Specifies the audit configuration for a service.
+ # The configuration determines which permission types are logged, and what
+ # identities, if any, are exempted from logging.
+ # An AuditConfig must have one or more AuditLogConfigs.
+ #
+ # If there are AuditConfigs for both `allServices` and a specific service,
+ # the union of the two AuditConfigs is used for that service: the log_types
+ # specified in each AuditConfig are enabled, and the exempted_members in each
+ # AuditLogConfig are exempted.
+ #
+ # Example Policy with multiple AuditConfigs:
+ #
+ # {
+ # "audit_configs": [
+ # {
+ # "service": "allServices",
+ # "audit_log_configs": [
+ # {
+ # "log_type": "DATA_READ",
+ # "exempted_members": [
+ # "user:jose@example.com"
+ # ]
+ # },
+ # {
+ # "log_type": "DATA_WRITE"
+ # },
+ # {
+ # "log_type": "ADMIN_READ"
+ # }
+ # ]
+ # },
+ # {
+ # "service": "sampleservice.googleapis.com",
+ # "audit_log_configs": [
+ # {
+ # "log_type": "DATA_READ"
+ # },
+ # {
+ # "log_type": "DATA_WRITE",
+ # "exempted_members": [
+ # "user:aliya@example.com"
+ # ]
+ # }
+ # ]
+ # }
+ # ]
+ # }
+ #
+ # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
+ # logging. It also exempts jose@example.com from DATA_READ logging, and
+ # aliya@example.com from DATA_WRITE logging.
+ "auditLogConfigs": [ # The configuration for logging of each type of permission.
+ { # Provides the configuration for logging a type of permissions.
+ # Example:
+ #
+ # {
+ # "audit_log_configs": [
+ # {
+ # "log_type": "DATA_READ",
+ # "exempted_members": [
+ # "user:jose@example.com"
+ # ]
+ # },
+ # {
+ # "log_type": "DATA_WRITE"
+ # }
+ # ]
+ # }
+ #
+ # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
+ # jose@example.com from DATA_READ logging.
+ "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
+ # permission.
+ # Follows the same format of Binding.members.
+ "A String",
+ ],
+ "logType": "A String", # The log type that this config enables.
+ },
+ ],
+ "service": "A String", # Specifies a service that will be enabled for audit logging.
+ # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
+ # `allServices` is a special value that covers all services.
},
],
},
- "updateMask": "A String", # OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
- # the fields in the mask will be modified. If no mask is provided, the
- # following default mask is used:
- #
- # `paths: "bindings, etag"`
}
x__xgafv: string, V1 error format.
@@ -1750,95 +1861,12 @@
#
# To learn which resources support conditions in their IAM policies, see the
# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
- "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
- { # Specifies the audit configuration for a service.
- # The configuration determines which permission types are logged, and what
- # identities, if any, are exempted from logging.
- # An AuditConfig must have one or more AuditLogConfigs.
- #
- # If there are AuditConfigs for both `allServices` and a specific service,
- # the union of the two AuditConfigs is used for that service: the log_types
- # specified in each AuditConfig are enabled, and the exempted_members in each
- # AuditLogConfig are exempted.
- #
- # Example Policy with multiple AuditConfigs:
- #
- # {
- # "audit_configs": [
- # {
- # "service": "allServices"
- # "audit_log_configs": [
- # {
- # "log_type": "DATA_READ",
- # "exempted_members": [
- # "user:jose@example.com"
- # ]
- # },
- # {
- # "log_type": "DATA_WRITE",
- # },
- # {
- # "log_type": "ADMIN_READ",
- # }
- # ]
- # },
- # {
- # "service": "sampleservice.googleapis.com"
- # "audit_log_configs": [
- # {
- # "log_type": "DATA_READ",
- # },
- # {
- # "log_type": "DATA_WRITE",
- # "exempted_members": [
- # "user:aliya@example.com"
- # ]
- # }
- # ]
- # }
- # ]
- # }
- #
- # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
- # logging. It also exempts jose@example.com from DATA_READ logging, and
- # aliya@example.com from DATA_WRITE logging.
- "auditLogConfigs": [ # The configuration for logging of each type of permission.
- { # Provides the configuration for logging a type of permissions.
- # Example:
- #
- # {
- # "audit_log_configs": [
- # {
- # "log_type": "DATA_READ",
- # "exempted_members": [
- # "user:jose@example.com"
- # ]
- # },
- # {
- # "log_type": "DATA_WRITE",
- # }
- # ]
- # }
- #
- # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
- # jose@example.com from DATA_READ logging.
- "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
- # permission.
- # Follows the same format of Binding.members.
- "A String",
- ],
- "logType": "A String", # The log type that this config enables.
- },
- ],
- "service": "A String", # Specifies a service that will be enabled for audit logging.
- # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
- # `allServices` is a special value that covers all services.
- },
- ],
"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a
# `condition` that determines how and when the `bindings` are applied. Each
# of the `bindings` must contain at least one member.
{ # Associates `members` with a `role`.
+ "role": "A String", # Role that is assigned to `members`.
+ # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.
#
# If the condition evaluates to `true`, then this binding applies to the
@@ -1881,15 +1909,15 @@
# The exact variables and functions that may be referenced within an expression
# are determined by the service that evaluates it. See the service
# documentation for additional information.
+ "description": "A String", # Optional. Description of the expression. This is a longer text which
+ # describes the expression, e.g. when hovered over it in a UI.
"title": "A String", # Optional. Title for the expression, i.e. a short string describing
# its purpose. This can be used e.g. in UIs which allow to enter the
# expression.
- "location": "A String", # Optional. String indicating the location of the expression for error
- # reporting, e.g. a file name and a position in the file.
- "description": "A String", # Optional. Description of the expression. This is a longer text which
- # describes the expression, e.g. when hovered over it in a UI.
"expression": "A String", # Textual representation of an expression in Common Expression Language
# syntax.
+ "location": "A String", # Optional. String indicating the location of the expression for error
+ # reporting, e.g. a file name and a position in the file.
},
"members": [ # Specifies the identities requesting access for a Cloud Platform resource.
# `members` can have the following values:
@@ -1936,8 +1964,91 @@
#
"A String",
],
- "role": "A String", # Role that is assigned to `members`.
- # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
+ },
+ ],
+ "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
+ { # Specifies the audit configuration for a service.
+ # The configuration determines which permission types are logged, and what
+ # identities, if any, are exempted from logging.
+ # An AuditConfig must have one or more AuditLogConfigs.
+ #
+ # If there are AuditConfigs for both `allServices` and a specific service,
+ # the union of the two AuditConfigs is used for that service: the log_types
+ # specified in each AuditConfig are enabled, and the exempted_members in each
+ # AuditLogConfig are exempted.
+ #
+ # Example Policy with multiple AuditConfigs:
+ #
+ # {
+ # "audit_configs": [
+ # {
+ # "service": "allServices",
+ # "audit_log_configs": [
+ # {
+ # "log_type": "DATA_READ",
+ # "exempted_members": [
+ # "user:jose@example.com"
+ # ]
+ # },
+ # {
+ # "log_type": "DATA_WRITE"
+ # },
+ # {
+ # "log_type": "ADMIN_READ"
+ # }
+ # ]
+ # },
+ # {
+ # "service": "sampleservice.googleapis.com",
+ # "audit_log_configs": [
+ # {
+ # "log_type": "DATA_READ"
+ # },
+ # {
+ # "log_type": "DATA_WRITE",
+ # "exempted_members": [
+ # "user:aliya@example.com"
+ # ]
+ # }
+ # ]
+ # }
+ # ]
+ # }
+ #
+ # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
+ # logging. It also exempts jose@example.com from DATA_READ logging, and
+ # aliya@example.com from DATA_WRITE logging.
+ "auditLogConfigs": [ # The configuration for logging of each type of permission.
+ { # Provides the configuration for logging a type of permissions.
+ # Example:
+ #
+ # {
+ # "audit_log_configs": [
+ # {
+ # "log_type": "DATA_READ",
+ # "exempted_members": [
+ # "user:jose@example.com"
+ # ]
+ # },
+ # {
+ # "log_type": "DATA_WRITE"
+ # }
+ # ]
+ # }
+ #
+ # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
+ # jose@example.com from DATA_READ logging.
+ "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
+ # permission.
+ # Follows the same format of Binding.members.
+ "A String",
+ ],
+ "logType": "A String", # The log type that this config enables.
+ },
+ ],
+ "service": "A String", # Specifies a service that will be enabled for audit logging.
+ # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
+ # `allServices` is a special value that covers all services.
},
],
}</pre>
@@ -2012,33 +2123,14 @@
#
# A CryptoKey is made up of zero or more versions,
# which represent the actual key material used in cryptographic operations.
- "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
- #
- # 1. Create a new version of this CryptoKey.
- # 2. Mark the new version as primary.
- #
- # Key rotations performed manually via
- # CreateCryptoKeyVersion and
- # UpdateCryptoKeyPrimaryVersion
- # do not affect next_rotation_time.
- #
- # Keys with purpose
- # ENCRYPT_DECRYPT support
- # automatic rotation. For other keys, this field must be omitted.
"labels": { # Labels with user-defined metadata. For more information, see
- # [Labeling Keys](/kms/docs/labeling-keys).
+ # [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys).
"a_key": "A String",
},
+ "purpose": "A String", # Immutable. The immutable purpose of this CryptoKey.
"createTime": "A String", # Output only. The time at which this CryptoKey was created.
- "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
- # automatically rotates a key. Must be at least 24 hours and at most
- # 876,000 hours.
- #
- # If rotation_period is set, next_rotation_time must also be set.
- #
- # Keys with purpose
- # ENCRYPT_DECRYPT support
- # automatic rotation. For other keys, this field must be omitted.
+ "name": "A String", # Output only. The resource name for this CryptoKey in the format
+ # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
"primary": { # A CryptoKeyVersion represents an individual cryptographic key, and the # Output only. A copy of the "primary" CryptoKeyVersion that will be used
# by Encrypt when this CryptoKey is given
# in EncryptRequest.name.
@@ -2058,33 +2150,16 @@
# CryptoKeyVersion can never be viewed or exported. It can only be used to
# encrypt, decrypt, or sign data when an authorized user or application invokes
# Cloud KMS.
- "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
- "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this
- # CryptoKeyVersion supports.
- "importJob": "A String", # Output only. The name of the ImportJob used to import this
- # CryptoKeyVersion. Only present if the underlying key material was
- # imported.
- "externalProtectionLevelOptions": { # ExternalProtectionLevelOptions stores a group of additional fields for # ExternalProtectionLevelOptions stores a group of additional fields for
- # configuring a CryptoKeyVersion that are specific to the
- # EXTERNAL protection level.
- # configuring a CryptoKeyVersion that are specific to the
- # EXTERNAL protection level.
- "externalKeyUri": "A String", # The URI for an external resource that this CryptoKeyVersion represents.
- },
- "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
- # destroyed. Only present if state is
- # DESTROYED.
+ "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
+ # generated.
+ "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
+ # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
"importTime": "A String", # Output only. The time at which this CryptoKeyVersion's key material
# was imported.
- "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
- # for destruction. Only present if state is
- # DESTROY_SCHEDULED.
"importFailureReason": "A String", # Output only. The root cause of an import failure. Only present if
# state is
# IMPORT_FAILED.
"state": "A String", # The current state of the CryptoKeyVersion.
- "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
- # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
"attestation": { # Contains an HSM-generated attestation about a key operation. For more # Output only. Statement that was generated and signed by the HSM at key
# creation time. Use this statement to verify attributes of the key as stored
# on the HSM, independently of Google. Only provided for key versions with
@@ -2095,13 +2170,28 @@
"content": "A String", # Output only. The attestation data provided by the HSM when the key
# operation was performed.
},
- "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
- # generated.
+ "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
+ "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
+ # for destruction. Only present if state is
+ # DESTROY_SCHEDULED.
+ "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
+ # destroyed. Only present if state is
+ # DESTROYED.
"protectionLevel": "A String", # Output only. The ProtectionLevel describing how crypto operations are
# performed with this CryptoKeyVersion.
+ "externalProtectionLevelOptions": { # ExternalProtectionLevelOptions stores a group of additional fields for # ExternalProtectionLevelOptions stores a group of additional fields for
+ # configuring a CryptoKeyVersion that are specific to the
+ # EXTERNAL protection level.
+ # configuring a CryptoKeyVersion that are specific to the
+ # EXTERNAL protection level.
+ "externalKeyUri": "A String", # The URI for an external resource that this CryptoKeyVersion represents.
+ },
+ "importJob": "A String", # Output only. The name of the ImportJob used to import this
+ # CryptoKeyVersion. Only present if the underlying key material was
+ # imported.
+ "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this
+ # CryptoKeyVersion supports.
},
- "name": "A String", # Output only. The resource name for this CryptoKey in the format
- # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
"versionTemplate": { # A CryptoKeyVersionTemplate specifies the properties to use when creating # A template describing settings for new CryptoKeyVersion instances.
# The properties of new CryptoKeyVersion instances created by either
# CreateCryptoKeyVersion or
@@ -2118,7 +2208,28 @@
"protectionLevel": "A String", # ProtectionLevel to use when creating a CryptoKeyVersion based on
# this template. Immutable. Defaults to SOFTWARE.
},
- "purpose": "A String", # Immutable. The immutable purpose of this CryptoKey.
+ "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
+ # automatically rotates a key. Must be at least 24 hours and at most
+ # 876,000 hours.
+ #
+ # If rotation_period is set, next_rotation_time must also be set.
+ #
+ # Keys with purpose
+ # ENCRYPT_DECRYPT support
+ # automatic rotation. For other keys, this field must be omitted.
+ "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
+ #
+ # 1. Create a new version of this CryptoKey.
+ # 2. Mark the new version as primary.
+ #
+ # Key rotations performed manually via
+ # CreateCryptoKeyVersion and
+ # UpdateCryptoKeyPrimaryVersion
+ # do not affect next_rotation_time.
+ #
+ # Keys with purpose
+ # ENCRYPT_DECRYPT support
+ # automatic rotation. For other keys, this field must be omitted.
}</pre>
</div>