<html><body>
<style>

body, h1, h2, h3, div, span, p, pre, a {
  margin: 0;
  padding: 0;
  border: 0;
  font-weight: inherit;
  font-style: inherit;
  font-size: 100%;
  font-family: inherit;
  vertical-align: baseline;
}

body {
  font-size: 13px;
  padding: 1em;
}

h1 {
  font-size: 26px;
  margin-bottom: 1em;
}

h2 {
  font-size: 24px;
  margin-bottom: 1em;
}

h3 {
  font-size: 20px;
  margin-bottom: 1em;
  margin-top: 1em;
}

pre, code {
  line-height: 1.5;
  font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
}

pre {
  margin-top: 0.5em;
}

h1, h2, h3, p {
  font-family: Arial, sans-serif;
}

h1, h2, h3 {
  border-bottom: solid #CCC 1px;
}

.toc_element {
  margin-top: 0.5em;
}

.firstline {
  margin-left: 2em;
}

.method {
  margin-top: 1em;
  border: solid 1px #CCC;
  padding: 1em;
  background: #EEE;
}

.details {
  font-weight: bold;
  font-size: 14px;
}

</style>

<h1><a href="cloudkms_v1.html">Cloud Key Management Service (KMS) API</a> . <a href="cloudkms_v1.projects.html">projects</a> . <a href="cloudkms_v1.projects.locations.html">locations</a> . <a href="cloudkms_v1.projects.locations.keyRings.html">keyRings</a> . <a href="cloudkms_v1.projects.locations.keyRings.cryptoKeys.html">cryptoKeys</a></h1>
<h2>Instance Methods</h2>
<p class="toc_element">
  <code><a href="cloudkms_v1.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.html">cryptoKeyVersions()</a></code>
</p>
<p class="firstline">Returns the cryptoKeyVersions Resource.</p>

<p class="toc_element">
  <code><a href="#create">create(parent, body=None, cryptoKeyId=None, skipInitialVersionCreation=None, x__xgafv=None)</a></code></p>
<p class="firstline">Create a new CryptoKey within a KeyRing.</p>
<p class="toc_element">
  <code><a href="#decrypt">decrypt(name, body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Decrypts data that was protected by Encrypt. The CryptoKey.purpose must be ENCRYPT_DECRYPT.</p>
<p class="toc_element">
  <code><a href="#encrypt">encrypt(name, body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Encrypts data, so that it can only be recovered by a call to Decrypt.</p>
<p class="toc_element">
  <code><a href="#get">get(name, x__xgafv=None)</a></code></p>
<p class="firstline">Returns metadata for a given CryptoKey, as well as its primary CryptoKeyVersion.</p>
<p class="toc_element">
  <code><a href="#getIamPolicy">getIamPolicy(resource, options_requestedPolicyVersion=None, x__xgafv=None)</a></code></p>
<p class="firstline">Gets the access control policy for a resource.</p>
<p class="toc_element">
  <code><a href="#list">list(parent, orderBy=None, versionView=None, filter=None, pageToken=None, pageSize=None, x__xgafv=None)</a></code></p>
<p class="firstline">Lists CryptoKeys.</p>
<p class="toc_element">
  <code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p>
<p class="firstline">Retrieves the next page of results.</p>
<p class="toc_element">
  <code><a href="#patch">patch(name, body=None, updateMask=None, x__xgafv=None)</a></code></p>
<p class="firstline">Update a CryptoKey.</p>
<p class="toc_element">
  <code><a href="#setIamPolicy">setIamPolicy(resource, body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Sets the access control policy on the specified resource. Replaces any</p>
<p class="toc_element">
  <code><a href="#testIamPermissions">testIamPermissions(resource, body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Returns permissions that a caller has on the specified resource.</p>
<p class="toc_element">
  <code><a href="#updatePrimaryVersion">updatePrimaryVersion(name, body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Update the version of a CryptoKey that will be used in Encrypt.</p>
<h3>Method Details</h3>
<div class="method">
    <code class="details" id="create">create(parent, body=None, cryptoKeyId=None, skipInitialVersionCreation=None, x__xgafv=None)</code>
  <pre>Create a new CryptoKey within a KeyRing.

CryptoKey.purpose and
CryptoKey.version_template.algorithm
are required.

Args:
  parent: string, Required. The name of the KeyRing associated with the
CryptoKeys. (required)
  body: object, The request body.
    The object takes the form of:

{ # A CryptoKey represents a logical key that can be used for cryptographic
      # operations.
      #
      # A CryptoKey is made up of zero or more versions,
      # which represent the actual key material used in cryptographic operations.
    &quot;nextRotationTime&quot;: &quot;A String&quot;, # At next_rotation_time, the Key Management Service will automatically:
        #
        # 1. Create a new version of this CryptoKey.
        # 2. Mark the new version as primary.
        #
        # Key rotations performed manually via
        # CreateCryptoKeyVersion and
        # UpdateCryptoKeyPrimaryVersion
        # do not affect next_rotation_time.
        #
        # Keys with purpose
        # ENCRYPT_DECRYPT support
        # automatic rotation. For other keys, this field must be omitted.
    &quot;labels&quot;: { # Labels with user-defined metadata. For more information, see
        # [Labeling Keys](/kms/docs/labeling-keys).
      &quot;a_key&quot;: &quot;A String&quot;,
    },
    &quot;createTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKey was created.
    &quot;rotationPeriod&quot;: &quot;A String&quot;, # next_rotation_time will be advanced by this period when the service
        # automatically rotates a key. Must be at least 24 hours and at most
        # 876,000 hours.
        #
        # If rotation_period is set, next_rotation_time must also be set.
        #
        # Keys with purpose
        # ENCRYPT_DECRYPT support
        # automatic rotation. For other keys, this field must be omitted.
    &quot;primary&quot;: { # Output only. A copy of the &quot;primary&quot; CryptoKeyVersion that will be used
        # by Encrypt when this CryptoKey is given
        # in EncryptRequest.name.
        #
        # The CryptoKey&#x27;s primary version can be updated via
        # UpdateCryptoKeyPrimaryVersion.
        #
        # Keys with purpose
        # ENCRYPT_DECRYPT may have a
        # primary. For other keys, this field will be omitted.
        #
        # A CryptoKeyVersion represents an individual cryptographic key, and the
        # associated key material.
        #
        # An ENABLED version can be
        # used for cryptographic operations.
        #
        # For security reasons, the raw cryptographic key material represented by a
        # CryptoKeyVersion can never be viewed or exported. It can only be used to
        # encrypt, decrypt, or sign data when an authorized user or application invokes
        # Cloud KMS.
      &quot;createTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKeyVersion was created.
      &quot;algorithm&quot;: &quot;A String&quot;, # Output only. The CryptoKeyVersionAlgorithm that this
          # CryptoKeyVersion supports.
      &quot;importJob&quot;: &quot;A String&quot;, # Output only. The name of the ImportJob used to import this
          # CryptoKeyVersion. Only present if the underlying key material was
          # imported.
      &quot;externalProtectionLevelOptions&quot;: { # ExternalProtectionLevelOptions stores a group of additional fields for
          # configuring a CryptoKeyVersion that are specific to the
          # EXTERNAL protection level.
        &quot;externalKeyUri&quot;: &quot;A String&quot;, # The URI for an external resource that this CryptoKeyVersion represents.
      },
      &quot;destroyEventTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material was
          # destroyed. Only present if state is
          # DESTROYED.
      &quot;importTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKeyVersion&#x27;s key material
          # was imported.
      &quot;destroyTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material is scheduled
          # for destruction. Only present if state is
          # DESTROY_SCHEDULED.
      &quot;importFailureReason&quot;: &quot;A String&quot;, # Output only. The root cause of an import failure. Only present if
          # state is
          # IMPORT_FAILED.
      &quot;state&quot;: &quot;A String&quot;, # The current state of the CryptoKeyVersion.
      &quot;name&quot;: &quot;A String&quot;, # Output only. The resource name for this CryptoKeyVersion in the format
          # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
      &quot;attestation&quot;: { # Output only. Statement that was generated and signed by the HSM at key
          # creation time. Use this statement to verify attributes of the key as stored
          # on the HSM, independently of Google. Only provided for key versions with
          # protection_level HSM.
          #
          # Contains an HSM-generated attestation about a key operation. For more
          # information, see [Verifying attestations]
          # (https://cloud.google.com/kms/docs/attest-key).
        &quot;format&quot;: &quot;A String&quot;, # Output only. The format of the attestation data.
        &quot;content&quot;: &quot;A String&quot;, # Output only. The attestation data provided by the HSM when the key
            # operation was performed.
      },
      &quot;generateTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material was
          # generated.
      &quot;protectionLevel&quot;: &quot;A String&quot;, # Output only. The ProtectionLevel describing how crypto operations are
          # performed with this CryptoKeyVersion.
    },
    &quot;name&quot;: &quot;A String&quot;, # Output only. The resource name for this CryptoKey in the format
        # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
    &quot;versionTemplate&quot;: { # A template describing settings for new CryptoKeyVersion instances.
        # The properties of new CryptoKeyVersion instances created by either
        # CreateCryptoKeyVersion or
        # auto-rotation are controlled by this template.
        #
        # A CryptoKeyVersionTemplate specifies the properties to use when creating
        # a new CryptoKeyVersion, either manually with
        # CreateCryptoKeyVersion or
        # automatically as a result of auto-rotation.
      &quot;algorithm&quot;: &quot;A String&quot;, # Required. Algorithm to use
          # when creating a CryptoKeyVersion based on this template.
          #
          # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
          # this field is omitted and CryptoKey.purpose is
          # ENCRYPT_DECRYPT.
      &quot;protectionLevel&quot;: &quot;A String&quot;, # ProtectionLevel to use when creating a CryptoKeyVersion based on
          # this template. Immutable. Defaults to SOFTWARE.
    },
    &quot;purpose&quot;: &quot;A String&quot;, # Immutable. The immutable purpose of this CryptoKey.
}

  cryptoKeyId: string, Required. It must be unique within a KeyRing and match the regular
expression `[a-zA-Z0-9_-]{1,63}`
  skipInitialVersionCreation: boolean, If set to true, the request will create a CryptoKey without any
CryptoKeyVersions. You must manually call
CreateCryptoKeyVersion or
ImportCryptoKeyVersion
before you can use this CryptoKey.
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A CryptoKey represents a logical key that can be used for cryptographic
          # operations.
          #
          # A CryptoKey is made up of zero or more versions,
          # which represent the actual key material used in cryptographic operations.
      &quot;nextRotationTime&quot;: &quot;A String&quot;, # At next_rotation_time, the Key Management Service will automatically:
          #
          # 1. Create a new version of this CryptoKey.
          # 2. Mark the new version as primary.
          #
          # Key rotations performed manually via
          # CreateCryptoKeyVersion and
          # UpdateCryptoKeyPrimaryVersion
          # do not affect next_rotation_time.
          #
          # Keys with purpose
          # ENCRYPT_DECRYPT support
          # automatic rotation. For other keys, this field must be omitted.
      &quot;labels&quot;: { # Labels with user-defined metadata. For more information, see
          # [Labeling Keys](/kms/docs/labeling-keys).
        &quot;a_key&quot;: &quot;A String&quot;,
      },
      &quot;createTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKey was created.
      &quot;rotationPeriod&quot;: &quot;A String&quot;, # next_rotation_time will be advanced by this period when the service
          # automatically rotates a key. Must be at least 24 hours and at most
          # 876,000 hours.
          #
          # If rotation_period is set, next_rotation_time must also be set.
          #
          # Keys with purpose
          # ENCRYPT_DECRYPT support
          # automatic rotation. For other keys, this field must be omitted.
      &quot;primary&quot;: { # Output only. A copy of the &quot;primary&quot; CryptoKeyVersion that will be used
          # by Encrypt when this CryptoKey is given
          # in EncryptRequest.name.
          #
          # The CryptoKey&#x27;s primary version can be updated via
          # UpdateCryptoKeyPrimaryVersion.
          #
          # Keys with purpose
          # ENCRYPT_DECRYPT may have a
          # primary. For other keys, this field will be omitted.
          #
          # A CryptoKeyVersion represents an individual cryptographic key, and the
          # associated key material.
          #
          # An ENABLED version can be
          # used for cryptographic operations.
          #
          # For security reasons, the raw cryptographic key material represented by a
          # CryptoKeyVersion can never be viewed or exported. It can only be used to
          # encrypt, decrypt, or sign data when an authorized user or application invokes
          # Cloud KMS.
        &quot;createTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKeyVersion was created.
        &quot;algorithm&quot;: &quot;A String&quot;, # Output only. The CryptoKeyVersionAlgorithm that this
            # CryptoKeyVersion supports.
        &quot;importJob&quot;: &quot;A String&quot;, # Output only. The name of the ImportJob used to import this
            # CryptoKeyVersion. Only present if the underlying key material was
            # imported.
        &quot;externalProtectionLevelOptions&quot;: { # ExternalProtectionLevelOptions stores a group of additional fields for
            # configuring a CryptoKeyVersion that are specific to the
            # EXTERNAL protection level.
          &quot;externalKeyUri&quot;: &quot;A String&quot;, # The URI for an external resource that this CryptoKeyVersion represents.
        },
        &quot;destroyEventTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material was
            # destroyed. Only present if state is
            # DESTROYED.
        &quot;importTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKeyVersion&#x27;s key material
            # was imported.
        &quot;destroyTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material is scheduled
            # for destruction. Only present if state is
            # DESTROY_SCHEDULED.
        &quot;importFailureReason&quot;: &quot;A String&quot;, # Output only. The root cause of an import failure. Only present if
            # state is
            # IMPORT_FAILED.
        &quot;state&quot;: &quot;A String&quot;, # The current state of the CryptoKeyVersion.
        &quot;name&quot;: &quot;A String&quot;, # Output only. The resource name for this CryptoKeyVersion in the format
            # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
        &quot;attestation&quot;: { # Output only. Statement that was generated and signed by the HSM at key
            # creation time. Use this statement to verify attributes of the key as stored
            # on the HSM, independently of Google. Only provided for key versions with
            # protection_level HSM.
            #
            # Contains an HSM-generated attestation about a key operation. For more
            # information, see [Verifying attestations]
            # (https://cloud.google.com/kms/docs/attest-key).
          &quot;format&quot;: &quot;A String&quot;, # Output only. The format of the attestation data.
          &quot;content&quot;: &quot;A String&quot;, # Output only. The attestation data provided by the HSM when the key
              # operation was performed.
        },
        &quot;generateTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material was
            # generated.
        &quot;protectionLevel&quot;: &quot;A String&quot;, # Output only. The ProtectionLevel describing how crypto operations are
            # performed with this CryptoKeyVersion.
      },
      &quot;name&quot;: &quot;A String&quot;, # Output only. The resource name for this CryptoKey in the format
          # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
      &quot;versionTemplate&quot;: { # A template describing settings for new CryptoKeyVersion instances.
          # The properties of new CryptoKeyVersion instances created by either
          # CreateCryptoKeyVersion or
          # auto-rotation are controlled by this template.
          #
          # A CryptoKeyVersionTemplate specifies the properties to use when creating
          # a new CryptoKeyVersion, either manually with
          # CreateCryptoKeyVersion or
          # automatically as a result of auto-rotation.
        &quot;algorithm&quot;: &quot;A String&quot;, # Required. Algorithm to use
            # when creating a CryptoKeyVersion based on this template.
            #
            # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
            # this field is omitted and CryptoKey.purpose is
            # ENCRYPT_DECRYPT.
        &quot;protectionLevel&quot;: &quot;A String&quot;, # ProtectionLevel to use when creating a CryptoKeyVersion based on
            # this template. Immutable. Defaults to SOFTWARE.
      },
      &quot;purpose&quot;: &quot;A String&quot;, # Immutable. The immutable purpose of this CryptoKey.
    }</pre>
</div>
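
<p>The constraints documented for <code>create()</code> above can be checked client-side before the request is sent. This is an added example, not code from the API or its client library: <code>build_create_kwargs</code> and <code>_rfc3339_utc</code> are hypothetical names, the resource name in the comment is constructed, and the wire formats (<code>"&lt;seconds&gt;s"</code> for the period, an RFC 3339 UTC timestamp for the rotation time) are assumed from the standard protobuf JSON mapping, which this page does not spell out.</p>

```python
import re
from datetime import datetime, timezone

# Regular expression quoted in the cryptoKeyId argument description.
CRYPTO_KEY_ID_RE = re.compile(r"[a-zA-Z0-9_-]{1,63}")
# Bounds quoted in the rotationPeriod field description.
MIN_ROTATION_HOURS = 24
MAX_ROTATION_HOURS = 876_000


def _rfc3339_utc(value):
    """Parse an RFC 3339 timestamp and re-emit it normalised to UTC."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        raise ValueError("nextRotationTime needs an explicit UTC offset")
    return parsed.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_create_kwargs(parent, crypto_key_id, purpose, algorithm,
                        protection_level=None, rotation_hours=None,
                        next_rotation_time=None):
    """Return keyword arguments for cryptoKeys().create(), or raise ValueError.

    Enforces only what the page documents:
      * cryptoKeyId matches [a-zA-Z0-9_-]{1,63}
      * purpose and versionTemplate.algorithm are required
      * rotation fields are only valid for ENCRYPT_DECRYPT keys
      * rotationPeriod is within 24..876,000 hours and needs nextRotationTime
    """
    if not CRYPTO_KEY_ID_RE.fullmatch(crypto_key_id or ""):
        raise ValueError("cryptoKeyId must match [a-zA-Z0-9_-]{1,63}")
    if not purpose or not algorithm:
        raise ValueError("purpose and versionTemplate.algorithm are required")

    template = {"algorithm": algorithm}
    if protection_level is not None:
        # Immutable once set; the service defaults to SOFTWARE when omitted.
        template["protectionLevel"] = protection_level
    body = {"purpose": purpose, "versionTemplate": template}

    if rotation_hours is not None or next_rotation_time is not None:
        if purpose != "ENCRYPT_DECRYPT":
            raise ValueError("rotation fields must be omitted for this purpose")
        if next_rotation_time is None:
            raise ValueError("rotationPeriod requires nextRotationTime")
        body["nextRotationTime"] = _rfc3339_utc(next_rotation_time)
        if rotation_hours is not None:
            if not MIN_ROTATION_HOURS <= rotation_hours <= MAX_ROTATION_HOURS:
                raise ValueError("rotationPeriod must be 24..876,000 hours")
            body["rotationPeriod"] = f"{rotation_hours * 3600}s"

    # Output-only fields (name, createTime, primary) are never sent.
    return {"parent": parent, "cryptoKeyId": crypto_key_id, "body": body}


# Usage with a discovery-built client (constructed resource name):
#   kwargs = build_create_kwargs(
#       "projects/example-project/locations/global/keyRings/example-ring",
#       "app-data-key", "ENCRYPT_DECRYPT", "GOOGLE_SYMMETRIC_ENCRYPTION",
#       rotation_hours=90 * 24, next_rotation_time="2030-01-01T00:00:00Z")
#   service.projects().locations().keyRings().cryptoKeys().create(**kwargs).execute()
```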

<div class="method">
    <code class="details" id="decrypt">decrypt(name, body=None, x__xgafv=None)</code>
  <pre>Decrypts data that was protected by Encrypt. The CryptoKey.purpose
must be ENCRYPT_DECRYPT.

Args:
  name: string, Required. The resource name of the CryptoKey to use for decryption.
The server will choose the appropriate version. (required)
  body: object, The request body.
    The object takes the form of:

{ # Request message for KeyManagementService.Decrypt.
    &quot;ciphertext&quot;: &quot;A String&quot;, # Required. The encrypted data originally returned in
        # EncryptResponse.ciphertext.
    &quot;additionalAuthenticatedData&quot;: &quot;A String&quot;, # Optional. Optional data that must match the data originally supplied in
        # EncryptRequest.additional_authenticated_data.
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Response message for KeyManagementService.Decrypt.
    &quot;plaintext&quot;: &quot;A String&quot;, # The decrypted data originally supplied in EncryptRequest.plaintext.
  }</pre>
</div>

<div class="method">
    <code class="details" id="encrypt">encrypt(name, body=None, x__xgafv=None)</code>
  <pre>Encrypts data, so that it can only be recovered by a call to Decrypt.
The CryptoKey.purpose must be
ENCRYPT_DECRYPT.

Args:
  name: string, Required. The resource name of the CryptoKey or CryptoKeyVersion
to use for encryption.

If a CryptoKey is specified, the server will use its
primary version. (required)
  body: object, The request body.
    The object takes the form of:

{ # Request message for KeyManagementService.Encrypt.
    &quot;plaintext&quot;: &quot;A String&quot;, # Required. The data to encrypt. Must be no larger than 64KiB.
        #
        # The maximum size depends on the key version&#x27;s
        # protection_level. For
        # SOFTWARE keys, the plaintext must be no larger
        # than 64KiB. For HSM keys, the combined length of the
        # plaintext and additional_authenticated_data fields must be no larger than
        # 8KiB.
    &quot;additionalAuthenticatedData&quot;: &quot;A String&quot;, # Optional. Optional data that, if specified, must also be provided during decryption
        # through DecryptRequest.additional_authenticated_data.
        #
        # The maximum size depends on the key version&#x27;s
        # protection_level. For
        # SOFTWARE keys, the AAD must be no larger than
        # 64KiB. For HSM keys, the combined length of the
        # plaintext and additional_authenticated_data fields must be no larger than
        # 8KiB.
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Response message for KeyManagementService.Encrypt.
    &quot;ciphertext&quot;: &quot;A String&quot;, # The encrypted data.
    &quot;name&quot;: &quot;A String&quot;, # The resource name of the CryptoKeyVersion used in encryption. Check
        # this field to verify that the intended resource was used for encryption.
  }</pre>
</div>
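
<p>The size limits and the response <code>name</code> check described for <code>encrypt()</code> and <code>decrypt()</code> above, as an added example that is not part of the API or its client library. The function names are hypothetical and the resource names in the usage comment are constructed; the example assumes the byte fields travel base64-encoded in the JSON body and that the documented limits apply to the raw bytes before encoding.</p>

```python
import base64

KIB = 1024
SOFTWARE_FIELD_LIMIT = 64 * KIB   # per field, for SOFTWARE keys
HSM_COMBINED_LIMIT = 8 * KIB      # plaintext + AAD together, for HSM keys
VERSION_SEGMENT = "/cryptoKeyVersions/"


def _b64(data):
    return base64.b64encode(data).decode("ascii")


def build_encrypt_body(plaintext, aad=b"", protection_level="SOFTWARE"):
    """Build the encrypt() request body after enforcing the documented limits."""
    if protection_level == "SOFTWARE":
        if len(plaintext) > SOFTWARE_FIELD_LIMIT:
            raise ValueError("plaintext exceeds 64KiB for a SOFTWARE key")
        if len(aad) > SOFTWARE_FIELD_LIMIT:
            raise ValueError("AAD exceeds 64KiB for a SOFTWARE key")
    elif protection_level == "HSM":
        if len(plaintext) + len(aad) > HSM_COMBINED_LIMIT:
            raise ValueError("plaintext + AAD exceed 8KiB for an HSM key")
    else:
        # The page states limits only for SOFTWARE and HSM.
        raise ValueError(f"no documented size limit for {protection_level!r}")

    body = {"plaintext": _b64(plaintext)}
    if aad:
        body["additionalAuthenticatedData"] = _b64(aad)
    return body


def build_decrypt_body(ciphertext_b64, aad=b""):
    """Build the decrypt() body; the AAD must match what was used to encrypt."""
    body = {"ciphertext": ciphertext_b64}
    if aad:
        body["additionalAuthenticatedData"] = _b64(aad)
    return body


def used_intended_key(requested_name, encrypt_response):
    """Check EncryptResponse.name against the name passed to encrypt().

    A CryptoKeyVersion name must match exactly. A CryptoKey name must be the
    direct parent of the returned version; comparing with the separator
    appended stops 'cryptoKeys/app' from matching 'cryptoKeys/app-other'.
    """
    used = encrypt_response.get("name", "")
    if VERSION_SEGMENT in requested_name:
        return used == requested_name
    return used.startswith(requested_name + VERSION_SEGMENT)


# Usage with a discovery-built client (constructed resource name):
#   key = ("projects/example-project/locations/global/"
#          "keyRings/example-ring/cryptoKeys/app-data-key")
#   keys = service.projects().locations().keyRings().cryptoKeys()
#   resp = keys.encrypt(name=key, body=build_encrypt_body(b"secret", b"tenant-42")).execute()
#   if not used_intended_key(key, resp):
#       raise RuntimeError("ciphertext was produced by an unexpected key version")
#   keys.decrypt(name=key, body=build_decrypt_body(resp["ciphertext"], b"tenant-42")).execute()
```

Binding the AAD to something the decrypting side already knows (here a tenant identifier) means a ciphertext copied into another tenant's record fails to decrypt instead of silently yielding the other tenant's plaintext.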

<div class="method">
    <code class="details" id="get">get(name, x__xgafv=None)</code>
  <pre>Returns metadata for a given CryptoKey, as well as its
primary CryptoKeyVersion.

Args:
  name: string, Required. The name of the CryptoKey to get. (required)
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A CryptoKey represents a logical key that can be used for cryptographic
          # operations.
          #
          # A CryptoKey is made up of zero or more versions,
          # which represent the actual key material used in cryptographic operations.
      &quot;nextRotationTime&quot;: &quot;A String&quot;, # At next_rotation_time, the Key Management Service will automatically:
          #
          # 1. Create a new version of this CryptoKey.
          # 2. Mark the new version as primary.
          #
          # Key rotations performed manually via
          # CreateCryptoKeyVersion and
          # UpdateCryptoKeyPrimaryVersion
          # do not affect next_rotation_time.
          #
          # Keys with purpose
          # ENCRYPT_DECRYPT support
          # automatic rotation. For other keys, this field must be omitted.
      &quot;labels&quot;: { # Labels with user-defined metadata. For more information, see
          # [Labeling Keys](/kms/docs/labeling-keys).
        &quot;a_key&quot;: &quot;A String&quot;,
      },
      &quot;createTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKey was created.
      &quot;rotationPeriod&quot;: &quot;A String&quot;, # next_rotation_time will be advanced by this period when the service
          # automatically rotates a key. Must be at least 24 hours and at most
          # 876,000 hours.
          #
          # If rotation_period is set, next_rotation_time must also be set.
          #
          # Keys with purpose
          # ENCRYPT_DECRYPT support
          # automatic rotation. For other keys, this field must be omitted.
      &quot;primary&quot;: { # Output only. A copy of the &quot;primary&quot; CryptoKeyVersion that will be used
          # by Encrypt when this CryptoKey is given
          # in EncryptRequest.name.
          #
          # The CryptoKey&#x27;s primary version can be updated via
          # UpdateCryptoKeyPrimaryVersion.
          #
          # Keys with purpose
          # ENCRYPT_DECRYPT may have a
          # primary. For other keys, this field will be omitted.
          #
          # A CryptoKeyVersion represents an individual cryptographic key, and the
          # associated key material.
          #
          # An ENABLED version can be
          # used for cryptographic operations.
          #
          # For security reasons, the raw cryptographic key material represented by a
          # CryptoKeyVersion can never be viewed or exported. It can only be used to
          # encrypt, decrypt, or sign data when an authorized user or application invokes
          # Cloud KMS.
        &quot;createTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKeyVersion was created.
        &quot;algorithm&quot;: &quot;A String&quot;, # Output only. The CryptoKeyVersionAlgorithm that this
            # CryptoKeyVersion supports.
        &quot;importJob&quot;: &quot;A String&quot;, # Output only. The name of the ImportJob used to import this
            # CryptoKeyVersion. Only present if the underlying key material was
            # imported.
        &quot;externalProtectionLevelOptions&quot;: { # ExternalProtectionLevelOptions stores a group of additional fields for
            # configuring a CryptoKeyVersion that are specific to the
            # EXTERNAL protection level.
          &quot;externalKeyUri&quot;: &quot;A String&quot;, # The URI for an external resource that this CryptoKeyVersion represents.
        },
        &quot;destroyEventTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material was
            # destroyed. Only present if state is
            # DESTROYED.
        &quot;importTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKeyVersion&#x27;s key material
            # was imported.
        &quot;destroyTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material is scheduled
            # for destruction. Only present if state is
            # DESTROY_SCHEDULED.
        &quot;importFailureReason&quot;: &quot;A String&quot;, # Output only. The root cause of an import failure. Only present if
            # state is
            # IMPORT_FAILED.
        &quot;state&quot;: &quot;A String&quot;, # The current state of the CryptoKeyVersion.
        &quot;name&quot;: &quot;A String&quot;, # Output only. The resource name for this CryptoKeyVersion in the format
            # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
        &quot;attestation&quot;: { # Output only. Statement that was generated and signed by the HSM at key
            # creation time. Use this statement to verify attributes of the key as stored
            # on the HSM, independently of Google. Only provided for key versions with
            # protection_level HSM.
            #
            # Contains an HSM-generated attestation about a key operation. For more
            # information, see [Verifying attestations]
            # (https://cloud.google.com/kms/docs/attest-key).
          &quot;format&quot;: &quot;A String&quot;, # Output only. The format of the attestation data.
          &quot;content&quot;: &quot;A String&quot;, # Output only. The attestation data provided by the HSM when the key
              # operation was performed.
        },
        &quot;generateTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material was
            # generated.
        &quot;protectionLevel&quot;: &quot;A String&quot;, # Output only. The ProtectionLevel describing how crypto operations are
            # performed with this CryptoKeyVersion.
      },
      &quot;name&quot;: &quot;A String&quot;, # Output only. The resource name for this CryptoKey in the format
          # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
      &quot;versionTemplate&quot;: { # A template describing settings for new CryptoKeyVersion instances.
          # The properties of new CryptoKeyVersion instances created by either
          # CreateCryptoKeyVersion or
          # auto-rotation are controlled by this template.
          #
          # A CryptoKeyVersionTemplate specifies the properties to use when creating
          # a new CryptoKeyVersion, either manually with
          # CreateCryptoKeyVersion or
          # automatically as a result of auto-rotation.
        &quot;algorithm&quot;: &quot;A String&quot;, # Required. Algorithm to use
            # when creating a CryptoKeyVersion based on this template.
            #
            # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
            # this field is omitted and CryptoKey.purpose is
            # ENCRYPT_DECRYPT.
        &quot;protectionLevel&quot;: &quot;A String&quot;, # ProtectionLevel to use when creating a CryptoKeyVersion based on
            # this template. Immutable. Defaults to SOFTWARE.
      },
      &quot;purpose&quot;: &quot;A String&quot;, # Immutable. The immutable purpose of this CryptoKey.
    }</pre>
</div>
584
<div class="method">
    <code class="details" id="getIamPolicy">getIamPolicy(resource, options_requestedPolicyVersion=None, x__xgafv=None)</code>
  <pre>Gets the access control policy for a resource.
Returns an empty policy if the resource exists and does not have a policy
set.

Args:
  resource: string, REQUIRED: The resource for which the policy is being requested.
See the operation documentation for the appropriate value for this field. (required)
  options_requestedPolicyVersion: integer, Optional. The policy format version to be returned.

Valid values are 0, 1, and 3. Requests specifying an invalid value will be
rejected.

Requests for policies with any conditional bindings must specify version 3.
Policies without any conditional bindings may specify any valid value or
leave the field unset.

To learn which resources support conditions in their IAM policies, see the
[IAM
documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # An Identity and Access Management (IAM) policy, which specifies access
        # controls for Google Cloud resources.
        #
        # A `Policy` is a collection of `bindings`. A `binding` binds one or more
        # `members` to a single `role`. Members can be user accounts, service accounts,
        # Google groups, and domains (such as G Suite). A `role` is a named list of
        # permissions; each `role` can be an IAM predefined role or a user-created
        # custom role.
        #
        # For some types of Google Cloud resources, a `binding` can also specify a
        # `condition`, which is a logical expression that allows access to a resource
        # only if the expression evaluates to `true`. A condition can add constraints
        # based on attributes of the request, the resource, or both. To learn which
        # resources support conditions in their IAM policies, see the
        # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
        #
        # **JSON example:**
        #
        #     {
        #       &quot;bindings&quot;: [
        #         {
        #           &quot;role&quot;: &quot;roles/resourcemanager.organizationAdmin&quot;,
        #           &quot;members&quot;: [
        #             &quot;user:mike@example.com&quot;,
        #             &quot;group:admins@example.com&quot;,
        #             &quot;domain:google.com&quot;,
        #             &quot;serviceAccount:my-project-id@appspot.gserviceaccount.com&quot;
        #           ]
        #         },
        #         {
        #           &quot;role&quot;: &quot;roles/resourcemanager.organizationViewer&quot;,
        #           &quot;members&quot;: [
        #             &quot;user:eve@example.com&quot;
        #           ],
        #           &quot;condition&quot;: {
        #             &quot;title&quot;: &quot;expirable access&quot;,
        #             &quot;description&quot;: &quot;Does not grant access after Sep 2020&quot;,
        #             &quot;expression&quot;: &quot;request.time &lt; timestamp(&#x27;2020-10-01T00:00:00.000Z&#x27;)&quot;
        #           }
        #         }
        #       ],
        #       &quot;etag&quot;: &quot;BwWWja0YfJA=&quot;,
        #       &quot;version&quot;: 3
        #     }
        #
        # **YAML example:**
        #
        #     bindings:
        #     - members:
        #       - user:mike@example.com
        #       - group:admins@example.com
        #       - domain:google.com
        #       - serviceAccount:my-project-id@appspot.gserviceaccount.com
        #       role: roles/resourcemanager.organizationAdmin
        #     - members:
        #       - user:eve@example.com
        #       role: roles/resourcemanager.organizationViewer
        #       condition:
        #         title: expirable access
        #         description: Does not grant access after Sep 2020
        #         expression: request.time &lt; timestamp(&#x27;2020-10-01T00:00:00.000Z&#x27;)
        #     etag: BwWWja0YfJA=
        #     version: 3
        #
        # For a description of IAM and its features, see the
        # [IAM documentation](https://cloud.google.com/iam/docs/).
      &quot;etag&quot;: &quot;A String&quot;, # `etag` is used for optimistic concurrency control as a way to help
          # prevent simultaneous updates of a policy from overwriting each other.
          # It is strongly suggested that systems make use of the `etag` in the
          # read-modify-write cycle to perform policy updates in order to avoid race
          # conditions: An `etag` is returned in the response to `getIamPolicy`, and
          # systems are expected to put that etag in the request to `setIamPolicy` to
          # ensure that their change will be applied to the same version of the policy.
          #
          # **Important:** If you use IAM Conditions, you must include the `etag` field
          # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
          # you to overwrite a version `3` policy with a version `1` policy, and all of
          # the conditions in the version `3` policy are lost.
      &quot;version&quot;: 42, # Specifies the format of the policy.
          #
          # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
          # are rejected.
          #
          # Any operation that affects conditional role bindings must specify version
          # `3`. This requirement applies to the following operations:
          #
          # * Getting a policy that includes a conditional role binding
          # * Adding a conditional role binding to a policy
          # * Changing a conditional role binding in a policy
          # * Removing any role binding, with or without a condition, from a policy
          #   that includes conditions
          #
          # **Important:** If you use IAM Conditions, you must include the `etag` field
          # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
          # you to overwrite a version `3` policy with a version `1` policy, and all of
          # the conditions in the version `3` policy are lost.
          #
          # If a policy does not include any conditions, operations on that policy may
          # specify any valid version or leave the field unset.
          #
          # To learn which resources support conditions in their IAM policies, see the
          # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
      &quot;auditConfigs&quot;: [ # Specifies cloud audit logging configuration for this policy.
        { # Specifies the audit configuration for a service.
            # The configuration determines which permission types are logged, and what
            # identities, if any, are exempted from logging.
            # An AuditConfig must have one or more AuditLogConfigs.
            #
            # If there are AuditConfigs for both `allServices` and a specific service,
            # the union of the two AuditConfigs is used for that service: the log_types
            # specified in each AuditConfig are enabled, and the exempted_members in each
            # AuditLogConfig are exempted.
            #
            # Example Policy with multiple AuditConfigs:
            #
            #     {
            #       &quot;audit_configs&quot;: [
            #         {
            #           &quot;service&quot;: &quot;allServices&quot;,
            #           &quot;audit_log_configs&quot;: [
            #             {
            #               &quot;log_type&quot;: &quot;DATA_READ&quot;,
            #               &quot;exempted_members&quot;: [
            #                 &quot;user:jose@example.com&quot;
            #               ]
            #             },
            #             {
            #               &quot;log_type&quot;: &quot;DATA_WRITE&quot;
            #             },
            #             {
            #               &quot;log_type&quot;: &quot;ADMIN_READ&quot;
            #             }
            #           ]
            #         },
            #         {
            #           &quot;service&quot;: &quot;sampleservice.googleapis.com&quot;,
            #           &quot;audit_log_configs&quot;: [
            #             {
            #               &quot;log_type&quot;: &quot;DATA_READ&quot;
            #             },
            #             {
            #               &quot;log_type&quot;: &quot;DATA_WRITE&quot;,
            #               &quot;exempted_members&quot;: [
            #                 &quot;user:aliya@example.com&quot;
            #               ]
            #             }
            #           ]
            #         }
            #       ]
            #     }
            #
            # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
            # logging. It also exempts jose@example.com from DATA_READ logging, and
            # aliya@example.com from DATA_WRITE logging.
          &quot;auditLogConfigs&quot;: [ # The configuration for logging of each type of permission.
            { # Provides the configuration for logging a type of permissions.
                # Example:
                #
                #     {
                #       &quot;audit_log_configs&quot;: [
                #         {
                #           &quot;log_type&quot;: &quot;DATA_READ&quot;,
                #           &quot;exempted_members&quot;: [
                #             &quot;user:jose@example.com&quot;
                #           ]
                #         },
                #         {
                #           &quot;log_type&quot;: &quot;DATA_WRITE&quot;
                #         }
                #       ]
                #     }
                #
                # This enables &#x27;DATA_READ&#x27; and &#x27;DATA_WRITE&#x27; logging, while exempting
                # jose@example.com from DATA_READ logging.
              &quot;exemptedMembers&quot;: [ # Specifies the identities that do not cause logging for this type of
                  # permission.
                  # Follows the same format as Binding.members.
                &quot;A String&quot;,
              ],
              &quot;logType&quot;: &quot;A String&quot;, # The log type that this config enables.
            },
          ],
          &quot;service&quot;: &quot;A String&quot;, # Specifies a service that will be enabled for audit logging.
              # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
              # `allServices` is a special value that covers all services.
        },
      ],
      &quot;bindings&quot;: [ # Associates a list of `members` to a `role`. Optionally, may specify a
          # `condition` that determines how and when the `bindings` are applied. Each
          # of the `bindings` must contain at least one member.
        { # Associates `members` with a `role`.
          &quot;condition&quot;: { # The condition that is associated with this binding.
              #
              # If the condition evaluates to `true`, then this binding applies to the
              # current request.
              #
              # If the condition evaluates to `false`, then this binding does not apply to
              # the current request. However, a different role binding might grant the same
              # role to one or more of the members in this binding.
              #
              # To learn which resources support conditions in their IAM policies, see the
              # [IAM
              # documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
              #
              # Represents a textual expression in the Common Expression Language (CEL)
              # syntax. CEL is a C-like expression language. The syntax and semantics of CEL
              # are documented at https://github.com/google/cel-spec.
              #
              # Example (Comparison):
              #
              #     title: &quot;Summary size limit&quot;
              #     description: &quot;Determines if a summary is less than 100 chars&quot;
              #     expression: &quot;document.summary.size() &lt; 100&quot;
              #
              # Example (Equality):
              #
              #     title: &quot;Requestor is owner&quot;
              #     description: &quot;Determines if requestor is the document owner&quot;
              #     expression: &quot;document.owner == request.auth.claims.email&quot;
              #
              # Example (Logic):
              #
              #     title: &quot;Public documents&quot;
              #     description: &quot;Determine whether the document should be publicly visible&quot;
              #     expression: &quot;document.type != &#x27;private&#x27; &amp;&amp; document.type != &#x27;internal&#x27;&quot;
              #
              # Example (Data Manipulation):
              #
              #     title: &quot;Notification string&quot;
              #     description: &quot;Create a notification string with a timestamp.&quot;
              #     expression: &quot;&#x27;New message received at &#x27; + string(document.create_time)&quot;
              #
              # The exact variables and functions that may be referenced within an expression
              # are determined by the service that evaluates it. See the service
              # documentation for additional information.
            &quot;title&quot;: &quot;A String&quot;, # Optional. Title for the expression, i.e. a short string describing
                # its purpose. This can be used e.g. in UIs that allow entering the
                # expression.
            &quot;location&quot;: &quot;A String&quot;, # Optional. String indicating the location of the expression for error
                # reporting, e.g. a file name and a position in the file.
            &quot;description&quot;: &quot;A String&quot;, # Optional. Description of the expression. This is a longer text which
                # describes the expression, e.g. when hovered over it in a UI.
            &quot;expression&quot;: &quot;A String&quot;, # Textual representation of an expression in Common Expression Language
                # syntax.
          },
          &quot;members&quot;: [ # Specifies the identities requesting access for a Cloud Platform resource.
              # `members` can have the following values:
              #
              # * `allUsers`: A special identifier that represents anyone who is
              #    on the internet; with or without a Google account.
              #
              # * `allAuthenticatedUsers`: A special identifier that represents anyone
              #    who is authenticated with a Google account or a service account.
              #
              # * `user:{emailid}`: An email address that represents a specific Google
              #    account. For example, `alice@example.com`.
              #
              # * `serviceAccount:{emailid}`: An email address that represents a service
              #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
              #
              # * `group:{emailid}`: An email address that represents a Google group.
              #    For example, `admins@example.com`.
              #
              # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
              #    identifier) representing a user that has been recently deleted. For
              #    example, `alice@example.com?uid=123456789012345678901`. If the user is
              #    recovered, this value reverts to `user:{emailid}` and the recovered user
              #    retains the role in the binding.
              #
              # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
              #    unique identifier) representing a service account that has been recently
              #    deleted. For example,
              #    `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
              #    If the service account is undeleted, this value reverts to
              #    `serviceAccount:{emailid}` and the undeleted service account retains the
              #    role in the binding.
              #
              # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
              #    identifier) representing a Google group that has been recently
              #    deleted. For example, `admins@example.com?uid=123456789012345678901`. If
              #    the group is recovered, this value reverts to `group:{emailid}` and the
              #    recovered group retains the role in the binding.
              #
              # * `domain:{domain}`: The G Suite domain (primary) that represents all the
              #    users of that domain. For example, `google.com` or `example.com`.
              #
            &quot;A String&quot;,
          ],
          &quot;role&quot;: &quot;A String&quot;, # Role that is assigned to `members`.
              # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
        },
      ],
    }</pre>
</div>

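<p>Added example, not part of the generated reference or the client library: helpers that apply the <code>getIamPolicy</code> rules above when reviewing and updating a CryptoKey policy. Assumptions: <code>crypto_keys</code> is the object returned by <code>cryptoKeys()</code>, <code>setIamPolicy</code> takes <code>body={"policy": ...}</code>, and the helper names and <code>sample_policy()</code> values are constructed for illustration.</p>

```python
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def sample_policy():
    """Constructed sample in the shape getIamPolicy returns (camelCase keys)."""
    return {
        "version": 3,
        "etag": "BwWWja0YfJA=",
        "bindings": [
            {"role": "roles/viewer",
             "members": ["user:mike@example.com", "allAuthenticatedUsers",
                         "deleted:user:alice@example.com?uid=123456789012345678901"]},
            {"role": "roles/editor",
             "members": ["user:eve@example.com"],
             "condition": {
                 "title": "expirable access",
                 "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')"}},
        ],
        "auditConfigs": [
            {"service": "allServices",
             "auditLogConfigs": [
                 {"logType": "DATA_READ", "exemptedMembers": ["user:jose@example.com"]},
                 {"logType": "DATA_WRITE"},
                 {"logType": "ADMIN_READ"}]},
            {"service": "sampleservice.googleapis.com",
             "auditLogConfigs": [
                 {"logType": "DATA_READ"},
                 {"logType": "DATA_WRITE", "exemptedMembers": ["user:aliya@example.com"]}]},
        ],
    }


def uses_conditions(policy):
    """True if any binding carries a `condition` (policy must then be version 3)."""
    return any("condition" in b for b in policy.get("bindings", []))


def find_risky_members(policy):
    """Return (role, member) pairs that are public or refer to deleted principals."""
    hits = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS or member.startswith("deleted:"):
                hits.append((binding["role"], member))
    return hits


def effective_audit_exemptions(policy, service):
    """Union the `allServices` and service-specific AuditConfigs.

    Returns {logType: sorted exempted members} for each log type enabled
    for `service`, i.e. who can act without producing that log type.
    """
    enabled = {}
    for config in policy.get("auditConfigs", []):
        if config.get("service") not in ("allServices", service):
            continue
        for log_config in config.get("auditLogConfigs", []):
            exempt = enabled.setdefault(log_config["logType"], set())
            exempt.update(log_config.get("exemptedMembers", []))
    return {log_type: sorted(members) for log_type, members in enabled.items()}


def grant_role(crypto_keys, resource, role, member, condition=None):
    """Read-modify-write a policy without dropping conditional bindings."""
    # Always read at version 3 so conditional bindings are returned intact.
    policy = crypto_keys.getIamPolicy(
        resource=resource, options_requestedPolicyVersion=3
    ).execute()

    bindings = policy.setdefault("bindings", [])
    for binding in bindings:
        if binding["role"] == role and binding.get("condition") == condition:
            if member not in binding.setdefault("members", []):
                binding["members"].append(member)
            break
    else:
        new_binding = {"role": role, "members": [member]}
        if condition is not None:
            new_binding["condition"] = condition
        bindings.append(new_binding)

    if uses_conditions(policy):
        policy["version"] = 3
        # Without the etag, a write could replace a version 3 policy blindly.
        if not policy.get("etag"):
            raise ValueError("refusing to write a conditional policy without an etag")
    # The etag read above travels back unchanged, so a concurrent update is
    # rejected by the service rather than silently overwritten.
    return crypto_keys.setIamPolicy(
        resource=resource, body={"policy": policy}
    ).execute()
```
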
<div class="method">
    <code class="details" id="list">list(parent, orderBy=None, versionView=None, filter=None, pageToken=None, pageSize=None, x__xgafv=None)</code>
  <pre>Lists CryptoKeys.

Args:
  parent: string, Required. The resource name of the KeyRing to list, in the format
`projects/*/locations/*/keyRings/*`. (required)
  orderBy: string, Optional. Specify how the results should be sorted. If not specified, the
results will be sorted in the default order. For more information, see
[Sorting and filtering list
results](https://cloud.google.com/kms/docs/sorting-and-filtering).
  versionView: string, The fields of the primary version to include in the response.
  filter: string, Optional. Only include resources that match the filter in the response. For
more information, see
[Sorting and filtering list
results](https://cloud.google.com/kms/docs/sorting-and-filtering).
  pageToken: string, Optional. Pagination token, returned earlier via
ListCryptoKeysResponse.next_page_token.
  pageSize: integer, Optional. Limit on the number of CryptoKeys to include in the
response. Further CryptoKeys can subsequently be obtained by
including the ListCryptoKeysResponse.next_page_token in a subsequent
request. If unspecified, the server will pick an appropriate default.
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Response message for KeyManagementService.ListCryptoKeys.
      &quot;nextPageToken&quot;: &quot;A String&quot;, # A token to retrieve next page of results. Pass this value in
          # ListCryptoKeysRequest.page_token to retrieve the next page of results.
      &quot;cryptoKeys&quot;: [ # The list of CryptoKeys.
        { # A CryptoKey represents a logical key that can be used for cryptographic
            # operations.
            #
            # A CryptoKey is made up of zero or more versions,
            # which represent the actual key material used in cryptographic operations.
          &quot;nextRotationTime&quot;: &quot;A String&quot;, # At next_rotation_time, the Key Management Service will automatically:
              #
              # 1. Create a new version of this CryptoKey.
              # 2. Mark the new version as primary.
              #
              # Key rotations performed manually via
              # CreateCryptoKeyVersion and
              # UpdateCryptoKeyPrimaryVersion
              # do not affect next_rotation_time.
              #
              # Keys with purpose
              # ENCRYPT_DECRYPT support
              # automatic rotation. For other keys, this field must be omitted.
          &quot;labels&quot;: { # Labels with user-defined metadata. For more information, see
              # [Labeling Keys](/kms/docs/labeling-keys).
            &quot;a_key&quot;: &quot;A String&quot;,
          },
          &quot;createTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKey was created.
          &quot;rotationPeriod&quot;: &quot;A String&quot;, # next_rotation_time will be advanced by this period when the service
              # automatically rotates a key. Must be at least 24 hours and at most
              # 876,000 hours.
              #
              # If rotation_period is set, next_rotation_time must also be set.
              #
              # Keys with purpose
              # ENCRYPT_DECRYPT support
              # automatic rotation. For other keys, this field must be omitted.
          &quot;primary&quot;: { # Output only. A copy of the &quot;primary&quot; CryptoKeyVersion that will be used
              # by Encrypt when this CryptoKey is given
              # in EncryptRequest.name.
              #
              # The CryptoKey&#x27;s primary version can be updated via
              # UpdateCryptoKeyPrimaryVersion.
              #
              # Keys with purpose
              # ENCRYPT_DECRYPT may have a
              # primary. For other keys, this field will be omitted.
              #
              # A CryptoKeyVersion represents an individual cryptographic key, and the
              # associated key material.
              #
              # An ENABLED version can be
              # used for cryptographic operations.
              #
              # For security reasons, the raw cryptographic key material represented by a
              # CryptoKeyVersion can never be viewed or exported. It can only be used to
              # encrypt, decrypt, or sign data when an authorized user or application invokes
              # Cloud KMS.
            &quot;createTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKeyVersion was created.
            &quot;algorithm&quot;: &quot;A String&quot;, # Output only. The CryptoKeyVersionAlgorithm that this
                # CryptoKeyVersion supports.
            &quot;importJob&quot;: &quot;A String&quot;, # Output only. The name of the ImportJob used to import this
                # CryptoKeyVersion. Only present if the underlying key material was
                # imported.
            &quot;externalProtectionLevelOptions&quot;: { # ExternalProtectionLevelOptions stores a group of additional fields for
                # configuring a CryptoKeyVersion that are specific to the
                # EXTERNAL protection level.
              &quot;externalKeyUri&quot;: &quot;A String&quot;, # The URI for an external resource that this CryptoKeyVersion represents.
            },
            &quot;destroyEventTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material was
                # destroyed. Only present if state is
                # DESTROYED.
            &quot;importTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKeyVersion&#x27;s key material
                # was imported.
            &quot;destroyTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material is scheduled
                # for destruction. Only present if state is
                # DESTROY_SCHEDULED.
            &quot;importFailureReason&quot;: &quot;A String&quot;, # Output only. The root cause of an import failure. Only present if
                # state is
                # IMPORT_FAILED.
            &quot;state&quot;: &quot;A String&quot;, # The current state of the CryptoKeyVersion.
            &quot;name&quot;: &quot;A String&quot;, # Output only. The resource name for this CryptoKeyVersion in the format
                # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
            &quot;attestation&quot;: { # Output only. Statement that was generated and signed by the HSM at key
                # creation time. Use this statement to verify attributes of the key as stored
                # on the HSM, independently of Google. Only provided for key versions with
                # protection_level HSM.
                #
                # Contains an HSM-generated attestation about a key operation. For more
                # information, see [Verifying attestations]
                # (https://cloud.google.com/kms/docs/attest-key).
              &quot;format&quot;: &quot;A String&quot;, # Output only. The format of the attestation data.
              &quot;content&quot;: &quot;A String&quot;, # Output only. The attestation data provided by the HSM when the key
                  # operation was performed.
            },
            &quot;generateTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material was
                # generated.
            &quot;protectionLevel&quot;: &quot;A String&quot;, # Output only. The ProtectionLevel describing how crypto operations are
                # performed with this CryptoKeyVersion.
          },
          &quot;name&quot;: &quot;A String&quot;, # Output only. The resource name for this CryptoKey in the format
              # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
          &quot;versionTemplate&quot;: { # A template describing settings for new CryptoKeyVersion instances.
              # The properties of new CryptoKeyVersion instances created by either
              # CreateCryptoKeyVersion or
              # auto-rotation are controlled by this template.
              #
              # A CryptoKeyVersionTemplate specifies the properties to use when creating
              # a new CryptoKeyVersion, either manually with
              # CreateCryptoKeyVersion or
              # automatically as a result of auto-rotation.
            &quot;algorithm&quot;: &quot;A String&quot;, # Required. Algorithm to use
                # when creating a CryptoKeyVersion based on this template.
                #
                # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
                # this field is omitted and CryptoKey.purpose is
                # ENCRYPT_DECRYPT.
            &quot;protectionLevel&quot;: &quot;A String&quot;, # ProtectionLevel to use when creating a CryptoKeyVersion based on
                # this template. Immutable. Defaults to SOFTWARE.
          },
          &quot;purpose&quot;: &quot;A String&quot;, # Immutable. The immutable purpose of this CryptoKey.
        },
      ],
      &quot;totalSize&quot;: 42, # The total number of CryptoKeys that matched the query.
    }</pre>
</div>

<div class="method">
    <code class="details" id="list_next">list_next(previous_request, previous_response)</code>
  <pre>Retrieves the next page of results.

Args:
  previous_request: The request for the previous page. (required)
  previous_response: The response from the request for the previous page. (required)

Returns:
  A request object that you can call &#x27;execute()&#x27; on to request the next
  page. Returns None if there are no more items in the collection.
    </pre>
</div>

<div class="method">
    <code class="details" id="patch">patch(name, body=None, updateMask=None, x__xgafv=None)</code>
  <pre>Update a CryptoKey.

Args:
  name: string, Output only. The resource name for this CryptoKey in the format
`projects/*/locations/*/keyRings/*/cryptoKeys/*`. (required)
  body: object, The request body.
    The object takes the form of:

1086{ # A CryptoKey represents a logical key that can be used for cryptographic
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -07001087 # operations.
1088 #
1089 # A CryptoKey is made up of zero or more versions,
1090 # which represent the actual key material used in cryptographic operations.
1091 &quot;nextRotationTime&quot;: &quot;A String&quot;, # At next_rotation_time, the Key Management Service will automatically:
Bu Sun Kim65020912020-05-20 12:08:20 -07001092 #
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -07001093 # 1. Create a new version of this CryptoKey.
1094 # 2. Mark the new version as primary.
1095 #
1096 # Key rotations performed manually via
1097 # CreateCryptoKeyVersion and
1098 # UpdateCryptoKeyPrimaryVersion
1099 # do not affect next_rotation_time.
1100 #
1101 # Keys with purpose
1102 # ENCRYPT_DECRYPT support
1103 # automatic rotation. For other keys, this field must be omitted.
1104 &quot;labels&quot;: { # Labels with user-defined metadata. For more information, see
1105 # [Labeling Keys](/kms/docs/labeling-keys).
1106 &quot;a_key&quot;: &quot;A String&quot;,
1107 },
1108 &quot;createTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKey was created.
1109 &quot;rotationPeriod&quot;: &quot;A String&quot;, # next_rotation_time will be advanced by this period when the service
1110 # automatically rotates a key. Must be at least 24 hours and at most
1111 # 876,000 hours.
1112 #
1113 # If rotation_period is set, next_rotation_time must also be set.
1114 #
1115 # Keys with purpose
1116 # ENCRYPT_DECRYPT support
1117 # automatic rotation. For other keys, this field must be omitted.
1118 &quot;primary&quot;: { # A CryptoKeyVersion represents an individual cryptographic key, and the # Output only. A copy of the &quot;primary&quot; CryptoKeyVersion that will be used
1119 # by Encrypt when this CryptoKey is given
1120 # in EncryptRequest.name.
1121 #
1122 # The CryptoKey&#x27;s primary version can be updated via
1123 # UpdateCryptoKeyPrimaryVersion.
1124 #
1125 # Keys with purpose
1126 # ENCRYPT_DECRYPT may have a
1127 # primary. For other keys, this field will be omitted.
1128 # associated key material.
1129 #
      # An ENABLED version can be
      # used for cryptographic operations.
      #
      # For security reasons, the raw cryptographic key material represented by a
      # CryptoKeyVersion can never be viewed or exported. It can only be used to
      # encrypt, decrypt, or sign data when an authorized user or application invokes
      # Cloud KMS.
    &quot;createTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKeyVersion was created.
    &quot;algorithm&quot;: &quot;A String&quot;, # Output only. The CryptoKeyVersionAlgorithm that this
        # CryptoKeyVersion supports.
    &quot;importJob&quot;: &quot;A String&quot;, # Output only. The name of the ImportJob used to import this
        # CryptoKeyVersion. Only present if the underlying key material was
        # imported.
    &quot;externalProtectionLevelOptions&quot;: { # ExternalProtectionLevelOptions stores a group of additional fields for
        # configuring a CryptoKeyVersion that are specific to the
        # EXTERNAL protection level.
      &quot;externalKeyUri&quot;: &quot;A String&quot;, # The URI for an external resource that this CryptoKeyVersion represents.
    },
    &quot;destroyEventTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material was
        # destroyed. Only present if state is
        # DESTROYED.
    &quot;importTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKeyVersion&#x27;s key material
        # was imported.
    &quot;destroyTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material is scheduled
        # for destruction. Only present if state is
        # DESTROY_SCHEDULED.
    &quot;importFailureReason&quot;: &quot;A String&quot;, # Output only. The root cause of an import failure. Only present if
        # state is
        # IMPORT_FAILED.
    &quot;state&quot;: &quot;A String&quot;, # The current state of the CryptoKeyVersion.
    &quot;name&quot;: &quot;A String&quot;, # Output only. The resource name for this CryptoKeyVersion in the format
        # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
    &quot;attestation&quot;: { # Output only. Statement that was generated and signed by the HSM at key
        # creation time. Use this statement to verify attributes of the key as stored
        # on the HSM, independently of Google. Only provided for key versions with
        # protection_level HSM.
        #
        # Contains an HSM-generated attestation about a key operation. For more
        # information, see [Verifying attestations](https://cloud.google.com/kms/docs/attest-key).
      &quot;format&quot;: &quot;A String&quot;, # Output only. The format of the attestation data.
      &quot;content&quot;: &quot;A String&quot;, # Output only. The attestation data provided by the HSM when the key
          # operation was performed.
    },
    &quot;generateTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material was
        # generated.
    &quot;protectionLevel&quot;: &quot;A String&quot;, # Output only. The ProtectionLevel describing how crypto operations are
        # performed with this CryptoKeyVersion.
  },
  &quot;name&quot;: &quot;A String&quot;, # Output only. The resource name for this CryptoKey in the format
      # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
  &quot;versionTemplate&quot;: { # A template describing settings for new CryptoKeyVersion instances.
      # The properties of new CryptoKeyVersion instances created by either
      # CreateCryptoKeyVersion or
      # auto-rotation are controlled by this template.
      #
      # A CryptoKeyVersionTemplate specifies the properties to use when creating
      # a new CryptoKeyVersion, either manually with
      # CreateCryptoKeyVersion or
      # automatically as a result of auto-rotation.
    &quot;algorithm&quot;: &quot;A String&quot;, # Required. Algorithm to use
        # when creating a CryptoKeyVersion based on this template.
        #
        # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
        # this field is omitted and CryptoKey.purpose is
        # ENCRYPT_DECRYPT.
    &quot;protectionLevel&quot;: &quot;A String&quot;, # ProtectionLevel to use when creating a CryptoKeyVersion based on
        # this template. Immutable. Defaults to SOFTWARE.
  },
  &quot;purpose&quot;: &quot;A String&quot;, # Immutable. The immutable purpose of this CryptoKey.
}

  updateMask: string, Required. List of fields to be updated in this request.
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A CryptoKey represents a logical key that can be used for cryptographic
        # operations.
        #
        # A CryptoKey is made up of zero or more versions,
        # which represent the actual key material used in cryptographic operations.
      &quot;nextRotationTime&quot;: &quot;A String&quot;, # At next_rotation_time, the Key Management Service will automatically:
          #
          # 1. Create a new version of this CryptoKey.
          # 2. Mark the new version as primary.
          #
          # Key rotations performed manually via
          # CreateCryptoKeyVersion and
          # UpdateCryptoKeyPrimaryVersion
          # do not affect next_rotation_time.
          #
          # Keys with purpose
          # ENCRYPT_DECRYPT support
          # automatic rotation. For other keys, this field must be omitted.
      &quot;labels&quot;: { # Labels with user-defined metadata. For more information, see
          # [Labeling Keys](/kms/docs/labeling-keys).
        &quot;a_key&quot;: &quot;A String&quot;,
      },
      &quot;createTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKey was created.
      &quot;rotationPeriod&quot;: &quot;A String&quot;, # next_rotation_time will be advanced by this period when the service
          # automatically rotates a key. Must be at least 24 hours and at most
          # 876,000 hours.
          #
          # If rotation_period is set, next_rotation_time must also be set.
          #
          # Keys with purpose
          # ENCRYPT_DECRYPT support
          # automatic rotation. For other keys, this field must be omitted.
      &quot;primary&quot;: { # Output only. A copy of the &quot;primary&quot; CryptoKeyVersion that will be used
          # by Encrypt when this CryptoKey is given
          # in EncryptRequest.name.
          #
          # The CryptoKey&#x27;s primary version can be updated via
          # UpdateCryptoKeyPrimaryVersion.
          #
          # Keys with purpose
          # ENCRYPT_DECRYPT may have a
          # primary. For other keys, this field will be omitted.
          #
          # A CryptoKeyVersion represents an individual cryptographic key, and the
          # associated key material.
          #
          # An ENABLED version can be
          # used for cryptographic operations.
          #
          # For security reasons, the raw cryptographic key material represented by a
          # CryptoKeyVersion can never be viewed or exported. It can only be used to
          # encrypt, decrypt, or sign data when an authorized user or application invokes
          # Cloud KMS.
        &quot;createTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKeyVersion was created.
        &quot;algorithm&quot;: &quot;A String&quot;, # Output only. The CryptoKeyVersionAlgorithm that this
            # CryptoKeyVersion supports.
        &quot;importJob&quot;: &quot;A String&quot;, # Output only. The name of the ImportJob used to import this
            # CryptoKeyVersion. Only present if the underlying key material was
            # imported.
        &quot;externalProtectionLevelOptions&quot;: { # ExternalProtectionLevelOptions stores a group of additional fields for
            # configuring a CryptoKeyVersion that are specific to the
            # EXTERNAL protection level.
          &quot;externalKeyUri&quot;: &quot;A String&quot;, # The URI for an external resource that this CryptoKeyVersion represents.
        },
        &quot;destroyEventTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material was
            # destroyed. Only present if state is
            # DESTROYED.
        &quot;importTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKeyVersion&#x27;s key material
            # was imported.
        &quot;destroyTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material is scheduled
            # for destruction. Only present if state is
            # DESTROY_SCHEDULED.
        &quot;importFailureReason&quot;: &quot;A String&quot;, # Output only. The root cause of an import failure. Only present if
            # state is
            # IMPORT_FAILED.
        &quot;state&quot;: &quot;A String&quot;, # The current state of the CryptoKeyVersion.
        &quot;name&quot;: &quot;A String&quot;, # Output only. The resource name for this CryptoKeyVersion in the format
            # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
        &quot;attestation&quot;: { # Output only. Statement that was generated and signed by the HSM at key
            # creation time. Use this statement to verify attributes of the key as stored
            # on the HSM, independently of Google. Only provided for key versions with
            # protection_level HSM.
            #
            # Contains an HSM-generated attestation about a key operation. For more
            # information, see [Verifying attestations](https://cloud.google.com/kms/docs/attest-key).
          &quot;format&quot;: &quot;A String&quot;, # Output only. The format of the attestation data.
          &quot;content&quot;: &quot;A String&quot;, # Output only. The attestation data provided by the HSM when the key
              # operation was performed.
        },
        &quot;generateTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material was
            # generated.
        &quot;protectionLevel&quot;: &quot;A String&quot;, # Output only. The ProtectionLevel describing how crypto operations are
            # performed with this CryptoKeyVersion.
      },
      &quot;name&quot;: &quot;A String&quot;, # Output only. The resource name for this CryptoKey in the format
          # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
      &quot;versionTemplate&quot;: { # A template describing settings for new CryptoKeyVersion instances.
          # The properties of new CryptoKeyVersion instances created by either
          # CreateCryptoKeyVersion or
          # auto-rotation are controlled by this template.
          #
          # A CryptoKeyVersionTemplate specifies the properties to use when creating
          # a new CryptoKeyVersion, either manually with
          # CreateCryptoKeyVersion or
          # automatically as a result of auto-rotation.
        &quot;algorithm&quot;: &quot;A String&quot;, # Required. Algorithm to use
            # when creating a CryptoKeyVersion based on this template.
            #
            # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
            # this field is omitted and CryptoKey.purpose is
            # ENCRYPT_DECRYPT.
        &quot;protectionLevel&quot;: &quot;A String&quot;, # ProtectionLevel to use when creating a CryptoKeyVersion based on
            # this template. Immutable. Defaults to SOFTWARE.
      },
      &quot;purpose&quot;: &quot;A String&quot;, # Immutable. The immutable purpose of this CryptoKey.
    }</pre>
</div>

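<p>Added example, not part of the generated reference: the read-modify-write cycle that the <code>etag</code> and <code>version</code> fields of <code>setIamPolicy</code> (documented next) call for, with a pre-flight check for the cases in which conditions would be lost. <code>FakeCryptoKeys</code>, <code>EtagConflict</code>, the etag strings and the resource name are constructed stand-ins so the code runs offline; <code>options_requestedPolicyVersion</code> is the client's <code>getIamPolicy</code> parameter and is assumed here rather than taken from this section.</p>

```python
import copy

VALID_VERSIONS = (0, 1, 3)  # the values the `version` field accepts


class EtagConflict(Exception):
    """Constructed stand-in for the error a write with a stale etag produces."""


def preflight(policy):
    """List the problems that the etag/version rules would cause for this policy."""
    problems = []
    bindings = policy.get("bindings", [])
    conditional = any("condition" in b for b in bindings)
    version = policy.get("version", 0)
    if version not in VALID_VERSIONS:
        problems.append("version %r is not one of 0, 1, 3" % version)
    if conditional and version != 3:
        problems.append("conditional bindings require version 3")
    if conditional and not policy.get("etag"):
        problems.append("etag missing: conditions could be overwritten")
    for b in bindings:
        if not b.get("members"):
            problems.append("binding %r has no members" % b.get("role"))
    return problems


def add_binding(crypto_keys, resource, binding,
                conflict_errors=(EtagConflict,), attempts=5):
    """Read-modify-write: re-read and retry whenever the etag has gone stale."""
    for _ in range(attempts):
        policy = crypto_keys.getIamPolicy(
            resource=resource, options_requestedPolicyVersion=3).execute()
        policy["version"] = 3  # keeps conditions already present in the policy
        policy.setdefault("bindings", []).append(copy.deepcopy(binding))
        problems = preflight(policy)
        if problems:
            raise ValueError("; ".join(problems))
        try:  # the etag returned by the read travels back with the write
            return crypto_keys.setIamPolicy(
                resource=resource, body={"policy": policy}).execute()
        except conflict_errors:
            continue  # someone else changed the policy: start over
    raise RuntimeError("policy kept changing; gave up")


class _Call:
    """Mimics the client's request objects, which run on .execute()."""

    def __init__(self, fn):
        self.execute = fn


class FakeCryptoKeys:
    """Constructed in-memory stand-in for the cryptoKeys() resource."""

    def __init__(self, policy, racing_binding=None):
        self._policy, self._rev = copy.deepcopy(policy), 1
        self._racing = racing_binding  # written once by "another admin"

    def getIamPolicy(self, resource, options_requestedPolicyVersion=None):
        def read():
            snapshot = copy.deepcopy(self._policy)
            if self._racing:  # the other write lands right after our read
                self._policy["bindings"].append(self._racing)
                self._racing = None
                self._bump()
            return snapshot
        return _Call(read)

    def setIamPolicy(self, resource, body):
        def write():
            if body["policy"].get("etag") != self._policy["etag"]:
                raise EtagConflict()
            self._policy = copy.deepcopy(body["policy"])
            self._bump()
            return copy.deepcopy(self._policy)
        return _Call(write)

    def _bump(self):
        self._rev += 1
        self._policy["etag"] = "constructed-etag-%d" % self._rev


def demo():
    """Add a binding while a concurrent writer changes the same policy."""
    start = {"version": 3, "etag": "constructed-etag-1", "bindings": [{
        "role": "roles/resourcemanager.organizationViewer",
        "members": ["user:eve@example.com"],
        "condition": {"title": "expirable access", "expression":
                      "request.time < timestamp('2020-10-01T00:00:00.000Z')"}}]}
    racing = {"role": "roles/viewer", "members": ["group:admins@example.com"]}
    keys = FakeCryptoKeys(start, racing_binding=racing)
    mine = {"role": "roles/viewer", "members": ["user:mike@example.com"]}
    resource = "projects/p/locations/l/keyRings/r/cryptoKeys/k"  # placeholder
    return add_binding(keys, resource, mine)
```

<p>With the real client, pass the exception type it raises for a rejected write as <code>conflict_errors</code>; the first attempt in <code>demo()</code> is rejected because its etag is stale, and the retry keeps both the concurrent binding and the existing condition.</p>
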
<div class="method">
    <code class="details" id="setIamPolicy">setIamPolicy(resource, body=None, x__xgafv=None)</code>
  <pre>Sets the access control policy on the specified resource. Replaces any
existing policy.

Can return `NOT_FOUND`, `INVALID_ARGUMENT`, and `PERMISSION_DENIED` errors.

Args:
  resource: string, REQUIRED: The resource for which the policy is being specified.
See the operation documentation for the appropriate value for this field. (required)
  body: object, The request body.
    The object takes the form of:

{ # Request message for `SetIamPolicy` method.
  &quot;policy&quot;: { # REQUIRED: The complete policy to be applied to the `resource`. The size of
      # the policy is limited to a few 10s of KB. An empty policy is a
      # valid policy but certain Cloud Platform services (such as Projects)
      # might reject them.
      #
      # An Identity and Access Management (IAM) policy, which specifies access
      # controls for Google Cloud resources.
      #
      # A `Policy` is a collection of `bindings`. A `binding` binds one or more
      # `members` to a single `role`. Members can be user accounts, service accounts,
      # Google groups, and domains (such as G Suite). A `role` is a named list of
      # permissions; each `role` can be an IAM predefined role or a user-created
      # custom role.
      #
      # For some types of Google Cloud resources, a `binding` can also specify a
      # `condition`, which is a logical expression that allows access to a resource
      # only if the expression evaluates to `true`. A condition can add constraints
      # based on attributes of the request, the resource, or both. To learn which
      # resources support conditions in their IAM policies, see the
      # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
      #
      # **JSON example:**
      #
      #     {
      #       &quot;bindings&quot;: [
      #         {
      #           &quot;role&quot;: &quot;roles/resourcemanager.organizationAdmin&quot;,
      #           &quot;members&quot;: [
      #             &quot;user:mike@example.com&quot;,
      #             &quot;group:admins@example.com&quot;,
      #             &quot;domain:google.com&quot;,
      #             &quot;serviceAccount:my-project-id@appspot.gserviceaccount.com&quot;
      #           ]
      #         },
      #         {
      #           &quot;role&quot;: &quot;roles/resourcemanager.organizationViewer&quot;,
      #           &quot;members&quot;: [
      #             &quot;user:eve@example.com&quot;
      #           ],
      #           &quot;condition&quot;: {
      #             &quot;title&quot;: &quot;expirable access&quot;,
      #             &quot;description&quot;: &quot;Does not grant access after Sep 2020&quot;,
      #             &quot;expression&quot;: &quot;request.time &lt; timestamp(&#x27;2020-10-01T00:00:00.000Z&#x27;)&quot;
      #           }
      #         }
      #       ],
      #       &quot;etag&quot;: &quot;BwWWja0YfJA=&quot;,
      #       &quot;version&quot;: 3
      #     }
      #
      # **YAML example:**
      #
      #     bindings:
      #     - members:
      #       - user:mike@example.com
      #       - group:admins@example.com
      #       - domain:google.com
      #       - serviceAccount:my-project-id@appspot.gserviceaccount.com
      #       role: roles/resourcemanager.organizationAdmin
      #     - members:
      #       - user:eve@example.com
      #       role: roles/resourcemanager.organizationViewer
      #       condition:
      #         title: expirable access
      #         description: Does not grant access after Sep 2020
      #         expression: request.time &lt; timestamp(&#x27;2020-10-01T00:00:00.000Z&#x27;)
      #     etag: BwWWja0YfJA=
      #     version: 3
      #
      # For a description of IAM and its features, see the
      # [IAM documentation](https://cloud.google.com/iam/docs/).
    &quot;etag&quot;: &quot;A String&quot;, # `etag` is used for optimistic concurrency control as a way to help
        # prevent simultaneous updates of a policy from overwriting each other.
        # It is strongly suggested that systems make use of the `etag` in the
        # read-modify-write cycle to perform policy updates in order to avoid race
        # conditions: An `etag` is returned in the response to `getIamPolicy`, and
        # systems are expected to put that etag in the request to `setIamPolicy` to
        # ensure that their change will be applied to the same version of the policy.
        #
        # **Important:** If you use IAM Conditions, you must include the `etag` field
        # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
        # you to overwrite a version `3` policy with a version `1` policy, and all of
        # the conditions in the version `3` policy are lost.
    &quot;version&quot;: 42, # Specifies the format of the policy.
        #
        # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
        # are rejected.
        #
        # Any operation that affects conditional role bindings must specify version
        # `3`. This requirement applies to the following operations:
        #
        # * Getting a policy that includes a conditional role binding
        # * Adding a conditional role binding to a policy
        # * Changing a conditional role binding in a policy
        # * Removing any role binding, with or without a condition, from a policy
        #   that includes conditions
        #
        # **Important:** If you use IAM Conditions, you must include the `etag` field
        # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
        # you to overwrite a version `3` policy with a version `1` policy, and all of
        # the conditions in the version `3` policy are lost.
        #
        # If a policy does not include any conditions, operations on that policy may
        # specify any valid version or leave the field unset.
        #
        # To learn which resources support conditions in their IAM policies, see the
        # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
    &quot;auditConfigs&quot;: [ # Specifies cloud audit logging configuration for this policy.
      { # Specifies the audit configuration for a service.
          # The configuration determines which permission types are logged, and what
          # identities, if any, are exempted from logging.
          # An AuditConfig must have one or more AuditLogConfigs.
          #
          # If there are AuditConfigs for both `allServices` and a specific service,
          # the union of the two AuditConfigs is used for that service: the log_types
          # specified in each AuditConfig are enabled, and the exempted_members in each
          # AuditLogConfig are exempted.
          #
          # Example Policy with multiple AuditConfigs:
          #
          #     {
          #       &quot;audit_configs&quot;: [
          #         {
          #           &quot;service&quot;: &quot;allServices&quot;,
          #           &quot;audit_log_configs&quot;: [
          #             {
          #               &quot;log_type&quot;: &quot;DATA_READ&quot;,
          #               &quot;exempted_members&quot;: [
          #                 &quot;user:jose@example.com&quot;
          #               ]
          #             },
          #             {
          #               &quot;log_type&quot;: &quot;DATA_WRITE&quot;
          #             },
          #             {
          #               &quot;log_type&quot;: &quot;ADMIN_READ&quot;
          #             }
          #           ]
          #         },
          #         {
          #           &quot;service&quot;: &quot;sampleservice.googleapis.com&quot;,
          #           &quot;audit_log_configs&quot;: [
          #             {
          #               &quot;log_type&quot;: &quot;DATA_READ&quot;
          #             },
          #             {
          #               &quot;log_type&quot;: &quot;DATA_WRITE&quot;,
          #               &quot;exempted_members&quot;: [
          #                 &quot;user:aliya@example.com&quot;
          #               ]
          #             }
          #           ]
          #         }
          #       ]
          #     }
          #
          # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
          # logging. It also exempts jose@example.com from DATA_READ logging, and
          # aliya@example.com from DATA_WRITE logging.
        &quot;auditLogConfigs&quot;: [ # The configuration for logging of each type of permission.
          { # Provides the configuration for logging a type of permissions.
              # Example:
              #
              #     {
              #       &quot;audit_log_configs&quot;: [
              #         {
              #           &quot;log_type&quot;: &quot;DATA_READ&quot;,
              #           &quot;exempted_members&quot;: [
              #             &quot;user:jose@example.com&quot;
              #           ]
              #         },
              #         {
              #           &quot;log_type&quot;: &quot;DATA_WRITE&quot;
              #         }
              #       ]
              #     }
              #
              # This enables &#x27;DATA_READ&#x27; and &#x27;DATA_WRITE&#x27; logging, while exempting
              # jose@example.com from DATA_READ logging.
            &quot;exemptedMembers&quot;: [ # Specifies the identities that do not cause logging for this type of
                # permission.
                # Follows the same format as Binding.members.
              &quot;A String&quot;,
            ],
            &quot;logType&quot;: &quot;A String&quot;, # The log type that this config enables.
          },
        ],
        &quot;service&quot;: &quot;A String&quot;, # Specifies a service that will be enabled for audit logging.
            # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
            # `allServices` is a special value that covers all services.
      },
    ],
    &quot;bindings&quot;: [ # Associates a list of `members` to a `role`. Optionally, may specify a
        # `condition` that determines how and when the `bindings` are applied. Each
        # of the `bindings` must contain at least one member.
      { # Associates `members` with a `role`.
        &quot;condition&quot;: { # The condition that is associated with this binding.
            #
            # If the condition evaluates to `true`, then this binding applies to the
            # current request.
            #
            # If the condition evaluates to `false`, then this binding does not apply to
            # the current request. However, a different role binding might grant the same
            # role to one or more of the members in this binding.
            #
            # To learn which resources support conditions in their IAM policies, see the
            # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
            #
            # Represents a textual expression in the Common Expression Language (CEL)
            # syntax. CEL is a C-like expression language. The syntax and semantics of CEL
            # are documented at https://github.com/google/cel-spec.
            #
            # Example (Comparison):
            #
            #     title: &quot;Summary size limit&quot;
            #     description: &quot;Determines if a summary is less than 100 chars&quot;
            #     expression: &quot;document.summary.size() &lt; 100&quot;
            #
            # Example (Equality):
            #
            #     title: &quot;Requestor is owner&quot;
            #     description: &quot;Determines if requestor is the document owner&quot;
            #     expression: &quot;document.owner == request.auth.claims.email&quot;
            #
            # Example (Logic):
            #
            #     title: &quot;Public documents&quot;
            #     description: &quot;Determine whether the document should be publicly visible&quot;
            #     expression: &quot;document.type != &#x27;private&#x27; &amp;&amp; document.type != &#x27;internal&#x27;&quot;
            #
            # Example (Data Manipulation):
            #
            #     title: &quot;Notification string&quot;
            #     description: &quot;Create a notification string with a timestamp.&quot;
            #     expression: &quot;&#x27;New message received at &#x27; + string(document.create_time)&quot;
            #
            # The exact variables and functions that may be referenced within an expression
            # are determined by the service that evaluates it. See the service
            # documentation for additional information.
          &quot;title&quot;: &quot;A String&quot;, # Optional. Title for the expression, i.e. a short string describing
              # its purpose. This can be used e.g. in UIs that allow entering the
              # expression.
          &quot;location&quot;: &quot;A String&quot;, # Optional. String indicating the location of the expression for error
              # reporting, e.g. a file name and a position in the file.
          &quot;description&quot;: &quot;A String&quot;, # Optional. Description of the expression. This is a longer text which
              # describes the expression, e.g. when it is hovered over in a UI.
          &quot;expression&quot;: &quot;A String&quot;, # Textual representation of an expression in Common Expression Language
              # syntax.
        },
        &quot;members&quot;: [ # Specifies the identities requesting access for a Cloud Platform resource.
            # `members` can have the following values:
            #
            # * `allUsers`: A special identifier that represents anyone who is
            #    on the internet; with or without a Google account.
            #
            # * `allAuthenticatedUsers`: A special identifier that represents anyone
            #    who is authenticated with a Google account or a service account.
            #
            # * `user:{emailid}`: An email address that represents a specific Google
            #    account. For example, `alice@example.com`.
            #
            # * `serviceAccount:{emailid}`: An email address that represents a service
            #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
            #
            # * `group:{emailid}`: An email address that represents a Google group.
            #    For example, `admins@example.com`.
            #
            # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
            #    identifier) representing a user that has been recently deleted. For
            #    example, `alice@example.com?uid=123456789012345678901`. If the user is
            #    recovered, this value reverts to `user:{emailid}` and the recovered user
            #    retains the role in the binding.
            #
            # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
            #    unique identifier) representing a service account that has been recently
            #    deleted. For example,
            #    `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
            #    If the service account is undeleted, this value reverts to
            #    `serviceAccount:{emailid}` and the undeleted service account retains the
            #    role in the binding.
            #
            # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
            #    identifier) representing a Google group that has been recently
            #    deleted. For example, `admins@example.com?uid=123456789012345678901`. If
            #    the group is recovered, this value reverts to `group:{emailid}` and the
            #    recovered group retains the role in the binding.
            #
            # * `domain:{domain}`: The G Suite domain (primary) that represents all the
            #    users of that domain. For example, `google.com` or `example.com`.
            #
          &quot;A String&quot;,
        ],
        &quot;role&quot;: &quot;A String&quot;, # Role that is assigned to `members`.
            # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
      },
    ],
  },
  &quot;updateMask&quot;: &quot;A String&quot;, # OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
      # the fields in the mask will be modified. If no mask is provided, the
      # following default mask is used:
      #
      # `paths: &quot;bindings, etag&quot;`
}

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # An Identity and Access Management (IAM) policy, which specifies access
        # controls for Google Cloud resources.
        #
        # A `Policy` is a collection of `bindings`. A `binding` binds one or more
        # `members` to a single `role`. Members can be user accounts, service accounts,
        # Google groups, and domains (such as G Suite). A `role` is a named list of
        # permissions; each `role` can be an IAM predefined role or a user-created
        # custom role.
        #
        # For some types of Google Cloud resources, a `binding` can also specify a
        # `condition`, which is a logical expression that allows access to a resource
        # only if the expression evaluates to `true`. A condition can add constraints
        # based on attributes of the request, the resource, or both. To learn which
        # resources support conditions in their IAM policies, see the
        # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
        #
        # **JSON example:**
        #
        #     {
        #       &quot;bindings&quot;: [
        #         {
        #           &quot;role&quot;: &quot;roles/resourcemanager.organizationAdmin&quot;,
        #           &quot;members&quot;: [
        #             &quot;user:mike@example.com&quot;,
        #             &quot;group:admins@example.com&quot;,
        #             &quot;domain:google.com&quot;,
        #             &quot;serviceAccount:my-project-id@appspot.gserviceaccount.com&quot;
        #           ]
        #         },
        #         {
        #           &quot;role&quot;: &quot;roles/resourcemanager.organizationViewer&quot;,
        #           &quot;members&quot;: [
        #             &quot;user:eve@example.com&quot;
        #           ],
        #           &quot;condition&quot;: {
        #             &quot;title&quot;: &quot;expirable access&quot;,
        #             &quot;description&quot;: &quot;Does not grant access after Sep 2020&quot;,
        #             &quot;expression&quot;: &quot;request.time &lt; timestamp(&#x27;2020-10-01T00:00:00.000Z&#x27;)&quot;
        #           }
        #         }
        #       ],
        #       &quot;etag&quot;: &quot;BwWWja0YfJA=&quot;,
        #       &quot;version&quot;: 3
        #     }
        #
        # **YAML example:**
        #
        #     bindings:
        #     - members:
        #       - user:mike@example.com
        #       - group:admins@example.com
        #       - domain:google.com
        #       - serviceAccount:my-project-id@appspot.gserviceaccount.com
        #       role: roles/resourcemanager.organizationAdmin
        #     - members:
        #       - user:eve@example.com
        #       role: roles/resourcemanager.organizationViewer
        #       condition:
        #         title: expirable access
        #         description: Does not grant access after Sep 2020
        #         expression: request.time &lt; timestamp(&#x27;2020-10-01T00:00:00.000Z&#x27;)
        #     etag: BwWWja0YfJA=
        #     version: 3
        #
        # For a description of IAM and its features, see the
        # [IAM documentation](https://cloud.google.com/iam/docs/).
      &quot;etag&quot;: &quot;A String&quot;, # `etag` is used for optimistic concurrency control as a way to help
          # prevent simultaneous updates of a policy from overwriting each other.
          # It is strongly suggested that systems make use of the `etag` in the
          # read-modify-write cycle to perform policy updates in order to avoid race
          # conditions: An `etag` is returned in the response to `getIamPolicy`, and
          # systems are expected to put that etag in the request to `setIamPolicy` to
          # ensure that their change will be applied to the same version of the policy.
          #
          # **Important:** If you use IAM Conditions, you must include the `etag` field
          # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
          # you to overwrite a version `3` policy with a version `1` policy, and all of
          # the conditions in the version `3` policy are lost.
      &quot;version&quot;: 42, # Specifies the format of the policy.
          #
          # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
          # are rejected.
          #
          # Any operation that affects conditional role bindings must specify version
          # `3`. This requirement applies to the following operations:
          #
          # * Getting a policy that includes a conditional role binding
          # * Adding a conditional role binding to a policy
          # * Changing a conditional role binding in a policy
          # * Removing any role binding, with or without a condition, from a policy
          #   that includes conditions
          #
          # **Important:** If you use IAM Conditions, you must include the `etag` field
          # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
          # you to overwrite a version `3` policy with a version `1` policy, and all of
          # the conditions in the version `3` policy are lost.
          #
          # If a policy does not include any conditions, operations on that policy may
          # specify any valid version or leave the field unset.
          #
          # To learn which resources support conditions in their IAM policies, see the
1751 # To learn which resources support conditions in their IAM policies, see the
1752 # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
1753 &quot;auditConfigs&quot;: [ # Specifies cloud audit logging configuration for this policy.
1754 { # Specifies the audit configuration for a service.
1755 # The configuration determines which permission types are logged, and what
1756 # identities, if any, are exempted from logging.
1757 # An AuditConfig must have one or more AuditLogConfigs.
1758 #
1759 # If there are AuditConfigs for both `allServices` and a specific service,
1760 # the union of the two AuditConfigs is used for that service: the log_types
1761 # specified in each AuditConfig are enabled, and the exempted_members in each
1762 # AuditLogConfig are exempted.
1763 #
1764 # Example Policy with multiple AuditConfigs:
1765 #
1766 # {
1767 # &quot;audit_configs&quot;: [
1768 # {
1769 # &quot;service&quot;: &quot;allServices&quot;,
1770 # &quot;audit_log_configs&quot;: [
1771 # {
1772 # &quot;log_type&quot;: &quot;DATA_READ&quot;,
1773 # &quot;exempted_members&quot;: [
1774 # &quot;user:jose@example.com&quot;
1775 # ]
1776 # },
1777 # {
1778 # &quot;log_type&quot;: &quot;DATA_WRITE&quot;
1779 # },
1780 # {
1781 # &quot;log_type&quot;: &quot;ADMIN_READ&quot;
1782 # }
1783 # ]
1784 # },
1785 # {
1786 # &quot;service&quot;: &quot;sampleservice.googleapis.com&quot;,
1787 # &quot;audit_log_configs&quot;: [
1788 # {
1789 # &quot;log_type&quot;: &quot;DATA_READ&quot;
1790 # },
1791 # {
1792 # &quot;log_type&quot;: &quot;DATA_WRITE&quot;,
1793 # &quot;exempted_members&quot;: [
1794 # &quot;user:aliya@example.com&quot;
1795 # ]
1796 # }
1797 # ]
1798 # }
1799 # ]
1800 # }
1801 #
1802 # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
1803 # logging. It also exempts jose@example.com from DATA_READ logging, and
1804 # aliya@example.com from DATA_WRITE logging.
1805 &quot;auditLogConfigs&quot;: [ # The configuration for logging of each type of permission.
1806 { # Provides the configuration for logging a type of permissions.
1807 # Example:
1808 #
1809 # {
1810 # &quot;audit_log_configs&quot;: [
1811 # {
1812 # &quot;log_type&quot;: &quot;DATA_READ&quot;,
1813 # &quot;exempted_members&quot;: [
1814 # &quot;user:jose@example.com&quot;
1815 # ]
1816 # },
1817 # {
1818 # &quot;log_type&quot;: &quot;DATA_WRITE&quot;
1819 # }
1820 # ]
1821 # }
1822 #
1823 # This enables &#x27;DATA_READ&#x27; and &#x27;DATA_WRITE&#x27; logging, while exempting
1824 # jose@example.com from DATA_READ logging.
1825 &quot;exemptedMembers&quot;: [ # Specifies the identities that do not cause logging for this type of
1826 # permission.
1827 # Follows the same format of Binding.members.
1828 &quot;A String&quot;,
1829 ],
1830 &quot;logType&quot;: &quot;A String&quot;, # The log type that this config enables.
1831 },
1832 ],
1833 &quot;service&quot;: &quot;A String&quot;, # Specifies a service that will be enabled for audit logging.
1834 # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
1835 # `allServices` is a special value that covers all services.
1836 },
1837 ],
1838 &quot;bindings&quot;: [ # Associates a list of `members` to a `role`. Optionally, may specify a
Dan O'Mearadd494642020-05-01 07:42:23 -07001839 # `condition` that determines how and when the `bindings` are applied. Each
1840 # of the `bindings` must contain at least one member.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001841 { # Associates `members` with a `role`.
Bu Sun Kim65020912020-05-20 12:08:20 -07001842 &quot;condition&quot;: { # The condition that is associated with this binding.
1843 #
1844 # If the condition evaluates to `true`, then this binding applies to the
1845 # current request.
1846 #
1847 # If the condition evaluates to `false`, then this binding does not apply to
1848 # the current request. However, a different role binding might grant the same
1849 # role to one or more of the members in this binding.
1850 #
1851 # To learn which resources support conditions in their IAM policies, see the
1852 # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
1853 #
1854 # Represents a textual expression in the Common Expression Language (CEL)
1855 # syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec.
1856 #
1857 # Example (Comparison):
1858 #
1859 # title: &quot;Summary size limit&quot;
1860 # description: &quot;Determines if a summary is less than 100 chars&quot;
1861 # expression: &quot;document.summary.size() &lt; 100&quot;
1862 #
1863 # Example (Equality):
1864 #
1865 # title: &quot;Requestor is owner&quot;
1866 # description: &quot;Determines if requestor is the document owner&quot;
1867 # expression: &quot;document.owner == request.auth.claims.email&quot;
1868 #
1869 # Example (Logic):
1870 #
1871 # title: &quot;Public documents&quot;
1872 # description: &quot;Determine whether the document should be publicly visible&quot;
1873 # expression: &quot;document.type != &#x27;private&#x27; &amp;&amp; document.type != &#x27;internal&#x27;&quot;
1874 #
1875 # Example (Data Manipulation):
1876 #
1877 # title: &quot;Notification string&quot;
1878 # description: &quot;Create a notification string with a timestamp.&quot;
1879 # expression: &quot;&#x27;New message received at &#x27; + string(document.create_time)&quot;
1880 #
1881 # The exact variables and functions that may be referenced within an expression
1882 # are determined by the service that evaluates it. See the service
1883 # documentation for additional information.
1884 &quot;title&quot;: &quot;A String&quot;, # Optional. Title for the expression, i.e. a short string describing
1885 # its purpose. This can be used e.g. in UIs which allow users to enter the
1886 # expression.
1887 &quot;location&quot;: &quot;A String&quot;, # Optional. String indicating the location of the expression for error
1888 # reporting, e.g. a file name and a position in the file.
1889 &quot;description&quot;: &quot;A String&quot;, # Optional. Description of the expression. This is a longer text which
1890 # describes the expression, e.g. when it is hovered over in a UI.
1891 &quot;expression&quot;: &quot;A String&quot;, # Textual representation of an expression in Common Expression Language
1892 # syntax.
1893 },
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -07001894 &quot;members&quot;: [ # Specifies the identities requesting access for a Cloud Platform resource.
1895 # `members` can have the following values:
1896 #
1897 # * `allUsers`: A special identifier that represents anyone who is
1898 # on the internet; with or without a Google account.
1899 #
1900 # * `allAuthenticatedUsers`: A special identifier that represents anyone
1901 # who is authenticated with a Google account or a service account.
1902 #
1903 # * `user:{emailid}`: An email address that represents a specific Google
1904 # account. For example, `alice@example.com`.
1905 #
1906 #
1907 # * `serviceAccount:{emailid}`: An email address that represents a service
1908 # account. For example, `my-other-app@appspot.gserviceaccount.com`.
1909 #
1910 # * `group:{emailid}`: An email address that represents a Google group.
1911 # For example, `admins@example.com`.
1912 #
1913 # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
1914 # identifier) representing a user that has been recently deleted. For
1915 # example, `alice@example.com?uid=123456789012345678901`. If the user is
1916 # recovered, this value reverts to `user:{emailid}` and the recovered user
1917 # retains the role in the binding.
1918 #
1919 # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
1920 # unique identifier) representing a service account that has been recently
1921 # deleted. For example,
1922 # `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
1923 # If the service account is undeleted, this value reverts to
1924 # `serviceAccount:{emailid}` and the undeleted service account retains the
1925 # role in the binding.
1926 #
1927 # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
1928 # identifier) representing a Google group that has been recently
1929 # deleted. For example, `admins@example.com?uid=123456789012345678901`. If
1930 # the group is recovered, this value reverts to `group:{emailid}` and the
1931 # recovered group retains the role in the binding.
1932 #
1933 #
1934 # * `domain:{domain}`: The G Suite domain (primary) that represents all the
1935 # users of that domain. For example, `google.com` or `example.com`.
1936 #
1937 &quot;A String&quot;,
1938 ],
1939 &quot;role&quot;: &quot;A String&quot;, # Role that is assigned to `members`.
1940 # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001941 },
1942 ],
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001943 }</pre>
1944</div>
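<p>Added example, not part of the generated API reference: the <code>etag</code> read-modify-write cycle described above, run against an in-memory stand-in so that a conflicting writer can be simulated offline. <code>FakeKeyPolicy</code>, <code>EtagMismatch</code>, <code>add_binding</code> and <code>demo</code> are hypothetical names, and the sample policy is constructed from the page's JSON example.</p>

```python
import copy

class EtagMismatch(Exception):
    """Stand-in for the conflict error returned when the submitted etag is stale."""

class FakeKeyPolicy:
    """In-memory stand-in for getIamPolicy / setIamPolicy on one CryptoKey."""
    def __init__(self, policy):
        self._policy = copy.deepcopy(policy)
        self._revision = 0

    def get_iam_policy(self):
        return copy.deepcopy(self._policy)

    def set_iam_policy(self, policy):
        # Mirrors the documented behaviour: a present etag must match the
        # stored one; an absent etag lets the write through unchecked.
        if "etag" in policy and policy["etag"] != self._policy["etag"]:
            raise EtagMismatch("policy changed since it was read")
        self._revision += 1
        self._policy = copy.deepcopy(policy)
        self._policy["etag"] = "rev-%d" % self._revision
        return copy.deepcopy(self._policy)

def add_binding(store, role, member, condition=None, attempts=5):
    """Read-modify-write: send the etag back, stay at version 3 if conditions exist."""
    for _ in range(attempts):
        policy = store.get_iam_policy()
        if not policy.get("etag"):
            raise ValueError("refusing to write a policy without an etag")
        bindings = policy.setdefault("bindings", [])
        if condition is not None or any("condition" in b for b in bindings):
            policy["version"] = 3
        binding = {"role": role, "members": [member]}
        if condition is not None:
            binding["condition"] = condition
        bindings.append(binding)
        try:
            return store.set_iam_policy(policy)
        except EtagMismatch:
            continue  # someone else wrote first: re-read and re-apply
    raise RuntimeError("gave up after %d conflicting writes" % attempts)

# Constructed sample policy, based on the page's JSON example.
SAMPLE = {
    "version": 3, "etag": "BwWWja0YfJA=",
    "bindings": [{
        "role": "roles/resourcemanager.organizationViewer",
        "members": ["user:eve@example.com"],
        "condition": {"title": "expirable access", "expression":
                      "request.time < timestamp('2020-10-01T00:00:00.000Z')"},
    }],
}

def demo():
    """Interleave a second writer between our first read and our write."""
    store = FakeKeyPolicy(SAMPLE)
    real_get, raced = store.get_iam_policy, []
    def racing_get():
        snapshot = real_get()
        if not raced:  # first read only: another admin writes after we read
            raced.append(True)
            other = real_get()
            other["bindings"].append(
                {"role": "roles/viewer", "members": ["group:admins@example.com"]})
            store.set_iam_policy(other)
        return snapshot
    store.get_iam_policy = racing_get
    return add_binding(store, "roles/cloudkms.cryptoKeyEncrypter", "user:mike@example.com")
```

<p>The first write is rejected because its etag is stale; the retry re-reads the policy, so the other writer's binding and the existing condition both survive.</p>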
1945
1946<div class="method">
Dan O'Mearadd494642020-05-01 07:42:23 -07001947 <code class="details" id="testIamPermissions">testIamPermissions(resource, body=None, x__xgafv=None)</code>
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001948 <pre>Returns permissions that a caller has on the specified resource.
1949If the resource does not exist, this will return an empty set of
Bu Sun Kim65020912020-05-20 12:08:20 -07001950permissions, not a `NOT_FOUND` error.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001951
1952Note: This operation is designed to be used for building permission-aware
1953UIs and command-line tools, not for authorization checking. This operation
Bu Sun Kim65020912020-05-20 12:08:20 -07001954may &quot;fail open&quot; without warning.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001955
1956Args:
1957 resource: string, REQUIRED: The resource for which the policy detail is being requested.
1958See the operation documentation for the appropriate value for this field. (required)
Dan O'Mearadd494642020-05-01 07:42:23 -07001959 body: object, The request body.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001960 The object takes the form of:
1961
1962{ # Request message for `TestIamPermissions` method.
Bu Sun Kim65020912020-05-20 12:08:20 -07001963 &quot;permissions&quot;: [ # The set of permissions to check for the `resource`. Permissions with
1964 # wildcards (such as &#x27;*&#x27; or &#x27;storage.*&#x27;) are not allowed. For more
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001965 # information see
1966 # [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).
Bu Sun Kim65020912020-05-20 12:08:20 -07001967 &quot;A String&quot;,
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001968 ],
1969 }
1970
1971 x__xgafv: string, V1 error format.
1972 Allowed values
1973 1 - v1 error format
1974 2 - v2 error format
1975
1976Returns:
1977 An object of the form:
1978
1979 { # Response message for `TestIamPermissions` method.
Bu Sun Kim65020912020-05-20 12:08:20 -07001980 &quot;permissions&quot;: [ # A subset of `TestPermissionsRequest.permissions` that the caller is
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001981 # allowed.
Bu Sun Kim65020912020-05-20 12:08:20 -07001982 &quot;A String&quot;,
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001983 ],
1984 }</pre>
1985</div>
1986
1987<div class="method">
Dan O'Mearadd494642020-05-01 07:42:23 -07001988 <code class="details" id="updatePrimaryVersion">updatePrimaryVersion(name, body=None, x__xgafv=None)</code>
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001989 <pre>Update the version of a CryptoKey that will be used in Encrypt.
1990
1991Returns an error if called on an asymmetric key.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001992
1993Args:
Dan O'Mearadd494642020-05-01 07:42:23 -07001994 name: string, Required. The resource name of the CryptoKey to update. (required)
1995 body: object, The request body.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001996 The object takes the form of:
1997
1998{ # Request message for KeyManagementService.UpdateCryptoKeyPrimaryVersion.
Bu Sun Kim65020912020-05-20 12:08:20 -07001999 &quot;cryptoKeyVersionId&quot;: &quot;A String&quot;, # Required. The id of the child CryptoKeyVersion to use as primary.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04002000 }
2001
2002 x__xgafv: string, V1 error format.
2003 Allowed values
2004 1 - v1 error format
2005 2 - v2 error format
2006
2007Returns:
2008 An object of the form:
2009
2010 { # A CryptoKey represents a logical key that can be used for cryptographic
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -07002011 # operations.
2012 #
2013 # A CryptoKey is made up of zero or more versions,
2014 # which represent the actual key material used in cryptographic operations.
2015 &quot;nextRotationTime&quot;: &quot;A String&quot;, # At next_rotation_time, the Key Management Service will automatically:
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04002016 #
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -07002017 # 1. Create a new version of this CryptoKey.
2018 # 2. Mark the new version as primary.
2019 #
2020 # Key rotations performed manually via
2021 # CreateCryptoKeyVersion and
2022 # UpdateCryptoKeyPrimaryVersion
2023 # do not affect next_rotation_time.
2024 #
2025 # Keys with purpose
2026 # ENCRYPT_DECRYPT support
2027 # automatic rotation. For other keys, this field must be omitted.
2028 &quot;labels&quot;: { # Labels with user-defined metadata. For more information, see
2029 # [Labeling Keys](/kms/docs/labeling-keys).
2030 &quot;a_key&quot;: &quot;A String&quot;,
2031 },
2032 &quot;createTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKey was created.
2033 &quot;rotationPeriod&quot;: &quot;A String&quot;, # next_rotation_time will be advanced by this period when the service
2034 # automatically rotates a key. Must be at least 24 hours and at most
2035 # 876,000 hours.
2036 #
2037 # If rotation_period is set, next_rotation_time must also be set.
2038 #
2039 # Keys with purpose
2040 # ENCRYPT_DECRYPT support
2041 # automatic rotation. For other keys, this field must be omitted.
2042 &quot;primary&quot;: { # Output only. A copy of the &quot;primary&quot; CryptoKeyVersion that will be used
2043 # by Encrypt when this CryptoKey is given
2044 # in EncryptRequest.name.
2045 #
2046 # The CryptoKey&#x27;s primary version can be updated via
2047 # UpdateCryptoKeyPrimaryVersion.
2048 #
2049 # Keys with purpose ENCRYPT_DECRYPT may have a
2050 # primary. For other keys, this field will be omitted.
2051 #
2052 # A CryptoKeyVersion represents an individual cryptographic key, and the associated key material.
2053 #
2054 # An ENABLED version can be
2055 # used for cryptographic operations.
2056 #
2057 # For security reasons, the raw cryptographic key material represented by a
2058 # CryptoKeyVersion can never be viewed or exported. It can only be used to
2059 # encrypt, decrypt, or sign data when an authorized user or application invokes
2060 # Cloud KMS.
2061 &quot;createTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKeyVersion was created.
2062 &quot;algorithm&quot;: &quot;A String&quot;, # Output only. The CryptoKeyVersionAlgorithm that this
2063 # CryptoKeyVersion supports.
2064 &quot;importJob&quot;: &quot;A String&quot;, # Output only. The name of the ImportJob used to import this
2065 # CryptoKeyVersion. Only present if the underlying key material was
2066 # imported.
2067 &quot;externalProtectionLevelOptions&quot;: { # ExternalProtectionLevelOptions stores a group of additional fields for
2068 # configuring a CryptoKeyVersion that are specific to the
2069 # EXTERNAL protection level.
2072 &quot;externalKeyUri&quot;: &quot;A String&quot;, # The URI for an external resource that this CryptoKeyVersion represents.
Bu Sun Kim65020912020-05-20 12:08:20 -07002073 },
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -07002074 &quot;destroyEventTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material was
2075 # destroyed. Only present if state is
2076 # DESTROYED.
2077 &quot;importTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKeyVersion&#x27;s key material
2078 # was imported.
2079 &quot;destroyTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material is scheduled
2080 # for destruction. Only present if state is
2081 # DESTROY_SCHEDULED.
2082 &quot;importFailureReason&quot;: &quot;A String&quot;, # Output only. The root cause of an import failure. Only present if
2083 # state is
2084 # IMPORT_FAILED.
2085 &quot;state&quot;: &quot;A String&quot;, # The current state of the CryptoKeyVersion.
2086 &quot;name&quot;: &quot;A String&quot;, # Output only. The resource name for this CryptoKeyVersion in the format
2087 # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
2088 &quot;attestation&quot;: { # Output only. Statement that was generated and signed by the HSM at key
2089 # creation time. Use this statement to verify attributes of the key as stored
2090 # on the HSM, independently of Google. Only provided for key versions with
2091 # protection_level HSM.
2092 #
2093 # Contains an HSM-generated attestation about a key operation. For more information, see [Verifying attestations](https://cloud.google.com/kms/docs/attest-key).
2094 &quot;format&quot;: &quot;A String&quot;, # Output only. The format of the attestation data.
2095 &quot;content&quot;: &quot;A String&quot;, # Output only. The attestation data provided by the HSM when the key
2096 # operation was performed.
Bu Sun Kim65020912020-05-20 12:08:20 -07002097 },
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -07002098 &quot;generateTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material was
2099 # generated.
2100 &quot;protectionLevel&quot;: &quot;A String&quot;, # Output only. The ProtectionLevel describing how crypto operations are
2101 # performed with this CryptoKeyVersion.
2102 },
2103 &quot;name&quot;: &quot;A String&quot;, # Output only. The resource name for this CryptoKey in the format
2104 # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
2105 &quot;versionTemplate&quot;: { # A template describing settings for new CryptoKeyVersion instances.
2106 # The properties of new CryptoKeyVersion instances created by either
2107 # CreateCryptoKeyVersion or
2108 # auto-rotation are controlled by this template.
2109 #
2110 # A CryptoKeyVersionTemplate specifies the properties to use when creating
2111 # a new CryptoKeyVersion, either manually with CreateCryptoKeyVersion or automatically as a result of auto-rotation.
2112 &quot;algorithm&quot;: &quot;A String&quot;, # Required. Algorithm to use
2113 # when creating a CryptoKeyVersion based on this template.
Bu Sun Kim65020912020-05-20 12:08:20 -07002114 #
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -07002115 # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
2116 # this field is omitted and CryptoKey.purpose is
2117 # ENCRYPT_DECRYPT.
2118 &quot;protectionLevel&quot;: &quot;A String&quot;, # ProtectionLevel to use when creating a CryptoKeyVersion based on
2119 # this template. Immutable. Defaults to SOFTWARE.
2120 },
2121 &quot;purpose&quot;: &quot;A String&quot;, # Immutable. The immutable purpose of this CryptoKey.
2122 }</pre>
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04002123</div>
2124
2125</body></html>