<html><body>
<style>

body, h1, h2, h3, div, span, p, pre, a {
  margin: 0;
  padding: 0;
  border: 0;
  font-weight: inherit;
  font-style: inherit;
  font-size: 100%;
  font-family: inherit;
  vertical-align: baseline;
}

body {
  font-size: 13px;
  padding: 1em;
}

h1 {
  font-size: 26px;
  margin-bottom: 1em;
}

h2 {
  font-size: 24px;
  margin-bottom: 1em;
}

h3 {
  font-size: 20px;
  margin-bottom: 1em;
  margin-top: 1em;
}

pre, code {
  line-height: 1.5;
  font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
}

pre {
  margin-top: 0.5em;
}

h1, h2, h3, p {
  font-family: Arial, sans-serif;
}

h1, h2, h3 {
  border-bottom: solid #CCC 1px;
}

.toc_element {
  margin-top: 0.5em;
}

.firstline {
  margin-left: 2em;
}

.method {
  margin-top: 1em;
  border: solid 1px #CCC;
  padding: 1em;
  background: #EEE;
}

.details {
  font-weight: bold;
  font-size: 14px;
}

</style>

<h1><a href="cloudkms_v1.html">Cloud Key Management Service (KMS) API</a> . <a href="cloudkms_v1.projects.html">projects</a> . <a href="cloudkms_v1.projects.locations.html">locations</a> . <a href="cloudkms_v1.projects.locations.keyRings.html">keyRings</a> . <a href="cloudkms_v1.projects.locations.keyRings.cryptoKeys.html">cryptoKeys</a></h1>
<h2>Instance Methods</h2>
<p class="toc_element">
  <code><a href="cloudkms_v1.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.html">cryptoKeyVersions()</a></code>
</p>
<p class="firstline">Returns the cryptoKeyVersions Resource.</p>

<p class="toc_element">
  <code><a href="#create">create(parent, body=None, skipInitialVersionCreation=None, cryptoKeyId=None, x__xgafv=None)</a></code></p>
<p class="firstline">Create a new CryptoKey within a KeyRing.</p>
<p class="toc_element">
  <code><a href="#decrypt">decrypt(name, body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Decrypts data that was protected by Encrypt. The CryptoKey.purpose</p>
<p class="toc_element">
  <code><a href="#encrypt">encrypt(name, body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Encrypts data, so that it can only be recovered by a call to Decrypt.</p>
<p class="toc_element">
  <code><a href="#get">get(name, x__xgafv=None)</a></code></p>
<p class="firstline">Returns metadata for a given CryptoKey, as well as its</p>
<p class="toc_element">
  <code><a href="#getIamPolicy">getIamPolicy(resource, options_requestedPolicyVersion=None, x__xgafv=None)</a></code></p>
<p class="firstline">Gets the access control policy for a resource.</p>
<p class="toc_element">
  <code><a href="#list">list(parent, orderBy=None, pageSize=None, pageToken=None, x__xgafv=None, versionView=None, filter=None)</a></code></p>
<p class="firstline">Lists CryptoKeys.</p>
<p class="toc_element">
  <code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p>
<p class="firstline">Retrieves the next page of results.</p>
<p class="toc_element">
  <code><a href="#patch">patch(name, body=None, updateMask=None, x__xgafv=None)</a></code></p>
<p class="firstline">Update a CryptoKey.</p>
<p class="toc_element">
  <code><a href="#setIamPolicy">setIamPolicy(resource, body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Sets the access control policy on the specified resource. Replaces any</p>
<p class="toc_element">
  <code><a href="#testIamPermissions">testIamPermissions(resource, body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Returns permissions that a caller has on the specified resource.</p>
<p class="toc_element">
  <code><a href="#updatePrimaryVersion">updatePrimaryVersion(name, body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Update the version of a CryptoKey that will be used in Encrypt.</p>
<h3>Method Details</h3>
<div class="method">
  <code class="details" id="create">create(parent, body=None, skipInitialVersionCreation=None, cryptoKeyId=None, x__xgafv=None)</code>
  <pre>Create a new CryptoKey within a KeyRing.

CryptoKey.purpose and
CryptoKey.version_template.algorithm
are required.

Args:
  parent: string, Required. The name of the KeyRing associated with the
CryptoKeys. (required)
  body: object, The request body.
    The object takes the form of:

{ # A CryptoKey represents a logical key that can be used for cryptographic
    # operations.
    #
    # A CryptoKey is made up of one or more versions, which
    # represent the actual key material used in cryptographic operations.
  "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
      # automatically rotates a key. Must be at least 24 hours and at most
      # 876,000 hours.
      #
      # If rotation_period is set, next_rotation_time must also be set.
      #
      # Keys with purpose ENCRYPT_DECRYPT support
      # automatic rotation. For other keys, this field must be omitted.
  "name": "A String", # Output only. The resource name for this CryptoKey in the format
      # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
  "labels": { # Labels with user-defined metadata. For more information, see
      # [Labeling Keys](/kms/docs/labeling-keys).
    "a_key": "A String",
  },
  "primary": { # Output only. A copy of the "primary" CryptoKeyVersion that will be used
      # by Encrypt when this CryptoKey is given in EncryptRequest.name.
      #
      # The CryptoKey's primary version can be updated via
      # UpdateCryptoKeyPrimaryVersion.
      #
      # Keys with purpose ENCRYPT_DECRYPT may have a
      # primary. For other keys, this field will be omitted.
      #
      # A CryptoKeyVersion represents an individual cryptographic key, and the
      # associated key material.
      #
      # An ENABLED version can be used for cryptographic operations.
      #
      # For security reasons, the raw cryptographic key material represented by a
      # CryptoKeyVersion can never be viewed or exported. It can only be used to
      # encrypt, decrypt, or sign data when an authorized user or application invokes
      # Cloud KMS.
    "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
        # for destruction. Only present if state is DESTROY_SCHEDULED.
    "importFailureReason": "A String", # Output only. The root cause of an import failure. Only present if
        # state is IMPORT_FAILED.
    "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
        # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
    "protectionLevel": "A String", # Output only. The ProtectionLevel describing how crypto operations are
        # performed with this CryptoKeyVersion.
    "attestation": { # Output only. Statement that was generated and signed by the HSM at key
        # creation time. Use this statement to verify attributes of the key as stored
        # on the HSM, independently of Google. Only provided for key versions with
        # protection_level HSM.
        #
        # Contains an HSM-generated attestation about a key operation. For more
        # information, see [Verifying attestations](https://cloud.google.com/kms/docs/attest-key).
      "content": "A String", # Output only. The attestation data provided by the HSM when the key
          # operation was performed.
      "format": "A String", # Output only. The format of the attestation data.
    },
    "state": "A String", # The current state of the CryptoKeyVersion.
    "importJob": "A String", # Output only. The name of the ImportJob used to import this
        # CryptoKeyVersion. Only present if the underlying key material was
        # imported.
    "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
        # generated.
    "importTime": "A String", # Output only. The time at which this CryptoKeyVersion's key material
        # was imported.
    "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this
        # CryptoKeyVersion supports.
    "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
    "externalProtectionLevelOptions": { # ExternalProtectionLevelOptions stores a group of additional fields for
        # configuring a CryptoKeyVersion that are specific to the
        # EXTERNAL protection level.
      "externalKeyUri": "A String", # The URI for an external resource that this CryptoKeyVersion represents.
    },
    "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
        # destroyed. Only present if state is DESTROYED.
  },
  "versionTemplate": { # A template describing settings for new CryptoKeyVersion instances.
      # The properties of new CryptoKeyVersion instances created by either
      # CreateCryptoKeyVersion or auto-rotation are controlled by this template.
      #
      # A CryptoKeyVersionTemplate specifies the properties to use when creating
      # a new CryptoKeyVersion, either manually with CreateCryptoKeyVersion or
      # automatically as a result of auto-rotation.
    "protectionLevel": "A String", # ProtectionLevel to use when creating a CryptoKeyVersion based on
        # this template. Immutable. Defaults to SOFTWARE.
    "algorithm": "A String", # Required. Algorithm to use
        # when creating a CryptoKeyVersion based on this template.
        #
        # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
        # this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
  },
  "purpose": "A String", # Immutable. The immutable purpose of this CryptoKey.
  "createTime": "A String", # Output only. The time at which this CryptoKey was created.
  "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
      #
      # 1. Create a new version of this CryptoKey.
      # 2. Mark the new version as primary.
      #
      # Key rotations performed manually via
      # CreateCryptoKeyVersion and UpdateCryptoKeyPrimaryVersion
      # do not affect next_rotation_time.
      #
      # Keys with purpose ENCRYPT_DECRYPT support
      # automatic rotation. For other keys, this field must be omitted.
}

  skipInitialVersionCreation: boolean, If set to true, the request will create a CryptoKey without any
CryptoKeyVersions. You must manually call
CreateCryptoKeyVersion or
ImportCryptoKeyVersion
before you can use this CryptoKey.
  cryptoKeyId: string, Required. It must be unique within a KeyRing and match the regular
expression `[a-zA-Z0-9_-]{1,63}`
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A CryptoKey represents a logical key that can be used for cryptographic
        # operations.
        #
        # A CryptoKey is made up of one or more versions, which
        # represent the actual key material used in cryptographic operations.
      "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
          # automatically rotates a key. Must be at least 24 hours and at most
          # 876,000 hours.
          #
          # If rotation_period is set, next_rotation_time must also be set.
          #
          # Keys with purpose ENCRYPT_DECRYPT support
          # automatic rotation. For other keys, this field must be omitted.
      "name": "A String", # Output only. The resource name for this CryptoKey in the format
          # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
      "labels": { # Labels with user-defined metadata. For more information, see
          # [Labeling Keys](/kms/docs/labeling-keys).
        "a_key": "A String",
      },
      "primary": { # Output only. A copy of the "primary" CryptoKeyVersion that will be used
          # by Encrypt when this CryptoKey is given in EncryptRequest.name.
          #
          # The CryptoKey's primary version can be updated via
          # UpdateCryptoKeyPrimaryVersion.
          #
          # Keys with purpose ENCRYPT_DECRYPT may have a
          # primary. For other keys, this field will be omitted.
          #
          # A CryptoKeyVersion represents an individual cryptographic key, and the
          # associated key material.
          #
          # An ENABLED version can be used for cryptographic operations.
          #
          # For security reasons, the raw cryptographic key material represented by a
          # CryptoKeyVersion can never be viewed or exported. It can only be used to
          # encrypt, decrypt, or sign data when an authorized user or application invokes
          # Cloud KMS.
        "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
            # for destruction. Only present if state is DESTROY_SCHEDULED.
        "importFailureReason": "A String", # Output only. The root cause of an import failure. Only present if
            # state is IMPORT_FAILED.
        "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
            # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
        "protectionLevel": "A String", # Output only. The ProtectionLevel describing how crypto operations are
            # performed with this CryptoKeyVersion.
        "attestation": { # Output only. Statement that was generated and signed by the HSM at key
            # creation time. Use this statement to verify attributes of the key as stored
            # on the HSM, independently of Google. Only provided for key versions with
            # protection_level HSM.
            #
            # Contains an HSM-generated attestation about a key operation. For more
            # information, see [Verifying attestations](https://cloud.google.com/kms/docs/attest-key).
          "content": "A String", # Output only. The attestation data provided by the HSM when the key
              # operation was performed.
          "format": "A String", # Output only. The format of the attestation data.
        },
        "state": "A String", # The current state of the CryptoKeyVersion.
        "importJob": "A String", # Output only. The name of the ImportJob used to import this
            # CryptoKeyVersion. Only present if the underlying key material was
            # imported.
        "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
            # generated.
        "importTime": "A String", # Output only. The time at which this CryptoKeyVersion's key material
            # was imported.
        "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this
            # CryptoKeyVersion supports.
        "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
        "externalProtectionLevelOptions": { # ExternalProtectionLevelOptions stores a group of additional fields for
            # configuring a CryptoKeyVersion that are specific to the
            # EXTERNAL protection level.
          "externalKeyUri": "A String", # The URI for an external resource that this CryptoKeyVersion represents.
        },
        "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
            # destroyed. Only present if state is DESTROYED.
      },
      "versionTemplate": { # A template describing settings for new CryptoKeyVersion instances.
          # The properties of new CryptoKeyVersion instances created by either
          # CreateCryptoKeyVersion or auto-rotation are controlled by this template.
          #
          # A CryptoKeyVersionTemplate specifies the properties to use when creating
          # a new CryptoKeyVersion, either manually with CreateCryptoKeyVersion or
          # automatically as a result of auto-rotation.
        "protectionLevel": "A String", # ProtectionLevel to use when creating a CryptoKeyVersion based on
            # this template. Immutable. Defaults to SOFTWARE.
        "algorithm": "A String", # Required. Algorithm to use
            # when creating a CryptoKeyVersion based on this template.
            #
            # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
            # this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
      },
      "purpose": "A String", # Immutable. The immutable purpose of this CryptoKey.
      "createTime": "A String", # Output only. The time at which this CryptoKey was created.
      "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
          #
          # 1. Create a new version of this CryptoKey.
          # 2. Mark the new version as primary.
          #
          # Key rotations performed manually via
          # CreateCryptoKeyVersion and UpdateCryptoKeyPrimaryVersion
          # do not affect next_rotation_time.
          #
          # Keys with purpose ENCRYPT_DECRYPT support
          # automatic rotation. For other keys, this field must be omitted.
    }</pre>
</div>

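<p>Added example, not part of the generated reference or of the client library: a pre-flight check that applies the constraints documented for create() above to a request before it is sent. The function name, the <code>required_protection_level</code> policy knob and the sample request are hypothetical; the duration form <code>"&lt;seconds&gt;s"</code> for rotationPeriod is an assumption, since this page only types the field as a string.</p>

```python
import re

# Constraints quoted from the create() documentation on this page.
CRYPTO_KEY_ID_RE = re.compile(r"[a-zA-Z0-9_-]{1,63}")
MIN_ROTATION_SECONDS = 24 * 3600        # "at least 24 hours"
MAX_ROTATION_SECONDS = 876_000 * 3600   # "at most 876,000 hours"

# Assumption: durations are sent as decimal seconds with an "s" suffix.
DURATION_RE = re.compile(r"(\d+(?:\.\d{1,9})?)s")


def validate_create_request(crypto_key_id, body, required_protection_level=None):
    """Return a list of (field, problem) pairs for a create() call.

    An empty list means the request meets every constraint this page states.
    required_protection_level is a hypothetical local policy setting.
    """
    problems = []

    if not isinstance(crypto_key_id, str) or not CRYPTO_KEY_ID_RE.fullmatch(crypto_key_id):
        problems.append(("cryptoKeyId", "must match [a-zA-Z0-9_-]{1,63}"))

    purpose = body.get("purpose")
    if not purpose:
        problems.append(("purpose", "required"))

    template = body.get("versionTemplate") or {}
    # The algorithm may be left out only for ENCRYPT_DECRYPT keys, where
    # GOOGLE_SYMMETRIC_ENCRYPTION is implied for backwards compatibility.
    if not template.get("algorithm") and purpose != "ENCRYPT_DECRYPT":
        problems.append(("versionTemplate.algorithm", "required"))

    # protectionLevel is immutable and defaults to SOFTWARE, so an omitted
    # field cannot be corrected once the key exists.
    if required_protection_level is not None:
        effective = template.get("protectionLevel") or "SOFTWARE"
        if effective != required_protection_level:
            problems.append((
                "versionTemplate.protectionLevel",
                f"is {effective}, policy requires {required_protection_level}",
            ))

    rotation = body.get("rotationPeriod")
    next_rotation = body.get("nextRotationTime")
    if rotation is not None or next_rotation is not None:
        if purpose != "ENCRYPT_DECRYPT":
            problems.append((
                "rotationPeriod",
                "rotation fields must be omitted unless purpose is ENCRYPT_DECRYPT",
            ))
        elif rotation is not None:
            match = DURATION_RE.fullmatch(str(rotation))
            if match is None:
                problems.append(("rotationPeriod", "not a duration in seconds"))
            elif not MIN_ROTATION_SECONDS <= float(match.group(1)) <= MAX_ROTATION_SECONDS:
                problems.append(("rotationPeriod", "outside 24 hours to 876,000 hours"))
            if next_rotation is None:
                problems.append(("nextRotationTime", "must be set when rotationPeriod is set"))

    return problems


if __name__ == "__main__":
    # Constructed sample request: rotation is one hour and no next rotation time.
    sample = {
        "purpose": "ENCRYPT_DECRYPT",
        "versionTemplate": {"algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION"},
        "rotationPeriod": "3600s",
    }
    for field, problem in validate_create_request("payments-db", sample, "HSM"):
        print(f"{field}: {problem}")
```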
<div class="method">
  <code class="details" id="decrypt">decrypt(name, body=None, x__xgafv=None)</code>
  <pre>Decrypts data that was protected by Encrypt. The CryptoKey.purpose
must be ENCRYPT_DECRYPT.

Args:
  name: string, Required. The resource name of the CryptoKey to use for decryption.
The server will choose the appropriate version. (required)
  body: object, The request body.
    The object takes the form of:

{ # Request message for KeyManagementService.Decrypt.
    "ciphertext": "A String", # Required. The encrypted data originally returned in
        # EncryptResponse.ciphertext.
    "additionalAuthenticatedData": "A String", # Optional. Optional data that must match the data originally supplied in
        # EncryptRequest.additional_authenticated_data.
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Response message for KeyManagementService.Decrypt.
    "plaintext": "A String", # The decrypted data originally supplied in EncryptRequest.plaintext.
  }</pre>
</div>

<div class="method">
  <code class="details" id="encrypt">encrypt(name, body=None, x__xgafv=None)</code>
  <pre>Encrypts data, so that it can only be recovered by a call to Decrypt.
The CryptoKey.purpose must be
ENCRYPT_DECRYPT.

Args:
  name: string, Required. The resource name of the CryptoKey or CryptoKeyVersion
to use for encryption.

If a CryptoKey is specified, the server will use its
primary version. (required)
  body: object, The request body.
    The object takes the form of:

{ # Request message for KeyManagementService.Encrypt.
    "plaintext": "A String", # Required. The data to encrypt. Must be no larger than 64KiB.
        #
        # The maximum size depends on the key version's
        # protection_level. For
        # SOFTWARE keys, the plaintext must be no larger
        # than 64KiB. For HSM keys, the combined length of the
        # plaintext and additional_authenticated_data fields must be no larger than
        # 8KiB.
    "additionalAuthenticatedData": "A String", # Optional. Optional data that, if specified, must also be provided during decryption
        # through DecryptRequest.additional_authenticated_data.
        #
        # The maximum size depends on the key version's
        # protection_level. For
        # SOFTWARE keys, the AAD must be no larger than
        # 64KiB. For HSM keys, the combined length of the
        # plaintext and additional_authenticated_data fields must be no larger than
        # 8KiB.
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Response message for KeyManagementService.Encrypt.
    "ciphertext": "A String", # The encrypted data.
    "name": "A String", # The resource name of the CryptoKeyVersion used in encryption. Check
        # this field to verify that the intended resource was used for encryption.
  }</pre>
</div>

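<p>Added example, not part of the generated reference or of the client library: building an encrypt() body within the size limits documented above, and checking the response <code>name</code> as the reference recommends. The function names and the sample resource names are hypothetical; base64 encoding of the byte fields is an assumption, since this page only types them as strings.</p>

```python
import base64
import re

KIB = 1024
# Limits quoted from the encrypt() request body on this page.
SOFTWARE_FIELD_MAX = 64 * KIB   # SOFTWARE keys: plaintext and AAD, each
HSM_COMBINED_MAX = 8 * KIB      # HSM keys: plaintext + AAD together

# Resource-name shapes given on this page; each '*' is one path segment.
KEY_PATTERN = r"projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+"
KEY_RE = re.compile(KEY_PATTERN)
VERSION_RE = re.compile(KEY_PATTERN + r"/cryptoKeyVersions/[^/]+")


def build_encrypt_body(plaintext, aad=b"", protection_level="SOFTWARE"):
    """Check the documented size limits on the raw bytes, then build the body."""
    if protection_level == "SOFTWARE":
        if len(plaintext) > SOFTWARE_FIELD_MAX:
            raise ValueError("plaintext exceeds 64KiB for a SOFTWARE key")
        if len(aad) > SOFTWARE_FIELD_MAX:
            raise ValueError("AAD exceeds 64KiB for a SOFTWARE key")
    elif protection_level == "HSM":
        if len(plaintext) + len(aad) > HSM_COMBINED_MAX:
            raise ValueError("plaintext + AAD exceed 8KiB for an HSM key")
    else:
        raise ValueError("no size limit documented here for " + protection_level)

    # Assumption: byte fields travel as base64 text in the JSON body.
    body = {"plaintext": base64.b64encode(plaintext).decode("ascii")}
    if aad:
        # The same AAD has to be supplied again to decrypt().
        body["additionalAuthenticatedData"] = base64.b64encode(aad).decode("ascii")
    return body


def check_encrypt_response(requested_name, response):
    """Return the CryptoKeyVersion that was used, or raise if it is not the
    resource the caller asked for."""
    used = response.get("name") or ""
    if not VERSION_RE.fullmatch(used):
        raise ValueError("response name is not a CryptoKeyVersion: %r" % used)

    if KEY_RE.fullmatch(requested_name):
        # A CryptoKey was named: the server used its primary version, which
        # must be a direct child of exactly that key.
        parent = used.rsplit("/cryptoKeyVersions/", 1)[0]
        if parent != requested_name:
            raise ValueError("encrypted under a different key: %r" % used)
    elif VERSION_RE.fullmatch(requested_name):
        # A specific version was named: it must be the one that was used.
        if used != requested_name:
            raise ValueError("encrypted under a different version: %r" % used)
    else:
        raise ValueError("requested name is neither a CryptoKey nor a CryptoKeyVersion")
    return used


if __name__ == "__main__":
    # Constructed names and response; no request is sent here. With a client
    # object the body would go to ...cryptoKeys().encrypt(name=key, body=body).
    key = "projects/p1/locations/global/keyRings/r1/cryptoKeys/app"
    body = build_encrypt_body(b"secret", aad=b"tenant-42")
    response = {"ciphertext": "<opaque>", "name": key + "/cryptoKeyVersions/3"}
    print(sorted(body), check_encrypt_response(key, response))
```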
<div class="method">
  <code class="details" id="get">get(name, x__xgafv=None)</code>
  <pre>Returns metadata for a given CryptoKey, as well as its
primary CryptoKeyVersion.

Args:
  name: string, Required. The name of the CryptoKey to get. (required)
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A CryptoKey represents a logical key that can be used for cryptographic
        # operations.
        #
        # A CryptoKey is made up of one or more versions, which
        # represent the actual key material used in cryptographic operations.
      "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
          # automatically rotates a key. Must be at least 24 hours and at most
          # 876,000 hours.
          #
          # If rotation_period is set, next_rotation_time must also be set.
          #
          # Keys with purpose ENCRYPT_DECRYPT support
          # automatic rotation. For other keys, this field must be omitted.
      "name": "A String", # Output only. The resource name for this CryptoKey in the format
          # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
      "labels": { # Labels with user-defined metadata. For more information, see
          # [Labeling Keys](/kms/docs/labeling-keys).
        "a_key": "A String",
      },
      "primary": { # Output only. A copy of the "primary" CryptoKeyVersion that will be used
          # by Encrypt when this CryptoKey is given in EncryptRequest.name.
          #
          # The CryptoKey's primary version can be updated via
          # UpdateCryptoKeyPrimaryVersion.
          #
          # Keys with purpose ENCRYPT_DECRYPT may have a
          # primary. For other keys, this field will be omitted.
          #
          # A CryptoKeyVersion represents an individual cryptographic key, and the
          # associated key material.
          #
          # An ENABLED version can be used for cryptographic operations.
          #
          # For security reasons, the raw cryptographic key material represented by a
          # CryptoKeyVersion can never be viewed or exported. It can only be used to
          # encrypt, decrypt, or sign data when an authorized user or application invokes
          # Cloud KMS.
        "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
            # for destruction. Only present if state is DESTROY_SCHEDULED.
        "importFailureReason": "A String", # Output only. The root cause of an import failure. Only present if
            # state is IMPORT_FAILED.
        "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
            # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
        "protectionLevel": "A String", # Output only. The ProtectionLevel describing how crypto operations are
            # performed with this CryptoKeyVersion.
        "attestation": { # Output only. Statement that was generated and signed by the HSM at key
            # creation time. Use this statement to verify attributes of the key as stored
            # on the HSM, independently of Google. Only provided for key versions with
            # protection_level HSM.
            #
            # Contains an HSM-generated attestation about a key operation. For more
            # information, see [Verifying attestations](https://cloud.google.com/kms/docs/attest-key).
          "content": "A String", # Output only. The attestation data provided by the HSM when the key
              # operation was performed.
          "format": "A String", # Output only. The format of the attestation data.
        },
        "state": "A String", # The current state of the CryptoKeyVersion.
        "importJob": "A String", # Output only. The name of the ImportJob used to import this
            # CryptoKeyVersion. Only present if the underlying key material was
            # imported.
        "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
            # generated.
        "importTime": "A String", # Output only. The time at which this CryptoKeyVersion's key material
            # was imported.
        "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this
            # CryptoKeyVersion supports.
        "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
        "externalProtectionLevelOptions": { # ExternalProtectionLevelOptions stores a group of additional fields for
            # configuring a CryptoKeyVersion that are specific to the
            # EXTERNAL protection level.
          "externalKeyUri": "A String", # The URI for an external resource that this CryptoKeyVersion represents.
        },
        "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
            # destroyed. Only present if state is DESTROYED.
      },
      "versionTemplate": { # A template describing settings for new CryptoKeyVersion instances.
          # The properties of new CryptoKeyVersion instances created by either
          # CreateCryptoKeyVersion or auto-rotation are controlled by this template.
          #
          # A CryptoKeyVersionTemplate specifies the properties to use when creating
          # a new CryptoKeyVersion, either manually with CreateCryptoKeyVersion or
          # automatically as a result of auto-rotation.
        "protectionLevel": "A String", # ProtectionLevel to use when creating a CryptoKeyVersion based on
            # this template. Immutable. Defaults to SOFTWARE.
        "algorithm": "A String", # Required. Algorithm to use
            # when creating a CryptoKeyVersion based on this template.
            #
            # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
            # this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
      },
      "purpose": "A String", # Immutable. The immutable purpose of this CryptoKey.
      "createTime": "A String", # Output only. The time at which this CryptoKey was created.
      "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
          #
          # 1. Create a new version of this CryptoKey.
          # 2. Mark the new version as primary.
          #
          # Key rotations performed manually via
          # CreateCryptoKeyVersion and UpdateCryptoKeyPrimaryVersion
          # do not affect next_rotation_time.
          #
          # Keys with purpose ENCRYPT_DECRYPT support
          # automatic rotation. For other keys, this field must be omitted.
    }</pre>
</div>

<div class="method">
  <code class="details" id="getIamPolicy">getIamPolicy(resource, options_requestedPolicyVersion=None, x__xgafv=None)</code>
  <pre>Gets the access control policy for a resource.
Returns an empty policy if the resource exists and does not have a policy
set.

Args:
  resource: string, REQUIRED: The resource for which the policy is being requested.
See the operation documentation for the appropriate value for this field. (required)
  options_requestedPolicyVersion: integer, Optional. The policy format version to be returned.

Valid values are 0, 1, and 3. Requests specifying an invalid value will be
rejected.

Requests for policies with any conditional bindings must specify version 3.
Policies without any conditional bindings may specify any valid value or
leave the field unset.
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # An Identity and Access Management (IAM) policy, which specifies access
        # controls for Google Cloud resources.
        #
        #
        # A `Policy` is a collection of `bindings`. A `binding` binds one or more
        # `members` to a single `role`. Members can be user accounts, service accounts,
        # Google groups, and domains (such as G Suite). A `role` is a named list of
        # permissions; each `role` can be an IAM predefined role or a user-created
        # custom role.
        #
        # Optionally, a `binding` can specify a `condition`, which is a logical
        # expression that allows access to a resource only if the expression evaluates
622 # to `true`. A condition can add constraints based on attributes of the
623 # request, the resource, or both.
624 #
625 # **JSON example:**
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -0400626 #
627 # {
628 # "bindings": [
629 # {
Dan O'Mearadd494642020-05-01 07:42:23 -0700630 # "role": "roles/resourcemanager.organizationAdmin",
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -0400631 # "members": [
632 # "user:mike@example.com",
633 # "group:admins@example.com",
634 # "domain:google.com",
Dan O'Mearadd494642020-05-01 07:42:23 -0700635 # "serviceAccount:my-project-id@appspot.gserviceaccount.com"
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -0400636 # ]
637 # },
638 # {
Dan O'Mearadd494642020-05-01 07:42:23 -0700639 # "role": "roles/resourcemanager.organizationViewer",
640 # "members": ["user:eve@example.com"],
641 # "condition": {
642 # "title": "expirable access",
643 # "description": "Does not grant access after Sep 2020",
644 # "expression": "request.time &lt; timestamp('2020-10-01T00:00:00.000Z')",
645 # }
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -0400646 # }
Dan O'Mearadd494642020-05-01 07:42:23 -0700647 # ],
648 # "etag": "BwWWja0YfJA=",
649 # "version": 3
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -0400650 # }
651 #
Dan O'Mearadd494642020-05-01 07:42:23 -0700652 # **YAML example:**
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700653 #
654 # bindings:
655 # - members:
656 # - user:mike@example.com
657 # - group:admins@example.com
658 # - domain:google.com
Dan O'Mearadd494642020-05-01 07:42:23 -0700659 # - serviceAccount:my-project-id@appspot.gserviceaccount.com
660 # role: roles/resourcemanager.organizationAdmin
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700661 # - members:
Dan O'Mearadd494642020-05-01 07:42:23 -0700662 # - user:eve@example.com
663 # role: roles/resourcemanager.organizationViewer
664 # condition:
665 # title: expirable access
666 # description: Does not grant access after Sep 2020
667 # expression: request.time &lt; timestamp('2020-10-01T00:00:00.000Z')
668 # etag: BwWWja0YfJA=
669 # version: 3
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700670 #
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -0400671 # For a description of IAM and its features, see the
Dan O'Mearadd494642020-05-01 07:42:23 -0700672 # [IAM documentation](https://cloud.google.com/iam/docs/).
673 "bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a
674 # `condition` that determines how and when the `bindings` are applied. Each
675 # of the `bindings` must contain at least one member.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700676 { # Associates `members` with a `role`.
677 "role": "A String", # Role that is assigned to `members`.
678 # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700679 "condition": { # The condition that is associated with this binding.
680 # NOTE: An unsatisfied condition will not allow user access via current
681 # binding. Different bindings, including their conditions, are examined
682 # independently.
683 # Represents a textual expression in the Common Expression Language (CEL)
684 # syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec.
685 #
686 # Example (Comparison):
687 #
688 # title: "Summary size limit"
689 # description: "Determines if a summary is less than 100 chars"
690 # expression: "document.summary.size() &lt; 100"
691 #
692 # Example (Equality):
693 #
694 # title: "Requestor is owner"
695 # description: "Determines if requestor is the document owner"
696 # expression: "document.owner == request.auth.claims.email"
697 #
698 # Example (Logic):
699 #
700 # title: "Public documents"
701 # description: "Determine whether the document should be publicly visible"
702 # expression: "document.type != 'private' &amp;&amp; document.type != 'internal'"
703 #
704 # Example (Data Manipulation):
705 #
706 # title: "Notification string"
707 # description: "Create a notification string with a timestamp."
708 # expression: "'New message received at ' + string(document.create_time)"
709 #
710 # The exact variables and functions that may be referenced within an expression
711 # are determined by the service that evaluates it. See the service
712 # documentation for additional information.
713 "location": "A String", # Optional. String indicating the location of the expression for error
714 # reporting, e.g. a file name and a position in the file.
715 "expression": "A String", # Textual representation of an expression in Common Expression Language
716 # syntax.
717 "description": "A String", # Optional. Description of the expression. This is a longer text which
718 # describes the expression, e.g. when hovering over it in a UI.
719 "title": "A String", # Optional. Title for the expression, i.e. a short string describing
720 # its purpose. This can be used e.g. in UIs that allow entering the
721 # expression.
722 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700723 "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
724 # `members` can have the following values:
725 #
726 # * `allUsers`: A special identifier that represents anyone who is
727 # on the internet, with or without a Google account.
728 #
729 # * `allAuthenticatedUsers`: A special identifier that represents anyone
730 # who is authenticated with a Google account or a service account.
731 #
732 # * `user:{emailid}`: An email address that represents a specific Google
Dan O'Mearadd494642020-05-01 07:42:23 -0700733 # account. For example, `alice@example.com`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700734 #
735 #
736 # * `serviceAccount:{emailid}`: An email address that represents a service
737 # account. For example, `my-other-app@appspot.gserviceaccount.com`.
738 #
739 # * `group:{emailid}`: An email address that represents a Google group.
740 # For example, `admins@example.com`.
741 #
Dan O'Mearadd494642020-05-01 07:42:23 -0700742 # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
743 # identifier) representing a user that has been recently deleted. For
744 # example, `alice@example.com?uid=123456789012345678901`. If the user is
745 # recovered, this value reverts to `user:{emailid}` and the recovered user
746 # retains the role in the binding.
747 #
748 # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
749 # unique identifier) representing a service account that has been recently
750 # deleted. For example,
751 # `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
752 # If the service account is undeleted, this value reverts to
753 # `serviceAccount:{emailid}` and the undeleted service account retains the
754 # role in the binding.
755 #
756 # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
757 # identifier) representing a Google group that has been recently
758 # deleted. For example, `admins@example.com?uid=123456789012345678901`. If
759 # the group is recovered, this value reverts to `group:{emailid}` and the
760 # recovered group retains the role in the binding.
761 #
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700762 #
763 # * `domain:{domain}`: The G Suite domain (primary) that represents all the
764 # users of that domain. For example, `google.com` or `example.com`.
765 #
766 "A String",
767 ],
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700768 },
769 ],
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -0400770 "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
771 { # Specifies the audit configuration for a service.
Sai Cheemalapatie833b792017-03-24 15:06:46 -0700772 # The configuration determines which permission types are logged, and what
773 # identities, if any, are exempted from logging.
Sai Cheemalapati4ba8c232017-06-06 18:46:08 -0400774 # An AuditConfig must have one or more AuditLogConfigs.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -0400775 #
776 # If there are AuditConfigs for both `allServices` and a specific service,
777 # the union of the two AuditConfigs is used for that service: the log_types
778 # specified in each AuditConfig are enabled, and the exempted_members in each
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700779 # AuditLogConfig are exempted.
Sai Cheemalapati4ba8c232017-06-06 18:46:08 -0400780 #
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -0400781 # Example Policy with multiple AuditConfigs:
Sai Cheemalapati4ba8c232017-06-06 18:46:08 -0400782 #
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -0400783 # {
Sai Cheemalapati4ba8c232017-06-06 18:46:08 -0400784 # "audit_configs": [
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -0400785 # {
Sai Cheemalapati4ba8c232017-06-06 18:46:08 -0400786 # "service": "allServices",
787 # "audit_log_configs": [
788 # {
789 # "log_type": "DATA_READ",
790 # "exempted_members": [
Dan O'Mearadd494642020-05-01 07:42:23 -0700791 # "user:jose@example.com"
Sai Cheemalapati4ba8c232017-06-06 18:46:08 -0400792 # ]
793 # },
794 # {
795 # "log_type": "DATA_WRITE"
796 # },
797 # {
798 # "log_type": "ADMIN_READ"
799 # }
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -0400800 # ]
801 # },
802 # {
Dan O'Mearadd494642020-05-01 07:42:23 -0700803 # "service": "sampleservice.googleapis.com",
Sai Cheemalapati4ba8c232017-06-06 18:46:08 -0400804 # "audit_log_configs": [
805 # {
806 # "log_type": "DATA_READ"
807 # },
808 # {
809 # "log_type": "DATA_WRITE",
810 # "exempted_members": [
Dan O'Mearadd494642020-05-01 07:42:23 -0700811 # "user:aliya@example.com"
Sai Cheemalapati4ba8c232017-06-06 18:46:08 -0400812 # ]
813 # }
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -0400814 # ]
815 # }
816 # ]
817 # }
Sai Cheemalapati4ba8c232017-06-06 18:46:08 -0400818 #
Dan O'Mearadd494642020-05-01 07:42:23 -0700819 # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
820 # logging. It also exempts jose@example.com from DATA_READ logging, and
821 # aliya@example.com from DATA_WRITE logging.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -0400822 "auditLogConfigs": [ # The configuration for logging of each type of permission.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -0400823 { # Provides the configuration for logging a type of permissions.
824 # Example:
825 #
826 # {
827 # "audit_log_configs": [
828 # {
829 # "log_type": "DATA_READ",
830 # "exempted_members": [
Dan O'Mearadd494642020-05-01 07:42:23 -0700831 # "user:jose@example.com"
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -0400832 # ]
833 # },
834 # {
835 # "log_type": "DATA_WRITE"
836 # }
837 # ]
838 # }
839 #
840 # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
Dan O'Mearadd494642020-05-01 07:42:23 -0700841 # jose@example.com from DATA_READ logging.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -0400842 "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
843 # permission.
844 # Follows the same format as Binding.members.
845 "A String",
846 ],
847 "logType": "A String", # The log type that this config enables.
848 },
849 ],
850 "service": "A String", # Specifies a service that will be enabled for audit logging.
Sai Cheemalapatie833b792017-03-24 15:06:46 -0700851 # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -0400852 # `allServices` is a special value that covers all services.
853 },
854 ],
Dan O'Mearadd494642020-05-01 07:42:23 -0700855 "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
856 # prevent simultaneous updates of a policy from overwriting each other.
857 # It is strongly suggested that systems make use of the `etag` in the
858 # read-modify-write cycle to perform policy updates in order to avoid race
859 # conditions: An `etag` is returned in the response to `getIamPolicy`, and
860 # systems are expected to put that etag in the request to `setIamPolicy` to
861 # ensure that their change will be applied to the same version of the policy.
862 #
863 # **Important:** If you use IAM Conditions, you must include the `etag` field
864 # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
865 # you to overwrite a version `3` policy with a version `1` policy, and all of
866 # the conditions in the version `3` policy are lost.
867 "version": 42, # Specifies the format of the policy.
868 #
869 # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
870 # are rejected.
871 #
872 # Any operation that affects conditional role bindings must specify version
873 # `3`. This requirement applies to the following operations:
874 #
875 # * Getting a policy that includes a conditional role binding
876 # * Adding a conditional role binding to a policy
877 # * Changing a conditional role binding in a policy
878 # * Removing any role binding, with or without a condition, from a policy
879 # that includes conditions
880 #
881 # **Important:** If you use IAM Conditions, you must include the `etag` field
882 # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
883 # you to overwrite a version `3` policy with a version `1` policy, and all of
884 # the conditions in the version `3` policy are lost.
885 #
886 # If a policy does not include any conditions, operations on that policy may
887 # specify any valid version or leave the field unset.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -0400888 }</pre>
889</div>
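The `auditConfigs` union rule described above, worked through as an added example (not part of the generated reference or the client library). The sample policy is constructed from the page's own example, rewritten with the camelCase keys of the returned object; the function names are assumptions.

```python
"""Added example: which audit log types apply to one service, and who is exempt."""

ALL_SERVICES = "allServices"
REQUIRED_LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")

# Constructed sample: the page's multi-AuditConfig policy in camelCase form.
SAMPLE_POLICY = {
    "auditConfigs": [
        {
            "service": "allServices",
            "auditLogConfigs": [
                {"logType": "DATA_READ", "exemptedMembers": ["user:jose@example.com"]},
                {"logType": "DATA_WRITE"},
                {"logType": "ADMIN_READ"},
            ],
        },
        {
            "service": "sampleservice.googleapis.com",
            "auditLogConfigs": [
                {"logType": "DATA_READ"},
                {"logType": "DATA_WRITE", "exemptedMembers": ["user:aliya@example.com"]},
            ],
        },
    ]
}


def effective_audit_logging(policy, service):
    """Return {logType: set of exempted members} that applies to `service`.

    AuditConfigs for `allServices` and for `service` are merged: every logType
    named in either one is enabled, and exemptions for a logType are unioned.
    """
    effective = {}
    for audit_config in policy.get("auditConfigs", []):
        if audit_config.get("service") not in (ALL_SERVICES, service):
            continue
        for log_config in audit_config.get("auditLogConfigs", []):
            exempt = effective.setdefault(log_config["logType"], set())
            exempt.update(log_config.get("exemptedMembers", []))
    return effective


def is_logged(policy, service, log_type, member):
    """True when `member` performing a `log_type` operation produces a log entry."""
    effective = effective_audit_logging(policy, service)
    return log_type in effective and member not in effective[log_type]


def logging_gaps(policy, service, required=REQUIRED_LOG_TYPES):
    """List (logType, finding, member) tuples a reviewer should look at."""
    effective = effective_audit_logging(policy, service)
    findings = []
    for log_type in required:
        if log_type not in effective:
            findings.append((log_type, "disabled", None))
        for member in sorted(effective.get(log_type, ())):
            findings.append((log_type, "exempted", member))
    return findings
```

An exemption set at `allServices` level carries into every service, so review exemptions on the merged result rather than per AuditConfig.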
890
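The `etag` read-modify-write cycle and the version `3` requirement described for `getIamPolicy` above, as an added example (not part of the generated reference or the client library). `FakePolicyStore` is a constructed in-memory stand-in that models only the two behaviours the text states: a stale `etag` is rejected, and a write without an `etag` overwrites the stored policy. All names and the sample policy are assumptions.

```python
"""Added example: etag-guarded IAM policy updates against an in-memory stand-in."""
import copy
import itertools


class EtagMismatch(Exception):
    """The stored policy changed between the read and the write."""


class FakePolicyStore:
    """Constructed stand-in for getIamPolicy / setIamPolicy (not the real service)."""

    def __init__(self, policy):
        self.counter = itertools.count(1)
        self.policy = copy.deepcopy(policy)
        self.policy["etag"] = "etag-%d" % next(self.counter)

    def get(self):
        return copy.deepcopy(self.policy)

    def set(self, policy):
        sent = policy.get("etag")
        if sent is not None and sent != self.policy["etag"]:
            raise EtagMismatch("policy changed since it was read")
        # No etag sent: nothing stops a blind overwrite (the documented risk).
        self.policy = copy.deepcopy(policy)
        self.policy["etag"] = "etag-%d" % next(self.counter)
        return self.get()


def has_conditions(policy):
    return any("condition" in b for b in policy.get("bindings", []))


def add_member(policy, role, member, condition=None):
    """Return a modified copy of a policy that was just read; its etag is kept."""
    if "etag" not in policy:
        raise ValueError("refusing to build an update without the etag from the read")
    updated = copy.deepcopy(policy)
    for binding in updated.setdefault("bindings", []):
        # Reuse a binding only when both role and condition match exactly.
        if binding["role"] == role and binding.get("condition") == condition:
            if member not in binding["members"]:
                binding["members"].append(member)
            break
    else:
        new_binding = {"role": role, "members": [member]}
        if condition is not None:
            new_binding["condition"] = dict(condition)
        updated["bindings"].append(new_binding)
    if has_conditions(updated):
        updated["version"] = 3  # conditional bindings require version 3
    return updated


def update_with_retry(store, role, member, condition=None, attempts=3):
    """Read, modify, write; on an etag conflict re-read and try again."""
    for _ in range(attempts):
        current = store.get()
        try:
            return store.set(add_member(current, role, member, condition))
        except EtagMismatch:
            continue
    raise EtagMismatch("gave up after %d attempts" % attempts)


# Constructed sample: one conditional binding, as in the page's JSON example.
SAMPLE_POLICY = {
    "version": 3,
    "bindings": [{
        "role": "roles/resourcemanager.organizationViewer",
        "members": ["user:eve@example.com"],
        "condition": {
            "title": "expirable access",
            "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",
        },
    }],
}


def demo_race():
    """Writer A reads, writer B updates first, A's stale write is rejected."""
    store = FakePolicyStore(SAMPLE_POLICY)
    stale = store.get()
    update_with_retry(store, "roles/viewer", "user:mike@example.com")
    try:
        store.set(add_member(stale, "roles/viewer", "group:admins@example.com"))
        rejected = False
    except EtagMismatch:
        rejected = True
    return rejected, store.get()


def demo_blind_overwrite():
    """A version 1 policy sent without an etag replaces the conditional policy."""
    store = FakePolicyStore(SAMPLE_POLICY)
    store.set({"version": 1, "bindings": [
        {"role": "roles/viewer", "members": ["user:mike@example.com"]}]})
    return has_conditions(store.get())
```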
891<div class="method">
Dan O'Mearadd494642020-05-01 07:42:23 -0700892 <code class="details" id="list">list(parent, orderBy=None, pageSize=None, pageToken=None, x__xgafv=None, versionView=None, filter=None)</code>
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -0400893 <pre>Lists CryptoKeys.
894
895Args:
896 parent: string, Required. The resource name of the KeyRing to list, in the format
897`projects/*/locations/*/keyRings/*`. (required)
Dan O'Mearadd494642020-05-01 07:42:23 -0700898 orderBy: string, Optional. Specify how the results should be sorted. If not specified, the
899results will be sorted in the default order. For more information, see
900[Sorting and filtering list
901results](https://cloud.google.com/kms/docs/sorting-and-filtering).
902 pageSize: integer, Optional. Limit on the number of CryptoKeys to include in the
903response. Further CryptoKeys can subsequently be obtained by
904including the ListCryptoKeysResponse.next_page_token in a subsequent
905request. If unspecified, the server will pick an appropriate default.
906 pageToken: string, Optional. Pagination token, returned earlier via
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -0400907ListCryptoKeysResponse.next_page_token.
908 x__xgafv: string, V1 error format.
909 Allowed values
910 1 - v1 error format
911 2 - v2 error format
Dan O'Mearadd494642020-05-01 07:42:23 -0700912 versionView: string, The fields of the primary version to include in the response.
913 filter: string, Optional. Only include resources that match the filter in the response. For
914more information, see
915[Sorting and filtering list
916results](https://cloud.google.com/kms/docs/sorting-and-filtering).
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -0400917
918Returns:
919 An object of the form:
920
921 { # Response message for KeyManagementService.ListCryptoKeys.
922 "nextPageToken": "A String", # A token to retrieve next page of results. Pass this value in
923 # ListCryptoKeysRequest.page_token to retrieve the next page of results.
924 "cryptoKeys": [ # The list of CryptoKeys.
925 { # A CryptoKey represents a logical key that can be used for cryptographic
926 # operations.
927 #
928 # A CryptoKey is made up of one or more versions, which
929 # represent the actual key material used in cryptographic operations.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -0400930 "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
Dan O'Mearadd494642020-05-01 07:42:23 -0700931 # automatically rotates a key. Must be at least 24 hours and at most
932 # 876,000 hours.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -0400933 #
934 # If rotation_period is set, next_rotation_time must also be set.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700935 #
936 # Keys with purpose
937 # ENCRYPT_DECRYPT support
938 # automatic rotation. For other keys, this field must be omitted.
Dan O'Mearadd494642020-05-01 07:42:23 -0700939 "name": "A String", # Output only. The resource name for this CryptoKey in the format
940 # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
941 "labels": { # Labels with user-defined metadata. For more information, see
942 # [Labeling Keys](/kms/docs/labeling-keys).
943 "a_key": "A String",
944 },
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -0400945 "primary": { # Output only. A copy of the "primary" CryptoKeyVersion that will be used
946 # by Encrypt when this CryptoKey is given
947 # in EncryptRequest.name.
948 #
949 # The CryptoKey's primary version can be updated via
950 # UpdateCryptoKeyPrimaryVersion.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700951 #
Dan O'Mearadd494642020-05-01 07:42:23 -0700952 # Keys with purpose
953 # ENCRYPT_DECRYPT may have a
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700954 # primary. For other keys, this field will be omitted.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -0400955 # A CryptoKeyVersion represents an individual cryptographic key, and the associated key material.
956 #
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700957 # An ENABLED version can be
958 # used for cryptographic operations.
959 #
960 # For security reasons, the raw cryptographic key material represented by a
961 # CryptoKeyVersion can never be viewed or exported. It can only be used to
962 # encrypt, decrypt, or sign data when an authorized user or application invokes
963 # Cloud KMS.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -0400964 "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
965 # for destruction. Only present if state is
966 # DESTROY_SCHEDULED.
Dan O'Mearadd494642020-05-01 07:42:23 -0700967 "importFailureReason": "A String", # Output only. The root cause of an import failure. Only present if
968 # state is
969 # IMPORT_FAILED.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700970 "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
971 # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700972 "protectionLevel": "A String", # Output only. The ProtectionLevel describing how crypto operations are
973 # performed with this CryptoKeyVersion.
974 "attestation": { # Output only. Statement that was generated and signed by the HSM at key
975 # creation time. Use this statement to verify attributes of the key as stored
976 # on the HSM, independently of Google. Only provided for key versions with
977 # protection_level HSM.
978 # Contains an HSM-generated attestation about a key operation. For more
979 # information, see [Verifying attestations](https://cloud.google.com/kms/docs/attest-key).
980 "content": "A String", # Output only. The attestation data provided by the HSM when the key
981 # operation was performed.
982 "format": "A String", # Output only. The format of the attestation data.
983 },
984 "state": "A String", # The current state of the CryptoKeyVersion.
Dan O'Mearadd494642020-05-01 07:42:23 -0700985 "importJob": "A String", # Output only. The name of the ImportJob used to import this
986 # CryptoKeyVersion. Only present if the underlying key material was
987 # imported.
988 "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
989 # generated.
990 "importTime": "A String", # Output only. The time at which this CryptoKeyVersion's key material
991 # was imported.
992 "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this
993 # CryptoKeyVersion supports.
994 "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
995 "externalProtectionLevelOptions": { # ExternalProtectionLevelOptions stores a group of additional fields for # ExternalProtectionLevelOptions stores a group of additional fields for
996 # configuring a CryptoKeyVersion that are specific to the
997 # EXTERNAL protection level.
998 # configuring a CryptoKeyVersion that are specific to the
999 # EXTERNAL protection level.
1000 "externalKeyUri": "A String", # The URI for an external resource that this CryptoKeyVersion represents.
1001 },
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001002 "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
1003 # destroyed. Only present if state is
1004 # DESTROYED.
1005 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001006 "versionTemplate": { # A template describing settings for new CryptoKeyVersion instances.
1007 # The properties of new CryptoKeyVersion instances created by either
1008 # CreateCryptoKeyVersion or
1009 # auto-rotation are controlled by this template.
1010 # A CryptoKeyVersionTemplate specifies the properties to use when creating
1011 # a new CryptoKeyVersion, either manually with CreateCryptoKeyVersion or
1012 # automatically as a result of auto-rotation.
1013 "protectionLevel": "A String", # ProtectionLevel to use when creating a CryptoKeyVersion based on
1014 # this template. Immutable. Defaults to SOFTWARE.
1015 "algorithm": "A String", # Required. Algorithm to use
1016 # when creating a CryptoKeyVersion based on this template.
1017 #
1018 # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
1019 # this field is omitted and CryptoKey.purpose is
1020 # ENCRYPT_DECRYPT.
1021 },
Dan O'Mearadd494642020-05-01 07:42:23 -07001022 "purpose": "A String", # Immutable. The immutable purpose of this CryptoKey.
1023 "createTime": "A String", # Output only. The time at which this CryptoKey was created.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001024 "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
1025 #
1026 # 1. Create a new version of this CryptoKey.
1027 # 2. Mark the new version as primary.
1028 #
1029 # Key rotations performed manually via
1030 # CreateCryptoKeyVersion and
1031 # UpdateCryptoKeyPrimaryVersion
1032 # do not affect next_rotation_time.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001033 #
1034 # Keys with purpose
1035 # ENCRYPT_DECRYPT support
1036 # automatic rotation. For other keys, this field must be omitted.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001037 },
1038 ],
1039 "totalSize": 42, # The total number of CryptoKeys that matched the query.
1040 }</pre>
1041</div>
1042
1043<div class="method">
1044 <code class="details" id="list_next">list_next(previous_request, previous_response)</code>
1045 <pre>Retrieves the next page of results.
1046
1047Args:
1048 previous_request: The request for the previous page. (required)
1049 previous_response: The response from the request for the previous page. (required)
1050
1051Returns:
1052 A request object that you can call 'execute()' on to request the next
1053 page. Returns None if there are no more items in the collection.
1054 </pre>
1055</div>
1056
1057<div class="method">
Dan O'Mearadd494642020-05-01 07:42:23 -07001058 <code class="details" id="patch">patch(name, body=None, updateMask=None, x__xgafv=None)</code>
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001059 <pre>Update a CryptoKey.
1060
1061Args:
1062 name: string, Output only. The resource name for this CryptoKey in the format
1063`projects/*/locations/*/keyRings/*/cryptoKeys/*`. (required)
Dan O'Mearadd494642020-05-01 07:42:23 -07001064 body: object, The request body.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001065 The object takes the form of:
1066
1067{ # A CryptoKey represents a logical key that can be used for cryptographic
1068 # operations.
1069 #
1070 # A CryptoKey is made up of one or more versions, which
1071 # represent the actual key material used in cryptographic operations.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001072 "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
Dan O'Mearadd494642020-05-01 07:42:23 -07001073 # automatically rotates a key. Must be at least 24 hours and at most
1074 # 876,000 hours.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001075 #
1076 # If rotation_period is set, next_rotation_time must also be set.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001077 #
1078 # Keys with purpose
1079 # ENCRYPT_DECRYPT support
1080 # automatic rotation. For other keys, this field must be omitted.
Dan O'Mearadd494642020-05-01 07:42:23 -07001081 "name": "A String", # Output only. The resource name for this CryptoKey in the format
1082 # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
1083 "labels": { # Labels with user-defined metadata. For more information, see
1084 # [Labeling Keys](/kms/docs/labeling-keys).
1085 "a_key": "A String",
1086 },
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001087 "primary": { # Output only. A copy of the "primary" CryptoKeyVersion that will be used
1088 # by Encrypt when this CryptoKey is given
1089 # in EncryptRequest.name.
1090 #
1091 # The CryptoKey's primary version can be updated via
1092 # UpdateCryptoKeyPrimaryVersion.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001093 #
Dan O'Mearadd494642020-05-01 07:42:23 -07001094 # Keys with purpose
1095 # ENCRYPT_DECRYPT may have a
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001096 # primary. For other keys, this field will be omitted.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001097 # A CryptoKeyVersion represents an individual cryptographic key, and the associated key material.
1098 #
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001099 # An ENABLED version can be
1100 # used for cryptographic operations.
1101 #
1102 # For security reasons, the raw cryptographic key material represented by a
1103 # CryptoKeyVersion can never be viewed or exported. It can only be used to
1104 # encrypt, decrypt, or sign data when an authorized user or application invokes
1105 # Cloud KMS.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001106 "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
1107 # for destruction. Only present if state is
1108 # DESTROY_SCHEDULED.
Dan O'Mearadd494642020-05-01 07:42:23 -07001109 "importFailureReason": "A String", # Output only. The root cause of an import failure. Only present if
1110 # state is
1111 # IMPORT_FAILED.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001112 "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
1113 # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001114 "protectionLevel": "A String", # Output only. The ProtectionLevel describing how crypto operations are
1115 # performed with this CryptoKeyVersion.
1116 "attestation": { # Output only. Statement that was generated and signed by the HSM at key
1117 # creation time. Use this statement to verify attributes of the key as stored
1118 # on the HSM, independently of Google. Only provided for key versions with
1119 # protection_level HSM.
1120 # Contains an HSM-generated attestation about a key operation. For more
1121 # information, see [Verifying attestations](https://cloud.google.com/kms/docs/attest-key).
1122 "content": "A String", # Output only. The attestation data provided by the HSM when the key
1123 # operation was performed.
1124 "format": "A String", # Output only. The format of the attestation data.
1125 },
1126 "state": "A String", # The current state of the CryptoKeyVersion.
Dan O'Mearadd494642020-05-01 07:42:23 -07001127 "importJob": "A String", # Output only. The name of the ImportJob used to import this
1128 # CryptoKeyVersion. Only present if the underlying key material was
1129 # imported.
1130 "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
1131 # generated.
1132 "importTime": "A String", # Output only. The time at which this CryptoKeyVersion's key material
1133 # was imported.
1134 "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this
1135 # CryptoKeyVersion supports.
1136 "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
1137 "externalProtectionLevelOptions": { # ExternalProtectionLevelOptions stores a group of additional fields for # ExternalProtectionLevelOptions stores a group of additional fields for
1138 # configuring a CryptoKeyVersion that are specific to the
1139 # EXTERNAL protection level.
1140 # configuring a CryptoKeyVersion that are specific to the
1141 # EXTERNAL protection level.
1142 "externalKeyUri": "A String", # The URI for an external resource that this CryptoKeyVersion represents.
1143 },
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001144 "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
1145 # destroyed. Only present if state is
1146 # DESTROYED.
1147 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001148 "versionTemplate": { # A template describing settings for new CryptoKeyVersion instances.
1149 # The properties of new CryptoKeyVersion instances created by either
1150 # CreateCryptoKeyVersion or
1151 # auto-rotation are controlled by this template.
1152 # A CryptoKeyVersionTemplate specifies the properties to use when creating
1153 # a new CryptoKeyVersion, either manually with CreateCryptoKeyVersion or
1154 # automatically as a result of auto-rotation.
1155 "protectionLevel": "A String", # ProtectionLevel to use when creating a CryptoKeyVersion based on
1156 # this template. Immutable. Defaults to SOFTWARE.
1157 "algorithm": "A String", # Required. Algorithm to use
1158 # when creating a CryptoKeyVersion based on this template.
1159 #
1160 # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
1161 # this field is omitted and CryptoKey.purpose is
1162 # ENCRYPT_DECRYPT.
1163 },
Dan O'Mearadd494642020-05-01 07:42:23 -07001164 "purpose": "A String", # Immutable. The immutable purpose of this CryptoKey.
1165 "createTime": "A String", # Output only. The time at which this CryptoKey was created.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001166 "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
1167 #
1168 # 1. Create a new version of this CryptoKey.
1169 # 2. Mark the new version as primary.
1170 #
1171 # Key rotations performed manually via
1172 # CreateCryptoKeyVersion and
1173 # UpdateCryptoKeyPrimaryVersion
1174 # do not affect next_rotation_time.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001175 #
1176 # Keys with purpose
1177 # ENCRYPT_DECRYPT support
1178 # automatic rotation. For other keys, this field must be omitted.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001179}
1180
Dan O'Mearadd494642020-05-01 07:42:23 -07001181 updateMask: string, Required. List of fields to be updated in this request.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001182 x__xgafv: string, V1 error format.
1183 Allowed values
1184 1 - v1 error format
1185 2 - v2 error format
1186
1187Returns:
1188 An object of the form:
1189
1190 { # A CryptoKey represents a logical key that can be used for cryptographic
1191 # operations.
1192 #
1193 # A CryptoKey is made up of one or more versions, which
1194 # represent the actual key material used in cryptographic operations.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001195 "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
Dan O'Mearadd494642020-05-01 07:42:23 -07001196 # automatically rotates a key. Must be at least 24 hours and at most
1197 # 876,000 hours.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001198 #
1199 # If rotation_period is set, next_rotation_time must also be set.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001200 #
1201 # Keys with purpose
1202 # ENCRYPT_DECRYPT support
1203 # automatic rotation. For other keys, this field must be omitted.
Dan O'Mearadd494642020-05-01 07:42:23 -07001204 "name": "A String", # Output only. The resource name for this CryptoKey in the format
1205 # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
1206 "labels": { # Labels with user-defined metadata. For more information, see
1207 # [Labeling Keys](/kms/docs/labeling-keys).
1208 "a_key": "A String",
1209 },
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001210 "primary": { # Output only. A copy of the "primary" CryptoKeyVersion that will be used
1211 # by Encrypt when this CryptoKey is given
1212 # in EncryptRequest.name.
1213 #
1214 # The CryptoKey's primary version can be updated via
1215 # UpdateCryptoKeyPrimaryVersion.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001216 #
Dan O'Mearadd494642020-05-01 07:42:23 -07001217 # Keys with purpose
1218 # ENCRYPT_DECRYPT may have a
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001219 # primary. For other keys, this field will be omitted.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001220 # A CryptoKeyVersion represents an individual cryptographic key, and the associated key material.
1221 #
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001222 # An ENABLED version can be
1223 # used for cryptographic operations.
1224 #
1225 # For security reasons, the raw cryptographic key material represented by a
1226 # CryptoKeyVersion can never be viewed or exported. It can only be used to
1227 # encrypt, decrypt, or sign data when an authorized user or application invokes
1228 # Cloud KMS.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001229 "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
1230 # for destruction. Only present if state is
1231 # DESTROY_SCHEDULED.
Dan O'Mearadd494642020-05-01 07:42:23 -07001232 "importFailureReason": "A String", # Output only. The root cause of an import failure. Only present if
1233 # state is
1234 # IMPORT_FAILED.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001235 "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
1236 # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001237 "protectionLevel": "A String", # Output only. The ProtectionLevel describing how crypto operations are
1238 # performed with this CryptoKeyVersion.
1239 "attestation": { # Output only. Statement that was generated and signed by the HSM at key
1240 # creation time. Use this statement to verify attributes of the key as stored
1241 # on the HSM, independently of Google. Only provided for key versions with
1242 # protection_level HSM.
1243 # Contains an HSM-generated attestation about a key operation. For more information, see
1244 # [Verifying attestations](https://cloud.google.com/kms/docs/attest-key).
1245 "content": "A String", # Output only. The attestation data provided by the HSM when the key
1246 # operation was performed.
1247 "format": "A String", # Output only. The format of the attestation data.
1248 },
1249 "state": "A String", # The current state of the CryptoKeyVersion.
Dan O'Mearadd494642020-05-01 07:42:23 -07001250 "importJob": "A String", # Output only. The name of the ImportJob used to import this
1251 # CryptoKeyVersion. Only present if the underlying key material was
1252 # imported.
1253 "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
1254 # generated.
1255 "importTime": "A String", # Output only. The time at which this CryptoKeyVersion's key material
1256 # was imported.
1257 "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this
1258 # CryptoKeyVersion supports.
1259 "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
1260 "externalProtectionLevelOptions": { # ExternalProtectionLevelOptions stores a group of additional fields for
1261 # configuring a CryptoKeyVersion that are specific to the
1262 # EXTERNAL protection level.
1265 "externalKeyUri": "A String", # The URI for an external resource that this CryptoKeyVersion represents.
1266 },
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001267 "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
1268 # destroyed. Only present if state is
1269 # DESTROYED.
1270 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001271 "versionTemplate": { # A template describing settings for new CryptoKeyVersion instances.
1272 # The properties of new CryptoKeyVersion instances created by either
1273 # CreateCryptoKeyVersion or
1274 # auto-rotation are controlled by this template.
1275 # A CryptoKeyVersionTemplate specifies the properties to use when creating a new CryptoKeyVersion, either manually with
1276 # CreateCryptoKeyVersion or
1277 # automatically as a result of auto-rotation.
1278 "protectionLevel": "A String", # ProtectionLevel to use when creating a CryptoKeyVersion based on
1279 # this template. Immutable. Defaults to SOFTWARE.
1280 "algorithm": "A String", # Required. Algorithm to use
1281 # when creating a CryptoKeyVersion based on this template.
1282 #
1283 # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
1284 # this field is omitted and CryptoKey.purpose is
1285 # ENCRYPT_DECRYPT.
1286 },
Dan O'Mearadd494642020-05-01 07:42:23 -07001287 "purpose": "A String", # Immutable. The immutable purpose of this CryptoKey.
1288 "createTime": "A String", # Output only. The time at which this CryptoKey was created.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001289 "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
1290 #
1291 # 1. Create a new version of this CryptoKey.
1292 # 2. Mark the new version as primary.
1293 #
1294 # Key rotations performed manually via
1295 # CreateCryptoKeyVersion and
1296 # UpdateCryptoKeyPrimaryVersion
1297 # do not affect next_rotation_time.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001298 #
1299 # Keys with purpose
1300 # ENCRYPT_DECRYPT support
1301 # automatic rotation. For other keys, this field must be omitted.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001302 }</pre>
1303</div>
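A pre-flight check for a `patch` request against the rotation rules stated in the reference above, as an added example that is not part of the original page or the client library. It assumes `rotationPeriod` is sent as a seconds string such as `2592000s` and that a masked field missing from the body is cleared; `check_rotation_patch` and the sample values are hypothetical.

```python
import re

HOUR = 3600
MIN_ROTATION_S = 24 * HOUR        # "Must be at least 24 hours"
MAX_ROTATION_S = 876_000 * HOUR   # "and at most 876,000 hours"
ROTATION_FIELDS = ("rotationPeriod", "nextRotationTime")
# Paths the reference marks "Output only" or "Immutable" on a CryptoKey.
READ_ONLY = {"name", "createTime", "primary", "purpose",
             "versionTemplate.protectionLevel"}

# Constructed sample: a key as a prior get() might return it.
SAMPLE_KEY = {"purpose": "ENCRYPT_DECRYPT", "rotationPeriod": "7776000s",
              "nextRotationTime": "2030-01-01T00:00:00Z"}


def _camel(path):
    """Normalise a mask path so rotation_period and rotationPeriod compare equal."""
    return re.sub(r"_([a-z])", lambda m: m.group(1).upper(), path.strip())


def _duration_seconds(value):
    """Whole seconds from a string like '2592000s' (assumed encoding), else None."""
    match = re.fullmatch(r"(\d+)(?:\.\d+)?s", value)
    return int(match.group(1)) if match else None


def check_rotation_patch(current, body, update_mask):
    """Return the problems found in a patch request; an empty list means none."""
    paths = [_camel(p) for p in (update_mask or "").split(",") if p.strip()]
    if not paths:
        return ["updateMask is required and must list the fields to update"]

    problems = []
    for path in paths:
        if path in READ_ONLY or path.split(".")[0] in READ_ONLY:
            problems.append(f"{path}: output-only or immutable, cannot be patched")
    masked_tops = {p.split(".")[0] for p in paths}
    for field in body:
        if field not in masked_tops:
            problems.append(f"{field}: in body but not in updateMask, so not updated")

    # Rotation settings as they would stand after the patch. Assumption: a masked
    # field that is missing from the body is cleared (usual FieldMask behaviour).
    after = {f: current.get(f) for f in ROTATION_FIELDS}
    for field in ROTATION_FIELDS:
        if field in masked_tops:
            after[field] = body.get(field)

    period, next_time = after["rotationPeriod"], after["nextRotationTime"]
    if (period or next_time) and current.get("purpose") != "ENCRYPT_DECRYPT":
        problems.append("rotation fields must be omitted unless purpose is ENCRYPT_DECRYPT")
    if period:
        seconds = _duration_seconds(period)
        if seconds is None:
            problems.append(f"rotationPeriod {period!r} is not a seconds string like 2592000s")
        elif not MIN_ROTATION_S <= seconds <= MAX_ROTATION_S:
            problems.append("rotationPeriod must be between 24 hours and 876,000 hours")
        if not next_time:
            problems.append("rotationPeriod is set, so nextRotationTime must also be set")
    return problems
```

Running the check against the key as currently stored, rather than the request body alone, is what catches a patch that clears `nextRotationTime` while `rotationPeriod` remains set.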
1304
1305<div class="method">
Dan O'Mearadd494642020-05-01 07:42:23 -07001306 <code class="details" id="setIamPolicy">setIamPolicy(resource, body=None, x__xgafv=None)</code>
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001307 <pre>Sets the access control policy on the specified resource. Replaces any
1308existing policy.
1309
Dan O'Mearadd494642020-05-01 07:42:23 -07001310Can return Public Errors: NOT_FOUND, INVALID_ARGUMENT and PERMISSION_DENIED
1311
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001312Args:
1313 resource: string, REQUIRED: The resource for which the policy is being specified.
1314See the operation documentation for the appropriate value for this field. (required)
Dan O'Mearadd494642020-05-01 07:42:23 -07001315 body: object, The request body.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001316 The object takes the form of:
1317
1318{ # Request message for `SetIamPolicy` method.
Dan O'Mearadd494642020-05-01 07:42:23 -07001319 "policy": { # REQUIRED: The complete policy to be applied to the `resource`. The size of
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001320 # the policy is limited to a few 10s of KB. An empty policy is a
1321 # valid policy but certain Cloud Platform services (such as Projects)
1322 # might reject them.
Dan O'Mearadd494642020-05-01 07:42:23 -07001323 # An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001324 #
1325 #
Dan O'Mearadd494642020-05-01 07:42:23 -07001326 # A `Policy` is a collection of `bindings`. A `binding` binds one or more
1327 # `members` to a single `role`. Members can be user accounts, service accounts,
1328 # Google groups, and domains (such as G Suite). A `role` is a named list of
1329 # permissions; each `role` can be an IAM predefined role or a user-created
1330 # custom role.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001331 #
Dan O'Mearadd494642020-05-01 07:42:23 -07001332 # Optionally, a `binding` can specify a `condition`, which is a logical
1333 # expression that allows access to a resource only if the expression evaluates
1334 # to `true`. A condition can add constraints based on attributes of the
1335 # request, the resource, or both.
1336 #
1337 # **JSON example:**
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001338 #
1339 # {
1340 # "bindings": [
1341 # {
Dan O'Mearadd494642020-05-01 07:42:23 -07001342 # "role": "roles/resourcemanager.organizationAdmin",
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001343 # "members": [
1344 # "user:mike@example.com",
1345 # "group:admins@example.com",
1346 # "domain:google.com",
Dan O'Mearadd494642020-05-01 07:42:23 -07001347 # "serviceAccount:my-project-id@appspot.gserviceaccount.com"
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001348 # ]
1349 # },
1350 # {
Dan O'Mearadd494642020-05-01 07:42:23 -07001351 # "role": "roles/resourcemanager.organizationViewer",
1352 # "members": ["user:eve@example.com"],
1353 # "condition": {
1354 # "title": "expirable access",
1355 # "description": "Does not grant access after Sep 2020",
1356 # "expression": "request.time &lt; timestamp('2020-10-01T00:00:00.000Z')"
1357 # }
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001358 # }
Dan O'Mearadd494642020-05-01 07:42:23 -07001359 # ],
1360 # "etag": "BwWWja0YfJA=",
1361 # "version": 3
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001362 # }
1363 #
Dan O'Mearadd494642020-05-01 07:42:23 -07001364 # **YAML example:**
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001365 #
1366 # bindings:
1367 # - members:
1368 # - user:mike@example.com
1369 # - group:admins@example.com
1370 # - domain:google.com
Dan O'Mearadd494642020-05-01 07:42:23 -07001371 # - serviceAccount:my-project-id@appspot.gserviceaccount.com
1372 # role: roles/resourcemanager.organizationAdmin
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001373 # - members:
Dan O'Mearadd494642020-05-01 07:42:23 -07001374 # - user:eve@example.com
1375 # role: roles/resourcemanager.organizationViewer
1376 # condition:
1377 # title: expirable access
1378 # description: Does not grant access after Sep 2020
1379 # expression: request.time &lt; timestamp('2020-10-01T00:00:00.000Z')
1380 # etag: BwWWja0YfJA=
1381 # version: 3
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001382 #
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001383 # For a description of IAM and its features, see the
Dan O'Mearadd494642020-05-01 07:42:23 -07001384 # [IAM documentation](https://cloud.google.com/iam/docs/).
1385 "bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a
1386 # `condition` that determines how and when the `bindings` are applied. Each
1387 # of the `bindings` must contain at least one member.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001388 { # Associates `members` with a `role`.
1389 "role": "A String", # Role that is assigned to `members`.
1390 # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
Dan O'Mearadd494642020-05-01 07:42:23 -07001391 "condition": { # The condition that is associated with this binding.
1392 # NOTE: An unsatisfied condition will not allow user access via current
1393 # binding. Different bindings, including their conditions, are examined
1394 # independently.
1395 # Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL
1396 # are documented at https://github.com/google/cel-spec.
1397 #
1398 # Example (Comparison):
1399 #
1400 # title: "Summary size limit"
1401 # description: "Determines if a summary is less than 100 chars"
1402 # expression: "document.summary.size() &lt; 100"
1403 #
1404 # Example (Equality):
1405 #
1406 # title: "Requestor is owner"
1407 # description: "Determines if requestor is the document owner"
1408 # expression: "document.owner == request.auth.claims.email"
1409 #
1410 # Example (Logic):
1411 #
1412 # title: "Public documents"
1413 # description: "Determine whether the document should be publicly visible"
1414 # expression: "document.type != 'private' &amp;&amp; document.type != 'internal'"
1415 #
1416 # Example (Data Manipulation):
1417 #
1418 # title: "Notification string"
1419 # description: "Create a notification string with a timestamp."
1420 # expression: "'New message received at ' + string(document.create_time)"
1421 #
1422 # The exact variables and functions that may be referenced within an expression
1423 # are determined by the service that evaluates it. See the service
1424 # documentation for additional information.
1425 "location": "A String", # Optional. String indicating the location of the expression for error
1426 # reporting, e.g. a file name and a position in the file.
1427 "expression": "A String", # Textual representation of an expression in Common Expression Language
1428 # syntax.
1429 "description": "A String", # Optional. Description of the expression. This is a longer text which
1430 # describes the expression, e.g. when hovered over it in a UI.
1431 "title": "A String", # Optional. Title for the expression, i.e. a short string describing
1432 # its purpose. This can be used, e.g., in UIs that allow entering the
1433 # expression.
1434 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001435 "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
1436 # `members` can have the following values:
1437 #
1438 # * `allUsers`: A special identifier that represents anyone who is
1439 # on the internet; with or without a Google account.
1440 #
1441 # * `allAuthenticatedUsers`: A special identifier that represents anyone
1442 # who is authenticated with a Google account or a service account.
1443 #
1444 # * `user:{emailid}`: An email address that represents a specific Google
Dan O'Mearadd494642020-05-01 07:42:23 -07001445 # account. For example, `alice@example.com`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001446 #
1447 #
1448 # * `serviceAccount:{emailid}`: An email address that represents a service
1449 # account. For example, `my-other-app@appspot.gserviceaccount.com`.
1450 #
1451 # * `group:{emailid}`: An email address that represents a Google group.
1452 # For example, `admins@example.com`.
1453 #
Dan O'Mearadd494642020-05-01 07:42:23 -07001454 # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
1455 # identifier) representing a user that has been recently deleted. For
1456 # example, `alice@example.com?uid=123456789012345678901`. If the user is
1457 # recovered, this value reverts to `user:{emailid}` and the recovered user
1458 # retains the role in the binding.
1459 #
1460 # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
1461 # unique identifier) representing a service account that has been recently
1462 # deleted. For example,
1463 # `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
1464 # If the service account is undeleted, this value reverts to
1465 # `serviceAccount:{emailid}` and the undeleted service account retains the
1466 # role in the binding.
1467 #
1468 # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
1469 # identifier) representing a Google group that has been recently
1470 # deleted. For example, `admins@example.com?uid=123456789012345678901`. If
1471 # the group is recovered, this value reverts to `group:{emailid}` and the
1472 # recovered group retains the role in the binding.
1473 #
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001474 #
1475 # * `domain:{domain}`: The G Suite domain (primary) that represents all the
1476 # users of that domain. For example, `google.com` or `example.com`.
1477 #
1478 "A String",
1479 ],
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001480 },
1481 ],
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001482 "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
1483 { # Specifies the audit configuration for a service.
Sai Cheemalapatie833b792017-03-24 15:06:46 -07001484 # The configuration determines which permission types are logged, and what
1485 # identities, if any, are exempted from logging.
Sai Cheemalapati4ba8c232017-06-06 18:46:08 -04001486 # An AuditConfig must have one or more AuditLogConfigs.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001487 #
1488 # If there are AuditConfigs for both `allServices` and a specific service,
1489 # the union of the two AuditConfigs is used for that service: the log_types
1490 # specified in each AuditConfig are enabled, and the exempted_members in each
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001491 # AuditLogConfig are exempted.
Sai Cheemalapati4ba8c232017-06-06 18:46:08 -04001492 #
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001493 # Example Policy with multiple AuditConfigs:
Sai Cheemalapati4ba8c232017-06-06 18:46:08 -04001494 #
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001495 # {
Sai Cheemalapati4ba8c232017-06-06 18:46:08 -04001496 # "audit_configs": [
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001497 # {
Sai Cheemalapati4ba8c232017-06-06 18:46:08 -04001498 # "service": "allServices",
1499 # "audit_log_configs": [
1500 # {
1501 # "log_type": "DATA_READ",
1502 # "exempted_members": [
Dan O'Mearadd494642020-05-01 07:42:23 -07001503 # "user:jose@example.com"
Sai Cheemalapati4ba8c232017-06-06 18:46:08 -04001504 # ]
1505 # },
1506 # {
1507 # "log_type": "DATA_WRITE"
1508 # },
1509 # {
1510 # "log_type": "ADMIN_READ"
1511 # }
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001512 # ]
1513 # },
1514 # {
Dan O'Mearadd494642020-05-01 07:42:23 -07001515 # "service": "sampleservice.googleapis.com",
Sai Cheemalapati4ba8c232017-06-06 18:46:08 -04001516 # "audit_log_configs": [
1517 # {
1518 # "log_type": "DATA_READ"
1519 # },
1520 # {
1521 # "log_type": "DATA_WRITE",
1522 # "exempted_members": [
Dan O'Mearadd494642020-05-01 07:42:23 -07001523 # "user:aliya@example.com"
Sai Cheemalapati4ba8c232017-06-06 18:46:08 -04001524 # ]
1525 # }
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001526 # ]
1527 # }
1528 # ]
1529 # }
Sai Cheemalapati4ba8c232017-06-06 18:46:08 -04001530 #
Dan O'Mearadd494642020-05-01 07:42:23 -07001531 # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
1532 # logging. It also exempts jose@example.com from DATA_READ logging, and
1533 # aliya@example.com from DATA_WRITE logging.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001534 "auditLogConfigs": [ # The configuration for logging of each type of permission.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001535 { # Provides the configuration for logging a type of permissions.
1536 # Example:
1537 #
1538 # {
1539 # "audit_log_configs": [
1540 # {
1541 # "log_type": "DATA_READ",
1542 # "exempted_members": [
Dan O'Mearadd494642020-05-01 07:42:23 -07001543 # "user:jose@example.com"
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001544 # ]
1545 # },
1546 # {
1547 # "log_type": "DATA_WRITE"
1548 # }
1549 # ]
1550 # }
1551 #
1552 # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
Dan O'Mearadd494642020-05-01 07:42:23 -07001553 # jose@example.com from DATA_READ logging.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001554 "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
1555 # permission.
1556 # Follows the same format of Binding.members.
1557 "A String",
1558 ],
1559 "logType": "A String", # The log type that this config enables.
1560 },
1561 ],
1562 "service": "A String", # Specifies a service that will be enabled for audit logging.
Sai Cheemalapatie833b792017-03-24 15:06:46 -07001563 # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001564 # `allServices` is a special value that covers all services.
1565 },
1566 ],
Dan O'Mearadd494642020-05-01 07:42:23 -07001567 "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
1568 # prevent simultaneous updates of a policy from overwriting each other.
1569 # It is strongly suggested that systems make use of the `etag` in the
1570 # read-modify-write cycle to perform policy updates in order to avoid race
1571 # conditions: An `etag` is returned in the response to `getIamPolicy`, and
1572 # systems are expected to put that etag in the request to `setIamPolicy` to
1573 # ensure that their change will be applied to the same version of the policy.
1574 #
1575 # **Important:** If you use IAM Conditions, you must include the `etag` field
1576 # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
1577 # you to overwrite a version `3` policy with a version `1` policy, and all of
1578 # the conditions in the version `3` policy are lost.
1579 "version": 42, # Specifies the format of the policy.
1580 #
1581 # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
1582 # are rejected.
1583 #
1584 # Any operation that affects conditional role bindings must specify version
1585 # `3`. This requirement applies to the following operations:
1586 #
1587 # * Getting a policy that includes a conditional role binding
1588 # * Adding a conditional role binding to a policy
1589 # * Changing a conditional role binding in a policy
1590 # * Removing any role binding, with or without a condition, from a policy
1591 # that includes conditions
1592 #
1593 # **Important:** If you use IAM Conditions, you must include the `etag` field
1594 # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
1595 # you to overwrite a version `3` policy with a version `1` policy, and all of
1596 # the conditions in the version `3` policy are lost.
1597 #
1598 # If a policy does not include any conditions, operations on that policy may
1599 # specify any valid version or leave the field unset.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001600 },
1601 "updateMask": "A String", # OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
Sai Cheemalapatie833b792017-03-24 15:06:46 -07001602 # the fields in the mask will be modified. If no mask is provided, the
1603 # following default mask is used:
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001604 # paths: "bindings, etag"
1605 # This field is only used by Cloud IAM.
1606 }
1607
1608 x__xgafv: string, V1 error format.
1609 Allowed values
1610 1 - v1 error format
1611 2 - v2 error format
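The read-modify-write cycle that the `etag` and `version` notes above call for, as an added example that is not the client library's code. `InMemoryPolicyStore`, `StaleEtag`, `build_grant` and `grant_with_retry` are hypothetical names, and the store is a constructed stand-in that rejects a write carrying a stale `etag`; the public-member guard is a local policy choice, not an API rule.

```python
import copy

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


class StaleEtag(Exception):
    """The etag in the request no longer matches the stored policy."""


class InMemoryPolicyStore:
    """Constructed stand-in for getIamPolicy/setIamPolicy on a single resource."""

    def __init__(self, policy):
        self._rev = 1
        self._policy = dict(copy.deepcopy(policy), etag="rev-1")

    def get_iam_policy(self):
        return copy.deepcopy(self._policy)

    def set_iam_policy(self, body):
        new = copy.deepcopy(body["policy"])
        if new.get("etag") != self._policy["etag"]:
            raise StaleEtag("policy changed since it was read")
        self._rev += 1
        new["etag"] = f"rev-{self._rev}"
        self._policy = new
        return copy.deepcopy(new)


def build_grant(policy, role, member, condition=None):
    """Build a SetIamPolicy request body that adds member to role in a fetched policy."""
    if not policy.get("etag"):
        # Without the etag, a version 1 write can replace a version 3 policy
        # and drop every condition, so refuse to build an unguarded request.
        raise ValueError("fetched policy has no etag")
    if member in PUBLIC_MEMBERS:
        raise ValueError(f"{member} would open the resource to the public")
    new = copy.deepcopy(policy)
    bindings = new.setdefault("bindings", [])
    for binding in bindings:
        # Bindings are examined independently, so role and condition together
        # identify the binding to extend.
        if binding["role"] == role and binding.get("condition") == condition:
            if member not in binding["members"]:
                binding["members"].append(member)
            break
    else:
        binding = {"role": role, "members": [member]}
        if condition:
            binding["condition"] = condition
        bindings.append(binding)
    # Any policy that holds a conditional binding must be written as version 3.
    if any("condition" in b for b in bindings):
        new["version"] = 3
    return {"policy": new}


def grant_with_retry(store, role, member, condition=None, attempts=3, before_write=None):
    """Re-read and rebuild on every attempt so a concurrent change is never overwritten."""
    for _ in range(attempts):
        body = build_grant(store.get_iam_policy(), role, member, condition)
        if before_write:
            before_write()  # hook used here to simulate a concurrent writer
        try:
            return store.set_iam_policy(body)
        except StaleEtag:
            continue
    raise RuntimeError("policy kept changing; gave up")
```

With the real client, the two store methods correspond to `getIamPolicy` and `setIamPolicy` on the resource, and the retry branch is taken when the service rejects the stale `etag`.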
1612
1613Returns:
1614 An object of the form:
1615
Dan O'Mearadd494642020-05-01 07:42:23 -07001616 { # An Identity and Access Management (IAM) policy, which specifies access
1617 # controls for Google Cloud resources.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001618 #
1619 #
Dan O'Mearadd494642020-05-01 07:42:23 -07001620 # A `Policy` is a collection of `bindings`. A `binding` binds one or more
1621 # `members` to a single `role`. Members can be user accounts, service accounts,
1622 # Google groups, and domains (such as G Suite). A `role` is a named list of
1623 # permissions; each `role` can be an IAM predefined role or a user-created
1624 # custom role.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001625 #
Dan O'Mearadd494642020-05-01 07:42:23 -07001626 # Optionally, a `binding` can specify a `condition`, which is a logical
1627 # expression that allows access to a resource only if the expression evaluates
1628 # to `true`. A condition can add constraints based on attributes of the
1629 # request, the resource, or both.
1630 #
1631 # **JSON example:**
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001632 #
1633 # {
1634 # "bindings": [
1635 # {
Dan O'Mearadd494642020-05-01 07:42:23 -07001636 # "role": "roles/resourcemanager.organizationAdmin",
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001637 # "members": [
1638 # "user:mike@example.com",
1639 # "group:admins@example.com",
1640 # "domain:google.com",
Dan O'Mearadd494642020-05-01 07:42:23 -07001641 # "serviceAccount:my-project-id@appspot.gserviceaccount.com"
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001642 # ]
1643 # },
1644 # {
Dan O'Mearadd494642020-05-01 07:42:23 -07001645 # "role": "roles/resourcemanager.organizationViewer",
1646 # "members": ["user:eve@example.com"],
1647 # "condition": {
1648 # "title": "expirable access",
1649 # "description": "Does not grant access after Sep 2020",
1650 # "expression": "request.time &lt; timestamp('2020-10-01T00:00:00.000Z')"
1651 # }
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001652 # }
Dan O'Mearadd494642020-05-01 07:42:23 -07001653 # ],
1654 # "etag": "BwWWja0YfJA=",
1655 # "version": 3
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001656 # }
1657 #
Dan O'Mearadd494642020-05-01 07:42:23 -07001658 # **YAML example:**
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001659 #
1660 # bindings:
1661 # - members:
1662 # - user:mike@example.com
1663 # - group:admins@example.com
1664 # - domain:google.com
Dan O'Mearadd494642020-05-01 07:42:23 -07001665 # - serviceAccount:my-project-id@appspot.gserviceaccount.com
1666 # role: roles/resourcemanager.organizationAdmin
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001667 # - members:
Dan O'Mearadd494642020-05-01 07:42:23 -07001668 # - user:eve@example.com
1669 # role: roles/resourcemanager.organizationViewer
1670 # condition:
1671 # title: expirable access
1672 # description: Does not grant access after Sep 2020
1673 # expression: request.time &lt; timestamp('2020-10-01T00:00:00.000Z')
1674 # etag: BwWWja0YfJA=
1675 # version: 3
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001676 #
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001677 # For a description of IAM and its features, see the
Dan O'Mearadd494642020-05-01 07:42:23 -07001678 # [IAM documentation](https://cloud.google.com/iam/docs/).
1679 "bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a
1680 # `condition` that determines how and when the `bindings` are applied. Each
1681 # of the `bindings` must contain at least one member.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001682 { # Associates `members` with a `role`.
1683 "role": "A String", # Role that is assigned to `members`.
1684 # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
Dan O'Mearadd494642020-05-01 07:42:23 -07001685 "condition": { # The condition that is associated with this binding.
1686 # NOTE: An unsatisfied condition will not allow user access via current
1687 # binding. Different bindings, including their conditions, are examined
1688 # independently.
1689 # Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL
1690 # are documented at https://github.com/google/cel-spec.
1691 #
1692 # Example (Comparison):
1693 #
1694 # title: "Summary size limit"
1695 # description: "Determines if a summary is less than 100 chars"
1696 # expression: "document.summary.size() &lt; 100"
1697 #
1698 # Example (Equality):
1699 #
1700 # title: "Requestor is owner"
1701 # description: "Determines if requestor is the document owner"
1702 # expression: "document.owner == request.auth.claims.email"
1703 #
1704 # Example (Logic):
1705 #
1706 # title: "Public documents"
1707 # description: "Determine whether the document should be publicly visible"
1708 # expression: "document.type != 'private' &amp;&amp; document.type != 'internal'"
1709 #
1710 # Example (Data Manipulation):
1711 #
1712 # title: "Notification string"
1713 # description: "Create a notification string with a timestamp."
1714 # expression: "'New message received at ' + string(document.create_time)"
1715 #
1716 # The exact variables and functions that may be referenced within an expression
1717 # are determined by the service that evaluates it. See the service
1718 # documentation for additional information.
1719 "location": "A String", # Optional. String indicating the location of the expression for error
1720 # reporting, e.g. a file name and a position in the file.
1721 "expression": "A String", # Textual representation of an expression in Common Expression Language
1722 # syntax.
1723 "description": "A String", # Optional. Description of the expression. This is a longer text which
1724 # describes the expression, e.g. when hovered over it in a UI.
1725 "title": "A String", # Optional. Title for the expression, i.e. a short string describing
1726 # its purpose. This can be used, e.g., in UIs that allow entering the
1727 # expression.
1728 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001729 "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
1730 # `members` can have the following values:
1731 #
1732 # * `allUsers`: A special identifier that represents anyone who is
1733 # on the internet; with or without a Google account.
1734 #
1735 # * `allAuthenticatedUsers`: A special identifier that represents anyone
1736 # who is authenticated with a Google account or a service account.
1737 #
1738 # * `user:{emailid}`: An email address that represents a specific Google
Dan O'Mearadd494642020-05-01 07:42:23 -07001739 # account. For example, `alice@example.com`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001740 #
1741 #
1742 # * `serviceAccount:{emailid}`: An email address that represents a service
1743 # account. For example, `my-other-app@appspot.gserviceaccount.com`.
1744 #
1745 # * `group:{emailid}`: An email address that represents a Google group.
1746 # For example, `admins@example.com`.
1747 #
Dan O'Mearadd494642020-05-01 07:42:23 -07001748 # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
1749 # identifier) representing a user that has been recently deleted. For
1750 # example, `alice@example.com?uid=123456789012345678901`. If the user is
1751 # recovered, this value reverts to `user:{emailid}` and the recovered user
1752 # retains the role in the binding.
1753 #
1754 # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
1755 # unique identifier) representing a service account that has been recently
1756 # deleted. For example,
1757 # `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
1758 # If the service account is undeleted, this value reverts to
1759 # `serviceAccount:{emailid}` and the undeleted service account retains the
1760 # role in the binding.
1761 #
1762 # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
1763 # identifier) representing a Google group that has been recently
1764 # deleted. For example, `admins@example.com?uid=123456789012345678901`. If
1765 # the group is recovered, this value reverts to `group:{emailid}` and the
1766 # recovered group retains the role in the binding.
1767 #
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001768 #
1769 # * `domain:{domain}`: The G Suite domain (primary) that represents all the
1770 # users of that domain. For example, `google.com` or `example.com`.
1771 #
1772 "A String",
1773 ],
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001774 },
1775 ],
      "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
        { # Specifies the audit configuration for a service.
            # The configuration determines which permission types are logged, and what
            # identities, if any, are exempted from logging.
            # An AuditConfig must have one or more AuditLogConfigs.
            #
            # If there are AuditConfigs for both `allServices` and a specific service,
            # the union of the two AuditConfigs is used for that service: the log_types
            # specified in each AuditConfig are enabled, and the exempted_members in each
            # AuditLogConfig are exempted.
            #
            # Example Policy with multiple AuditConfigs:
            #
            #     {
            #       "audit_configs": [
            #         {
            #           "service": "allServices",
            #           "audit_log_configs": [
            #             {
            #               "log_type": "DATA_READ",
            #               "exempted_members": [
            #                 "user:jose@example.com"
            #               ]
            #             },
            #             {
            #               "log_type": "DATA_WRITE"
            #             },
            #             {
            #               "log_type": "ADMIN_READ"
            #             }
            #           ]
            #         },
            #         {
            #           "service": "sampleservice.googleapis.com",
            #           "audit_log_configs": [
            #             {
            #               "log_type": "DATA_READ"
            #             },
            #             {
            #               "log_type": "DATA_WRITE",
            #               "exempted_members": [
            #                 "user:aliya@example.com"
            #               ]
            #             }
            #           ]
            #         }
            #       ]
            #     }
            #
            # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
            # logging. It also exempts jose@example.com from DATA_READ logging, and
            # aliya@example.com from DATA_WRITE logging.
          "auditLogConfigs": [ # The configuration for logging of each type of permission.
            { # Provides the configuration for logging a type of permissions.
                # Example:
                #
                #     {
                #       "audit_log_configs": [
                #         {
                #           "log_type": "DATA_READ",
                #           "exempted_members": [
                #             "user:jose@example.com"
                #           ]
                #         },
                #         {
                #           "log_type": "DATA_WRITE"
                #         }
                #       ]
                #     }
                #
                # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
                # jose@example.com from DATA_READ logging.
              "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
                  # permission.
                  # Follows the same format as Binding.members.
                "A String",
              ],
              "logType": "A String", # The log type that this config enables.
            },
          ],
          "service": "A String", # Specifies a service that will be enabled for audit logging.
              # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
              # `allServices` is a special value that covers all services.
        },
      ],
      "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
          # prevent simultaneous updates of a policy from overwriting each other.
          # It is strongly suggested that systems make use of the `etag` in the
          # read-modify-write cycle to perform policy updates in order to avoid race
          # conditions: An `etag` is returned in the response to `getIamPolicy`, and
          # systems are expected to put that etag in the request to `setIamPolicy` to
          # ensure that their change will be applied to the same version of the policy.
          #
          # **Important:** If you use IAM Conditions, you must include the `etag` field
          # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
          # you to overwrite a version `3` policy with a version `1` policy, and all of
          # the conditions in the version `3` policy are lost.
      "version": 42, # Specifies the format of the policy.
          #
          # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
          # are rejected.
          #
          # Any operation that affects conditional role bindings must specify version
          # `3`. This requirement applies to the following operations:
          #
          # * Getting a policy that includes a conditional role binding
          # * Adding a conditional role binding to a policy
          # * Changing a conditional role binding in a policy
          # * Removing any role binding, with or without a condition, from a policy
          #   that includes conditions
          #
          # **Important:** If you use IAM Conditions, you must include the `etag` field
          # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
          # you to overwrite a version `3` policy with a version `1` policy, and all of
          # the conditions in the version `3` policy are lost.
          #
          # If a policy does not include any conditions, operations on that policy may
          # specify any valid version or leave the field unset.
    }</pre>
</div>
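<p>The union rule for <code>allServices</code> and per-service AuditConfigs described above, worked through as an added example (not part of the generated API reference or the client library). It uses the camelCase field names from the schema on this page; the function names and the sample policy are constructed for illustration.</p>

```python
from collections import defaultdict

# Constructed sample: the page's example policy, with the schema's field names.
POLICY = {
    "auditConfigs": [
        {"service": "allServices",
         "auditLogConfigs": [
             {"logType": "DATA_READ", "exemptedMembers": ["user:jose@example.com"]},
             {"logType": "DATA_WRITE"},
             {"logType": "ADMIN_READ"},
         ]},
        {"service": "sampleservice.googleapis.com",
         "auditLogConfigs": [
             {"logType": "DATA_READ"},
             {"logType": "DATA_WRITE", "exemptedMembers": ["user:aliya@example.com"]},
         ]},
    ]
}


def effective_audit_config(policy, service):
    """Return {log_type: set(exempted members)} in force for `service`.

    Both the `allServices` entry and the entry naming the service apply;
    enabled log types and exempted members are unioned across them.
    """
    effective = defaultdict(set)
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") not in ("allServices", service):
            continue
        for log_cfg in cfg.get("auditLogConfigs", []):
            effective[log_cfg["logType"]].update(log_cfg.get("exemptedMembers", []))
    return dict(effective)


def logging_gaps(policy, service, required=("ADMIN_READ", "DATA_READ", "DATA_WRITE")):
    """Review findings: log types that are not enabled, and identities whose
    activity is exempt from logging for this service."""
    effective = effective_audit_config(policy, service)
    findings = [f"{t} not enabled for {service}" for t in required if t not in effective]
    for log_type, members in sorted(effective.items()):
        for member in sorted(members):
            findings.append(f"{member} exempt from {log_type} on {service}")
    return findings


if __name__ == "__main__":
    for finding in logging_gaps(POLICY, "sampleservice.googleapis.com"):
        print(finding)
```

<p>An exemption attached only to <code>allServices</code> still applies to every individual service, so review exemptions against the merged result rather than one AuditConfig at a time.</p>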
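<p>The <code>etag</code> read-modify-write cycle described above, as an added example that is not part of the generated API reference. <code>FakePolicyStore</code> is a constructed in-memory stand-in for <code>getIamPolicy</code>/<code>setIamPolicy</code>, and <code>add_member</code> and its <code>before_write</code> hook are hypothetical names; the stand-in only models the behaviour this page states (stale etags are rejected, a request without an etag overwrites the stored policy).</p>

```python
import copy
import itertools


class Conflict(Exception):
    """Raised by the stand-in store when the caller's etag is stale."""


class FakePolicyStore:
    """Constructed in-memory stand-in for getIamPolicy/setIamPolicy (not the real API)."""

    def __init__(self, policy):
        self._counter = itertools.count(1)
        self._policy = dict(copy.deepcopy(policy), etag=self._next_etag())

    def _next_etag(self):
        return f"etag-{next(self._counter)}"

    def get(self):
        return copy.deepcopy(self._policy)

    def set(self, policy):
        # A request carrying an etag is applied only to the version it was read from.
        if "etag" in policy and policy["etag"] != self._policy["etag"]:
            raise Conflict("policy changed since it was read")
        # Without an etag the write is applied blindly: the overwrite the page warns about.
        self._policy = dict(copy.deepcopy(policy), etag=self._next_etag())
        return self.get()


def has_conditions(policy):
    return any("condition" in b for b in policy.get("bindings", []))


def add_member(store, role, member, attempts=3, before_write=None):
    """Read-modify-write: echo the etag back and keep version 3 if conditions exist."""
    for _ in range(attempts):
        policy = store.get()                  # response includes the current etag
        for binding in policy.setdefault("bindings", []):
            if binding["role"] == role and "condition" not in binding:
                if member not in binding["members"]:
                    binding["members"].append(member)
                break
        else:
            policy["bindings"].append({"role": role, "members": [member]})
        if has_conditions(policy):
            policy["version"] = 3             # required when conditional bindings exist
        if before_write:
            before_write()                    # hook used to simulate a concurrent writer
        try:
            return store.set(policy)          # etag from get() is still in the request
        except Conflict:
            continue                          # re-read and re-apply on the fresh policy
    raise Conflict(f"gave up after {attempts} attempts")
```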
<div class="method">
    <code class="details" id="testIamPermissions">testIamPermissions(resource, body=None, x__xgafv=None)</code>
  <pre>Returns permissions that a caller has on the specified resource.
If the resource does not exist, this will return an empty set of
permissions, not a NOT_FOUND error.

Note: This operation is designed to be used for building permission-aware
UIs and command-line tools, not for authorization checking. This operation
may "fail open" without warning.

Args:
  resource: string, REQUIRED: The resource for which the policy detail is being requested.
See the operation documentation for the appropriate value for this field. (required)
  body: object, The request body.
    The object takes the form of:

{ # Request message for `TestIamPermissions` method.
    "permissions": [ # The set of permissions to check for the `resource`. Permissions with
        # wildcards (such as '*' or 'storage.*') are not allowed. For more
        # information see
        # [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).
      "A String",
    ],
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Response message for `TestIamPermissions` method.
    "permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is
        # allowed.
      "A String",
    ],
  }</pre>
</div>
<div class="method">
    <code class="details" id="updatePrimaryVersion">updatePrimaryVersion(name, body=None, x__xgafv=None)</code>
  <pre>Update the version of a CryptoKey that will be used in Encrypt.

Returns an error if called on an asymmetric key.

Args:
  name: string, Required. The resource name of the CryptoKey to update. (required)
  body: object, The request body.
    The object takes the form of:

{ # Request message for KeyManagementService.UpdateCryptoKeyPrimaryVersion.
    "cryptoKeyVersionId": "A String", # Required. The id of the child CryptoKeyVersion to use as primary.
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A CryptoKey represents a logical key that can be used for cryptographic
        # operations.
        #
        # A CryptoKey is made up of one or more versions, which
        # represent the actual key material used in cryptographic operations.
      "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
          # automatically rotates a key. Must be at least 24 hours and at most
          # 876,000 hours.
          #
          # If rotation_period is set, next_rotation_time must also be set.
          #
          # Keys with purpose ENCRYPT_DECRYPT support
          # automatic rotation. For other keys, this field must be omitted.
      "name": "A String", # Output only. The resource name for this CryptoKey in the format
          # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
      "labels": { # Labels with user-defined metadata. For more information, see
          # [Labeling Keys](/kms/docs/labeling-keys).
        "a_key": "A String",
      },
      "primary": { # Output only. A copy of the "primary" CryptoKeyVersion that will be used
          # by Encrypt when this CryptoKey is given in EncryptRequest.name.
          #
          # The CryptoKey's primary version can be updated via
          # UpdateCryptoKeyPrimaryVersion.
          #
          # Keys with purpose ENCRYPT_DECRYPT may have a
          # primary. For other keys, this field will be omitted.
          #
          # A CryptoKeyVersion represents an individual cryptographic key, and the
          # associated key material.
          #
          # An ENABLED version can be used for cryptographic operations.
          #
          # For security reasons, the raw cryptographic key material represented by a
          # CryptoKeyVersion can never be viewed or exported. It can only be used to
          # encrypt, decrypt, or sign data when an authorized user or application invokes
          # Cloud KMS.
        "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
            # for destruction. Only present if state is
            # DESTROY_SCHEDULED.
        "importFailureReason": "A String", # Output only. The root cause of an import failure. Only present if
            # state is
            # IMPORT_FAILED.
        "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
            # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
        "protectionLevel": "A String", # Output only. The ProtectionLevel describing how crypto operations are
            # performed with this CryptoKeyVersion.
        "attestation": { # Output only. Statement that was generated and signed by the HSM at key
            # creation time. Use this statement to verify attributes of the key as stored
            # on the HSM, independently of Google. Only provided for key versions with
            # protection_level HSM.
            #
            # Contains an HSM-generated attestation about a key operation. For more
            # information, see [Verifying attestations]
            # (https://cloud.google.com/kms/docs/attest-key).
          "content": "A String", # Output only. The attestation data provided by the HSM when the key
              # operation was performed.
          "format": "A String", # Output only. The format of the attestation data.
        },
        "state": "A String", # The current state of the CryptoKeyVersion.
        "importJob": "A String", # Output only. The name of the ImportJob used to import this
            # CryptoKeyVersion. Only present if the underlying key material was
            # imported.
        "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
            # generated.
        "importTime": "A String", # Output only. The time at which this CryptoKeyVersion's key material
            # was imported.
        "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this
            # CryptoKeyVersion supports.
        "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
        "externalProtectionLevelOptions": { # ExternalProtectionLevelOptions stores a group of additional fields for
            # configuring a CryptoKeyVersion that are specific to the
            # EXTERNAL protection level.
          "externalKeyUri": "A String", # The URI for an external resource that this CryptoKeyVersion represents.
        },
        "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
            # destroyed. Only present if state is
            # DESTROYED.
      },
      "versionTemplate": { # A template describing settings for new CryptoKeyVersion instances.
          # The properties of new CryptoKeyVersion instances created by either
          # CreateCryptoKeyVersion or
          # auto-rotation are controlled by this template.
          #
          # A CryptoKeyVersionTemplate specifies the properties to use when creating
          # a new CryptoKeyVersion, either manually with
          # CreateCryptoKeyVersion or
          # automatically as a result of auto-rotation.
        "protectionLevel": "A String", # ProtectionLevel to use when creating a CryptoKeyVersion based on
            # this template. Immutable. Defaults to SOFTWARE.
        "algorithm": "A String", # Required. Algorithm to use
            # when creating a CryptoKeyVersion based on this template.
            #
            # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
            # this field is omitted and CryptoKey.purpose is
            # ENCRYPT_DECRYPT.
      },
      "purpose": "A String", # Immutable. The immutable purpose of this CryptoKey.
      "createTime": "A String", # Output only. The time at which this CryptoKey was created.
      "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
          #
          # 1. Create a new version of this CryptoKey.
          # 2. Mark the new version as primary.
          #
          # Key rotations performed manually via
          # CreateCryptoKeyVersion and
          # UpdateCryptoKeyPrimaryVersion
          # do not affect next_rotation_time.
          #
          # Keys with purpose ENCRYPT_DECRYPT support
          # automatic rotation. For other keys, this field must be omitted.
    }</pre>
</div>

</body></html>