<html><body>
<style>

body, h1, h2, h3, div, span, p, pre, a {
  margin: 0;
  padding: 0;
  border: 0;
  font-weight: inherit;
  font-style: inherit;
  font-size: 100%;
  font-family: inherit;
  vertical-align: baseline;
}

body {
  font-size: 13px;
  padding: 1em;
}

h1 {
  font-size: 26px;
  margin-bottom: 1em;
}

h2 {
  font-size: 24px;
  margin-bottom: 1em;
}

h3 {
  font-size: 20px;
  margin-bottom: 1em;
  margin-top: 1em;
}

pre, code {
  line-height: 1.5;
  font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
}

pre {
  margin-top: 0.5em;
}

h1, h2, h3, p {
  font-family: Arial, sans-serif;
}

h1, h2, h3 {
  border-bottom: solid #CCC 1px;
}

.toc_element {
  margin-top: 0.5em;
}

.firstline {
  margin-left: 2em;
}

.method {
  margin-top: 1em;
  border: solid 1px #CCC;
  padding: 1em;
  background: #EEE;
}

.details {
  font-weight: bold;
  font-size: 14px;
}

</style>

<h1><a href="cloudkms_v1.html">Cloud Key Management Service (KMS) API</a> . <a href="cloudkms_v1.projects.html">projects</a> . <a href="cloudkms_v1.projects.locations.html">locations</a> . <a href="cloudkms_v1.projects.locations.keyRings.html">keyRings</a> . <a href="cloudkms_v1.projects.locations.keyRings.cryptoKeys.html">cryptoKeys</a></h1>
<h2>Instance Methods</h2>
<p class="toc_element">
  <code><a href="cloudkms_v1.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.html">cryptoKeyVersions()</a></code>
</p>
<p class="firstline">Returns the cryptoKeyVersions Resource.</p>

<p class="toc_element">
  <code><a href="#create">create(parent, body=None, cryptoKeyId=None, skipInitialVersionCreation=None, x__xgafv=None)</a></code></p>
<p class="firstline">Create a new CryptoKey within a KeyRing.</p>
<p class="toc_element">
  <code><a href="#decrypt">decrypt(name, body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Decrypts data that was protected by Encrypt. The CryptoKey.purpose must be ENCRYPT_DECRYPT.</p>
<p class="toc_element">
  <code><a href="#encrypt">encrypt(name, body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Encrypts data, so that it can only be recovered by a call to Decrypt.</p>
<p class="toc_element">
  <code><a href="#get">get(name, x__xgafv=None)</a></code></p>
<p class="firstline">Returns metadata for a given CryptoKey, as well as its primary CryptoKeyVersion.</p>
<p class="toc_element">
  <code><a href="#getIamPolicy">getIamPolicy(resource, options_requestedPolicyVersion=None, x__xgafv=None)</a></code></p>
<p class="firstline">Gets the access control policy for a resource.</p>
<p class="toc_element">
  <code><a href="#list">list(parent, orderBy=None, pageToken=None, pageSize=None, versionView=None, filter=None, x__xgafv=None)</a></code></p>
<p class="firstline">Lists CryptoKeys.</p>
<p class="toc_element">
  <code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p>
<p class="firstline">Retrieves the next page of results.</p>
<p class="toc_element">
  <code><a href="#patch">patch(name, body=None, updateMask=None, x__xgafv=None)</a></code></p>
<p class="firstline">Update a CryptoKey.</p>
<p class="toc_element">
  <code><a href="#setIamPolicy">setIamPolicy(resource, body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Sets the access control policy on the specified resource. Replaces any</p>
<p class="toc_element">
  <code><a href="#testIamPermissions">testIamPermissions(resource, body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Returns permissions that a caller has on the specified resource.</p>
<p class="toc_element">
  <code><a href="#updatePrimaryVersion">updatePrimaryVersion(name, body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Update the version of a CryptoKey that will be used in Encrypt.</p>
<h3>Method Details</h3>
<div class="method">
    <code class="details" id="create">create(parent, body=None, cryptoKeyId=None, skipInitialVersionCreation=None, x__xgafv=None)</code>
  <pre>Create a new CryptoKey within a KeyRing.

CryptoKey.purpose and
CryptoKey.version_template.algorithm
are required.

Args:
  parent: string, Required. The name of the KeyRing associated with the
CryptoKeys. (required)
  body: object, The request body.
    The object takes the form of:

{ # A CryptoKey represents a logical key that can be used for cryptographic
    # operations.
    #
    # A CryptoKey is made up of zero or more versions,
    # which represent the actual key material used in cryptographic operations.
  &quot;labels&quot;: { # Labels with user-defined metadata. For more information, see
      # [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys).
    &quot;a_key&quot;: &quot;A String&quot;,
  },
  &quot;purpose&quot;: &quot;A String&quot;, # Immutable. The immutable purpose of this CryptoKey.
  &quot;createTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKey was created.
  &quot;name&quot;: &quot;A String&quot;, # Output only. The resource name for this CryptoKey in the format
      # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
  &quot;primary&quot;: { # Output only. A copy of the &quot;primary&quot; CryptoKeyVersion that will be used
      # by Encrypt when this CryptoKey is given
      # in EncryptRequest.name.
      #
      # The CryptoKey&#x27;s primary version can be updated via
      # UpdateCryptoKeyPrimaryVersion.
      #
      # Keys with purpose
      # ENCRYPT_DECRYPT may have a
      # primary. For other keys, this field will be omitted.
      #
      # A CryptoKeyVersion represents an individual cryptographic key, and the
      # associated key material.
      #
      # An ENABLED version can be
      # used for cryptographic operations.
      #
      # For security reasons, the raw cryptographic key material represented by a
      # CryptoKeyVersion can never be viewed or exported. It can only be used to
      # encrypt, decrypt, or sign data when an authorized user or application invokes
      # Cloud KMS.
    &quot;generateTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material was
        # generated.
    &quot;name&quot;: &quot;A String&quot;, # Output only. The resource name for this CryptoKeyVersion in the format
        # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
    &quot;importTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKeyVersion&#x27;s key material
        # was imported.
    &quot;importFailureReason&quot;: &quot;A String&quot;, # Output only. The root cause of an import failure. Only present if
        # state is
        # IMPORT_FAILED.
    &quot;state&quot;: &quot;A String&quot;, # The current state of the CryptoKeyVersion.
    &quot;attestation&quot;: { # Output only. Statement that was generated and signed by the HSM at key
        # creation time. Use this statement to verify attributes of the key as stored
        # on the HSM, independently of Google. Only provided for key versions with
        # protection_level HSM.
        #
        # Contains an HSM-generated attestation about a key operation. For more
        # information, see [Verifying attestations]
        # (https://cloud.google.com/kms/docs/attest-key).
      &quot;format&quot;: &quot;A String&quot;, # Output only. The format of the attestation data.
      &quot;content&quot;: &quot;A String&quot;, # Output only. The attestation data provided by the HSM when the key
          # operation was performed.
    },
    &quot;createTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKeyVersion was created.
    &quot;destroyTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material is scheduled
        # for destruction. Only present if state is
        # DESTROY_SCHEDULED.
    &quot;destroyEventTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material was
        # destroyed. Only present if state is
        # DESTROYED.
    &quot;protectionLevel&quot;: &quot;A String&quot;, # Output only. The ProtectionLevel describing how crypto operations are
        # performed with this CryptoKeyVersion.
    &quot;externalProtectionLevelOptions&quot;: { # ExternalProtectionLevelOptions stores a group of additional fields for
        # configuring a CryptoKeyVersion that are specific to the
        # EXTERNAL protection level.
      &quot;externalKeyUri&quot;: &quot;A String&quot;, # The URI for an external resource that this CryptoKeyVersion represents.
    },
    &quot;importJob&quot;: &quot;A String&quot;, # Output only. The name of the ImportJob used to import this
        # CryptoKeyVersion. Only present if the underlying key material was
        # imported.
    &quot;algorithm&quot;: &quot;A String&quot;, # Output only. The CryptoKeyVersionAlgorithm that this
        # CryptoKeyVersion supports.
  },
  &quot;versionTemplate&quot;: { # A template describing settings for new CryptoKeyVersion instances.
      # The properties of new CryptoKeyVersion instances created by either
      # CreateCryptoKeyVersion or
      # auto-rotation are controlled by this template.
      #
      # A CryptoKeyVersionTemplate specifies the properties to use when creating
      # a new CryptoKeyVersion, either manually with
      # CreateCryptoKeyVersion or
      # automatically as a result of auto-rotation.
    &quot;algorithm&quot;: &quot;A String&quot;, # Required. Algorithm to use
        # when creating a CryptoKeyVersion based on this template.
        #
        # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
        # this field is omitted and CryptoKey.purpose is
        # ENCRYPT_DECRYPT.
    &quot;protectionLevel&quot;: &quot;A String&quot;, # ProtectionLevel to use when creating a CryptoKeyVersion based on
        # this template. Immutable. Defaults to SOFTWARE.
  },
  &quot;rotationPeriod&quot;: &quot;A String&quot;, # next_rotation_time will be advanced by this period when the service
      # automatically rotates a key. Must be at least 24 hours and at most
      # 876,000 hours.
      #
      # If rotation_period is set, next_rotation_time must also be set.
      #
      # Keys with purpose
      # ENCRYPT_DECRYPT support
      # automatic rotation. For other keys, this field must be omitted.
  &quot;nextRotationTime&quot;: &quot;A String&quot;, # At next_rotation_time, the Key Management Service will automatically:
      #
      # 1. Create a new version of this CryptoKey.
      # 2. Mark the new version as primary.
      #
      # Key rotations performed manually via
      # CreateCryptoKeyVersion and
      # UpdateCryptoKeyPrimaryVersion
      # do not affect next_rotation_time.
      #
      # Keys with purpose
      # ENCRYPT_DECRYPT support
      # automatic rotation. For other keys, this field must be omitted.
}

  cryptoKeyId: string, Required. It must be unique within a KeyRing and match the regular
expression `[a-zA-Z0-9_-]{1,63}`
  skipInitialVersionCreation: boolean, If set to true, the request will create a CryptoKey without any
CryptoKeyVersions. You must manually call
CreateCryptoKeyVersion or
ImportCryptoKeyVersion
before you can use this CryptoKey.
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A CryptoKey represents a logical key that can be used for cryptographic
        # operations.
        #
        # A CryptoKey is made up of zero or more versions,
        # which represent the actual key material used in cryptographic operations.
      &quot;labels&quot;: { # Labels with user-defined metadata. For more information, see
          # [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys).
        &quot;a_key&quot;: &quot;A String&quot;,
      },
      &quot;purpose&quot;: &quot;A String&quot;, # Immutable. The immutable purpose of this CryptoKey.
      &quot;createTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKey was created.
      &quot;name&quot;: &quot;A String&quot;, # Output only. The resource name for this CryptoKey in the format
          # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
      &quot;primary&quot;: { # Output only. A copy of the &quot;primary&quot; CryptoKeyVersion that will be used
          # by Encrypt when this CryptoKey is given
          # in EncryptRequest.name.
          #
          # The CryptoKey&#x27;s primary version can be updated via
          # UpdateCryptoKeyPrimaryVersion.
          #
          # Keys with purpose
          # ENCRYPT_DECRYPT may have a
          # primary. For other keys, this field will be omitted.
          #
          # A CryptoKeyVersion represents an individual cryptographic key, and the
          # associated key material.
          #
          # An ENABLED version can be
          # used for cryptographic operations.
          #
          # For security reasons, the raw cryptographic key material represented by a
          # CryptoKeyVersion can never be viewed or exported. It can only be used to
          # encrypt, decrypt, or sign data when an authorized user or application invokes
          # Cloud KMS.
        &quot;generateTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material was
            # generated.
        &quot;name&quot;: &quot;A String&quot;, # Output only. The resource name for this CryptoKeyVersion in the format
            # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
        &quot;importTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKeyVersion&#x27;s key material
            # was imported.
        &quot;importFailureReason&quot;: &quot;A String&quot;, # Output only. The root cause of an import failure. Only present if
            # state is
            # IMPORT_FAILED.
        &quot;state&quot;: &quot;A String&quot;, # The current state of the CryptoKeyVersion.
        &quot;attestation&quot;: { # Output only. Statement that was generated and signed by the HSM at key
            # creation time. Use this statement to verify attributes of the key as stored
            # on the HSM, independently of Google. Only provided for key versions with
            # protection_level HSM.
            #
            # Contains an HSM-generated attestation about a key operation. For more
            # information, see [Verifying attestations]
            # (https://cloud.google.com/kms/docs/attest-key).
          &quot;format&quot;: &quot;A String&quot;, # Output only. The format of the attestation data.
          &quot;content&quot;: &quot;A String&quot;, # Output only. The attestation data provided by the HSM when the key
              # operation was performed.
        },
        &quot;createTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKeyVersion was created.
        &quot;destroyTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material is scheduled
            # for destruction. Only present if state is
            # DESTROY_SCHEDULED.
        &quot;destroyEventTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material was
            # destroyed. Only present if state is
            # DESTROYED.
        &quot;protectionLevel&quot;: &quot;A String&quot;, # Output only. The ProtectionLevel describing how crypto operations are
            # performed with this CryptoKeyVersion.
        &quot;externalProtectionLevelOptions&quot;: { # ExternalProtectionLevelOptions stores a group of additional fields for
            # configuring a CryptoKeyVersion that are specific to the
            # EXTERNAL protection level.
          &quot;externalKeyUri&quot;: &quot;A String&quot;, # The URI for an external resource that this CryptoKeyVersion represents.
        },
        &quot;importJob&quot;: &quot;A String&quot;, # Output only. The name of the ImportJob used to import this
            # CryptoKeyVersion. Only present if the underlying key material was
            # imported.
        &quot;algorithm&quot;: &quot;A String&quot;, # Output only. The CryptoKeyVersionAlgorithm that this
            # CryptoKeyVersion supports.
      },
      &quot;versionTemplate&quot;: { # A template describing settings for new CryptoKeyVersion instances.
          # The properties of new CryptoKeyVersion instances created by either
          # CreateCryptoKeyVersion or
          # auto-rotation are controlled by this template.
          #
          # A CryptoKeyVersionTemplate specifies the properties to use when creating
          # a new CryptoKeyVersion, either manually with
          # CreateCryptoKeyVersion or
          # automatically as a result of auto-rotation.
        &quot;algorithm&quot;: &quot;A String&quot;, # Required. Algorithm to use
            # when creating a CryptoKeyVersion based on this template.
            #
            # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
            # this field is omitted and CryptoKey.purpose is
            # ENCRYPT_DECRYPT.
        &quot;protectionLevel&quot;: &quot;A String&quot;, # ProtectionLevel to use when creating a CryptoKeyVersion based on
            # this template. Immutable. Defaults to SOFTWARE.
      },
      &quot;rotationPeriod&quot;: &quot;A String&quot;, # next_rotation_time will be advanced by this period when the service
          # automatically rotates a key. Must be at least 24 hours and at most
          # 876,000 hours.
          #
          # If rotation_period is set, next_rotation_time must also be set.
          #
          # Keys with purpose
          # ENCRYPT_DECRYPT support
          # automatic rotation. For other keys, this field must be omitted.
      &quot;nextRotationTime&quot;: &quot;A String&quot;, # At next_rotation_time, the Key Management Service will automatically:
          #
          # 1. Create a new version of this CryptoKey.
          # 2. Mark the new version as primary.
          #
          # Key rotations performed manually via
          # CreateCryptoKeyVersion and
          # UpdateCryptoKeyPrimaryVersion
          # do not affect next_rotation_time.
          #
          # Keys with purpose
          # ENCRYPT_DECRYPT support
          # automatic rotation. For other keys, this field must be omitted.
    }</pre>
</div>

<div class="method">
    <code class="details" id="decrypt">decrypt(name, body=None, x__xgafv=None)</code>
  <pre>Decrypts data that was protected by Encrypt. The CryptoKey.purpose
must be ENCRYPT_DECRYPT.

Args:
  name: string, Required. The resource name of the CryptoKey to use for decryption.
The server will choose the appropriate version. (required)
  body: object, The request body.
    The object takes the form of:

{ # Request message for KeyManagementService.Decrypt.
    &quot;ciphertextCrc32c&quot;: &quot;A String&quot;, # Optional. An optional CRC32C checksum of the DecryptRequest.ciphertext. If
        # specified, KeyManagementService will verify the integrity of the
        # received DecryptRequest.ciphertext using this checksum.
        # KeyManagementService will report an error if the checksum verification
        # fails. If you receive a checksum error, your client should verify that
        # CRC32C(DecryptRequest.ciphertext) is equal to
        # DecryptRequest.ciphertext_crc32c, and if so, perform a limited number
        # of retries. A persistent mismatch may indicate an issue in your computation
        # of the CRC32C checksum.
        # Note: This field is defined as int64 for reasons of compatibility across
        # different languages. However, it is a non-negative integer, which will
        # never exceed 2^32-1, and can be safely downconverted to uint32 in languages
        # that support this type.
        #
        # NOTE: This field is in Beta.
    &quot;additionalAuthenticatedData&quot;: &quot;A String&quot;, # Optional. Optional data that must match the data originally supplied in
        # EncryptRequest.additional_authenticated_data.
    &quot;ciphertext&quot;: &quot;A String&quot;, # Required. The encrypted data originally returned in
        # EncryptResponse.ciphertext.
    &quot;additionalAuthenticatedDataCrc32c&quot;: &quot;A String&quot;, # Optional. An optional CRC32C checksum of the
        # DecryptRequest.additional_authenticated_data. If specified,
        # KeyManagementService will verify the integrity of the received
        # DecryptRequest.additional_authenticated_data using this checksum.
        # KeyManagementService will report an error if the checksum verification
        # fails. If you receive a checksum error, your client should verify that
        # CRC32C(DecryptRequest.additional_authenticated_data) is equal to
        # DecryptRequest.additional_authenticated_data_crc32c, and if so, perform
        # a limited number of retries. A persistent mismatch may indicate an issue in
        # your computation of the CRC32C checksum.
        # Note: This field is defined as int64 for reasons of compatibility across
        # different languages. However, it is a non-negative integer, which will
        # never exceed 2^32-1, and can be safely downconverted to uint32 in languages
        # that support this type.
        #
        # NOTE: This field is in Beta.
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Response message for KeyManagementService.Decrypt.
      &quot;plaintextCrc32c&quot;: &quot;A String&quot;, # Integrity verification field. A CRC32C checksum of the returned
          # DecryptResponse.plaintext. An integrity check of
          # DecryptResponse.plaintext can be performed by computing the CRC32C
          # checksum of DecryptResponse.plaintext and comparing your results to
          # this field. Discard the response in case of non-matching checksum values,
          # and perform a limited number of retries. A persistent mismatch may indicate
          # an issue in your computation of the CRC32C checksum. Note: receiving this
          # response message indicates that KeyManagementService is able to
          # successfully decrypt the ciphertext.
          # Note: This field is defined as int64 for reasons of compatibility across
          # different languages. However, it is a non-negative integer, which will
          # never exceed 2^32-1, and can be safely downconverted to uint32 in languages
          # that support this type.
          #
          # NOTE: This field is in Beta.
      &quot;plaintext&quot;: &quot;A String&quot;, # The decrypted data originally supplied in EncryptRequest.plaintext.
    }</pre>
</div>

451<div class="method">
Dan O'Mearadd494642020-05-01 07:42:23 -0700452 <code class="details" id="encrypt">encrypt(name, body=None, x__xgafv=None)</code>
Sai Cheemalapati4ba8c232017-06-06 18:46:08 -0400453 <pre>Encrypts data, so that it can only be recovered by a call to Decrypt.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700454The CryptoKey.purpose must be
455ENCRYPT_DECRYPT.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -0400456
457Args:
458 name: string, Required. The resource name of the CryptoKey or CryptoKeyVersion
459to use for encryption.
460
461If a CryptoKey is specified, the server will use its
462primary version. (required)
Dan O'Mearadd494642020-05-01 07:42:23 -0700463 body: object, The request body.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -0400464 The object takes the form of:
465
466{ # Request message for KeyManagementService.Encrypt.
Bu Sun Kimd059ad82020-07-22 17:02:09 -0700467 &quot;plaintextCrc32c&quot;: &quot;A String&quot;, # Optional. An optional CRC32C checksum of the EncryptRequest.plaintext. If
468 # specified, KeyManagementService will verify the integrity of the
469 # received EncryptRequest.plaintext using this checksum.
470 # KeyManagementService will report an error if the checksum verification
471 # fails. If you receive a checksum error, your client should verify that
472 # CRC32C(EncryptRequest.plaintext) is equal to
473 # EncryptRequest.plaintext_crc32c, and if so, perform a limited number of
474 # retries. A persistent mismatch may indicate an issue in your computation of
475 # the CRC32C checksum.
476 # Note: This field is defined as int64 for reasons of compatibility across
477 # different languages. However, it is a non-negative integer, which will
478 # never exceed 2^32-1, and can be safely downconverted to uint32 in languages
479 # that support this type.
480 #
481 # NOTE: This field is in Beta.
Bu Sun Kim65020912020-05-20 12:08:20 -0700482 &quot;plaintext&quot;: &quot;A String&quot;, # Required. The data to encrypt. Must be no larger than 64KiB.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700483 #
Bu Sun Kim65020912020-05-20 12:08:20 -0700484 # The maximum size depends on the key version&#x27;s
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700485 # protection_level. For
486 # SOFTWARE keys, the plaintext must be no larger
487 # than 64KiB. For HSM keys, the combined length of the
488 # plaintext and additional_authenticated_data fields must be no larger than
489 # 8KiB.
Bu Sun Kim65020912020-05-20 12:08:20 -0700490 &quot;additionalAuthenticatedData&quot;: &quot;A String&quot;, # Optional. Optional data that, if specified, must also be provided during decryption
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700491 # through DecryptRequest.additional_authenticated_data.
492 #
Bu Sun Kim65020912020-05-20 12:08:20 -0700493 # The maximum size depends on the key version&#x27;s
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700494 # protection_level. For
495 # SOFTWARE keys, the AAD must be no larger than
496 # 64KiB. For HSM keys, the combined length of the
497 # plaintext and additional_authenticated_data fields must be no larger than
498 # 8KiB.
Bu Sun Kimd059ad82020-07-22 17:02:09 -0700499 &quot;additionalAuthenticatedDataCrc32c&quot;: &quot;A String&quot;, # Optional. An optional CRC32C checksum of the
500 # EncryptRequest.additional_authenticated_data. If specified,
501 # KeyManagementService will verify the integrity of the received
          # EncryptRequest.additional_authenticated_data using this checksum.
          # KeyManagementService will report an error if the checksum verification
          # fails. If you receive a checksum error, your client should verify that
          # CRC32C(EncryptRequest.additional_authenticated_data) is equal to
          # EncryptRequest.additional_authenticated_data_crc32c, and if so, perform
          # a limited number of retries. A persistent mismatch may indicate an issue in
          # your computation of the CRC32C checksum.
          # Note: This field is defined as int64 for reasons of compatibility across
          # different languages. However, it is a non-negative integer, which will
          # never exceed 2^32-1, and can be safely downconverted to uint32 in languages
          # that support this type.
          #
          # NOTE: This field is in Beta.
    }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Response message for KeyManagementService.Encrypt.
      &quot;verifiedAdditionalAuthenticatedDataCrc32c&quot;: True or False, # Integrity verification field. A flag indicating whether
          # EncryptRequest.additional_authenticated_data_crc32c was received by
          # KeyManagementService and used for the integrity verification of the
          # AAD. A false value of this field indicates either that
          # EncryptRequest.additional_authenticated_data_crc32c was left unset or
          # that it was not delivered to KeyManagementService. If you&#x27;ve set
          # EncryptRequest.additional_authenticated_data_crc32c but this field is
          # still false, discard the response and perform a limited number of retries.
          #
          # NOTE: This field is in Beta.
      &quot;ciphertextCrc32c&quot;: &quot;A String&quot;, # Integrity verification field. A CRC32C checksum of the returned
          # EncryptResponse.ciphertext. An integrity check of
          # EncryptResponse.ciphertext can be performed by computing the CRC32C
          # checksum of EncryptResponse.ciphertext and comparing your results to
          # this field. Discard the response in case of non-matching checksum values,
          # and perform a limited number of retries. A persistent mismatch may indicate
          # an issue in your computation of the CRC32C checksum.
          # Note: This field is defined as int64 for reasons of compatibility across
          # different languages. However, it is a non-negative integer, which will
          # never exceed 2^32-1, and can be safely downconverted to uint32 in languages
          # that support this type.
          #
          # NOTE: This field is in Beta.
      &quot;verifiedPlaintextCrc32c&quot;: True or False, # Integrity verification field. A flag indicating whether
          # EncryptRequest.plaintext_crc32c was received by
          # KeyManagementService and used for the integrity verification of the
          # plaintext. A false value of this field
          # indicates either that EncryptRequest.plaintext_crc32c was left unset or
          # that it was not delivered to KeyManagementService. If you&#x27;ve set
          # EncryptRequest.plaintext_crc32c but this field is still false, discard
          # the response and perform a limited number of retries.
          #
          # NOTE: This field is in Beta.
      &quot;ciphertext&quot;: &quot;A String&quot;, # The encrypted data.
      &quot;name&quot;: &quot;A String&quot;, # The resource name of the CryptoKeyVersion used in encryption. Check
          # this field to verify that the intended resource was used for encryption.
    }</pre>
</div>
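<p>The integrity fields of the Encrypt request and response described above, worked through as an added example (not part of the generated reference or of the client library). It assumes a hypothetical <code>call(name, body)</code> callable that wraps the client's <code>encrypt</code> method and returns the response dict; <code>make_fake_kms</code> is a constructed stand-in so the block runs offline, and the key name is a constructed sample.</p>

```python
import base64

_POLY = 0x82F63B78  # reflected CRC-32C (Castagnoli) polynomial


def _table_entry(n):
    for _ in range(8):
        n = (n >> 1) ^ _POLY if n & 1 else n >> 1
    return n


_TABLE = [_table_entry(n) for n in range(256)]


def crc32c(data: bytes) -> int:
    """CRC32C of data: a non-negative integer that never exceeds 2**32 - 1."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc = _TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


class IntegrityError(Exception):
    """The response must be discarded; a limited retry is appropriate."""


class WrongKeyError(Exception):
    """The response names a CryptoKeyVersion outside the intended CryptoKey."""


def build_encrypt_body(plaintext: bytes, aad: bytes = b"") -> dict:
    """Request body with checksums; int64 fields travel as decimal strings."""
    body = {
        "plaintext": base64.b64encode(plaintext).decode("ascii"),
        "plaintextCrc32c": str(crc32c(plaintext)),
    }
    if aad:
        body["additionalAuthenticatedData"] = base64.b64encode(aad).decode("ascii")
        body["additionalAuthenticatedDataCrc32c"] = str(crc32c(aad))
    return body


def check_encrypt_response(key_name: str, body: dict, response: dict) -> bytes:
    """Return the ciphertext bytes if every integrity field checks out."""
    if not response.get("name", "").startswith(key_name + "/cryptoKeyVersions/"):
        raise WrongKeyError(response.get("name"))
    if "plaintextCrc32c" in body and not response.get("verifiedPlaintextCrc32c"):
        raise IntegrityError("plaintext checksum was not used by the service")
    if ("additionalAuthenticatedDataCrc32c" in body
            and not response.get("verifiedAdditionalAuthenticatedDataCrc32c")):
        raise IntegrityError("AAD checksum was not used by the service")
    ciphertext = base64.b64decode(response["ciphertext"])
    if int(response.get("ciphertextCrc32c", -1)) != crc32c(ciphertext):
        raise IntegrityError("ciphertext does not match ciphertextCrc32c")
    return ciphertext


def encrypt_with_integrity(call, key_name, plaintext, aad=b"", max_attempts=3):
    """call(name, body) -> response dict; retried only on IntegrityError."""
    body = build_encrypt_body(plaintext, aad)
    last = None
    for _ in range(max_attempts):
        try:
            return check_encrypt_response(key_name, body, call(key_name, body))
        except IntegrityError as exc:
            last = exc  # discard the response and try again
    raise IntegrityError(f"gave up after {max_attempts} attempts: {last}")


# Constructed sample: a stand-in for the service that performs no real
# encryption and corrupts the ciphertext of its first `corrupt_first` replies.
KEY = "projects/example/locations/global/keyRings/ring/cryptoKeys/key"


def make_fake_kms(corrupt_first=0):
    state = {"calls": 0}

    def call(name, body):
        state["calls"] += 1
        ciphertext = b"CT:" + base64.b64decode(body["plaintext"])[::-1]
        checksum = crc32c(ciphertext)
        if state["calls"] <= corrupt_first:
            ciphertext = b"X" + ciphertext[1:]  # damaged after checksumming
        return {
            "name": name + "/cryptoKeyVersions/1",
            "ciphertext": base64.b64encode(ciphertext).decode("ascii"),
            "ciphertextCrc32c": str(checksum),
            "verifiedPlaintextCrc32c": "plaintextCrc32c" in body,
            "verifiedAdditionalAuthenticatedDataCrc32c":
                "additionalAuthenticatedDataCrc32c" in body,
        }

    call.state = state
    return call
```

<p>A name mismatch is raised as <code>WrongKeyError</code> and is not retried, because it means a different resource was used rather than that data was damaged in transit.</p>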

<div class="method">
    <code class="details" id="get">get(name, x__xgafv=None)</code>
  <pre>Returns metadata for a given CryptoKey, as well as its
primary CryptoKeyVersion.

Args:
  name: string, Required. The name of the CryptoKey to get. (required)
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A CryptoKey represents a logical key that can be used for cryptographic
        # operations.
        #
        # A CryptoKey is made up of zero or more versions,
        # which represent the actual key material used in cryptographic operations.
      &quot;labels&quot;: { # Labels with user-defined metadata. For more information, see
          # [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys).
        &quot;a_key&quot;: &quot;A String&quot;,
      },
      &quot;purpose&quot;: &quot;A String&quot;, # Immutable. The immutable purpose of this CryptoKey.
      &quot;createTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKey was created.
      &quot;name&quot;: &quot;A String&quot;, # Output only. The resource name for this CryptoKey in the format
          # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
      &quot;primary&quot;: { # Output only. A copy of the &quot;primary&quot; CryptoKeyVersion that will be used
          # by Encrypt when this CryptoKey is given
          # in EncryptRequest.name.
          #
          # The CryptoKey&#x27;s primary version can be updated via
          # UpdateCryptoKeyPrimaryVersion.
          #
          # Keys with purpose ENCRYPT_DECRYPT may have a
          # primary. For other keys, this field will be omitted.
          #
          # A CryptoKeyVersion represents an individual cryptographic key, and the
          # associated key material.
          #
          # An ENABLED version can be used for cryptographic operations.
          #
          # For security reasons, the raw cryptographic key material represented by a
          # CryptoKeyVersion can never be viewed or exported. It can only be used to
          # encrypt, decrypt, or sign data when an authorized user or application invokes
          # Cloud KMS.
        &quot;generateTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material was
            # generated.
        &quot;name&quot;: &quot;A String&quot;, # Output only. The resource name for this CryptoKeyVersion in the format
            # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
        &quot;importTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKeyVersion&#x27;s key material
            # was imported.
        &quot;importFailureReason&quot;: &quot;A String&quot;, # Output only. The root cause of an import failure. Only present if
            # state is IMPORT_FAILED.
        &quot;state&quot;: &quot;A String&quot;, # The current state of the CryptoKeyVersion.
        &quot;attestation&quot;: { # Output only. Statement that was generated and signed by the HSM at key
            # creation time. Use this statement to verify attributes of the key as stored
            # on the HSM, independently of Google. Only provided for key versions with
            # protection_level HSM.
            #
            # Contains an HSM-generated attestation about a key operation. For more
            # information, see [Verifying attestations]
            # (https://cloud.google.com/kms/docs/attest-key).
          &quot;format&quot;: &quot;A String&quot;, # Output only. The format of the attestation data.
          &quot;content&quot;: &quot;A String&quot;, # Output only. The attestation data provided by the HSM when the key
              # operation was performed.
        },
        &quot;createTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKeyVersion was created.
        &quot;destroyTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material is scheduled
            # for destruction. Only present if state is
            # DESTROY_SCHEDULED.
        &quot;destroyEventTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material was
            # destroyed. Only present if state is
            # DESTROYED.
        &quot;protectionLevel&quot;: &quot;A String&quot;, # Output only. The ProtectionLevel describing how crypto operations are
            # performed with this CryptoKeyVersion.
        &quot;externalProtectionLevelOptions&quot;: { # ExternalProtectionLevelOptions stores a group of additional fields for
            # configuring a CryptoKeyVersion that are specific to the
            # EXTERNAL protection level.
          &quot;externalKeyUri&quot;: &quot;A String&quot;, # The URI for an external resource that this CryptoKeyVersion represents.
        },
        &quot;importJob&quot;: &quot;A String&quot;, # Output only. The name of the ImportJob used to import this
            # CryptoKeyVersion. Only present if the underlying key material was
            # imported.
        &quot;algorithm&quot;: &quot;A String&quot;, # Output only. The CryptoKeyVersionAlgorithm that this
            # CryptoKeyVersion supports.
      },
      &quot;versionTemplate&quot;: { # A template describing settings for new CryptoKeyVersion instances.
          # The properties of new CryptoKeyVersion instances created by either
          # CreateCryptoKeyVersion or
          # auto-rotation are controlled by this template.
          #
          # A CryptoKeyVersionTemplate specifies the properties to use when creating
          # a new CryptoKeyVersion, either manually with
          # CreateCryptoKeyVersion or
          # automatically as a result of auto-rotation.
        &quot;algorithm&quot;: &quot;A String&quot;, # Required. Algorithm to use
            # when creating a CryptoKeyVersion based on this template.
            #
            # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
            # this field is omitted and CryptoKey.purpose is
            # ENCRYPT_DECRYPT.
        &quot;protectionLevel&quot;: &quot;A String&quot;, # ProtectionLevel to use when creating a CryptoKeyVersion based on
            # this template. Immutable. Defaults to SOFTWARE.
      },
      &quot;rotationPeriod&quot;: &quot;A String&quot;, # next_rotation_time will be advanced by this period when the service
          # automatically rotates a key. Must be at least 24 hours and at most
          # 876,000 hours.
          #
          # If rotation_period is set, next_rotation_time must also be set.
          #
          # Keys with purpose ENCRYPT_DECRYPT support
          # automatic rotation. For other keys, this field must be omitted.
      &quot;nextRotationTime&quot;: &quot;A String&quot;, # At next_rotation_time, the Key Management Service will automatically:
          #
          # 1. Create a new version of this CryptoKey.
          # 2. Mark the new version as primary.
          #
          # Key rotations performed manually via
          # CreateCryptoKeyVersion and
          # UpdateCryptoKeyPrimaryVersion
          # do not affect next_rotation_time.
          #
          # Keys with purpose ENCRYPT_DECRYPT support
          # automatic rotation. For other keys, this field must be omitted.
    }</pre>
</div>

<div class="method">
    <code class="details" id="getIamPolicy">getIamPolicy(resource, options_requestedPolicyVersion=None, x__xgafv=None)</code>
  <pre>Gets the access control policy for a resource.
Returns an empty policy if the resource exists and does not have a policy
set.

Args:
  resource: string, REQUIRED: The resource for which the policy is being requested.
See the operation documentation for the appropriate value for this field. (required)
  options_requestedPolicyVersion: integer, Optional. The policy format version to be returned.

Valid values are 0, 1, and 3. Requests specifying an invalid value will be
rejected.

Requests for policies with any conditional bindings must specify version 3.
Policies without any conditional bindings may specify any valid value or
leave the field unset.

To learn which resources support conditions in their IAM policies, see the
[IAM
documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # An Identity and Access Management (IAM) policy, which specifies access
        # controls for Google Cloud resources.
        #
        # A `Policy` is a collection of `bindings`. A `binding` binds one or more
        # `members` to a single `role`. Members can be user accounts, service accounts,
        # Google groups, and domains (such as G Suite). A `role` is a named list of
        # permissions; each `role` can be an IAM predefined role or a user-created
        # custom role.
        #
        # For some types of Google Cloud resources, a `binding` can also specify a
        # `condition`, which is a logical expression that allows access to a resource
        # only if the expression evaluates to `true`. A condition can add constraints
        # based on attributes of the request, the resource, or both. To learn which
        # resources support conditions in their IAM policies, see the
        # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
        #
        # **JSON example:**
        #
        #     {
        #       &quot;bindings&quot;: [
        #         {
        #           &quot;role&quot;: &quot;roles/resourcemanager.organizationAdmin&quot;,
        #           &quot;members&quot;: [
        #             &quot;user:mike@example.com&quot;,
        #             &quot;group:admins@example.com&quot;,
        #             &quot;domain:google.com&quot;,
        #             &quot;serviceAccount:my-project-id@appspot.gserviceaccount.com&quot;
        #           ]
        #         },
        #         {
        #           &quot;role&quot;: &quot;roles/resourcemanager.organizationViewer&quot;,
        #           &quot;members&quot;: [
        #             &quot;user:eve@example.com&quot;
        #           ],
        #           &quot;condition&quot;: {
        #             &quot;title&quot;: &quot;expirable access&quot;,
        #             &quot;description&quot;: &quot;Does not grant access after Sep 2020&quot;,
        #             &quot;expression&quot;: &quot;request.time &lt; timestamp(&#x27;2020-10-01T00:00:00.000Z&#x27;)&quot;
        #           }
        #         }
        #       ],
        #       &quot;etag&quot;: &quot;BwWWja0YfJA=&quot;,
        #       &quot;version&quot;: 3
        #     }
        #
        # **YAML example:**
        #
        #     bindings:
        #     - members:
        #       - user:mike@example.com
        #       - group:admins@example.com
        #       - domain:google.com
        #       - serviceAccount:my-project-id@appspot.gserviceaccount.com
        #       role: roles/resourcemanager.organizationAdmin
        #     - members:
        #       - user:eve@example.com
        #       role: roles/resourcemanager.organizationViewer
        #       condition:
        #         title: expirable access
        #         description: Does not grant access after Sep 2020
        #         expression: request.time &lt; timestamp(&#x27;2020-10-01T00:00:00.000Z&#x27;)
        #     etag: BwWWja0YfJA=
        #     version: 3
        #
        # For a description of IAM and its features, see the
        # [IAM documentation](https://cloud.google.com/iam/docs/).
      &quot;etag&quot;: &quot;A String&quot;, # `etag` is used for optimistic concurrency control as a way to help
          # prevent simultaneous updates of a policy from overwriting each other.
          # It is strongly suggested that systems make use of the `etag` in the
          # read-modify-write cycle to perform policy updates in order to avoid race
          # conditions: An `etag` is returned in the response to `getIamPolicy`, and
          # systems are expected to put that etag in the request to `setIamPolicy` to
          # ensure that their change will be applied to the same version of the policy.
          #
          # **Important:** If you use IAM Conditions, you must include the `etag` field
          # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
          # you to overwrite a version `3` policy with a version `1` policy, and all of
          # the conditions in the version `3` policy are lost.
      &quot;version&quot;: 42, # Specifies the format of the policy.
          #
          # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
          # are rejected.
          #
          # Any operation that affects conditional role bindings must specify version
          # `3`. This requirement applies to the following operations:
          #
          # * Getting a policy that includes a conditional role binding
          # * Adding a conditional role binding to a policy
          # * Changing a conditional role binding in a policy
          # * Removing any role binding, with or without a condition, from a policy
          #   that includes conditions
          #
          # **Important:** If you use IAM Conditions, you must include the `etag` field
          # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
          # you to overwrite a version `3` policy with a version `1` policy, and all of
          # the conditions in the version `3` policy are lost.
          #
          # If a policy does not include any conditions, operations on that policy may
          # specify any valid version or leave the field unset.
          #
          # To learn which resources support conditions in their IAM policies, see the
          # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
      &quot;bindings&quot;: [ # Associates a list of `members` to a `role`. Optionally, may specify a
          # `condition` that determines how and when the `bindings` are applied. Each
          # of the `bindings` must contain at least one member.
        { # Associates `members` with a `role`.
          &quot;role&quot;: &quot;A String&quot;, # Role that is assigned to `members`.
              # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
          &quot;condition&quot;: { # The condition that is associated with this binding.
              #
              # If the condition evaluates to `true`, then this binding applies to the
              # current request.
              #
              # If the condition evaluates to `false`, then this binding does not apply to
              # the current request. However, a different role binding might grant the same
              # role to one or more of the members in this binding.
              #
              # To learn which resources support conditions in their IAM policies, see the
              # [IAM
              # documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
              #
              # Represents a textual expression in the Common Expression Language (CEL)
              # syntax. CEL is a C-like expression language. The syntax and semantics of CEL
              # are documented at https://github.com/google/cel-spec.
              #
              # Example (Comparison):
              #
              #     title: &quot;Summary size limit&quot;
              #     description: &quot;Determines if a summary is less than 100 chars&quot;
              #     expression: &quot;document.summary.size() &lt; 100&quot;
              #
              # Example (Equality):
              #
              #     title: &quot;Requestor is owner&quot;
              #     description: &quot;Determines if requestor is the document owner&quot;
              #     expression: &quot;document.owner == request.auth.claims.email&quot;
              #
              # Example (Logic):
              #
              #     title: &quot;Public documents&quot;
              #     description: &quot;Determine whether the document should be publicly visible&quot;
              #     expression: &quot;document.type != &#x27;private&#x27; &amp;&amp; document.type != &#x27;internal&#x27;&quot;
              #
              # Example (Data Manipulation):
              #
              #     title: &quot;Notification string&quot;
              #     description: &quot;Create a notification string with a timestamp.&quot;
              #     expression: &quot;&#x27;New message received at &#x27; + string(document.create_time)&quot;
              #
              # The exact variables and functions that may be referenced within an expression
              # are determined by the service that evaluates it. See the service
              # documentation for additional information.
            &quot;description&quot;: &quot;A String&quot;, # Optional. Description of the expression. This is a longer text which
                # describes the expression, e.g. when hovered over in a UI.
            &quot;title&quot;: &quot;A String&quot;, # Optional. Title for the expression, i.e. a short string describing
                # its purpose. This can be used e.g. in UIs that allow entering the
                # expression.
            &quot;expression&quot;: &quot;A String&quot;, # Textual representation of an expression in Common Expression Language
                # syntax.
            &quot;location&quot;: &quot;A String&quot;, # Optional. String indicating the location of the expression for error
                # reporting, e.g. a file name and a position in the file.
          },
          &quot;members&quot;: [ # Specifies the identities requesting access for a Cloud Platform resource.
              # `members` can have the following values:
              #
              # * `allUsers`: A special identifier that represents anyone who is
              #    on the internet; with or without a Google account.
              #
              # * `allAuthenticatedUsers`: A special identifier that represents anyone
              #    who is authenticated with a Google account or a service account.
              #
              # * `user:{emailid}`: An email address that represents a specific Google
              #    account. For example, `alice@example.com`.
              #
              # * `serviceAccount:{emailid}`: An email address that represents a service
              #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
              #
              # * `group:{emailid}`: An email address that represents a Google group.
              #    For example, `admins@example.com`.
              #
              # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
              #    identifier) representing a user that has been recently deleted. For
              #    example, `alice@example.com?uid=123456789012345678901`. If the user is
              #    recovered, this value reverts to `user:{emailid}` and the recovered user
              #    retains the role in the binding.
              #
              # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
              #    unique identifier) representing a service account that has been recently
              #    deleted. For example,
              #    `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
              #    If the service account is undeleted, this value reverts to
              #    `serviceAccount:{emailid}` and the undeleted service account retains the
              #    role in the binding.
              #
              # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
              #    identifier) representing a Google group that has been recently
              #    deleted. For example, `admins@example.com?uid=123456789012345678901`. If
              #    the group is recovered, this value reverts to `group:{emailid}` and the
              #    recovered group retains the role in the binding.
              #
              # * `domain:{domain}`: The G Suite domain (primary) that represents all the
              #    users of that domain. For example, `google.com` or `example.com`.
              #
            &quot;A String&quot;,
          ],
        },
      ],
      &quot;auditConfigs&quot;: [ # Specifies cloud audit logging configuration for this policy.
        { # Specifies the audit configuration for a service.
            # The configuration determines which permission types are logged, and what
            # identities, if any, are exempted from logging.
            # An AuditConfig must have one or more AuditLogConfigs.
            #
            # If there are AuditConfigs for both `allServices` and a specific service,
            # the union of the two AuditConfigs is used for that service: the log_types
            # specified in each AuditConfig are enabled, and the exempted_members in each
            # AuditLogConfig are exempted.
            #
            # Example Policy with multiple AuditConfigs:
            #
            #     {
            #       &quot;audit_configs&quot;: [
            #         {
            #           &quot;service&quot;: &quot;allServices&quot;,
            #           &quot;audit_log_configs&quot;: [
            #             {
            #               &quot;log_type&quot;: &quot;DATA_READ&quot;,
            #               &quot;exempted_members&quot;: [
            #                 &quot;user:jose@example.com&quot;
            #               ]
            #             },
            #             {
            #               &quot;log_type&quot;: &quot;DATA_WRITE&quot;
            #             },
            #             {
            #               &quot;log_type&quot;: &quot;ADMIN_READ&quot;
            #             }
            #           ]
            #         },
            #         {
            #           &quot;service&quot;: &quot;sampleservice.googleapis.com&quot;,
            #           &quot;audit_log_configs&quot;: [
            #             {
            #               &quot;log_type&quot;: &quot;DATA_READ&quot;
            #             },
            #             {
            #               &quot;log_type&quot;: &quot;DATA_WRITE&quot;,
            #               &quot;exempted_members&quot;: [
            #                 &quot;user:aliya@example.com&quot;
            #               ]
            #             }
            #           ]
            #         }
            #       ]
            #     }
            #
            # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
            # logging. It also exempts jose@example.com from DATA_READ logging, and
            # aliya@example.com from DATA_WRITE logging.
          &quot;auditLogConfigs&quot;: [ # The configuration for logging of each type of permission.
            { # Provides the configuration for logging a type of permissions.
                # Example:
                #
                #     {
                #       &quot;audit_log_configs&quot;: [
                #         {
                #           &quot;log_type&quot;: &quot;DATA_READ&quot;,
                #           &quot;exempted_members&quot;: [
                #             &quot;user:jose@example.com&quot;
                #           ]
                #         },
                #         {
                #           &quot;log_type&quot;: &quot;DATA_WRITE&quot;
                #         }
                #       ]
                #     }
                #
                # This enables &#x27;DATA_READ&#x27; and &#x27;DATA_WRITE&#x27; logging, while exempting
                # jose@example.com from DATA_READ logging.
              &quot;exemptedMembers&quot;: [ # Specifies the identities that do not cause logging for this type of
                  # permission.
                  # Follows the same format of Binding.members.
                &quot;A String&quot;,
              ],
              &quot;logType&quot;: &quot;A String&quot;, # The log type that this config enables.
            },
          ],
          &quot;service&quot;: &quot;A String&quot;, # Specifies a service that will be enabled for audit logging.
              # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
              # `allServices` is a special value that covers all services.
        },
      ],
    }</pre>
</div>
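<p>The <code>etag</code> read-modify-write cycle described above, as an added example (not part of the generated reference or of the client library). <code>get_policy</code> and <code>set_policy</code> are hypothetical callables that would wrap <code>getIamPolicy</code> (with <code>options_requestedPolicyVersion=3</code>) and <code>setIamPolicy</code>; <code>FakePolicyStore</code> and <code>EtagConflict</code> are constructed stand-ins so the block runs offline.</p>

```python
import copy


class EtagConflict(Exception):
    """The stored policy changed after it was read (constructed error type)."""


class FakePolicyStore:
    """Constructed in-memory model of the etag behaviour described above."""

    def __init__(self, policy):
        self._policy = dict(copy.deepcopy(policy), etag="etag-1")
        self._generation = 1

    def get(self, requested_version=None):
        return copy.deepcopy(self._policy)

    def set(self, policy):
        sent = policy.get("etag")
        if sent is not None and sent != self._policy["etag"]:
            raise EtagConflict(sent)
        # No etag means no concurrency check: the body replaces whatever is
        # stored, including conditional bindings it does not carry.
        self._generation += 1
        self._policy = dict(copy.deepcopy(policy), etag=f"etag-{self._generation}")
        return copy.deepcopy(self._policy)


def grant_role(get_policy, set_policy, role, member, max_attempts=3):
    """Add member to an unconditional binding for role without losing updates."""
    for _ in range(max_attempts):
        policy = get_policy(requested_version=3)  # conditions need version 3
        if not policy.get("etag"):
            raise ValueError("no etag in policy; refusing an unchecked write")
        bindings = policy.setdefault("bindings", [])
        target = next((b for b in bindings
                       if b["role"] == role and "condition" not in b), None)
        if target is None:
            target = {"role": role, "members": []}
            bindings.append(target)
        if member in target["members"]:
            return policy  # nothing to change
        target["members"].append(member)
        policy["version"] = 3  # the etag stays exactly as it was read
        try:
            return set_policy(policy)
        except EtagConflict:
            continue  # re-read, re-apply the change, try again
    raise EtagConflict(f"still conflicting after {max_attempts} attempts")


# Constructed sample policy, shaped like the JSON example above.
SAMPLE_POLICY = {
    "version": 3,
    "bindings": [
        {"role": "roles/resourcemanager.organizationViewer",
         "members": ["user:eve@example.com"],
         "condition": {
             "title": "expirable access",
             "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')"}},
    ],
}


def demo_concurrent_update():
    """Another writer changes the policy between our first read and write."""
    store = FakePolicyStore(SAMPLE_POLICY)
    reads = {"count": 0}

    def racy_get(requested_version=None):
        policy = store.get(requested_version)
        reads["count"] += 1
        if reads["count"] == 1:
            other = store.get(3)
            other["bindings"].append(
                {"role": "roles/editor", "members": ["group:admins@example.com"]})
            store.set(other)
        return policy

    grant_role(racy_get, store.set, "roles/viewer", "user:mike@example.com")
    return store.get(3), reads["count"]
```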
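<p>A review pass over a <code>getIamPolicy</code> response, as an added example (not part of the generated reference). It applies the <code>allServices</code> union rule for audit configs and flags the special member forms listed above. The function names and finding labels are hypothetical, and the sample policy is constructed from the audit example above using the camelCase keys of the response object.</p>

```python
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# The three log types that appear in the audit example above.
LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")


def effective_audit_logging(policy: dict, service: str) -> dict:
    """Map each enabled log type to its exempted members for one service.

    AuditConfigs for `allServices` and for the named service are merged:
    log types from both are enabled and exemptions from both apply.
    """
    enabled = {}
    for config in policy.get("auditConfigs", []):
        if config.get("service") not in ("allServices", service):
            continue
        for log_config in config.get("auditLogConfigs", []):
            exempt = enabled.setdefault(log_config["logType"], set())
            exempt.update(log_config.get("exemptedMembers", []))
    return enabled


def review_policy(policy: dict, service: str) -> list:
    """Return (finding, subject, detail) tuples worth a reviewer's attention."""
    findings = []
    for binding in policy.get("bindings", []):
        scope = "conditional" if "condition" in binding else "unconditional"
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(
                    ("public-member", binding["role"], f"{member} ({scope})"))
            elif member.startswith("deleted:"):
                findings.append(("deleted-member", binding["role"], member))
    effective = effective_audit_logging(policy, service)
    for log_type in LOG_TYPES:
        if log_type not in effective:
            findings.append(("log-type-disabled", service, log_type))
        for member in sorted(effective.get(log_type, ())):
            findings.append(("logging-exemption", log_type, member))
    return findings


# Constructed sample: bindings are invented for illustration; auditConfigs
# mirror the "Example Policy with multiple AuditConfigs" above.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/viewer", "members": ["allUsers", "user:mike@example.com"]},
        {"role": "roles/editor",
         "members": ["deleted:user:alice@example.com?uid=123456789012345678901"]},
    ],
    "auditConfigs": [
        {"service": "allServices", "auditLogConfigs": [
            {"logType": "DATA_READ", "exemptedMembers": ["user:jose@example.com"]},
            {"logType": "DATA_WRITE"},
            {"logType": "ADMIN_READ"}]},
        {"service": "sampleservice.googleapis.com", "auditLogConfigs": [
            {"logType": "DATA_READ"},
            {"logType": "DATA_WRITE", "exemptedMembers": ["user:aliya@example.com"]}]},
    ],
}
```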
<div class="method">
    <code class="details" id="list">list(parent, orderBy=None, pageToken=None, pageSize=None, versionView=None, filter=None, x__xgafv=None)</code>
  <pre>Lists CryptoKeys.

Args:
  parent: string, Required. The resource name of the KeyRing to list, in the format
`projects/*/locations/*/keyRings/*`. (required)
  orderBy: string, Optional. Specify how the results should be sorted. If not specified, the
results will be sorted in the default order. For more information, see
[Sorting and filtering list
results](https://cloud.google.com/kms/docs/sorting-and-filtering).
  pageToken: string, Optional. Optional pagination token, returned earlier via
ListCryptoKeysResponse.next_page_token.
  pageSize: integer, Optional. Optional limit on the number of CryptoKeys to include in the
response. Further CryptoKeys can subsequently be obtained by
including the ListCryptoKeysResponse.next_page_token in a subsequent
request. If unspecified, the server will pick an appropriate default.
  versionView: string, The fields of the primary version to include in the response.
  filter: string, Optional. Only include resources that match the filter in the response. For
more information, see
[Sorting and filtering list
results](https://cloud.google.com/kms/docs/sorting-and-filtering).
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Response message for KeyManagementService.ListCryptoKeys.
      &quot;nextPageToken&quot;: &quot;A String&quot;, # A token to retrieve next page of results. Pass this value in
          # ListCryptoKeysRequest.page_token to retrieve the next page of results.
      &quot;totalSize&quot;: 42, # The total number of CryptoKeys that matched the query.
      &quot;cryptoKeys&quot;: [ # The list of CryptoKeys.
        { # A CryptoKey represents a logical key that can be used for cryptographic
            # operations.
            #
            # A CryptoKey is made up of zero or more versions,
            # which represent the actual key material used in cryptographic operations.
          &quot;labels&quot;: { # Labels with user-defined metadata. For more information, see
              # [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys).
            &quot;a_key&quot;: &quot;A String&quot;,
          },
          &quot;purpose&quot;: &quot;A String&quot;, # Immutable. The immutable purpose of this CryptoKey.
          &quot;createTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKey was created.
          &quot;name&quot;: &quot;A String&quot;, # Output only. The resource name for this CryptoKey in the format
              # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
          &quot;primary&quot;: { # Output only. A copy of the &quot;primary&quot; CryptoKeyVersion that will be used
              # by Encrypt when this CryptoKey is given
              # in EncryptRequest.name.
              #
              # The CryptoKey&#x27;s primary version can be updated via
              # UpdateCryptoKeyPrimaryVersion.
              #
              # Keys with purpose ENCRYPT_DECRYPT may have a
              # primary. For other keys, this field will be omitted.
              #
              # A CryptoKeyVersion represents an individual cryptographic key, and the
              # associated key material.
              #
              # An ENABLED version can be used for cryptographic operations.
              #
              # For security reasons, the raw cryptographic key material represented by a
              # CryptoKeyVersion can never be viewed or exported. It can only be used to
              # encrypt, decrypt, or sign data when an authorized user or application invokes
              # Cloud KMS.
            &quot;generateTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material was
                # generated.
            &quot;name&quot;: &quot;A String&quot;, # Output only. The resource name for this CryptoKeyVersion in the format
                # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
            &quot;importTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKeyVersion&#x27;s key material
                # was imported.
            &quot;importFailureReason&quot;: &quot;A String&quot;, # Output only. The root cause of an import failure. Only present if
                # state is IMPORT_FAILED.
            &quot;state&quot;: &quot;A String&quot;, # The current state of the CryptoKeyVersion.
            &quot;attestation&quot;: { # Output only. Statement that was generated and signed by the HSM at key
                # creation time. Use this statement to verify attributes of the key as stored
                # on the HSM, independently of Google. Only provided for key versions with
                # protection_level HSM.
                #
                # Contains an HSM-generated attestation about a key operation. For more
                # information, see [Verifying attestations]
                # (https://cloud.google.com/kms/docs/attest-key).
              &quot;format&quot;: &quot;A String&quot;, # Output only. The format of the attestation data.
              &quot;content&quot;: &quot;A String&quot;, # Output only. The attestation data provided by the HSM when the key
                  # operation was performed.
            },
            &quot;createTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKeyVersion was created.
            &quot;destroyTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material is scheduled
                # for destruction. Only present if state is
                # DESTROY_SCHEDULED.
            &quot;destroyEventTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material was
                # destroyed. Only present if state is
                # DESTROYED.
            &quot;protectionLevel&quot;: &quot;A String&quot;, # Output only. The ProtectionLevel describing how crypto operations are
                # performed with this CryptoKeyVersion.
            &quot;externalProtectionLevelOptions&quot;: { # ExternalProtectionLevelOptions stores a group of additional fields for
                # configuring a CryptoKeyVersion that are specific to the
                # EXTERNAL protection level.
              &quot;externalKeyUri&quot;: &quot;A String&quot;, # The URI for an external resource that this CryptoKeyVersion represents.
            },
            &quot;importJob&quot;: &quot;A String&quot;, # Output only. The name of the ImportJob used to import this
                # CryptoKeyVersion. Only present if the underlying key material was
                # imported.
1127 &quot;algorithm&quot;: &quot;A String&quot;, # Output only. The CryptoKeyVersionAlgorithm that this
1128 # CryptoKeyVersion supports.
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -07001129 },
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -07001130 &quot;versionTemplate&quot;: { # A CryptoKeyVersionTemplate specifies the properties to use when creating # A template describing settings for new CryptoKeyVersion instances.
1131 # The properties of new CryptoKeyVersion instances created by either
1132 # CreateCryptoKeyVersion or
1133 # auto-rotation are controlled by this template.
1134 # a new CryptoKeyVersion, either manually with
1135 # CreateCryptoKeyVersion or
1136 # automatically as a result of auto-rotation.
1137 &quot;algorithm&quot;: &quot;A String&quot;, # Required. Algorithm to use
1138 # when creating a CryptoKeyVersion based on this template.
1139 #
1140 # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
1141 # this field is omitted and CryptoKey.purpose is
1142 # ENCRYPT_DECRYPT.
1143 &quot;protectionLevel&quot;: &quot;A String&quot;, # ProtectionLevel to use when creating a CryptoKeyVersion based on
1144 # this template. Immutable. Defaults to SOFTWARE.
1145 },
Bu Sun Kimd059ad82020-07-22 17:02:09 -07001146 &quot;rotationPeriod&quot;: &quot;A String&quot;, # next_rotation_time will be advanced by this period when the service
1147 # automatically rotates a key. Must be at least 24 hours and at most
1148 # 876,000 hours.
1149 #
1150 # If rotation_period is set, next_rotation_time must also be set.
1151 #
1152 # Keys with purpose
1153 # ENCRYPT_DECRYPT support
1154 # automatic rotation. For other keys, this field must be omitted.
1155 &quot;nextRotationTime&quot;: &quot;A String&quot;, # At next_rotation_time, the Key Management Service will automatically:
1156 #
1157 # 1. Create a new version of this CryptoKey.
1158 # 2. Mark the new version as primary.
1159 #
1160 # Key rotations performed manually via
1161 # CreateCryptoKeyVersion and
1162 # UpdateCryptoKeyPrimaryVersion
1163 # do not affect next_rotation_time.
1164 #
1165 # Keys with purpose
1166 # ENCRYPT_DECRYPT support
1167 # automatic rotation. For other keys, this field must be omitted.
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -07001168 },
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001169 ],
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001170 }</pre>
</div>

<div class="method">
    <code class="details" id="list_next">list_next(previous_request, previous_response)</code>
  <pre>Retrieves the next page of results.

Args:
  previous_request: The request for the previous page. (required)
  previous_response: The response from the request for the previous page. (required)

Returns:
  A request object that you can call &#x27;execute()&#x27; on to request the next
  page. Returns None if there are no more items in the collection.
    </pre>
</div>

<div class="method">
    <code class="details" id="patch">patch(name, body=None, updateMask=None, x__xgafv=None)</code>
  <pre>Update a CryptoKey.

Args:
  name: string, Output only. The resource name for this CryptoKey in the format
`projects/*/locations/*/keyRings/*/cryptoKeys/*`. (required)
  body: object, The request body.
    The object takes the form of:

{ # A CryptoKey represents a logical key that can be used for cryptographic
    # operations.
    #
    # A CryptoKey is made up of zero or more versions,
    # which represent the actual key material used in cryptographic operations.
  &quot;labels&quot;: { # Labels with user-defined metadata. For more information, see
      # [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys).
    &quot;a_key&quot;: &quot;A String&quot;,
  },
  &quot;purpose&quot;: &quot;A String&quot;, # Immutable. The immutable purpose of this CryptoKey.
  &quot;createTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKey was created.
  &quot;name&quot;: &quot;A String&quot;, # Output only. The resource name for this CryptoKey in the format
      # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
  &quot;primary&quot;: { # Output only. A copy of the &quot;primary&quot; CryptoKeyVersion that will be used
      # by Encrypt when this CryptoKey is given
      # in EncryptRequest.name.
      #
      # The CryptoKey&#x27;s primary version can be updated via
      # UpdateCryptoKeyPrimaryVersion.
      #
      # Keys with purpose
      # ENCRYPT_DECRYPT may have a
      # primary. For other keys, this field will be omitted.
      #
      # A CryptoKeyVersion represents an individual cryptographic key, and the
      # associated key material.
      #
      # An ENABLED version can be
      # used for cryptographic operations.
      #
      # For security reasons, the raw cryptographic key material represented by a
      # CryptoKeyVersion can never be viewed or exported. It can only be used to
      # encrypt, decrypt, or sign data when an authorized user or application invokes
      # Cloud KMS.
    &quot;generateTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material was
        # generated.
    &quot;name&quot;: &quot;A String&quot;, # Output only. The resource name for this CryptoKeyVersion in the format
        # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
    &quot;importTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKeyVersion&#x27;s key material
        # was imported.
    &quot;importFailureReason&quot;: &quot;A String&quot;, # Output only. The root cause of an import failure. Only present if
        # state is
        # IMPORT_FAILED.
    &quot;state&quot;: &quot;A String&quot;, # The current state of the CryptoKeyVersion.
    &quot;attestation&quot;: { # Output only. Statement that was generated and signed by the HSM at key
        # creation time. Use this statement to verify attributes of the key as stored
        # on the HSM, independently of Google. Only provided for key versions with
        # protection_level HSM.
        #
        # Contains an HSM-generated attestation about a key operation. For more
        # information, see [Verifying attestations]
        # (https://cloud.google.com/kms/docs/attest-key).
      &quot;format&quot;: &quot;A String&quot;, # Output only. The format of the attestation data.
      &quot;content&quot;: &quot;A String&quot;, # Output only. The attestation data provided by the HSM when the key
          # operation was performed.
    },
    &quot;createTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKeyVersion was created.
    &quot;destroyTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material is scheduled
        # for destruction. Only present if state is
        # DESTROY_SCHEDULED.
    &quot;destroyEventTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material was
        # destroyed. Only present if state is
        # DESTROYED.
    &quot;protectionLevel&quot;: &quot;A String&quot;, # Output only. The ProtectionLevel describing how crypto operations are
        # performed with this CryptoKeyVersion.
    &quot;externalProtectionLevelOptions&quot;: { # ExternalProtectionLevelOptions stores a group of additional fields for
        # configuring a CryptoKeyVersion that are specific to the
        # EXTERNAL protection level.
      &quot;externalKeyUri&quot;: &quot;A String&quot;, # The URI for an external resource that this CryptoKeyVersion represents.
    },
    &quot;importJob&quot;: &quot;A String&quot;, # Output only. The name of the ImportJob used to import this
        # CryptoKeyVersion. Only present if the underlying key material was
        # imported.
    &quot;algorithm&quot;: &quot;A String&quot;, # Output only. The CryptoKeyVersionAlgorithm that this
        # CryptoKeyVersion supports.
  },
  &quot;versionTemplate&quot;: { # A template describing settings for new CryptoKeyVersion instances.
      # The properties of new CryptoKeyVersion instances created by either
      # CreateCryptoKeyVersion or
      # auto-rotation are controlled by this template.
      #
      # A CryptoKeyVersionTemplate specifies the properties to use when creating
      # a new CryptoKeyVersion, either manually with
      # CreateCryptoKeyVersion or
      # automatically as a result of auto-rotation.
    &quot;algorithm&quot;: &quot;A String&quot;, # Required. Algorithm to use
        # when creating a CryptoKeyVersion based on this template.
        #
        # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
        # this field is omitted and CryptoKey.purpose is
        # ENCRYPT_DECRYPT.
    &quot;protectionLevel&quot;: &quot;A String&quot;, # ProtectionLevel to use when creating a CryptoKeyVersion based on
        # this template. Immutable. Defaults to SOFTWARE.
  },
  &quot;rotationPeriod&quot;: &quot;A String&quot;, # next_rotation_time will be advanced by this period when the service
      # automatically rotates a key. Must be at least 24 hours and at most
      # 876,000 hours.
      #
      # If rotation_period is set, next_rotation_time must also be set.
      #
      # Keys with purpose
      # ENCRYPT_DECRYPT support
      # automatic rotation. For other keys, this field must be omitted.
  &quot;nextRotationTime&quot;: &quot;A String&quot;, # At next_rotation_time, the Key Management Service will automatically:
      #
      # 1. Create a new version of this CryptoKey.
      # 2. Mark the new version as primary.
      #
      # Key rotations performed manually via
      # CreateCryptoKeyVersion and
      # UpdateCryptoKeyPrimaryVersion
      # do not affect next_rotation_time.
      #
      # Keys with purpose
      # ENCRYPT_DECRYPT support
      # automatic rotation. For other keys, this field must be omitted.
}

  updateMask: string, Required. List of fields to be updated in this request.
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A CryptoKey represents a logical key that can be used for cryptographic
        # operations.
        #
        # A CryptoKey is made up of zero or more versions,
        # which represent the actual key material used in cryptographic operations.
      &quot;labels&quot;: { # Labels with user-defined metadata. For more information, see
          # [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys).
        &quot;a_key&quot;: &quot;A String&quot;,
      },
      &quot;purpose&quot;: &quot;A String&quot;, # Immutable. The immutable purpose of this CryptoKey.
      &quot;createTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKey was created.
      &quot;name&quot;: &quot;A String&quot;, # Output only. The resource name for this CryptoKey in the format
          # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
      &quot;primary&quot;: { # Output only. A copy of the &quot;primary&quot; CryptoKeyVersion that will be used
          # by Encrypt when this CryptoKey is given
          # in EncryptRequest.name.
          #
          # The CryptoKey&#x27;s primary version can be updated via
          # UpdateCryptoKeyPrimaryVersion.
          #
          # Keys with purpose
          # ENCRYPT_DECRYPT may have a
          # primary. For other keys, this field will be omitted.
          #
          # A CryptoKeyVersion represents an individual cryptographic key, and the
          # associated key material.
          #
          # An ENABLED version can be
          # used for cryptographic operations.
          #
          # For security reasons, the raw cryptographic key material represented by a
          # CryptoKeyVersion can never be viewed or exported. It can only be used to
          # encrypt, decrypt, or sign data when an authorized user or application invokes
          # Cloud KMS.
        &quot;generateTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material was
            # generated.
        &quot;name&quot;: &quot;A String&quot;, # Output only. The resource name for this CryptoKeyVersion in the format
            # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
        &quot;importTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKeyVersion&#x27;s key material
            # was imported.
        &quot;importFailureReason&quot;: &quot;A String&quot;, # Output only. The root cause of an import failure. Only present if
            # state is
            # IMPORT_FAILED.
        &quot;state&quot;: &quot;A String&quot;, # The current state of the CryptoKeyVersion.
        &quot;attestation&quot;: { # Output only. Statement that was generated and signed by the HSM at key
            # creation time. Use this statement to verify attributes of the key as stored
            # on the HSM, independently of Google. Only provided for key versions with
            # protection_level HSM.
            #
            # Contains an HSM-generated attestation about a key operation. For more
            # information, see [Verifying attestations]
            # (https://cloud.google.com/kms/docs/attest-key).
          &quot;format&quot;: &quot;A String&quot;, # Output only. The format of the attestation data.
          &quot;content&quot;: &quot;A String&quot;, # Output only. The attestation data provided by the HSM when the key
              # operation was performed.
        },
        &quot;createTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKeyVersion was created.
        &quot;destroyTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material is scheduled
            # for destruction. Only present if state is
            # DESTROY_SCHEDULED.
        &quot;destroyEventTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material was
            # destroyed. Only present if state is
            # DESTROYED.
        &quot;protectionLevel&quot;: &quot;A String&quot;, # Output only. The ProtectionLevel describing how crypto operations are
            # performed with this CryptoKeyVersion.
        &quot;externalProtectionLevelOptions&quot;: { # ExternalProtectionLevelOptions stores a group of additional fields for
            # configuring a CryptoKeyVersion that are specific to the
            # EXTERNAL protection level.
          &quot;externalKeyUri&quot;: &quot;A String&quot;, # The URI for an external resource that this CryptoKeyVersion represents.
        },
        &quot;importJob&quot;: &quot;A String&quot;, # Output only. The name of the ImportJob used to import this
            # CryptoKeyVersion. Only present if the underlying key material was
            # imported.
        &quot;algorithm&quot;: &quot;A String&quot;, # Output only. The CryptoKeyVersionAlgorithm that this
            # CryptoKeyVersion supports.
      },
      &quot;versionTemplate&quot;: { # A template describing settings for new CryptoKeyVersion instances.
          # The properties of new CryptoKeyVersion instances created by either
          # CreateCryptoKeyVersion or
          # auto-rotation are controlled by this template.
          #
          # A CryptoKeyVersionTemplate specifies the properties to use when creating
          # a new CryptoKeyVersion, either manually with
          # CreateCryptoKeyVersion or
          # automatically as a result of auto-rotation.
        &quot;algorithm&quot;: &quot;A String&quot;, # Required. Algorithm to use
            # when creating a CryptoKeyVersion based on this template.
            #
            # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
            # this field is omitted and CryptoKey.purpose is
            # ENCRYPT_DECRYPT.
        &quot;protectionLevel&quot;: &quot;A String&quot;, # ProtectionLevel to use when creating a CryptoKeyVersion based on
            # this template. Immutable. Defaults to SOFTWARE.
      },
      &quot;rotationPeriod&quot;: &quot;A String&quot;, # next_rotation_time will be advanced by this period when the service
          # automatically rotates a key. Must be at least 24 hours and at most
          # 876,000 hours.
          #
          # If rotation_period is set, next_rotation_time must also be set.
          #
          # Keys with purpose
          # ENCRYPT_DECRYPT support
          # automatic rotation. For other keys, this field must be omitted.
      &quot;nextRotationTime&quot;: &quot;A String&quot;, # At next_rotation_time, the Key Management Service will automatically:
          #
          # 1. Create a new version of this CryptoKey.
          # 2. Mark the new version as primary.
          #
          # Key rotations performed manually via
          # CreateCryptoKeyVersion and
          # UpdateCryptoKeyPrimaryVersion
          # do not affect next_rotation_time.
          #
          # Keys with purpose
          # ENCRYPT_DECRYPT support
          # automatic rotation. For other keys, this field must be omitted.
    }</pre>
</div>
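
<p>Added example, not part of the generated reference or the client library: a pre-flight check that enforces the rotation rules stated for patch() above (24 to 876,000 hours, nextRotationTime required alongside rotationPeriod, ENCRYPT_DECRYPT keys only) and builds a request whose updateMask names only the two rotation fields. The helper names are hypothetical; the duration string in seconds with an "s" suffix, the RFC 3339 UTC timestamp and the camelCase mask paths are assumptions, since this page lists both fields only as "A String".</p>

```python
import re
from datetime import datetime, timedelta, timezone

# Limits quoted from the rotationPeriod description on this page.
MIN_ROTATION = timedelta(hours=24)
MAX_ROTATION = timedelta(hours=876_000)

# Resource-name shape given for the `name` argument of patch().
KEY_NAME_RE = re.compile(
    r"^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$"
)


def build_rotation_patch(name, purpose, rotation_period, next_rotation_time):
    """Return keyword arguments for cryptoKeys().patch() that change rotation only.

    Raises ValueError when the request would break a rule stated in the
    reference, so a bad schedule is caught before any API call is made.
    """
    if not KEY_NAME_RE.match(name):
        raise ValueError("name must match projects/*/locations/*/keyRings/*/cryptoKeys/*")
    if purpose != "ENCRYPT_DECRYPT":
        # For other purposes both rotation fields must be omitted.
        raise ValueError("automatic rotation is only supported for ENCRYPT_DECRYPT keys")
    if next_rotation_time is None:
        raise ValueError("rotationPeriod requires nextRotationTime to be set as well")
    if next_rotation_time.tzinfo is None:
        raise ValueError("next_rotation_time must be timezone-aware")
    if not MIN_ROTATION <= rotation_period <= MAX_ROTATION:
        raise ValueError("rotationPeriod must be between 24 and 876,000 hours")

    body = {
        # Assumed wire formats: seconds with an "s" suffix, RFC 3339 in UTC.
        "rotationPeriod": f"{int(rotation_period.total_seconds())}s",
        "nextRotationTime": next_rotation_time.astimezone(timezone.utc).strftime(
            "%Y-%m-%dT%H:%M:%SZ"
        ),
    }
    # The mask lists only the fields in the body, so immutable (purpose) and
    # output-only (name, createTime, primary) fields are never sent or touched.
    return {"name": name, "body": body, "updateMask": ",".join(body)}


def apply_rotation_patch(service, request_kwargs):
    """Send the request with a googleapiclient service object for cloudkms v1."""
    keys = service.projects().locations().keyRings().cryptoKeys()
    return keys.patch(**request_kwargs).execute()


if __name__ == "__main__":
    # Constructed sample values; no network access is needed to build the request.
    request = build_rotation_patch(
        "projects/example-project/locations/global/keyRings/example-ring/cryptoKeys/example-key",
        "ENCRYPT_DECRYPT",
        timedelta(days=90),
        datetime(2030, 1, 1, tzinfo=timezone.utc),
    )
    print(request)
```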

<div class="method">
    <code class="details" id="setIamPolicy">setIamPolicy(resource, body=None, x__xgafv=None)</code>
  <pre>Sets the access control policy on the specified resource. Replaces any
existing policy.

Can return `NOT_FOUND`, `INVALID_ARGUMENT`, and `PERMISSION_DENIED` errors.

Args:
  resource: string, REQUIRED: The resource for which the policy is being specified.
See the operation documentation for the appropriate value for this field. (required)
  body: object, The request body.
    The object takes the form of:

{ # Request message for `SetIamPolicy` method.
  &quot;updateMask&quot;: &quot;A String&quot;, # OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
      # the fields in the mask will be modified. If no mask is provided, the
      # following default mask is used:
      #
      # `paths: &quot;bindings, etag&quot;`
  &quot;policy&quot;: { # REQUIRED: The complete policy to be applied to the `resource`. The size of
      # the policy is limited to a few 10s of KB. An empty policy is a
      # valid policy but certain Cloud Platform services (such as Projects)
      # might reject them.
      #
      # An Identity and Access Management (IAM) policy, which specifies access
      # controls for Google Cloud resources.
      #
      # A `Policy` is a collection of `bindings`. A `binding` binds one or more
      # `members` to a single `role`. Members can be user accounts, service accounts,
      # Google groups, and domains (such as G Suite). A `role` is a named list of
      # permissions; each `role` can be an IAM predefined role or a user-created
      # custom role.
      #
      # For some types of Google Cloud resources, a `binding` can also specify a
      # `condition`, which is a logical expression that allows access to a resource
      # only if the expression evaluates to `true`. A condition can add constraints
      # based on attributes of the request, the resource, or both. To learn which
      # resources support conditions in their IAM policies, see the
      # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
      #
      # **JSON example:**
      #
      #     {
      #       &quot;bindings&quot;: [
      #         {
      #           &quot;role&quot;: &quot;roles/resourcemanager.organizationAdmin&quot;,
      #           &quot;members&quot;: [
      #             &quot;user:mike@example.com&quot;,
      #             &quot;group:admins@example.com&quot;,
      #             &quot;domain:google.com&quot;,
      #             &quot;serviceAccount:my-project-id@appspot.gserviceaccount.com&quot;
      #           ]
      #         },
      #         {
      #           &quot;role&quot;: &quot;roles/resourcemanager.organizationViewer&quot;,
      #           &quot;members&quot;: [
      #             &quot;user:eve@example.com&quot;
      #           ],
      #           &quot;condition&quot;: {
      #             &quot;title&quot;: &quot;expirable access&quot;,
      #             &quot;description&quot;: &quot;Does not grant access after Sep 2020&quot;,
      #             &quot;expression&quot;: &quot;request.time &lt; timestamp(&#x27;2020-10-01T00:00:00.000Z&#x27;)&quot;
      #           }
      #         }
      #       ],
      #       &quot;etag&quot;: &quot;BwWWja0YfJA=&quot;,
      #       &quot;version&quot;: 3
      #     }
      #
      # **YAML example:**
      #
      #     bindings:
      #     - members:
      #       - user:mike@example.com
      #       - group:admins@example.com
      #       - domain:google.com
      #       - serviceAccount:my-project-id@appspot.gserviceaccount.com
      #       role: roles/resourcemanager.organizationAdmin
      #     - members:
      #       - user:eve@example.com
      #       role: roles/resourcemanager.organizationViewer
      #       condition:
      #         title: expirable access
      #         description: Does not grant access after Sep 2020
      #         expression: request.time &lt; timestamp(&#x27;2020-10-01T00:00:00.000Z&#x27;)
      #     etag: BwWWja0YfJA=
      #     version: 3
      #
      # For a description of IAM and its features, see the
      # [IAM documentation](https://cloud.google.com/iam/docs/).
    &quot;etag&quot;: &quot;A String&quot;, # `etag` is used for optimistic concurrency control as a way to help
        # prevent simultaneous updates of a policy from overwriting each other.
        # It is strongly suggested that systems make use of the `etag` in the
        # read-modify-write cycle to perform policy updates in order to avoid race
        # conditions: An `etag` is returned in the response to `getIamPolicy`, and
        # systems are expected to put that etag in the request to `setIamPolicy` to
        # ensure that their change will be applied to the same version of the policy.
        #
        # **Important:** If you use IAM Conditions, you must include the `etag` field
        # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
        # you to overwrite a version `3` policy with a version `1` policy, and all of
        # the conditions in the version `3` policy are lost.
    &quot;version&quot;: 42, # Specifies the format of the policy.
        #
        # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
        # are rejected.
        #
        # Any operation that affects conditional role bindings must specify version
        # `3`. This requirement applies to the following operations:
        #
        # * Getting a policy that includes a conditional role binding
        # * Adding a conditional role binding to a policy
        # * Changing a conditional role binding in a policy
        # * Removing any role binding, with or without a condition, from a policy
        #   that includes conditions
        #
        # **Important:** If you use IAM Conditions, you must include the `etag` field
        # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
        # you to overwrite a version `3` policy with a version `1` policy, and all of
        # the conditions in the version `3` policy are lost.
        #
        # If a policy does not include any conditions, operations on that policy may
        # specify any valid version or leave the field unset.
        #
        # To learn which resources support conditions in their IAM policies, see the
        # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
    &quot;bindings&quot;: [ # Associates a list of `members` to a `role`. Optionally, may specify a
        # `condition` that determines how and when the `bindings` are applied. Each
        # of the `bindings` must contain at least one member.
      { # Associates `members` with a `role`.
        &quot;role&quot;: &quot;A String&quot;, # Role that is assigned to `members`.
            # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
        &quot;condition&quot;: { # The condition that is associated with this binding.
            #
            # If the condition evaluates to `true`, then this binding applies to the
            # current request.
            #
            # If the condition evaluates to `false`, then this binding does not apply to
            # the current request. However, a different role binding might grant the same
            # role to one or more of the members in this binding.
            #
            # To learn which resources support conditions in their IAM policies, see the
            # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
            #
            # Represents a textual expression in the Common Expression Language (CEL)
            # syntax. CEL is a C-like expression language. The syntax and semantics of CEL
            # are documented at https://github.com/google/cel-spec.
            #
            # Example (Comparison):
            #
            #     title: &quot;Summary size limit&quot;
            #     description: &quot;Determines if a summary is less than 100 chars&quot;
            #     expression: &quot;document.summary.size() &lt; 100&quot;
            #
            # Example (Equality):
            #
            #     title: &quot;Requestor is owner&quot;
            #     description: &quot;Determines if requestor is the document owner&quot;
            #     expression: &quot;document.owner == request.auth.claims.email&quot;
            #
            # Example (Logic):
            #
            #     title: &quot;Public documents&quot;
            #     description: &quot;Determine whether the document should be publicly visible&quot;
            #     expression: &quot;document.type != &#x27;private&#x27; &amp;&amp; document.type != &#x27;internal&#x27;&quot;
            #
            # Example (Data Manipulation):
            #
            #     title: &quot;Notification string&quot;
            #     description: &quot;Create a notification string with a timestamp.&quot;
            #     expression: &quot;&#x27;New message received at &#x27; + string(document.create_time)&quot;
            #
            # The exact variables and functions that may be referenced within an expression
            # are determined by the service that evaluates it. See the service
            # documentation for additional information.
          &quot;description&quot;: &quot;A String&quot;, # Optional. Description of the expression. This is a longer text which
              # describes the expression, e.g. when hovered over it in a UI.
          &quot;title&quot;: &quot;A String&quot;, # Optional. Title for the expression, i.e. a short string describing
              # its purpose. This can be used, e.g., in UIs that allow entering the
              # expression.
          &quot;expression&quot;: &quot;A String&quot;, # Textual representation of an expression in Common Expression Language
              # syntax.
          &quot;location&quot;: &quot;A String&quot;, # Optional. String indicating the location of the expression for error
              # reporting, e.g. a file name and a position in the file.
        },
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -07001618 &quot;members&quot;: [ # Specifies the identities requesting access for a Cloud Platform resource.
1619 # `members` can have the following values:
1620 #
1621 # * `allUsers`: A special identifier that represents anyone who is
1622 # on the internet; with or without a Google account.
1623 #
1624 # * `allAuthenticatedUsers`: A special identifier that represents anyone
1625 # who is authenticated with a Google account or a service account.
1626 #
1627 # * `user:{emailid}`: An email address that represents a specific Google
1628 # account. For example, `alice@example.com`.
1629 #
1630 #
1631 # * `serviceAccount:{emailid}`: An email address that represents a service
1632 # account. For example, `my-other-app@appspot.gserviceaccount.com`.
1633 #
1634 # * `group:{emailid}`: An email address that represents a Google group.
1635 # For example, `admins@example.com`.
1636 #
1637 # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
1638 # identifier) representing a user that has been recently deleted. For
1639 # example, `alice@example.com?uid=123456789012345678901`. If the user is
1640 # recovered, this value reverts to `user:{emailid}` and the recovered user
1641 # retains the role in the binding.
1642 #
1643 # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
1644 # unique identifier) representing a service account that has been recently
1645 # deleted. For example,
1646 # `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
1647 # If the service account is undeleted, this value reverts to
1648 # `serviceAccount:{emailid}` and the undeleted service account retains the
1649 # role in the binding.
1650 #
1651 # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
1652 # identifier) representing a Google group that has been recently
1653 # deleted. For example, `admins@example.com?uid=123456789012345678901`. If
1654 # the group is recovered, this value reverts to `group:{emailid}` and the
1655 # recovered group retains the role in the binding.
1656 #
1657 #
1658 # * `domain:{domain}`: The G Suite domain (primary) that represents all the
1659 # users of that domain. For example, `google.com` or `example.com`.
1660 #
1661 &quot;A String&quot;,
1662 ],
Bu Sun Kimd059ad82020-07-22 17:02:09 -07001663 },
1664 ],
1665 &quot;auditConfigs&quot;: [ # Specifies cloud audit logging configuration for this policy.
1666 { # Specifies the audit configuration for a service.
1667 # The configuration determines which permission types are logged, and what
1668 # identities, if any, are exempted from logging.
1669 # An AuditConfig must have one or more AuditLogConfigs.
1670 #
1671 # If there are AuditConfigs for both `allServices` and a specific service,
1672 # the union of the two AuditConfigs is used for that service: the log_types
1673 # specified in each AuditConfig are enabled, and the exempted_members in each
1674 # AuditLogConfig are exempted.
1675 #
1676 # Example Policy with multiple AuditConfigs:
1677 #
1678 # {
1679 # &quot;audit_configs&quot;: [
1680 # {
1681 # &quot;service&quot;: &quot;allServices&quot;,
1682 # &quot;audit_log_configs&quot;: [
1683 # {
1684 # &quot;log_type&quot;: &quot;DATA_READ&quot;,
1685 # &quot;exempted_members&quot;: [
1686 # &quot;user:jose@example.com&quot;
1687 # ]
1688 # },
1689 # {
1690 # &quot;log_type&quot;: &quot;DATA_WRITE&quot;
1691 # },
1692 # {
1693 # &quot;log_type&quot;: &quot;ADMIN_READ&quot;
1694 # }
1695 # ]
1696 # },
1697 # {
1698 # &quot;service&quot;: &quot;sampleservice.googleapis.com&quot;,
1699 # &quot;audit_log_configs&quot;: [
1700 # {
1701 # &quot;log_type&quot;: &quot;DATA_READ&quot;
1702 # },
1703 # {
1704 # &quot;log_type&quot;: &quot;DATA_WRITE&quot;,
1705 # &quot;exempted_members&quot;: [
1706 # &quot;user:aliya@example.com&quot;
1707 # ]
1708 # }
1709 # ]
1710 # }
1711 # ]
1712 # }
1713 #
1714 # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
1715 # logging. It also exempts jose@example.com from DATA_READ logging, and
1716 # aliya@example.com from DATA_WRITE logging.
1717 &quot;auditLogConfigs&quot;: [ # The configuration for logging of each type of permission.
1718 { # Provides the configuration for logging a type of permissions.
1719 # Example:
1720 #
1721 # {
1722 # &quot;audit_log_configs&quot;: [
1723 # {
1724 # &quot;log_type&quot;: &quot;DATA_READ&quot;,
1725 # &quot;exempted_members&quot;: [
1726 # &quot;user:jose@example.com&quot;
1727 # ]
1728 # },
1729 # {
1730 # &quot;log_type&quot;: &quot;DATA_WRITE&quot;
1731 # }
1732 # ]
1733 # }
1734 #
1735 # This enables &#x27;DATA_READ&#x27; and &#x27;DATA_WRITE&#x27; logging, while exempting
1736 # jose@example.com from DATA_READ logging.
1737 &quot;exemptedMembers&quot;: [ # Specifies the identities that do not cause logging for this type of
1738 # permission.
1739 # Follows the same format of Binding.members.
1740 &quot;A String&quot;,
1741 ],
1742 &quot;logType&quot;: &quot;A String&quot;, # The log type that this config enables.
1743 },
1744 ],
1745 &quot;service&quot;: &quot;A String&quot;, # Specifies a service that will be enabled for audit logging.
1746 # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
1747 # `allServices` is a special value that covers all services.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001748 },
1749 ],
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001750 },
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001751 }
1752
1753 x__xgafv: string, V1 error format.
1754 Allowed values
1755 1 - v1 error format
1756 2 - v2 error format
1757
1758Returns:
1759 An object of the form:
1760
Dan O'Mearadd494642020-05-01 07:42:23 -07001761 { # An Identity and Access Management (IAM) policy, which specifies access
1762 # controls for Google Cloud resources.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001763 #
1764 #
Dan O'Mearadd494642020-05-01 07:42:23 -07001765 # A `Policy` is a collection of `bindings`. A `binding` binds one or more
1766 # `members` to a single `role`. Members can be user accounts, service accounts,
1767 # Google groups, and domains (such as G Suite). A `role` is a named list of
1768 # permissions; each `role` can be an IAM predefined role or a user-created
1769 # custom role.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001770 #
Bu Sun Kim65020912020-05-20 12:08:20 -07001771 # For some types of Google Cloud resources, a `binding` can also specify a
1772 # `condition`, which is a logical expression that allows access to a resource
1773 # only if the expression evaluates to `true`. A condition can add constraints
1774 # based on attributes of the request, the resource, or both. To learn which
1775 # resources support conditions in their IAM policies, see the
1776 # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
Dan O'Mearadd494642020-05-01 07:42:23 -07001777 #
1778 # **JSON example:**
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001779 #
1780 # {
Bu Sun Kim65020912020-05-20 12:08:20 -07001781 # &quot;bindings&quot;: [
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001782 # {
Bu Sun Kim65020912020-05-20 12:08:20 -07001783 # &quot;role&quot;: &quot;roles/resourcemanager.organizationAdmin&quot;,
1784 # &quot;members&quot;: [
1785 # &quot;user:mike@example.com&quot;,
1786 # &quot;group:admins@example.com&quot;,
1787 # &quot;domain:google.com&quot;,
1788 # &quot;serviceAccount:my-project-id@appspot.gserviceaccount.com&quot;
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001789 # ]
1790 # },
1791 # {
Bu Sun Kim65020912020-05-20 12:08:20 -07001792 # &quot;role&quot;: &quot;roles/resourcemanager.organizationViewer&quot;,
1793 # &quot;members&quot;: [
1794 # &quot;user:eve@example.com&quot;
1795 # ],
1796 # &quot;condition&quot;: {
1797 # &quot;title&quot;: &quot;expirable access&quot;,
1798 # &quot;description&quot;: &quot;Does not grant access after Sep 2020&quot;,
1799 # &quot;expression&quot;: &quot;request.time &lt; timestamp(&#x27;2020-10-01T00:00:00.000Z&#x27;)&quot;
Dan O'Mearadd494642020-05-01 07:42:23 -07001800 # }
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001801 # }
Dan O'Mearadd494642020-05-01 07:42:23 -07001802 # ],
Bu Sun Kim65020912020-05-20 12:08:20 -07001803 # &quot;etag&quot;: &quot;BwWWja0YfJA=&quot;,
1804 # &quot;version&quot;: 3
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001805 # }
1806 #
Dan O'Mearadd494642020-05-01 07:42:23 -07001807 # **YAML example:**
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001808 #
1809 #     bindings:
1810 #     - members:
1811 #       - user:mike@example.com
1812 #       - group:admins@example.com
1813 #       - domain:google.com
Dan O'Mearadd494642020-05-01 07:42:23 -07001814 #       - serviceAccount:my-project-id@appspot.gserviceaccount.com
1815 #       role: roles/resourcemanager.organizationAdmin
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001816 #     - members:
Dan O'Mearadd494642020-05-01 07:42:23 -07001817 #       - user:eve@example.com
1818 #       role: roles/resourcemanager.organizationViewer
1819 #       condition:
1820 #         title: expirable access
1821 #         description: Does not grant access after Sep 2020
Bu Sun Kim65020912020-05-20 12:08:20 -07001822 #         expression: request.time &lt; timestamp(&#x27;2020-10-01T00:00:00.000Z&#x27;)
Dan O'Mearadd494642020-05-01 07:42:23 -07001823 #     etag: BwWWja0YfJA=
1824 #     version: 3
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001825 #
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001826 # For a description of IAM and its features, see the
Dan O'Mearadd494642020-05-01 07:42:23 -07001827 # [IAM documentation](https://cloud.google.com/iam/docs/).
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -07001828 &quot;etag&quot;: &quot;A String&quot;, # `etag` is used for optimistic concurrency control as a way to help
1829 # prevent simultaneous updates of a policy from overwriting each other.
1830 # It is strongly suggested that systems make use of the `etag` in the
1831 # read-modify-write cycle to perform policy updates in order to avoid race
1832 # conditions: An `etag` is returned in the response to `getIamPolicy`, and
1833 # systems are expected to put that etag in the request to `setIamPolicy` to
1834 # ensure that their change will be applied to the same version of the policy.
1835 #
1836 # **Important:** If you use IAM Conditions, you must include the `etag` field
1837 # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
1838 # you to overwrite a version `3` policy with a version `1` policy, and all of
1839 # the conditions in the version `3` policy are lost.
Bu Sun Kim65020912020-05-20 12:08:20 -07001840 &quot;version&quot;: 42, # Specifies the format of the policy.
1841 #
1842 # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
1843 # are rejected.
1844 #
1845 # Any operation that affects conditional role bindings must specify version
1846 # `3`. This requirement applies to the following operations:
1847 #
1848 # * Getting a policy that includes a conditional role binding
1849 # * Adding a conditional role binding to a policy
1850 # * Changing a conditional role binding in a policy
1851 # * Removing any role binding, with or without a condition, from a policy
1852 # that includes conditions
1853 #
1854 # **Important:** If you use IAM Conditions, you must include the `etag` field
1855 # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
1856 # you to overwrite a version `3` policy with a version `1` policy, and all of
1857 # the conditions in the version `3` policy are lost.
1858 #
1859 # If a policy does not include any conditions, operations on that policy may
1860 # specify any valid version or leave the field unset.
1861 #
1862 # To learn which resources support conditions in their IAM policies, see the
1863 # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
Bu Sun Kim65020912020-05-20 12:08:20 -07001864 &quot;bindings&quot;: [ # Associates a list of `members` to a `role`. Optionally, may specify a
Dan O'Mearadd494642020-05-01 07:42:23 -07001865 # `condition` that determines how and when the `bindings` are applied. Each
1866 # of the `bindings` must contain at least one member.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07001867 { # Associates `members` with a `role`.
Bu Sun Kimd059ad82020-07-22 17:02:09 -07001868 &quot;role&quot;: &quot;A String&quot;, # Role that is assigned to `members`.
1869 # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
Bu Sun Kim65020912020-05-20 12:08:20 -07001870 &quot;condition&quot;: { # The condition that is associated with this binding.
1871 #
1872 # If the condition evaluates to `true`, then this binding applies to the
1873 # current request.
1874 #
1875 # If the condition evaluates to `false`, then this binding does not apply to
1876 # the current request. However, a different role binding might grant the same
1877 # role to one or more of the members in this binding.
1878 #
1879 # To learn which resources support conditions in their IAM policies, see the
1880 # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
1881 #
1882 # Represents a textual expression in the Common Expression Language (CEL) syntax.
1883 # CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec.
1884 #
1885 # Example (Comparison):
1886 #
1887 # title: &quot;Summary size limit&quot;
1888 # description: &quot;Determines if a summary is less than 100 chars&quot;
1889 # expression: &quot;document.summary.size() &lt; 100&quot;
1890 #
1891 # Example (Equality):
1892 #
1893 # title: &quot;Requestor is owner&quot;
1894 # description: &quot;Determines if requestor is the document owner&quot;
1895 # expression: &quot;document.owner == request.auth.claims.email&quot;
1896 #
1897 # Example (Logic):
1898 #
1899 # title: &quot;Public documents&quot;
1900 # description: &quot;Determine whether the document should be publicly visible&quot;
1901 # expression: &quot;document.type != &#x27;private&#x27; &amp;&amp; document.type != &#x27;internal&#x27;&quot;
1902 #
1903 # Example (Data Manipulation):
1904 #
1905 # title: &quot;Notification string&quot;
1906 # description: &quot;Create a notification string with a timestamp.&quot;
1907 # expression: &quot;&#x27;New message received at &#x27; + string(document.create_time)&quot;
1908 #
1909 # The exact variables and functions that may be referenced within an expression
1910 # are determined by the service that evaluates it. See the service
1911 # documentation for additional information.
Bu Sun Kimd059ad82020-07-22 17:02:09 -07001912 &quot;description&quot;: &quot;A String&quot;, # Optional. Description of the expression. This is a longer text which
1913 # describes the expression, e.g. when hovered over it in a UI.
Bu Sun Kim65020912020-05-20 12:08:20 -07001914 &quot;title&quot;: &quot;A String&quot;, # Optional. Title for the expression, i.e. a short string describing
1915 # its purpose. This can be used e.g. in UIs which allow to enter the
1916 # expression.
Bu Sun Kim65020912020-05-20 12:08:20 -07001917 &quot;expression&quot;: &quot;A String&quot;, # Textual representation of an expression in Common Expression Language
1918 # syntax.
Bu Sun Kimd059ad82020-07-22 17:02:09 -07001919 &quot;location&quot;: &quot;A String&quot;, # Optional. String indicating the location of the expression for error
1920 # reporting, e.g. a file name and a position in the file.
Bu Sun Kim65020912020-05-20 12:08:20 -07001921 },
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -07001922 &quot;members&quot;: [ # Specifies the identities requesting access for a Cloud Platform resource.
1923 # `members` can have the following values:
1924 #
1925 # * `allUsers`: A special identifier that represents anyone who is
1926 # on the internet; with or without a Google account.
1927 #
1928 # * `allAuthenticatedUsers`: A special identifier that represents anyone
1929 # who is authenticated with a Google account or a service account.
1930 #
1931 # * `user:{emailid}`: An email address that represents a specific Google
1932 # account. For example, `alice@example.com`.
1933 #
1934 #
1935 # * `serviceAccount:{emailid}`: An email address that represents a service
1936 # account. For example, `my-other-app@appspot.gserviceaccount.com`.
1937 #
1938 # * `group:{emailid}`: An email address that represents a Google group.
1939 # For example, `admins@example.com`.
1940 #
1941 # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
1942 # identifier) representing a user that has been recently deleted. For
1943 # example, `alice@example.com?uid=123456789012345678901`. If the user is
1944 # recovered, this value reverts to `user:{emailid}` and the recovered user
1945 # retains the role in the binding.
1946 #
1947 # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
1948 # unique identifier) representing a service account that has been recently
1949 # deleted. For example,
1950 # `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
1951 # If the service account is undeleted, this value reverts to
1952 # `serviceAccount:{emailid}` and the undeleted service account retains the
1953 # role in the binding.
1954 #
1955 # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
1956 # identifier) representing a Google group that has been recently
1957 # deleted. For example, `admins@example.com?uid=123456789012345678901`. If
1958 # the group is recovered, this value reverts to `group:{emailid}` and the
1959 # recovered group retains the role in the binding.
1960 #
1961 #
1962 # * `domain:{domain}`: The G Suite domain (primary) that represents all the
1963 # users of that domain. For example, `google.com` or `example.com`.
1964 #
1965 &quot;A String&quot;,
1966 ],
Bu Sun Kimd059ad82020-07-22 17:02:09 -07001967 },
1968 ],
1969 &quot;auditConfigs&quot;: [ # Specifies cloud audit logging configuration for this policy.
1970 { # Specifies the audit configuration for a service.
1971 # The configuration determines which permission types are logged, and what
1972 # identities, if any, are exempted from logging.
1973 # An AuditConfig must have one or more AuditLogConfigs.
1974 #
1975 # If there are AuditConfigs for both `allServices` and a specific service,
1976 # the union of the two AuditConfigs is used for that service: the log_types
1977 # specified in each AuditConfig are enabled, and the exempted_members in each
1978 # AuditLogConfig are exempted.
1979 #
1980 # Example Policy with multiple AuditConfigs:
1981 #
1982 # {
1983 # &quot;audit_configs&quot;: [
1984 # {
1985 # &quot;service&quot;: &quot;allServices&quot;,
1986 # &quot;audit_log_configs&quot;: [
1987 # {
1988 # &quot;log_type&quot;: &quot;DATA_READ&quot;,
1989 # &quot;exempted_members&quot;: [
1990 # &quot;user:jose@example.com&quot;
1991 # ]
1992 # },
1993 # {
1994 # &quot;log_type&quot;: &quot;DATA_WRITE&quot;
1995 # },
1996 # {
1997 # &quot;log_type&quot;: &quot;ADMIN_READ&quot;
1998 # }
1999 # ]
2000 # },
2001 # {
2002 # &quot;service&quot;: &quot;sampleservice.googleapis.com&quot;,
2003 # &quot;audit_log_configs&quot;: [
2004 # {
2005 # &quot;log_type&quot;: &quot;DATA_READ&quot;
2006 # },
2007 # {
2008 # &quot;log_type&quot;: &quot;DATA_WRITE&quot;,
2009 # &quot;exempted_members&quot;: [
2010 # &quot;user:aliya@example.com&quot;
2011 # ]
2012 # }
2013 # ]
2014 # }
2015 # ]
2016 # }
2017 #
2018 # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
2019 # logging. It also exempts jose@example.com from DATA_READ logging, and
2020 # aliya@example.com from DATA_WRITE logging.
2021 &quot;auditLogConfigs&quot;: [ # The configuration for logging of each type of permission.
2022 { # Provides the configuration for logging a type of permissions.
2023 # Example:
2024 #
2025 # {
2026 # &quot;audit_log_configs&quot;: [
2027 # {
2028 # &quot;log_type&quot;: &quot;DATA_READ&quot;,
2029 # &quot;exempted_members&quot;: [
2030 # &quot;user:jose@example.com&quot;
2031 # ]
2032 # },
2033 # {
2034 # &quot;log_type&quot;: &quot;DATA_WRITE&quot;
2035 # }
2036 # ]
2037 # }
2038 #
2039 # This enables &#x27;DATA_READ&#x27; and &#x27;DATA_WRITE&#x27; logging, while exempting
2040 # jose@example.com from DATA_READ logging.
2041 &quot;exemptedMembers&quot;: [ # Specifies the identities that do not cause logging for this type of
2042 # permission.
2043 # Follows the same format of Binding.members.
2044 &quot;A String&quot;,
2045 ],
2046 &quot;logType&quot;: &quot;A String&quot;, # The log type that this config enables.
2047 },
2048 ],
2049 &quot;service&quot;: &quot;A String&quot;, # Specifies a service that will be enabled for audit logging.
2050 # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
2051 # `allServices` is a special value that covers all services.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07002052 },
2053 ],
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04002054 }</pre>
2055</div>
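The `etag`, `version` and AuditConfig rules described for `setIamPolicy` above, as an added example that is not part of the generated reference or the client library: an offline pre-flight check on a policy body before it is written, plus the `allServices` union for one service. The function names `preflight` and `effective_audit_config` and the sample policies are hypothetical and constructed for illustration; field names follow the schema on this page.

```python
# Added example: offline checks on a setIamPolicy body. Field names follow the
# schema on this page; all sample policies below are constructed.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
VALID_VERSIONS = {0, 1, 3}


def conditional_bindings(policy):
    """Bindings that carry a `condition`; their presence requires version 3."""
    return [b for b in policy.get("bindings", []) if b.get("condition")]


def preflight(current, proposed):
    """Compare the policy returned by getIamPolicy (`current`) with the body
    about to be sent to setIamPolicy (`proposed`); return a list of findings."""
    findings = []
    version = proposed.get("version", 0)
    if version not in VALID_VERSIONS:
        findings.append(f"version {version} is not one of 0, 1, 3")
    if conditional_bindings(current) or conditional_bindings(proposed):
        if version != 3:
            findings.append("conditional bindings involved: version must be 3")
        if not proposed.get("etag"):
            findings.append("conditional bindings involved: etag is missing")
    if proposed.get("etag") and proposed["etag"] != current.get("etag"):
        findings.append("etag does not match the policy that was read")
    # Conditions present in the stored policy but absent from the new body.
    kept = {(b["role"], b["condition"]["expression"])
            for b in conditional_bindings(proposed)}
    for b in conditional_bindings(current):
        if (b["role"], b["condition"]["expression"]) not in kept:
            title = b["condition"].get("title", "untitled")
            findings.append(f"condition lost on {b['role']}: {title}")
    for b in proposed.get("bindings", []):
        members = b.get("members", [])
        if not members:
            findings.append(f"{b.get('role')}: binding has no members")
        for member in members:
            if member in PUBLIC_MEMBERS:
                findings.append(f"{b.get('role')}: granted to {member}")
            elif member.startswith("deleted:"):
                findings.append(f"{b.get('role')}: deleted principal {member}")
    return findings


def effective_audit_config(policy, service):
    """Union of the `allServices` and service-specific AuditConfigs.
    Returns {logType: set of exempted members} for `service`."""
    effective = {}
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") not in ("allServices", service):
            continue
        for log_cfg in cfg.get("auditLogConfigs", []):
            exempt = effective.setdefault(log_cfg["logType"], set())
            exempt.update(log_cfg.get("exemptedMembers", []))
    return effective


# Constructed sample mirroring the JSON examples on this page.
CURRENT = {
    "version": 3,
    "etag": "BwWWja0YfJA=",
    "bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["user:mike@example.com", "group:admins@example.com"]},
        {"role": "roles/resourcemanager.organizationViewer",
         "members": ["user:eve@example.com"],
         "condition": {
             "title": "expirable access",
             "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')"}},
    ],
    "auditConfigs": [
        {"service": "allServices", "auditLogConfigs": [
            {"logType": "DATA_READ", "exemptedMembers": ["user:jose@example.com"]},
            {"logType": "DATA_WRITE"},
            {"logType": "ADMIN_READ"}]},
        {"service": "sampleservice.googleapis.com", "auditLogConfigs": [
            {"logType": "DATA_READ"},
            {"logType": "DATA_WRITE", "exemptedMembers": ["user:aliya@example.com"]}]},
    ],
}

# Constructed bad write: version 1, no etag, condition gone, public grant added.
OVERWRITE = {
    "version": 1,
    "bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["user:mike@example.com", "group:admins@example.com"]},
        {"role": "roles/viewer", "members": ["allUsers"]},
    ],
}

if __name__ == "__main__":
    for finding in preflight(CURRENT, OVERWRITE):
        print("FINDING:", finding)
    print(effective_audit_config(CURRENT, "sampleservice.googleapis.com"))
```

An empty list from `preflight` means none of these checks fired; it says nothing about whether the roles granted are appropriate.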
2056
2057<div class="method">
Dan O'Mearadd494642020-05-01 07:42:23 -07002058 <code class="details" id="testIamPermissions">testIamPermissions(resource, body=None, x__xgafv=None)</code>
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04002059 <pre>Returns permissions that a caller has on the specified resource.
2060If the resource does not exist, this will return an empty set of
Bu Sun Kim65020912020-05-20 12:08:20 -07002061permissions, not a `NOT_FOUND` error.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04002062
2063Note: This operation is designed to be used for building permission-aware
2064UIs and command-line tools, not for authorization checking. This operation
Bu Sun Kim65020912020-05-20 12:08:20 -07002065may &quot;fail open&quot; without warning.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04002066
2067Args:
2068 resource: string, REQUIRED: The resource for which the policy detail is being requested.
2069See the operation documentation for the appropriate value for this field. (required)
Dan O'Mearadd494642020-05-01 07:42:23 -07002070 body: object, The request body.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04002071 The object takes the form of:
2072
2073{ # Request message for `TestIamPermissions` method.
Bu Sun Kim65020912020-05-20 12:08:20 -07002074 &quot;permissions&quot;: [ # The set of permissions to check for the `resource`. Permissions with
2075 # wildcards (such as &#x27;*&#x27; or &#x27;storage.*&#x27;) are not allowed. For more
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04002076 # information see
2077 # [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).
Bu Sun Kim65020912020-05-20 12:08:20 -07002078 &quot;A String&quot;,
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04002079 ],
2080 }
2081
2082 x__xgafv: string, V1 error format.
2083 Allowed values
2084 1 - v1 error format
2085 2 - v2 error format
2086
2087Returns:
2088 An object of the form:
2089
2090 { # Response message for `TestIamPermissions` method.
Bu Sun Kim65020912020-05-20 12:08:20 -07002091 &quot;permissions&quot;: [ # A subset of `TestPermissionsRequest.permissions` that the caller is
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04002092 # allowed.
Bu Sun Kim65020912020-05-20 12:08:20 -07002093 &quot;A String&quot;,
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04002094 ],
2095 }</pre>
2096</div>
2097
2098<div class="method">
Dan O'Mearadd494642020-05-01 07:42:23 -07002099 <code class="details" id="updatePrimaryVersion">updatePrimaryVersion(name, body=None, x__xgafv=None)</code>
Bu Sun Kim715bd7f2019-06-14 16:50:42 -07002100 <pre>Update the version of a CryptoKey that will be used in Encrypt.
2101
2102Returns an error if called on an asymmetric key.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04002103
2104Args:
Dan O'Mearadd494642020-05-01 07:42:23 -07002105 name: string, Required. The resource name of the CryptoKey to update. (required)
2106 body: object, The request body.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04002107 The object takes the form of:
2108
2109{ # Request message for KeyManagementService.UpdateCryptoKeyPrimaryVersion.
Bu Sun Kim65020912020-05-20 12:08:20 -07002110 &quot;cryptoKeyVersionId&quot;: &quot;A String&quot;, # Required. The id of the child CryptoKeyVersion to use as primary.
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04002111 }
2112
2113 x__xgafv: string, V1 error format.
2114 Allowed values
2115 1 - v1 error format
2116 2 - v2 error format
2117
2118Returns:
2119 An object of the form:
2120
2121 { # A CryptoKey represents a logical key that can be used for cryptographic
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -07002122 # operations.
2123 #
2124 # A CryptoKey is made up of zero or more versions,
2125 # which represent the actual key material used in cryptographic operations.
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -07002126 &quot;labels&quot;: { # Labels with user-defined metadata. For more information, see
Bu Sun Kimd059ad82020-07-22 17:02:09 -07002127 # [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys).
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -07002128 &quot;a_key&quot;: &quot;A String&quot;,
2129 },
Bu Sun Kimd059ad82020-07-22 17:02:09 -07002130 &quot;purpose&quot;: &quot;A String&quot;, # Immutable. The immutable purpose of this CryptoKey.
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -07002131 &quot;createTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKey was created.
Bu Sun Kimd059ad82020-07-22 17:02:09 -07002132 &quot;name&quot;: &quot;A String&quot;, # Output only. The resource name for this CryptoKey in the format
2133 # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -07002134 &quot;primary&quot;: { # Output only. A copy of the &quot;primary&quot; CryptoKeyVersion that will be used
2135 # by Encrypt when this CryptoKey is given
2136 # in EncryptRequest.name.
2137 #
2138 # The CryptoKey&#x27;s primary version can be updated via
2139 # UpdateCryptoKeyPrimaryVersion.
2140 #
2141 # Keys with purpose ENCRYPT_DECRYPT may have a
2142 # primary. For other keys, this field will be omitted.
2143 #
2144 # A CryptoKeyVersion represents an individual cryptographic key, and the associated key material.
2145 #
2146 # An ENABLED version can be
2147 # used for cryptographic operations.
2148 #
2149 # For security reasons, the raw cryptographic key material represented by a
2150 # CryptoKeyVersion can never be viewed or exported. It can only be used to
2151 # encrypt, decrypt, or sign data when an authorized user or application invokes
2152 # Cloud KMS.
Bu Sun Kimd059ad82020-07-22 17:02:09 -07002153 &quot;generateTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material was
2154 # generated.
2155 &quot;name&quot;: &quot;A String&quot;, # Output only. The resource name for this CryptoKeyVersion in the format
2156 # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -07002157 &quot;importTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKeyVersion&#x27;s key material
2158 # was imported.
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -07002159 &quot;importFailureReason&quot;: &quot;A String&quot;, # Output only. The root cause of an import failure. Only present if
2160 # state is
2161 # IMPORT_FAILED.
2162 &quot;state&quot;: &quot;A String&quot;, # The current state of the CryptoKeyVersion.
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -07002163 &quot;attestation&quot;: { # Output only. Statement that was generated and signed by the HSM at key
2164 # creation time. Use this statement to verify attributes of the key as stored
2165 # on the HSM, independently of Google. Only provided for key versions with protection_level HSM.
2166 #
2167 # Contains an HSM-generated attestation about a key operation. For more
2168 # information, see [Verifying attestations](https://cloud.google.com/kms/docs/attest-key).
2169 &quot;format&quot;: &quot;A String&quot;, # Output only. The format of the attestation data.
2170 &quot;content&quot;: &quot;A String&quot;, # Output only. The attestation data provided by the HSM when the key
2171 # operation was performed.
Bu Sun Kim65020912020-05-20 12:08:20 -07002172 },
Bu Sun Kimd059ad82020-07-22 17:02:09 -07002173 &quot;createTime&quot;: &quot;A String&quot;, # Output only. The time at which this CryptoKeyVersion was created.
2174 &quot;destroyTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material is scheduled
2175 # for destruction. Only present if state is
2176 # DESTROY_SCHEDULED.
2177 &quot;destroyEventTime&quot;: &quot;A String&quot;, # Output only. The time this CryptoKeyVersion&#x27;s key material was
2178 # destroyed. Only present if state is
2179 # DESTROYED.
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -07002180 &quot;protectionLevel&quot;: &quot;A String&quot;, # Output only. The ProtectionLevel describing how crypto operations are
2181 # performed with this CryptoKeyVersion.
Bu Sun Kimd059ad82020-07-22 17:02:09 -07002182 &quot;externalProtectionLevelOptions&quot;: { # ExternalProtectionLevelOptions stores a group of additional fields for
2183 # configuring a CryptoKeyVersion that are specific to the
2184 # EXTERNAL protection level.
2187 &quot;externalKeyUri&quot;: &quot;A String&quot;, # The URI for an external resource that this CryptoKeyVersion represents.
2188 },
2189 &quot;importJob&quot;: &quot;A String&quot;, # Output only. The name of the ImportJob used to import this
2190 # CryptoKeyVersion. Only present if the underlying key material was
2191 # imported.
2192 &quot;algorithm&quot;: &quot;A String&quot;, # Output only. The CryptoKeyVersionAlgorithm that this
2193 # CryptoKeyVersion supports.
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -07002194 },
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -07002195 &quot;versionTemplate&quot;: { # A template describing settings for new CryptoKeyVersion instances.
2196 # The properties of new CryptoKeyVersion instances created by either
2197 # CreateCryptoKeyVersion or auto-rotation are controlled by this template.
2198 #
2199 # A CryptoKeyVersionTemplate specifies the properties to use when creating
2200 # a new CryptoKeyVersion, either manually with CreateCryptoKeyVersion or
2201 # automatically as a result of auto-rotation.
2202 &quot;algorithm&quot;: &quot;A String&quot;, # Required. Algorithm to use
2203 # when creating a CryptoKeyVersion based on this template.
Bu Sun Kim65020912020-05-20 12:08:20 -07002204 #
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -07002205 # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
2206 # this field is omitted and CryptoKey.purpose is
2207 # ENCRYPT_DECRYPT.
2208 &quot;protectionLevel&quot;: &quot;A String&quot;, # ProtectionLevel to use when creating a CryptoKeyVersion based on
2209 # this template. Immutable. Defaults to SOFTWARE.
2210 },
Bu Sun Kimd059ad82020-07-22 17:02:09 -07002211 &quot;rotationPeriod&quot;: &quot;A String&quot;, # next_rotation_time will be advanced by this period when the service
2212 # automatically rotates a key. Must be at least 24 hours and at most
2213 # 876,000 hours.
2214 #
2215 # If rotation_period is set, next_rotation_time must also be set.
2216 #
2217 # Keys with purpose
2218 # ENCRYPT_DECRYPT support
2219 # automatic rotation. For other keys, this field must be omitted.
2220 &quot;nextRotationTime&quot;: &quot;A String&quot;, # At next_rotation_time, the Key Management Service will automatically:
2221 #
2222 # 1. Create a new version of this CryptoKey.
2223 # 2. Mark the new version as primary.
2224 #
2225 # Key rotations performed manually via
2226 # CreateCryptoKeyVersion and
2227 # UpdateCryptoKeyPrimaryVersion
2228 # do not affect next_rotation_time.
2229 #
2230 # Keys with purpose
2231 # ENCRYPT_DECRYPT support
2232 # automatic rotation. For other keys, this field must be omitted.
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -07002233 }</pre>
Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04002234</div>
2235
2236</body></html>