gcp.kms.CryptoKey
Explore with Pulumi AI
A CryptoKey
represents a logical key that can be used for cryptographic operations.
Note: CryptoKeys cannot be deleted from Google Cloud Platform. Destroying a provider-managed CryptoKey will remove it from state and delete all CryptoKeyVersions, rendering the key unusable, but will not delete the resource from the project. When the provider destroys these keys, any data previously encrypted with these keys will be irrecoverable. For this reason, it is strongly recommended that you use Pulumi’s protect resource option.
To get more information about CryptoKey, see:
- API documentation
- How-to Guides
Example Usage
Kms Crypto Key Basic
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const keyring = new gcp.kms.KeyRing("keyring", {
name: "keyring-example",
location: "global",
});
const example_key = new gcp.kms.CryptoKey("example-key", {
name: "crypto-key-example",
keyRing: keyring.id,
rotationPeriod: "7776000s",
});
import pulumi
import pulumi_gcp as gcp
keyring = gcp.kms.KeyRing("keyring",
name="keyring-example",
location="global")
example_key = gcp.kms.CryptoKey("example-key",
name="crypto-key-example",
key_ring=keyring.id,
rotation_period="7776000s")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
keyring, err := kms.NewKeyRing(ctx, "keyring", &kms.KeyRingArgs{
Name: pulumi.String("keyring-example"),
Location: pulumi.String("global"),
})
if err != nil {
return err
}
_, err = kms.NewCryptoKey(ctx, "example-key", &kms.CryptoKeyArgs{
Name: pulumi.String("crypto-key-example"),
KeyRing: keyring.ID(),
RotationPeriod: pulumi.String("7776000s"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var keyring = new Gcp.Kms.KeyRing("keyring", new()
{
Name = "keyring-example",
Location = "global",
});
var example_key = new Gcp.Kms.CryptoKey("example-key", new()
{
Name = "crypto-key-example",
KeyRing = keyring.Id,
RotationPeriod = "7776000s",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.kms.KeyRing;
import com.pulumi.gcp.kms.KeyRingArgs;
import com.pulumi.gcp.kms.CryptoKey;
import com.pulumi.gcp.kms.CryptoKeyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var keyring = new KeyRing("keyring", KeyRingArgs.builder()
.name("keyring-example")
.location("global")
.build());
var example_key = new CryptoKey("example-key", CryptoKeyArgs.builder()
.name("crypto-key-example")
.keyRing(keyring.id())
.rotationPeriod("7776000s")
.build());
}
}
resources:
keyring:
type: gcp:kms:KeyRing
properties:
name: keyring-example
location: global
example-key:
type: gcp:kms:CryptoKey
properties:
name: crypto-key-example
keyRing: ${keyring.id}
rotationPeriod: 7776000s
Kms Crypto Key Asymmetric Sign
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const keyring = new gcp.kms.KeyRing("keyring", {
name: "keyring-example",
location: "global",
});
const example_asymmetric_sign_key = new gcp.kms.CryptoKey("example-asymmetric-sign-key", {
name: "crypto-key-example",
keyRing: keyring.id,
purpose: "ASYMMETRIC_SIGN",
versionTemplate: {
algorithm: "EC_SIGN_P384_SHA384",
},
});
import pulumi
import pulumi_gcp as gcp
keyring = gcp.kms.KeyRing("keyring",
name="keyring-example",
location="global")
example_asymmetric_sign_key = gcp.kms.CryptoKey("example-asymmetric-sign-key",
name="crypto-key-example",
key_ring=keyring.id,
purpose="ASYMMETRIC_SIGN",
version_template={
"algorithm": "EC_SIGN_P384_SHA384",
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
keyring, err := kms.NewKeyRing(ctx, "keyring", &kms.KeyRingArgs{
Name: pulumi.String("keyring-example"),
Location: pulumi.String("global"),
})
if err != nil {
return err
}
_, err = kms.NewCryptoKey(ctx, "example-asymmetric-sign-key", &kms.CryptoKeyArgs{
Name: pulumi.String("crypto-key-example"),
KeyRing: keyring.ID(),
Purpose: pulumi.String("ASYMMETRIC_SIGN"),
VersionTemplate: &kms.CryptoKeyVersionTemplateArgs{
Algorithm: pulumi.String("EC_SIGN_P384_SHA384"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var keyring = new Gcp.Kms.KeyRing("keyring", new()
{
Name = "keyring-example",
Location = "global",
});
var example_asymmetric_sign_key = new Gcp.Kms.CryptoKey("example-asymmetric-sign-key", new()
{
Name = "crypto-key-example",
KeyRing = keyring.Id,
Purpose = "ASYMMETRIC_SIGN",
VersionTemplate = new Gcp.Kms.Inputs.CryptoKeyVersionTemplateArgs
{
Algorithm = "EC_SIGN_P384_SHA384",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.kms.KeyRing;
import com.pulumi.gcp.kms.KeyRingArgs;
import com.pulumi.gcp.kms.CryptoKey;
import com.pulumi.gcp.kms.CryptoKeyArgs;
import com.pulumi.gcp.kms.inputs.CryptoKeyVersionTemplateArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var keyring = new KeyRing("keyring", KeyRingArgs.builder()
.name("keyring-example")
.location("global")
.build());
var example_asymmetric_sign_key = new CryptoKey("example-asymmetric-sign-key", CryptoKeyArgs.builder()
.name("crypto-key-example")
.keyRing(keyring.id())
.purpose("ASYMMETRIC_SIGN")
.versionTemplate(CryptoKeyVersionTemplateArgs.builder()
.algorithm("EC_SIGN_P384_SHA384")
.build())
.build());
}
}
resources:
keyring:
type: gcp:kms:KeyRing
properties:
name: keyring-example
location: global
example-asymmetric-sign-key:
type: gcp:kms:CryptoKey
properties:
name: crypto-key-example
keyRing: ${keyring.id}
purpose: ASYMMETRIC_SIGN
versionTemplate:
algorithm: EC_SIGN_P384_SHA384
Create CryptoKey Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new CryptoKey(name: string, args: CryptoKeyArgs, opts?: CustomResourceOptions);
@overload
def CryptoKey(resource_name: str,
args: CryptoKeyArgs,
opts: Optional[ResourceOptions] = None)
@overload
def CryptoKey(resource_name: str,
opts: Optional[ResourceOptions] = None,
key_ring: Optional[str] = None,
crypto_key_backend: Optional[str] = None,
destroy_scheduled_duration: Optional[str] = None,
import_only: Optional[bool] = None,
key_access_justifications_policy: Optional[CryptoKeyKeyAccessJustificationsPolicyArgs] = None,
labels: Optional[Mapping[str, str]] = None,
name: Optional[str] = None,
purpose: Optional[str] = None,
rotation_period: Optional[str] = None,
skip_initial_version_creation: Optional[bool] = None,
version_template: Optional[CryptoKeyVersionTemplateArgs] = None)
func NewCryptoKey(ctx *Context, name string, args CryptoKeyArgs, opts ...ResourceOption) (*CryptoKey, error)
public CryptoKey(string name, CryptoKeyArgs args, CustomResourceOptions? opts = null)
public CryptoKey(String name, CryptoKeyArgs args)
public CryptoKey(String name, CryptoKeyArgs args, CustomResourceOptions options)
type: gcp:kms:CryptoKey
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args CryptoKeyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args CryptoKeyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args CryptoKeyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args CryptoKeyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args CryptoKeyArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var cryptoKeyResource = new Gcp.Kms.CryptoKey("cryptoKeyResource", new()
{
KeyRing = "string",
CryptoKeyBackend = "string",
DestroyScheduledDuration = "string",
ImportOnly = false,
KeyAccessJustificationsPolicy = new Gcp.Kms.Inputs.CryptoKeyKeyAccessJustificationsPolicyArgs
{
AllowedAccessReasons = new[]
{
"string",
},
},
Labels =
{
{ "string", "string" },
},
Name = "string",
Purpose = "string",
RotationPeriod = "string",
SkipInitialVersionCreation = false,
VersionTemplate = new Gcp.Kms.Inputs.CryptoKeyVersionTemplateArgs
{
Algorithm = "string",
ProtectionLevel = "string",
},
});
example, err := kms.NewCryptoKey(ctx, "cryptoKeyResource", &kms.CryptoKeyArgs{
KeyRing: pulumi.String("string"),
CryptoKeyBackend: pulumi.String("string"),
DestroyScheduledDuration: pulumi.String("string"),
ImportOnly: pulumi.Bool(false),
KeyAccessJustificationsPolicy: &kms.CryptoKeyKeyAccessJustificationsPolicyArgs{
AllowedAccessReasons: pulumi.StringArray{
pulumi.String("string"),
},
},
Labels: pulumi.StringMap{
"string": pulumi.String("string"),
},
Name: pulumi.String("string"),
Purpose: pulumi.String("string"),
RotationPeriod: pulumi.String("string"),
SkipInitialVersionCreation: pulumi.Bool(false),
VersionTemplate: &kms.CryptoKeyVersionTemplateArgs{
Algorithm: pulumi.String("string"),
ProtectionLevel: pulumi.String("string"),
},
})
var cryptoKeyResource = new CryptoKey("cryptoKeyResource", CryptoKeyArgs.builder()
.keyRing("string")
.cryptoKeyBackend("string")
.destroyScheduledDuration("string")
.importOnly(false)
.keyAccessJustificationsPolicy(CryptoKeyKeyAccessJustificationsPolicyArgs.builder()
.allowedAccessReasons("string")
.build())
.labels(Map.of("string", "string"))
.name("string")
.purpose("string")
.rotationPeriod("string")
.skipInitialVersionCreation(false)
.versionTemplate(CryptoKeyVersionTemplateArgs.builder()
.algorithm("string")
.protectionLevel("string")
.build())
.build());
crypto_key_resource = gcp.kms.CryptoKey("cryptoKeyResource",
key_ring="string",
crypto_key_backend="string",
destroy_scheduled_duration="string",
import_only=False,
key_access_justifications_policy={
"allowed_access_reasons": ["string"],
},
labels={
"string": "string",
},
name="string",
purpose="string",
rotation_period="string",
skip_initial_version_creation=False,
version_template={
"algorithm": "string",
"protection_level": "string",
})
const cryptoKeyResource = new gcp.kms.CryptoKey("cryptoKeyResource", {
keyRing: "string",
cryptoKeyBackend: "string",
destroyScheduledDuration: "string",
importOnly: false,
keyAccessJustificationsPolicy: {
allowedAccessReasons: ["string"],
},
labels: {
string: "string",
},
name: "string",
purpose: "string",
rotationPeriod: "string",
skipInitialVersionCreation: false,
versionTemplate: {
algorithm: "string",
protectionLevel: "string",
},
});
type: gcp:kms:CryptoKey
properties:
cryptoKeyBackend: string
destroyScheduledDuration: string
importOnly: false
keyAccessJustificationsPolicy:
allowedAccessReasons:
- string
keyRing: string
labels:
string: string
name: string
purpose: string
rotationPeriod: string
skipInitialVersionCreation: false
versionTemplate:
algorithm: string
protectionLevel: string
CryptoKey Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The CryptoKey resource accepts the following input properties:
- Key
Ring string - The KeyRing that this key belongs to.
Format:
'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'
. - Crypto
Key stringBackend - The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey. The resource name is in the format "projects//locations//ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
- Destroy
Scheduled stringDuration - The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 30 days.
- Import
Only bool - Whether this key may contain imported versions only.
- Key
Access CryptoJustifications Policy Key Key Access Justifications Policy - The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed. This field is currently in beta and is subject to change. Structure is documented below.
- Labels Dictionary<string, string>
Labels with user-defined metadata to apply to this resource.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labels
for all of the labels present on the resource.- Name string
- The resource name for the CryptoKey.
- Purpose string
- The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is "ENCRYPT_DECRYPT".
- Rotation
Period string - Every time this period passes, generate a new CryptoKeyVersion and set it as the primary.
The first rotation will take place after the specified period. The rotation period has
the format of a decimal number with up to 9 fractional digits, followed by the
letter
s
(seconds). It must be greater than a day (ie, 86400). - Skip
Initial boolVersion Creation - If set to true, the request will create a CryptoKey without any CryptoKeyVersions.
You must use the
gcp.kms.CryptoKeyVersion
resource to create a new CryptoKeyVersion orgcp.kms.KeyRingImportJob
resource to import the CryptoKeyVersion. - Version
Template CryptoKey Version Template - A template describing settings for new crypto key versions. Structure is documented below.
- Key
Ring string - The KeyRing that this key belongs to.
Format:
'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'
. - Crypto
Key stringBackend - The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey. The resource name is in the format "projects//locations//ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
- Destroy
Scheduled stringDuration - The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 30 days.
- Import
Only bool - Whether this key may contain imported versions only.
- Key
Access CryptoJustifications Policy Key Key Access Justifications Policy Args - The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed. This field is currently in beta and is subject to change. Structure is documented below.
- Labels map[string]string
Labels with user-defined metadata to apply to this resource.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labels
for all of the labels present on the resource.- Name string
- The resource name for the CryptoKey.
- Purpose string
- The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is "ENCRYPT_DECRYPT".
- Rotation
Period string - Every time this period passes, generate a new CryptoKeyVersion and set it as the primary.
The first rotation will take place after the specified period. The rotation period has
the format of a decimal number with up to 9 fractional digits, followed by the
letter
s
(seconds). It must be greater than a day (ie, 86400). - Skip
Initial boolVersion Creation - If set to true, the request will create a CryptoKey without any CryptoKeyVersions.
You must use the
gcp.kms.CryptoKeyVersion
resource to create a new CryptoKeyVersion orgcp.kms.KeyRingImportJob
resource to import the CryptoKeyVersion. - Version
Template CryptoKey Version Template Args - A template describing settings for new crypto key versions. Structure is documented below.
- key
Ring String - The KeyRing that this key belongs to.
Format:
'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'
. - crypto
Key StringBackend - The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey. The resource name is in the format "projects//locations//ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
- destroy
Scheduled StringDuration - The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 30 days.
- import
Only Boolean - Whether this key may contain imported versions only.
- key
Access CryptoJustifications Policy Key Key Access Justifications Policy - The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed. This field is currently in beta and is subject to change. Structure is documented below.
- labels Map<String,String>
Labels with user-defined metadata to apply to this resource.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labels
for all of the labels present on the resource.- name String
- The resource name for the CryptoKey.
- purpose String
- The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is "ENCRYPT_DECRYPT".
- rotation
Period String - Every time this period passes, generate a new CryptoKeyVersion and set it as the primary.
The first rotation will take place after the specified period. The rotation period has
the format of a decimal number with up to 9 fractional digits, followed by the
letter
s
(seconds). It must be greater than a day (ie, 86400). - skip
Initial BooleanVersion Creation - If set to true, the request will create a CryptoKey without any CryptoKeyVersions.
You must use the
gcp.kms.CryptoKeyVersion
resource to create a new CryptoKeyVersion orgcp.kms.KeyRingImportJob
resource to import the CryptoKeyVersion. - version
Template CryptoKey Version Template - A template describing settings for new crypto key versions. Structure is documented below.
- key
Ring string - The KeyRing that this key belongs to.
Format:
'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'
. - crypto
Key stringBackend - The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey. The resource name is in the format "projects//locations//ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
- destroy
Scheduled stringDuration - The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 30 days.
- import
Only boolean - Whether this key may contain imported versions only.
- key
Access CryptoJustifications Policy Key Key Access Justifications Policy - The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed. This field is currently in beta and is subject to change. Structure is documented below.
- labels {[key: string]: string}
Labels with user-defined metadata to apply to this resource.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labels
for all of the labels present on the resource.- name string
- The resource name for the CryptoKey.
- purpose string
- The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is "ENCRYPT_DECRYPT".
- rotation
Period string - Every time this period passes, generate a new CryptoKeyVersion and set it as the primary.
The first rotation will take place after the specified period. The rotation period has
the format of a decimal number with up to 9 fractional digits, followed by the
letter
s
(seconds). It must be greater than a day (ie, 86400). - skip
Initial booleanVersion Creation - If set to true, the request will create a CryptoKey without any CryptoKeyVersions.
You must use the
gcp.kms.CryptoKeyVersion
resource to create a new CryptoKeyVersion orgcp.kms.KeyRingImportJob
resource to import the CryptoKeyVersion. - version
Template CryptoKey Version Template - A template describing settings for new crypto key versions. Structure is documented below.
- key_
ring str - The KeyRing that this key belongs to.
Format:
'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'
. - crypto_
key_ strbackend - The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey. The resource name is in the format "projects//locations//ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
- destroy_
scheduled_ strduration - The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 30 days.
- import_
only bool - Whether this key may contain imported versions only.
- key_
access_ Cryptojustifications_ policy Key Key Access Justifications Policy Args - The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed. This field is currently in beta and is subject to change. Structure is documented below.
- labels Mapping[str, str]
Labels with user-defined metadata to apply to this resource.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labels
for all of the labels present on the resource.- name str
- The resource name for the CryptoKey.
- purpose str
- The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is "ENCRYPT_DECRYPT".
- rotation_
period str - Every time this period passes, generate a new CryptoKeyVersion and set it as the primary.
The first rotation will take place after the specified period. The rotation period has
the format of a decimal number with up to 9 fractional digits, followed by the
letter
s
(seconds). It must be greater than a day (ie, 86400). - skip_
initial_ boolversion_ creation - If set to true, the request will create a CryptoKey without any CryptoKeyVersions.
You must use the
gcp.kms.CryptoKeyVersion
resource to create a new CryptoKeyVersion orgcp.kms.KeyRingImportJob
resource to import the CryptoKeyVersion. - version_
template CryptoKey Version Template Args - A template describing settings for new crypto key versions. Structure is documented below.
- key
Ring String - The KeyRing that this key belongs to.
Format:
'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'
. - crypto
Key StringBackend - The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey. The resource name is in the format "projects//locations//ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
- destroy
Scheduled StringDuration - The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 30 days.
- import
Only Boolean - Whether this key may contain imported versions only.
- key
Access Property MapJustifications Policy - The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed. This field is currently in beta and is subject to change. Structure is documented below.
- labels Map<String>
Labels with user-defined metadata to apply to this resource.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labels
for all of the labels present on the resource.- name String
- The resource name for the CryptoKey.
- purpose String
- The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is "ENCRYPT_DECRYPT".
- rotation
Period String - Every time this period passes, generate a new CryptoKeyVersion and set it as the primary.
The first rotation will take place after the specified period. The rotation period has
the format of a decimal number with up to 9 fractional digits, followed by the
letter
s
(seconds). It must be greater than a day (ie, 86400). - skip
Initial BooleanVersion Creation - If set to true, the request will create a CryptoKey without any CryptoKeyVersions.
You must use the
gcp.kms.CryptoKeyVersion
resource to create a new CryptoKeyVersion orgcp.kms.KeyRingImportJob
resource to import the CryptoKeyVersion. - version
Template Property Map - A template describing settings for new crypto key versions. Structure is documented below.
Outputs
All input properties are implicitly available as output properties. Additionally, the CryptoKey resource produces the following output properties:
- Effective
Labels Dictionary<string, string> - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- Id string
- The provider-assigned unique ID for this managed resource.
- Primaries
List<Crypto
Key Primary> - A copy of the primary CryptoKeyVersion that will be used by cryptoKeys.encrypt when this CryptoKey is given in EncryptRequest.name. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be unset. Structure is documented below.
- Pulumi
Labels Dictionary<string, string> - The combination of labels configured directly on the resource and default labels configured on the provider.
- Effective
Labels map[string]string - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- Id string
- The provider-assigned unique ID for this managed resource.
- Primaries
[]Crypto
Key Primary - A copy of the primary CryptoKeyVersion that will be used by cryptoKeys.encrypt when this CryptoKey is given in EncryptRequest.name. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be unset. Structure is documented below.
- Pulumi
Labels map[string]string - The combination of labels configured directly on the resource and default labels configured on the provider.
- effective
Labels Map<String,String> - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- id String
- The provider-assigned unique ID for this managed resource.
- primaries
List<Crypto
Key Primary> - A copy of the primary CryptoKeyVersion that will be used by cryptoKeys.encrypt when this CryptoKey is given in EncryptRequest.name. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be unset. Structure is documented below.
- pulumi
Labels Map<String,String> - The combination of labels configured directly on the resource and default labels configured on the provider.
- effective
Labels {[key: string]: string} - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- id string
- The provider-assigned unique ID for this managed resource.
- primaries
Crypto
Key Primary[] - A copy of the primary CryptoKeyVersion that will be used by cryptoKeys.encrypt when this CryptoKey is given in EncryptRequest.name. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be unset. Structure is documented below.
- pulumi
Labels {[key: string]: string} - The combination of labels configured directly on the resource and default labels configured on the provider.
- effective_
labels Mapping[str, str] - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- id str
- The provider-assigned unique ID for this managed resource.
- primaries
Sequence[Crypto
Key Primary] - A copy of the primary CryptoKeyVersion that will be used by cryptoKeys.encrypt when this CryptoKey is given in EncryptRequest.name. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be unset. Structure is documented below.
- pulumi_
labels Mapping[str, str] - The combination of labels configured directly on the resource and default labels configured on the provider.
- effective
Labels Map<String> - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- id String
- The provider-assigned unique ID for this managed resource.
- primaries List<Property Map>
- A copy of the primary CryptoKeyVersion that will be used by cryptoKeys.encrypt when this CryptoKey is given in EncryptRequest.name. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be unset. Structure is documented below.
- pulumi
Labels Map<String> - The combination of labels configured directly on the resource and default labels configured on the provider.
Look up Existing CryptoKey Resource
Get an existing CryptoKey resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: CryptoKeyState, opts?: CustomResourceOptions): CryptoKey
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
crypto_key_backend: Optional[str] = None,
destroy_scheduled_duration: Optional[str] = None,
effective_labels: Optional[Mapping[str, str]] = None,
import_only: Optional[bool] = None,
key_access_justifications_policy: Optional[CryptoKeyKeyAccessJustificationsPolicyArgs] = None,
key_ring: Optional[str] = None,
labels: Optional[Mapping[str, str]] = None,
name: Optional[str] = None,
primaries: Optional[Sequence[CryptoKeyPrimaryArgs]] = None,
pulumi_labels: Optional[Mapping[str, str]] = None,
purpose: Optional[str] = None,
rotation_period: Optional[str] = None,
skip_initial_version_creation: Optional[bool] = None,
version_template: Optional[CryptoKeyVersionTemplateArgs] = None) -> CryptoKey
func GetCryptoKey(ctx *Context, name string, id IDInput, state *CryptoKeyState, opts ...ResourceOption) (*CryptoKey, error)
public static CryptoKey Get(string name, Input<string> id, CryptoKeyState? state, CustomResourceOptions? opts = null)
public static CryptoKey get(String name, Output<String> id, CryptoKeyState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Crypto
Key stringBackend - The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey. The resource name is in the format "projects//locations//ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
- Destroy
Scheduled stringDuration - The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 30 days.
- Effective
Labels Dictionary<string, string> - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- Import
Only bool - Whether this key may contain imported versions only.
- Key
Access CryptoJustifications Policy Key Key Access Justifications Policy - The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed. This field is currently in beta and is subject to change. Structure is documented below.
- Key
Ring string - The KeyRing that this key belongs to.
Format:
'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'
. - Labels Dictionary<string, string>
Labels with user-defined metadata to apply to this resource.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labels
for all of the labels present on the resource.- Name string
- The resource name for the CryptoKey.
- Primaries
List<Crypto
Key Primary> - A copy of the primary CryptoKeyVersion that will be used by cryptoKeys.encrypt when this CryptoKey is given in EncryptRequest.name. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be unset. Structure is documented below.
- Pulumi
Labels Dictionary<string, string> - The combination of labels configured directly on the resource and default labels configured on the provider.
- Purpose string
- The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is "ENCRYPT_DECRYPT".
- Rotation
Period string - Every time this period passes, generate a new CryptoKeyVersion and set it as the primary.
The first rotation will take place after the specified period. The rotation period has
the format of a decimal number with up to 9 fractional digits, followed by the
letter
s
(seconds). It must be greater than a day (ie, 86400). - Skip
Initial boolVersion Creation - If set to true, the request will create a CryptoKey without any CryptoKeyVersions.
You must use the
gcp.kms.CryptoKeyVersion
resource to create a new CryptoKeyVersion orgcp.kms.KeyRingImportJob
resource to import the CryptoKeyVersion. - Version
Template CryptoKey Version Template - A template describing settings for new crypto key versions. Structure is documented below.
- Crypto
Key stringBackend - The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey. The resource name is in the format "projects//locations//ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
- Destroy
Scheduled stringDuration - The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 30 days.
- Effective
Labels map[string]string - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- Import
Only bool - Whether this key may contain imported versions only.
- Key
Access CryptoJustifications Policy Key Key Access Justifications Policy Args - The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed. This field is currently in beta and is subject to change. Structure is documented below.
- Key
Ring string - The KeyRing that this key belongs to.
Format:
'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'
. - Labels map[string]string
Labels with user-defined metadata to apply to this resource.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labels
for all of the labels present on the resource.- Name string
- The resource name for the CryptoKey.
- Primaries
[]Crypto
Key Primary Args - A copy of the primary CryptoKeyVersion that will be used by cryptoKeys.encrypt when this CryptoKey is given in EncryptRequest.name. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be unset. Structure is documented below.
- Pulumi
Labels map[string]string - The combination of labels configured directly on the resource and default labels configured on the provider.
- Purpose string
- The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is "ENCRYPT_DECRYPT".
- Rotation
Period string - Every time this period passes, generate a new CryptoKeyVersion and set it as the primary.
The first rotation will take place after the specified period. The rotation period has
the format of a decimal number with up to 9 fractional digits, followed by the
letter
s
(seconds). It must be greater than a day (ie, 86400). - Skip
Initial boolVersion Creation - If set to true, the request will create a CryptoKey without any CryptoKeyVersions.
You must use the
gcp.kms.CryptoKeyVersion
resource to create a new CryptoKeyVersion orgcp.kms.KeyRingImportJob
resource to import the CryptoKeyVersion. - Version
Template CryptoKey Version Template Args - A template describing settings for new crypto key versions. Structure is documented below.
- crypto
Key StringBackend - The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey. The resource name is in the format "projects//locations//ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
- destroy
Scheduled StringDuration - The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 30 days.
- effective
Labels Map<String,String> - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- import
Only Boolean - Whether this key may contain imported versions only.
- key
Access CryptoJustifications Policy Key Key Access Justifications Policy - The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed. This field is currently in beta and is subject to change. Structure is documented below.
- key
Ring String - The KeyRing that this key belongs to.
Format:
'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'
. - labels Map<String,String>
Labels with user-defined metadata to apply to this resource.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labels
for all of the labels present on the resource.- name String
- The resource name for the CryptoKey.
- primaries
List<Crypto
Key Primary> - A copy of the primary CryptoKeyVersion that will be used by cryptoKeys.encrypt when this CryptoKey is given in EncryptRequest.name. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be unset. Structure is documented below.
- pulumi
Labels Map<String,String> - The combination of labels configured directly on the resource and default labels configured on the provider.
- purpose String
- The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is "ENCRYPT_DECRYPT".
- rotation
Period String - Every time this period passes, generate a new CryptoKeyVersion and set it as the primary.
The first rotation will take place after the specified period. The rotation period has
the format of a decimal number with up to 9 fractional digits, followed by the
letter
s
(seconds). It must be greater than a day (ie, 86400). - skip
Initial BooleanVersion Creation - If set to true, the request will create a CryptoKey without any CryptoKeyVersions.
You must use the
gcp.kms.CryptoKeyVersion
resource to create a new CryptoKeyVersion orgcp.kms.KeyRingImportJob
resource to import the CryptoKeyVersion. - version
Template CryptoKey Version Template - A template describing settings for new crypto key versions. Structure is documented below.
- crypto
Key stringBackend - The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey. The resource name is in the format "projects//locations//ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
- destroy
Scheduled stringDuration - The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 30 days.
- effective
Labels {[key: string]: string} - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- import
Only boolean - Whether this key may contain imported versions only.
- key
Access CryptoJustifications Policy Key Key Access Justifications Policy - The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed. This field is currently in beta and is subject to change. Structure is documented below.
- key
Ring string - The KeyRing that this key belongs to.
Format:
'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'
. - labels {[key: string]: string}
Labels with user-defined metadata to apply to this resource.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labels
for all of the labels present on the resource.- name string
- The resource name for the CryptoKey.
- primaries
Crypto
Key Primary[] - A copy of the primary CryptoKeyVersion that will be used by cryptoKeys.encrypt when this CryptoKey is given in EncryptRequest.name. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be unset. Structure is documented below.
- pulumi
Labels {[key: string]: string} - The combination of labels configured directly on the resource and default labels configured on the provider.
- purpose string
- The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is "ENCRYPT_DECRYPT".
- rotation
Period string - Every time this period passes, generate a new CryptoKeyVersion and set it as the primary.
The first rotation will take place after the specified period. The rotation period has
the format of a decimal number with up to 9 fractional digits, followed by the
letter
s
(seconds). It must be greater than a day (ie, 86400). - skip
Initial booleanVersion Creation - If set to true, the request will create a CryptoKey without any CryptoKeyVersions.
You must use the
gcp.kms.CryptoKeyVersion
resource to create a new CryptoKeyVersion orgcp.kms.KeyRingImportJob
resource to import the CryptoKeyVersion. - version
Template CryptoKey Version Template - A template describing settings for new crypto key versions. Structure is documented below.
- crypto_
key_ strbackend - The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey. The resource name is in the format "projects//locations//ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
- destroy_
scheduled_ strduration - The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 30 days.
- effective_
labels Mapping[str, str] - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- import_
only bool - Whether this key may contain imported versions only.
- key_
access_ Cryptojustifications_ policy Key Key Access Justifications Policy Args - The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed. This field is currently in beta and is subject to change. Structure is documented below.
- key_
ring str - The KeyRing that this key belongs to.
Format:
'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'
. - labels Mapping[str, str]
Labels with user-defined metadata to apply to this resource.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labels
for all of the labels present on the resource.- name str
- The resource name for the CryptoKey.
- primaries
Sequence[Crypto
Key Primary Args] - A copy of the primary CryptoKeyVersion that will be used by cryptoKeys.encrypt when this CryptoKey is given in EncryptRequest.name. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be unset. Structure is documented below.
- pulumi_
labels Mapping[str, str] - The combination of labels configured directly on the resource and default labels configured on the provider.
- purpose str
- The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is "ENCRYPT_DECRYPT".
- rotation_
period str - Every time this period passes, generate a new CryptoKeyVersion and set it as the primary.
The first rotation will take place after the specified period. The rotation period has
the format of a decimal number with up to 9 fractional digits, followed by the
letter
s
(seconds). It must be greater than a day (ie, 86400). - skip_
initial_ boolversion_ creation - If set to true, the request will create a CryptoKey without any CryptoKeyVersions.
You must use the
gcp.kms.CryptoKeyVersion
resource to create a new CryptoKeyVersion orgcp.kms.KeyRingImportJob
resource to import the CryptoKeyVersion. - version_
template CryptoKey Version Template Args - A template describing settings for new crypto key versions. Structure is documented below.
- crypto
Key StringBackend - The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey. The resource name is in the format "projects//locations//ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
- destroy
Scheduled StringDuration - The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 30 days.
- effective
Labels Map<String> - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- import
Only Boolean - Whether this key may contain imported versions only.
- key
Access Property MapJustifications Policy - The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed. This field is currently in beta and is subject to change. Structure is documented below.
- key
Ring String - The KeyRing that this key belongs to.
Format:
'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'
. - labels Map<String>
Labels with user-defined metadata to apply to this resource.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labels
for all of the labels present on the resource.- name String
- The resource name for the CryptoKey.
- primaries List<Property Map>
- A copy of the primary CryptoKeyVersion that will be used by cryptoKeys.encrypt when this CryptoKey is given in EncryptRequest.name. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be unset. Structure is documented below.
- pulumi
Labels Map<String> - The combination of labels configured directly on the resource and default labels configured on the provider.
- purpose String
- The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is "ENCRYPT_DECRYPT".
- rotation
Period String - Every time this period passes, generate a new CryptoKeyVersion and set it as the primary.
The first rotation will take place after the specified period. The rotation period has
the format of a decimal number with up to 9 fractional digits, followed by the
letter
s
(seconds). It must be greater than a day (ie, 86400). - skip
Initial BooleanVersion Creation - If set to true, the request will create a CryptoKey without any CryptoKeyVersions.
You must use the
gcp.kms.CryptoKeyVersion
resource to create a new CryptoKeyVersion orgcp.kms.KeyRingImportJob
resource to import the CryptoKeyVersion. - version
Template Property Map - A template describing settings for new crypto key versions. Structure is documented below.
Supporting Types
CryptoKeyKeyAccessJustificationsPolicy, CryptoKeyKeyAccessJustificationsPolicyArgs
- Allowed
Access List<string>Reasons - The list of allowed reasons for access to this CryptoKey. Zero allowed access reasons means all encrypt, decrypt, and sign operations for this CryptoKey will fail.
- Allowed
Access []stringReasons - The list of allowed reasons for access to this CryptoKey. Zero allowed access reasons means all encrypt, decrypt, and sign operations for this CryptoKey will fail.
- allowed
Access List<String>Reasons - The list of allowed reasons for access to this CryptoKey. Zero allowed access reasons means all encrypt, decrypt, and sign operations for this CryptoKey will fail.
- allowed
Access string[]Reasons - The list of allowed reasons for access to this CryptoKey. Zero allowed access reasons means all encrypt, decrypt, and sign operations for this CryptoKey will fail.
- allowed_
access_ Sequence[str]reasons - The list of allowed reasons for access to this CryptoKey. Zero allowed access reasons means all encrypt, decrypt, and sign operations for this CryptoKey will fail.
- allowed
Access List<String>Reasons - The list of allowed reasons for access to this CryptoKey. Zero allowed access reasons means all encrypt, decrypt, and sign operations for this CryptoKey will fail.
CryptoKeyPrimary, CryptoKeyPrimaryArgs
CryptoKeyVersionTemplate, CryptoKeyVersionTemplateArgs
- Algorithm string
- The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
- Protection
Level string - The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".
- Algorithm string
- The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
- Protection
Level string - The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".
- algorithm String
- The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
- protection
Level String - The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".
- algorithm string
- The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
- protection
Level string - The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".
- algorithm str
- The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
- protection_
level str - The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".
- algorithm String
- The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
- protection
Level String - The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".
Import
CryptoKey can be imported using any of these accepted formats:
{{key_ring}}/cryptoKeys/{{name}}
{{key_ring}}/{{name}}
When using the pulumi import
command, CryptoKey can be imported using one of the formats above. For example:
$ pulumi import gcp:kms/cryptoKey:CryptoKey default {{key_ring}}/cryptoKeys/{{name}}
$ pulumi import gcp:kms/cryptoKey:CryptoKey default {{key_ring}}/{{name}}
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Google Cloud (GCP) Classic pulumi/pulumi-gcp
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
google-beta
Terraform Provider.