1. Packages
  2. Google Cloud Native
  3. API Docs
  4. cloudkms
  5. cloudkms/v1
  6. CryptoKey

Google Cloud Native is in preview. Google Cloud Classic is fully supported.

Google Cloud Native v0.32.0 published on Wednesday, Nov 29, 2023 by Pulumi

google-native.cloudkms/v1.CryptoKey

Explore with Pulumi AI

google-native logo

Google Cloud Native is in preview. Google Cloud Classic is fully supported.

Google Cloud Native v0.32.0 published on Wednesday, Nov 29, 2023 by Pulumi

    Create a new CryptoKey within a KeyRing. CryptoKey.purpose and CryptoKey.version_template.algorithm are required. Note - this resource’s API doesn’t support deletion. When deleted, the resource will persist on Google Cloud even though it will be deleted from Pulumi state.

    Create CryptoKey Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new CryptoKey(name: string, args: CryptoKeyArgs, opts?: CustomResourceOptions);
    @overload
    def CryptoKey(resource_name: str,
                  args: CryptoKeyArgs,
                  opts: Optional[ResourceOptions] = None)
    
    @overload
    def CryptoKey(resource_name: str,
                  opts: Optional[ResourceOptions] = None,
                  key_ring_id: Optional[str] = None,
                  location: Optional[str] = None,
                  destroy_scheduled_duration: Optional[str] = None,
                  import_only: Optional[bool] = None,
                  crypto_key_id: Optional[str] = None,
                  labels: Optional[Mapping[str, str]] = None,
                  crypto_key_backend: Optional[str] = None,
                  next_rotation_time: Optional[str] = None,
                  project: Optional[str] = None,
                  purpose: Optional[CryptoKeyPurpose] = None,
                  rotation_period: Optional[str] = None,
                  skip_initial_version_creation: Optional[bool] = None,
                  version_template: Optional[CryptoKeyVersionTemplateArgs] = None)
    func NewCryptoKey(ctx *Context, name string, args CryptoKeyArgs, opts ...ResourceOption) (*CryptoKey, error)
    public CryptoKey(string name, CryptoKeyArgs args, CustomResourceOptions? opts = null)
    public CryptoKey(String name, CryptoKeyArgs args)
    public CryptoKey(String name, CryptoKeyArgs args, CustomResourceOptions options)
    
    type: google-native:cloudkms/v1:CryptoKey
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args CryptoKeyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args CryptoKeyArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args CryptoKeyArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args CryptoKeyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args CryptoKeyArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var cryptoKeyResource = new GoogleNative.Cloudkms.V1.CryptoKey("cryptoKeyResource", new()
    {
        KeyRingId = "string",
        Location = "string",
        DestroyScheduledDuration = "string",
        ImportOnly = false,
        CryptoKeyId = "string",
        Labels = 
        {
            { "string", "string" },
        },
        CryptoKeyBackend = "string",
        NextRotationTime = "string",
        Project = "string",
        Purpose = GoogleNative.Cloudkms.V1.CryptoKeyPurpose.CryptoKeyPurposeUnspecified,
        RotationPeriod = "string",
        SkipInitialVersionCreation = false,
        VersionTemplate = new GoogleNative.Cloudkms.V1.Inputs.CryptoKeyVersionTemplateArgs
        {
            Algorithm = GoogleNative.Cloudkms.V1.CryptoKeyVersionTemplateAlgorithm.CryptoKeyVersionAlgorithmUnspecified,
            ProtectionLevel = GoogleNative.Cloudkms.V1.CryptoKeyVersionTemplateProtectionLevel.ProtectionLevelUnspecified,
        },
    });
    
    example, err := cloudkms.NewCryptoKey(ctx, "cryptoKeyResource", &cloudkms.CryptoKeyArgs{
    	KeyRingId:                pulumi.String("string"),
    	Location:                 pulumi.String("string"),
    	DestroyScheduledDuration: pulumi.String("string"),
    	ImportOnly:               pulumi.Bool(false),
    	CryptoKeyId:              pulumi.String("string"),
    	Labels: pulumi.StringMap{
    		"string": pulumi.String("string"),
    	},
    	CryptoKeyBackend:           pulumi.String("string"),
    	NextRotationTime:           pulumi.String("string"),
    	Project:                    pulumi.String("string"),
    	Purpose:                    cloudkms.CryptoKeyPurposeCryptoKeyPurposeUnspecified,
    	RotationPeriod:             pulumi.String("string"),
    	SkipInitialVersionCreation: pulumi.Bool(false),
    	VersionTemplate: &cloudkms.CryptoKeyVersionTemplateArgs{
    		Algorithm:       cloudkms.CryptoKeyVersionTemplateAlgorithmCryptoKeyVersionAlgorithmUnspecified,
    		ProtectionLevel: cloudkms.CryptoKeyVersionTemplateProtectionLevelProtectionLevelUnspecified,
    	},
    })
    
    var cryptoKeyResource = new CryptoKey("cryptoKeyResource", CryptoKeyArgs.builder()
        .keyRingId("string")
        .location("string")
        .destroyScheduledDuration("string")
        .importOnly(false)
        .cryptoKeyId("string")
        .labels(Map.of("string", "string"))
        .cryptoKeyBackend("string")
        .nextRotationTime("string")
        .project("string")
        .purpose("CRYPTO_KEY_PURPOSE_UNSPECIFIED")
        .rotationPeriod("string")
        .skipInitialVersionCreation(false)
        .versionTemplate(CryptoKeyVersionTemplateArgs.builder()
            .algorithm("CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED")
            .protectionLevel("PROTECTION_LEVEL_UNSPECIFIED")
            .build())
        .build());
    
    crypto_key_resource = google_native.cloudkms.v1.CryptoKey("cryptoKeyResource",
        key_ring_id="string",
        location="string",
        destroy_scheduled_duration="string",
        import_only=False,
        crypto_key_id="string",
        labels={
            "string": "string",
        },
        crypto_key_backend="string",
        next_rotation_time="string",
        project="string",
        purpose=google_native.cloudkms.v1.CryptoKeyPurpose.CRYPTO_KEY_PURPOSE_UNSPECIFIED,
        rotation_period="string",
        skip_initial_version_creation=False,
        version_template={
            "algorithm": google_native.cloudkms.v1.CryptoKeyVersionTemplateAlgorithm.CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED,
            "protection_level": google_native.cloudkms.v1.CryptoKeyVersionTemplateProtectionLevel.PROTECTION_LEVEL_UNSPECIFIED,
        })
    
    const cryptoKeyResource = new google_native.cloudkms.v1.CryptoKey("cryptoKeyResource", {
        keyRingId: "string",
        location: "string",
        destroyScheduledDuration: "string",
        importOnly: false,
        cryptoKeyId: "string",
        labels: {
            string: "string",
        },
        cryptoKeyBackend: "string",
        nextRotationTime: "string",
        project: "string",
        purpose: google_native.cloudkms.v1.CryptoKeyPurpose.CryptoKeyPurposeUnspecified,
        rotationPeriod: "string",
        skipInitialVersionCreation: false,
        versionTemplate: {
            algorithm: google_native.cloudkms.v1.CryptoKeyVersionTemplateAlgorithm.CryptoKeyVersionAlgorithmUnspecified,
            protectionLevel: google_native.cloudkms.v1.CryptoKeyVersionTemplateProtectionLevel.ProtectionLevelUnspecified,
        },
    });
    
    type: google-native:cloudkms/v1:CryptoKey
    properties:
        cryptoKeyBackend: string
        cryptoKeyId: string
        destroyScheduledDuration: string
        importOnly: false
        keyRingId: string
        labels:
            string: string
        location: string
        nextRotationTime: string
        project: string
        purpose: CRYPTO_KEY_PURPOSE_UNSPECIFIED
        rotationPeriod: string
        skipInitialVersionCreation: false
        versionTemplate:
            algorithm: CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED
            protectionLevel: PROTECTION_LEVEL_UNSPECIFIED
    

    CryptoKey Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The CryptoKey resource accepts the following input properties:

    KeyRingId string
    CryptoKeyBackend string
    Immutable. The resource name of the backend environment where the key material for all CryptoKeyVersions associated with this CryptoKey reside and where all related cryptographic operations are performed. Only applicable if CryptoKeyVersions have a ProtectionLevel of EXTERNAL_VPC, with the resource name in the format projects/*/locations/*/ekmConnections/*. Note, this list is non-exhaustive and may apply to additional ProtectionLevels in the future.
    CryptoKeyId string
    Required. It must be unique within a KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}
    DestroyScheduledDuration string
    Immutable. The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
    ImportOnly bool
    Immutable. Whether this key may contain imported versions only.
    Labels Dictionary<string, string>
    Labels with user-defined metadata. For more information, see Labeling Keys.
    Location string
    NextRotationTime string
    At next_rotation_time, the Key Management Service will automatically: 1. Create a new version of this CryptoKey. 2. Mark the new version as primary. Key rotations performed manually via CreateCryptoKeyVersion and UpdateCryptoKeyPrimaryVersion do not affect next_rotation_time. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
    Project string
    Purpose Pulumi.GoogleNative.Cloudkms.V1.CryptoKeyPurpose
    Immutable. The immutable purpose of this CryptoKey.
    RotationPeriod string
    next_rotation_time will be advanced by this period when the service automatically rotates a key. Must be at least 24 hours and at most 876,000 hours. If rotation_period is set, next_rotation_time must also be set. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
    SkipInitialVersionCreation bool
    If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must manually call CreateCryptoKeyVersion or ImportCryptoKeyVersion before you can use this CryptoKey.
    VersionTemplate Pulumi.GoogleNative.Cloudkms.V1.Inputs.CryptoKeyVersionTemplate
    A template describing settings for new CryptoKeyVersion instances. The properties of new CryptoKeyVersion instances created by either CreateCryptoKeyVersion or auto-rotation are controlled by this template.
    KeyRingId string
    CryptoKeyBackend string
    Immutable. The resource name of the backend environment where the key material for all CryptoKeyVersions associated with this CryptoKey reside and where all related cryptographic operations are performed. Only applicable if CryptoKeyVersions have a ProtectionLevel of EXTERNAL_VPC, with the resource name in the format projects/*/locations/*/ekmConnections/*. Note, this list is non-exhaustive and may apply to additional ProtectionLevels in the future.
    CryptoKeyId string
    Required. It must be unique within a KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}
    DestroyScheduledDuration string
    Immutable. The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
    ImportOnly bool
    Immutable. Whether this key may contain imported versions only.
    Labels map[string]string
    Labels with user-defined metadata. For more information, see Labeling Keys.
    Location string
    NextRotationTime string
    At next_rotation_time, the Key Management Service will automatically: 1. Create a new version of this CryptoKey. 2. Mark the new version as primary. Key rotations performed manually via CreateCryptoKeyVersion and UpdateCryptoKeyPrimaryVersion do not affect next_rotation_time. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
    Project string
    Purpose CryptoKeyPurpose
    Immutable. The immutable purpose of this CryptoKey.
    RotationPeriod string
    next_rotation_time will be advanced by this period when the service automatically rotates a key. Must be at least 24 hours and at most 876,000 hours. If rotation_period is set, next_rotation_time must also be set. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
    SkipInitialVersionCreation bool
    If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must manually call CreateCryptoKeyVersion or ImportCryptoKeyVersion before you can use this CryptoKey.
    VersionTemplate CryptoKeyVersionTemplateArgs
    A template describing settings for new CryptoKeyVersion instances. The properties of new CryptoKeyVersion instances created by either CreateCryptoKeyVersion or auto-rotation are controlled by this template.
    keyRingId String
    cryptoKeyBackend String
    Immutable. The resource name of the backend environment where the key material for all CryptoKeyVersions associated with this CryptoKey reside and where all related cryptographic operations are performed. Only applicable if CryptoKeyVersions have a ProtectionLevel of EXTERNAL_VPC, with the resource name in the format projects/*/locations/*/ekmConnections/*. Note, this list is non-exhaustive and may apply to additional ProtectionLevels in the future.
    cryptoKeyId String
    Required. It must be unique within a KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}
    destroyScheduledDuration String
    Immutable. The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
    importOnly Boolean
    Immutable. Whether this key may contain imported versions only.
    labels Map<String,String>
    Labels with user-defined metadata. For more information, see Labeling Keys.
    location String
    nextRotationTime String
    At next_rotation_time, the Key Management Service will automatically: 1. Create a new version of this CryptoKey. 2. Mark the new version as primary. Key rotations performed manually via CreateCryptoKeyVersion and UpdateCryptoKeyPrimaryVersion do not affect next_rotation_time. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
    project String
    purpose CryptoKeyPurpose
    Immutable. The immutable purpose of this CryptoKey.
    rotationPeriod String
    next_rotation_time will be advanced by this period when the service automatically rotates a key. Must be at least 24 hours and at most 876,000 hours. If rotation_period is set, next_rotation_time must also be set. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
    skipInitialVersionCreation Boolean
    If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must manually call CreateCryptoKeyVersion or ImportCryptoKeyVersion before you can use this CryptoKey.
    versionTemplate CryptoKeyVersionTemplate
    A template describing settings for new CryptoKeyVersion instances. The properties of new CryptoKeyVersion instances created by either CreateCryptoKeyVersion or auto-rotation are controlled by this template.
    keyRingId string
    cryptoKeyBackend string
    Immutable. The resource name of the backend environment where the key material for all CryptoKeyVersions associated with this CryptoKey reside and where all related cryptographic operations are performed. Only applicable if CryptoKeyVersions have a ProtectionLevel of EXTERNAL_VPC, with the resource name in the format projects/*/locations/*/ekmConnections/*. Note, this list is non-exhaustive and may apply to additional ProtectionLevels in the future.
    cryptoKeyId string
    Required. It must be unique within a KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}
    destroyScheduledDuration string
    Immutable. The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
    importOnly boolean
    Immutable. Whether this key may contain imported versions only.
    labels {[key: string]: string}
    Labels with user-defined metadata. For more information, see Labeling Keys.
    location string
    nextRotationTime string
    At next_rotation_time, the Key Management Service will automatically: 1. Create a new version of this CryptoKey. 2. Mark the new version as primary. Key rotations performed manually via CreateCryptoKeyVersion and UpdateCryptoKeyPrimaryVersion do not affect next_rotation_time. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
    project string
    purpose CryptoKeyPurpose
    Immutable. The immutable purpose of this CryptoKey.
    rotationPeriod string
    next_rotation_time will be advanced by this period when the service automatically rotates a key. Must be at least 24 hours and at most 876,000 hours. If rotation_period is set, next_rotation_time must also be set. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
    skipInitialVersionCreation boolean
    If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must manually call CreateCryptoKeyVersion or ImportCryptoKeyVersion before you can use this CryptoKey.
    versionTemplate CryptoKeyVersionTemplate
    A template describing settings for new CryptoKeyVersion instances. The properties of new CryptoKeyVersion instances created by either CreateCryptoKeyVersion or auto-rotation are controlled by this template.
    key_ring_id str
    crypto_key_backend str
    Immutable. The resource name of the backend environment where the key material for all CryptoKeyVersions associated with this CryptoKey reside and where all related cryptographic operations are performed. Only applicable if CryptoKeyVersions have a ProtectionLevel of EXTERNAL_VPC, with the resource name in the format projects/*/locations/*/ekmConnections/*. Note, this list is non-exhaustive and may apply to additional ProtectionLevels in the future.
    crypto_key_id str
    Required. It must be unique within a KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}
    destroy_scheduled_duration str
    Immutable. The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
    import_only bool
    Immutable. Whether this key may contain imported versions only.
    labels Mapping[str, str]
    Labels with user-defined metadata. For more information, see Labeling Keys.
    location str
    next_rotation_time str
    At next_rotation_time, the Key Management Service will automatically: 1. Create a new version of this CryptoKey. 2. Mark the new version as primary. Key rotations performed manually via CreateCryptoKeyVersion and UpdateCryptoKeyPrimaryVersion do not affect next_rotation_time. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
    project str
    purpose CryptoKeyPurpose
    Immutable. The immutable purpose of this CryptoKey.
    rotation_period str
    next_rotation_time will be advanced by this period when the service automatically rotates a key. Must be at least 24 hours and at most 876,000 hours. If rotation_period is set, next_rotation_time must also be set. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
    skip_initial_version_creation bool
    If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must manually call CreateCryptoKeyVersion or ImportCryptoKeyVersion before you can use this CryptoKey.
    version_template CryptoKeyVersionTemplateArgs
    A template describing settings for new CryptoKeyVersion instances. The properties of new CryptoKeyVersion instances created by either CreateCryptoKeyVersion or auto-rotation are controlled by this template.
    keyRingId String
    cryptoKeyBackend String
    Immutable. The resource name of the backend environment where the key material for all CryptoKeyVersions associated with this CryptoKey reside and where all related cryptographic operations are performed. Only applicable if CryptoKeyVersions have a ProtectionLevel of EXTERNAL_VPC, with the resource name in the format projects/*/locations/*/ekmConnections/*. Note, this list is non-exhaustive and may apply to additional ProtectionLevels in the future.
    cryptoKeyId String
    Required. It must be unique within a KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}
    destroyScheduledDuration String
    Immutable. The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
    importOnly Boolean
    Immutable. Whether this key may contain imported versions only.
    labels Map<String>
    Labels with user-defined metadata. For more information, see Labeling Keys.
    location String
    nextRotationTime String
    At next_rotation_time, the Key Management Service will automatically: 1. Create a new version of this CryptoKey. 2. Mark the new version as primary. Key rotations performed manually via CreateCryptoKeyVersion and UpdateCryptoKeyPrimaryVersion do not affect next_rotation_time. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
    project String
    purpose "CRYPTO_KEY_PURPOSE_UNSPECIFIED" | "ENCRYPT_DECRYPT" | "ASYMMETRIC_SIGN" | "ASYMMETRIC_DECRYPT" | "RAW_ENCRYPT_DECRYPT" | "MAC"
    Immutable. The immutable purpose of this CryptoKey.
    rotationPeriod String
    next_rotation_time will be advanced by this period when the service automatically rotates a key. Must be at least 24 hours and at most 876,000 hours. If rotation_period is set, next_rotation_time must also be set. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
    skipInitialVersionCreation Boolean
    If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must manually call CreateCryptoKeyVersion or ImportCryptoKeyVersion before you can use this CryptoKey.
    versionTemplate Property Map
    A template describing settings for new CryptoKeyVersion instances. The properties of new CryptoKeyVersion instances created by either CreateCryptoKeyVersion or auto-rotation are controlled by this template.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the CryptoKey resource produces the following output properties:

    CreateTime string
    The time at which this CryptoKey was created.
    Id string
    The provider-assigned unique ID for this managed resource.
    Name string
    The resource name for this CryptoKey in the format projects/*/locations/*/keyRings/*/cryptoKeys/*.
    Primary Pulumi.GoogleNative.Cloudkms.V1.Outputs.CryptoKeyVersionResponse
    A copy of the "primary" CryptoKeyVersion that will be used by Encrypt when this CryptoKey is given in EncryptRequest.name. The CryptoKey's primary version can be updated via UpdateCryptoKeyPrimaryVersion. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be omitted.
    CreateTime string
    The time at which this CryptoKey was created.
    Id string
    The provider-assigned unique ID for this managed resource.
    Name string
    The resource name for this CryptoKey in the format projects/*/locations/*/keyRings/*/cryptoKeys/*.
    Primary CryptoKeyVersionResponse
    A copy of the "primary" CryptoKeyVersion that will be used by Encrypt when this CryptoKey is given in EncryptRequest.name. The CryptoKey's primary version can be updated via UpdateCryptoKeyPrimaryVersion. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be omitted.
    createTime String
    The time at which this CryptoKey was created.
    id String
    The provider-assigned unique ID for this managed resource.
    name String
    The resource name for this CryptoKey in the format projects/*/locations/*/keyRings/*/cryptoKeys/*.
    primary CryptoKeyVersionResponse
    A copy of the "primary" CryptoKeyVersion that will be used by Encrypt when this CryptoKey is given in EncryptRequest.name. The CryptoKey's primary version can be updated via UpdateCryptoKeyPrimaryVersion. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be omitted.
    createTime string
    The time at which this CryptoKey was created.
    id string
    The provider-assigned unique ID for this managed resource.
    name string
    The resource name for this CryptoKey in the format projects/*/locations/*/keyRings/*/cryptoKeys/*.
    primary CryptoKeyVersionResponse
    A copy of the "primary" CryptoKeyVersion that will be used by Encrypt when this CryptoKey is given in EncryptRequest.name. The CryptoKey's primary version can be updated via UpdateCryptoKeyPrimaryVersion. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be omitted.
    create_time str
    The time at which this CryptoKey was created.
    id str
    The provider-assigned unique ID for this managed resource.
    name str
    The resource name for this CryptoKey in the format projects/*/locations/*/keyRings/*/cryptoKeys/*.
    primary CryptoKeyVersionResponse
    A copy of the "primary" CryptoKeyVersion that will be used by Encrypt when this CryptoKey is given in EncryptRequest.name. The CryptoKey's primary version can be updated via UpdateCryptoKeyPrimaryVersion. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be omitted.
    createTime String
    The time at which this CryptoKey was created.
    id String
    The provider-assigned unique ID for this managed resource.
    name String
    The resource name for this CryptoKey in the format projects/*/locations/*/keyRings/*/cryptoKeys/*.
    primary Property Map
    A copy of the "primary" CryptoKeyVersion that will be used by Encrypt when this CryptoKey is given in EncryptRequest.name. The CryptoKey's primary version can be updated via UpdateCryptoKeyPrimaryVersion. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be omitted.

    Supporting Types

    CertificateChainsResponse, CertificateChainsResponseArgs

    CaviumCerts List<string>
    Cavium certificate chain corresponding to the attestation.
    GoogleCardCerts List<string>
    Google card certificate chain corresponding to the attestation.
    GooglePartitionCerts List<string>
    Google partition certificate chain corresponding to the attestation.
    CaviumCerts []string
    Cavium certificate chain corresponding to the attestation.
    GoogleCardCerts []string
    Google card certificate chain corresponding to the attestation.
    GooglePartitionCerts []string
    Google partition certificate chain corresponding to the attestation.
    caviumCerts List<String>
    Cavium certificate chain corresponding to the attestation.
    googleCardCerts List<String>
    Google card certificate chain corresponding to the attestation.
    googlePartitionCerts List<String>
    Google partition certificate chain corresponding to the attestation.
    caviumCerts string[]
    Cavium certificate chain corresponding to the attestation.
    googleCardCerts string[]
    Google card certificate chain corresponding to the attestation.
    googlePartitionCerts string[]
    Google partition certificate chain corresponding to the attestation.
    cavium_certs Sequence[str]
    Cavium certificate chain corresponding to the attestation.
    google_card_certs Sequence[str]
    Google card certificate chain corresponding to the attestation.
    google_partition_certs Sequence[str]
    Google partition certificate chain corresponding to the attestation.
    caviumCerts List<String>
    Cavium certificate chain corresponding to the attestation.
    googleCardCerts List<String>
    Google card certificate chain corresponding to the attestation.
    googlePartitionCerts List<String>
    Google partition certificate chain corresponding to the attestation.

    CryptoKeyPurpose, CryptoKeyPurposeArgs

    CryptoKeyPurposeUnspecified
    CRYPTO_KEY_PURPOSE_UNSPECIFIEDNot specified.
    EncryptDecrypt
    ENCRYPT_DECRYPTCryptoKeys with this purpose may be used with Encrypt and Decrypt.
    AsymmetricSign
    ASYMMETRIC_SIGNCryptoKeys with this purpose may be used with AsymmetricSign and GetPublicKey.
    AsymmetricDecrypt
    ASYMMETRIC_DECRYPTCryptoKeys with this purpose may be used with AsymmetricDecrypt and GetPublicKey.
    RawEncryptDecrypt
    RAW_ENCRYPT_DECRYPTCryptoKeys with this purpose may be used with RawEncrypt and RawDecrypt. This purpose is meant to be used for interoperable symmetric encryption and does not support automatic CryptoKey rotation.
    Mac
    MACCryptoKeys with this purpose may be used with MacSign.
    CryptoKeyPurposeCryptoKeyPurposeUnspecified
    CRYPTO_KEY_PURPOSE_UNSPECIFIEDNot specified.
    CryptoKeyPurposeEncryptDecrypt
    ENCRYPT_DECRYPTCryptoKeys with this purpose may be used with Encrypt and Decrypt.
    CryptoKeyPurposeAsymmetricSign
    ASYMMETRIC_SIGNCryptoKeys with this purpose may be used with AsymmetricSign and GetPublicKey.
    CryptoKeyPurposeAsymmetricDecrypt
    ASYMMETRIC_DECRYPTCryptoKeys with this purpose may be used with AsymmetricDecrypt and GetPublicKey.
    CryptoKeyPurposeRawEncryptDecrypt
    RAW_ENCRYPT_DECRYPTCryptoKeys with this purpose may be used with RawEncrypt and RawDecrypt. This purpose is meant to be used for interoperable symmetric encryption and does not support automatic CryptoKey rotation.
    CryptoKeyPurposeMac
    MACCryptoKeys with this purpose may be used with MacSign.
    CryptoKeyPurposeUnspecified
    CRYPTO_KEY_PURPOSE_UNSPECIFIEDNot specified.
    EncryptDecrypt
    ENCRYPT_DECRYPTCryptoKeys with this purpose may be used with Encrypt and Decrypt.
    AsymmetricSign
    ASYMMETRIC_SIGNCryptoKeys with this purpose may be used with AsymmetricSign and GetPublicKey.
    AsymmetricDecrypt
    ASYMMETRIC_DECRYPTCryptoKeys with this purpose may be used with AsymmetricDecrypt and GetPublicKey.
    RawEncryptDecrypt
    RAW_ENCRYPT_DECRYPTCryptoKeys with this purpose may be used with RawEncrypt and RawDecrypt. This purpose is meant to be used for interoperable symmetric encryption and does not support automatic CryptoKey rotation.
    Mac
    MACCryptoKeys with this purpose may be used with MacSign.
    CryptoKeyPurposeUnspecified
    CRYPTO_KEY_PURPOSE_UNSPECIFIEDNot specified.
    EncryptDecrypt
    ENCRYPT_DECRYPTCryptoKeys with this purpose may be used with Encrypt and Decrypt.
    AsymmetricSign
    ASYMMETRIC_SIGNCryptoKeys with this purpose may be used with AsymmetricSign and GetPublicKey.
    AsymmetricDecrypt
    ASYMMETRIC_DECRYPTCryptoKeys with this purpose may be used with AsymmetricDecrypt and GetPublicKey.
    RawEncryptDecrypt
    RAW_ENCRYPT_DECRYPTCryptoKeys with this purpose may be used with RawEncrypt and RawDecrypt. This purpose is meant to be used for interoperable symmetric encryption and does not support automatic CryptoKey rotation.
    Mac
    MACCryptoKeys with this purpose may be used with MacSign.
    CRYPTO_KEY_PURPOSE_UNSPECIFIED
    CRYPTO_KEY_PURPOSE_UNSPECIFIEDNot specified.
    ENCRYPT_DECRYPT
    ENCRYPT_DECRYPTCryptoKeys with this purpose may be used with Encrypt and Decrypt.
    ASYMMETRIC_SIGN
    ASYMMETRIC_SIGNCryptoKeys with this purpose may be used with AsymmetricSign and GetPublicKey.
    ASYMMETRIC_DECRYPT
    ASYMMETRIC_DECRYPTCryptoKeys with this purpose may be used with AsymmetricDecrypt and GetPublicKey.
    RAW_ENCRYPT_DECRYPT
    RAW_ENCRYPT_DECRYPTCryptoKeys with this purpose may be used with RawEncrypt and RawDecrypt. This purpose is meant to be used for interoperable symmetric encryption and does not support automatic CryptoKey rotation.
    MAC
    MACCryptoKeys with this purpose may be used with MacSign.
    "CRYPTO_KEY_PURPOSE_UNSPECIFIED"
    CRYPTO_KEY_PURPOSE_UNSPECIFIEDNot specified.
    "ENCRYPT_DECRYPT"
    ENCRYPT_DECRYPTCryptoKeys with this purpose may be used with Encrypt and Decrypt.
    "ASYMMETRIC_SIGN"
    ASYMMETRIC_SIGNCryptoKeys with this purpose may be used with AsymmetricSign and GetPublicKey.
    "ASYMMETRIC_DECRYPT"
    ASYMMETRIC_DECRYPTCryptoKeys with this purpose may be used with AsymmetricDecrypt and GetPublicKey.
    "RAW_ENCRYPT_DECRYPT"
    RAW_ENCRYPT_DECRYPTCryptoKeys with this purpose may be used with RawEncrypt and RawDecrypt. This purpose is meant to be used for interoperable symmetric encryption and does not support automatic CryptoKey rotation.
    "MAC"
    MACCryptoKeys with this purpose may be used with MacSign.

    CryptoKeyVersionResponse, CryptoKeyVersionResponseArgs

    Algorithm string
    The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.
    Attestation Pulumi.GoogleNative.Cloudkms.V1.Inputs.KeyOperationAttestationResponse
    Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with protection_level HSM.
    CreateTime string
    The time at which this CryptoKeyVersion was created.
    DestroyEventTime string
    The time this CryptoKeyVersion's key material was destroyed. Only present if state is DESTROYED.
    DestroyTime string
    The time this CryptoKeyVersion's key material is scheduled for destruction. Only present if state is DESTROY_SCHEDULED.
    ExternalDestructionFailureReason string
    The root cause of the most recent external destruction failure. Only present if state is EXTERNAL_DESTRUCTION_FAILED.
    ExternalProtectionLevelOptions Pulumi.GoogleNative.Cloudkms.V1.Inputs.ExternalProtectionLevelOptionsResponse
    ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels.
    GenerateTime string
    The time this CryptoKeyVersion's key material was generated.
    GenerationFailureReason string
    The root cause of the most recent generation failure. Only present if state is GENERATION_FAILED.
    ImportFailureReason string
    The root cause of the most recent import failure. Only present if state is IMPORT_FAILED.
    ImportJob string
    The name of the ImportJob used in the most recent import of this CryptoKeyVersion. Only present if the underlying key material was imported.
    ImportTime string
    The time at which this CryptoKeyVersion's key material was most recently imported.
    Name string
    The resource name for this CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.
    ProtectionLevel string
    The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.
    ReimportEligible bool
    Whether or not this key version is eligible for reimport, by being specified as a target in ImportCryptoKeyVersionRequest.crypto_key_version.
    State string
    The current state of the CryptoKeyVersion.
    Algorithm string
    The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.
    Attestation KeyOperationAttestationResponse
    Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with protection_level HSM.
    CreateTime string
    The time at which this CryptoKeyVersion was created.
    DestroyEventTime string
    The time this CryptoKeyVersion's key material was destroyed. Only present if state is DESTROYED.
    DestroyTime string
    The time this CryptoKeyVersion's key material is scheduled for destruction. Only present if state is DESTROY_SCHEDULED.
    ExternalDestructionFailureReason string
    The root cause of the most recent external destruction failure. Only present if state is EXTERNAL_DESTRUCTION_FAILED.
    ExternalProtectionLevelOptions ExternalProtectionLevelOptionsResponse
    ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels.
    GenerateTime string
    The time this CryptoKeyVersion's key material was generated.
    GenerationFailureReason string
    The root cause of the most recent generation failure. Only present if state is GENERATION_FAILED.
    ImportFailureReason string
    The root cause of the most recent import failure. Only present if state is IMPORT_FAILED.
    ImportJob string
    The name of the ImportJob used in the most recent import of this CryptoKeyVersion. Only present if the underlying key material was imported.
    ImportTime string
    The time at which this CryptoKeyVersion's key material was most recently imported.
    Name string
    The resource name for this CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.
    ProtectionLevel string
    The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.
    ReimportEligible bool
    Whether or not this key version is eligible for reimport, by being specified as a target in ImportCryptoKeyVersionRequest.crypto_key_version.
    State string
    The current state of the CryptoKeyVersion.
    algorithm String
    The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.
    attestation KeyOperationAttestationResponse
    Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with protection_level HSM.
    createTime String
    The time at which this CryptoKeyVersion was created.
    destroyEventTime String
    The time this CryptoKeyVersion's key material was destroyed. Only present if state is DESTROYED.
    destroyTime String
    The time this CryptoKeyVersion's key material is scheduled for destruction. Only present if state is DESTROY_SCHEDULED.
    externalDestructionFailureReason String
    The root cause of the most recent external destruction failure. Only present if state is EXTERNAL_DESTRUCTION_FAILED.
    externalProtectionLevelOptions ExternalProtectionLevelOptionsResponse
    ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels.
    generateTime String
    The time this CryptoKeyVersion's key material was generated.
    generationFailureReason String
    The root cause of the most recent generation failure. Only present if state is GENERATION_FAILED.
    importFailureReason String
    The root cause of the most recent import failure. Only present if state is IMPORT_FAILED.
    importJob String
    The name of the ImportJob used in the most recent import of this CryptoKeyVersion. Only present if the underlying key material was imported.
    importTime String
    The time at which this CryptoKeyVersion's key material was most recently imported.
    name String
    The resource name for this CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.
    protectionLevel String
    The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.
    reimportEligible Boolean
    Whether or not this key version is eligible for reimport, by being specified as a target in ImportCryptoKeyVersionRequest.crypto_key_version.
    state String
    The current state of the CryptoKeyVersion.
    algorithm string
    The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.
    attestation KeyOperationAttestationResponse
    Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with protection_level HSM.
    createTime string
    The time at which this CryptoKeyVersion was created.
    destroyEventTime string
    The time this CryptoKeyVersion's key material was destroyed. Only present if state is DESTROYED.
    destroyTime string
    The time this CryptoKeyVersion's key material is scheduled for destruction. Only present if state is DESTROY_SCHEDULED.
    externalDestructionFailureReason string
    The root cause of the most recent external destruction failure. Only present if state is EXTERNAL_DESTRUCTION_FAILED.
    externalProtectionLevelOptions ExternalProtectionLevelOptionsResponse
    ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels.
    generateTime string
    The time this CryptoKeyVersion's key material was generated.
    generationFailureReason string
    The root cause of the most recent generation failure. Only present if state is GENERATION_FAILED.
    importFailureReason string
    The root cause of the most recent import failure. Only present if state is IMPORT_FAILED.
    importJob string
    The name of the ImportJob used in the most recent import of this CryptoKeyVersion. Only present if the underlying key material was imported.
    importTime string
    The time at which this CryptoKeyVersion's key material was most recently imported.
    name string
    The resource name for this CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.
    protectionLevel string
    The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.
    reimportEligible boolean
    Whether or not this key version is eligible for reimport, by being specified as a target in ImportCryptoKeyVersionRequest.crypto_key_version.
    state string
    The current state of the CryptoKeyVersion.
    algorithm str
    The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.
    attestation KeyOperationAttestationResponse
    Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with protection_level HSM.
    create_time str
    The time at which this CryptoKeyVersion was created.
    destroy_event_time str
    The time this CryptoKeyVersion's key material was destroyed. Only present if state is DESTROYED.
    destroy_time str
    The time this CryptoKeyVersion's key material is scheduled for destruction. Only present if state is DESTROY_SCHEDULED.
    external_destruction_failure_reason str
    The root cause of the most recent external destruction failure. Only present if state is EXTERNAL_DESTRUCTION_FAILED.
    external_protection_level_options ExternalProtectionLevelOptionsResponse
    ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels.
    generate_time str
    The time this CryptoKeyVersion's key material was generated.
    generation_failure_reason str
    The root cause of the most recent generation failure. Only present if state is GENERATION_FAILED.
    import_failure_reason str
    The root cause of the most recent import failure. Only present if state is IMPORT_FAILED.
    import_job str
    The name of the ImportJob used in the most recent import of this CryptoKeyVersion. Only present if the underlying key material was imported.
    import_time str
    The time at which this CryptoKeyVersion's key material was most recently imported.
    name str
    The resource name for this CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.
    protection_level str
    The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.
    reimport_eligible bool
    Whether or not this key version is eligible for reimport, by being specified as a target in ImportCryptoKeyVersionRequest.crypto_key_version.
    state str
    The current state of the CryptoKeyVersion.
    algorithm String
    The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.
    attestation Property Map
    Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with protection_level HSM.
    createTime String
    The time at which this CryptoKeyVersion was created.
    destroyEventTime String
    The time this CryptoKeyVersion's key material was destroyed. Only present if state is DESTROYED.
    destroyTime String
    The time this CryptoKeyVersion's key material is scheduled for destruction. Only present if state is DESTROY_SCHEDULED.
    externalDestructionFailureReason String
    The root cause of the most recent external destruction failure. Only present if state is EXTERNAL_DESTRUCTION_FAILED.
    externalProtectionLevelOptions Property Map
    ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels.
    generateTime String
    The time this CryptoKeyVersion's key material was generated.
    generationFailureReason String
    The root cause of the most recent generation failure. Only present if state is GENERATION_FAILED.
    importFailureReason String
    The root cause of the most recent import failure. Only present if state is IMPORT_FAILED.
    importJob String
    The name of the ImportJob used in the most recent import of this CryptoKeyVersion. Only present if the underlying key material was imported.
    importTime String
    The time at which this CryptoKeyVersion's key material was most recently imported.
    name String
    The resource name for this CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.
    protectionLevel String
    The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.
    reimportEligible Boolean
    Whether or not this key version is eligible for reimport, by being specified as a target in ImportCryptoKeyVersionRequest.crypto_key_version.
    state String
    The current state of the CryptoKeyVersion.

    CryptoKeyVersionTemplate, CryptoKeyVersionTemplateArgs

    Algorithm Pulumi.GoogleNative.Cloudkms.V1.CryptoKeyVersionTemplateAlgorithm
    Algorithm to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
    ProtectionLevel Pulumi.GoogleNative.Cloudkms.V1.CryptoKeyVersionTemplateProtectionLevel
    ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.
    Algorithm CryptoKeyVersionTemplateAlgorithm
    Algorithm to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
    ProtectionLevel CryptoKeyVersionTemplateProtectionLevel
    ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.
    algorithm CryptoKeyVersionTemplateAlgorithm
    Algorithm to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
    protectionLevel CryptoKeyVersionTemplateProtectionLevel
    ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.
    algorithm CryptoKeyVersionTemplateAlgorithm
    Algorithm to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
    protectionLevel CryptoKeyVersionTemplateProtectionLevel
    ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.
    algorithm CryptoKeyVersionTemplateAlgorithm
    Algorithm to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
    protection_level CryptoKeyVersionTemplateProtectionLevel
    ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.
    algorithm "CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED" | "GOOGLE_SYMMETRIC_ENCRYPTION" | "AES_128_GCM" | "AES_256_GCM" | "AES_128_CBC" | "AES_256_CBC" | "AES_128_CTR" | "AES_256_CTR" | "RSA_SIGN_PSS_2048_SHA256" | "RSA_SIGN_PSS_3072_SHA256" | "RSA_SIGN_PSS_4096_SHA256" | "RSA_SIGN_PSS_4096_SHA512" | "RSA_SIGN_PKCS1_2048_SHA256" | "RSA_SIGN_PKCS1_3072_SHA256" | "RSA_SIGN_PKCS1_4096_SHA256" | "RSA_SIGN_PKCS1_4096_SHA512" | "RSA_SIGN_RAW_PKCS1_2048" | "RSA_SIGN_RAW_PKCS1_3072" | "RSA_SIGN_RAW_PKCS1_4096" | "RSA_DECRYPT_OAEP_2048_SHA256" | "RSA_DECRYPT_OAEP_3072_SHA256" | "RSA_DECRYPT_OAEP_4096_SHA256" | "RSA_DECRYPT_OAEP_4096_SHA512" | "RSA_DECRYPT_OAEP_2048_SHA1" | "RSA_DECRYPT_OAEP_3072_SHA1" | "RSA_DECRYPT_OAEP_4096_SHA1" | "EC_SIGN_P256_SHA256" | "EC_SIGN_P384_SHA384" | "EC_SIGN_SECP256K1_SHA256" | "HMAC_SHA256" | "HMAC_SHA1" | "HMAC_SHA384" | "HMAC_SHA512" | "HMAC_SHA224" | "EXTERNAL_SYMMETRIC_ENCRYPTION"
    Algorithm to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
    protectionLevel "PROTECTION_LEVEL_UNSPECIFIED" | "SOFTWARE" | "HSM" | "EXTERNAL" | "EXTERNAL_VPC"
    ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.

    CryptoKeyVersionTemplateAlgorithm, CryptoKeyVersionTemplateAlgorithmArgs

    CryptoKeyVersionAlgorithmUnspecified
    CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIEDNot specified.
    GoogleSymmetricEncryption
    GOOGLE_SYMMETRIC_ENCRYPTIONCreates symmetric encryption keys.
    Aes128Gcm
    AES_128_GCMAES-GCM (Galois Counter Mode) using 128-bit keys.
    Aes256Gcm
    AES_256_GCMAES-GCM (Galois Counter Mode) using 256-bit keys.
    Aes128Cbc
    AES_128_CBCAES-CBC (Cipher Block Chaining Mode) using 128-bit keys.
    Aes256Cbc
    AES_256_CBCAES-CBC (Cipher Block Chaining Mode) using 256-bit keys.
    Aes128Ctr
    AES_128_CTRAES-CTR (Counter Mode) using 128-bit keys.
    Aes256Ctr
    AES_256_CTRAES-CTR (Counter Mode) using 256-bit keys.
    RsaSignPss2048Sha256
    RSA_SIGN_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
    RsaSignPss3072Sha256
    RSA_SIGN_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
    RsaSignPss4096Sha256
    RSA_SIGN_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
    RsaSignPss4096Sha512
    RSA_SIGN_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
    RsaSignPkcs12048Sha256
    RSA_SIGN_PKCS1_2048_SHA256RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
    RsaSignPkcs13072Sha256
    RSA_SIGN_PKCS1_3072_SHA256RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
    RsaSignPkcs14096Sha256
    RSA_SIGN_PKCS1_4096_SHA256RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
    RsaSignPkcs14096Sha512
    RSA_SIGN_PKCS1_4096_SHA512RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
    RsaSignRawPkcs12048
    RSA_SIGN_RAW_PKCS1_2048RSASSA-PKCS1-v1_5 signing without encoding, with a 2048 bit key.
    RsaSignRawPkcs13072
    RSA_SIGN_RAW_PKCS1_3072RSASSA-PKCS1-v1_5 signing without encoding, with a 3072 bit key.
    RsaSignRawPkcs14096
    RSA_SIGN_RAW_PKCS1_4096RSASSA-PKCS1-v1_5 signing without encoding, with a 4096 bit key.
    RsaDecryptOaep2048Sha256
    RSA_DECRYPT_OAEP_2048_SHA256RSAES-OAEP 2048 bit key with a SHA256 digest.
    RsaDecryptOaep3072Sha256
    RSA_DECRYPT_OAEP_3072_SHA256RSAES-OAEP 3072 bit key with a SHA256 digest.
    RsaDecryptOaep4096Sha256
    RSA_DECRYPT_OAEP_4096_SHA256RSAES-OAEP 4096 bit key with a SHA256 digest.
    RsaDecryptOaep4096Sha512
    RSA_DECRYPT_OAEP_4096_SHA512RSAES-OAEP 4096 bit key with a SHA512 digest.
    RsaDecryptOaep2048Sha1
    RSA_DECRYPT_OAEP_2048_SHA1RSAES-OAEP 2048 bit key with a SHA1 digest.
    RsaDecryptOaep3072Sha1
    RSA_DECRYPT_OAEP_3072_SHA1RSAES-OAEP 3072 bit key with a SHA1 digest.
    RsaDecryptOaep4096Sha1
    RSA_DECRYPT_OAEP_4096_SHA1RSAES-OAEP 4096 bit key with a SHA1 digest.
    EcSignP256Sha256
    EC_SIGN_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
    EcSignP384Sha384
    EC_SIGN_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
    EcSignSecp256k1Sha256
    EC_SIGN_SECP256K1_SHA256ECDSA on the non-NIST secp256k1 curve. This curve is only supported for HSM protection level. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
    HmacSha256
    HMAC_SHA256HMAC-SHA256 signing with a 256 bit key.
    HmacSha1
    HMAC_SHA1HMAC-SHA1 signing with a 160 bit key.
    HmacSha384
    HMAC_SHA384HMAC-SHA384 signing with a 384 bit key.
    HmacSha512
    HMAC_SHA512HMAC-SHA512 signing with a 512 bit key.
    HmacSha224
    HMAC_SHA224HMAC-SHA224 signing with a 224 bit key.
    ExternalSymmetricEncryption
    EXTERNAL_SYMMETRIC_ENCRYPTIONAlgorithm representing symmetric encryption by an external key manager.
    CryptoKeyVersionTemplateAlgorithmCryptoKeyVersionAlgorithmUnspecified
    CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIEDNot specified.
    CryptoKeyVersionTemplateAlgorithmGoogleSymmetricEncryption
    GOOGLE_SYMMETRIC_ENCRYPTIONCreates symmetric encryption keys.
    CryptoKeyVersionTemplateAlgorithmAes128Gcm
    AES_128_GCMAES-GCM (Galois Counter Mode) using 128-bit keys.
    CryptoKeyVersionTemplateAlgorithmAes256Gcm
    AES_256_GCMAES-GCM (Galois Counter Mode) using 256-bit keys.
    CryptoKeyVersionTemplateAlgorithmAes128Cbc
    AES_128_CBCAES-CBC (Cipher Block Chaining Mode) using 128-bit keys.
    CryptoKeyVersionTemplateAlgorithmAes256Cbc
    AES_256_CBCAES-CBC (Cipher Block Chaining Mode) using 256-bit keys.
    CryptoKeyVersionTemplateAlgorithmAes128Ctr
    AES_128_CTRAES-CTR (Counter Mode) using 128-bit keys.
    CryptoKeyVersionTemplateAlgorithmAes256Ctr
    AES_256_CTRAES-CTR (Counter Mode) using 256-bit keys.
    CryptoKeyVersionTemplateAlgorithmRsaSignPss2048Sha256
    RSA_SIGN_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
    CryptoKeyVersionTemplateAlgorithmRsaSignPss3072Sha256
    RSA_SIGN_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
    CryptoKeyVersionTemplateAlgorithmRsaSignPss4096Sha256
    RSA_SIGN_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
    CryptoKeyVersionTemplateAlgorithmRsaSignPss4096Sha512
    RSA_SIGN_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
    CryptoKeyVersionTemplateAlgorithmRsaSignPkcs12048Sha256
    RSA_SIGN_PKCS1_2048_SHA256RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
    CryptoKeyVersionTemplateAlgorithmRsaSignPkcs13072Sha256
    RSA_SIGN_PKCS1_3072_SHA256RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
    CryptoKeyVersionTemplateAlgorithmRsaSignPkcs14096Sha256
    RSA_SIGN_PKCS1_4096_SHA256RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
    CryptoKeyVersionTemplateAlgorithmRsaSignPkcs14096Sha512
    RSA_SIGN_PKCS1_4096_SHA512RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
    CryptoKeyVersionTemplateAlgorithmRsaSignRawPkcs12048
    RSA_SIGN_RAW_PKCS1_2048RSASSA-PKCS1-v1_5 signing without encoding, with a 2048 bit key.
    CryptoKeyVersionTemplateAlgorithmRsaSignRawPkcs13072
    RSA_SIGN_RAW_PKCS1_3072RSASSA-PKCS1-v1_5 signing without encoding, with a 3072 bit key.
    CryptoKeyVersionTemplateAlgorithmRsaSignRawPkcs14096
    RSA_SIGN_RAW_PKCS1_4096RSASSA-PKCS1-v1_5 signing without encoding, with a 4096 bit key.
    CryptoKeyVersionTemplateAlgorithmRsaDecryptOaep2048Sha256
    RSA_DECRYPT_OAEP_2048_SHA256RSAES-OAEP 2048 bit key with a SHA256 digest.
    CryptoKeyVersionTemplateAlgorithmRsaDecryptOaep3072Sha256
    RSA_DECRYPT_OAEP_3072_SHA256RSAES-OAEP 3072 bit key with a SHA256 digest.
    CryptoKeyVersionTemplateAlgorithmRsaDecryptOaep4096Sha256
    RSA_DECRYPT_OAEP_4096_SHA256RSAES-OAEP 4096 bit key with a SHA256 digest.
    CryptoKeyVersionTemplateAlgorithmRsaDecryptOaep4096Sha512
    RSA_DECRYPT_OAEP_4096_SHA512RSAES-OAEP 4096 bit key with a SHA512 digest.
    CryptoKeyVersionTemplateAlgorithmRsaDecryptOaep2048Sha1
    RSA_DECRYPT_OAEP_2048_SHA1RSAES-OAEP 2048 bit key with a SHA1 digest.
    CryptoKeyVersionTemplateAlgorithmRsaDecryptOaep3072Sha1
    RSA_DECRYPT_OAEP_3072_SHA1RSAES-OAEP 3072 bit key with a SHA1 digest.
    CryptoKeyVersionTemplateAlgorithmRsaDecryptOaep4096Sha1
    RSA_DECRYPT_OAEP_4096_SHA1RSAES-OAEP 4096 bit key with a SHA1 digest.
    CryptoKeyVersionTemplateAlgorithmEcSignP256Sha256
    EC_SIGN_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
    CryptoKeyVersionTemplateAlgorithmEcSignP384Sha384
    EC_SIGN_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
    CryptoKeyVersionTemplateAlgorithmEcSignSecp256k1Sha256
    EC_SIGN_SECP256K1_SHA256ECDSA on the non-NIST secp256k1 curve. This curve is only supported for HSM protection level. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
    CryptoKeyVersionTemplateAlgorithmHmacSha256
    HMAC_SHA256HMAC-SHA256 signing with a 256 bit key.
    CryptoKeyVersionTemplateAlgorithmHmacSha1
    HMAC_SHA1HMAC-SHA1 signing with a 160 bit key.
    CryptoKeyVersionTemplateAlgorithmHmacSha384
    HMAC_SHA384HMAC-SHA384 signing with a 384 bit key.
    CryptoKeyVersionTemplateAlgorithmHmacSha512
    HMAC_SHA512HMAC-SHA512 signing with a 512 bit key.
    CryptoKeyVersionTemplateAlgorithmHmacSha224
    HMAC_SHA224HMAC-SHA224 signing with a 224 bit key.
    CryptoKeyVersionTemplateAlgorithmExternalSymmetricEncryption
    EXTERNAL_SYMMETRIC_ENCRYPTIONAlgorithm representing symmetric encryption by an external key manager.
    CryptoKeyVersionAlgorithmUnspecified
    CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIEDNot specified.
    GoogleSymmetricEncryption
    GOOGLE_SYMMETRIC_ENCRYPTIONCreates symmetric encryption keys.
    Aes128Gcm
    AES_128_GCMAES-GCM (Galois Counter Mode) using 128-bit keys.
    Aes256Gcm
    AES_256_GCMAES-GCM (Galois Counter Mode) using 256-bit keys.
    Aes128Cbc
    AES_128_CBCAES-CBC (Cipher Block Chaining Mode) using 128-bit keys.
    Aes256Cbc
    AES_256_CBCAES-CBC (Cipher Block Chaining Mode) using 256-bit keys.
    Aes128Ctr
    AES_128_CTRAES-CTR (Counter Mode) using 128-bit keys.
    Aes256Ctr
    AES_256_CTRAES-CTR (Counter Mode) using 256-bit keys.
    RsaSignPss2048Sha256
    RSA_SIGN_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
    RsaSignPss3072Sha256
    RSA_SIGN_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
    RsaSignPss4096Sha256
    RSA_SIGN_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
    RsaSignPss4096Sha512
    RSA_SIGN_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
    RsaSignPkcs12048Sha256
    RSA_SIGN_PKCS1_2048_SHA256RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
    RsaSignPkcs13072Sha256
    RSA_SIGN_PKCS1_3072_SHA256RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
    RsaSignPkcs14096Sha256
    RSA_SIGN_PKCS1_4096_SHA256RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
    RsaSignPkcs14096Sha512
    RSA_SIGN_PKCS1_4096_SHA512RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
    RsaSignRawPkcs12048
    RSA_SIGN_RAW_PKCS1_2048RSASSA-PKCS1-v1_5 signing without encoding, with a 2048 bit key.
    RsaSignRawPkcs13072
    RSA_SIGN_RAW_PKCS1_3072RSASSA-PKCS1-v1_5 signing without encoding, with a 3072 bit key.
    RsaSignRawPkcs14096
    RSA_SIGN_RAW_PKCS1_4096RSASSA-PKCS1-v1_5 signing without encoding, with a 4096 bit key.
    RsaDecryptOaep2048Sha256
    RSA_DECRYPT_OAEP_2048_SHA256RSAES-OAEP 2048 bit key with a SHA256 digest.
    RsaDecryptOaep3072Sha256
    RSA_DECRYPT_OAEP_3072_SHA256RSAES-OAEP 3072 bit key with a SHA256 digest.
    RsaDecryptOaep4096Sha256
    RSA_DECRYPT_OAEP_4096_SHA256RSAES-OAEP 4096 bit key with a SHA256 digest.
    RsaDecryptOaep4096Sha512
    RSA_DECRYPT_OAEP_4096_SHA512RSAES-OAEP 4096 bit key with a SHA512 digest.
    RsaDecryptOaep2048Sha1
    RSA_DECRYPT_OAEP_2048_SHA1RSAES-OAEP 2048 bit key with a SHA1 digest.
    RsaDecryptOaep3072Sha1
    RSA_DECRYPT_OAEP_3072_SHA1RSAES-OAEP 3072 bit key with a SHA1 digest.
    RsaDecryptOaep4096Sha1
    RSA_DECRYPT_OAEP_4096_SHA1RSAES-OAEP 4096 bit key with a SHA1 digest.
    EcSignP256Sha256
    EC_SIGN_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
    EcSignP384Sha384
    EC_SIGN_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
    EcSignSecp256k1Sha256
    EC_SIGN_SECP256K1_SHA256ECDSA on the non-NIST secp256k1 curve. This curve is only supported for HSM protection level. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
    HmacSha256
    HMAC_SHA256HMAC-SHA256 signing with a 256 bit key.
    HmacSha1
    HMAC_SHA1HMAC-SHA1 signing with a 160 bit key.
    HmacSha384
    HMAC_SHA384HMAC-SHA384 signing with a 384 bit key.
    HmacSha512
    HMAC_SHA512HMAC-SHA512 signing with a 512 bit key.
    HmacSha224
    HMAC_SHA224HMAC-SHA224 signing with a 224 bit key.
    ExternalSymmetricEncryption
    EXTERNAL_SYMMETRIC_ENCRYPTIONAlgorithm representing symmetric encryption by an external key manager.
    CryptoKeyVersionAlgorithmUnspecified
    CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIEDNot specified.
    GoogleSymmetricEncryption
    GOOGLE_SYMMETRIC_ENCRYPTIONCreates symmetric encryption keys.
    Aes128Gcm
    AES_128_GCMAES-GCM (Galois Counter Mode) using 128-bit keys.
    Aes256Gcm
    AES_256_GCMAES-GCM (Galois Counter Mode) using 256-bit keys.
    Aes128Cbc
    AES_128_CBCAES-CBC (Cipher Block Chaining Mode) using 128-bit keys.
    Aes256Cbc
    AES_256_CBCAES-CBC (Cipher Block Chaining Mode) using 256-bit keys.
    Aes128Ctr
    AES_128_CTRAES-CTR (Counter Mode) using 128-bit keys.
    Aes256Ctr
    AES_256_CTRAES-CTR (Counter Mode) using 256-bit keys.
    RsaSignPss2048Sha256
    RSA_SIGN_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
    RsaSignPss3072Sha256
    RSA_SIGN_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
    RsaSignPss4096Sha256
    RSA_SIGN_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
    RsaSignPss4096Sha512
    RSA_SIGN_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
    RsaSignPkcs12048Sha256
    RSA_SIGN_PKCS1_2048_SHA256RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
    RsaSignPkcs13072Sha256
    RSA_SIGN_PKCS1_3072_SHA256RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
    RsaSignPkcs14096Sha256
    RSA_SIGN_PKCS1_4096_SHA256RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
    RsaSignPkcs14096Sha512
    RSA_SIGN_PKCS1_4096_SHA512RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
    RsaSignRawPkcs12048
    RSA_SIGN_RAW_PKCS1_2048RSASSA-PKCS1-v1_5 signing without encoding, with a 2048 bit key.
    RsaSignRawPkcs13072
    RSA_SIGN_RAW_PKCS1_3072RSASSA-PKCS1-v1_5 signing without encoding, with a 3072 bit key.
    RsaSignRawPkcs14096
    RSA_SIGN_RAW_PKCS1_4096RSASSA-PKCS1-v1_5 signing without encoding, with a 4096 bit key.
    RsaDecryptOaep2048Sha256
    RSA_DECRYPT_OAEP_2048_SHA256RSAES-OAEP 2048 bit key with a SHA256 digest.
    RsaDecryptOaep3072Sha256
    RSA_DECRYPT_OAEP_3072_SHA256RSAES-OAEP 3072 bit key with a SHA256 digest.
    RsaDecryptOaep4096Sha256
    RSA_DECRYPT_OAEP_4096_SHA256RSAES-OAEP 4096 bit key with a SHA256 digest.
    RsaDecryptOaep4096Sha512
    RSA_DECRYPT_OAEP_4096_SHA512RSAES-OAEP 4096 bit key with a SHA512 digest.
    RsaDecryptOaep2048Sha1
    RSA_DECRYPT_OAEP_2048_SHA1RSAES-OAEP 2048 bit key with a SHA1 digest.
    RsaDecryptOaep3072Sha1
    RSA_DECRYPT_OAEP_3072_SHA1RSAES-OAEP 3072 bit key with a SHA1 digest.
    RsaDecryptOaep4096Sha1
    RSA_DECRYPT_OAEP_4096_SHA1RSAES-OAEP 4096 bit key with a SHA1 digest.
    EcSignP256Sha256
    EC_SIGN_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
    EcSignP384Sha384
    EC_SIGN_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
    EcSignSecp256k1Sha256
    EC_SIGN_SECP256K1_SHA256ECDSA on the non-NIST secp256k1 curve. This curve is only supported for HSM protection level. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
    HmacSha256
    HMAC_SHA256HMAC-SHA256 signing with a 256 bit key.
    HmacSha1
    HMAC_SHA1HMAC-SHA1 signing with a 160 bit key.
    HmacSha384
    HMAC_SHA384HMAC-SHA384 signing with a 384 bit key.
    HmacSha512
    HMAC_SHA512HMAC-SHA512 signing with a 512 bit key.
    HmacSha224
    HMAC_SHA224HMAC-SHA224 signing with a 224 bit key.
    ExternalSymmetricEncryption
    EXTERNAL_SYMMETRIC_ENCRYPTIONAlgorithm representing symmetric encryption by an external key manager.
    CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED
    CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIEDNot specified.
    GOOGLE_SYMMETRIC_ENCRYPTION
    GOOGLE_SYMMETRIC_ENCRYPTIONCreates symmetric encryption keys.
    AES128_GCM
    AES_128_GCMAES-GCM (Galois Counter Mode) using 128-bit keys.
    AES256_GCM
    AES_256_GCMAES-GCM (Galois Counter Mode) using 256-bit keys.
    AES128_CBC
    AES_128_CBCAES-CBC (Cipher Block Chaining Mode) using 128-bit keys.
    AES256_CBC
    AES_256_CBCAES-CBC (Cipher Block Chaining Mode) using 256-bit keys.
    AES128_CTR
    AES_128_CTRAES-CTR (Counter Mode) using 128-bit keys.
    AES256_CTR
    AES_256_CTRAES-CTR (Counter Mode) using 256-bit keys.
    RSA_SIGN_PSS2048_SHA256
    RSA_SIGN_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
    RSA_SIGN_PSS3072_SHA256
    RSA_SIGN_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
    RSA_SIGN_PSS4096_SHA256
    RSA_SIGN_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
    RSA_SIGN_PSS4096_SHA512
    RSA_SIGN_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
    RSA_SIGN_PKCS12048_SHA256
    RSA_SIGN_PKCS1_2048_SHA256RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
    RSA_SIGN_PKCS13072_SHA256
    RSA_SIGN_PKCS1_3072_SHA256RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
    RSA_SIGN_PKCS14096_SHA256
    RSA_SIGN_PKCS1_4096_SHA256RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
    RSA_SIGN_PKCS14096_SHA512
    RSA_SIGN_PKCS1_4096_SHA512RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
    RSA_SIGN_RAW_PKCS12048
    RSA_SIGN_RAW_PKCS1_2048RSASSA-PKCS1-v1_5 signing without encoding, with a 2048 bit key.
    RSA_SIGN_RAW_PKCS13072
    RSA_SIGN_RAW_PKCS1_3072RSASSA-PKCS1-v1_5 signing without encoding, with a 3072 bit key.
    RSA_SIGN_RAW_PKCS14096
    RSA_SIGN_RAW_PKCS1_4096RSASSA-PKCS1-v1_5 signing without encoding, with a 4096 bit key.
    RSA_DECRYPT_OAEP2048_SHA256
    RSA_DECRYPT_OAEP_2048_SHA256RSAES-OAEP 2048 bit key with a SHA256 digest.
    RSA_DECRYPT_OAEP3072_SHA256
    RSA_DECRYPT_OAEP_3072_SHA256RSAES-OAEP 3072 bit key with a SHA256 digest.
    RSA_DECRYPT_OAEP4096_SHA256
    RSA_DECRYPT_OAEP_4096_SHA256RSAES-OAEP 4096 bit key with a SHA256 digest.
    RSA_DECRYPT_OAEP4096_SHA512
    RSA_DECRYPT_OAEP_4096_SHA512RSAES-OAEP 4096 bit key with a SHA512 digest.
    RSA_DECRYPT_OAEP2048_SHA1
    RSA_DECRYPT_OAEP_2048_SHA1RSAES-OAEP 2048 bit key with a SHA1 digest.
    RSA_DECRYPT_OAEP3072_SHA1
    RSA_DECRYPT_OAEP_3072_SHA1RSAES-OAEP 3072 bit key with a SHA1 digest.
    RSA_DECRYPT_OAEP4096_SHA1
    RSA_DECRYPT_OAEP_4096_SHA1RSAES-OAEP 4096 bit key with a SHA1 digest.
    EC_SIGN_P256_SHA256
    EC_SIGN_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
    EC_SIGN_P384_SHA384
    EC_SIGN_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
    EC_SIGN_SECP256K1_SHA256
    EC_SIGN_SECP256K1_SHA256ECDSA on the non-NIST secp256k1 curve. This curve is only supported for HSM protection level. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
    HMAC_SHA256
    HMAC_SHA256HMAC-SHA256 signing with a 256 bit key.
    HMAC_SHA1
    HMAC_SHA1HMAC-SHA1 signing with a 160 bit key.
    HMAC_SHA384
    HMAC_SHA384HMAC-SHA384 signing with a 384 bit key.
    HMAC_SHA512
    HMAC_SHA512HMAC-SHA512 signing with a 512 bit key.
    HMAC_SHA224
    HMAC_SHA224HMAC-SHA224 signing with a 224 bit key.
    EXTERNAL_SYMMETRIC_ENCRYPTION
    EXTERNAL_SYMMETRIC_ENCRYPTIONAlgorithm representing symmetric encryption by an external key manager.
    "CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED"
    CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIEDNot specified.
    "GOOGLE_SYMMETRIC_ENCRYPTION"
    GOOGLE_SYMMETRIC_ENCRYPTIONCreates symmetric encryption keys.
    "AES_128_GCM"
    AES_128_GCMAES-GCM (Galois Counter Mode) using 128-bit keys.
    "AES_256_GCM"
    AES_256_GCMAES-GCM (Galois Counter Mode) using 256-bit keys.
    "AES_128_CBC"
    AES_128_CBCAES-CBC (Cipher Block Chaining Mode) using 128-bit keys.
    "AES_256_CBC"
    AES_256_CBCAES-CBC (Cipher Block Chaining Mode) using 256-bit keys.
    "AES_128_CTR"
    AES_128_CTRAES-CTR (Counter Mode) using 128-bit keys.
    "AES_256_CTR"
    AES_256_CTRAES-CTR (Counter Mode) using 256-bit keys.
    "RSA_SIGN_PSS_2048_SHA256"
    RSA_SIGN_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
    "RSA_SIGN_PSS_3072_SHA256"
    RSA_SIGN_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
    "RSA_SIGN_PSS_4096_SHA256"
    RSA_SIGN_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
    "RSA_SIGN_PSS_4096_SHA512"
    RSA_SIGN_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
    "RSA_SIGN_PKCS1_2048_SHA256"
    RSA_SIGN_PKCS1_2048_SHA256RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
    "RSA_SIGN_PKCS1_3072_SHA256"
    RSA_SIGN_PKCS1_3072_SHA256RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
    "RSA_SIGN_PKCS1_4096_SHA256"
    RSA_SIGN_PKCS1_4096_SHA256RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
    "RSA_SIGN_PKCS1_4096_SHA512"
    RSA_SIGN_PKCS1_4096_SHA512RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
    "RSA_SIGN_RAW_PKCS1_2048"
    RSA_SIGN_RAW_PKCS1_2048RSASSA-PKCS1-v1_5 signing without encoding, with a 2048 bit key.
    "RSA_SIGN_RAW_PKCS1_3072"
    RSA_SIGN_RAW_PKCS1_3072RSASSA-PKCS1-v1_5 signing without encoding, with a 3072 bit key.
    "RSA_SIGN_RAW_PKCS1_4096"
    RSA_SIGN_RAW_PKCS1_4096RSASSA-PKCS1-v1_5 signing without encoding, with a 4096 bit key.
    "RSA_DECRYPT_OAEP_2048_SHA256"
    RSA_DECRYPT_OAEP_2048_SHA256RSAES-OAEP 2048 bit key with a SHA256 digest.
    "RSA_DECRYPT_OAEP_3072_SHA256"
    RSA_DECRYPT_OAEP_3072_SHA256RSAES-OAEP 3072 bit key with a SHA256 digest.
    "RSA_DECRYPT_OAEP_4096_SHA256"
    RSA_DECRYPT_OAEP_4096_SHA256RSAES-OAEP 4096 bit key with a SHA256 digest.
    "RSA_DECRYPT_OAEP_4096_SHA512"
    RSA_DECRYPT_OAEP_4096_SHA512RSAES-OAEP 4096 bit key with a SHA512 digest.
    "RSA_DECRYPT_OAEP_2048_SHA1"
    RSA_DECRYPT_OAEP_2048_SHA1RSAES-OAEP 2048 bit key with a SHA1 digest.
    "RSA_DECRYPT_OAEP_3072_SHA1"
    RSA_DECRYPT_OAEP_3072_SHA1RSAES-OAEP 3072 bit key with a SHA1 digest.
    "RSA_DECRYPT_OAEP_4096_SHA1"
    RSA_DECRYPT_OAEP_4096_SHA1RSAES-OAEP 4096 bit key with a SHA1 digest.
    "EC_SIGN_P256_SHA256"
    EC_SIGN_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
    "EC_SIGN_P384_SHA384"
    EC_SIGN_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
    "EC_SIGN_SECP256K1_SHA256"
    EC_SIGN_SECP256K1_SHA256ECDSA on the non-NIST secp256k1 curve. This curve is only supported for HSM protection level. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
    "HMAC_SHA256"
    HMAC_SHA256HMAC-SHA256 signing with a 256 bit key.
    "HMAC_SHA1"
    HMAC_SHA1HMAC-SHA1 signing with a 160 bit key.
    "HMAC_SHA384"
    HMAC_SHA384HMAC-SHA384 signing with a 384 bit key.
    "HMAC_SHA512"
    HMAC_SHA512HMAC-SHA512 signing with a 512 bit key.
    "HMAC_SHA224"
    HMAC_SHA224HMAC-SHA224 signing with a 224 bit key.
    "EXTERNAL_SYMMETRIC_ENCRYPTION"
    EXTERNAL_SYMMETRIC_ENCRYPTIONAlgorithm representing symmetric encryption by an external key manager.

    CryptoKeyVersionTemplateProtectionLevel, CryptoKeyVersionTemplateProtectionLevelArgs

    ProtectionLevelUnspecified
    PROTECTION_LEVEL_UNSPECIFIEDNot specified.
    Software
    SOFTWARECrypto operations are performed in software.
    Hsm
    HSMCrypto operations are performed in a Hardware Security Module.
    External
    EXTERNALCrypto operations are performed by an external key manager.
    ExternalVpc
    EXTERNAL_VPCCrypto operations are performed in an EKM-over-VPC backend.
    CryptoKeyVersionTemplateProtectionLevelProtectionLevelUnspecified
    PROTECTION_LEVEL_UNSPECIFIEDNot specified.
    CryptoKeyVersionTemplateProtectionLevelSoftware
    SOFTWARECrypto operations are performed in software.
    CryptoKeyVersionTemplateProtectionLevelHsm
    HSMCrypto operations are performed in a Hardware Security Module.
    CryptoKeyVersionTemplateProtectionLevelExternal
    EXTERNALCrypto operations are performed by an external key manager.
    CryptoKeyVersionTemplateProtectionLevelExternalVpc
    EXTERNAL_VPCCrypto operations are performed in an EKM-over-VPC backend.
    ProtectionLevelUnspecified
    PROTECTION_LEVEL_UNSPECIFIEDNot specified.
    Software
    SOFTWARECrypto operations are performed in software.
    Hsm
    HSMCrypto operations are performed in a Hardware Security Module.
    External
    EXTERNALCrypto operations are performed by an external key manager.
    ExternalVpc
    EXTERNAL_VPCCrypto operations are performed in an EKM-over-VPC backend.
    ProtectionLevelUnspecified
    PROTECTION_LEVEL_UNSPECIFIEDNot specified.
    Software
    SOFTWARECrypto operations are performed in software.
    Hsm
    HSMCrypto operations are performed in a Hardware Security Module.
    External
    EXTERNALCrypto operations are performed by an external key manager.
    ExternalVpc
    EXTERNAL_VPCCrypto operations are performed in an EKM-over-VPC backend.
    PROTECTION_LEVEL_UNSPECIFIED
    PROTECTION_LEVEL_UNSPECIFIEDNot specified.
    SOFTWARE
    SOFTWARECrypto operations are performed in software.
    HSM
    HSMCrypto operations are performed in a Hardware Security Module.
    EXTERNAL
    EXTERNALCrypto operations are performed by an external key manager.
    EXTERNAL_VPC
    EXTERNAL_VPCCrypto operations are performed in an EKM-over-VPC backend.
    "PROTECTION_LEVEL_UNSPECIFIED"
    PROTECTION_LEVEL_UNSPECIFIEDNot specified.
    "SOFTWARE"
    SOFTWARECrypto operations are performed in software.
    "HSM"
    HSMCrypto operations are performed in a Hardware Security Module.
    "EXTERNAL"
    EXTERNALCrypto operations are performed by an external key manager.
    "EXTERNAL_VPC"
    EXTERNAL_VPCCrypto operations are performed in an EKM-over-VPC backend.

    CryptoKeyVersionTemplateResponse, CryptoKeyVersionTemplateResponseArgs

    Algorithm string
    Algorithm to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
    ProtectionLevel string
    ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.
    Algorithm string
    Algorithm to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
    ProtectionLevel string
    ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.
    algorithm String
    Algorithm to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
    protectionLevel String
    ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.
    algorithm string
    Algorithm to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
    protectionLevel string
    ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.
    algorithm str
    Algorithm to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
    protection_level str
    ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.
    algorithm String
    Algorithm to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
    protectionLevel String
    ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.

    ExternalProtectionLevelOptionsResponse, ExternalProtectionLevelOptionsResponseArgs

    EkmConnectionKeyPath string
    The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of external_key_uri when using an EkmConnection.
    ExternalKeyUri string
    The URI for an external resource that this CryptoKeyVersion represents.
    EkmConnectionKeyPath string
    The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of external_key_uri when using an EkmConnection.
    ExternalKeyUri string
    The URI for an external resource that this CryptoKeyVersion represents.
    ekmConnectionKeyPath String
    The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of external_key_uri when using an EkmConnection.
    externalKeyUri String
    The URI for an external resource that this CryptoKeyVersion represents.
    ekmConnectionKeyPath string
    The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of external_key_uri when using an EkmConnection.
    externalKeyUri string
    The URI for an external resource that this CryptoKeyVersion represents.
    ekm_connection_key_path str
    The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of external_key_uri when using an EkmConnection.
    external_key_uri str
    The URI for an external resource that this CryptoKeyVersion represents.
    ekmConnectionKeyPath String
    The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of external_key_uri when using an EkmConnection.
    externalKeyUri String
    The URI for an external resource that this CryptoKeyVersion represents.

    KeyOperationAttestationResponse, KeyOperationAttestationResponseArgs

    CertChains Pulumi.GoogleNative.Cloudkms.V1.Inputs.CertificateChainsResponse
    The certificate chains needed to validate the attestation
    Content string
    The attestation data provided by the HSM when the key operation was performed.
    Format string
    The format of the attestation data.
    CertChains CertificateChainsResponse
    The certificate chains needed to validate the attestation
    Content string
    The attestation data provided by the HSM when the key operation was performed.
    Format string
    The format of the attestation data.
    certChains CertificateChainsResponse
    The certificate chains needed to validate the attestation
    content String
    The attestation data provided by the HSM when the key operation was performed.
    format String
    The format of the attestation data.
    certChains CertificateChainsResponse
    The certificate chains needed to validate the attestation
    content string
    The attestation data provided by the HSM when the key operation was performed.
    format string
    The format of the attestation data.
    cert_chains CertificateChainsResponse
    The certificate chains needed to validate the attestation
    content str
    The attestation data provided by the HSM when the key operation was performed.
    format str
    The format of the attestation data.
    certChains Property Map
    The certificate chains needed to validate the attestation
    content String
    The attestation data provided by the HSM when the key operation was performed.
    format String
    The format of the attestation data.

    Package Details

    Repository
    Google Cloud Native pulumi/pulumi-google-native
    License
    Apache-2.0
    google-native logo

    Google Cloud Native is in preview. Google Cloud Classic is fully supported.

    Google Cloud Native v0.32.0 published on Wednesday, Nov 29, 2023 by Pulumi