crypto_key_versions

Creates, updates, deletes, gets or lists a crypto_key_versions resource.

Overview

| Name | crypto_key_versions |
|---|---|
| Type | Resource |
| Id | google.cloudkms.crypto_key_versions |

Fields

| Name | Datatype | Description |
|---|---|---|
| `name` | `string` | Output only. The resource name for this CryptoKeyVersion in the format `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`. |
| `algorithm` | `string` | Output only. The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports. |
| `attestation` | `object` | Contains an HSM-generated attestation about a key operation. For more information, see [Verifying attestations](https://cloud.google.com/kms/docs/attest-key). |
| `createTime` | `string` | Output only. The time at which this CryptoKeyVersion was created. |
| `destroyEventTime` | `string` | Output only. The time this CryptoKeyVersion's key material was destroyed. Only present if state is DESTROYED. |
| `destroyTime` | `string` | Output only. The time this CryptoKeyVersion's key material is scheduled for destruction. Only present if state is DESTROY_SCHEDULED. |
| `externalDestructionFailureReason` | `string` | Output only. The root cause of the most recent external destruction failure. Only present if state is EXTERNAL_DESTRUCTION_FAILED. |
| `externalProtectionLevelOptions` | `object` | ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels. |
| `generateTime` | `string` | Output only. The time this CryptoKeyVersion's key material was generated. |
| `generationFailureReason` | `string` | Output only. The root cause of the most recent generation failure. Only present if state is GENERATION_FAILED. |
| `importFailureReason` | `string` | Output only. The root cause of the most recent import failure. Only present if state is IMPORT_FAILED. |
| `importJob` | `string` | Output only. The name of the ImportJob used in the most recent import of this CryptoKeyVersion. Only present if the underlying key material was imported. |
| `importTime` | `string` | Output only. The time at which this CryptoKeyVersion's key material was most recently imported. |
| `protectionLevel` | `string` | Output only. The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion. |
| `reimportEligible` | `boolean` | Output only. Whether or not this key version is eligible for reimport, by being specified as a target in ImportCryptoKeyVersionRequest.crypto_key_version. |
| `state` | `string` | The current state of the CryptoKeyVersion. |

Methods

| Name | Accessible by | Required Params | Description |
|---|---|---|---|
| `get` | `SELECT` | `cryptoKeyVersionsId, cryptoKeysId, keyRingsId, locationsId, projectsId` | Returns metadata for a given CryptoKeyVersion. |
| `list` | `SELECT` | `cryptoKeysId, keyRingsId, locationsId, projectsId` | Lists CryptoKeyVersions. |
| `create` | `INSERT` | `cryptoKeysId, keyRingsId, locationsId, projectsId` | Create a new CryptoKeyVersion in a CryptoKey. The server will assign the next sequential id. If unset, state will be set to ENABLED. |
| `destroy` | `DELETE` | `cryptoKeyVersionsId, cryptoKeysId, keyRingsId, locationsId, projectsId` | Schedule a CryptoKeyVersion for destruction. Upon calling this method, CryptoKeyVersion.state will be set to DESTROY_SCHEDULED, and destroy_time will be set to the time destroy_scheduled_duration in the future. At that time, the state will automatically change to DESTROYED, and the key material will be irrevocably destroyed. Before the destroy_time is reached, RestoreCryptoKeyVersion may be called to reverse the process. |
| `patch` | `UPDATE` | `cryptoKeyVersionsId, cryptoKeysId, keyRingsId, locationsId, projectsId` | Update a CryptoKeyVersion's metadata. state may be changed between ENABLED and DISABLED using this method. See DestroyCryptoKeyVersion and RestoreCryptoKeyVersion to move between other states. |
| `asymmetric_decrypt` | `EXEC` | `cryptoKeyVersionsId, cryptoKeysId, keyRingsId, locationsId, projectsId` | Decrypts data that was encrypted with a public key retrieved from GetPublicKey corresponding to a CryptoKeyVersion with CryptoKey.purpose ASYMMETRIC_DECRYPT. |
| `asymmetric_sign` | `EXEC` | `cryptoKeyVersionsId, cryptoKeysId, keyRingsId, locationsId, projectsId` | Signs data using a CryptoKeyVersion with CryptoKey.purpose ASYMMETRIC_SIGN, producing a signature that can be verified with the public key retrieved from GetPublicKey. |
| `import` | `EXEC` | `cryptoKeysId, keyRingsId, locationsId, projectsId` | Import wrapped key material into a CryptoKeyVersion. All requests must specify a CryptoKey. If a CryptoKeyVersion is additionally specified in the request, key material will be reimported into that version. Otherwise, a new version will be created, and will be assigned the next sequential id within the CryptoKey. |
| `mac_sign` | `EXEC` | `cryptoKeyVersionsId, cryptoKeysId, keyRingsId, locationsId, projectsId` | Signs data using a CryptoKeyVersion with CryptoKey.purpose MAC, producing a tag that can be verified by another source with the same key. |
| `mac_verify` | `EXEC` | `cryptoKeyVersionsId, cryptoKeysId, keyRingsId, locationsId, projectsId` | Verifies MAC tag using a CryptoKeyVersion with CryptoKey.purpose MAC, and returns a response that indicates whether or not the verification was successful. |
| `raw_decrypt` | `EXEC` | `cryptoKeyVersionsId, cryptoKeysId, keyRingsId, locationsId, projectsId` | Decrypts data that was originally encrypted using a raw cryptographic mechanism. The CryptoKey.purpose must be RAW_ENCRYPT_DECRYPT. |
| `raw_encrypt` | `EXEC` | `cryptoKeyVersionsId, cryptoKeysId, keyRingsId, locationsId, projectsId` | Encrypts data using portable cryptographic primitives. Most users should choose Encrypt and Decrypt rather than their raw counterparts. The CryptoKey.purpose must be RAW_ENCRYPT_DECRYPT. |
| `restore` | `EXEC` | `cryptoKeyVersionsId, cryptoKeysId, keyRingsId, locationsId, projectsId` | Restore a CryptoKeyVersion in the DESTROY_SCHEDULED state. Upon restoration of the CryptoKeyVersion, state will be set to DISABLED, and destroy_time will be cleared. |

SELECT examples

Lists CryptoKeyVersions.

```sql
SELECT
  name,
  algorithm,
  attestation,
  createTime,
  destroyEventTime,
  destroyTime,
  externalDestructionFailureReason,
  externalProtectionLevelOptions,
  generateTime,
  generationFailureReason,
  importFailureReason,
  importJob,
  importTime,
  protectionLevel,
  reimportEligible,
  state
FROM google.cloudkms.crypto_key_versions
WHERE cryptoKeysId = '{{ cryptoKeysId }}'
  AND keyRingsId = '{{ keyRingsId }}'
  AND locationsId = '{{ locationsId }}'
  AND projectsId = '{{ projectsId }}';
```

INSERT example

Use the following StackQL query and manifest file to create a new crypto_key_versions resource.

```sql
/*+ create */
INSERT INTO google.cloudkms.crypto_key_versions (
  cryptoKeysId,
  keyRingsId,
  locationsId,
  projectsId,
  state,
  externalProtectionLevelOptions
)
SELECT
  '{{ cryptoKeysId }}',
  '{{ keyRingsId }}',
  '{{ locationsId }}',
  '{{ projectsId }}',
  '{{ state }}',
  '{{ externalProtectionLevelOptions }}'
;
```

UPDATE example

Updates a crypto_key_versions resource.

```sql
/*+ update */
UPDATE google.cloudkms.crypto_key_versions
SET
  state = '{{ state }}',
  externalProtectionLevelOptions = '{{ externalProtectionLevelOptions }}'
WHERE
  cryptoKeyVersionsId = '{{ cryptoKeyVersionsId }}'
  AND cryptoKeysId = '{{ cryptoKeysId }}'
  AND keyRingsId = '{{ keyRingsId }}'
  AND locationsId = '{{ locationsId }}'
  AND projectsId = '{{ projectsId }}';
```

DELETE example

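Deletes the specified crypto_key_versions resource. DELETE maps to the destroy method, so the version is scheduled for destruction (state DESTROY_SCHEDULED) and can still be restored until destroy_time is reached.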

```sql
/*+ delete */
DELETE FROM google.cloudkms.crypto_key_versions
WHERE cryptoKeyVersionsId = '{{ cryptoKeyVersionsId }}'
  AND cryptoKeysId = '{{ cryptoKeysId }}'
  AND keyRingsId = '{{ keyRingsId }}'
  AND locationsId = '{{ locationsId }}'
  AND projectsId = '{{ projectsId }}';
```
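
Because the destroy method only schedules destruction, rows from the list query show which versions are still inside their restore window. The following added example (not part of the StackQL documentation) triages such rows, assuming they were exported as a JSON array with the field names above and RFC 3339 UTC timestamps; the sample rows, resource names and function names are constructed.

```python
import re
from datetime import datetime, timezone

_TS = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?Z")

def parse_ts(ts):
    """Parse an RFC 3339 UTC timestamp (assumed format), ignoring sub-second digits."""
    m = _TS.fullmatch(ts)
    if not m:
        raise ValueError(f"unexpected timestamp: {ts!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def triage(rows, now):
    """Split rows into still-restorable versions and rows that contradict the field docs."""
    restorable, findings = [], []
    for row in rows:
        name, state, destroy_time = row["name"], row["state"], row.get("destroyTime")
        if state == "DESTROY_SCHEDULED":
            if not destroy_time:
                findings.append((name, "DESTROY_SCHEDULED without destroyTime"))
                continue
            hours_left = (parse_ts(destroy_time) - now).total_seconds() / 3600
            if hours_left > 0:
                restorable.append((name, round(hours_left, 1)))
            else:
                findings.append((name, "destroyTime passed, state not yet DESTROYED"))
        elif destroy_time:
            # destroyTime is documented as present only in DESTROY_SCHEDULED.
            findings.append((name, f"destroyTime set while state is {state}"))
    restorable.sort(key=lambda item: item[1])  # most urgent first
    return restorable, findings

# Constructed sample rows; project, key ring and key names are placeholders.
_KEY = "projects/example-project/locations/global/keyRings/example-ring/cryptoKeys/example-key"
SAMPLE_ROWS = [
    {"name": f"{_KEY}/cryptoKeyVersions/1", "state": "DESTROY_SCHEDULED",
     "destroyTime": "2024-05-03T00:00:00Z"},
    {"name": f"{_KEY}/cryptoKeyVersions/2", "state": "DESTROY_SCHEDULED",
     "destroyTime": "2024-05-02T06:30:00.123456789Z"},
    {"name": f"{_KEY}/cryptoKeyVersions/3", "state": "ENABLED", "destroyTime": None},
    {"name": f"{_KEY}/cryptoKeyVersions/4", "state": "DISABLED",
     "destroyTime": "2024-05-01T00:00:00Z"},
]
SAMPLE_NOW = datetime(2024, 5, 2, tzinfo=timezone.utc)

if __name__ == "__main__":
    pending, odd = triage(SAMPLE_ROWS, SAMPLE_NOW)
    for name, hours in pending:
        print(f"restore window {hours}h: {name}")
    for name, reason in odd:
        print(f"inconsistent: {name}: {reason}")
```

Versions in the first list are candidates for the restore method, which returns them to DISABLED rather than ENABLED.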