Skip to main content

crypto_keys

Creates, updates, deletes, gets or lists a crypto_keys resource.

Overview

Namecrypto_keys
TypeResource
Idgoogle.cloudkms.crypto_keys

Fields

NameDatatypeDescription
namestringOutput only. The resource name for this CryptoKey in the format projects/*/locations/*/keyRings/*/cryptoKeys/*.
createTimestringOutput only. The time at which this CryptoKey was created.
cryptoKeyBackendstringImmutable. The resource name of the backend environment where the key material for all CryptoKeyVersions associated with this CryptoKey reside and where all related cryptographic operations are performed. Only applicable if CryptoKeyVersions have a ProtectionLevel of EXTERNAL_VPC, with the resource name in the format projects/*/locations/*/ekmConnections/*. Note, this list is non-exhaustive and may apply to additional ProtectionLevels in the future.
destroyScheduledDurationstringImmutable. The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 30 days.
importOnlybooleanImmutable. Whether this key may contain imported versions only.
keyAccessJustificationsPolicyobjectA KeyAccessJustificationsPolicy specifies zero or more allowed AccessReason values for encrypt, decrypt, and sign operations on a CryptoKey.
labelsobjectLabels with user-defined metadata. For more information, see Labeling Keys.
nextRotationTimestringAt next_rotation_time, the Key Management Service will automatically: 1. Create a new version of this CryptoKey. 2. Mark the new version as primary. Key rotations performed manually via CreateCryptoKeyVersion and UpdateCryptoKeyPrimaryVersion do not affect next_rotation_time. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
primaryobjectA CryptoKeyVersion represents an individual cryptographic key, and the associated key material. An ENABLED version can be used for cryptographic operations. For security reasons, the raw cryptographic key material represented by a CryptoKeyVersion can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.
purposestringImmutable. The immutable purpose of this CryptoKey.
rotationPeriodstringnext_rotation_time will be advanced by this period when the service automatically rotates a key. Must be at least 24 hours and at most 876,000 hours. If rotation_period is set, next_rotation_time must also be set. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
versionTemplateobjectA CryptoKeyVersionTemplate specifies the properties to use when creating a new CryptoKeyVersion, either manually with CreateCryptoKeyVersion or automatically as a result of auto-rotation.

Methods

NameAccessible byRequired ParamsDescription
getSELECTcryptoKeysId, keyRingsId, locationsId, projectsIdReturns metadata for a given CryptoKey, as well as its primary CryptoKeyVersion.
listSELECTkeyRingsId, locationsId, projectsIdLists CryptoKeys.
createINSERTkeyRingsId, locationsId, projectsIdCreate a new CryptoKey within a KeyRing. CryptoKey.purpose and CryptoKey.version_template.algorithm are required.
patchUPDATEcryptoKeysId, keyRingsId, locationsId, projectsIdUpdate a CryptoKey.
decryptEXECcryptoKeysId, keyRingsId, locationsId, projectsIdDecrypts data that was protected by Encrypt. The CryptoKey.purpose must be ENCRYPT_DECRYPT.
encryptEXECcryptoKeysId, keyRingsId, locationsId, projectsIdEncrypts data, so that it can only be recovered by a call to Decrypt. The CryptoKey.purpose must be ENCRYPT_DECRYPT.

SELECT examples

Lists CryptoKeys.

SELECT
name,
createTime,
cryptoKeyBackend,
destroyScheduledDuration,
importOnly,
keyAccessJustificationsPolicy,
labels,
nextRotationTime,
primary,
purpose,
rotationPeriod,
versionTemplate
FROM google.cloudkms.crypto_keys
WHERE keyRingsId = '{{ keyRingsId }}'
AND locationsId = '{{ locationsId }}'
AND projectsId = '{{ projectsId }}';

INSERT example

Use the following StackQL query and manifest file to create a new crypto_keys resource.

/*+ create */
INSERT INTO google.cloudkms.crypto_keys (
keyRingsId,
locationsId,
projectsId,
purpose,
nextRotationTime,
rotationPeriod,
versionTemplate,
labels,
importOnly,
destroyScheduledDuration,
cryptoKeyBackend,
keyAccessJustificationsPolicy
)
SELECT 
'{{ keyRingsId }}',
'{{ locationsId }}',
'{{ projectsId }}',
'{{ purpose }}',
'{{ nextRotationTime }}',
'{{ rotationPeriod }}',
'{{ versionTemplate }}',
'{{ labels }}',
{{ importOnly }},
'{{ destroyScheduledDuration }}',
'{{ cryptoKeyBackend }}',
'{{ keyAccessJustificationsPolicy }}'
;

UPDATE example

Updates a crypto_keys resource.

/*+ update */
UPDATE google.cloudkms.crypto_keys
SET 
purpose = '{{ purpose }}',
nextRotationTime = '{{ nextRotationTime }}',
rotationPeriod = '{{ rotationPeriod }}',
versionTemplate = '{{ versionTemplate }}',
labels = '{{ labels }}',
importOnly = true|false,
destroyScheduledDuration = '{{ destroyScheduledDuration }}',
cryptoKeyBackend = '{{ cryptoKeyBackend }}',
keyAccessJustificationsPolicy = '{{ keyAccessJustificationsPolicy }}'
WHERE 
cryptoKeysId = '{{ cryptoKeysId }}'
AND keyRingsId = '{{ keyRingsId }}'
AND locationsId = '{{ locationsId }}'
AND projectsId = '{{ projectsId }}';