google-cloud-kms-v1 0.1.0
- checksums.yaml +7 -0
- data/.yardopts +12 -0
- data/AUTHENTICATION.md +169 -0
- data/LICENSE.md +203 -0
- data/README.md +71 -0
- data/lib/google-cloud-kms-v1.rb +21 -0
- data/lib/google/cloud/kms/v1.rb +36 -0
- data/lib/google/cloud/kms/v1/iam_policy.rb +72 -0
- data/lib/google/cloud/kms/v1/iam_policy/client.rb +557 -0
- data/lib/google/cloud/kms/v1/iam_policy/credentials.rb +52 -0
- data/lib/google/cloud/kms/v1/key_management_service.rb +60 -0
- data/lib/google/cloud/kms/v1/key_management_service/client.rb +2393 -0
- data/lib/google/cloud/kms/v1/key_management_service/credentials.rb +52 -0
- data/lib/google/cloud/kms/v1/key_management_service/paths.rb +134 -0
- data/lib/google/cloud/kms/v1/resources_pb.rb +162 -0
- data/lib/google/cloud/kms/v1/service_pb.rb +210 -0
- data/lib/google/cloud/kms/v1/service_services_pb.rb +150 -0
- data/lib/google/cloud/kms/v1/version.rb +28 -0
- data/lib/google/iam/v1/iam_policy_services_pb.rb +81 -0
- data/proto_docs/README.md +4 -0
- data/proto_docs/google/api/field_behavior.rb +59 -0
- data/proto_docs/google/api/resource.rb +247 -0
- data/proto_docs/google/cloud/kms/v1/resources.rb +580 -0
- data/proto_docs/google/cloud/kms/v1/service.rb +594 -0
- data/proto_docs/google/iam/v1/iam_policy.rb +80 -0
- data/proto_docs/google/iam/v1/options.rb +40 -0
- data/proto_docs/google/iam/v1/policy.rb +248 -0
- data/proto_docs/google/protobuf/duration.rb +98 -0
- data/proto_docs/google/protobuf/field_mask.rb +229 -0
- data/proto_docs/google/protobuf/timestamp.rb +120 -0
- data/proto_docs/google/type/expr.rb +52 -0
- metadata +205 -0
@@ -0,0 +1,580 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
# Copyright 2020 Google LLC
|
4
|
+
#
|
5
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
6
|
+
# you may not use this file except in compliance with the License.
|
7
|
+
# You may obtain a copy of the License at
|
8
|
+
#
|
9
|
+
# https://www.apache.org/licenses/LICENSE-2.0
|
10
|
+
#
|
11
|
+
# Unless required by applicable law or agreed to in writing, software
|
12
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
13
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
14
|
+
# See the License for the specific language governing permissions and
|
15
|
+
# limitations under the License.
|
16
|
+
|
17
|
+
# Auto-generated by gapic-generator-ruby. DO NOT EDIT!
|
18
|
+
|
19
|
+
|
20
|
+
module Google
|
21
|
+
module Cloud
|
22
|
+
module Kms
|
23
|
+
module V1
|
24
|
+
# A {Google::Cloud::Kms::V1::KeyRing KeyRing} is a toplevel logical grouping of {Google::Cloud::Kms::V1::CryptoKey CryptoKeys}.
|
25
|
+
# @!attribute [r] name
|
26
|
+
# @return [String]
|
27
|
+
# Output only. The resource name for the {Google::Cloud::Kms::V1::KeyRing KeyRing} in the format
|
28
|
+
# `projects/*/locations/*/keyRings/*`.
|
29
|
+
# @!attribute [r] create_time
|
30
|
+
# @return [Google::Protobuf::Timestamp]
|
31
|
+
# Output only. The time at which this {Google::Cloud::Kms::V1::KeyRing KeyRing} was created.
|
32
|
+
class KeyRing
|
33
|
+
include Google::Protobuf::MessageExts
|
34
|
+
extend Google::Protobuf::MessageExts::ClassMethods
|
35
|
+
end
|
36
|
+
|
37
|
+
# A {Google::Cloud::Kms::V1::CryptoKey CryptoKey} represents a logical key that can be used for cryptographic
|
38
|
+
# operations.
|
39
|
+
#
|
40
|
+
# A {Google::Cloud::Kms::V1::CryptoKey CryptoKey} is made up of one or more {Google::Cloud::Kms::V1::CryptoKeyVersion versions}, which
|
41
|
+
# represent the actual key material used in cryptographic operations.
|
42
|
+
# @!attribute [r] name
|
43
|
+
# @return [String]
|
44
|
+
# Output only. The resource name for this {Google::Cloud::Kms::V1::CryptoKey CryptoKey} in the format
|
45
|
+
# `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
|
46
|
+
# @!attribute [r] primary
|
47
|
+
# @return [Google::Cloud::Kms::V1::CryptoKeyVersion]
|
48
|
+
# Output only. A copy of the "primary" {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} that will be used
|
49
|
+
# by {Google::Cloud::Kms::V1::KeyManagementService::Client#encrypt Encrypt} when this {Google::Cloud::Kms::V1::CryptoKey CryptoKey} is given
|
50
|
+
# in {Google::Cloud::Kms::V1::EncryptRequest#name EncryptRequest.name}.
|
51
|
+
#
|
52
|
+
# The {Google::Cloud::Kms::V1::CryptoKey CryptoKey}'s primary version can be updated via
|
53
|
+
# {Google::Cloud::Kms::V1::KeyManagementService::Client#update_crypto_key_primary_version UpdateCryptoKeyPrimaryVersion}.
|
54
|
+
#
|
55
|
+
# Keys with {Google::Cloud::Kms::V1::CryptoKey#purpose purpose}
|
56
|
+
# {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT} may have a
|
57
|
+
# primary. For other keys, this field will be omitted.
|
58
|
+
# @!attribute [rw] purpose
|
59
|
+
# @return [Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose]
|
60
|
+
# Immutable. The immutable purpose of this {Google::Cloud::Kms::V1::CryptoKey CryptoKey}.
|
61
|
+
# @!attribute [r] create_time
|
62
|
+
# @return [Google::Protobuf::Timestamp]
|
63
|
+
# Output only. The time at which this {Google::Cloud::Kms::V1::CryptoKey CryptoKey} was created.
|
64
|
+
# @!attribute [rw] next_rotation_time
|
65
|
+
# @return [Google::Protobuf::Timestamp]
|
66
|
+
# At {Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time}, the Key Management Service will automatically:
|
67
|
+
#
|
68
|
+
# 1. Create a new version of this {Google::Cloud::Kms::V1::CryptoKey CryptoKey}.
|
69
|
+
# 2. Mark the new version as primary.
|
70
|
+
#
|
71
|
+
# Key rotations performed manually via
|
72
|
+
# {Google::Cloud::Kms::V1::KeyManagementService::Client#create_crypto_key_version CreateCryptoKeyVersion} and
|
73
|
+
# {Google::Cloud::Kms::V1::KeyManagementService::Client#update_crypto_key_primary_version UpdateCryptoKeyPrimaryVersion}
|
74
|
+
# do not affect {Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time}.
|
75
|
+
#
|
76
|
+
# Keys with {Google::Cloud::Kms::V1::CryptoKey#purpose purpose}
|
77
|
+
# {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT} support
|
78
|
+
# automatic rotation. For other keys, this field must be omitted.
|
79
|
+
# @!attribute [rw] rotation_period
|
80
|
+
# @return [Google::Protobuf::Duration]
|
81
|
+
# {Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time} will be advanced by this period when the service
|
82
|
+
# automatically rotates a key. Must be at least 24 hours and at most
|
83
|
+
# 876,000 hours.
|
84
|
+
#
|
85
|
+
# If {Google::Cloud::Kms::V1::CryptoKey#rotation_period rotation_period} is set, {Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time} must also be set.
|
86
|
+
#
|
87
|
+
# Keys with {Google::Cloud::Kms::V1::CryptoKey#purpose purpose}
|
88
|
+
# {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT} support
|
89
|
+
# automatic rotation. For other keys, this field must be omitted.
|
90
|
+
# @!attribute [rw] version_template
|
91
|
+
# @return [Google::Cloud::Kms::V1::CryptoKeyVersionTemplate]
|
92
|
+
# A template describing settings for new {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} instances.
|
93
|
+
# The properties of new {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} instances created by either
|
94
|
+
# {Google::Cloud::Kms::V1::KeyManagementService::Client#create_crypto_key_version CreateCryptoKeyVersion} or
|
95
|
+
# auto-rotation are controlled by this template.
|
96
|
+
# @!attribute [rw] labels
|
97
|
+
# @return [Google::Protobuf::Map{String => String}]
|
98
|
+
# Labels with user-defined metadata. For more information, see
|
99
|
+
# [Labeling Keys](/kms/docs/labeling-keys).
|
100
|
+
class CryptoKey
|
101
|
+
include Google::Protobuf::MessageExts
|
102
|
+
extend Google::Protobuf::MessageExts::ClassMethods
|
103
|
+
|
104
|
+
# @!attribute [rw] key
|
105
|
+
# @return [String]
|
106
|
+
# @!attribute [rw] value
|
107
|
+
# @return [String]
|
108
|
+
class LabelsEntry
|
109
|
+
include Google::Protobuf::MessageExts
|
110
|
+
extend Google::Protobuf::MessageExts::ClassMethods
|
111
|
+
end
|
112
|
+
|
113
|
+
# {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose CryptoKeyPurpose} describes the cryptographic capabilities of a
|
114
|
+
# {Google::Cloud::Kms::V1::CryptoKey CryptoKey}. A given key can only be used for the operations allowed by
|
115
|
+
# its purpose. For more information, see
|
116
|
+
# [Key purposes](https://cloud.google.com/kms/docs/algorithms#key_purposes).
|
117
|
+
module CryptoKeyPurpose
|
118
|
+
# Not specified.
|
119
|
+
CRYPTO_KEY_PURPOSE_UNSPECIFIED = 0
|
120
|
+
|
121
|
+
# {Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used with
|
122
|
+
# {Google::Cloud::Kms::V1::KeyManagementService::Client#encrypt Encrypt} and
|
123
|
+
# {Google::Cloud::Kms::V1::KeyManagementService::Client#decrypt Decrypt}.
|
124
|
+
ENCRYPT_DECRYPT = 1
|
125
|
+
|
126
|
+
# {Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used with
|
127
|
+
# {Google::Cloud::Kms::V1::KeyManagementService::Client#asymmetric_sign AsymmetricSign} and
|
128
|
+
# {Google::Cloud::Kms::V1::KeyManagementService::Client#get_public_key GetPublicKey}.
|
129
|
+
ASYMMETRIC_SIGN = 5
|
130
|
+
|
131
|
+
# {Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used with
|
132
|
+
# {Google::Cloud::Kms::V1::KeyManagementService::Client#asymmetric_decrypt AsymmetricDecrypt} and
|
133
|
+
# {Google::Cloud::Kms::V1::KeyManagementService::Client#get_public_key GetPublicKey}.
|
134
|
+
ASYMMETRIC_DECRYPT = 6
|
135
|
+
end
|
136
|
+
end
|
137
|
+
|
138
|
+
# A {Google::Cloud::Kms::V1::CryptoKeyVersionTemplate CryptoKeyVersionTemplate} specifies the properties to use when creating
|
139
|
+
# a new {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}, either manually with
|
140
|
+
# {Google::Cloud::Kms::V1::KeyManagementService::Client#create_crypto_key_version CreateCryptoKeyVersion} or
|
141
|
+
# automatically as a result of auto-rotation.
|
142
|
+
# @!attribute [rw] protection_level
|
143
|
+
# @return [Google::Cloud::Kms::V1::ProtectionLevel]
|
144
|
+
# {Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} to use when creating a {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} based on
|
145
|
+
# this template. Immutable. Defaults to {Google::Cloud::Kms::V1::ProtectionLevel::SOFTWARE SOFTWARE}.
|
146
|
+
# @!attribute [rw] algorithm
|
147
|
+
# @return [Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm]
|
148
|
+
# Required. {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm Algorithm} to use
|
149
|
+
# when creating a {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} based on this template.
|
150
|
+
#
|
151
|
+
# For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
|
152
|
+
# this field is omitted and {Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey.purpose} is
|
153
|
+
# {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT}.
|
154
|
+
class CryptoKeyVersionTemplate
|
155
|
+
include Google::Protobuf::MessageExts
|
156
|
+
extend Google::Protobuf::MessageExts::ClassMethods
|
157
|
+
end
|
158
|
+
|
159
|
+
# Contains an HSM-generated attestation about a key operation. For more
|
160
|
+
# information, see [Verifying attestations]
|
161
|
+
# (https://cloud.google.com/kms/docs/attest-key).
|
162
|
+
# @!attribute [r] format
|
163
|
+
# @return [Google::Cloud::Kms::V1::KeyOperationAttestation::AttestationFormat]
|
164
|
+
# Output only. The format of the attestation data.
|
165
|
+
# @!attribute [r] content
|
166
|
+
# @return [String]
|
167
|
+
# Output only. The attestation data provided by the HSM when the key
|
168
|
+
# operation was performed.
|
169
|
+
class KeyOperationAttestation
|
170
|
+
include Google::Protobuf::MessageExts
|
171
|
+
extend Google::Protobuf::MessageExts::ClassMethods
|
172
|
+
|
173
|
+
# Attestation formats provided by the HSM.
|
174
|
+
module AttestationFormat
|
175
|
+
# Not specified.
|
176
|
+
ATTESTATION_FORMAT_UNSPECIFIED = 0
|
177
|
+
|
178
|
+
# Cavium HSM attestation compressed with gzip. Note that this format is
|
179
|
+
# defined by Cavium and subject to change at any time.
|
180
|
+
CAVIUM_V1_COMPRESSED = 3
|
181
|
+
|
182
|
+
# Cavium HSM attestation V2 compressed with gzip. This is a new format
|
183
|
+
# introduced in Cavium's version 3.2-08.
|
184
|
+
CAVIUM_V2_COMPRESSED = 4
|
185
|
+
end
|
186
|
+
end
|
187
|
+
|
188
|
+
# A {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} represents an individual cryptographic key, and the
|
189
|
+
# associated key material.
|
190
|
+
#
|
191
|
+
# An {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED} version can be
|
192
|
+
# used for cryptographic operations.
|
193
|
+
#
|
194
|
+
# For security reasons, the raw cryptographic key material represented by a
|
195
|
+
# {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} can never be viewed or exported. It can only be used to
|
196
|
+
# encrypt, decrypt, or sign data when an authorized user or application invokes
|
197
|
+
# Cloud KMS.
|
198
|
+
# @!attribute [r] name
|
199
|
+
# @return [String]
|
200
|
+
# Output only. The resource name for this {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} in the format
|
201
|
+
# `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
|
202
|
+
# @!attribute [rw] state
|
203
|
+
# @return [Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState]
|
204
|
+
# The current state of the {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}.
|
205
|
+
# @!attribute [r] protection_level
|
206
|
+
# @return [Google::Cloud::Kms::V1::ProtectionLevel]
|
207
|
+
# Output only. The {Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} describing how crypto operations are
|
208
|
+
# performed with this {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}.
|
209
|
+
# @!attribute [r] algorithm
|
210
|
+
# @return [Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm]
|
211
|
+
# Output only. The {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm CryptoKeyVersionAlgorithm} that this
|
212
|
+
# {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} supports.
|
213
|
+
# @!attribute [r] attestation
|
214
|
+
# @return [Google::Cloud::Kms::V1::KeyOperationAttestation]
|
215
|
+
# Output only. Statement that was generated and signed by the HSM at key
|
216
|
+
# creation time. Use this statement to verify attributes of the key as stored
|
217
|
+
# on the HSM, independently of Google. Only provided for key versions with
|
218
|
+
# {Google::Cloud::Kms::V1::CryptoKeyVersion#protection_level protection_level} {Google::Cloud::Kms::V1::ProtectionLevel::HSM HSM}.
|
219
|
+
# @!attribute [r] create_time
|
220
|
+
# @return [Google::Protobuf::Timestamp]
|
221
|
+
# Output only. The time at which this {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} was created.
|
222
|
+
# @!attribute [r] generate_time
|
223
|
+
# @return [Google::Protobuf::Timestamp]
|
224
|
+
# Output only. The time this {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}'s key material was
|
225
|
+
# generated.
|
226
|
+
# @!attribute [r] destroy_time
|
227
|
+
# @return [Google::Protobuf::Timestamp]
|
228
|
+
# Output only. The time this {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}'s key material is scheduled
|
229
|
+
# for destruction. Only present if {Google::Cloud::Kms::V1::CryptoKeyVersion#state state} is
|
230
|
+
# {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::DESTROY_SCHEDULED DESTROY_SCHEDULED}.
|
231
|
+
# @!attribute [r] destroy_event_time
|
232
|
+
# @return [Google::Protobuf::Timestamp]
|
233
|
+
# Output only. The time this CryptoKeyVersion's key material was
|
234
|
+
# destroyed. Only present if {Google::Cloud::Kms::V1::CryptoKeyVersion#state state} is
|
235
|
+
# {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::DESTROYED DESTROYED}.
|
236
|
+
# @!attribute [r] import_job
|
237
|
+
# @return [String]
|
238
|
+
# Output only. The name of the {Google::Cloud::Kms::V1::ImportJob ImportJob} used to import this
|
239
|
+
# {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}. Only present if the underlying key material was
|
240
|
+
# imported.
|
241
|
+
# @!attribute [r] import_time
|
242
|
+
# @return [Google::Protobuf::Timestamp]
|
243
|
+
# Output only. The time at which this {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}'s key material
|
244
|
+
# was imported.
|
245
|
+
# @!attribute [r] import_failure_reason
|
246
|
+
# @return [String]
|
247
|
+
# Output only. The root cause of an import failure. Only present if
|
248
|
+
# {Google::Cloud::Kms::V1::CryptoKeyVersion#state state} is
|
249
|
+
# {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::IMPORT_FAILED IMPORT_FAILED}.
|
250
|
+
# @!attribute [rw] external_protection_level_options
|
251
|
+
# @return [Google::Cloud::Kms::V1::ExternalProtectionLevelOptions]
|
252
|
+
# ExternalProtectionLevelOptions stores a group of additional fields for
|
253
|
+
# configuring a {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} that are specific to the
|
254
|
+
# {Google::Cloud::Kms::V1::ProtectionLevel::EXTERNAL EXTERNAL} protection level.
|
255
|
+
class CryptoKeyVersion
|
256
|
+
include Google::Protobuf::MessageExts
|
257
|
+
extend Google::Protobuf::MessageExts::ClassMethods
|
258
|
+
|
259
|
+
# The algorithm of the {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}, indicating what
|
260
|
+
# parameters must be used for each cryptographic operation.
|
261
|
+
#
|
262
|
+
# The
|
263
|
+
# {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm::GOOGLE_SYMMETRIC_ENCRYPTION GOOGLE_SYMMETRIC_ENCRYPTION}
|
264
|
+
# algorithm is usable with {Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey.purpose}
|
265
|
+
# {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT}.
|
266
|
+
#
|
267
|
+
# Algorithms beginning with "RSA_SIGN_" are usable with {Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey.purpose}
|
268
|
+
# {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ASYMMETRIC_SIGN ASYMMETRIC_SIGN}.
|
269
|
+
#
|
270
|
+
# The fields in the name after "RSA_SIGN_" correspond to the following
|
271
|
+
# parameters: padding algorithm, modulus bit length, and digest algorithm.
|
272
|
+
#
|
273
|
+
# For PSS, the salt length used is equal to the length of digest
|
274
|
+
# algorithm. For example,
|
275
|
+
# {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm::RSA_SIGN_PSS_2048_SHA256 RSA_SIGN_PSS_2048_SHA256}
|
276
|
+
# will use PSS with a salt length of 256 bits or 32 bytes.
|
277
|
+
#
|
278
|
+
# Algorithms beginning with "RSA_DECRYPT_" are usable with
|
279
|
+
# {Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey.purpose}
|
280
|
+
# {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ASYMMETRIC_DECRYPT ASYMMETRIC_DECRYPT}.
|
281
|
+
#
|
282
|
+
# The fields in the name after "RSA_DECRYPT_" correspond to the following
|
283
|
+
# parameters: padding algorithm, modulus bit length, and digest algorithm.
|
284
|
+
#
|
285
|
+
# Algorithms beginning with "EC_SIGN_" are usable with {Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey.purpose}
|
286
|
+
# {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ASYMMETRIC_SIGN ASYMMETRIC_SIGN}.
|
287
|
+
#
|
288
|
+
# The fields in the name after "EC_SIGN_" correspond to the following
|
289
|
+
# parameters: elliptic curve, digest algorithm.
|
290
|
+
#
|
291
|
+
# For more information, see [Key purposes and algorithms]
|
292
|
+
# (https://cloud.google.com/kms/docs/algorithms).
|
293
|
+
module CryptoKeyVersionAlgorithm
|
294
|
+
# Not specified.
|
295
|
+
CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED = 0
|
296
|
+
|
297
|
+
# Creates symmetric encryption keys.
|
298
|
+
GOOGLE_SYMMETRIC_ENCRYPTION = 1
|
299
|
+
|
300
|
+
# RSASSA-PSS 2048 bit key with a SHA256 digest.
|
301
|
+
RSA_SIGN_PSS_2048_SHA256 = 2
|
302
|
+
|
303
|
+
# RSASSA-PSS 3072 bit key with a SHA256 digest.
|
304
|
+
RSA_SIGN_PSS_3072_SHA256 = 3
|
305
|
+
|
306
|
+
# RSASSA-PSS 4096 bit key with a SHA256 digest.
|
307
|
+
RSA_SIGN_PSS_4096_SHA256 = 4
|
308
|
+
|
309
|
+
# RSASSA-PSS 4096 bit key with a SHA512 digest.
|
310
|
+
RSA_SIGN_PSS_4096_SHA512 = 15
|
311
|
+
|
312
|
+
# RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
|
313
|
+
RSA_SIGN_PKCS1_2048_SHA256 = 5
|
314
|
+
|
315
|
+
# RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
|
316
|
+
RSA_SIGN_PKCS1_3072_SHA256 = 6
|
317
|
+
|
318
|
+
# RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
|
319
|
+
RSA_SIGN_PKCS1_4096_SHA256 = 7
|
320
|
+
|
321
|
+
# RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
|
322
|
+
RSA_SIGN_PKCS1_4096_SHA512 = 16
|
323
|
+
|
324
|
+
# RSAES-OAEP 2048 bit key with a SHA256 digest.
|
325
|
+
RSA_DECRYPT_OAEP_2048_SHA256 = 8
|
326
|
+
|
327
|
+
# RSAES-OAEP 3072 bit key with a SHA256 digest.
|
328
|
+
RSA_DECRYPT_OAEP_3072_SHA256 = 9
|
329
|
+
|
330
|
+
# RSAES-OAEP 4096 bit key with a SHA256 digest.
|
331
|
+
RSA_DECRYPT_OAEP_4096_SHA256 = 10
|
332
|
+
|
333
|
+
# RSAES-OAEP 4096 bit key with a SHA512 digest.
|
334
|
+
RSA_DECRYPT_OAEP_4096_SHA512 = 17
|
335
|
+
|
336
|
+
# ECDSA on the NIST P-256 curve with a SHA256 digest.
|
337
|
+
EC_SIGN_P256_SHA256 = 12
|
338
|
+
|
339
|
+
# ECDSA on the NIST P-384 curve with a SHA384 digest.
|
340
|
+
EC_SIGN_P384_SHA384 = 13
|
341
|
+
|
342
|
+
# Algorithm representing symmetric encryption by an external key manager.
|
343
|
+
EXTERNAL_SYMMETRIC_ENCRYPTION = 18
|
344
|
+
end
|
345
|
+
|
346
|
+
# The state of a {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}, indicating if it can be used.
|
347
|
+
module CryptoKeyVersionState
|
348
|
+
# Not specified.
|
349
|
+
CRYPTO_KEY_VERSION_STATE_UNSPECIFIED = 0
|
350
|
+
|
351
|
+
# This version is still being generated. It may not be used, enabled,
|
352
|
+
# disabled, or destroyed yet. Cloud KMS will automatically mark this
|
353
|
+
# version {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED} as soon as the version is ready.
|
354
|
+
PENDING_GENERATION = 5
|
355
|
+
|
356
|
+
# This version may be used for cryptographic operations.
|
357
|
+
ENABLED = 1
|
358
|
+
|
359
|
+
# This version may not be used, but the key material is still available,
|
360
|
+
# and the version can be placed back into the {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED} state.
|
361
|
+
DISABLED = 2
|
362
|
+
|
363
|
+
# This version is destroyed, and the key material is no longer stored.
|
364
|
+
# A version may not leave this state once entered.
|
365
|
+
DESTROYED = 3
|
366
|
+
|
367
|
+
# This version is scheduled for destruction, and will be destroyed soon.
|
368
|
+
# Call
|
369
|
+
# {Google::Cloud::Kms::V1::KeyManagementService::Client#restore_crypto_key_version RestoreCryptoKeyVersion}
|
370
|
+
# to put it back into the {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::DISABLED DISABLED} state.
|
371
|
+
DESTROY_SCHEDULED = 4
|
372
|
+
|
373
|
+
# This version is still being imported. It may not be used, enabled,
|
374
|
+
# disabled, or destroyed yet. Cloud KMS will automatically mark this
|
375
|
+
# version {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED} as soon as the version is ready.
|
376
|
+
PENDING_IMPORT = 6
|
377
|
+
|
378
|
+
# This version was not imported successfully. It may not be used, enabled,
|
379
|
+
# disabled, or destroyed. The submitted key material has been discarded.
|
380
|
+
# Additional details can be found in
|
381
|
+
# {Google::Cloud::Kms::V1::CryptoKeyVersion#import_failure_reason CryptoKeyVersion.import_failure_reason}.
|
382
|
+
IMPORT_FAILED = 7
|
383
|
+
end
|
384
|
+
|
385
|
+
# A view for {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}s. Controls the level of detail returned
|
386
|
+
# for {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersions} in
|
387
|
+
# {Google::Cloud::Kms::V1::KeyManagementService::Client#list_crypto_key_versions KeyManagementService.ListCryptoKeyVersions} and
|
388
|
+
# {Google::Cloud::Kms::V1::KeyManagementService::Client#list_crypto_keys KeyManagementService.ListCryptoKeys}.
|
389
|
+
module CryptoKeyVersionView
|
390
|
+
# Default view for each {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}. Does not include
|
391
|
+
# the {Google::Cloud::Kms::V1::CryptoKeyVersion#attestation attestation} field.
|
392
|
+
CRYPTO_KEY_VERSION_VIEW_UNSPECIFIED = 0
|
393
|
+
|
394
|
+
# Provides all fields in each {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}, including the
|
395
|
+
# {Google::Cloud::Kms::V1::CryptoKeyVersion#attestation attestation}.
|
396
|
+
FULL = 1
|
397
|
+
end
|
398
|
+
end
|
399
|
+
|
400
|
+
# The public key for a given {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}. Obtained via
|
401
|
+
# {Google::Cloud::Kms::V1::KeyManagementService::Client#get_public_key GetPublicKey}.
|
402
|
+
# @!attribute [rw] pem
|
403
|
+
# @return [String]
|
404
|
+
# The public key, encoded in PEM format. For more information, see the
|
405
|
+
# [RFC 7468](https://tools.ietf.org/html/rfc7468) sections for
|
406
|
+
# [General Considerations](https://tools.ietf.org/html/rfc7468#section-2) and
|
407
|
+
# [Textual Encoding of Subject Public Key Info]
|
408
|
+
# (https://tools.ietf.org/html/rfc7468#section-13).
|
409
|
+
# @!attribute [rw] algorithm
|
410
|
+
# @return [Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm]
|
411
|
+
# The {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm Algorithm} associated
|
412
|
+
# with this key.
|
413
|
+
class PublicKey
|
414
|
+
include Google::Protobuf::MessageExts
|
415
|
+
extend Google::Protobuf::MessageExts::ClassMethods
|
416
|
+
end
|
417
|
+
|
418
|
+
# An {Google::Cloud::Kms::V1::ImportJob ImportJob} can be used to create {Google::Cloud::Kms::V1::CryptoKey CryptoKeys} and
|
419
|
+
# {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersions} using pre-existing key material,
|
420
|
+
# generated outside of Cloud KMS.
|
421
|
+
#
|
422
|
+
# When an {Google::Cloud::Kms::V1::ImportJob ImportJob} is created, Cloud KMS will generate a "wrapping key",
|
423
|
+
# which is a public/private key pair. You use the wrapping key to encrypt (also
|
424
|
+
# known as wrap) the pre-existing key material to protect it during the import
|
425
|
+
# process. The nature of the wrapping key depends on the choice of
|
426
|
+
# {Google::Cloud::Kms::V1::ImportJob#import_method import_method}. When the wrapping key generation
|
427
|
+
# is complete, the {Google::Cloud::Kms::V1::ImportJob#state state} will be set to
|
428
|
+
# {Google::Cloud::Kms::V1::ImportJob::ImportJobState::ACTIVE ACTIVE} and the {Google::Cloud::Kms::V1::ImportJob#public_key public_key}
|
429
|
+
# can be fetched. The fetched public key can then be used to wrap your
|
430
|
+
# pre-existing key material.
|
431
|
+
#
|
432
|
+
# Once the key material is wrapped, it can be imported into a new
|
433
|
+
# {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} in an existing {Google::Cloud::Kms::V1::CryptoKey CryptoKey} by calling
|
434
|
+
# {Google::Cloud::Kms::V1::KeyManagementService::Client#import_crypto_key_version ImportCryptoKeyVersion}.
|
435
|
+
# Multiple {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersions} can be imported with a single
|
436
|
+
# {Google::Cloud::Kms::V1::ImportJob ImportJob}. Cloud KMS uses the private key portion of the wrapping key to
|
437
|
+
# unwrap the key material. Only Cloud KMS has access to the private key.
|
438
|
+
#
|
439
|
+
# An {Google::Cloud::Kms::V1::ImportJob ImportJob} expires 3 days after it is created. Once expired, Cloud KMS
|
440
|
+
# will no longer be able to import or unwrap any key material that was wrapped
|
441
|
+
# with the {Google::Cloud::Kms::V1::ImportJob ImportJob}'s public key.
|
442
|
+
#
|
443
|
+
# For more information, see
|
444
|
+
# [Importing a key](https://cloud.google.com/kms/docs/importing-a-key).
|
445
|
+
# @!attribute [r] name
|
446
|
+
# @return [String]
|
447
|
+
# Output only. The resource name for this {Google::Cloud::Kms::V1::ImportJob ImportJob} in the format
|
448
|
+
# `projects/*/locations/*/keyRings/*/importJobs/*`.
|
449
|
+
# @!attribute [rw] import_method
|
450
|
+
# @return [Google::Cloud::Kms::V1::ImportJob::ImportMethod]
|
451
|
+
# Required. Immutable. The wrapping method to be used for incoming key material.
|
452
|
+
# @!attribute [rw] protection_level
|
453
|
+
# @return [Google::Cloud::Kms::V1::ProtectionLevel]
|
454
|
+
# Required. Immutable. The protection level of the {Google::Cloud::Kms::V1::ImportJob ImportJob}. This must match the
|
455
|
+
# {Google::Cloud::Kms::V1::CryptoKeyVersionTemplate#protection_level protection_level} of the
|
456
|
+
# {Google::Cloud::Kms::V1::CryptoKey#version_template version_template} on the {Google::Cloud::Kms::V1::CryptoKey CryptoKey} you
|
457
|
+
# attempt to import into.
|
458
|
+
# @!attribute [r] create_time
|
459
|
+
# @return [Google::Protobuf::Timestamp]
|
460
|
+
# Output only. The time at which this {Google::Cloud::Kms::V1::ImportJob ImportJob} was created.
|
461
|
+
# @!attribute [r] generate_time
|
462
|
+
# @return [Google::Protobuf::Timestamp]
|
463
|
+
# Output only. The time this {Google::Cloud::Kms::V1::ImportJob ImportJob}'s key material was generated.
|
464
|
+
# @!attribute [r] expire_time
|
465
|
+
# @return [Google::Protobuf::Timestamp]
|
466
|
+
# Output only. The time at which this {Google::Cloud::Kms::V1::ImportJob ImportJob} is scheduled for
|
467
|
+
# expiration and can no longer be used to import key material.
|
468
|
+
# @!attribute [r] expire_event_time
|
469
|
+
# @return [Google::Protobuf::Timestamp]
|
470
|
+
# Output only. The time this {Google::Cloud::Kms::V1::ImportJob ImportJob} expired. Only present if
|
471
|
+
# {Google::Cloud::Kms::V1::ImportJob#state state} is {Google::Cloud::Kms::V1::ImportJob::ImportJobState::EXPIRED EXPIRED}.
|
472
|
+
# @!attribute [r] state
|
473
|
+
# @return [Google::Cloud::Kms::V1::ImportJob::ImportJobState]
|
474
|
+
# Output only. The current state of the {Google::Cloud::Kms::V1::ImportJob ImportJob}, indicating if it can
|
475
|
+
# be used.
|
476
|
+
# @!attribute [r] public_key
|
477
|
+
# @return [Google::Cloud::Kms::V1::ImportJob::WrappingPublicKey]
|
478
|
+
# Output only. The public key with which to wrap key material prior to
|
479
|
+
# import. Only returned if {Google::Cloud::Kms::V1::ImportJob#state state} is
|
480
|
+
# {Google::Cloud::Kms::V1::ImportJob::ImportJobState::ACTIVE ACTIVE}.
|
481
|
+
# @!attribute [r] attestation
|
482
|
+
# @return [Google::Cloud::Kms::V1::KeyOperationAttestation]
|
483
|
+
# Output only. Statement that was generated and signed by the key creator
|
484
|
+
# (for example, an HSM) at key creation time. Use this statement to verify
|
485
|
+
# attributes of the key as stored on the HSM, independently of Google.
|
486
|
+
# Only present if the chosen {Google::Cloud::Kms::V1::ImportJob::ImportMethod ImportMethod} is one with a protection
|
487
|
+
# level of {Google::Cloud::Kms::V1::ProtectionLevel::HSM HSM}.
|
488
|
+
class ImportJob
|
489
|
+
include Google::Protobuf::MessageExts
|
490
|
+
extend Google::Protobuf::MessageExts::ClassMethods
|
491
|
+
|
492
|
+
# The public key component of the wrapping key. For details of the type of
|
493
|
+
# key this public key corresponds to, see the {Google::Cloud::Kms::V1::ImportJob::ImportMethod ImportMethod}.
|
494
|
+
# @!attribute [rw] pem
|
495
|
+
# @return [String]
|
496
|
+
# The public key, encoded in PEM format. For more information, see the [RFC
|
497
|
+
# 7468](https://tools.ietf.org/html/rfc7468) sections for [General
|
498
|
+
# Considerations](https://tools.ietf.org/html/rfc7468#section-2) and
|
499
|
+
# [Textual Encoding of Subject Public Key Info]
|
500
|
+
# (https://tools.ietf.org/html/rfc7468#section-13).
|
501
|
+
class WrappingPublicKey
|
502
|
+
include Google::Protobuf::MessageExts
|
503
|
+
extend Google::Protobuf::MessageExts::ClassMethods
|
504
|
+
end
|
505
|
+
|
506
|
+
# {Google::Cloud::Kms::V1::ImportJob::ImportMethod ImportMethod} describes the key wrapping method chosen for this
|
507
|
+
# {Google::Cloud::Kms::V1::ImportJob ImportJob}.
|
508
|
+
module ImportMethod
|
509
|
+
# Not specified.
|
510
|
+
IMPORT_METHOD_UNSPECIFIED = 0
|
511
|
+
|
512
|
+
# This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping
|
513
|
+
# scheme defined in the PKCS #11 standard. In summary, this involves
|
514
|
+
# wrapping the raw key with an ephemeral AES key, and wrapping the
|
515
|
+
# ephemeral AES key with a 3072 bit RSA key. For more details, see
|
516
|
+
# [RSA AES key wrap
|
517
|
+
# mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908).
|
518
|
+
RSA_OAEP_3072_SHA1_AES_256 = 1
|
519
|
+
|
520
|
+
# This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping
|
521
|
+
# scheme defined in the PKCS #11 standard. In summary, this involves
|
522
|
+
# wrapping the raw key with an ephemeral AES key, and wrapping the
|
523
|
+
# ephemeral AES key with a 4096 bit RSA key. For more details, see
|
524
|
+
# [RSA AES key wrap
|
525
|
+
# mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908).
|
526
|
+
RSA_OAEP_4096_SHA1_AES_256 = 2
|
527
|
+
end
|
528
|
+
|
529
|
+
# The state of the {Google::Cloud::Kms::V1::ImportJob ImportJob}, indicating if it can be used.
|
530
|
+
module ImportJobState
|
531
|
+
# Not specified.
|
532
|
+
IMPORT_JOB_STATE_UNSPECIFIED = 0
|
533
|
+
|
534
|
+
# The wrapping key for this job is still being generated. It may not be
|
535
|
+
# used. Cloud KMS will automatically mark this job as
|
536
|
+
# {Google::Cloud::Kms::V1::ImportJob::ImportJobState::ACTIVE ACTIVE} as soon as the wrapping key is generated.
|
537
|
+
PENDING_GENERATION = 1
|
538
|
+
|
539
|
+
# This job may be used in
|
540
|
+
# {Google::Cloud::Kms::V1::KeyManagementService::Client#create_crypto_key CreateCryptoKey} and
|
541
|
+
# {Google::Cloud::Kms::V1::KeyManagementService::Client#create_crypto_key_version CreateCryptoKeyVersion}
|
542
|
+
# requests.
|
543
|
+
ACTIVE = 2
|
544
|
+
|
545
|
+
# This job can no longer be used and may not leave this state once entered.
|
546
|
+
EXPIRED = 3
|
547
|
+
end
|
548
|
+
end
|
549
|
+
|
550
|
+
# ExternalProtectionLevelOptions stores a group of additional fields for
|
551
|
+
# configuring a {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} that are specific to the
|
552
|
+
# {Google::Cloud::Kms::V1::ProtectionLevel::EXTERNAL EXTERNAL} protection level.
|
553
|
+
# @!attribute [rw] external_key_uri
|
554
|
+
# @return [String]
|
555
|
+
# The URI for an external resource that this {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} represents.
|
556
|
+
class ExternalProtectionLevelOptions
|
557
|
+
include Google::Protobuf::MessageExts
|
558
|
+
extend Google::Protobuf::MessageExts::ClassMethods
|
559
|
+
end
|
560
|
+
|
561
|
+
# {Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} specifies how cryptographic operations are performed.
|
562
|
+
# For more information, see [Protection levels]
|
563
|
+
# (https://cloud.google.com/kms/docs/algorithms#protection_levels).
|
564
|
+
module ProtectionLevel
|
565
|
+
# Not specified.
|
566
|
+
PROTECTION_LEVEL_UNSPECIFIED = 0
|
567
|
+
|
568
|
+
# Crypto operations are performed in software.
|
569
|
+
SOFTWARE = 1
|
570
|
+
|
571
|
+
# Crypto operations are performed in a Hardware Security Module.
|
572
|
+
HSM = 2
|
573
|
+
|
574
|
+
# Crypto operations are performed by an external key manager.
|
575
|
+
EXTERNAL = 3
|
576
|
+
end
|
577
|
+
end
|
578
|
+
end
|
579
|
+
end
|
580
|
+
end
|