google-cloud-kms-v1 0.10.1 → 0.12.0

data/proto_docs/google/cloud/kms/v1/resources.rb

@@ -21,78 +21,96 @@ module Google
   module Cloud
     module Kms
       module V1
-        # A {::Google::Cloud::Kms::V1::KeyRing KeyRing} is a toplevel logical grouping of {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys}.
+        # A {::Google::Cloud::Kms::V1::KeyRing KeyRing} is a toplevel logical grouping of
+        # {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys}.
         # @!attribute [r] name
         #   @return [::String]
-        #     Output only. The resource name for the {::Google::Cloud::Kms::V1::KeyRing KeyRing} in the format
+        #     Output only. The resource name for the
+        #     {::Google::Cloud::Kms::V1::KeyRing KeyRing} in the format
         #     `projects/*/locations/*/keyRings/*`.
         # @!attribute [r] create_time
         #   @return [::Google::Protobuf::Timestamp]
-        #     Output only. The time at which this {::Google::Cloud::Kms::V1::KeyRing KeyRing} was created.
+        #     Output only. The time at which this {::Google::Cloud::Kms::V1::KeyRing KeyRing}
+        #     was created.
         class KeyRing
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
         end
 
-        # A {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} represents a logical key that can be used for cryptographic
-        # operations.
+        # A {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} represents a logical key that
+        # can be used for cryptographic operations.
         #
-        # A {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} is made up of zero or more {::Google::Cloud::Kms::V1::CryptoKeyVersion versions},
-        # which represent the actual key material used in cryptographic operations.
+        # A {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} is made up of zero or more
+        # {::Google::Cloud::Kms::V1::CryptoKeyVersion versions}, which represent the actual
+        # key material used in cryptographic operations.
         # @!attribute [r] name
         #   @return [::String]
-        #     Output only. The resource name for this {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} in the format
+        #     Output only. The resource name for this
+        #     {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} in the format
         #     `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
         # @!attribute [r] primary
         #   @return [::Google::Cloud::Kms::V1::CryptoKeyVersion]
-        #     Output only. A copy of the "primary" {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} that will be used
-        #     by {::Google::Cloud::Kms::V1::KeyManagementService::Client#encrypt Encrypt} when this {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} is given
-        #     in {::Google::Cloud::Kms::V1::EncryptRequest#name EncryptRequest.name}.
+        #     Output only. A copy of the "primary"
+        #     {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} that will be used
+        #     by {::Google::Cloud::Kms::V1::KeyManagementService::Client#encrypt Encrypt} when this
+        #     {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} is given in
+        #     {::Google::Cloud::Kms::V1::EncryptRequest#name EncryptRequest.name}.
         #
-        #     The {::Google::Cloud::Kms::V1::CryptoKey CryptoKey}'s primary version can be updated via
+        #     The {::Google::Cloud::Kms::V1::CryptoKey CryptoKey}'s primary version can be
+        #     updated via
         #     {::Google::Cloud::Kms::V1::KeyManagementService::Client#update_crypto_key_primary_version UpdateCryptoKeyPrimaryVersion}.
         #
         #     Keys with {::Google::Cloud::Kms::V1::CryptoKey#purpose purpose}
-        #     {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT} may have a
-        #     primary. For other keys, this field will be omitted.
+        #     {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT}
+        #     may have a primary. For other keys, this field will be omitted.
         # @!attribute [rw] purpose
         #   @return [::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose]
-        #     Immutable. The immutable purpose of this {::Google::Cloud::Kms::V1::CryptoKey CryptoKey}.
+        #     Immutable. The immutable purpose of this
+        #     {::Google::Cloud::Kms::V1::CryptoKey CryptoKey}.
         # @!attribute [r] create_time
         #   @return [::Google::Protobuf::Timestamp]
-        #     Output only. The time at which this {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} was created.
+        #     Output only. The time at which this
+        #     {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} was created.
         # @!attribute [rw] next_rotation_time
         #   @return [::Google::Protobuf::Timestamp]
-        #     At {::Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time}, the Key Management Service will automatically:
+        #     At {::Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time},
+        #     the Key Management Service will automatically:
         #
         #     1. Create a new version of this {::Google::Cloud::Kms::V1::CryptoKey CryptoKey}.
         #     2. Mark the new version as primary.
         #
         #     Key rotations performed manually via
-        #     {::Google::Cloud::Kms::V1::KeyManagementService::Client#create_crypto_key_version CreateCryptoKeyVersion} and
+        #     {::Google::Cloud::Kms::V1::KeyManagementService::Client#create_crypto_key_version CreateCryptoKeyVersion}
+        #     and
         #     {::Google::Cloud::Kms::V1::KeyManagementService::Client#update_crypto_key_primary_version UpdateCryptoKeyPrimaryVersion}
-        #     do not affect {::Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time}.
+        #     do not affect
+        #     {::Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time}.
         #
         #     Keys with {::Google::Cloud::Kms::V1::CryptoKey#purpose purpose}
-        #     {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT} support
-        #     automatic rotation. For other keys, this field must be omitted.
+        #     {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT}
+        #     support automatic rotation. For other keys, this field must be omitted.
         # @!attribute [rw] rotation_period
         #   @return [::Google::Protobuf::Duration]
-        #     {::Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time} will be advanced by this period when the service
-        #     automatically rotates a key. Must be at least 24 hours and at most
-        #     876,000 hours.
+        #     {::Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time}
+        #     will be advanced by this period when the service automatically rotates a
+        #     key. Must be at least 24 hours and at most 876,000 hours.
         #
-        #     If {::Google::Cloud::Kms::V1::CryptoKey#rotation_period rotation_period} is set, {::Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time} must also be set.
+        #     If {::Google::Cloud::Kms::V1::CryptoKey#rotation_period rotation_period} is
+        #     set,
+        #     {::Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time}
+        #     must also be set.
         #
         #     Keys with {::Google::Cloud::Kms::V1::CryptoKey#purpose purpose}
-        #     {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT} support
-        #     automatic rotation. For other keys, this field must be omitted.
+        #     {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT}
+        #     support automatic rotation. For other keys, this field must be omitted.
         # @!attribute [rw] version_template
         #   @return [::Google::Cloud::Kms::V1::CryptoKeyVersionTemplate]
-        #     A template describing settings for new {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} instances.
-        #     The properties of new {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} instances created by either
-        #     {::Google::Cloud::Kms::V1::KeyManagementService::Client#create_crypto_key_version CreateCryptoKeyVersion} or
-        #     auto-rotation are controlled by this template.
+        #     A template describing settings for new
+        #     {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} instances. The
+        #     properties of new {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}
+        #     instances created by either
+        #     {::Google::Cloud::Kms::V1::KeyManagementService::Client#create_crypto_key_version CreateCryptoKeyVersion}
+        #     or auto-rotation are controlled by this template.
         # @!attribute [rw] labels
         #   @return [::Google::Protobuf::Map{::String => ::String}]
         #     Labels with user-defined metadata. For more information, see
@@ -105,8 +123,20 @@ module Google
         #     Immutable. The period of time that versions of this key spend in the
         #     {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::DESTROY_SCHEDULED DESTROY_SCHEDULED}
         #     state before transitioning to
-        #     {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::DESTROYED DESTROYED}. If not
-        #     specified at creation time, the default duration is 24 hours.
+        #     {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::DESTROYED DESTROYED}.
+        #     If not specified at creation time, the default duration is 24 hours.
+        # @!attribute [rw] crypto_key_backend
+        #   @return [::String]
+        #     Immutable. The resource name of the backend environment where the key
+        #     material for all {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersions}
+        #     associated with this {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} reside and
+        #     where all related cryptographic operations are performed. Only applicable
+        #     if {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersions} have a
+        #     {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} of
+        #     [EXTERNAL_VPC][CryptoKeyVersion.ProtectionLevel.EXTERNAL_VPC], with the
+        #     resource name in the format `projects/*/locations/*/ekmConnections/*`.
+        #     Note, this list is non-exhaustive and may apply to additional
+        #     {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevels} in the future.
         class CryptoKey
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -120,50 +150,63 @@ module Google
             extend ::Google::Protobuf::MessageExts::ClassMethods
           end
 
-          # {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose CryptoKeyPurpose} describes the cryptographic capabilities of a
-          # {::Google::Cloud::Kms::V1::CryptoKey CryptoKey}. A given key can only be used for the operations allowed by
-          # its purpose. For more information, see
-          # [Key purposes](https://cloud.google.com/kms/docs/algorithms#key_purposes).
+          # {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose CryptoKeyPurpose}
+          # describes the cryptographic capabilities of a
+          # {::Google::Cloud::Kms::V1::CryptoKey CryptoKey}. A given key can only be used
+          # for the operations allowed by its purpose. For more information, see [Key
+          # purposes](https://cloud.google.com/kms/docs/algorithms#key_purposes).
           module CryptoKeyPurpose
             # Not specified.
             CRYPTO_KEY_PURPOSE_UNSPECIFIED = 0
 
-            # {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used with
-            # {::Google::Cloud::Kms::V1::KeyManagementService::Client#encrypt Encrypt} and
+            # {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used
+            # with {::Google::Cloud::Kms::V1::KeyManagementService::Client#encrypt Encrypt} and
             # {::Google::Cloud::Kms::V1::KeyManagementService::Client#decrypt Decrypt}.
             ENCRYPT_DECRYPT = 1
 
-            # {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used with
-            # {::Google::Cloud::Kms::V1::KeyManagementService::Client#asymmetric_sign AsymmetricSign} and
+            # {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used
+            # with
+            # {::Google::Cloud::Kms::V1::KeyManagementService::Client#asymmetric_sign AsymmetricSign}
+            # and
             # {::Google::Cloud::Kms::V1::KeyManagementService::Client#get_public_key GetPublicKey}.
             ASYMMETRIC_SIGN = 5
 
-            # {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used with
-            # {::Google::Cloud::Kms::V1::KeyManagementService::Client#asymmetric_decrypt AsymmetricDecrypt} and
+            # {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used
+            # with
+            # {::Google::Cloud::Kms::V1::KeyManagementService::Client#asymmetric_decrypt AsymmetricDecrypt}
+            # and
             # {::Google::Cloud::Kms::V1::KeyManagementService::Client#get_public_key GetPublicKey}.
             ASYMMETRIC_DECRYPT = 6
 
-            # {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used with
-            # {::Google::Cloud::Kms::V1::KeyManagementService::Client#mac_sign MacSign}.
+            # {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used
+            # with {::Google::Cloud::Kms::V1::KeyManagementService::Client#mac_sign MacSign}.
             MAC = 9
           end
         end
 
-        # A {::Google::Cloud::Kms::V1::CryptoKeyVersionTemplate CryptoKeyVersionTemplate} specifies the properties to use when creating
-        # a new {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}, either manually with
-        # {::Google::Cloud::Kms::V1::KeyManagementService::Client#create_crypto_key_version CreateCryptoKeyVersion} or
-        # automatically as a result of auto-rotation.
+        # A {::Google::Cloud::Kms::V1::CryptoKeyVersionTemplate CryptoKeyVersionTemplate}
+        # specifies the properties to use when creating a new
+        # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}, either manually
+        # with
+        # {::Google::Cloud::Kms::V1::KeyManagementService::Client#create_crypto_key_version CreateCryptoKeyVersion}
+        # or automatically as a result of auto-rotation.
         # @!attribute [rw] protection_level
         #   @return [::Google::Cloud::Kms::V1::ProtectionLevel]
-        #     {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} to use when creating a {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} based on
-        #     this template. Immutable. Defaults to {::Google::Cloud::Kms::V1::ProtectionLevel::SOFTWARE SOFTWARE}.
+        #     {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} to use when creating
+        #     a {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} based on this
+        #     template. Immutable. Defaults to
+        #     {::Google::Cloud::Kms::V1::ProtectionLevel::SOFTWARE SOFTWARE}.
         # @!attribute [rw] algorithm
         #   @return [::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm]
-        #     Required. {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm Algorithm} to use
-        #     when creating a {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} based on this template.
+        #     Required.
+        #     {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm Algorithm}
+        #     to use when creating a
+        #     {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} based on this
+        #     template.
         #
         #     For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
-        #     this field is omitted and {::Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey.purpose} is
+        #     this field is omitted and
+        #     {::Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey.purpose} is
         #     {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT}.
         class CryptoKeyVersionTemplate
           include ::Google::Protobuf::MessageExts
@@ -180,10 +223,30 @@ module Google
         #   @return [::String]
         #     Output only. The attestation data provided by the HSM when the key
         #     operation was performed.
+        # @!attribute [r] cert_chains
+        #   @return [::Google::Cloud::Kms::V1::KeyOperationAttestation::CertificateChains]
+        #     Output only. The certificate chains needed to validate the attestation
         class KeyOperationAttestation
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
 
+          # Certificate chains needed to verify the attestation.
+          # Certificates in chains are PEM-encoded and are ordered based on
+          # https://tools.ietf.org/html/rfc5246#section-7.4.2.
+          # @!attribute [rw] cavium_certs
+          #   @return [::Array<::String>]
+          #     Cavium certificate chain corresponding to the attestation.
+          # @!attribute [rw] google_card_certs
+          #   @return [::Array<::String>]
+          #     Google card certificate chain corresponding to the attestation.
+          # @!attribute [rw] google_partition_certs
+          #   @return [::Array<::String>]
+          #     Google partition certificate chain corresponding to the attestation.
+          class CertificateChains
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+          end
+
           # Attestation formats provided by the HSM.
           module AttestationFormat
             # Not specified.
@@ -199,91 +262,111 @@ module Google
           end
         end
 
-        # A {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} represents an individual cryptographic key, and the
-        # associated key material.
+        # A {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} represents an
+        # individual cryptographic key, and the associated key material.
         #
-        # An {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED} version can be
-        # used for cryptographic operations.
+        # An
+        # {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED}
+        # version can be used for cryptographic operations.
         #
         # For security reasons, the raw cryptographic key material represented by a
-        # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} can never be viewed or exported. It can only be used to
-        # encrypt, decrypt, or sign data when an authorized user or application invokes
-        # Cloud KMS.
+        # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} can never be viewed
+        # or exported. It can only be used to encrypt, decrypt, or sign data when an
+        # authorized user or application invokes Cloud KMS.
         # @!attribute [r] name
         #   @return [::String]
-        #     Output only. The resource name for this {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} in the format
+        #     Output only. The resource name for this
+        #     {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} in the format
         #     `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
         # @!attribute [rw] state
         #   @return [::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState]
-        #     The current state of the {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}.
+        #     The current state of the
+        #     {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}.
         # @!attribute [r] protection_level
         #   @return [::Google::Cloud::Kms::V1::ProtectionLevel]
-        #     Output only. The {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} describing how crypto operations are
-        #     performed with this {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}.
+        #     Output only. The {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel}
+        #     describing how crypto operations are performed with this
+        #     {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}.
         # @!attribute [r] algorithm
         #   @return [::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm]
-        #     Output only. The {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm CryptoKeyVersionAlgorithm} that this
-        #     {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} supports.
+        #     Output only. The
+        #     {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm CryptoKeyVersionAlgorithm}
+        #     that this {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}
+        #     supports.
         # @!attribute [r] attestation
         #   @return [::Google::Cloud::Kms::V1::KeyOperationAttestation]
         #     Output only. Statement that was generated and signed by the HSM at key
         #     creation time. Use this statement to verify attributes of the key as stored
         #     on the HSM, independently of Google. Only provided for key versions with
-        #     {::Google::Cloud::Kms::V1::CryptoKeyVersion#protection_level protection_level} {::Google::Cloud::Kms::V1::ProtectionLevel::HSM HSM}.
+        #     {::Google::Cloud::Kms::V1::CryptoKeyVersion#protection_level protection_level}
+        #     {::Google::Cloud::Kms::V1::ProtectionLevel::HSM HSM}.
         # @!attribute [r] create_time
         #   @return [::Google::Protobuf::Timestamp]
-        #     Output only. The time at which this {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} was created.
+        #     Output only. The time at which this
+        #     {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} was created.
         # @!attribute [r] generate_time
         #   @return [::Google::Protobuf::Timestamp]
-        #     Output only. The time this {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}'s key material was
+        #     Output only. The time this
+        #     {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}'s key material was
         #     generated.
         # @!attribute [r] destroy_time
         #   @return [::Google::Protobuf::Timestamp]
-        #     Output only. The time this {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}'s key material is scheduled
-        #     for destruction. Only present if {::Google::Cloud::Kms::V1::CryptoKeyVersion#state state} is
+        #     Output only. The time this
+        #     {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}'s key material is
+        #     scheduled for destruction. Only present if
+        #     {::Google::Cloud::Kms::V1::CryptoKeyVersion#state state} is
         #     {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::DESTROY_SCHEDULED DESTROY_SCHEDULED}.
         # @!attribute [r] destroy_event_time
         #   @return [::Google::Protobuf::Timestamp]
         #     Output only. The time this CryptoKeyVersion's key material was
-        #     destroyed. Only present if {::Google::Cloud::Kms::V1::CryptoKeyVersion#state state} is
+        #     destroyed. Only present if
+        #     {::Google::Cloud::Kms::V1::CryptoKeyVersion#state state} is
         #     {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::DESTROYED DESTROYED}.
         # @!attribute [r] import_job
         #   @return [::String]
-        #     Output only. The name of the {::Google::Cloud::Kms::V1::ImportJob ImportJob} used in the most recent import of this
-        #     {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}. Only present if the underlying key material was
-        #     imported.
+        #     Output only. The name of the {::Google::Cloud::Kms::V1::ImportJob ImportJob}
+        #     used in the most recent import of this
+        #     {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}. Only present if
+        #     the underlying key material was imported.
         # @!attribute [r] import_time
         #   @return [::Google::Protobuf::Timestamp]
-        #     Output only. The time at which this {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}'s key material
-        #     was most recently imported.
+        #     Output only. The time at which this
+        #     {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}'s key material was
+        #     most recently imported.
         # @!attribute [r] import_failure_reason
         #   @return [::String]
-        #     Output only. The root cause of the most recent import failure. Only present if
-        #     {::Google::Cloud::Kms::V1::CryptoKeyVersion#state state} is
+        #     Output only. The root cause of the most recent import failure. Only present
+        #     if {::Google::Cloud::Kms::V1::CryptoKeyVersion#state state} is
         #     {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::IMPORT_FAILED IMPORT_FAILED}.
         # @!attribute [rw] external_protection_level_options
         #   @return [::Google::Cloud::Kms::V1::ExternalProtectionLevelOptions]
         #     ExternalProtectionLevelOptions stores a group of additional fields for
-        #     configuring a {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} that are specific to the
-        #     {::Google::Cloud::Kms::V1::ProtectionLevel::EXTERNAL EXTERNAL} protection level.
+        #     configuring a {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} that
+        #     are specific to the
+        #     {::Google::Cloud::Kms::V1::ProtectionLevel::EXTERNAL EXTERNAL} protection level
+        #     and {::Google::Cloud::Kms::V1::ProtectionLevel::EXTERNAL_VPC EXTERNAL_VPC}
+        #     protection levels.
         # @!attribute [r] reimport_eligible
         #   @return [::Boolean]
-        #     Output only. Whether or not this key version is eligible for reimport, by being
-        #     specified as a target in
+        #     Output only. Whether or not this key version is eligible for reimport, by
+        #     being specified as a target in
         #     {::Google::Cloud::Kms::V1::ImportCryptoKeyVersionRequest#crypto_key_version ImportCryptoKeyVersionRequest.crypto_key_version}.
         class CryptoKeyVersion
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
 
-          # The algorithm of the {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}, indicating what
+          # The algorithm of the
+          # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}, indicating what
           # parameters must be used for each cryptographic operation.
           #
           # The
           # {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm::GOOGLE_SYMMETRIC_ENCRYPTION GOOGLE_SYMMETRIC_ENCRYPTION}
-          # algorithm is usable with {::Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey.purpose}
+          # algorithm is usable with
+          # {::Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey.purpose}
           # {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT}.
           #
-          # Algorithms beginning with "RSA_SIGN_" are usable with {::Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey.purpose}
+          # Algorithms beginning with "RSA_SIGN_" are usable with
+          # {::Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey.purpose}
           # {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ASYMMETRIC_SIGN ASYMMETRIC_SIGN}.
           #
           # The fields in the name after "RSA_SIGN_" correspond to the following
@@ -301,13 +384,15 @@ module Google
           # The fields in the name after "RSA_DECRYPT_" correspond to the following
           # parameters: padding algorithm, modulus bit length, and digest algorithm.
           #
-          # Algorithms beginning with "EC_SIGN_" are usable with {::Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey.purpose}
+          # Algorithms beginning with "EC_SIGN_" are usable with
+          # {::Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey.purpose}
           # {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ASYMMETRIC_SIGN ASYMMETRIC_SIGN}.
           #
           # The fields in the name after "EC_SIGN_" correspond to the following
           # parameters: elliptic curve, digest algorithm.
           #
-          # Algorithms beginning with "HMAC_" are usable with {::Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey.purpose}
+          # Algorithms beginning with "HMAC_" are usable with
+          # {::Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey.purpose}
           # {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::MAC MAC}.
           #
           # The suffix following "HMAC_" corresponds to the hash algorithm being used
@@ -393,39 +478,50 @@ module Google
             EXTERNAL_SYMMETRIC_ENCRYPTION = 18
           end
 
-          # The state of a {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}, indicating if it can be used.
+          # The state of a {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion},
+          # indicating if it can be used.
           module CryptoKeyVersionState
             # Not specified.
             CRYPTO_KEY_VERSION_STATE_UNSPECIFIED = 0
 
             # This version is still being generated. It may not be used, enabled,
             # disabled, or destroyed yet. Cloud KMS will automatically mark this
-            # version {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED} as soon as the version is ready.
+            # version
+            # {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED}
+            # as soon as the version is ready.
             PENDING_GENERATION = 5
 
             # This version may be used for cryptographic operations.
             ENABLED = 1
 
             # This version may not be used, but the key material is still available,
-            # and the version can be placed back into the {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED} state.
+            # and the version can be placed back into the
+            # {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED}
+            # state.
             DISABLED = 2
 
             # This version is destroyed, and the key material is no longer stored.
-            # This version may only become {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED} again if this version is
-            # {::Google::Cloud::Kms::V1::CryptoKeyVersion#reimport_eligible reimport_eligible} and the original
-            # key material is reimported with a call to
+            # This version may only become
+            # {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED}
+            # again if this version is
+            # {::Google::Cloud::Kms::V1::CryptoKeyVersion#reimport_eligible reimport_eligible}
+            # and the original key material is reimported with a call to
             # {::Google::Cloud::Kms::V1::KeyManagementService::Client#import_crypto_key_version KeyManagementService.ImportCryptoKeyVersion}.
             DESTROYED = 3
 
             # This version is scheduled for destruction, and will be destroyed soon.
             # Call
             # {::Google::Cloud::Kms::V1::KeyManagementService::Client#restore_crypto_key_version RestoreCryptoKeyVersion}
-            # to put it back into the {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::DISABLED DISABLED} state.
+            # to put it back into the
+            # {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::DISABLED DISABLED}
+            # state.
             DESTROY_SCHEDULED = 4
 
             # This version is still being imported. It may not be used, enabled,
             # disabled, or destroyed yet. Cloud KMS will automatically mark this
-            # version {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED} as soon as the version is ready.
+            # version
+            # {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED}
+            # as soon as the version is ready.
             PENDING_IMPORT = 6
 
             # This version was not imported successfully. It may not be used, enabled,
@@ -435,22 +531,28 @@ module Google
             IMPORT_FAILED = 7
           end
 
-          # A view for {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}s. Controls the level of detail returned
-          # for {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersions} in
-          # {::Google::Cloud::Kms::V1::KeyManagementService::Client#list_crypto_key_versions KeyManagementService.ListCryptoKeyVersions} and
+          # A view for {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}s.
+          # Controls the level of detail returned for
+          # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersions} in
+          # {::Google::Cloud::Kms::V1::KeyManagementService::Client#list_crypto_key_versions KeyManagementService.ListCryptoKeyVersions}
+          # and
           # {::Google::Cloud::Kms::V1::KeyManagementService::Client#list_crypto_keys KeyManagementService.ListCryptoKeys}.
           module CryptoKeyVersionView
-            # Default view for each {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}. Does not include
-            # the {::Google::Cloud::Kms::V1::CryptoKeyVersion#attestation attestation} field.
+            # Default view for each
+            # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}. Does not
+            # include the
+            # {::Google::Cloud::Kms::V1::CryptoKeyVersion#attestation attestation} field.
             CRYPTO_KEY_VERSION_VIEW_UNSPECIFIED = 0
 
-            # Provides all fields in each {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}, including the
+            # Provides all fields in each
+            # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}, including the
             # {::Google::Cloud::Kms::V1::CryptoKeyVersion#attestation attestation}.
             FULL = 1
           end
         end
 
-        # The public key for a given {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}. Obtained via
+        # The public key for a given
+        # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}. Obtained via
         # {::Google::Cloud::Kms::V1::KeyManagementService::Client#get_public_key GetPublicKey}.
         # @!attribute [rw] pem
         #   @return [::String]
@@ -461,17 +563,19 @@ module Google
         #     (https://tools.ietf.org/html/rfc7468#section-13).
         # @!attribute [rw] algorithm
         #   @return [::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm]
-        #     The {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm Algorithm} associated
-        #     with this key.
+        #     The
+        #     {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm Algorithm}
+        #     associated with this key.
         # @!attribute [rw] pem_crc32c
         #   @return [::Google::Protobuf::Int64Value]
         #     Integrity verification field. A CRC32C checksum of the returned
-        #     {::Google::Cloud::Kms::V1::PublicKey#pem PublicKey.pem}. An integrity check of {::Google::Cloud::Kms::V1::PublicKey#pem PublicKey.pem} can be performed
-        #     by computing the CRC32C checksum of {::Google::Cloud::Kms::V1::PublicKey#pem PublicKey.pem} and
-        #     comparing your results to this field. Discard the response in case of
-        #     non-matching checksum values, and perform a limited number of retries. A
-        #     persistent mismatch may indicate an issue in your computation of the CRC32C
-        #     checksum.
+        #     {::Google::Cloud::Kms::V1::PublicKey#pem PublicKey.pem}. An integrity check of
+        #     {::Google::Cloud::Kms::V1::PublicKey#pem PublicKey.pem} can be performed by
+        #     computing the CRC32C checksum of
+        #     {::Google::Cloud::Kms::V1::PublicKey#pem PublicKey.pem} and comparing your
+        #     results to this field. Discard the response in case of non-matching
+        #     checksum values, and perform a limited number of retries. A persistent
+        #     mismatch may indicate an issue in your computation of the CRC32C checksum.
         #     Note: This field is defined as int64 for reasons of compatibility across
         #     different languages. However, it is a non-negative integer, which will
         #     never exceed 2^32-1, and can be safely downconverted to uint32 in languages
@@ -480,76 +584,92 @@ module Google
         #     NOTE: This field is in Beta.
         # @!attribute [rw] name
         #   @return [::String]
-        #     The {::Google::Cloud::Kms::V1::CryptoKeyVersion#name name} of the {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} public key.
+        #     The {::Google::Cloud::Kms::V1::CryptoKeyVersion#name name} of the
+        #     {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} public key.
         #     Provided here for verification.
         #
         #     NOTE: This field is in Beta.
         # @!attribute [rw] protection_level
         #   @return [::Google::Cloud::Kms::V1::ProtectionLevel]
-        #     The {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} of the {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} public key.
+        #     The {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} of the
+        #     {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} public key.
         class PublicKey
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
         end
 
-        # An {::Google::Cloud::Kms::V1::ImportJob ImportJob} can be used to create {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} and
-        # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersions} using pre-existing key material,
-        # generated outside of Cloud KMS.
+        # An {::Google::Cloud::Kms::V1::ImportJob ImportJob} can be used to create
+        # {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} and
+        # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersions} using pre-existing
+        # key material, generated outside of Cloud KMS.
         #
-        # When an {::Google::Cloud::Kms::V1::ImportJob ImportJob} is created, Cloud KMS will generate a "wrapping key",
-        # which is a public/private key pair. You use the wrapping key to encrypt (also
-        # known as wrap) the pre-existing key material to protect it during the import
-        # process. The nature of the wrapping key depends on the choice of
-        # {::Google::Cloud::Kms::V1::ImportJob#import_method import_method}. When the wrapping key generation
-        # is complete, the {::Google::Cloud::Kms::V1::ImportJob#state state} will be set to
-        # {::Google::Cloud::Kms::V1::ImportJob::ImportJobState::ACTIVE ACTIVE} and the {::Google::Cloud::Kms::V1::ImportJob#public_key public_key}
-        # can be fetched. The fetched public key can then be used to wrap your
-        # pre-existing key material.
+        # When an {::Google::Cloud::Kms::V1::ImportJob ImportJob} is created, Cloud KMS will
+        # generate a "wrapping key", which is a public/private key pair. You use the
+        # wrapping key to encrypt (also known as wrap) the pre-existing key material to
+        # protect it during the import process. The nature of the wrapping key depends
+        # on the choice of
+        # {::Google::Cloud::Kms::V1::ImportJob#import_method import_method}. When the
+        # wrapping key generation is complete, the
+        # {::Google::Cloud::Kms::V1::ImportJob#state state} will be set to
+        # {::Google::Cloud::Kms::V1::ImportJob::ImportJobState::ACTIVE ACTIVE} and the
+        # {::Google::Cloud::Kms::V1::ImportJob#public_key public_key} can be fetched. The
+        # fetched public key can then be used to wrap your pre-existing key material.
         #
         # Once the key material is wrapped, it can be imported into a new
-        # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} in an existing {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} by calling
+        # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} in an existing
+        # {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} by calling
         # {::Google::Cloud::Kms::V1::KeyManagementService::Client#import_crypto_key_version ImportCryptoKeyVersion}.
-        # Multiple {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersions} can be imported with a single
-        # {::Google::Cloud::Kms::V1::ImportJob ImportJob}. Cloud KMS uses the private key portion of the wrapping key to
-        # unwrap the key material. Only Cloud KMS has access to the private key.
+        # Multiple {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersions} can be
+        # imported with a single {::Google::Cloud::Kms::V1::ImportJob ImportJob}. Cloud KMS
+        # uses the private key portion of the wrapping key to unwrap the key material.
+        # Only Cloud KMS has access to the private key.
         #
-        # An {::Google::Cloud::Kms::V1::ImportJob ImportJob} expires 3 days after it is created. Once expired, Cloud KMS
-        # will no longer be able to import or unwrap any key material that was wrapped
-        # with the {::Google::Cloud::Kms::V1::ImportJob ImportJob}'s public key.
+        # An {::Google::Cloud::Kms::V1::ImportJob ImportJob} expires 3 days after it is
+        # created. Once expired, Cloud KMS will no longer be able to import or unwrap
+        # any key material that was wrapped with the
+        # {::Google::Cloud::Kms::V1::ImportJob ImportJob}'s public key.
         #
         # For more information, see
         # [Importing a key](https://cloud.google.com/kms/docs/importing-a-key).
         # @!attribute [r] name
         #   @return [::String]
-        #     Output only. The resource name for this {::Google::Cloud::Kms::V1::ImportJob ImportJob} in the format
+        #     Output only. The resource name for this
+        #     {::Google::Cloud::Kms::V1::ImportJob ImportJob} in the format
         #     `projects/*/locations/*/keyRings/*/importJobs/*`.
         # @!attribute [rw] import_method
         #   @return [::Google::Cloud::Kms::V1::ImportJob::ImportMethod]
-        #     Required. Immutable. The wrapping method to be used for incoming key material.
+        #     Required. Immutable. The wrapping method to be used for incoming key
+        #     material.
         # @!attribute [rw] protection_level
         #   @return [::Google::Cloud::Kms::V1::ProtectionLevel]
-        #     Required. Immutable. The protection level of the {::Google::Cloud::Kms::V1::ImportJob ImportJob}. This must match the
-        #     {::Google::Cloud::Kms::V1::CryptoKeyVersionTemplate#protection_level protection_level} of the
-        #     {::Google::Cloud::Kms::V1::CryptoKey#version_template version_template} on the {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} you
-        #     attempt to import into.
+        #     Required. Immutable. The protection level of the
+        #     {::Google::Cloud::Kms::V1::ImportJob ImportJob}. This must match the
+        #     {::Google::Cloud::Kms::V1::CryptoKeyVersionTemplate#protection_level protection_level}
+        #     of the {::Google::Cloud::Kms::V1::CryptoKey#version_template version_template}
+        #     on the {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} you attempt to import
+        #     into.
         # @!attribute [r] create_time
         #   @return [::Google::Protobuf::Timestamp]
-        #     Output only. The time at which this {::Google::Cloud::Kms::V1::ImportJob ImportJob} was created.
+        #     Output only. The time at which this
+        #     {::Google::Cloud::Kms::V1::ImportJob ImportJob} was created.
         # @!attribute [r] generate_time
         #   @return [::Google::Protobuf::Timestamp]
-        #     Output only. The time this {::Google::Cloud::Kms::V1::ImportJob ImportJob}'s key material was generated.
+        #     Output only. The time this {::Google::Cloud::Kms::V1::ImportJob ImportJob}'s key
+        #     material was generated.
         # @!attribute [r] expire_time
         #   @return [::Google::Protobuf::Timestamp]
-        #     Output only. The time at which this {::Google::Cloud::Kms::V1::ImportJob ImportJob} is scheduled for
-        #     expiration and can no longer be used to import key material.
+        #     Output only. The time at which this
+        #     {::Google::Cloud::Kms::V1::ImportJob ImportJob} is scheduled for expiration and
+        #     can no longer be used to import key material.
         # @!attribute [r] expire_event_time
         #   @return [::Google::Protobuf::Timestamp]
-        #     Output only. The time this {::Google::Cloud::Kms::V1::ImportJob ImportJob} expired. Only present if
-        #     {::Google::Cloud::Kms::V1::ImportJob#state state} is {::Google::Cloud::Kms::V1::ImportJob::ImportJobState::EXPIRED EXPIRED}.
+        #     Output only. The time this {::Google::Cloud::Kms::V1::ImportJob ImportJob}
+        #     expired. Only present if {::Google::Cloud::Kms::V1::ImportJob#state state} is
+        #     {::Google::Cloud::Kms::V1::ImportJob::ImportJobState::EXPIRED EXPIRED}.
         # @!attribute [r] state
         #   @return [::Google::Cloud::Kms::V1::ImportJob::ImportJobState]
-        #     Output only. The current state of the {::Google::Cloud::Kms::V1::ImportJob ImportJob}, indicating if it can
-        #     be used.
+        #     Output only. The current state of the
+        #     {::Google::Cloud::Kms::V1::ImportJob ImportJob}, indicating if it can be used.
         # @!attribute [r] public_key
         #   @return [::Google::Cloud::Kms::V1::ImportJob::WrappingPublicKey]
         #     Output only. The public key with which to wrap key material prior to
@@ -560,14 +680,16 @@ module Google
         #     Output only. Statement that was generated and signed by the key creator
         #     (for example, an HSM) at key creation time. Use this statement to verify
         #     attributes of the key as stored on the HSM, independently of Google.
-        #     Only present if the chosen {::Google::Cloud::Kms::V1::ImportJob::ImportMethod ImportMethod} is one with a protection
-        #     level of {::Google::Cloud::Kms::V1::ProtectionLevel::HSM HSM}.
+        #     Only present if the chosen
+        #     {::Google::Cloud::Kms::V1::ImportJob::ImportMethod ImportMethod} is one with a
+        #     protection level of {::Google::Cloud::Kms::V1::ProtectionLevel::HSM HSM}.
         class ImportJob
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
 
           # The public key component of the wrapping key. For details of the type of
-          # key this public key corresponds to, see the {::Google::Cloud::Kms::V1::ImportJob::ImportMethod ImportMethod}.
+          # key this public key corresponds to, see the
+          # {::Google::Cloud::Kms::V1::ImportJob::ImportMethod ImportMethod}.
           # @!attribute [rw] pem
           #   @return [::String]
           #     The public key, encoded in PEM format. For more information, see the [RFC
@@ -580,7 +702,8 @@ module Google
             extend ::Google::Protobuf::MessageExts::ClassMethods
           end
 
-          # {::Google::Cloud::Kms::V1::ImportJob::ImportMethod ImportMethod} describes the key wrapping method chosen for this
+          # {::Google::Cloud::Kms::V1::ImportJob::ImportMethod ImportMethod} describes the
+          # key wrapping method chosen for this
           # {::Google::Cloud::Kms::V1::ImportJob ImportJob}.
           module ImportMethod
             # Not specified.
@@ -603,18 +726,21 @@ module Google
             RSA_OAEP_4096_SHA1_AES_256 = 2
           end
 
-          # The state of the {::Google::Cloud::Kms::V1::ImportJob ImportJob}, indicating if it can be used.
+          # The state of the {::Google::Cloud::Kms::V1::ImportJob ImportJob}, indicating if
+          # it can be used.
           module ImportJobState
             # Not specified.
             IMPORT_JOB_STATE_UNSPECIFIED = 0
 
             # The wrapping key for this job is still being generated. It may not be
             # used. Cloud KMS will automatically mark this job as
-            # {::Google::Cloud::Kms::V1::ImportJob::ImportJobState::ACTIVE ACTIVE} as soon as the wrapping key is generated.
+            # {::Google::Cloud::Kms::V1::ImportJob::ImportJobState::ACTIVE ACTIVE} as soon as
+            # the wrapping key is generated.
             PENDING_GENERATION = 1
 
             # This job may be used in
-            # {::Google::Cloud::Kms::V1::KeyManagementService::Client#create_crypto_key CreateCryptoKey} and
+            # {::Google::Cloud::Kms::V1::KeyManagementService::Client#create_crypto_key CreateCryptoKey}
+            # and
             # {::Google::Cloud::Kms::V1::KeyManagementService::Client#create_crypto_key_version CreateCryptoKeyVersion}
             # requests.
             ACTIVE = 2
@@ -625,19 +751,29 @@ module Google
         end
 
         # ExternalProtectionLevelOptions stores a group of additional fields for
-        # configuring a {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} that are specific to the
-        # {::Google::Cloud::Kms::V1::ProtectionLevel::EXTERNAL EXTERNAL} protection level.
+        # configuring a {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} that
+        # are specific to the {::Google::Cloud::Kms::V1::ProtectionLevel::EXTERNAL EXTERNAL}
+        # protection level and
+        # {::Google::Cloud::Kms::V1::ProtectionLevel::EXTERNAL_VPC EXTERNAL_VPC} protection
+        # levels.
         # @!attribute [rw] external_key_uri
         #   @return [::String]
-        #     The URI for an external resource that this {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} represents.
+        #     The URI for an external resource that this
+        #     {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} represents.
+        # @!attribute [rw] ekm_connection_key_path
+        #   @return [::String]
+        #     The path to the external key material on the EKM when using
+        #     {::Google::Cloud::Kms::V1::EkmConnection EkmConnection} e.g., "v0/my/key". Set
+        #     this field instead of external_key_uri when using an
+        #     {::Google::Cloud::Kms::V1::EkmConnection EkmConnection}.
         class ExternalProtectionLevelOptions
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
         end
 
-        # {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} specifies how cryptographic operations are performed.
-        # For more information, see [Protection levels]
-        # (https://cloud.google.com/kms/docs/algorithms#protection_levels).
+        # {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} specifies how
+        # cryptographic operations are performed. For more information, see [Protection
+        # levels] (https://cloud.google.com/kms/docs/algorithms#protection_levels).
         module ProtectionLevel
           # Not specified.
           PROTECTION_LEVEL_UNSPECIFIED = 0
@@ -650,6 +786,9 @@ module Google
 
           # Crypto operations are performed by an external key manager.
           EXTERNAL = 3
+
+          # Crypto operations are performed in an EKM-over-VPC backend.
+          EXTERNAL_VPC = 4
         end
       end
     end