google-cloud-kms-v1 0.10.2 → 0.13.0
- checksums.yaml +4 -4
- data/AUTHENTICATION.md +6 -6
- data/README.md +14 -9
- data/lib/google/cloud/kms/v1/ekm_service/client.rb +731 -0
- data/lib/google/cloud/kms/v1/ekm_service/credentials.rb +52 -0
- data/lib/google/cloud/kms/v1/ekm_service/paths.rb +90 -0
- data/lib/google/cloud/kms/v1/ekm_service.rb +53 -0
- data/lib/google/cloud/kms/v1/ekm_service_pb.rb +80 -0
- data/lib/google/cloud/kms/v1/ekm_service_services_pb.rb +57 -0
- data/lib/google/cloud/kms/v1/iam_policy/client.rb +13 -4
- data/lib/google/cloud/kms/v1/iam_policy.rb +2 -1
- data/lib/google/cloud/kms/v1/key_management_service/client.rb +427 -276
- data/lib/google/cloud/kms/v1/resources_pb.rb +12 -2
- data/lib/google/cloud/kms/v1/service_pb.rb +2 -1
- data/lib/google/cloud/kms/v1/service_services_pb.rb +84 -48
- data/lib/google/cloud/kms/v1/version.rb +1 -1
- data/lib/google/cloud/kms/v1.rb +4 -1
- data/proto_docs/google/cloud/kms/v1/ekm_service.rb +226 -0
- data/proto_docs/google/cloud/kms/v1/resources.rb +299 -160
- data/proto_docs/google/cloud/kms/v1/service.rb +653 -412
- data/proto_docs/google/iam/v1/iam_policy.rb +8 -1
- data/proto_docs/google/iam/v1/options.rb +14 -4
- data/proto_docs/google/iam/v1/policy.rb +208 -38
- metadata +23 -22
@@ -21,78 +21,96 @@ module Google
|
|
21
21
|
module Cloud
|
22
22
|
module Kms
|
23
23
|
module V1
|
24
|
-
# A {::Google::Cloud::Kms::V1::KeyRing KeyRing} is a toplevel logical grouping of
|
24
|
+
# A {::Google::Cloud::Kms::V1::KeyRing KeyRing} is a toplevel logical grouping of
|
25
|
+
# {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys}.
|
25
26
|
# @!attribute [r] name
|
26
27
|
# @return [::String]
|
27
|
-
# Output only. The resource name for the
|
28
|
+
# Output only. The resource name for the
|
29
|
+
# {::Google::Cloud::Kms::V1::KeyRing KeyRing} in the format
|
28
30
|
# `projects/*/locations/*/keyRings/*`.
|
29
31
|
# @!attribute [r] create_time
|
30
32
|
# @return [::Google::Protobuf::Timestamp]
|
31
|
-
# Output only. The time at which this {::Google::Cloud::Kms::V1::KeyRing KeyRing}
|
33
|
+
# Output only. The time at which this {::Google::Cloud::Kms::V1::KeyRing KeyRing}
|
34
|
+
# was created.
|
32
35
|
class KeyRing
|
33
36
|
include ::Google::Protobuf::MessageExts
|
34
37
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
35
38
|
end
|
36
39
|
|
37
|
-
# A {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} represents a logical key that
|
38
|
-
# operations.
|
40
|
+
# A {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} represents a logical key that
|
41
|
+
# can be used for cryptographic operations.
|
39
42
|
#
|
40
|
-
# A {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} is made up of zero or more
|
41
|
-
# which represent the actual
|
43
|
+
# A {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} is made up of zero or more
|
44
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion versions}, which represent the actual
|
45
|
+
# key material used in cryptographic operations.
|
42
46
|
# @!attribute [r] name
|
43
47
|
# @return [::String]
|
44
|
-
# Output only. The resource name for this
|
48
|
+
# Output only. The resource name for this
|
49
|
+
# {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} in the format
|
45
50
|
# `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
|
46
51
|
# @!attribute [r] primary
|
47
52
|
# @return [::Google::Cloud::Kms::V1::CryptoKeyVersion]
|
48
|
-
# Output only. A copy of the "primary"
|
49
|
-
#
|
50
|
-
#
|
53
|
+
# Output only. A copy of the "primary"
|
54
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} that will be used
|
55
|
+
# by {::Google::Cloud::Kms::V1::KeyManagementService::Client#encrypt Encrypt} when this
|
56
|
+
# {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} is given in
|
57
|
+
# {::Google::Cloud::Kms::V1::EncryptRequest#name EncryptRequest.name}.
|
51
58
|
#
|
52
|
-
# The {::Google::Cloud::Kms::V1::CryptoKey CryptoKey}'s primary version can be
|
59
|
+
# The {::Google::Cloud::Kms::V1::CryptoKey CryptoKey}'s primary version can be
|
60
|
+
# updated via
|
53
61
|
# {::Google::Cloud::Kms::V1::KeyManagementService::Client#update_crypto_key_primary_version UpdateCryptoKeyPrimaryVersion}.
|
54
62
|
#
|
55
63
|
# Keys with {::Google::Cloud::Kms::V1::CryptoKey#purpose purpose}
|
56
|
-
# {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT}
|
57
|
-
# primary. For other keys, this field will be omitted.
|
64
|
+
# {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT}
|
65
|
+
# may have a primary. For other keys, this field will be omitted.
|
58
66
|
# @!attribute [rw] purpose
|
59
67
|
# @return [::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose]
|
60
|
-
# Immutable. The immutable purpose of this
|
68
|
+
# Immutable. The immutable purpose of this
|
69
|
+
# {::Google::Cloud::Kms::V1::CryptoKey CryptoKey}.
|
61
70
|
# @!attribute [r] create_time
|
62
71
|
# @return [::Google::Protobuf::Timestamp]
|
63
|
-
# Output only. The time at which this
|
72
|
+
# Output only. The time at which this
|
73
|
+
# {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} was created.
|
64
74
|
# @!attribute [rw] next_rotation_time
|
65
75
|
# @return [::Google::Protobuf::Timestamp]
|
66
|
-
# At {::Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time},
|
76
|
+
# At {::Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time},
|
77
|
+
# the Key Management Service will automatically:
|
67
78
|
#
|
68
79
|
# 1. Create a new version of this {::Google::Cloud::Kms::V1::CryptoKey CryptoKey}.
|
69
80
|
# 2. Mark the new version as primary.
|
70
81
|
#
|
71
82
|
# Key rotations performed manually via
|
72
|
-
# {::Google::Cloud::Kms::V1::KeyManagementService::Client#create_crypto_key_version CreateCryptoKeyVersion}
|
83
|
+
# {::Google::Cloud::Kms::V1::KeyManagementService::Client#create_crypto_key_version CreateCryptoKeyVersion}
|
84
|
+
# and
|
73
85
|
# {::Google::Cloud::Kms::V1::KeyManagementService::Client#update_crypto_key_primary_version UpdateCryptoKeyPrimaryVersion}
|
74
|
-
# do not affect
|
86
|
+
# do not affect
|
87
|
+
# {::Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time}.
|
75
88
|
#
|
76
89
|
# Keys with {::Google::Cloud::Kms::V1::CryptoKey#purpose purpose}
|
77
|
-
# {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT}
|
78
|
-
# automatic rotation. For other keys, this field must be omitted.
|
90
|
+
# {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT}
|
91
|
+
# support automatic rotation. For other keys, this field must be omitted.
|
79
92
|
# @!attribute [rw] rotation_period
|
80
93
|
# @return [::Google::Protobuf::Duration]
|
81
|
-
# {::Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time}
|
82
|
-
#
|
83
|
-
# 876,000 hours.
|
94
|
+
# {::Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time}
|
95
|
+
# will be advanced by this period when the service automatically rotates a
|
96
|
+
# key. Must be at least 24 hours and at most 876,000 hours.
|
84
97
|
#
|
85
|
-
# If {::Google::Cloud::Kms::V1::CryptoKey#rotation_period rotation_period} is
|
98
|
+
# If {::Google::Cloud::Kms::V1::CryptoKey#rotation_period rotation_period} is
|
99
|
+
# set,
|
100
|
+
# {::Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time}
|
101
|
+
# must also be set.
|
86
102
|
#
|
87
103
|
# Keys with {::Google::Cloud::Kms::V1::CryptoKey#purpose purpose}
|
88
|
-
# {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT}
|
89
|
-
# automatic rotation. For other keys, this field must be omitted.
|
104
|
+
# {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT}
|
105
|
+
# support automatic rotation. For other keys, this field must be omitted.
|
90
106
|
# @!attribute [rw] version_template
|
91
107
|
# @return [::Google::Cloud::Kms::V1::CryptoKeyVersionTemplate]
|
92
|
-
# A template describing settings for new
|
93
|
-
#
|
94
|
-
# {::Google::Cloud::Kms::V1::
|
95
|
-
#
|
108
|
+
# A template describing settings for new
|
109
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} instances. The
|
110
|
+
# properties of new {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}
|
111
|
+
# instances created by either
|
112
|
+
# {::Google::Cloud::Kms::V1::KeyManagementService::Client#create_crypto_key_version CreateCryptoKeyVersion}
|
113
|
+
# or auto-rotation are controlled by this template.
|
96
114
|
# @!attribute [rw] labels
|
97
115
|
# @return [::Google::Protobuf::Map{::String => ::String}]
|
98
116
|
# Labels with user-defined metadata. For more information, see
|
@@ -105,8 +123,20 @@ module Google
|
|
105
123
|
# Immutable. The period of time that versions of this key spend in the
|
106
124
|
# {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::DESTROY_SCHEDULED DESTROY_SCHEDULED}
|
107
125
|
# state before transitioning to
|
108
|
-
# {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::DESTROYED DESTROYED}.
|
109
|
-
# specified at creation time, the default duration is 24 hours.
|
126
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::DESTROYED DESTROYED}.
|
127
|
+
# If not specified at creation time, the default duration is 24 hours.
|
128
|
+
# @!attribute [rw] crypto_key_backend
|
129
|
+
# @return [::String]
|
130
|
+
# Immutable. The resource name of the backend environment where the key
|
131
|
+
# material for all {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersions}
|
132
|
+
# associated with this {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} reside and
|
133
|
+
# where all related cryptographic operations are performed. Only applicable
|
134
|
+
# if {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersions} have a
|
135
|
+
# {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} of
|
136
|
+
# [EXTERNAL_VPC][CryptoKeyVersion.ProtectionLevel.EXTERNAL_VPC], with the
|
137
|
+
# resource name in the format `projects/*/locations/*/ekmConnections/*`.
|
138
|
+
# Note, this list is non-exhaustive and may apply to additional
|
139
|
+
# {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevels} in the future.
|
110
140
|
class CryptoKey
|
111
141
|
include ::Google::Protobuf::MessageExts
|
112
142
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -120,50 +150,63 @@ module Google
|
|
120
150
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
121
151
|
end
|
122
152
|
|
123
|
-
# {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose CryptoKeyPurpose}
|
124
|
-
#
|
125
|
-
#
|
126
|
-
# [Key
|
153
|
+
# {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose CryptoKeyPurpose}
|
154
|
+
# describes the cryptographic capabilities of a
|
155
|
+
# {::Google::Cloud::Kms::V1::CryptoKey CryptoKey}. A given key can only be used
|
156
|
+
# for the operations allowed by its purpose. For more information, see [Key
|
157
|
+
# purposes](https://cloud.google.com/kms/docs/algorithms#key_purposes).
|
127
158
|
module CryptoKeyPurpose
|
128
159
|
# Not specified.
|
129
160
|
CRYPTO_KEY_PURPOSE_UNSPECIFIED = 0
|
130
161
|
|
131
|
-
# {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used
|
132
|
-
# {::Google::Cloud::Kms::V1::KeyManagementService::Client#encrypt Encrypt} and
|
162
|
+
# {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used
|
163
|
+
# with {::Google::Cloud::Kms::V1::KeyManagementService::Client#encrypt Encrypt} and
|
133
164
|
# {::Google::Cloud::Kms::V1::KeyManagementService::Client#decrypt Decrypt}.
|
134
165
|
ENCRYPT_DECRYPT = 1
|
135
166
|
|
136
|
-
# {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used
|
137
|
-
#
|
167
|
+
# {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used
|
168
|
+
# with
|
169
|
+
# {::Google::Cloud::Kms::V1::KeyManagementService::Client#asymmetric_sign AsymmetricSign}
|
170
|
+
# and
|
138
171
|
# {::Google::Cloud::Kms::V1::KeyManagementService::Client#get_public_key GetPublicKey}.
|
139
172
|
ASYMMETRIC_SIGN = 5
|
140
173
|
|
141
|
-
# {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used
|
142
|
-
#
|
174
|
+
# {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used
|
175
|
+
# with
|
176
|
+
# {::Google::Cloud::Kms::V1::KeyManagementService::Client#asymmetric_decrypt AsymmetricDecrypt}
|
177
|
+
# and
|
143
178
|
# {::Google::Cloud::Kms::V1::KeyManagementService::Client#get_public_key GetPublicKey}.
|
144
179
|
ASYMMETRIC_DECRYPT = 6
|
145
180
|
|
146
|
-
# {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used
|
147
|
-
# {::Google::Cloud::Kms::V1::KeyManagementService::Client#mac_sign MacSign}.
|
181
|
+
# {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used
|
182
|
+
# with {::Google::Cloud::Kms::V1::KeyManagementService::Client#mac_sign MacSign}.
|
148
183
|
MAC = 9
|
149
184
|
end
|
150
185
|
end
|
151
186
|
|
152
|
-
# A {::Google::Cloud::Kms::V1::CryptoKeyVersionTemplate CryptoKeyVersionTemplate}
|
153
|
-
#
|
154
|
-
# {::Google::Cloud::Kms::V1::
|
155
|
-
#
|
187
|
+
# A {::Google::Cloud::Kms::V1::CryptoKeyVersionTemplate CryptoKeyVersionTemplate}
|
188
|
+
# specifies the properties to use when creating a new
|
189
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}, either manually
|
190
|
+
# with
|
191
|
+
# {::Google::Cloud::Kms::V1::KeyManagementService::Client#create_crypto_key_version CreateCryptoKeyVersion}
|
192
|
+
# or automatically as a result of auto-rotation.
|
156
193
|
# @!attribute [rw] protection_level
|
157
194
|
# @return [::Google::Cloud::Kms::V1::ProtectionLevel]
|
158
|
-
# {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} to use when creating
|
159
|
-
#
|
195
|
+
# {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} to use when creating
|
196
|
+
# a {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} based on this
|
197
|
+
# template. Immutable. Defaults to
|
198
|
+
# {::Google::Cloud::Kms::V1::ProtectionLevel::SOFTWARE SOFTWARE}.
|
160
199
|
# @!attribute [rw] algorithm
|
161
200
|
# @return [::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm]
|
162
|
-
# Required.
|
163
|
-
#
|
201
|
+
# Required.
|
202
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm Algorithm}
|
203
|
+
# to use when creating a
|
204
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} based on this
|
205
|
+
# template.
|
164
206
|
#
|
165
207
|
# For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
|
166
|
-
# this field is omitted and
|
208
|
+
# this field is omitted and
|
209
|
+
# {::Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey.purpose} is
|
167
210
|
# {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT}.
|
168
211
|
class CryptoKeyVersionTemplate
|
169
212
|
include ::Google::Protobuf::MessageExts
|
@@ -180,10 +223,30 @@ module Google
|
|
180
223
|
# @return [::String]
|
181
224
|
# Output only. The attestation data provided by the HSM when the key
|
182
225
|
# operation was performed.
|
226
|
+
# @!attribute [r] cert_chains
|
227
|
+
# @return [::Google::Cloud::Kms::V1::KeyOperationAttestation::CertificateChains]
|
228
|
+
# Output only. The certificate chains needed to validate the attestation
|
183
229
|
class KeyOperationAttestation
|
184
230
|
include ::Google::Protobuf::MessageExts
|
185
231
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
186
232
|
|
233
|
+
# Certificate chains needed to verify the attestation.
|
234
|
+
# Certificates in chains are PEM-encoded and are ordered based on
|
235
|
+
# https://tools.ietf.org/html/rfc5246#section-7.4.2.
|
236
|
+
# @!attribute [rw] cavium_certs
|
237
|
+
# @return [::Array<::String>]
|
238
|
+
# Cavium certificate chain corresponding to the attestation.
|
239
|
+
# @!attribute [rw] google_card_certs
|
240
|
+
# @return [::Array<::String>]
|
241
|
+
# Google card certificate chain corresponding to the attestation.
|
242
|
+
# @!attribute [rw] google_partition_certs
|
243
|
+
# @return [::Array<::String>]
|
244
|
+
# Google partition certificate chain corresponding to the attestation.
|
245
|
+
class CertificateChains
|
246
|
+
include ::Google::Protobuf::MessageExts
|
247
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
248
|
+
end
|
249
|
+
|
187
250
|
# Attestation formats provided by the HSM.
|
188
251
|
module AttestationFormat
|
189
252
|
# Not specified.
|
@@ -199,91 +262,111 @@ module Google
|
|
199
262
|
end
|
200
263
|
end
|
201
264
|
|
202
|
-
# A {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} represents an
|
203
|
-
# associated key material.
|
265
|
+
# A {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} represents an
|
266
|
+
# individual cryptographic key, and the associated key material.
|
204
267
|
#
|
205
|
-
# An
|
206
|
-
#
|
268
|
+
# An
|
269
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED}
|
270
|
+
# version can be used for cryptographic operations.
|
207
271
|
#
|
208
272
|
# For security reasons, the raw cryptographic key material represented by a
|
209
|
-
# {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} can never be viewed
|
210
|
-
# encrypt, decrypt, or sign data when an
|
211
|
-
# Cloud KMS.
|
273
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} can never be viewed
|
274
|
+
# or exported. It can only be used to encrypt, decrypt, or sign data when an
|
275
|
+
# authorized user or application invokes Cloud KMS.
|
212
276
|
# @!attribute [r] name
|
213
277
|
# @return [::String]
|
214
|
-
# Output only. The resource name for this
|
278
|
+
# Output only. The resource name for this
|
279
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} in the format
|
215
280
|
# `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
|
216
281
|
# @!attribute [rw] state
|
217
282
|
# @return [::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState]
|
218
|
-
# The current state of the
|
283
|
+
# The current state of the
|
284
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}.
|
219
285
|
# @!attribute [r] protection_level
|
220
286
|
# @return [::Google::Cloud::Kms::V1::ProtectionLevel]
|
221
|
-
# Output only. The {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel}
|
222
|
-
# performed with this
|
287
|
+
# Output only. The {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel}
|
288
|
+
# describing how crypto operations are performed with this
|
289
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}.
|
223
290
|
# @!attribute [r] algorithm
|
224
291
|
# @return [::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm]
|
225
|
-
# Output only. The
|
226
|
-
# {::Google::Cloud::Kms::V1::CryptoKeyVersion
|
292
|
+
# Output only. The
|
293
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm CryptoKeyVersionAlgorithm}
|
294
|
+
# that this {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}
|
295
|
+
# supports.
|
227
296
|
# @!attribute [r] attestation
|
228
297
|
# @return [::Google::Cloud::Kms::V1::KeyOperationAttestation]
|
229
298
|
# Output only. Statement that was generated and signed by the HSM at key
|
230
299
|
# creation time. Use this statement to verify attributes of the key as stored
|
231
300
|
# on the HSM, independently of Google. Only provided for key versions with
|
232
|
-
# {::Google::Cloud::Kms::V1::CryptoKeyVersion#protection_level protection_level}
|
301
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion#protection_level protection_level}
|
302
|
+
# {::Google::Cloud::Kms::V1::ProtectionLevel::HSM HSM}.
|
233
303
|
# @!attribute [r] create_time
|
234
304
|
# @return [::Google::Protobuf::Timestamp]
|
235
|
-
# Output only. The time at which this
|
305
|
+
# Output only. The time at which this
|
306
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} was created.
|
236
307
|
# @!attribute [r] generate_time
|
237
308
|
# @return [::Google::Protobuf::Timestamp]
|
238
|
-
# Output only. The time this
|
309
|
+
# Output only. The time this
|
310
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}'s key material was
|
239
311
|
# generated.
|
240
312
|
# @!attribute [r] destroy_time
|
241
313
|
# @return [::Google::Protobuf::Timestamp]
|
242
|
-
# Output only. The time this
|
243
|
-
#
|
314
|
+
# Output only. The time this
|
315
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}'s key material is
|
316
|
+
# scheduled for destruction. Only present if
|
317
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion#state state} is
|
244
318
|
# {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::DESTROY_SCHEDULED DESTROY_SCHEDULED}.
|
245
319
|
# @!attribute [r] destroy_event_time
|
246
320
|
# @return [::Google::Protobuf::Timestamp]
|
247
321
|
# Output only. The time this CryptoKeyVersion's key material was
|
248
|
-
# destroyed. Only present if
|
322
|
+
# destroyed. Only present if
|
323
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion#state state} is
|
249
324
|
# {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::DESTROYED DESTROYED}.
|
250
325
|
# @!attribute [r] import_job
|
251
326
|
# @return [::String]
|
252
|
-
# Output only. The name of the {::Google::Cloud::Kms::V1::ImportJob ImportJob}
|
253
|
-
#
|
254
|
-
#
|
327
|
+
# Output only. The name of the {::Google::Cloud::Kms::V1::ImportJob ImportJob}
|
328
|
+
# used in the most recent import of this
|
329
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}. Only present if
|
330
|
+
# the underlying key material was imported.
|
255
331
|
# @!attribute [r] import_time
|
256
332
|
# @return [::Google::Protobuf::Timestamp]
|
257
|
-
# Output only. The time at which this
|
258
|
-
#
|
333
|
+
# Output only. The time at which this
|
334
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}'s key material was
|
335
|
+
# most recently imported.
|
259
336
|
# @!attribute [r] import_failure_reason
|
260
337
|
# @return [::String]
|
261
|
-
# Output only. The root cause of the most recent import failure. Only present
|
262
|
-
# {::Google::Cloud::Kms::V1::CryptoKeyVersion#state state} is
|
338
|
+
# Output only. The root cause of the most recent import failure. Only present
|
339
|
+
# if {::Google::Cloud::Kms::V1::CryptoKeyVersion#state state} is
|
263
340
|
# {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::IMPORT_FAILED IMPORT_FAILED}.
|
264
341
|
# @!attribute [rw] external_protection_level_options
|
265
342
|
# @return [::Google::Cloud::Kms::V1::ExternalProtectionLevelOptions]
|
266
343
|
# ExternalProtectionLevelOptions stores a group of additional fields for
|
267
|
-
# configuring a {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} that
|
268
|
-
#
|
344
|
+
# configuring a {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} that
|
345
|
+
# are specific to the
|
346
|
+
# {::Google::Cloud::Kms::V1::ProtectionLevel::EXTERNAL EXTERNAL} protection level
|
347
|
+
# and {::Google::Cloud::Kms::V1::ProtectionLevel::EXTERNAL_VPC EXTERNAL_VPC}
|
348
|
+
# protection levels.
|
269
349
|
# @!attribute [r] reimport_eligible
|
270
350
|
# @return [::Boolean]
|
271
|
-
# Output only. Whether or not this key version is eligible for reimport, by
|
272
|
-
# specified as a target in
|
351
|
+
# Output only. Whether or not this key version is eligible for reimport, by
|
352
|
+
# being specified as a target in
|
273
353
|
# {::Google::Cloud::Kms::V1::ImportCryptoKeyVersionRequest#crypto_key_version ImportCryptoKeyVersionRequest.crypto_key_version}.
|
274
354
|
class CryptoKeyVersion
|
275
355
|
include ::Google::Protobuf::MessageExts
|
276
356
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
277
357
|
|
278
|
-
# The algorithm of the
|
358
|
+
# The algorithm of the
|
359
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}, indicating what
|
279
360
|
# parameters must be used for each cryptographic operation.
|
280
361
|
#
|
281
362
|
# The
|
282
363
|
# {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm::GOOGLE_SYMMETRIC_ENCRYPTION GOOGLE_SYMMETRIC_ENCRYPTION}
|
283
|
-
# algorithm is usable with
|
364
|
+
# algorithm is usable with
|
365
|
+
# {::Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey.purpose}
|
284
366
|
# {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT}.
|
285
367
|
#
|
286
|
-
# Algorithms beginning with "RSA_SIGN_" are usable with
|
368
|
+
# Algorithms beginning with "RSA_SIGN_" are usable with
|
369
|
+
# {::Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey.purpose}
|
287
370
|
# {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ASYMMETRIC_SIGN ASYMMETRIC_SIGN}.
|
288
371
|
#
|
289
372
|
# The fields in the name after "RSA_SIGN_" correspond to the following
|
@@ -301,13 +384,15 @@ module Google
|
|
301
384
|
# The fields in the name after "RSA_DECRYPT_" correspond to the following
|
302
385
|
# parameters: padding algorithm, modulus bit length, and digest algorithm.
|
303
386
|
#
|
304
|
-
# Algorithms beginning with "EC_SIGN_" are usable with
|
387
|
+
# Algorithms beginning with "EC_SIGN_" are usable with
|
388
|
+
# {::Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey.purpose}
|
305
389
|
# {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ASYMMETRIC_SIGN ASYMMETRIC_SIGN}.
|
306
390
|
#
|
307
391
|
# The fields in the name after "EC_SIGN_" correspond to the following
|
308
392
|
# parameters: elliptic curve, digest algorithm.
|
309
393
|
#
|
310
|
-
# Algorithms beginning with "HMAC_" are usable with
|
394
|
+
# Algorithms beginning with "HMAC_" are usable with
|
395
|
+
# {::Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey.purpose}
|
311
396
|
# {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::MAC MAC}.
|
312
397
|
#
|
313
398
|
# The suffix following "HMAC_" corresponds to the hash algorithm being used
|
@@ -393,39 +478,50 @@ module Google
|
|
393
478
|
EXTERNAL_SYMMETRIC_ENCRYPTION = 18
|
394
479
|
end
|
395
480
|
|
396
|
-
# The state of a {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion},
|
481
|
+
# The state of a {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion},
|
482
|
+
# indicating if it can be used.
|
397
483
|
module CryptoKeyVersionState
|
398
484
|
# Not specified.
|
399
485
|
CRYPTO_KEY_VERSION_STATE_UNSPECIFIED = 0
|
400
486
|
|
401
487
|
# This version is still being generated. It may not be used, enabled,
|
402
488
|
# disabled, or destroyed yet. Cloud KMS will automatically mark this
|
403
|
-
# version
|
489
|
+
# version
|
490
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED}
|
491
|
+
# as soon as the version is ready.
|
404
492
|
PENDING_GENERATION = 5
|
405
493
|
|
406
494
|
# This version may be used for cryptographic operations.
|
407
495
|
ENABLED = 1
|
408
496
|
|
409
497
|
# This version may not be used, but the key material is still available,
|
410
|
-
# and the version can be placed back into the
|
498
|
+
# and the version can be placed back into the
|
499
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED}
|
500
|
+
# state.
|
411
501
|
DISABLED = 2
|
412
502
|
|
413
503
|
# This version is destroyed, and the key material is no longer stored.
|
414
|
-
# This version may only become
|
415
|
-
# {::Google::Cloud::Kms::V1::CryptoKeyVersion
|
416
|
-
#
|
504
|
+
# This version may only become
|
505
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED}
|
506
|
+
# again if this version is
|
507
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion#reimport_eligible reimport_eligible}
|
508
|
+
# and the original key material is reimported with a call to
|
417
509
|
# {::Google::Cloud::Kms::V1::KeyManagementService::Client#import_crypto_key_version KeyManagementService.ImportCryptoKeyVersion}.
|
418
510
|
DESTROYED = 3
|
419
511
|
|
420
512
|
# This version is scheduled for destruction, and will be destroyed soon.
|
421
513
|
# Call
|
422
514
|
# {::Google::Cloud::Kms::V1::KeyManagementService::Client#restore_crypto_key_version RestoreCryptoKeyVersion}
|
423
|
-
# to put it back into the
|
515
|
+
# to put it back into the
|
516
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::DISABLED DISABLED}
|
517
|
+
# state.
|
424
518
|
DESTROY_SCHEDULED = 4
|
425
519
|
|
426
520
|
# This version is still being imported. It may not be used, enabled,
|
427
521
|
# disabled, or destroyed yet. Cloud KMS will automatically mark this
|
428
|
-
# version
|
522
|
+
# version
|
523
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED}
|
524
|
+
# as soon as the version is ready.
|
429
525
|
PENDING_IMPORT = 6
|
430
526
|
|
431
527
|
# This version was not imported successfully. It may not be used, enabled,
|
@@ -435,22 +531,28 @@ module Google
|
|
435
531
|
IMPORT_FAILED = 7
|
436
532
|
end
|
437
533
|
|
438
|
-
# A view for {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}s.
|
439
|
-
#
|
440
|
-
# {::Google::Cloud::Kms::V1::
|
534
|
+
# A view for {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}s.
|
535
|
+
# Controls the level of detail returned for
|
536
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersions} in
|
537
|
+
# {::Google::Cloud::Kms::V1::KeyManagementService::Client#list_crypto_key_versions KeyManagementService.ListCryptoKeyVersions}
|
538
|
+
# and
|
441
539
|
# {::Google::Cloud::Kms::V1::KeyManagementService::Client#list_crypto_keys KeyManagementService.ListCryptoKeys}.
|
442
540
|
module CryptoKeyVersionView
|
443
|
-
# Default view for each
|
444
|
-
#
|
541
|
+
# Default view for each
|
542
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}. Does not
|
543
|
+
# include the
|
544
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion#attestation attestation} field.
|
445
545
|
CRYPTO_KEY_VERSION_VIEW_UNSPECIFIED = 0
|
446
546
|
|
447
|
-
# Provides all fields in each
|
547
|
+
# Provides all fields in each
|
548
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}, including the
|
448
549
|
# {::Google::Cloud::Kms::V1::CryptoKeyVersion#attestation attestation}.
|
449
550
|
FULL = 1
|
450
551
|
end
|
451
552
|
end
|
452
553
|
|
453
|
-
# The public key for a given
|
554
|
+
# The public key for a given
|
555
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}. Obtained via
|
454
556
|
# {::Google::Cloud::Kms::V1::KeyManagementService::Client#get_public_key GetPublicKey}.
|
455
557
|
# @!attribute [rw] pem
|
456
558
|
# @return [::String]
|
@@ -461,17 +563,19 @@ module Google
|
|
461
563
|
# (https://tools.ietf.org/html/rfc7468#section-13).
|
462
564
|
# @!attribute [rw] algorithm
|
463
565
|
# @return [::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm]
|
464
|
-
# The
|
465
|
-
#
|
566
|
+
# The
|
567
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm Algorithm}
|
568
|
+
# associated with this key.
|
466
569
|
# @!attribute [rw] pem_crc32c
|
467
570
|
# @return [::Google::Protobuf::Int64Value]
|
468
571
|
# Integrity verification field. A CRC32C checksum of the returned
|
469
|
-
# {::Google::Cloud::Kms::V1::PublicKey#pem PublicKey.pem}. An integrity check of
|
470
|
-
#
|
471
|
-
#
|
472
|
-
#
|
473
|
-
#
|
474
|
-
# checksum.
|
572
|
+
# {::Google::Cloud::Kms::V1::PublicKey#pem PublicKey.pem}. An integrity check of
|
573
|
+
# {::Google::Cloud::Kms::V1::PublicKey#pem PublicKey.pem} can be performed by
|
574
|
+
# computing the CRC32C checksum of
|
575
|
+
# {::Google::Cloud::Kms::V1::PublicKey#pem PublicKey.pem} and comparing your
|
576
|
+
# results to this field. Discard the response in case of non-matching
|
577
|
+
# checksum values, and perform a limited number of retries. A persistent
|
578
|
+
# mismatch may indicate an issue in your computation of the CRC32C checksum.
|
475
579
|
# Note: This field is defined as int64 for reasons of compatibility across
|
476
580
|
# different languages. However, it is a non-negative integer, which will
|
477
581
|
# never exceed 2^32-1, and can be safely downconverted to uint32 in languages
|
@@ -480,76 +584,92 @@ module Google
|
|
480
584
|
# NOTE: This field is in Beta.
|
481
585
|
# @!attribute [rw] name
|
482
586
|
# @return [::String]
|
483
|
-
# The {::Google::Cloud::Kms::V1::CryptoKeyVersion#name name} of the
|
587
|
+
# The {::Google::Cloud::Kms::V1::CryptoKeyVersion#name name} of the
|
588
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} public key.
|
484
589
|
# Provided here for verification.
|
485
590
|
#
|
486
591
|
# NOTE: This field is in Beta.
|
487
592
|
# @!attribute [rw] protection_level
|
488
593
|
# @return [::Google::Cloud::Kms::V1::ProtectionLevel]
|
489
|
-
# The {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} of the
|
594
|
+
# The {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} of the
|
595
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} public key.
|
490
596
|
class PublicKey
|
491
597
|
include ::Google::Protobuf::MessageExts
|
492
598
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
493
599
|
end
|
494
600
|
|
495
|
-
# An {::Google::Cloud::Kms::V1::ImportJob ImportJob} can be used to create
|
496
|
-
# {::Google::Cloud::Kms::V1::
|
497
|
-
#
|
601
|
+
# An {::Google::Cloud::Kms::V1::ImportJob ImportJob} can be used to create
|
602
|
+
# {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} and
|
603
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersions} using pre-existing
|
604
|
+
# key material, generated outside of Cloud KMS.
|
498
605
|
#
|
499
|
-
# When an {::Google::Cloud::Kms::V1::ImportJob ImportJob} is created, Cloud KMS will
|
500
|
-
# which is a public/private key pair. You use the
|
501
|
-
# known as wrap) the pre-existing key material to
|
502
|
-
# process. The nature of the wrapping key depends
|
503
|
-
#
|
504
|
-
#
|
505
|
-
#
|
506
|
-
#
|
507
|
-
#
|
606
|
+
# When an {::Google::Cloud::Kms::V1::ImportJob ImportJob} is created, Cloud KMS will
|
607
|
+
# generate a "wrapping key", which is a public/private key pair. You use the
|
608
|
+
# wrapping key to encrypt (also known as wrap) the pre-existing key material to
|
609
|
+
# protect it during the import process. The nature of the wrapping key depends
|
610
|
+
# on the choice of
|
611
|
+
# {::Google::Cloud::Kms::V1::ImportJob#import_method import_method}. When the
|
612
|
+
# wrapping key generation is complete, the
|
613
|
+
# {::Google::Cloud::Kms::V1::ImportJob#state state} will be set to
|
614
|
+
# {::Google::Cloud::Kms::V1::ImportJob::ImportJobState::ACTIVE ACTIVE} and the
|
615
|
+
# {::Google::Cloud::Kms::V1::ImportJob#public_key public_key} can be fetched. The
|
616
|
+
# fetched public key can then be used to wrap your pre-existing key material.
|
508
617
|
#
|
509
618
|
# Once the key material is wrapped, it can be imported into a new
|
510
|
-
# {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} in an existing
|
619
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} in an existing
|
620
|
+
# {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} by calling
|
511
621
|
# {::Google::Cloud::Kms::V1::KeyManagementService::Client#import_crypto_key_version ImportCryptoKeyVersion}.
|
512
|
-
# Multiple {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersions} can be
|
513
|
-
# {::Google::Cloud::Kms::V1::ImportJob ImportJob}. Cloud KMS
|
514
|
-
#
|
622
|
+
# Multiple {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersions} can be
|
623
|
+
# imported with a single {::Google::Cloud::Kms::V1::ImportJob ImportJob}. Cloud KMS
|
624
|
+
# uses the private key portion of the wrapping key to unwrap the key material.
|
625
|
+
# Only Cloud KMS has access to the private key.
|
515
626
|
#
|
516
|
-
# An {::Google::Cloud::Kms::V1::ImportJob ImportJob} expires 3 days after it is
|
517
|
-
# will no longer be able to import or unwrap
|
518
|
-
#
|
627
|
+
# An {::Google::Cloud::Kms::V1::ImportJob ImportJob} expires 3 days after it is
|
628
|
+
# created. Once expired, Cloud KMS will no longer be able to import or unwrap
|
629
|
+
# any key material that was wrapped with the
|
630
|
+
# {::Google::Cloud::Kms::V1::ImportJob ImportJob}'s public key.
|
519
631
|
#
|
520
632
|
# For more information, see
|
521
633
|
# [Importing a key](https://cloud.google.com/kms/docs/importing-a-key).
|
522
634
|
# @!attribute [r] name
|
523
635
|
# @return [::String]
|
524
|
-
# Output only. The resource name for this
|
636
|
+
# Output only. The resource name for this
|
637
|
+
# {::Google::Cloud::Kms::V1::ImportJob ImportJob} in the format
|
525
638
|
# `projects/*/locations/*/keyRings/*/importJobs/*`.
|
526
639
|
# @!attribute [rw] import_method
|
527
640
|
# @return [::Google::Cloud::Kms::V1::ImportJob::ImportMethod]
|
528
|
-
# Required. Immutable. The wrapping method to be used for incoming key
|
641
|
+
# Required. Immutable. The wrapping method to be used for incoming key
|
642
|
+
# material.
|
529
643
|
# @!attribute [rw] protection_level
|
530
644
|
# @return [::Google::Cloud::Kms::V1::ProtectionLevel]
|
531
|
-
# Required. Immutable. The protection level of the
|
532
|
-
# {::Google::Cloud::Kms::V1::
|
533
|
-
# {::Google::Cloud::Kms::V1::
|
534
|
-
#
|
645
|
+
# Required. Immutable. The protection level of the
|
646
|
+
# {::Google::Cloud::Kms::V1::ImportJob ImportJob}. This must match the
|
647
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersionTemplate#protection_level protection_level}
|
648
|
+
# of the {::Google::Cloud::Kms::V1::CryptoKey#version_template version_template}
|
649
|
+
# on the {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} you attempt to import
|
650
|
+
# into.
|
535
651
|
# @!attribute [r] create_time
|
536
652
|
# @return [::Google::Protobuf::Timestamp]
|
537
|
-
# Output only. The time at which this
|
653
|
+
# Output only. The time at which this
|
654
|
+
# {::Google::Cloud::Kms::V1::ImportJob ImportJob} was created.
|
538
655
|
# @!attribute [r] generate_time
|
539
656
|
# @return [::Google::Protobuf::Timestamp]
|
540
|
-
# Output only. The time this {::Google::Cloud::Kms::V1::ImportJob ImportJob}'s key
|
657
|
+
# Output only. The time this {::Google::Cloud::Kms::V1::ImportJob ImportJob}'s key
|
658
|
+
# material was generated.
|
541
659
|
# @!attribute [r] expire_time
|
542
660
|
# @return [::Google::Protobuf::Timestamp]
|
543
|
-
# Output only. The time at which this
|
544
|
-
#
|
661
|
+
# Output only. The time at which this
|
662
|
+
# {::Google::Cloud::Kms::V1::ImportJob ImportJob} is scheduled for expiration and
|
663
|
+
# can no longer be used to import key material.
|
545
664
|
# @!attribute [r] expire_event_time
|
546
665
|
# @return [::Google::Protobuf::Timestamp]
|
547
|
-
# Output only. The time this {::Google::Cloud::Kms::V1::ImportJob ImportJob}
|
548
|
-
# {::Google::Cloud::Kms::V1::ImportJob#state state} is
|
666
|
+
# Output only. The time this {::Google::Cloud::Kms::V1::ImportJob ImportJob}
|
667
|
+
# expired. Only present if {::Google::Cloud::Kms::V1::ImportJob#state state} is
|
668
|
+
# {::Google::Cloud::Kms::V1::ImportJob::ImportJobState::EXPIRED EXPIRED}.
|
549
669
|
# @!attribute [r] state
|
550
670
|
# @return [::Google::Cloud::Kms::V1::ImportJob::ImportJobState]
|
551
|
-
# Output only. The current state of the
|
552
|
-
# be used.
|
671
|
+
# Output only. The current state of the
|
672
|
+
# {::Google::Cloud::Kms::V1::ImportJob ImportJob}, indicating if it can be used.
|
553
673
|
# @!attribute [r] public_key
|
554
674
|
# @return [::Google::Cloud::Kms::V1::ImportJob::WrappingPublicKey]
|
555
675
|
# Output only. The public key with which to wrap key material prior to
|
@@ -560,14 +680,16 @@ module Google
|
|
560
680
|
# Output only. Statement that was generated and signed by the key creator
|
561
681
|
# (for example, an HSM) at key creation time. Use this statement to verify
|
562
682
|
# attributes of the key as stored on the HSM, independently of Google.
|
563
|
-
# Only present if the chosen
|
564
|
-
#
|
683
|
+
# Only present if the chosen
|
684
|
+
# {::Google::Cloud::Kms::V1::ImportJob::ImportMethod ImportMethod} is one with a
|
685
|
+
# protection level of {::Google::Cloud::Kms::V1::ProtectionLevel::HSM HSM}.
|
565
686
|
class ImportJob
|
566
687
|
include ::Google::Protobuf::MessageExts
|
567
688
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
568
689
|
|
569
690
|
# The public key component of the wrapping key. For details of the type of
|
570
|
-
# key this public key corresponds to, see the
|
691
|
+
# key this public key corresponds to, see the
|
692
|
+
# {::Google::Cloud::Kms::V1::ImportJob::ImportMethod ImportMethod}.
|
571
693
|
# @!attribute [rw] pem
|
572
694
|
# @return [::String]
|
573
695
|
# The public key, encoded in PEM format. For more information, see the [RFC
|
@@ -580,7 +702,8 @@ module Google
|
|
580
702
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
581
703
|
end
|
582
704
|
|
583
|
-
# {::Google::Cloud::Kms::V1::ImportJob::ImportMethod ImportMethod} describes the
|
705
|
+
# {::Google::Cloud::Kms::V1::ImportJob::ImportMethod ImportMethod} describes the
|
706
|
+
# key wrapping method chosen for this
|
584
707
|
# {::Google::Cloud::Kms::V1::ImportJob ImportJob}.
|
585
708
|
module ImportMethod
|
586
709
|
# Not specified.
|
@@ -603,18 +726,21 @@ module Google
|
|
603
726
|
RSA_OAEP_4096_SHA1_AES_256 = 2
|
604
727
|
end
|
605
728
|
|
606
|
-
# The state of the {::Google::Cloud::Kms::V1::ImportJob ImportJob}, indicating if
|
729
|
+
# The state of the {::Google::Cloud::Kms::V1::ImportJob ImportJob}, indicating if
|
730
|
+
# it can be used.
|
607
731
|
module ImportJobState
|
608
732
|
# Not specified.
|
609
733
|
IMPORT_JOB_STATE_UNSPECIFIED = 0
|
610
734
|
|
611
735
|
# The wrapping key for this job is still being generated. It may not be
|
612
736
|
# used. Cloud KMS will automatically mark this job as
|
613
|
-
# {::Google::Cloud::Kms::V1::ImportJob::ImportJobState::ACTIVE ACTIVE} as soon as
|
737
|
+
# {::Google::Cloud::Kms::V1::ImportJob::ImportJobState::ACTIVE ACTIVE} as soon as
|
738
|
+
# the wrapping key is generated.
|
614
739
|
PENDING_GENERATION = 1
|
615
740
|
|
616
741
|
# This job may be used in
|
617
|
-
# {::Google::Cloud::Kms::V1::KeyManagementService::Client#create_crypto_key CreateCryptoKey}
|
742
|
+
# {::Google::Cloud::Kms::V1::KeyManagementService::Client#create_crypto_key CreateCryptoKey}
|
743
|
+
# and
|
618
744
|
# {::Google::Cloud::Kms::V1::KeyManagementService::Client#create_crypto_key_version CreateCryptoKeyVersion}
|
619
745
|
# requests.
|
620
746
|
ACTIVE = 2
|
@@ -625,19 +751,29 @@ module Google
|
|
625
751
|
end
|
626
752
|
|
627
753
|
# ExternalProtectionLevelOptions stores a group of additional fields for
|
628
|
-
# configuring a {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} that
|
629
|
-
# {::Google::Cloud::Kms::V1::ProtectionLevel::EXTERNAL EXTERNAL}
|
754
|
+
# configuring a {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} that
|
755
|
+
# are specific to the {::Google::Cloud::Kms::V1::ProtectionLevel::EXTERNAL EXTERNAL}
|
756
|
+
# protection level and
|
757
|
+
# {::Google::Cloud::Kms::V1::ProtectionLevel::EXTERNAL_VPC EXTERNAL_VPC} protection
|
758
|
+
# levels.
|
630
759
|
# @!attribute [rw] external_key_uri
|
631
760
|
# @return [::String]
|
632
|
-
# The URI for an external resource that this
|
761
|
+
# The URI for an external resource that this
|
762
|
+
# {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} represents.
|
763
|
+
# @!attribute [rw] ekm_connection_key_path
|
764
|
+
# @return [::String]
|
765
|
+
# The path to the external key material on the EKM when using
|
766
|
+
# {::Google::Cloud::Kms::V1::EkmConnection EkmConnection} e.g., "v0/my/key". Set
|
767
|
+
# this field instead of external_key_uri when using an
|
768
|
+
# {::Google::Cloud::Kms::V1::EkmConnection EkmConnection}.
|
633
769
|
class ExternalProtectionLevelOptions
|
634
770
|
include ::Google::Protobuf::MessageExts
|
635
771
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
636
772
|
end
|
637
773
|
|
638
|
-
# {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} specifies how
|
639
|
-
# For more information, see [Protection
|
640
|
-
# (https://cloud.google.com/kms/docs/algorithms#protection_levels).
|
774
|
+
# {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} specifies how
|
775
|
+
# cryptographic operations are performed. For more information, see [Protection
|
776
|
+
# levels] (https://cloud.google.com/kms/docs/algorithms#protection_levels).
|
641
777
|
module ProtectionLevel
|
642
778
|
# Not specified.
|
643
779
|
PROTECTION_LEVEL_UNSPECIFIED = 0
|
@@ -650,6 +786,9 @@ module Google
|
|
650
786
|
|
651
787
|
# Crypto operations are performed by an external key manager.
|
652
788
|
EXTERNAL = 3
|
789
|
+
|
790
|
+
# Crypto operations are performed in an EKM-over-VPC backend.
|
791
|
+
EXTERNAL_VPC = 4
|
653
792
|
end
|
654
793
|
end
|
655
794
|
end
|