google-cloud-kms-v1 0.10.2 → 0.13.0

@@ -21,78 +21,96 @@ module Google
21
21
  module Cloud
22
22
  module Kms
23
23
  module V1
24
- # A {::Google::Cloud::Kms::V1::KeyRing KeyRing} is a toplevel logical grouping of {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys}.
24
+ # A {::Google::Cloud::Kms::V1::KeyRing KeyRing} is a toplevel logical grouping of
25
+ # {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys}.
25
26
  # @!attribute [r] name
26
27
  # @return [::String]
27
- # Output only. The resource name for the {::Google::Cloud::Kms::V1::KeyRing KeyRing} in the format
28
+ # Output only. The resource name for the
29
+ # {::Google::Cloud::Kms::V1::KeyRing KeyRing} in the format
28
30
  # `projects/*/locations/*/keyRings/*`.
29
31
  # @!attribute [r] create_time
30
32
  # @return [::Google::Protobuf::Timestamp]
31
- # Output only. The time at which this {::Google::Cloud::Kms::V1::KeyRing KeyRing} was created.
33
+ # Output only. The time at which this {::Google::Cloud::Kms::V1::KeyRing KeyRing}
34
+ # was created.
32
35
  class KeyRing
33
36
  include ::Google::Protobuf::MessageExts
34
37
  extend ::Google::Protobuf::MessageExts::ClassMethods
35
38
  end
36
39
 
37
- # A {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} represents a logical key that can be used for cryptographic
38
- # operations.
40
+ # A {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} represents a logical key that
41
+ # can be used for cryptographic operations.
39
42
  #
40
- # A {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} is made up of zero or more {::Google::Cloud::Kms::V1::CryptoKeyVersion versions},
41
- # which represent the actual key material used in cryptographic operations.
43
+ # A {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} is made up of zero or more
44
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion versions}, which represent the actual
45
+ # key material used in cryptographic operations.
42
46
  # @!attribute [r] name
43
47
  # @return [::String]
44
- # Output only. The resource name for this {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} in the format
48
+ # Output only. The resource name for this
49
+ # {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} in the format
45
50
  # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
46
51
  # @!attribute [r] primary
47
52
  # @return [::Google::Cloud::Kms::V1::CryptoKeyVersion]
48
- # Output only. A copy of the "primary" {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} that will be used
49
- # by {::Google::Cloud::Kms::V1::KeyManagementService::Client#encrypt Encrypt} when this {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} is given
50
- # in {::Google::Cloud::Kms::V1::EncryptRequest#name EncryptRequest.name}.
53
+ # Output only. A copy of the "primary"
54
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} that will be used
55
+ # by {::Google::Cloud::Kms::V1::KeyManagementService::Client#encrypt Encrypt} when this
56
+ # {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} is given in
57
+ # {::Google::Cloud::Kms::V1::EncryptRequest#name EncryptRequest.name}.
51
58
  #
52
- # The {::Google::Cloud::Kms::V1::CryptoKey CryptoKey}'s primary version can be updated via
59
+ # The {::Google::Cloud::Kms::V1::CryptoKey CryptoKey}'s primary version can be
60
+ # updated via
53
61
  # {::Google::Cloud::Kms::V1::KeyManagementService::Client#update_crypto_key_primary_version UpdateCryptoKeyPrimaryVersion}.
54
62
  #
55
63
  # Keys with {::Google::Cloud::Kms::V1::CryptoKey#purpose purpose}
56
- # {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT} may have a
57
- # primary. For other keys, this field will be omitted.
64
+ # {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT}
65
+ # may have a primary. For other keys, this field will be omitted.
58
66
  # @!attribute [rw] purpose
59
67
  # @return [::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose]
60
- # Immutable. The immutable purpose of this {::Google::Cloud::Kms::V1::CryptoKey CryptoKey}.
68
+ # Immutable. The immutable purpose of this
69
+ # {::Google::Cloud::Kms::V1::CryptoKey CryptoKey}.
61
70
  # @!attribute [r] create_time
62
71
  # @return [::Google::Protobuf::Timestamp]
63
- # Output only. The time at which this {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} was created.
72
+ # Output only. The time at which this
73
+ # {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} was created.
64
74
  # @!attribute [rw] next_rotation_time
65
75
  # @return [::Google::Protobuf::Timestamp]
66
- # At {::Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time}, the Key Management Service will automatically:
76
+ # At {::Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time},
77
+ # the Key Management Service will automatically:
67
78
  #
68
79
  # 1. Create a new version of this {::Google::Cloud::Kms::V1::CryptoKey CryptoKey}.
69
80
  # 2. Mark the new version as primary.
70
81
  #
71
82
  # Key rotations performed manually via
72
- # {::Google::Cloud::Kms::V1::KeyManagementService::Client#create_crypto_key_version CreateCryptoKeyVersion} and
83
+ # {::Google::Cloud::Kms::V1::KeyManagementService::Client#create_crypto_key_version CreateCryptoKeyVersion}
84
+ # and
73
85
  # {::Google::Cloud::Kms::V1::KeyManagementService::Client#update_crypto_key_primary_version UpdateCryptoKeyPrimaryVersion}
74
- # do not affect {::Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time}.
86
+ # do not affect
87
+ # {::Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time}.
75
88
  #
76
89
  # Keys with {::Google::Cloud::Kms::V1::CryptoKey#purpose purpose}
77
- # {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT} support
78
- # automatic rotation. For other keys, this field must be omitted.
90
+ # {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT}
91
+ # support automatic rotation. For other keys, this field must be omitted.
79
92
  # @!attribute [rw] rotation_period
80
93
  # @return [::Google::Protobuf::Duration]
81
- # {::Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time} will be advanced by this period when the service
82
- # automatically rotates a key. Must be at least 24 hours and at most
83
- # 876,000 hours.
94
+ # {::Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time}
95
+ # will be advanced by this period when the service automatically rotates a
96
+ # key. Must be at least 24 hours and at most 876,000 hours.
84
97
  #
85
- # If {::Google::Cloud::Kms::V1::CryptoKey#rotation_period rotation_period} is set, {::Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time} must also be set.
98
+ # If {::Google::Cloud::Kms::V1::CryptoKey#rotation_period rotation_period} is
99
+ # set,
100
+ # {::Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time}
101
+ # must also be set.
86
102
  #
87
103
  # Keys with {::Google::Cloud::Kms::V1::CryptoKey#purpose purpose}
88
- # {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT} support
89
- # automatic rotation. For other keys, this field must be omitted.
104
+ # {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT}
105
+ # support automatic rotation. For other keys, this field must be omitted.
90
106
  # @!attribute [rw] version_template
91
107
  # @return [::Google::Cloud::Kms::V1::CryptoKeyVersionTemplate]
92
- # A template describing settings for new {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} instances.
93
- # The properties of new {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} instances created by either
94
- # {::Google::Cloud::Kms::V1::KeyManagementService::Client#create_crypto_key_version CreateCryptoKeyVersion} or
95
- # auto-rotation are controlled by this template.
108
+ # A template describing settings for new
109
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} instances. The
110
+ # properties of new {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}
111
+ # instances created by either
112
+ # {::Google::Cloud::Kms::V1::KeyManagementService::Client#create_crypto_key_version CreateCryptoKeyVersion}
113
+ # or auto-rotation are controlled by this template.
96
114
  # @!attribute [rw] labels
97
115
  # @return [::Google::Protobuf::Map{::String => ::String}]
98
116
  # Labels with user-defined metadata. For more information, see
@@ -105,8 +123,20 @@ module Google
105
123
  # Immutable. The period of time that versions of this key spend in the
106
124
  # {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::DESTROY_SCHEDULED DESTROY_SCHEDULED}
107
125
  # state before transitioning to
108
- # {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::DESTROYED DESTROYED}. If not
109
- # specified at creation time, the default duration is 24 hours.
126
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::DESTROYED DESTROYED}.
127
+ # If not specified at creation time, the default duration is 24 hours.
128
+ # @!attribute [rw] crypto_key_backend
129
+ # @return [::String]
130
+ # Immutable. The resource name of the backend environment where the key
131
+ # material for all {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersions}
132
+ # associated with this {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} reside and
133
+ # where all related cryptographic operations are performed. Only applicable
134
+ # if {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersions} have a
135
+ # {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} of
136
+ # [EXTERNAL_VPC][CryptoKeyVersion.ProtectionLevel.EXTERNAL_VPC], with the
137
+ # resource name in the format `projects/*/locations/*/ekmConnections/*`.
138
+ # Note, this list is non-exhaustive and may apply to additional
139
+ # {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevels} in the future.
110
140
  class CryptoKey
111
141
  include ::Google::Protobuf::MessageExts
112
142
  extend ::Google::Protobuf::MessageExts::ClassMethods
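Review bot: The new `crypto_key_backend` comment leaves a raw proto-style reference, `[EXTERNAL_VPC][CryptoKeyVersion.ProtectionLevel.EXTERNAL_VPC]`, which will not render as a link the way the `{::Google::... Name}` references around it do. The later hunk on `external_protection_level_options` links the same value, so this line could read `# {::Google::Cloud::Kms::V1::ProtectionLevel::EXTERNAL_VPC EXTERNAL_VPC}, with the`. The closing sentence "Note, this list is non-exhaustive" has no list to refer to. Because this immutable field names where key material lives and where operations run, the comment should state plainly which protection levels it applies to. The `CryptoKey` class body continues outside the hunk.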
@@ -120,50 +150,63 @@ module Google
120
150
  extend ::Google::Protobuf::MessageExts::ClassMethods
121
151
  end
122
152
 
123
- # {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose CryptoKeyPurpose} describes the cryptographic capabilities of a
124
- # {::Google::Cloud::Kms::V1::CryptoKey CryptoKey}. A given key can only be used for the operations allowed by
125
- # its purpose. For more information, see
126
- # [Key purposes](https://cloud.google.com/kms/docs/algorithms#key_purposes).
153
+ # {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose CryptoKeyPurpose}
154
+ # describes the cryptographic capabilities of a
155
+ # {::Google::Cloud::Kms::V1::CryptoKey CryptoKey}. A given key can only be used
156
+ # for the operations allowed by its purpose. For more information, see [Key
157
+ # purposes](https://cloud.google.com/kms/docs/algorithms#key_purposes).
127
158
  module CryptoKeyPurpose
128
159
  # Not specified.
129
160
  CRYPTO_KEY_PURPOSE_UNSPECIFIED = 0
130
161
 
131
- # {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used with
132
- # {::Google::Cloud::Kms::V1::KeyManagementService::Client#encrypt Encrypt} and
162
+ # {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used
163
+ # with {::Google::Cloud::Kms::V1::KeyManagementService::Client#encrypt Encrypt} and
133
164
  # {::Google::Cloud::Kms::V1::KeyManagementService::Client#decrypt Decrypt}.
134
165
  ENCRYPT_DECRYPT = 1
135
166
 
136
- # {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used with
137
- # {::Google::Cloud::Kms::V1::KeyManagementService::Client#asymmetric_sign AsymmetricSign} and
167
+ # {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used
168
+ # with
169
+ # {::Google::Cloud::Kms::V1::KeyManagementService::Client#asymmetric_sign AsymmetricSign}
170
+ # and
138
171
  # {::Google::Cloud::Kms::V1::KeyManagementService::Client#get_public_key GetPublicKey}.
139
172
  ASYMMETRIC_SIGN = 5
140
173
 
141
- # {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used with
142
- # {::Google::Cloud::Kms::V1::KeyManagementService::Client#asymmetric_decrypt AsymmetricDecrypt} and
174
+ # {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used
175
+ # with
176
+ # {::Google::Cloud::Kms::V1::KeyManagementService::Client#asymmetric_decrypt AsymmetricDecrypt}
177
+ # and
143
178
  # {::Google::Cloud::Kms::V1::KeyManagementService::Client#get_public_key GetPublicKey}.
144
179
  ASYMMETRIC_DECRYPT = 6
145
180
 
146
- # {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used with
147
- # {::Google::Cloud::Kms::V1::KeyManagementService::Client#mac_sign MacSign}.
181
+ # {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used
182
+ # with {::Google::Cloud::Kms::V1::KeyManagementService::Client#mac_sign MacSign}.
148
183
  MAC = 9
149
184
  end
150
185
  end
151
186
 
152
- # A {::Google::Cloud::Kms::V1::CryptoKeyVersionTemplate CryptoKeyVersionTemplate} specifies the properties to use when creating
153
- # a new {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}, either manually with
154
- # {::Google::Cloud::Kms::V1::KeyManagementService::Client#create_crypto_key_version CreateCryptoKeyVersion} or
155
- # automatically as a result of auto-rotation.
187
+ # A {::Google::Cloud::Kms::V1::CryptoKeyVersionTemplate CryptoKeyVersionTemplate}
188
+ # specifies the properties to use when creating a new
189
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}, either manually
190
+ # with
191
+ # {::Google::Cloud::Kms::V1::KeyManagementService::Client#create_crypto_key_version CreateCryptoKeyVersion}
192
+ # or automatically as a result of auto-rotation.
156
193
  # @!attribute [rw] protection_level
157
194
  # @return [::Google::Cloud::Kms::V1::ProtectionLevel]
158
- # {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} to use when creating a {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} based on
159
- # this template. Immutable. Defaults to {::Google::Cloud::Kms::V1::ProtectionLevel::SOFTWARE SOFTWARE}.
195
+ # {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} to use when creating
196
+ # a {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} based on this
197
+ # template. Immutable. Defaults to
198
+ # {::Google::Cloud::Kms::V1::ProtectionLevel::SOFTWARE SOFTWARE}.
160
199
  # @!attribute [rw] algorithm
161
200
  # @return [::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm]
162
- # Required. {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm Algorithm} to use
163
- # when creating a {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} based on this template.
201
+ # Required.
202
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm Algorithm}
203
+ # to use when creating a
204
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} based on this
205
+ # template.
164
206
  #
165
207
  # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
166
- # this field is omitted and {::Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey.purpose} is
208
+ # this field is omitted and
209
+ # {::Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey.purpose} is
167
210
  # {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT}.
168
211
  class CryptoKeyVersionTemplate
169
212
  include ::Google::Protobuf::MessageExts
@@ -180,10 +223,30 @@ module Google
180
223
  # @return [::String]
181
224
  # Output only. The attestation data provided by the HSM when the key
182
225
  # operation was performed.
226
+ # @!attribute [r] cert_chains
227
+ # @return [::Google::Cloud::Kms::V1::KeyOperationAttestation::CertificateChains]
228
+ # Output only. The certificate chains needed to validate the attestation
183
229
  class KeyOperationAttestation
184
230
  include ::Google::Protobuf::MessageExts
185
231
  extend ::Google::Protobuf::MessageExts::ClassMethods
186
232
 
233
+ # Certificate chains needed to verify the attestation.
234
+ # Certificates in chains are PEM-encoded and are ordered based on
235
+ # https://tools.ietf.org/html/rfc5246#section-7.4.2.
236
+ # @!attribute [rw] cavium_certs
237
+ # @return [::Array<::String>]
238
+ # Cavium certificate chain corresponding to the attestation.
239
+ # @!attribute [rw] google_card_certs
240
+ # @return [::Array<::String>]
241
+ # Google card certificate chain corresponding to the attestation.
242
+ # @!attribute [rw] google_partition_certs
243
+ # @return [::Array<::String>]
244
+ # Google partition certificate chain corresponding to the attestation.
245
+ class CertificateChains
246
+ include ::Google::Protobuf::MessageExts
247
+ extend ::Google::Protobuf::MessageExts::ClassMethods
248
+ end
249
+
187
250
  # Attestation formats provided by the HSM.
188
251
  module AttestationFormat
189
252
  # Not specified.
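Review bot: The added `cert_chains` description stops mid-sentence ("The certificate chains needed to validate the attestation", with no full stop or continuation), so the documentation for this field is truncated; at minimum it should end `# Output only. The certificate chains needed to validate the attestation.`. The `CertificateChains` comment also does not say where the trust anchor comes from. The chains appear to be returned alongside the attestation they vouch for, so a caller who wants the "independently of Google" check described on `CryptoKeyVersion#attestation` would need root certificates obtained separately. A line such as `# Validate each chain against a root certificate obtained out of band, not one taken from this response.` would make that explicit, once confirmed against the service documentation. The `KeyOperationAttestation` comment block begins above the hunk.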
@@ -199,91 +262,111 @@ module Google
199
262
  end
200
263
  end
201
264
 
202
- # A {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} represents an individual cryptographic key, and the
203
- # associated key material.
265
+ # A {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} represents an
266
+ # individual cryptographic key, and the associated key material.
204
267
  #
205
- # An {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED} version can be
206
- # used for cryptographic operations.
268
+ # An
269
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED}
270
+ # version can be used for cryptographic operations.
207
271
  #
208
272
  # For security reasons, the raw cryptographic key material represented by a
209
- # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} can never be viewed or exported. It can only be used to
210
- # encrypt, decrypt, or sign data when an authorized user or application invokes
211
- # Cloud KMS.
273
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} can never be viewed
274
+ # or exported. It can only be used to encrypt, decrypt, or sign data when an
275
+ # authorized user or application invokes Cloud KMS.
212
276
  # @!attribute [r] name
213
277
  # @return [::String]
214
- # Output only. The resource name for this {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} in the format
278
+ # Output only. The resource name for this
279
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} in the format
215
280
  # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
216
281
  # @!attribute [rw] state
217
282
  # @return [::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState]
218
- # The current state of the {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}.
283
+ # The current state of the
284
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}.
219
285
  # @!attribute [r] protection_level
220
286
  # @return [::Google::Cloud::Kms::V1::ProtectionLevel]
221
- # Output only. The {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} describing how crypto operations are
222
- # performed with this {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}.
287
+ # Output only. The {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel}
288
+ # describing how crypto operations are performed with this
289
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}.
223
290
  # @!attribute [r] algorithm
224
291
  # @return [::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm]
225
- # Output only. The {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm CryptoKeyVersionAlgorithm} that this
226
- # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} supports.
292
+ # Output only. The
293
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm CryptoKeyVersionAlgorithm}
294
+ # that this {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}
295
+ # supports.
227
296
  # @!attribute [r] attestation
228
297
  # @return [::Google::Cloud::Kms::V1::KeyOperationAttestation]
229
298
  # Output only. Statement that was generated and signed by the HSM at key
230
299
  # creation time. Use this statement to verify attributes of the key as stored
231
300
  # on the HSM, independently of Google. Only provided for key versions with
232
- # {::Google::Cloud::Kms::V1::CryptoKeyVersion#protection_level protection_level} {::Google::Cloud::Kms::V1::ProtectionLevel::HSM HSM}.
301
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion#protection_level protection_level}
302
+ # {::Google::Cloud::Kms::V1::ProtectionLevel::HSM HSM}.
233
303
  # @!attribute [r] create_time
234
304
  # @return [::Google::Protobuf::Timestamp]
235
- # Output only. The time at which this {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} was created.
305
+ # Output only. The time at which this
306
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} was created.
236
307
  # @!attribute [r] generate_time
237
308
  # @return [::Google::Protobuf::Timestamp]
238
- # Output only. The time this {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}'s key material was
309
+ # Output only. The time this
310
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}'s key material was
239
311
  # generated.
240
312
  # @!attribute [r] destroy_time
241
313
  # @return [::Google::Protobuf::Timestamp]
242
- # Output only. The time this {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}'s key material is scheduled
243
- # for destruction. Only present if {::Google::Cloud::Kms::V1::CryptoKeyVersion#state state} is
314
+ # Output only. The time this
315
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}'s key material is
316
+ # scheduled for destruction. Only present if
317
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion#state state} is
244
318
  # {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::DESTROY_SCHEDULED DESTROY_SCHEDULED}.
245
319
  # @!attribute [r] destroy_event_time
246
320
  # @return [::Google::Protobuf::Timestamp]
247
321
  # Output only. The time this CryptoKeyVersion's key material was
248
- # destroyed. Only present if {::Google::Cloud::Kms::V1::CryptoKeyVersion#state state} is
322
+ # destroyed. Only present if
323
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion#state state} is
249
324
  # {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::DESTROYED DESTROYED}.
250
325
  # @!attribute [r] import_job
251
326
  # @return [::String]
252
- # Output only. The name of the {::Google::Cloud::Kms::V1::ImportJob ImportJob} used in the most recent import of this
253
- # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}. Only present if the underlying key material was
254
- # imported.
327
+ # Output only. The name of the {::Google::Cloud::Kms::V1::ImportJob ImportJob}
328
+ # used in the most recent import of this
329
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}. Only present if
330
+ # the underlying key material was imported.
255
331
  # @!attribute [r] import_time
256
332
  # @return [::Google::Protobuf::Timestamp]
257
- # Output only. The time at which this {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}'s key material
258
- # was most recently imported.
333
+ # Output only. The time at which this
334
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}'s key material was
335
+ # most recently imported.
259
336
  # @!attribute [r] import_failure_reason
260
337
  # @return [::String]
261
- # Output only. The root cause of the most recent import failure. Only present if
262
- # {::Google::Cloud::Kms::V1::CryptoKeyVersion#state state} is
338
+ # Output only. The root cause of the most recent import failure. Only present
339
+ # if {::Google::Cloud::Kms::V1::CryptoKeyVersion#state state} is
263
340
  # {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::IMPORT_FAILED IMPORT_FAILED}.
264
341
  # @!attribute [rw] external_protection_level_options
265
342
  # @return [::Google::Cloud::Kms::V1::ExternalProtectionLevelOptions]
266
343
  # ExternalProtectionLevelOptions stores a group of additional fields for
267
- # configuring a {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} that are specific to the
268
- # {::Google::Cloud::Kms::V1::ProtectionLevel::EXTERNAL EXTERNAL} protection level.
344
+ # configuring a {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} that
345
+ # are specific to the
346
+ # {::Google::Cloud::Kms::V1::ProtectionLevel::EXTERNAL EXTERNAL} protection level
347
+ # and {::Google::Cloud::Kms::V1::ProtectionLevel::EXTERNAL_VPC EXTERNAL_VPC}
348
+ # protection levels.
269
349
  # @!attribute [r] reimport_eligible
270
350
  # @return [::Boolean]
271
- # Output only. Whether or not this key version is eligible for reimport, by being
272
- # specified as a target in
351
+ # Output only. Whether or not this key version is eligible for reimport, by
352
+ # being specified as a target in
273
353
  # {::Google::Cloud::Kms::V1::ImportCryptoKeyVersionRequest#crypto_key_version ImportCryptoKeyVersionRequest.crypto_key_version}.
274
354
  class CryptoKeyVersion
275
355
  include ::Google::Protobuf::MessageExts
276
356
  extend ::Google::Protobuf::MessageExts::ClassMethods
277
357
 
278
- # The algorithm of the {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}, indicating what
358
+ # The algorithm of the
359
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}, indicating what
279
360
  # parameters must be used for each cryptographic operation.
280
361
  #
281
362
  # The
282
363
  # {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm::GOOGLE_SYMMETRIC_ENCRYPTION GOOGLE_SYMMETRIC_ENCRYPTION}
283
- # algorithm is usable with {::Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey.purpose}
364
+ # algorithm is usable with
365
+ # {::Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey.purpose}
284
366
  # {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT}.
285
367
  #
286
- # Algorithms beginning with "RSA_SIGN_" are usable with {::Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey.purpose}
368
+ # Algorithms beginning with "RSA_SIGN_" are usable with
369
+ # {::Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey.purpose}
287
370
  # {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ASYMMETRIC_SIGN ASYMMETRIC_SIGN}.
288
371
  #
289
372
  # The fields in the name after "RSA_SIGN_" correspond to the following
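Review bot: The reworded `external_protection_level_options` comment now reads "specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels", which repeats the noun and mixes singular with plural. Suggest ending the sentence as `# {::Google::Cloud::Kms::V1::ProtectionLevel::EXTERNAL EXTERNAL} and` followed by `# {::Google::Cloud::Kms::V1::ProtectionLevel::EXTERNAL_VPC EXTERNAL_VPC} protection levels.`. The other changes in this hunk are re-wrapping only.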
@@ -301,13 +384,15 @@ module Google
301
384
  # The fields in the name after "RSA_DECRYPT_" correspond to the following
302
385
  # parameters: padding algorithm, modulus bit length, and digest algorithm.
303
386
  #
304
- # Algorithms beginning with "EC_SIGN_" are usable with {::Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey.purpose}
387
+ # Algorithms beginning with "EC_SIGN_" are usable with
388
+ # {::Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey.purpose}
305
389
  # {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ASYMMETRIC_SIGN ASYMMETRIC_SIGN}.
306
390
  #
307
391
  # The fields in the name after "EC_SIGN_" correspond to the following
308
392
  # parameters: elliptic curve, digest algorithm.
309
393
  #
310
- # Algorithms beginning with "HMAC_" are usable with {::Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey.purpose}
394
+ # Algorithms beginning with "HMAC_" are usable with
395
+ # {::Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey.purpose}
311
396
  # {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::MAC MAC}.
312
397
  #
313
398
  # The suffix following "HMAC_" corresponds to the hash algorithm being used
@@ -393,39 +478,50 @@ module Google
393
478
  EXTERNAL_SYMMETRIC_ENCRYPTION = 18
394
479
  end
395
480
 
396
- # The state of a {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}, indicating if it can be used.
481
+ # The state of a {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion},
482
+ # indicating if it can be used.
397
483
  module CryptoKeyVersionState
398
484
  # Not specified.
399
485
  CRYPTO_KEY_VERSION_STATE_UNSPECIFIED = 0
400
486
 
401
487
  # This version is still being generated. It may not be used, enabled,
402
488
  # disabled, or destroyed yet. Cloud KMS will automatically mark this
403
- # version {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED} as soon as the version is ready.
489
+ # version
490
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED}
491
+ # as soon as the version is ready.
404
492
  PENDING_GENERATION = 5
405
493
 
406
494
  # This version may be used for cryptographic operations.
407
495
  ENABLED = 1
408
496
 
409
497
  # This version may not be used, but the key material is still available,
410
- # and the version can be placed back into the {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED} state.
498
+ # and the version can be placed back into the
499
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED}
500
+ # state.
411
501
  DISABLED = 2
412
502
 
413
503
  # This version is destroyed, and the key material is no longer stored.
414
- # This version may only become {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED} again if this version is
415
- # {::Google::Cloud::Kms::V1::CryptoKeyVersion#reimport_eligible reimport_eligible} and the original
416
- # key material is reimported with a call to
504
+ # This version may only become
505
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED}
506
+ # again if this version is
507
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion#reimport_eligible reimport_eligible}
508
+ # and the original key material is reimported with a call to
417
509
  # {::Google::Cloud::Kms::V1::KeyManagementService::Client#import_crypto_key_version KeyManagementService.ImportCryptoKeyVersion}.
418
510
  DESTROYED = 3
419
511
 
420
512
  # This version is scheduled for destruction, and will be destroyed soon.
421
513
  # Call
422
514
  # {::Google::Cloud::Kms::V1::KeyManagementService::Client#restore_crypto_key_version RestoreCryptoKeyVersion}
423
- # to put it back into the {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::DISABLED DISABLED} state.
515
+ # to put it back into the
516
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::DISABLED DISABLED}
517
+ # state.
424
518
  DESTROY_SCHEDULED = 4
425
519
 
426
520
  # This version is still being imported. It may not be used, enabled,
427
521
  # disabled, or destroyed yet. Cloud KMS will automatically mark this
428
- # version {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED} as soon as the version is ready.
522
+ # version
523
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED}
524
+ # as soon as the version is ready.
429
525
  PENDING_IMPORT = 6
430
526
 
431
527
  # This version was not imported successfully. It may not be used, enabled,
@@ -435,22 +531,28 @@ module Google
435
531
  IMPORT_FAILED = 7
436
532
  end
437
533
 
438
- # A view for {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}s. Controls the level of detail returned
439
- # for {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersions} in
440
- # {::Google::Cloud::Kms::V1::KeyManagementService::Client#list_crypto_key_versions KeyManagementService.ListCryptoKeyVersions} and
534
+ # A view for {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}s.
535
+ # Controls the level of detail returned for
536
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersions} in
537
+ # {::Google::Cloud::Kms::V1::KeyManagementService::Client#list_crypto_key_versions KeyManagementService.ListCryptoKeyVersions}
538
+ # and
441
539
  # {::Google::Cloud::Kms::V1::KeyManagementService::Client#list_crypto_keys KeyManagementService.ListCryptoKeys}.
442
540
  module CryptoKeyVersionView
443
- # Default view for each {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}. Does not include
444
- # the {::Google::Cloud::Kms::V1::CryptoKeyVersion#attestation attestation} field.
541
+ # Default view for each
542
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}. Does not
543
+ # include the
544
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion#attestation attestation} field.
445
545
  CRYPTO_KEY_VERSION_VIEW_UNSPECIFIED = 0
446
546
 
447
- # Provides all fields in each {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}, including the
547
+ # Provides all fields in each
548
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}, including the
448
549
  # {::Google::Cloud::Kms::V1::CryptoKeyVersion#attestation attestation}.
449
550
  FULL = 1
450
551
  end
451
552
  end
452
553
 
453
- # The public key for a given {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}. Obtained via
554
+ # The public key for a given
555
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}. Obtained via
454
556
  # {::Google::Cloud::Kms::V1::KeyManagementService::Client#get_public_key GetPublicKey}.
455
557
  # @!attribute [rw] pem
456
558
  # @return [::String]
@@ -461,17 +563,19 @@ module Google
461
563
  # (https://tools.ietf.org/html/rfc7468#section-13).
462
564
  # @!attribute [rw] algorithm
463
565
  # @return [::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm]
464
- # The {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm Algorithm} associated
465
- # with this key.
566
+ # The
567
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm Algorithm}
568
+ # associated with this key.
466
569
  # @!attribute [rw] pem_crc32c
467
570
  # @return [::Google::Protobuf::Int64Value]
468
571
  # Integrity verification field. A CRC32C checksum of the returned
469
- # {::Google::Cloud::Kms::V1::PublicKey#pem PublicKey.pem}. An integrity check of {::Google::Cloud::Kms::V1::PublicKey#pem PublicKey.pem} can be performed
470
- # by computing the CRC32C checksum of {::Google::Cloud::Kms::V1::PublicKey#pem PublicKey.pem} and
471
- # comparing your results to this field. Discard the response in case of
472
- # non-matching checksum values, and perform a limited number of retries. A
473
- # persistent mismatch may indicate an issue in your computation of the CRC32C
474
- # checksum.
572
+ # {::Google::Cloud::Kms::V1::PublicKey#pem PublicKey.pem}. An integrity check of
573
+ # {::Google::Cloud::Kms::V1::PublicKey#pem PublicKey.pem} can be performed by
574
+ # computing the CRC32C checksum of
575
+ # {::Google::Cloud::Kms::V1::PublicKey#pem PublicKey.pem} and comparing your
576
+ # results to this field. Discard the response in case of non-matching
577
+ # checksum values, and perform a limited number of retries. A persistent
578
+ # mismatch may indicate an issue in your computation of the CRC32C checksum.
475
579
  # Note: This field is defined as int64 for reasons of compatibility across
476
580
  # different languages. However, it is a non-negative integer, which will
477
581
  # never exceed 2^32-1, and can be safely downconverted to uint32 in languages
@@ -480,76 +584,92 @@ module Google
480
584
  # NOTE: This field is in Beta.
481
585
  # @!attribute [rw] name
482
586
  # @return [::String]
483
- # The {::Google::Cloud::Kms::V1::CryptoKeyVersion#name name} of the {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} public key.
587
+ # The {::Google::Cloud::Kms::V1::CryptoKeyVersion#name name} of the
588
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} public key.
484
589
  # Provided here for verification.
485
590
  #
486
591
  # NOTE: This field is in Beta.
487
592
  # @!attribute [rw] protection_level
488
593
  # @return [::Google::Cloud::Kms::V1::ProtectionLevel]
489
- # The {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} of the {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} public key.
594
+ # The {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} of the
595
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} public key.
490
596
  class PublicKey
491
597
  include ::Google::Protobuf::MessageExts
492
598
  extend ::Google::Protobuf::MessageExts::ClassMethods
493
599
  end
494
600
 
495
- # An {::Google::Cloud::Kms::V1::ImportJob ImportJob} can be used to create {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} and
496
- # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersions} using pre-existing key material,
497
- # generated outside of Cloud KMS.
601
+ # An {::Google::Cloud::Kms::V1::ImportJob ImportJob} can be used to create
602
+ # {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} and
603
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersions} using pre-existing
604
+ # key material, generated outside of Cloud KMS.
498
605
  #
499
- # When an {::Google::Cloud::Kms::V1::ImportJob ImportJob} is created, Cloud KMS will generate a "wrapping key",
500
- # which is a public/private key pair. You use the wrapping key to encrypt (also
501
- # known as wrap) the pre-existing key material to protect it during the import
502
- # process. The nature of the wrapping key depends on the choice of
503
- # {::Google::Cloud::Kms::V1::ImportJob#import_method import_method}. When the wrapping key generation
504
- # is complete, the {::Google::Cloud::Kms::V1::ImportJob#state state} will be set to
505
- # {::Google::Cloud::Kms::V1::ImportJob::ImportJobState::ACTIVE ACTIVE} and the {::Google::Cloud::Kms::V1::ImportJob#public_key public_key}
506
- # can be fetched. The fetched public key can then be used to wrap your
507
- # pre-existing key material.
606
+ # When an {::Google::Cloud::Kms::V1::ImportJob ImportJob} is created, Cloud KMS will
607
+ # generate a "wrapping key", which is a public/private key pair. You use the
608
+ # wrapping key to encrypt (also known as wrap) the pre-existing key material to
609
+ # protect it during the import process. The nature of the wrapping key depends
610
+ # on the choice of
611
+ # {::Google::Cloud::Kms::V1::ImportJob#import_method import_method}. When the
612
+ # wrapping key generation is complete, the
613
+ # {::Google::Cloud::Kms::V1::ImportJob#state state} will be set to
614
+ # {::Google::Cloud::Kms::V1::ImportJob::ImportJobState::ACTIVE ACTIVE} and the
615
+ # {::Google::Cloud::Kms::V1::ImportJob#public_key public_key} can be fetched. The
616
+ # fetched public key can then be used to wrap your pre-existing key material.
508
617
  #
509
618
  # Once the key material is wrapped, it can be imported into a new
510
- # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} in an existing {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} by calling
619
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} in an existing
620
+ # {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} by calling
511
621
  # {::Google::Cloud::Kms::V1::KeyManagementService::Client#import_crypto_key_version ImportCryptoKeyVersion}.
512
- # Multiple {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersions} can be imported with a single
513
- # {::Google::Cloud::Kms::V1::ImportJob ImportJob}. Cloud KMS uses the private key portion of the wrapping key to
514
- # unwrap the key material. Only Cloud KMS has access to the private key.
622
+ # Multiple {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersions} can be
623
+ # imported with a single {::Google::Cloud::Kms::V1::ImportJob ImportJob}. Cloud KMS
624
+ # uses the private key portion of the wrapping key to unwrap the key material.
625
+ # Only Cloud KMS has access to the private key.
515
626
  #
516
- # An {::Google::Cloud::Kms::V1::ImportJob ImportJob} expires 3 days after it is created. Once expired, Cloud KMS
517
- # will no longer be able to import or unwrap any key material that was wrapped
518
- # with the {::Google::Cloud::Kms::V1::ImportJob ImportJob}'s public key.
627
+ # An {::Google::Cloud::Kms::V1::ImportJob ImportJob} expires 3 days after it is
628
+ # created. Once expired, Cloud KMS will no longer be able to import or unwrap
629
+ # any key material that was wrapped with the
630
+ # {::Google::Cloud::Kms::V1::ImportJob ImportJob}'s public key.
519
631
  #
520
632
  # For more information, see
521
633
  # [Importing a key](https://cloud.google.com/kms/docs/importing-a-key).
522
634
  # @!attribute [r] name
523
635
  # @return [::String]
524
- # Output only. The resource name for this {::Google::Cloud::Kms::V1::ImportJob ImportJob} in the format
636
+ # Output only. The resource name for this
637
+ # {::Google::Cloud::Kms::V1::ImportJob ImportJob} in the format
525
638
  # `projects/*/locations/*/keyRings/*/importJobs/*`.
526
639
  # @!attribute [rw] import_method
527
640
  # @return [::Google::Cloud::Kms::V1::ImportJob::ImportMethod]
528
- # Required. Immutable. The wrapping method to be used for incoming key material.
641
+ # Required. Immutable. The wrapping method to be used for incoming key
642
+ # material.
529
643
  # @!attribute [rw] protection_level
530
644
  # @return [::Google::Cloud::Kms::V1::ProtectionLevel]
531
- # Required. Immutable. The protection level of the {::Google::Cloud::Kms::V1::ImportJob ImportJob}. This must match the
532
- # {::Google::Cloud::Kms::V1::CryptoKeyVersionTemplate#protection_level protection_level} of the
533
- # {::Google::Cloud::Kms::V1::CryptoKey#version_template version_template} on the {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} you
534
- # attempt to import into.
645
+ # Required. Immutable. The protection level of the
646
+ # {::Google::Cloud::Kms::V1::ImportJob ImportJob}. This must match the
647
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersionTemplate#protection_level protection_level}
648
+ # of the {::Google::Cloud::Kms::V1::CryptoKey#version_template version_template}
649
+ # on the {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} you attempt to import
650
+ # into.
535
651
  # @!attribute [r] create_time
536
652
  # @return [::Google::Protobuf::Timestamp]
537
- # Output only. The time at which this {::Google::Cloud::Kms::V1::ImportJob ImportJob} was created.
653
+ # Output only. The time at which this
654
+ # {::Google::Cloud::Kms::V1::ImportJob ImportJob} was created.
538
655
  # @!attribute [r] generate_time
539
656
  # @return [::Google::Protobuf::Timestamp]
540
- # Output only. The time this {::Google::Cloud::Kms::V1::ImportJob ImportJob}'s key material was generated.
657
+ # Output only. The time this {::Google::Cloud::Kms::V1::ImportJob ImportJob}'s key
658
+ # material was generated.
541
659
  # @!attribute [r] expire_time
542
660
  # @return [::Google::Protobuf::Timestamp]
543
- # Output only. The time at which this {::Google::Cloud::Kms::V1::ImportJob ImportJob} is scheduled for
544
- # expiration and can no longer be used to import key material.
661
+ # Output only. The time at which this
662
+ # {::Google::Cloud::Kms::V1::ImportJob ImportJob} is scheduled for expiration and
663
+ # can no longer be used to import key material.
545
664
  # @!attribute [r] expire_event_time
546
665
  # @return [::Google::Protobuf::Timestamp]
547
- # Output only. The time this {::Google::Cloud::Kms::V1::ImportJob ImportJob} expired. Only present if
548
- # {::Google::Cloud::Kms::V1::ImportJob#state state} is {::Google::Cloud::Kms::V1::ImportJob::ImportJobState::EXPIRED EXPIRED}.
666
+ # Output only. The time this {::Google::Cloud::Kms::V1::ImportJob ImportJob}
667
+ # expired. Only present if {::Google::Cloud::Kms::V1::ImportJob#state state} is
668
+ # {::Google::Cloud::Kms::V1::ImportJob::ImportJobState::EXPIRED EXPIRED}.
549
669
  # @!attribute [r] state
550
670
  # @return [::Google::Cloud::Kms::V1::ImportJob::ImportJobState]
551
- # Output only. The current state of the {::Google::Cloud::Kms::V1::ImportJob ImportJob}, indicating if it can
552
- # be used.
671
+ # Output only. The current state of the
672
+ # {::Google::Cloud::Kms::V1::ImportJob ImportJob}, indicating if it can be used.
553
673
  # @!attribute [r] public_key
554
674
  # @return [::Google::Cloud::Kms::V1::ImportJob::WrappingPublicKey]
555
675
  # Output only. The public key with which to wrap key material prior to
@@ -560,14 +680,16 @@ module Google
560
680
  # Output only. Statement that was generated and signed by the key creator
561
681
  # (for example, an HSM) at key creation time. Use this statement to verify
562
682
  # attributes of the key as stored on the HSM, independently of Google.
563
- # Only present if the chosen {::Google::Cloud::Kms::V1::ImportJob::ImportMethod ImportMethod} is one with a protection
564
- # level of {::Google::Cloud::Kms::V1::ProtectionLevel::HSM HSM}.
683
+ # Only present if the chosen
684
+ # {::Google::Cloud::Kms::V1::ImportJob::ImportMethod ImportMethod} is one with a
685
+ # protection level of {::Google::Cloud::Kms::V1::ProtectionLevel::HSM HSM}.
565
686
  class ImportJob
566
687
  include ::Google::Protobuf::MessageExts
567
688
  extend ::Google::Protobuf::MessageExts::ClassMethods
568
689
 
569
690
  # The public key component of the wrapping key. For details of the type of
570
- # key this public key corresponds to, see the {::Google::Cloud::Kms::V1::ImportJob::ImportMethod ImportMethod}.
691
+ # key this public key corresponds to, see the
692
+ # {::Google::Cloud::Kms::V1::ImportJob::ImportMethod ImportMethod}.
571
693
  # @!attribute [rw] pem
572
694
  # @return [::String]
573
695
  # The public key, encoded in PEM format. For more information, see the [RFC
@@ -580,7 +702,8 @@ module Google
580
702
  extend ::Google::Protobuf::MessageExts::ClassMethods
581
703
  end
582
704
 
583
- # {::Google::Cloud::Kms::V1::ImportJob::ImportMethod ImportMethod} describes the key wrapping method chosen for this
705
+ # {::Google::Cloud::Kms::V1::ImportJob::ImportMethod ImportMethod} describes the
706
+ # key wrapping method chosen for this
584
707
  # {::Google::Cloud::Kms::V1::ImportJob ImportJob}.
585
708
  module ImportMethod
586
709
  # Not specified.
@@ -603,18 +726,21 @@ module Google
603
726
  RSA_OAEP_4096_SHA1_AES_256 = 2
604
727
  end
605
728
 
606
- # The state of the {::Google::Cloud::Kms::V1::ImportJob ImportJob}, indicating if it can be used.
729
+ # The state of the {::Google::Cloud::Kms::V1::ImportJob ImportJob}, indicating if
730
+ # it can be used.
607
731
  module ImportJobState
608
732
  # Not specified.
609
733
  IMPORT_JOB_STATE_UNSPECIFIED = 0
610
734
 
611
735
  # The wrapping key for this job is still being generated. It may not be
612
736
  # used. Cloud KMS will automatically mark this job as
613
- # {::Google::Cloud::Kms::V1::ImportJob::ImportJobState::ACTIVE ACTIVE} as soon as the wrapping key is generated.
737
+ # {::Google::Cloud::Kms::V1::ImportJob::ImportJobState::ACTIVE ACTIVE} as soon as
738
+ # the wrapping key is generated.
614
739
  PENDING_GENERATION = 1
615
740
 
616
741
  # This job may be used in
617
- # {::Google::Cloud::Kms::V1::KeyManagementService::Client#create_crypto_key CreateCryptoKey} and
742
+ # {::Google::Cloud::Kms::V1::KeyManagementService::Client#create_crypto_key CreateCryptoKey}
743
+ # and
618
744
  # {::Google::Cloud::Kms::V1::KeyManagementService::Client#create_crypto_key_version CreateCryptoKeyVersion}
619
745
  # requests.
620
746
  ACTIVE = 2
@@ -625,19 +751,29 @@ module Google
625
751
  end
626
752
 
627
753
  # ExternalProtectionLevelOptions stores a group of additional fields for
628
- # configuring a {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} that are specific to the
629
- # {::Google::Cloud::Kms::V1::ProtectionLevel::EXTERNAL EXTERNAL} protection level.
754
+ # configuring a {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} that
755
+ # are specific to the {::Google::Cloud::Kms::V1::ProtectionLevel::EXTERNAL EXTERNAL}
756
+ # protection level and
757
+ # {::Google::Cloud::Kms::V1::ProtectionLevel::EXTERNAL_VPC EXTERNAL_VPC} protection
758
+ # levels.
630
759
  # @!attribute [rw] external_key_uri
631
760
  # @return [::String]
632
- # The URI for an external resource that this {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} represents.
761
+ # The URI for an external resource that this
762
+ # {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} represents.
763
+ # @!attribute [rw] ekm_connection_key_path
764
+ # @return [::String]
765
+ # The path to the external key material on the EKM when using
766
+ # {::Google::Cloud::Kms::V1::EkmConnection EkmConnection} e.g., "v0/my/key". Set
767
+ # this field instead of external_key_uri when using an
768
+ # {::Google::Cloud::Kms::V1::EkmConnection EkmConnection}.
633
769
  class ExternalProtectionLevelOptions
634
770
  include ::Google::Protobuf::MessageExts
635
771
  extend ::Google::Protobuf::MessageExts::ClassMethods
636
772
  end
637
773
 
638
- # {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} specifies how cryptographic operations are performed.
639
- # For more information, see [Protection levels]
640
- # (https://cloud.google.com/kms/docs/algorithms#protection_levels).
774
+ # {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} specifies how
775
+ # cryptographic operations are performed. For more information, see [Protection
776
+ # levels] (https://cloud.google.com/kms/docs/algorithms#protection_levels).
641
777
  module ProtectionLevel
642
778
  # Not specified.
643
779
  PROTECTION_LEVEL_UNSPECIFIED = 0
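Review bot: The new `ekm_connection_key_path` entry says to set it instead of `external_key_uri` when an EkmConnection is used, but the `external_key_uri` entry just above it was not updated to say the reverse. Neither entry states what happens when both are set. These two fields decide which external key material a CryptoKeyVersion refers to, so the exclusivity should be readable from either one; I would add a line to `external_key_uri` such as `# Leave unset when ekm_connection_key_path is used.`, with the wording confirmed against the service behaviour, which is not visible in this hunk. The class summary also reads awkwardly ("EXTERNAL protection level and EXTERNAL_VPC protection levels") and would be clearer ending in `# ... that are specific to the EXTERNAL and EXTERNAL_VPC protection levels.` with the two links kept.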
@@ -650,6 +786,9 @@ module Google
650
786
 
651
787
  # Crypto operations are performed by an external key manager.
652
788
  EXTERNAL = 3
789
+
790
+ # Crypto operations are performed in an EKM-over-VPC backend.
791
+ EXTERNAL_VPC = 4
653
792
  end
654
793
  end
655
794
  end
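Review bot: The comment on `EXTERNAL_VPC = 4` uses "EKM" without expanding it, while the `EXTERNAL` entry directly above spells out "external key manager". A reader comparing the two values cannot tell from the text that both keep key material outside Cloud KMS. I would word it in parallel, e.g. `# Crypto operations are performed by an external key manager (EKM) reached over a VPC.`, assuming that is what "EKM-over-VPC backend" means here. Callers that compare a ProtectionLevel against `EXTERNAL` alone to decide whether a key is externally held would presumably not match the new value, so that is worth stating where the enum is documented. The `ProtectionLevel` module opens outside this hunk.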