google-cloud-kms-v1 0.6.0 → 0.8.0

data/lib/google/cloud/kms/v1/resources_pb.rb

@@ -23,6 +23,8 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
       optional :next_rotation_time, :message, 7, "google.protobuf.Timestamp"
       optional :version_template, :message, 11, "google.cloud.kms.v1.CryptoKeyVersionTemplate"
       map :labels, :string, :string, 10
+      optional :import_only, :bool, 13
+      optional :destroy_scheduled_duration, :message, 14, "google.protobuf.Duration"
       oneof :rotation_schedule do
         optional :rotation_period, :message, 8, "google.protobuf.Duration"
       end
@@ -32,6 +34,7 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
       value :ENCRYPT_DECRYPT, 1
       value :ASYMMETRIC_SIGN, 5
       value :ASYMMETRIC_DECRYPT, 6
+      value :MAC, 9
     end
     add_message "google.cloud.kms.v1.CryptoKeyVersionTemplate" do
       optional :protection_level, :enum, 1, "google.cloud.kms.v1.ProtectionLevel"
@@ -60,6 +63,7 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
       optional :import_time, :message, 15, "google.protobuf.Timestamp"
       optional :import_failure_reason, :string, 16
       optional :external_protection_level_options, :message, 17, "google.cloud.kms.v1.ExternalProtectionLevelOptions"
+      optional :reimport_eligible, :bool, 18
     end
     add_enum "google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm" do
       value :CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED, 0
@@ -79,6 +83,7 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
       value :EC_SIGN_P256_SHA256, 12
       value :EC_SIGN_P384_SHA384, 13
       value :EC_SIGN_SECP256K1_SHA256, 31
+      value :HMAC_SHA256, 32
       value :EXTERNAL_SYMMETRIC_ENCRYPTION, 18
     end
     add_enum "google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState" do
@@ -100,6 +105,7 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
       optional :algorithm, :enum, 2, "google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm"
       optional :pem_crc32c, :message, 3, "google.protobuf.Int64Value"
       optional :name, :string, 4
+      optional :protection_level, :enum, 5, "google.cloud.kms.v1.ProtectionLevel"
     end
     add_message "google.cloud.kms.v1.ImportJob" do
       optional :name, :string, 1

data/lib/google/cloud/kms/v1/service_pb.rb

@@ -94,6 +94,7 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
     end
     add_message "google.cloud.kms.v1.ImportCryptoKeyVersionRequest" do
       optional :parent, :string, 1
+      optional :crypto_key_version, :string, 6
       optional :algorithm, :enum, 2, "google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm"
       optional :import_job, :string, 4
       oneof :wrapped_key_material do
@@ -113,6 +114,16 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
       optional :crypto_key_version, :message, 1, "google.cloud.kms.v1.CryptoKeyVersion"
       optional :update_mask, :message, 2, "google.protobuf.FieldMask"
     end
+    add_message "google.cloud.kms.v1.UpdateCryptoKeyPrimaryVersionRequest" do
+      optional :name, :string, 1
+      optional :crypto_key_version_id, :string, 2
+    end
+    add_message "google.cloud.kms.v1.DestroyCryptoKeyVersionRequest" do
+      optional :name, :string, 1
+    end
+    add_message "google.cloud.kms.v1.RestoreCryptoKeyVersionRequest" do
+      optional :name, :string, 1
+    end
     add_message "google.cloud.kms.v1.EncryptRequest" do
       optional :name, :string, 1
       optional :plaintext, :bytes, 2
@@ -137,9 +148,22 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
       optional :ciphertext, :bytes, 3
       optional :ciphertext_crc32c, :message, 4, "google.protobuf.Int64Value"
     end
-    add_message "google.cloud.kms.v1.DecryptResponse" do
-      optional :plaintext, :bytes, 1
-      optional :plaintext_crc32c, :message, 2, "google.protobuf.Int64Value"
+    add_message "google.cloud.kms.v1.MacSignRequest" do
+      optional :name, :string, 1
+      optional :data, :bytes, 2
+      optional :data_crc32c, :message, 3, "google.protobuf.Int64Value"
+    end
+    add_message "google.cloud.kms.v1.MacVerifyRequest" do
+      optional :name, :string, 1
+      optional :data, :bytes, 2
+      optional :data_crc32c, :message, 3, "google.protobuf.Int64Value"
+      optional :mac, :bytes, 4
+      optional :mac_crc32c, :message, 5, "google.protobuf.Int64Value"
+    end
+    add_message "google.cloud.kms.v1.GenerateRandomBytesRequest" do
+      optional :location, :string, 1
+      optional :length_bytes, :int32, 2
+      optional :protection_level, :enum, 3, "google.cloud.kms.v1.ProtectionLevel"
     end
     add_message "google.cloud.kms.v1.EncryptResponse" do
       optional :name, :string, 1
@@ -147,27 +171,45 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
       optional :ciphertext_crc32c, :message, 4, "google.protobuf.Int64Value"
       optional :verified_plaintext_crc32c, :bool, 5
       optional :verified_additional_authenticated_data_crc32c, :bool, 6
+      optional :protection_level, :enum, 7, "google.cloud.kms.v1.ProtectionLevel"
+    end
+    add_message "google.cloud.kms.v1.DecryptResponse" do
+      optional :plaintext, :bytes, 1
+      optional :plaintext_crc32c, :message, 2, "google.protobuf.Int64Value"
+      optional :used_primary, :bool, 3
+      optional :protection_level, :enum, 4, "google.cloud.kms.v1.ProtectionLevel"
     end
     add_message "google.cloud.kms.v1.AsymmetricSignResponse" do
       optional :signature, :bytes, 1
       optional :signature_crc32c, :message, 2, "google.protobuf.Int64Value"
       optional :verified_digest_crc32c, :bool, 3
       optional :name, :string, 4
+      optional :protection_level, :enum, 6, "google.cloud.kms.v1.ProtectionLevel"
     end
     add_message "google.cloud.kms.v1.AsymmetricDecryptResponse" do
       optional :plaintext, :bytes, 1
       optional :plaintext_crc32c, :message, 2, "google.protobuf.Int64Value"
       optional :verified_ciphertext_crc32c, :bool, 3
+      optional :protection_level, :enum, 4, "google.cloud.kms.v1.ProtectionLevel"
     end
-    add_message "google.cloud.kms.v1.UpdateCryptoKeyPrimaryVersionRequest" do
+    add_message "google.cloud.kms.v1.MacSignResponse" do
       optional :name, :string, 1
-      optional :crypto_key_version_id, :string, 2
+      optional :mac, :bytes, 2
+      optional :mac_crc32c, :message, 3, "google.protobuf.Int64Value"
+      optional :verified_data_crc32c, :bool, 4
+      optional :protection_level, :enum, 5, "google.cloud.kms.v1.ProtectionLevel"
     end
-    add_message "google.cloud.kms.v1.DestroyCryptoKeyVersionRequest" do
+    add_message "google.cloud.kms.v1.MacVerifyResponse" do
       optional :name, :string, 1
+      optional :success, :bool, 2
+      optional :verified_data_crc32c, :bool, 3
+      optional :verified_mac_crc32c, :bool, 4
+      optional :verified_success_integrity, :bool, 5
+      optional :protection_level, :enum, 6, "google.cloud.kms.v1.ProtectionLevel"
     end
-    add_message "google.cloud.kms.v1.RestoreCryptoKeyVersionRequest" do
-      optional :name, :string, 1
+    add_message "google.cloud.kms.v1.GenerateRandomBytesResponse" do
+      optional :data, :bytes, 1
+      optional :data_crc32c, :message, 3, "google.protobuf.Int64Value"
     end
     add_message "google.cloud.kms.v1.Digest" do
       oneof :digest do
@@ -207,17 +249,23 @@ module Google
         CreateImportJobRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.CreateImportJobRequest").msgclass
         UpdateCryptoKeyRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.UpdateCryptoKeyRequest").msgclass
         UpdateCryptoKeyVersionRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.UpdateCryptoKeyVersionRequest").msgclass
+        UpdateCryptoKeyPrimaryVersionRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.UpdateCryptoKeyPrimaryVersionRequest").msgclass
+        DestroyCryptoKeyVersionRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.DestroyCryptoKeyVersionRequest").msgclass
+        RestoreCryptoKeyVersionRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.RestoreCryptoKeyVersionRequest").msgclass
         EncryptRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.EncryptRequest").msgclass
         DecryptRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.DecryptRequest").msgclass
         AsymmetricSignRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.AsymmetricSignRequest").msgclass
         AsymmetricDecryptRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.AsymmetricDecryptRequest").msgclass
-        DecryptResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.DecryptResponse").msgclass
+        MacSignRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.MacSignRequest").msgclass
+        MacVerifyRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.MacVerifyRequest").msgclass
+        GenerateRandomBytesRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.GenerateRandomBytesRequest").msgclass
         EncryptResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.EncryptResponse").msgclass
+        DecryptResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.DecryptResponse").msgclass
         AsymmetricSignResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.AsymmetricSignResponse").msgclass
         AsymmetricDecryptResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.AsymmetricDecryptResponse").msgclass
-        UpdateCryptoKeyPrimaryVersionRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.UpdateCryptoKeyPrimaryVersionRequest").msgclass
-        DestroyCryptoKeyVersionRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.DestroyCryptoKeyVersionRequest").msgclass
-        RestoreCryptoKeyVersionRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.RestoreCryptoKeyVersionRequest").msgclass
+        MacSignResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.MacSignResponse").msgclass
+        MacVerifyResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.MacVerifyResponse").msgclass
+        GenerateRandomBytesResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.GenerateRandomBytesResponse").msgclass
         Digest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.Digest").msgclass
         LocationMetadata = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.LocationMetadata").msgclass
       end

data/lib/google/cloud/kms/v1/service_services_pb.rb

@@ -38,7 +38,7 @@ module Google
           # [Using gRPC with Cloud KMS](https://cloud.google.com/kms/docs/grpc).
           class Service
 
-            include ::GRPC::GenericService
+            include GRPC::GenericService
 
             self.marshal_class_method = :encode
             self.unmarshal_class_method = :decode
@@ -80,11 +80,12 @@ module Google
             # [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to
             # [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED].
             rpc :CreateCryptoKeyVersion, ::Google::Cloud::Kms::V1::CreateCryptoKeyVersionRequest, ::Google::Cloud::Kms::V1::CryptoKeyVersion
-            # Imports a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] into an existing [CryptoKey][google.cloud.kms.v1.CryptoKey] using the
-            # wrapped key material provided in the request.
+            # Import wrapped key material into a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
             #
-            # The version ID will be assigned the next sequential id within the
-            # [CryptoKey][google.cloud.kms.v1.CryptoKey].
+            # All requests must specify a [CryptoKey][google.cloud.kms.v1.CryptoKey]. If a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] is
+            # additionally specified in the request, key material will be reimported into
+            # that version. Otherwise, a new version will be created, and will be
+            # assigned the next sequential id within the [CryptoKey][google.cloud.kms.v1.CryptoKey].
             rpc :ImportCryptoKeyVersion, ::Google::Cloud::Kms::V1::ImportCryptoKeyVersionRequest, ::Google::Cloud::Kms::V1::CryptoKeyVersion
             # Create a new [ImportJob][google.cloud.kms.v1.ImportJob] within a [KeyRing][google.cloud.kms.v1.KeyRing].
             #
@@ -100,21 +101,6 @@ module Google
             # method. See [DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion] and [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion] to
             # move between other states.
             rpc :UpdateCryptoKeyVersion, ::Google::Cloud::Kms::V1::UpdateCryptoKeyVersionRequest, ::Google::Cloud::Kms::V1::CryptoKeyVersion
-            # Encrypts data, so that it can only be recovered by a call to [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
-            # The [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be
-            # [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
-            rpc :Encrypt, ::Google::Cloud::Kms::V1::EncryptRequest, ::Google::Cloud::Kms::V1::EncryptResponse
-            # Decrypts data that was protected by [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. The [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
-            # must be [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
-            rpc :Decrypt, ::Google::Cloud::Kms::V1::DecryptRequest, ::Google::Cloud::Kms::V1::DecryptResponse
-            # Signs data using a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
-            # ASYMMETRIC_SIGN, producing a signature that can be verified with the public
-            # key retrieved from [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
-            rpc :AsymmetricSign, ::Google::Cloud::Kms::V1::AsymmetricSignRequest, ::Google::Cloud::Kms::V1::AsymmetricSignResponse
-            # Decrypts data that was encrypted with a public key retrieved from
-            # [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey] corresponding to a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
-            # [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] ASYMMETRIC_DECRYPT.
-            rpc :AsymmetricDecrypt, ::Google::Cloud::Kms::V1::AsymmetricDecryptRequest, ::Google::Cloud::Kms::V1::AsymmetricDecryptResponse
             # Update the version of a [CryptoKey][google.cloud.kms.v1.CryptoKey] that will be used in [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
             #
             # Returns an error if called on a key whose purpose is not
@@ -123,10 +109,11 @@ module Google
             # Schedule a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] for destruction.
             #
             # Upon calling this method, [CryptoKeyVersion.state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to
-            # [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED]
-            # and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] will be set to a time 24
-            # hours in the future, at which point the [state][google.cloud.kms.v1.CryptoKeyVersion.state]
-            # will be changed to
+            # [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED],
+            # and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] will be set to the time
+            # [destroy_scheduled_duration][google.cloud.kms.v1.CryptoKey.destroy_scheduled_duration] in the
+            # future. At that time, the [state][google.cloud.kms.v1.CryptoKeyVersion.state] will
+            # automatically change to
             # [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED], and the key
             # material will be irrevocably destroyed.
             #
@@ -141,6 +128,32 @@ module Google
             # will be set to [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED],
             # and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] will be cleared.
             rpc :RestoreCryptoKeyVersion, ::Google::Cloud::Kms::V1::RestoreCryptoKeyVersionRequest, ::Google::Cloud::Kms::V1::CryptoKeyVersion
+            # Encrypts data, so that it can only be recovered by a call to [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
+            # The [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be
+            # [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
+            rpc :Encrypt, ::Google::Cloud::Kms::V1::EncryptRequest, ::Google::Cloud::Kms::V1::EncryptResponse
+            # Decrypts data that was protected by [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. The [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
+            # must be [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
+            rpc :Decrypt, ::Google::Cloud::Kms::V1::DecryptRequest, ::Google::Cloud::Kms::V1::DecryptResponse
+            # Signs data using a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
+            # ASYMMETRIC_SIGN, producing a signature that can be verified with the public
+            # key retrieved from [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
+            rpc :AsymmetricSign, ::Google::Cloud::Kms::V1::AsymmetricSignRequest, ::Google::Cloud::Kms::V1::AsymmetricSignResponse
+            # Decrypts data that was encrypted with a public key retrieved from
+            # [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey] corresponding to a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
+            # [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] ASYMMETRIC_DECRYPT.
+            rpc :AsymmetricDecrypt, ::Google::Cloud::Kms::V1::AsymmetricDecryptRequest, ::Google::Cloud::Kms::V1::AsymmetricDecryptResponse
+            # Signs data using a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
+            # MAC, producing a tag that can be verified by another source with the
+            # same key.
+            rpc :MacSign, ::Google::Cloud::Kms::V1::MacSignRequest, ::Google::Cloud::Kms::V1::MacSignResponse
+            # Verifies MAC tag using a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
+            # MAC, and returns a response that indicates whether or not the verification
+            # was successful.
+            rpc :MacVerify, ::Google::Cloud::Kms::V1::MacVerifyRequest, ::Google::Cloud::Kms::V1::MacVerifyResponse
+            # Generate random bytes using the Cloud KMS randomness source in the provided
+            # location.
+            rpc :GenerateRandomBytes, ::Google::Cloud::Kms::V1::GenerateRandomBytesRequest, ::Google::Cloud::Kms::V1::GenerateRandomBytesResponse
           end
 
           Stub = Service.rpc_stub_class

data/lib/google/cloud/kms/v1/version.rb

@@ -21,7 +21,7 @@ module Google
   module Cloud
     module Kms
       module V1
-        VERSION = "0.6.0"
+        VERSION = "0.8.0"
       end
     end
   end

data/proto_docs/google/api/field_behavior.rb

@@ -57,9 +57,15 @@ module Google
 
       # Denotes that a (repeated) field is an unordered list.
       # This indicates that the service may provide the elements of the list
-      # in any arbitrary order, rather than the order the user originally
+      # in any arbitrary  order, rather than the order the user originally
       # provided. Additionally, the list's order may or may not be stable.
       UNORDERED_LIST = 6
+
+      # Denotes that this field returns a non-empty default value if not set.
+      # This indicates that if the user provides the empty value in a request,
+      # a non-empty value will be returned. The user will not be aware of what
+      # non-empty value to expect.
+      NON_EMPTY_DEFAULT = 7
     end
   end
 end

data/proto_docs/google/cloud/kms/v1/resources.rb

@@ -97,6 +97,16 @@ module Google
         #   @return [::Google::Protobuf::Map{::String => ::String}]
         #     Labels with user-defined metadata. For more information, see
         #     [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys).
+        # @!attribute [rw] import_only
+        #   @return [::Boolean]
+        #     Immutable. Whether this key may contain imported versions only.
+        # @!attribute [rw] destroy_scheduled_duration
+        #   @return [::Google::Protobuf::Duration]
+        #     Immutable. The period of time that versions of this key spend in the
+        #     {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::DESTROY_SCHEDULED DESTROY_SCHEDULED}
+        #     state before transitioning to
+        #     {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::DESTROYED DESTROYED}. If not
+        #     specified at creation time, the default duration is 24 hours.
         class CryptoKey
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -132,6 +142,10 @@ module Google
             # {::Google::Cloud::Kms::V1::KeyManagementService::Client#asymmetric_decrypt AsymmetricDecrypt} and
             # {::Google::Cloud::Kms::V1::KeyManagementService::Client#get_public_key GetPublicKey}.
             ASYMMETRIC_DECRYPT = 6
+
+            # {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used with
+            # {::Google::Cloud::Kms::V1::KeyManagementService::Client#mac_sign MacSign}.
+            MAC = 9
           end
         end
 
@@ -235,16 +249,16 @@ module Google
         #     {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::DESTROYED DESTROYED}.
         # @!attribute [r] import_job
         #   @return [::String]
-        #     Output only. The name of the {::Google::Cloud::Kms::V1::ImportJob ImportJob} used to import this
+        #     Output only. The name of the {::Google::Cloud::Kms::V1::ImportJob ImportJob} used in the most recent import of this
         #     {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}. Only present if the underlying key material was
         #     imported.
         # @!attribute [r] import_time
         #   @return [::Google::Protobuf::Timestamp]
         #     Output only. The time at which this {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}'s key material
-        #     was imported.
+        #     was most recently imported.
         # @!attribute [r] import_failure_reason
         #   @return [::String]
-        #     Output only. The root cause of an import failure. Only present if
+        #     Output only. The root cause of the most recent import failure. Only present if
         #     {::Google::Cloud::Kms::V1::CryptoKeyVersion#state state} is
         #     {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::IMPORT_FAILED IMPORT_FAILED}.
         # @!attribute [rw] external_protection_level_options
@@ -252,6 +266,11 @@ module Google
         #     ExternalProtectionLevelOptions stores a group of additional fields for
         #     configuring a {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} that are specific to the
         #     {::Google::Cloud::Kms::V1::ProtectionLevel::EXTERNAL EXTERNAL} protection level.
+        # @!attribute [r] reimport_eligible
+        #   @return [::Boolean]
+        #     Output only. Whether or not this key version is eligible for reimport, by being
+        #     specified as a target in
+        #     {::Google::Cloud::Kms::V1::ImportCryptoKeyVersionRequest#crypto_key_version ImportCryptoKeyVersionRequest.crypto_key_version}.
         class CryptoKeyVersion
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -288,6 +307,12 @@ module Google
           # The fields in the name after "EC_SIGN_" correspond to the following
           # parameters: elliptic curve, digest algorithm.
           #
+          # Algorithms beginning with "HMAC_" are usable with {::Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey.purpose}
+          # {::Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::MAC MAC}.
+          #
+          # The suffix following "HMAC_" corresponds to the hash algorithm being used
+          # (eg. SHA256).
+          #
           # For more information, see [Key purposes and algorithms]
           # (https://cloud.google.com/kms/docs/algorithms).
           module CryptoKeyVersionAlgorithm
@@ -343,6 +368,9 @@ module Google
             # HSM protection level.
             EC_SIGN_SECP256K1_SHA256 = 31
 
+            # HMAC-SHA256 signing with a 256 bit key.
+            HMAC_SHA256 = 32
+
             # Algorithm representing symmetric encryption by an external key manager.
             EXTERNAL_SYMMETRIC_ENCRYPTION = 18
           end
@@ -365,7 +393,10 @@ module Google
             DISABLED = 2
 
             # This version is destroyed, and the key material is no longer stored.
-            # A version may not leave this state once entered.
+            # This version may only become {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED} again if this version is
+            # {::Google::Cloud::Kms::V1::CryptoKeyVersion#reimport_eligible reimport_eligible} and the original
+            # key material is reimported with a call to
+            # {::Google::Cloud::Kms::V1::KeyManagementService::Client#import_crypto_key_version KeyManagementService.ImportCryptoKeyVersion}.
             DESTROYED = 3
 
             # This version is scheduled for destruction, and will be destroyed soon.
@@ -435,6 +466,9 @@ module Google
         #     Provided here for verification.
         #
         #     NOTE: This field is in Beta.
+        # @!attribute [rw] protection_level
+        #   @return [::Google::Cloud::Kms::V1::ProtectionLevel]
+        #     The {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} of the {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} public key.
         class PublicKey
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods

data/proto_docs/google/cloud/kms/v1/service.rb

@@ -325,8 +325,27 @@ module Google
         # Request message for {::Google::Cloud::Kms::V1::KeyManagementService::Client#import_crypto_key_version KeyManagementService.ImportCryptoKeyVersion}.
         # @!attribute [rw] parent
         #   @return [::String]
-        #     Required. The {::Google::Cloud::Kms::V1::CryptoKey#name name} of the {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} to
-        #     be imported into.
+        #     Required. The {::Google::Cloud::Kms::V1::CryptoKey#name name} of the {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} to be imported into.
+        #
+        #     The create permission is only required on this key when creating a new
+        #     {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}.
+        # @!attribute [rw] crypto_key_version
+        #   @return [::String]
+        #     Optional. The optional {::Google::Cloud::Kms::V1::CryptoKeyVersion#name name} of an existing
+        #     {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} to target for an import operation.
+        #     If this field is not present, a new {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} containing the
+        #     supplied key material is created.
+        #
+        #     If this field is present, the supplied key material is imported into
+        #     the existing {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}. To import into an existing
+        #     {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}, the {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} must be a child of
+        #     {::Google::Cloud::Kms::V1::ImportCryptoKeyVersionRequest#parent ImportCryptoKeyVersionRequest.parent}, have been previously created via
+        #     [ImportCryptoKeyVersion][], and be in
+        #     {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::DESTROYED DESTROYED} or
+        #     {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::IMPORT_FAILED IMPORT_FAILED}
+        #     state. The key material and algorithm must match the previous
+        #     {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} exactly if the {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} has ever contained
+        #     key material.
         # @!attribute [rw] algorithm
         #   @return [::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm]
         #     Required. The {::Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm algorithm} of
@@ -408,6 +427,36 @@ module Google
           extend ::Google::Protobuf::MessageExts::ClassMethods
         end
 
+        # Request message for {::Google::Cloud::Kms::V1::KeyManagementService::Client#update_crypto_key_primary_version KeyManagementService.UpdateCryptoKeyPrimaryVersion}.
+        # @!attribute [rw] name
+        #   @return [::String]
+        #     Required. The resource name of the {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} to update.
+        # @!attribute [rw] crypto_key_version_id
+        #   @return [::String]
+        #     Required. The id of the child {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} to use as primary.
+        class UpdateCryptoKeyPrimaryVersionRequest
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # Request message for {::Google::Cloud::Kms::V1::KeyManagementService::Client#destroy_crypto_key_version KeyManagementService.DestroyCryptoKeyVersion}.
+        # @!attribute [rw] name
+        #   @return [::String]
+        #     Required. The resource name of the {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} to destroy.
+        class DestroyCryptoKeyVersionRequest
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # Request message for {::Google::Cloud::Kms::V1::KeyManagementService::Client#restore_crypto_key_version KeyManagementService.RestoreCryptoKeyVersion}.
+        # @!attribute [rw] name
+        #   @return [::String]
+        #     Required. The resource name of the {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} to restore.
+        class RestoreCryptoKeyVersionRequest
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
         # Request message for {::Google::Cloud::Kms::V1::KeyManagementService::Client#encrypt KeyManagementService.Encrypt}.
         # @!attribute [rw] name
         #   @return [::String]
@@ -452,8 +501,6 @@ module Google
         #     different languages. However, it is a non-negative integer, which will
         #     never exceed 2^32-1, and can be safely downconverted to uint32 in languages
         #     that support this type.
-        #
-        #     NOTE: This field is in Beta.
         # @!attribute [rw] additional_authenticated_data_crc32c
         #   @return [::Google::Protobuf::Int64Value]
         #     Optional. An optional CRC32C checksum of the
@@ -470,8 +517,6 @@ module Google
         #     different languages. However, it is a non-negative integer, which will
         #     never exceed 2^32-1, and can be safely downconverted to uint32 in languages
         #     that support this type.
-        #
-        #     NOTE: This field is in Beta.
         class EncryptRequest
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -505,8 +550,6 @@ module Google
         #     different languages. However, it is a non-negative integer, which will
         #     never exceed 2^32-1, and can be safely downconverted to uint32 in languages
         #     that support this type.
-        #
-        #     NOTE: This field is in Beta.
         # @!attribute [rw] additional_authenticated_data_crc32c
         #   @return [::Google::Protobuf::Int64Value]
         #     Optional. An optional CRC32C checksum of the
@@ -523,8 +566,6 @@ module Google
         #     different languages. However, it is a non-negative integer, which will
         #     never exceed 2^32-1, and can be safely downconverted to uint32 in languages
         #     that support this type.
-        #
-        #     NOTE: This field is in Beta.
         class DecryptRequest
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -554,8 +595,6 @@ module Google
         #     different languages. However, it is a non-negative integer, which will
         #     never exceed 2^32-1, and can be safely downconverted to uint32 in languages
         #     that support this type.
-        #
-        #     NOTE: This field is in Beta.
         class AsymmetricSignRequest
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -585,35 +624,99 @@ module Google
         #     different languages. However, it is a non-negative integer, which will
         #     never exceed 2^32-1, and can be safely downconverted to uint32 in languages
         #     that support this type.
-        #
-        #     NOTE: This field is in Beta.
         class AsymmetricDecryptRequest
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
         end
 
-        # Response message for {::Google::Cloud::Kms::V1::KeyManagementService::Client#decrypt KeyManagementService.Decrypt}.
-        # @!attribute [rw] plaintext
+        # Request message for {::Google::Cloud::Kms::V1::KeyManagementService::Client#mac_sign KeyManagementService.MacSign}.
+        # @!attribute [rw] name
         #   @return [::String]
-        #     The decrypted data originally supplied in {::Google::Cloud::Kms::V1::EncryptRequest#plaintext EncryptRequest.plaintext}.
-        # @!attribute [rw] plaintext_crc32c
+        #     Required. The resource name of the {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} to use for signing.
+        # @!attribute [rw] data
+        #   @return [::String]
+        #     Required. The data to sign. The MAC tag is computed over this data field based on
+        #     the specific algorithm.
+        # @!attribute [rw] data_crc32c
         #   @return [::Google::Protobuf::Int64Value]
-        #     Integrity verification field. A CRC32C checksum of the returned
-        #     {::Google::Cloud::Kms::V1::DecryptResponse#plaintext DecryptResponse.plaintext}. An integrity check of
-        #     {::Google::Cloud::Kms::V1::DecryptResponse#plaintext DecryptResponse.plaintext} can be performed by computing the CRC32C
-        #     checksum of {::Google::Cloud::Kms::V1::DecryptResponse#plaintext DecryptResponse.plaintext} and comparing your results to
-        #     this field. Discard the response in case of non-matching checksum values,
-        #     and perform a limited number of retries. A persistent mismatch may indicate
-        #     an issue in your computation of the CRC32C checksum. Note: receiving this
-        #     response message indicates that {::Google::Cloud::Kms::V1::KeyManagementService::Client KeyManagementService} is able to
-        #     successfully decrypt the {::Google::Cloud::Kms::V1::DecryptRequest#ciphertext ciphertext}.
+        #     Optional. An optional CRC32C checksum of the {::Google::Cloud::Kms::V1::MacSignRequest#data MacSignRequest.data}. If
+        #     specified, {::Google::Cloud::Kms::V1::KeyManagementService::Client KeyManagementService} will verify the integrity of the
+        #     received {::Google::Cloud::Kms::V1::MacSignRequest#data MacSignRequest.data} using this checksum.
+        #     {::Google::Cloud::Kms::V1::KeyManagementService::Client KeyManagementService} will report an error if the checksum verification
+        #     fails. If you receive a checksum error, your client should verify that
+        #     CRC32C({::Google::Cloud::Kms::V1::MacSignRequest#data MacSignRequest.data}) is equal to
+        #     {::Google::Cloud::Kms::V1::MacSignRequest#data_crc32c MacSignRequest.data_crc32c}, and if so, perform a limited
+        #     number of retries. A persistent mismatch may indicate an issue in your
+        #     computation of the CRC32C checksum.
         #     Note: This field is defined as int64 for reasons of compatibility across
         #     different languages. However, it is a non-negative integer, which will
         #     never exceed 2^32-1, and can be safely downconverted to uint32 in languages
         #     that support this type.
-        #
-        #     NOTE: This field is in Beta.
-        class DecryptResponse
+        class MacSignRequest
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # Request message for {::Google::Cloud::Kms::V1::KeyManagementService::Client#mac_verify KeyManagementService.MacVerify}.
+        # @!attribute [rw] name
+        #   @return [::String]
+        #     Required. The resource name of the {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} to use for verification.
+        # @!attribute [rw] data
+        #   @return [::String]
+        #     Required. The data used previously as a {::Google::Cloud::Kms::V1::MacSignRequest#data MacSignRequest.data} to generate the MAC
+        #     tag.
+        # @!attribute [rw] data_crc32c
+        #   @return [::Google::Protobuf::Int64Value]
+        #     Optional. An optional CRC32C checksum of the {::Google::Cloud::Kms::V1::MacVerifyRequest#data MacVerifyRequest.data}. If
+        #     specified, {::Google::Cloud::Kms::V1::KeyManagementService::Client KeyManagementService} will verify the integrity of the
+        #     received {::Google::Cloud::Kms::V1::MacVerifyRequest#data MacVerifyRequest.data} using this checksum.
+        #     {::Google::Cloud::Kms::V1::KeyManagementService::Client KeyManagementService} will report an error if the checksum verification
+        #     fails. If you receive a checksum error, your client should verify that
+        #     CRC32C({::Google::Cloud::Kms::V1::MacVerifyRequest#data MacVerifyRequest.data}) is equal to
+        #     {::Google::Cloud::Kms::V1::MacVerifyRequest#data_crc32c MacVerifyRequest.data_crc32c}, and if so, perform a limited
+        #     number of retries. A persistent mismatch may indicate an issue in your
+        #     computation of the CRC32C checksum.
+        #     Note: This field is defined as int64 for reasons of compatibility across
+        #     different languages. However, it is a non-negative integer, which will
+        #     never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+        #     that support this type.
+        # @!attribute [rw] mac
+        #   @return [::String]
+        #     Required. The signature to verify.
+        # @!attribute [rw] mac_crc32c
+        #   @return [::Google::Protobuf::Int64Value]
+        #     Optional. An optional CRC32C checksum of the {::Google::Cloud::Kms::V1::MacVerifyRequest#mac MacVerifyRequest.mac}. If
+        #     specified, {::Google::Cloud::Kms::V1::KeyManagementService::Client KeyManagementService} will verify the integrity of the
+        #     received {::Google::Cloud::Kms::V1::MacVerifyRequest#mac MacVerifyRequest.mac} using this checksum.
+        #     {::Google::Cloud::Kms::V1::KeyManagementService::Client KeyManagementService} will report an error if the checksum verification
+        #     fails. If you receive a checksum error, your client should verify that
+        #     CRC32C([MacVerifyRequest.tag][]) is equal to
+        #     {::Google::Cloud::Kms::V1::MacVerifyRequest#mac_crc32c MacVerifyRequest.mac_crc32c}, and if so, perform a limited
+        #     number of retries. A persistent mismatch may indicate an issue in your
+        #     computation of the CRC32C checksum.
+        #     Note: This field is defined as int64 for reasons of compatibility across
+        #     different languages. However, it is a non-negative integer, which will
+        #     never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+        #     that support this type.
+        class MacVerifyRequest
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # Request message for {::Google::Cloud::Kms::V1::KeyManagementService::Client#generate_random_bytes KeyManagementService.GenerateRandomBytes}.
+        # @!attribute [rw] location
+        #   @return [::String]
+        #     The project-specific location in which to generate random bytes.
+        #     For example, "projects/my-project/locations/us-central1".
+        # @!attribute [rw] length_bytes
+        #   @return [::Integer]
+        #     The length in bytes of the amount of randomness to retrieve.  Minimum 8
+        #     bytes, maximum 1024 bytes.
+        # @!attribute [rw] protection_level
+        #   @return [::Google::Cloud::Kms::V1::ProtectionLevel]
+        #     The {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} to use when generating the random data. Defaults to
+        #     {::Google::Cloud::Kms::V1::ProtectionLevel::SOFTWARE SOFTWARE}.
+        class GenerateRandomBytesRequest
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
         end
@@ -639,8 +742,6 @@ module Google
         #     different languages. However, it is a non-negative integer, which will
         #     never exceed 2^32-1, and can be safely downconverted to uint32 in languages
         #     that support this type.
-        #
-        #     NOTE: This field is in Beta.
         # @!attribute [rw] verified_plaintext_crc32c
         #   @return [::Boolean]
         #     Integrity verification field. A flag indicating whether
@@ -651,8 +752,6 @@ module Google
         #     that it was not delivered to {::Google::Cloud::Kms::V1::KeyManagementService::Client KeyManagementService}. If you've set
         #     {::Google::Cloud::Kms::V1::EncryptRequest#plaintext_crc32c EncryptRequest.plaintext_crc32c} but this field is still false, discard
         #     the response and perform a limited number of retries.
-        #
-        #     NOTE: This field is in Beta.
         # @!attribute [rw] verified_additional_authenticated_data_crc32c
         #   @return [::Boolean]
         #     Integrity verification field. A flag indicating whether
@@ -664,13 +763,44 @@ module Google
         #     that it was not delivered to {::Google::Cloud::Kms::V1::KeyManagementService::Client KeyManagementService}. If you've set
         #     {::Google::Cloud::Kms::V1::EncryptRequest#additional_authenticated_data_crc32c EncryptRequest.additional_authenticated_data_crc32c} but this field is
         #     still false, discard the response and perform a limited number of retries.
-        #
-        #     NOTE: This field is in Beta.
+        # @!attribute [rw] protection_level
+        #   @return [::Google::Cloud::Kms::V1::ProtectionLevel]
+        #     The {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} of the {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} used in encryption.
         class EncryptResponse
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
         end
 
+        # Response message for {::Google::Cloud::Kms::V1::KeyManagementService::Client#decrypt KeyManagementService.Decrypt}.
+        # @!attribute [rw] plaintext
+        #   @return [::String]
+        #     The decrypted data originally supplied in {::Google::Cloud::Kms::V1::EncryptRequest#plaintext EncryptRequest.plaintext}.
+        # @!attribute [rw] plaintext_crc32c
+        #   @return [::Google::Protobuf::Int64Value]
+        #     Integrity verification field. A CRC32C checksum of the returned
+        #     {::Google::Cloud::Kms::V1::DecryptResponse#plaintext DecryptResponse.plaintext}. An integrity check of
+        #     {::Google::Cloud::Kms::V1::DecryptResponse#plaintext DecryptResponse.plaintext} can be performed by computing the CRC32C
+        #     checksum of {::Google::Cloud::Kms::V1::DecryptResponse#plaintext DecryptResponse.plaintext} and comparing your results to
+        #     this field. Discard the response in case of non-matching checksum values,
+        #     and perform a limited number of retries. A persistent mismatch may indicate
+        #     an issue in your computation of the CRC32C checksum. Note: receiving this
+        #     response message indicates that {::Google::Cloud::Kms::V1::KeyManagementService::Client KeyManagementService} is able to
+        #     successfully decrypt the {::Google::Cloud::Kms::V1::DecryptRequest#ciphertext ciphertext}.
+        #     Note: This field is defined as int64 for reasons of compatibility across
+        #     different languages. However, it is a non-negative integer, which will
+        #     never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+        #     that support this type.
+        # @!attribute [rw] used_primary
+        #   @return [::Boolean]
+        #     Whether the Decryption was performed using the primary key version.
+        # @!attribute [rw] protection_level
+        #   @return [::Google::Cloud::Kms::V1::ProtectionLevel]
+        #     The {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} of the {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} used in decryption.
+        class DecryptResponse
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
         # Response message for {::Google::Cloud::Kms::V1::KeyManagementService::Client#asymmetric_sign KeyManagementService.AsymmetricSign}.
         # @!attribute [rw] signature
         #   @return [::String]
@@ -688,8 +818,6 @@ module Google
         #     different languages. However, it is a non-negative integer, which will
         #     never exceed 2^32-1, and can be safely downconverted to uint32 in languages
         #     that support this type.
-        #
-        #     NOTE: This field is in Beta.
         # @!attribute [rw] verified_digest_crc32c
         #   @return [::Boolean]
         #     Integrity verification field. A flag indicating whether
@@ -700,14 +828,13 @@ module Google
         #     unset or that it was not delivered to {::Google::Cloud::Kms::V1::KeyManagementService::Client KeyManagementService}. If you've
         #     set {::Google::Cloud::Kms::V1::AsymmetricSignRequest#digest_crc32c AsymmetricSignRequest.digest_crc32c} but this field is still false,
         #     discard the response and perform a limited number of retries.
-        #
-        #     NOTE: This field is in Beta.
         # @!attribute [rw] name
         #   @return [::String]
         #     The resource name of the {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} used for signing. Check
         #     this field to verify that the intended resource was used for signing.
-        #
-        #     NOTE: This field is in Beta.
+        # @!attribute [rw] protection_level
+        #   @return [::Google::Cloud::Kms::V1::ProtectionLevel]
+        #     The {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} of the {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} used for signing.
         class AsymmetricSignResponse
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -730,8 +857,6 @@ module Google
         #     different languages. However, it is a non-negative integer, which will
         #     never exceed 2^32-1, and can be safely downconverted to uint32 in languages
         #     that support this type.
-        #
-        #     NOTE: This field is in Beta.
         # @!attribute [rw] verified_ciphertext_crc32c
         #   @return [::Boolean]
         #     Integrity verification field. A flag indicating whether
@@ -742,39 +867,115 @@ module Google
         #     was left unset or that it was not delivered to {::Google::Cloud::Kms::V1::KeyManagementService::Client KeyManagementService}. If
         #     you've set {::Google::Cloud::Kms::V1::AsymmetricDecryptRequest#ciphertext_crc32c AsymmetricDecryptRequest.ciphertext_crc32c} but this field is
         #     still false, discard the response and perform a limited number of retries.
-        #
-        #     NOTE: This field is in Beta.
+        # @!attribute [rw] protection_level
+        #   @return [::Google::Cloud::Kms::V1::ProtectionLevel]
+        #     The {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} of the {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} used in decryption.
         class AsymmetricDecryptResponse
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
         end
 
-        # Request message for {::Google::Cloud::Kms::V1::KeyManagementService::Client#update_crypto_key_primary_version KeyManagementService.UpdateCryptoKeyPrimaryVersion}.
+        # Response message for {::Google::Cloud::Kms::V1::KeyManagementService::Client#mac_sign KeyManagementService.MacSign}.
         # @!attribute [rw] name
         #   @return [::String]
-        #     Required. The resource name of the {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} to update.
-        # @!attribute [rw] crypto_key_version_id
+        #     The resource name of the {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} used for signing. Check
+        #     this field to verify that the intended resource was used for signing.
+        # @!attribute [rw] mac
         #   @return [::String]
-        #     Required. The id of the child {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} to use as primary.
-        class UpdateCryptoKeyPrimaryVersionRequest
+        #     The created signature.
+        # @!attribute [rw] mac_crc32c
+        #   @return [::Google::Protobuf::Int64Value]
+        #     Integrity verification field. A CRC32C checksum of the returned
+        #     {::Google::Cloud::Kms::V1::MacSignResponse#mac MacSignResponse.mac}. An integrity check of
+        #     {::Google::Cloud::Kms::V1::MacSignResponse#mac MacSignResponse.mac} can be performed by computing the
+        #     CRC32C checksum of {::Google::Cloud::Kms::V1::MacSignResponse#mac MacSignResponse.mac} and comparing your
+        #     results to this field. Discard the response in case of non-matching
+        #     checksum values, and perform a limited number of retries. A persistent
+        #     mismatch may indicate an issue in your computation of the CRC32C checksum.
+        #     Note: This field is defined as int64 for reasons of compatibility across
+        #     different languages. However, it is a non-negative integer, which will
+        #     never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+        #     that support this type.
+        # @!attribute [rw] verified_data_crc32c
+        #   @return [::Boolean]
+        #     Integrity verification field. A flag indicating whether
+        #     {::Google::Cloud::Kms::V1::MacSignRequest#data_crc32c MacSignRequest.data_crc32c} was received by
+        #     {::Google::Cloud::Kms::V1::KeyManagementService::Client KeyManagementService} and used for the integrity verification of the
+        #     {::Google::Cloud::Kms::V1::MacSignRequest#data data}. A false value of this field
+        #     indicates either that {::Google::Cloud::Kms::V1::MacSignRequest#data_crc32c MacSignRequest.data_crc32c} was left
+        #     unset or that it was not delivered to {::Google::Cloud::Kms::V1::KeyManagementService::Client KeyManagementService}. If you've
+        #     set {::Google::Cloud::Kms::V1::MacSignRequest#data_crc32c MacSignRequest.data_crc32c} but this field is still false,
+        #     discard the response and perform a limited number of retries.
+        # @!attribute [rw] protection_level
+        #   @return [::Google::Cloud::Kms::V1::ProtectionLevel]
+        #     The {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} of the {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} used for signing.
+        class MacSignResponse
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
         end
 
-        # Request message for {::Google::Cloud::Kms::V1::KeyManagementService::Client#destroy_crypto_key_version KeyManagementService.DestroyCryptoKeyVersion}.
+        # Response message for {::Google::Cloud::Kms::V1::KeyManagementService::Client#mac_verify KeyManagementService.MacVerify}.
         # @!attribute [rw] name
         #   @return [::String]
-        #     Required. The resource name of the {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} to destroy.
-        class DestroyCryptoKeyVersionRequest
+        #     The resource name of the {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} used for verification.
+        #     Check this field to verify that the intended resource was used for
+        #     verification.
+        # @!attribute [rw] success
+        #   @return [::Boolean]
+        #     This field indicates whether or not the verification operation for
+        #     {::Google::Cloud::Kms::V1::MacVerifyRequest#mac MacVerifyRequest.mac} over {::Google::Cloud::Kms::V1::MacVerifyRequest#data MacVerifyRequest.data} was successful.
+        # @!attribute [rw] verified_data_crc32c
+        #   @return [::Boolean]
+        #     Integrity verification field. A flag indicating whether
+        #     {::Google::Cloud::Kms::V1::MacVerifyRequest#data_crc32c MacVerifyRequest.data_crc32c} was received by
+        #     {::Google::Cloud::Kms::V1::KeyManagementService::Client KeyManagementService} and used for the integrity verification of the
+        #     {::Google::Cloud::Kms::V1::MacVerifyRequest#data data}. A false value of this field
+        #     indicates either that {::Google::Cloud::Kms::V1::MacVerifyRequest#data_crc32c MacVerifyRequest.data_crc32c} was left
+        #     unset or that it was not delivered to {::Google::Cloud::Kms::V1::KeyManagementService::Client KeyManagementService}. If you've
+        #     set {::Google::Cloud::Kms::V1::MacVerifyRequest#data_crc32c MacVerifyRequest.data_crc32c} but this field is still false,
+        #     discard the response and perform a limited number of retries.
+        # @!attribute [rw] verified_mac_crc32c
+        #   @return [::Boolean]
+        #     Integrity verification field. A flag indicating whether
+        #     {::Google::Cloud::Kms::V1::MacVerifyRequest#mac_crc32c MacVerifyRequest.mac_crc32c} was received by
+        #     {::Google::Cloud::Kms::V1::KeyManagementService::Client KeyManagementService} and used for the integrity verification of the
+        #     {::Google::Cloud::Kms::V1::MacVerifyRequest#mac data}. A false value of this field
+        #     indicates either that {::Google::Cloud::Kms::V1::MacVerifyRequest#mac_crc32c MacVerifyRequest.mac_crc32c} was left
+        #     unset or that it was not delivered to {::Google::Cloud::Kms::V1::KeyManagementService::Client KeyManagementService}. If you've
+        #     set {::Google::Cloud::Kms::V1::MacVerifyRequest#mac_crc32c MacVerifyRequest.mac_crc32c} but this field is still false,
+        #     discard the response and perform a limited number of retries.
+        # @!attribute [rw] verified_success_integrity
+        #   @return [::Boolean]
+        #     Integrity verification field. This value is used for the integrity
+        #     verification of [MacVerifyResponse.success]. If the value of this field
+        #     contradicts the value of [MacVerifyResponse.success], discard the response
+        #     and perform a limited number of retries.
+        # @!attribute [rw] protection_level
+        #   @return [::Google::Cloud::Kms::V1::ProtectionLevel]
+        #     The {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} of the {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} used for verification.
+        class MacVerifyResponse
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
         end
 
-        # Request message for {::Google::Cloud::Kms::V1::KeyManagementService::Client#restore_crypto_key_version KeyManagementService.RestoreCryptoKeyVersion}.
-        # @!attribute [rw] name
+        # Response message for {::Google::Cloud::Kms::V1::KeyManagementService::Client#generate_random_bytes KeyManagementService.GenerateRandomBytes}.
+        # @!attribute [rw] data
         #   @return [::String]
-        #     Required. The resource name of the {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} to restore.
-        class RestoreCryptoKeyVersionRequest
+        #     The generated data.
+        # @!attribute [rw] data_crc32c
+        #   @return [::Google::Protobuf::Int64Value]
+        #     Integrity verification field. A CRC32C checksum of the returned
+        #     {::Google::Cloud::Kms::V1::GenerateRandomBytesResponse#data GenerateRandomBytesResponse.data}. An integrity check of
+        #     {::Google::Cloud::Kms::V1::GenerateRandomBytesResponse#data GenerateRandomBytesResponse.data} can be performed by computing the
+        #     CRC32C checksum of {::Google::Cloud::Kms::V1::GenerateRandomBytesResponse#data GenerateRandomBytesResponse.data} and comparing your
+        #     results to this field. Discard the response in case of non-matching
+        #     checksum values, and perform a limited number of retries. A persistent
+        #     mismatch may indicate an issue in your computation of the CRC32C checksum.
+        #     Note: This field is defined as int64 for reasons of compatibility across
+        #     different languages. However, it is a non-negative integer, which will
+        #     never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+        #     that support this type.
+        class GenerateRandomBytesResponse
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
         end