google-cloud-kms 1.0.2 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3435174d6d95af25a352f8a5c7f3eaca84d5dbb3a4ce314dda344fcaa8278006
-  data.tar.gz: aa981529b7c9903b2e845e9b5033ff65b2edcfe877ef6e85b8b4e39caa87e54c
+  metadata.gz: 5db965ca05a2730295562c67ca7aabba12f0514f65334cf8af4365393c4f74b3
+  data.tar.gz: 00e160157392f2daa985ff3f04ede025c587804b0cb8e850f8e391e9dc01097a
 SHA512:
-  metadata.gz: b95dcd8e9706515732428353da166177e7a872b3c307b2908dd68bf4f1e01f65d739316c5f0a0c814b908ce695a31c045f77a9413ffc114be4ee27e73d120b3a
-  data.tar.gz: 6344f662a0c796df9c643ff7826c135a72d4b9927cc300a852931a876206021d3c6453b700cc64ffe3e890ee8291e6b82bce75ceb127b3819f62cf9980317af0
+  metadata.gz: 68862a97c1900e8f9d36248332539527ac69c3308bca22d2329b7105acdb5044569f22d4a9098ac9490e2270341b34223154856cf256b81051247c8b5233068c
+  data.tar.gz: 0c27f690f539ecbd3df14dc7c83d5ecc7be332dbef9ce99e47dd0e121e2265236d5219549e901cb7f83314cb0d770f6ffba3c0d565b0048ec41b3b5b70534e5a

data/lib/google/cloud/kms/v1/credentials.rb

@@ -21,7 +21,8 @@ module Google
       module V1
         class Credentials < Google::Auth::Credentials
           SCOPE = [
-            "https://www.googleapis.com/auth/cloud-platform"
+            "https://www.googleapis.com/auth/cloud-platform",
+            "https://www.googleapis.com/auth/cloudkms"
           ].freeze
           PATH_ENV_VARS = %w(KMS_CREDENTIALS
                              KMS_KEYFILE

data/lib/google/cloud/kms/v1/doc/google/cloud/kms/v1/resources.rb

@@ -17,153 +17,125 @@ module Google
   module Cloud
     module Kms
       module V1
-        # A {Google::Cloud::Kms::V1::KeyRing KeyRing} is a toplevel logical grouping of
-        # {Google::Cloud::Kms::V1::CryptoKey CryptoKeys}.
+        # A {Google::Cloud::Kms::V1::KeyRing KeyRing} is a toplevel logical grouping of {Google::Cloud::Kms::V1::CryptoKey CryptoKeys}.
         # @!attribute [rw] name
         #   @return [String]
-        #     Output only. The resource name for the
-        #     {Google::Cloud::Kms::V1::KeyRing KeyRing} in the format
+        #     Output only. The resource name for the {Google::Cloud::Kms::V1::KeyRing KeyRing} in the format
         #     `projects/*/locations/*/keyRings/*`.
         # @!attribute [rw] create_time
         #   @return [Google::Protobuf::Timestamp]
-        #     Output only. The time at which this {Google::Cloud::Kms::V1::KeyRing KeyRing}
-        #     was created.
+        #     Output only. The time at which this {Google::Cloud::Kms::V1::KeyRing KeyRing} was created.
         class KeyRing; end
 
-        # A {Google::Cloud::Kms::V1::CryptoKey CryptoKey} represents a logical key that
-        # can be used for cryptographic operations.
+        # A {Google::Cloud::Kms::V1::CryptoKey CryptoKey} represents a logical key that can be used for cryptographic
+        # operations.
         #
-        # A {Google::Cloud::Kms::V1::CryptoKey CryptoKey} is made up of one or more
-        # {Google::Cloud::Kms::V1::CryptoKeyVersion versions}, which represent the actual
-        # key material used in cryptographic operations.
+        # A {Google::Cloud::Kms::V1::CryptoKey CryptoKey} is made up of one or more {Google::Cloud::Kms::V1::CryptoKeyVersion versions}, which
+        # represent the actual key material used in cryptographic operations.
         # @!attribute [rw] name
         #   @return [String]
-        #     Output only. The resource name for this
-        #     {Google::Cloud::Kms::V1::CryptoKey CryptoKey} in the format
+        #     Output only. The resource name for this {Google::Cloud::Kms::V1::CryptoKey CryptoKey} in the format
         #     `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
         # @!attribute [rw] primary
         #   @return [Google::Cloud::Kms::V1::CryptoKeyVersion]
-        #     Output only. A copy of the "primary"
-        #     {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} that will be used
-        #     by {Google::Cloud::Kms::V1::KeyManagementService::Encrypt Encrypt} when this
-        #     {Google::Cloud::Kms::V1::CryptoKey CryptoKey} is given in
-        #     {Google::Cloud::Kms::V1::EncryptRequest#name EncryptRequest#name}.
+        #     Output only. A copy of the "primary" {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} that will be used
+        #     by {Google::Cloud::Kms::V1::KeyManagementService::Encrypt Encrypt} when this {Google::Cloud::Kms::V1::CryptoKey CryptoKey} is given
+        #     in {Google::Cloud::Kms::V1::EncryptRequest#name EncryptRequest#name}.
         #
-        #     The {Google::Cloud::Kms::V1::CryptoKey CryptoKey}'s primary version can be
-        #     updated via
+        #     The {Google::Cloud::Kms::V1::CryptoKey CryptoKey}'s primary version can be updated via
         #     {Google::Cloud::Kms::V1::KeyManagementService::UpdateCryptoKeyPrimaryVersion UpdateCryptoKeyPrimaryVersion}.
         #
         #     All keys with {Google::Cloud::Kms::V1::CryptoKey#purpose purpose}
-        #     {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT}
-        #     have a primary. For other keys, this field will be omitted.
+        #     {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT} have a
+        #     primary. For other keys, this field will be omitted.
         # @!attribute [rw] purpose
         #   @return [Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose]
         #     The immutable purpose of this {Google::Cloud::Kms::V1::CryptoKey CryptoKey}.
         # @!attribute [rw] create_time
         #   @return [Google::Protobuf::Timestamp]
-        #     Output only. The time at which this
-        #     {Google::Cloud::Kms::V1::CryptoKey CryptoKey} was created.
+        #     Output only. The time at which this {Google::Cloud::Kms::V1::CryptoKey CryptoKey} was created.
         # @!attribute [rw] next_rotation_time
         #   @return [Google::Protobuf::Timestamp]
-        #     At {Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time},
-        #     the Key Management Service will automatically:
+        #     At {Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time}, the Key Management Service will automatically:
         #
         #     1. Create a new version of this {Google::Cloud::Kms::V1::CryptoKey CryptoKey}.
         #     2. Mark the new version as primary.
         #
         #     Key rotations performed manually via
-        #     {Google::Cloud::Kms::V1::KeyManagementService::CreateCryptoKeyVersion CreateCryptoKeyVersion}
-        #     and
+        #     {Google::Cloud::Kms::V1::KeyManagementService::CreateCryptoKeyVersion CreateCryptoKeyVersion} and
         #     {Google::Cloud::Kms::V1::KeyManagementService::UpdateCryptoKeyPrimaryVersion UpdateCryptoKeyPrimaryVersion}
-        #     do not affect
-        #     {Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time}.
+        #     do not affect {Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time}.
         #
         #     Keys with {Google::Cloud::Kms::V1::CryptoKey#purpose purpose}
-        #     {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT}
-        #     support automatic rotation. For other keys, this field must be omitted.
+        #     {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT} support
+        #     automatic rotation. For other keys, this field must be omitted.
         # @!attribute [rw] rotation_period
         #   @return [Google::Protobuf::Duration]
-        #     {Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time}
-        #     will be advanced by this period when the service automatically rotates a
-        #     key. Must be at least one day.
+        #     {Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time} will be advanced by this period when the service
+        #     automatically rotates a key. Must be at least one day.
         #
-        #     If {Google::Cloud::Kms::V1::CryptoKey#rotation_period rotation_period} is
-        #     set,
-        #     {Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time}
-        #     must also be set.
+        #     If {Google::Cloud::Kms::V1::CryptoKey#rotation_period rotation_period} is set, {Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time} must also be set.
         #
         #     Keys with {Google::Cloud::Kms::V1::CryptoKey#purpose purpose}
-        #     {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT}
-        #     support automatic rotation. For other keys, this field must be omitted.
+        #     {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT} support
+        #     automatic rotation. For other keys, this field must be omitted.
         # @!attribute [rw] version_template
         #   @return [Google::Cloud::Kms::V1::CryptoKeyVersionTemplate]
-        #     A template describing settings for new
-        #     {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} instances. The
-        #     properties of new {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}
-        #     instances created by either
-        #     {Google::Cloud::Kms::V1::KeyManagementService::CreateCryptoKeyVersion CreateCryptoKeyVersion}
-        #     or auto-rotation are controlled by this template.
+        #     A template describing settings for new {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} instances.
+        #     The properties of new {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} instances created by either
+        #     {Google::Cloud::Kms::V1::KeyManagementService::CreateCryptoKeyVersion CreateCryptoKeyVersion} or
+        #     auto-rotation are controlled by this template.
         # @!attribute [rw] labels
         #   @return [Hash{String => String}]
         #     Labels with user-defined metadata. For more information, see
         #     [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys).
         class CryptoKey
-          # {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose CryptoKeyPurpose}
-          # describes the cryptographic capabilities of a
-          # {Google::Cloud::Kms::V1::CryptoKey CryptoKey}. A given key can only be used
-          # for the operations allowed by its purpose.
+          # {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose CryptoKeyPurpose} describes the cryptographic capabilities of a
+          # {Google::Cloud::Kms::V1::CryptoKey CryptoKey}. A given key can only be used for the operations allowed by
+          # its purpose. For more information, see
+          # [Key purposes](https://cloud.google.com/kms/docs/algorithms#key_purposes).
           module CryptoKeyPurpose
             # Not specified.
             CRYPTO_KEY_PURPOSE_UNSPECIFIED = 0
 
-            # {Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used
-            # with {Google::Cloud::Kms::V1::KeyManagementService::Encrypt Encrypt} and
+            # {Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used with
+            # {Google::Cloud::Kms::V1::KeyManagementService::Encrypt Encrypt} and
             # {Google::Cloud::Kms::V1::KeyManagementService::Decrypt Decrypt}.
             ENCRYPT_DECRYPT = 1
 
-            # {Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used
-            # with
-            # {Google::Cloud::Kms::V1::KeyManagementService::AsymmetricSign AsymmetricSign}
-            # and
+            # {Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used with
+            # {Google::Cloud::Kms::V1::KeyManagementService::AsymmetricSign AsymmetricSign} and
             # {Google::Cloud::Kms::V1::KeyManagementService::GetPublicKey GetPublicKey}.
             ASYMMETRIC_SIGN = 5
 
-            # {Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used
-            # with
-            # {Google::Cloud::Kms::V1::KeyManagementService::AsymmetricDecrypt AsymmetricDecrypt}
-            # and
+            # {Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used with
+            # {Google::Cloud::Kms::V1::KeyManagementService::AsymmetricDecrypt AsymmetricDecrypt} and
             # {Google::Cloud::Kms::V1::KeyManagementService::GetPublicKey GetPublicKey}.
             ASYMMETRIC_DECRYPT = 6
           end
         end
 
-        # A {Google::Cloud::Kms::V1::CryptoKeyVersionTemplate CryptoKeyVersionTemplate}
-        # specifies the properties to use when creating a new
-        # {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}, either manually
-        # with
-        # {Google::Cloud::Kms::V1::KeyManagementService::CreateCryptoKeyVersion CreateCryptoKeyVersion}
-        # or automatically as a result of auto-rotation.
+        # A {Google::Cloud::Kms::V1::CryptoKeyVersionTemplate CryptoKeyVersionTemplate} specifies the properties to use when creating
+        # a new {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}, either manually with
+        # {Google::Cloud::Kms::V1::KeyManagementService::CreateCryptoKeyVersion CreateCryptoKeyVersion} or
+        # automatically as a result of auto-rotation.
         # @!attribute [rw] protection_level
         #   @return [Google::Cloud::Kms::V1::ProtectionLevel]
-        #     {Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} to use when creating
-        #     a {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} based on this
-        #     template. Immutable. Defaults to
-        #     {Google::Cloud::Kms::V1::ProtectionLevel::SOFTWARE SOFTWARE}.
+        #     {Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} to use when creating a {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} based on
+        #     this template. Immutable. Defaults to {Google::Cloud::Kms::V1::ProtectionLevel::SOFTWARE SOFTWARE}.
         # @!attribute [rw] algorithm
         #   @return [Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm]
-        #     Required.
-        #     {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm Algorithm}
-        #     to use when creating a
-        #     {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} based on this
-        #     template.
+        #     Required. {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm Algorithm} to use
+        #     when creating a {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} based on this template.
         #
         #     For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
-        #     this field is omitted and
-        #     {Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey#purpose} is
+        #     this field is omitted and {Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey#purpose} is
         #     {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT}.
         class CryptoKeyVersionTemplate; end
 
-        # Contains an HSM-generated attestation about a key operation.
+        # Contains an HSM-generated attestation about a key operation. For more
+        # information, see [Verifying attestations]
+        # (https://cloud.google.com/kms/docs/attest-key).
         # @!attribute [rw] format
         #   @return [Google::Cloud::Kms::V1::KeyOperationAttestation::AttestationFormat]
         #     Output only. The format of the attestation data.
@@ -172,8 +144,9 @@ module Google
         #     Output only. The attestation data provided by the HSM when the key
         #     operation was performed.
         class KeyOperationAttestation
-          # Attestion formats provided by the HSM.
+          # Attestation formats provided by the HSM.
           module AttestationFormat
+            # Not specified.
             ATTESTATION_FORMAT_UNSPECIFIED = 0
 
             # Cavium HSM attestation compressed with gzip. Note that this format is
@@ -181,84 +154,83 @@ module Google
             CAVIUM_V1_COMPRESSED = 3
 
             # Cavium HSM attestation V2 compressed with gzip. This is a new format
-            # Introduced in Cavium's version 3.2-08
+            # introduced in Cavium's version 3.2-08.
             CAVIUM_V2_COMPRESSED = 4
           end
         end
 
-        # A {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} represents an
-        # individual cryptographic key, and the associated key material.
+        # A {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} represents an individual cryptographic key, and the
+        # associated key material.
         #
-        # An
-        # {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED}
-        # version can be used for cryptographic operations.
+        # An {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED} version can be
+        # used for cryptographic operations.
         #
         # For security reasons, the raw cryptographic key material represented by a
-        # {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} can never be viewed
-        # or exported. It can only be used to encrypt, decrypt, or sign data when an
-        # authorized user or application invokes Cloud KMS.
+        # {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} can never be viewed or exported. It can only be used to
+        # encrypt, decrypt, or sign data when an authorized user or application invokes
+        # Cloud KMS.
         # @!attribute [rw] name
         #   @return [String]
-        #     Output only. The resource name for this
-        #     {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} in the format
+        #     Output only. The resource name for this {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} in the format
         #     `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
         # @!attribute [rw] state
         #   @return [Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState]
-        #     The current state of the
-        #     {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}.
+        #     The current state of the {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}.
         # @!attribute [rw] protection_level
         #   @return [Google::Cloud::Kms::V1::ProtectionLevel]
-        #     Output only. The {Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel}
-        #     describing how crypto operations are performed with this
-        #     {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}.
+        #     Output only. The {Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} describing how crypto operations are
+        #     performed with this {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}.
         # @!attribute [rw] algorithm
         #   @return [Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm]
-        #     Output only. The
-        #     {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm CryptoKeyVersionAlgorithm}
-        #     that this {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}
-        #     supports.
+        #     Output only. The {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm CryptoKeyVersionAlgorithm} that this
+        #     {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} supports.
         # @!attribute [rw] attestation
         #   @return [Google::Cloud::Kms::V1::KeyOperationAttestation]
         #     Output only. Statement that was generated and signed by the HSM at key
         #     creation time. Use this statement to verify attributes of the key as stored
         #     on the HSM, independently of Google. Only provided for key versions with
-        #     {Google::Cloud::Kms::V1::CryptoKeyVersion#protection_level protection_level}
-        #     {Google::Cloud::Kms::V1::ProtectionLevel::HSM HSM}.
+        #     {Google::Cloud::Kms::V1::CryptoKeyVersion#protection_level protection_level} {Google::Cloud::Kms::V1::ProtectionLevel::HSM HSM}.
         # @!attribute [rw] create_time
         #   @return [Google::Protobuf::Timestamp]
-        #     Output only. The time at which this
-        #     {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} was created.
+        #     Output only. The time at which this {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} was created.
         # @!attribute [rw] generate_time
         #   @return [Google::Protobuf::Timestamp]
-        #     Output only. The time this
-        #     {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}'s key material was
+        #     Output only. The time this {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}'s key material was
         #     generated.
         # @!attribute [rw] destroy_time
         #   @return [Google::Protobuf::Timestamp]
-        #     Output only. The time this
-        #     {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}'s key material is
-        #     scheduled for destruction. Only present if
-        #     {Google::Cloud::Kms::V1::CryptoKeyVersion#state state} is
+        #     Output only. The time this {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}'s key material is scheduled
+        #     for destruction. Only present if {Google::Cloud::Kms::V1::CryptoKeyVersion#state state} is
         #     {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::DESTROY_SCHEDULED DESTROY_SCHEDULED}.
         # @!attribute [rw] destroy_event_time
         #   @return [Google::Protobuf::Timestamp]
         #     Output only. The time this CryptoKeyVersion's key material was
-        #     destroyed. Only present if
-        #     {Google::Cloud::Kms::V1::CryptoKeyVersion#state state} is
+        #     destroyed. Only present if {Google::Cloud::Kms::V1::CryptoKeyVersion#state state} is
         #     {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::DESTROYED DESTROYED}.
+        # @!attribute [rw] import_job
+        #   @return [String]
+        #     Output only. The name of the {Google::Cloud::Kms::V1::ImportJob ImportJob} used to import this
+        #     {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}. Only present if the underlying key material was
+        #     imported.
+        # @!attribute [rw] import_time
+        #   @return [Google::Protobuf::Timestamp]
+        #     Output only. The time at which this {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}'s key material
+        #     was imported.
+        # @!attribute [rw] import_failure_reason
+        #   @return [String]
+        #     Output only. The root cause of an import failure. Only present if
+        #     {Google::Cloud::Kms::V1::CryptoKeyVersion#state state} is
+        #     {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::IMPORT_FAILED IMPORT_FAILED}.
         class CryptoKeyVersion
-          # The algorithm of the
-          # {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}, indicating what
+          # The algorithm of the {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}, indicating what
           # parameters must be used for each cryptographic operation.
           #
           # The
           # {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm::GOOGLE_SYMMETRIC_ENCRYPTION GOOGLE_SYMMETRIC_ENCRYPTION}
-          # algorithm is usable with
-          # {Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey#purpose}
+          # algorithm is usable with {Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey#purpose}
           # {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT}.
           #
-          # Algorithms beginning with "RSA_SIGN_" are usable with
-          # {Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey#purpose}
+          # Algorithms beginning with "RSA_SIGN_" are usable with {Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey#purpose}
           # {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ASYMMETRIC_SIGN ASYMMETRIC_SIGN}.
           #
           # The fields in the name after "RSA_SIGN_" correspond to the following
@@ -276,12 +248,14 @@ module Google
           # The fields in the name after "RSA_DECRYPT_" correspond to the following
           # parameters: padding algorithm, modulus bit length, and digest algorithm.
           #
-          # Algorithms beginning with "EC_SIGN_" are usable with
-          # {Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey#purpose}
+          # Algorithms beginning with "EC_SIGN_" are usable with {Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey#purpose}
           # {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ASYMMETRIC_SIGN ASYMMETRIC_SIGN}.
           #
           # The fields in the name after "EC_SIGN_" correspond to the following
           # parameters: elliptic curve, digest algorithm.
+          #
+          # For more information, see [Key purposes and algorithms]
+          # (https://cloud.google.com/kms/docs/algorithms).
           module CryptoKeyVersionAlgorithm
             # Not specified.
             CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED = 0
@@ -298,6 +272,9 @@ module Google
             # RSASSA-PSS 4096 bit key with a SHA256 digest.
             RSA_SIGN_PSS_4096_SHA256 = 4
 
+            # RSASSA-PSS 4096 bit key with a SHA512 digest.
+            RSA_SIGN_PSS_4096_SHA512 = 15
+
             # RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
             RSA_SIGN_PKCS1_2048_SHA256 = 5
 
@@ -307,6 +284,9 @@ module Google
             # RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
             RSA_SIGN_PKCS1_4096_SHA256 = 7
 
+            # RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
+            RSA_SIGN_PKCS1_4096_SHA512 = 16
+
             # RSAES-OAEP 2048 bit key with a SHA256 digest.
             RSA_DECRYPT_OAEP_2048_SHA256 = 8
 
@@ -316,6 +296,9 @@ module Google
             # RSAES-OAEP 4096 bit key with a SHA256 digest.
             RSA_DECRYPT_OAEP_4096_SHA256 = 10
 
+            # RSAES-OAEP 4096 bit key with a SHA512 digest.
+            RSA_DECRYPT_OAEP_4096_SHA512 = 17
+
             # ECDSA on the NIST P-256 curve with a SHA256 digest.
             EC_SIGN_P256_SHA256 = 12
 
@@ -323,26 +306,21 @@ module Google
             EC_SIGN_P384_SHA384 = 13
           end
 
-          # The state of a {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion},
-          # indicating if it can be used.
+          # The state of a {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}, indicating if it can be used.
           module CryptoKeyVersionState
             # Not specified.
             CRYPTO_KEY_VERSION_STATE_UNSPECIFIED = 0
 
             # This version is still being generated. It may not be used, enabled,
             # disabled, or destroyed yet. Cloud KMS will automatically mark this
-            # version
-            # {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED}
-            # as soon as the version is ready.
+            # version {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED} as soon as the version is ready.
             PENDING_GENERATION = 5
 
             # This version may be used for cryptographic operations.
             ENABLED = 1
 
             # This version may not be used, but the key material is still available,
-            # and the version can be placed back into the
-            # {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED}
-            # state.
+            # and the version can be placed back into the {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED} state.
             DISABLED = 2
 
             # This version is destroyed, and the key material is no longer stored.
@@ -352,34 +330,37 @@ module Google
             # This version is scheduled for destruction, and will be destroyed soon.
             # Call
             # {Google::Cloud::Kms::V1::KeyManagementService::RestoreCryptoKeyVersion RestoreCryptoKeyVersion}
-            # to put it back into the
-            # {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::DISABLED DISABLED}
-            # state.
+            # to put it back into the {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::DISABLED DISABLED} state.
             DESTROY_SCHEDULED = 4
+
+            # This version is still being imported. It may not be used, enabled,
+            # disabled, or destroyed yet. Cloud KMS will automatically mark this
+            # version {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED} as soon as the version is ready.
+            PENDING_IMPORT = 6
+
+            # This version was not imported successfully. It may not be used, enabled,
+            # disabled, or destroyed. The submitted key material has been discarded.
+            # Additional details can be found in
+            # {Google::Cloud::Kms::V1::CryptoKeyVersion#import_failure_reason CryptoKeyVersion#import_failure_reason}.
+            IMPORT_FAILED = 7
           end
 
-          # A view for {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}s.
-          # Controls the level of detail returned for
-          # {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersions} in
-          # {Google::Cloud::Kms::V1::KeyManagementService::ListCryptoKeyVersions KeyManagementService::ListCryptoKeyVersions}
-          # and
+          # A view for {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}s. Controls the level of detail returned
+          # for {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersions} in
+          # {Google::Cloud::Kms::V1::KeyManagementService::ListCryptoKeyVersions KeyManagementService::ListCryptoKeyVersions} and
           # {Google::Cloud::Kms::V1::KeyManagementService::ListCryptoKeys KeyManagementService::ListCryptoKeys}.
           module CryptoKeyVersionView
-            # Default view for each
-            # {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}. Does not
-            # include the
-            # {Google::Cloud::Kms::V1::CryptoKeyVersion#attestation attestation} field.
+            # Default view for each {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}. Does not include
+            # the {Google::Cloud::Kms::V1::CryptoKeyVersion#attestation attestation} field.
             CRYPTO_KEY_VERSION_VIEW_UNSPECIFIED = 0
 
-            # Provides all fields in each
-            # {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}, including the
+            # Provides all fields in each {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}, including the
             # {Google::Cloud::Kms::V1::CryptoKeyVersion#attestation attestation}.
             FULL = 1
           end
         end
 
-        # The public key for a given
-        # {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}. Obtained via
+        # The public key for a given {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}. Obtained via
         # {Google::Cloud::Kms::V1::KeyManagementService::GetPublicKey GetPublicKey}.
         # @!attribute [rw] pem
         #   @return [String]
@@ -390,13 +371,141 @@ module Google
         #     (https://tools.ietf.org/html/rfc7468#section-13).
         # @!attribute [rw] algorithm
         #   @return [Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm]
-        #     The
-        #     {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm Algorithm}
-        #     associated with this key.
+        #     The {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm Algorithm} associated
+        #     with this key.
         class PublicKey; end
 
-        # {Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} specifies how
-        # cryptographic operations are performed.
+        # An {Google::Cloud::Kms::V1::ImportJob ImportJob} can be used to create {Google::Cloud::Kms::V1::CryptoKey CryptoKeys} and
+        # {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersions} using pre-existing key material,
+        # generated outside of Cloud KMS.
+        #
+        # When an {Google::Cloud::Kms::V1::ImportJob ImportJob} is created, Cloud KMS will generate a "wrapping key",
+        # which is a public/private key pair. You use the wrapping key to encrypt (also
+        # known as wrap) the pre-existing key material to protect it during the import
+        # process. The nature of the wrapping key depends on the choice of
+        # {Google::Cloud::Kms::V1::ImportJob#import_method import_method}. When the wrapping key generation
+        # is complete, the {Google::Cloud::Kms::V1::ImportJob#state state} will be set to
+        # {Google::Cloud::Kms::V1::ImportJob::ImportJobState::ACTIVE ACTIVE} and the {Google::Cloud::Kms::V1::ImportJob#public_key public_key}
+        # can be fetched. The fetched public key can then be used to wrap your
+        # pre-existing key material.
+        #
+        # Once the key material is wrapped, it can be imported into a new
+        # {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} in an existing {Google::Cloud::Kms::V1::CryptoKey CryptoKey} by calling
+        # {Google::Cloud::Kms::V1::KeyManagementService::ImportCryptoKeyVersion ImportCryptoKeyVersion}.
+        # Multiple {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersions} can be imported with a single
+        # {Google::Cloud::Kms::V1::ImportJob ImportJob}. Cloud KMS uses the private key portion of the wrapping key to
+        # unwrap the key material. Only Cloud KMS has access to the private key.
+        #
+        # An {Google::Cloud::Kms::V1::ImportJob ImportJob} expires 3 days after it is created. Once expired, Cloud KMS
+        # will no longer be able to import or unwrap any key material that was wrapped
+        # with the {Google::Cloud::Kms::V1::ImportJob ImportJob}'s public key.
+        #
+        # For more information, see
+        # [Importing a key](https://cloud.google.com/kms/docs/importing-a-key).
+        # @!attribute [rw] name
+        #   @return [String]
+        #     Output only. The resource name for this {Google::Cloud::Kms::V1::ImportJob ImportJob} in the format
+        #     `projects/*/locations/*/keyRings/*/importJobs/*`.
+        # @!attribute [rw] import_method
+        #   @return [Google::Cloud::Kms::V1::ImportJob::ImportMethod]
+        #     Required and immutable. The wrapping method to be used for incoming
+        #     key material.
+        # @!attribute [rw] protection_level
+        #   @return [Google::Cloud::Kms::V1::ProtectionLevel]
+        #     Required and immutable. The protection level of the {Google::Cloud::Kms::V1::ImportJob ImportJob}. This
+        #     must match the
+        #     {Google::Cloud::Kms::V1::CryptoKeyVersionTemplate#protection_level protection_level} of the
+        #     {Google::Cloud::Kms::V1::CryptoKey#version_template version_template} on the {Google::Cloud::Kms::V1::CryptoKey CryptoKey} you
+        #     attempt to import into.
+        # @!attribute [rw] create_time
+        #   @return [Google::Protobuf::Timestamp]
+        #     Output only. The time at which this {Google::Cloud::Kms::V1::ImportJob ImportJob} was created.
+        # @!attribute [rw] generate_time
+        #   @return [Google::Protobuf::Timestamp]
+        #     Output only. The time this {Google::Cloud::Kms::V1::ImportJob ImportJob}'s key material was generated.
+        # @!attribute [rw] expire_time
+        #   @return [Google::Protobuf::Timestamp]
+        #     Output only. The time at which this {Google::Cloud::Kms::V1::ImportJob ImportJob} is scheduled for
+        #     expiration and can no longer be used to import key material.
+        # @!attribute [rw] expire_event_time
+        #   @return [Google::Protobuf::Timestamp]
+        #     Output only. The time this {Google::Cloud::Kms::V1::ImportJob ImportJob} expired. Only present if
+        #     {Google::Cloud::Kms::V1::ImportJob#state state} is {Google::Cloud::Kms::V1::ImportJob::ImportJobState::EXPIRED EXPIRED}.
+        # @!attribute [rw] state
+        #   @return [Google::Cloud::Kms::V1::ImportJob::ImportJobState]
+        #     Output only. The current state of the {Google::Cloud::Kms::V1::ImportJob ImportJob}, indicating if it can
+        #     be used.
+        # @!attribute [rw] public_key
+        #   @return [Google::Cloud::Kms::V1::ImportJob::WrappingPublicKey]
+        #     Output only. The public key with which to wrap key material prior to
+        #     import. Only returned if {Google::Cloud::Kms::V1::ImportJob#state state} is
+        #     {Google::Cloud::Kms::V1::ImportJob::ImportJobState::ACTIVE ACTIVE}.
+        # @!attribute [rw] attestation
+        #   @return [Google::Cloud::Kms::V1::KeyOperationAttestation]
+        #     Output only. Statement that was generated and signed by the key creator
+        #     (for example, an HSM) at key creation time. Use this statement to verify
+        #     attributes of the key as stored on the HSM, independently of Google.
+        #     Only present if the chosen {Google::Cloud::Kms::V1::ImportJob::ImportMethod ImportMethod} is one with a protection
+        #     level of {Google::Cloud::Kms::V1::ProtectionLevel::HSM HSM}.
+        class ImportJob
+          # The public key component of the wrapping key. For details of the type of
+          # key this public key corresponds to, see the {Google::Cloud::Kms::V1::ImportJob::ImportMethod ImportMethod}.
+          # @!attribute [rw] pem
+          #   @return [String]
+          #     The public key, encoded in PEM format. For more information, see the [RFC
+          #     7468](https://tools.ietf.org/html/rfc7468) sections for [General
+          #     Considerations](https://tools.ietf.org/html/rfc7468#section-2) and
+          #     [Textual Encoding of Subject Public Key Info]
+          #     (https://tools.ietf.org/html/rfc7468#section-13).
+          class WrappingPublicKey; end
+
+          # The state of the {Google::Cloud::Kms::V1::ImportJob ImportJob}, indicating if it can be used.
+          module ImportJobState
+            # Not specified.
+            IMPORT_JOB_STATE_UNSPECIFIED = 0
+
+            # The wrapping key for this job is still being generated. It may not be
+            # used. Cloud KMS will automatically mark this job as
+            # {Google::Cloud::Kms::V1::ImportJob::ImportJobState::ACTIVE ACTIVE} as soon as the wrapping key is generated.
+            PENDING_GENERATION = 1
+
+            # This job may be used in
+            # {Google::Cloud::Kms::V1::KeyManagementService::CreateCryptoKey CreateCryptoKey} and
+            # {Google::Cloud::Kms::V1::KeyManagementService::CreateCryptoKeyVersion CreateCryptoKeyVersion}
+            # requests.
+            ACTIVE = 2
+
+            # This job can no longer be used and may not leave this state once entered.
+            EXPIRED = 3
+          end
+
+          # {Google::Cloud::Kms::V1::ImportJob::ImportMethod ImportMethod} describes the key wrapping method chosen for this
+          # {Google::Cloud::Kms::V1::ImportJob ImportJob}.
+          module ImportMethod
+            # Not specified.
+            IMPORT_METHOD_UNSPECIFIED = 0
+
+            # This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping
+            # scheme defined in the PKCS #11 standard. In summary, this involves
+            # wrapping the raw key with an ephemeral AES key, and wrapping the
+            # ephemeral AES key with a 3072 bit RSA key. For more details, see
+            # [RSA AES key wrap
+            # mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908).
+            RSA_OAEP_3072_SHA1_AES_256 = 1
+
+            # This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping
+            # scheme defined in the PKCS #11 standard. In summary, this involves
+            # wrapping the raw key with an ephemeral AES key, and wrapping the
+            # ephemeral AES key with a 4096 bit RSA key. For more details, see
+            # [RSA AES key wrap
+            # mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908).
+            RSA_OAEP_4096_SHA1_AES_256 = 2
+          end
+        end
+
+        # {Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} specifies how cryptographic operations are performed.
+        # For more information, see [Protection levels]
+        # (https://cloud.google.com/kms/docs/algorithms#protection_levels).
         module ProtectionLevel
           # Not specified.
           PROTECTION_LEVEL_UNSPECIFIED = 0