1. Packages
  2. Google Cloud (GCP) Classic
  3. API Docs
  4. kms
  5. CryptoKey
Google Cloud Classic v8.4.1 published on Tuesday, Oct 1, 2024 by Pulumi

gcp.kms.CryptoKey

Explore with Pulumi AI

gcp logo
Google Cloud Classic v8.4.1 published on Tuesday, Oct 1, 2024 by Pulumi

    A CryptoKey represents a logical key that can be used for cryptographic operations.

    Note: CryptoKeys cannot be deleted from Google Cloud Platform. Destroying a provider-managed CryptoKey will remove it from state and delete all CryptoKeyVersions, rendering the key unusable, but will not delete the resource from the project. When the provider destroys these keys, any data previously encrypted with these keys will be irrecoverable. For this reason, it is strongly recommended that you use Pulumi’s protect resource option.

    To get more information about CryptoKey, see:

    Example Usage

    Kms Crypto Key Basic

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const keyring = new gcp.kms.KeyRing("keyring", {
        name: "keyring-example",
        location: "global",
    });
    const example_key = new gcp.kms.CryptoKey("example-key", {
        name: "crypto-key-example",
        keyRing: keyring.id,
        rotationPeriod: "7776000s",
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    keyring = gcp.kms.KeyRing("keyring",
        name="keyring-example",
        location="global")
    example_key = gcp.kms.CryptoKey("example-key",
        name="crypto-key-example",
        key_ring=keyring.id,
        rotation_period="7776000s")
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/kms"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		keyring, err := kms.NewKeyRing(ctx, "keyring", &kms.KeyRingArgs{
    			Name:     pulumi.String("keyring-example"),
    			Location: pulumi.String("global"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = kms.NewCryptoKey(ctx, "example-key", &kms.CryptoKeyArgs{
    			Name:           pulumi.String("crypto-key-example"),
    			KeyRing:        keyring.ID(),
    			RotationPeriod: pulumi.String("7776000s"),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var keyring = new Gcp.Kms.KeyRing("keyring", new()
        {
            Name = "keyring-example",
            Location = "global",
        });
    
        var example_key = new Gcp.Kms.CryptoKey("example-key", new()
        {
            Name = "crypto-key-example",
            KeyRing = keyring.Id,
            RotationPeriod = "7776000s",
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.kms.KeyRing;
    import com.pulumi.gcp.kms.KeyRingArgs;
    import com.pulumi.gcp.kms.CryptoKey;
    import com.pulumi.gcp.kms.CryptoKeyArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var keyring = new KeyRing("keyring", KeyRingArgs.builder()
                .name("keyring-example")
                .location("global")
                .build());
    
            var example_key = new CryptoKey("example-key", CryptoKeyArgs.builder()
                .name("crypto-key-example")
                .keyRing(keyring.id())
                .rotationPeriod("7776000s")
                .build());
    
        }
    }
    
    resources:
      keyring:
        type: gcp:kms:KeyRing
        properties:
          name: keyring-example
          location: global
      example-key:
        type: gcp:kms:CryptoKey
        properties:
          name: crypto-key-example
          keyRing: ${keyring.id}
          rotationPeriod: 7776000s
    

    Kms Crypto Key Asymmetric Sign

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const keyring = new gcp.kms.KeyRing("keyring", {
        name: "keyring-example",
        location: "global",
    });
    const example_asymmetric_sign_key = new gcp.kms.CryptoKey("example-asymmetric-sign-key", {
        name: "crypto-key-example",
        keyRing: keyring.id,
        purpose: "ASYMMETRIC_SIGN",
        versionTemplate: {
            algorithm: "EC_SIGN_P384_SHA384",
        },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    keyring = gcp.kms.KeyRing("keyring",
        name="keyring-example",
        location="global")
    example_asymmetric_sign_key = gcp.kms.CryptoKey("example-asymmetric-sign-key",
        name="crypto-key-example",
        key_ring=keyring.id,
        purpose="ASYMMETRIC_SIGN",
        version_template={
            "algorithm": "EC_SIGN_P384_SHA384",
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/kms"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		keyring, err := kms.NewKeyRing(ctx, "keyring", &kms.KeyRingArgs{
    			Name:     pulumi.String("keyring-example"),
    			Location: pulumi.String("global"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = kms.NewCryptoKey(ctx, "example-asymmetric-sign-key", &kms.CryptoKeyArgs{
    			Name:    pulumi.String("crypto-key-example"),
    			KeyRing: keyring.ID(),
    			Purpose: pulumi.String("ASYMMETRIC_SIGN"),
    			VersionTemplate: &kms.CryptoKeyVersionTemplateArgs{
    				Algorithm: pulumi.String("EC_SIGN_P384_SHA384"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var keyring = new Gcp.Kms.KeyRing("keyring", new()
        {
            Name = "keyring-example",
            Location = "global",
        });
    
        var example_asymmetric_sign_key = new Gcp.Kms.CryptoKey("example-asymmetric-sign-key", new()
        {
            Name = "crypto-key-example",
            KeyRing = keyring.Id,
            Purpose = "ASYMMETRIC_SIGN",
            VersionTemplate = new Gcp.Kms.Inputs.CryptoKeyVersionTemplateArgs
            {
                Algorithm = "EC_SIGN_P384_SHA384",
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.kms.KeyRing;
    import com.pulumi.gcp.kms.KeyRingArgs;
    import com.pulumi.gcp.kms.CryptoKey;
    import com.pulumi.gcp.kms.CryptoKeyArgs;
    import com.pulumi.gcp.kms.inputs.CryptoKeyVersionTemplateArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var keyring = new KeyRing("keyring", KeyRingArgs.builder()
                .name("keyring-example")
                .location("global")
                .build());
    
            var example_asymmetric_sign_key = new CryptoKey("example-asymmetric-sign-key", CryptoKeyArgs.builder()
                .name("crypto-key-example")
                .keyRing(keyring.id())
                .purpose("ASYMMETRIC_SIGN")
                .versionTemplate(CryptoKeyVersionTemplateArgs.builder()
                    .algorithm("EC_SIGN_P384_SHA384")
                    .build())
                .build());
    
        }
    }
    
    resources:
      keyring:
        type: gcp:kms:KeyRing
        properties:
          name: keyring-example
          location: global
      example-asymmetric-sign-key:
        type: gcp:kms:CryptoKey
        properties:
          name: crypto-key-example
          keyRing: ${keyring.id}
          purpose: ASYMMETRIC_SIGN
          versionTemplate:
            algorithm: EC_SIGN_P384_SHA384
    

    Create CryptoKey Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new CryptoKey(name: string, args: CryptoKeyArgs, opts?: CustomResourceOptions);
    @overload
    def CryptoKey(resource_name: str,
                  args: CryptoKeyArgs,
                  opts: Optional[ResourceOptions] = None)
    
    @overload
    def CryptoKey(resource_name: str,
                  opts: Optional[ResourceOptions] = None,
                  key_ring: Optional[str] = None,
                  crypto_key_backend: Optional[str] = None,
                  destroy_scheduled_duration: Optional[str] = None,
                  import_only: Optional[bool] = None,
                  key_access_justifications_policy: Optional[CryptoKeyKeyAccessJustificationsPolicyArgs] = None,
                  labels: Optional[Mapping[str, str]] = None,
                  name: Optional[str] = None,
                  purpose: Optional[str] = None,
                  rotation_period: Optional[str] = None,
                  skip_initial_version_creation: Optional[bool] = None,
                  version_template: Optional[CryptoKeyVersionTemplateArgs] = None)
    func NewCryptoKey(ctx *Context, name string, args CryptoKeyArgs, opts ...ResourceOption) (*CryptoKey, error)
    public CryptoKey(string name, CryptoKeyArgs args, CustomResourceOptions? opts = null)
    public CryptoKey(String name, CryptoKeyArgs args)
    public CryptoKey(String name, CryptoKeyArgs args, CustomResourceOptions options)
    
    type: gcp:kms:CryptoKey
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args CryptoKeyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args CryptoKeyArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args CryptoKeyArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args CryptoKeyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args CryptoKeyArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var cryptoKeyResource = new Gcp.Kms.CryptoKey("cryptoKeyResource", new()
    {
        KeyRing = "string",
        CryptoKeyBackend = "string",
        DestroyScheduledDuration = "string",
        ImportOnly = false,
        KeyAccessJustificationsPolicy = new Gcp.Kms.Inputs.CryptoKeyKeyAccessJustificationsPolicyArgs
        {
            AllowedAccessReasons = new[]
            {
                "string",
            },
        },
        Labels = 
        {
            { "string", "string" },
        },
        Name = "string",
        Purpose = "string",
        RotationPeriod = "string",
        SkipInitialVersionCreation = false,
        VersionTemplate = new Gcp.Kms.Inputs.CryptoKeyVersionTemplateArgs
        {
            Algorithm = "string",
            ProtectionLevel = "string",
        },
    });
    
    example, err := kms.NewCryptoKey(ctx, "cryptoKeyResource", &kms.CryptoKeyArgs{
    	KeyRing:                  pulumi.String("string"),
    	CryptoKeyBackend:         pulumi.String("string"),
    	DestroyScheduledDuration: pulumi.String("string"),
    	ImportOnly:               pulumi.Bool(false),
    	KeyAccessJustificationsPolicy: &kms.CryptoKeyKeyAccessJustificationsPolicyArgs{
    		AllowedAccessReasons: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    	},
    	Labels: pulumi.StringMap{
    		"string": pulumi.String("string"),
    	},
    	Name:                       pulumi.String("string"),
    	Purpose:                    pulumi.String("string"),
    	RotationPeriod:             pulumi.String("string"),
    	SkipInitialVersionCreation: pulumi.Bool(false),
    	VersionTemplate: &kms.CryptoKeyVersionTemplateArgs{
    		Algorithm:       pulumi.String("string"),
    		ProtectionLevel: pulumi.String("string"),
    	},
    })
    
    var cryptoKeyResource = new CryptoKey("cryptoKeyResource", CryptoKeyArgs.builder()
        .keyRing("string")
        .cryptoKeyBackend("string")
        .destroyScheduledDuration("string")
        .importOnly(false)
        .keyAccessJustificationsPolicy(CryptoKeyKeyAccessJustificationsPolicyArgs.builder()
            .allowedAccessReasons("string")
            .build())
        .labels(Map.of("string", "string"))
        .name("string")
        .purpose("string")
        .rotationPeriod("string")
        .skipInitialVersionCreation(false)
        .versionTemplate(CryptoKeyVersionTemplateArgs.builder()
            .algorithm("string")
            .protectionLevel("string")
            .build())
        .build());
    
    crypto_key_resource = gcp.kms.CryptoKey("cryptoKeyResource",
        key_ring="string",
        crypto_key_backend="string",
        destroy_scheduled_duration="string",
        import_only=False,
        key_access_justifications_policy={
            "allowedAccessReasons": ["string"],
        },
        labels={
            "string": "string",
        },
        name="string",
        purpose="string",
        rotation_period="string",
        skip_initial_version_creation=False,
        version_template={
            "algorithm": "string",
            "protectionLevel": "string",
        })
    
    const cryptoKeyResource = new gcp.kms.CryptoKey("cryptoKeyResource", {
        keyRing: "string",
        cryptoKeyBackend: "string",
        destroyScheduledDuration: "string",
        importOnly: false,
        keyAccessJustificationsPolicy: {
            allowedAccessReasons: ["string"],
        },
        labels: {
            string: "string",
        },
        name: "string",
        purpose: "string",
        rotationPeriod: "string",
        skipInitialVersionCreation: false,
        versionTemplate: {
            algorithm: "string",
            protectionLevel: "string",
        },
    });
    
    type: gcp:kms:CryptoKey
    properties:
        cryptoKeyBackend: string
        destroyScheduledDuration: string
        importOnly: false
        keyAccessJustificationsPolicy:
            allowedAccessReasons:
                - string
        keyRing: string
        labels:
            string: string
        name: string
        purpose: string
        rotationPeriod: string
        skipInitialVersionCreation: false
        versionTemplate:
            algorithm: string
            protectionLevel: string
    

    CryptoKey Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The CryptoKey resource accepts the following input properties:

    KeyRing string
    The KeyRing that this key belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.


    CryptoKeyBackend string
    The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey. The resource name is in the format "projects//locations//ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
    DestroyScheduledDuration string
    The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 30 days.
    ImportOnly bool
    Whether this key may contain imported versions only.
    KeyAccessJustificationsPolicy CryptoKeyKeyAccessJustificationsPolicy
    The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed. This field is currently in beta and is subject to change. Structure is documented below.
    Labels Dictionary<string, string>

    Labels with user-defined metadata to apply to this resource.

    Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

    Name string
    The resource name for the CryptoKey.
    Purpose string
    The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is "ENCRYPT_DECRYPT".
    RotationPeriod string
    Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (ie, 86400).
    SkipInitialVersionCreation bool
    If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must use the gcp.kms.CryptoKeyVersion resource to create a new CryptoKeyVersion or gcp.kms.KeyRingImportJob resource to import the CryptoKeyVersion.
    VersionTemplate CryptoKeyVersionTemplate
    A template describing settings for new crypto key versions. Structure is documented below.
    KeyRing string
    The KeyRing that this key belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.


    CryptoKeyBackend string
    The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey. The resource name is in the format "projects//locations//ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
    DestroyScheduledDuration string
    The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 30 days.
    ImportOnly bool
    Whether this key may contain imported versions only.
    KeyAccessJustificationsPolicy CryptoKeyKeyAccessJustificationsPolicyArgs
    The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed. This field is currently in beta and is subject to change. Structure is documented below.
    Labels map[string]string

    Labels with user-defined metadata to apply to this resource.

    Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

    Name string
    The resource name for the CryptoKey.
    Purpose string
    The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is "ENCRYPT_DECRYPT".
    RotationPeriod string
    Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (ie, 86400).
    SkipInitialVersionCreation bool
    If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must use the gcp.kms.CryptoKeyVersion resource to create a new CryptoKeyVersion or gcp.kms.KeyRingImportJob resource to import the CryptoKeyVersion.
    VersionTemplate CryptoKeyVersionTemplateArgs
    A template describing settings for new crypto key versions. Structure is documented below.
    keyRing String
    The KeyRing that this key belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.


    cryptoKeyBackend String
    The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey. The resource name is in the format "projects//locations//ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
    destroyScheduledDuration String
    The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 30 days.
    importOnly Boolean
    Whether this key may contain imported versions only.
    keyAccessJustificationsPolicy CryptoKeyKeyAccessJustificationsPolicy
    The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed. This field is currently in beta and is subject to change. Structure is documented below.
    labels Map<String,String>

    Labels with user-defined metadata to apply to this resource.

    Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

    name String
    The resource name for the CryptoKey.
    purpose String
    The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is "ENCRYPT_DECRYPT".
    rotationPeriod String
    Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (ie, 86400).
    skipInitialVersionCreation Boolean
    If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must use the gcp.kms.CryptoKeyVersion resource to create a new CryptoKeyVersion or gcp.kms.KeyRingImportJob resource to import the CryptoKeyVersion.
    versionTemplate CryptoKeyVersionTemplate
    A template describing settings for new crypto key versions. Structure is documented below.
    keyRing string
    The KeyRing that this key belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.


    cryptoKeyBackend string
    The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey. The resource name is in the format "projects//locations//ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
    destroyScheduledDuration string
    The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 30 days.
    importOnly boolean
    Whether this key may contain imported versions only.
    keyAccessJustificationsPolicy CryptoKeyKeyAccessJustificationsPolicy
    The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed. This field is currently in beta and is subject to change. Structure is documented below.
    labels {[key: string]: string}

    Labels with user-defined metadata to apply to this resource.

    Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

    name string
    The resource name for the CryptoKey.
    purpose string
    The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is "ENCRYPT_DECRYPT".
    rotationPeriod string
    Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (ie, 86400).
    skipInitialVersionCreation boolean
    If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must use the gcp.kms.CryptoKeyVersion resource to create a new CryptoKeyVersion or gcp.kms.KeyRingImportJob resource to import the CryptoKeyVersion.
    versionTemplate CryptoKeyVersionTemplate
    A template describing settings for new crypto key versions. Structure is documented below.
    key_ring str
    The KeyRing that this key belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.


    crypto_key_backend str
    The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey. The resource name is in the format "projects//locations//ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
    destroy_scheduled_duration str
    The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 30 days.
    import_only bool
    Whether this key may contain imported versions only.
    key_access_justifications_policy CryptoKeyKeyAccessJustificationsPolicyArgs
    The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed. This field is currently in beta and is subject to change. Structure is documented below.
    labels Mapping[str, str]

    Labels with user-defined metadata to apply to this resource.

    Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

    name str
    The resource name for the CryptoKey.
    purpose str
    The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is "ENCRYPT_DECRYPT".
    rotation_period str
    Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (ie, 86400).
    skip_initial_version_creation bool
    If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must use the gcp.kms.CryptoKeyVersion resource to create a new CryptoKeyVersion or gcp.kms.KeyRingImportJob resource to import the CryptoKeyVersion.
    version_template CryptoKeyVersionTemplateArgs
    A template describing settings for new crypto key versions. Structure is documented below.
    keyRing String
    The KeyRing that this key belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.


    cryptoKeyBackend String
    The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey. The resource name is in the format "projects//locations//ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
    destroyScheduledDuration String
    The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 30 days.
    importOnly Boolean
    Whether this key may contain imported versions only.
    keyAccessJustificationsPolicy Property Map
    The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed. This field is currently in beta and is subject to change. Structure is documented below.
    labels Map<String>

    Labels with user-defined metadata to apply to this resource.

    Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

    name String
    The resource name for the CryptoKey.
    purpose String
    The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is "ENCRYPT_DECRYPT".
    rotationPeriod String
    Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (ie, 86400).
    skipInitialVersionCreation Boolean
    If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must use the gcp.kms.CryptoKeyVersion resource to create a new CryptoKeyVersion or gcp.kms.KeyRingImportJob resource to import the CryptoKeyVersion.
    versionTemplate Property Map
    A template describing settings for new crypto key versions. Structure is documented below.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the CryptoKey resource produces the following output properties:

    EffectiveLabels Dictionary<string, string>
    All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    Id string
    The provider-assigned unique ID for this managed resource.
    Primaries List<CryptoKeyPrimary>
    A copy of the primary CryptoKeyVersion that will be used by cryptoKeys.encrypt when this CryptoKey is given in EncryptRequest.name. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be unset. Structure is documented below.
    PulumiLabels Dictionary<string, string>
    The combination of labels configured directly on the resource and default labels configured on the provider.
    EffectiveLabels map[string]string
    All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    Id string
    The provider-assigned unique ID for this managed resource.
    Primaries []CryptoKeyPrimary
    A copy of the primary CryptoKeyVersion that will be used by cryptoKeys.encrypt when this CryptoKey is given in EncryptRequest.name. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be unset. Structure is documented below.
    PulumiLabels map[string]string
    The combination of labels configured directly on the resource and default labels configured on the provider.
    effectiveLabels Map<String,String>
    All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    id String
    The provider-assigned unique ID for this managed resource.
    primaries List<CryptoKeyPrimary>
    A copy of the primary CryptoKeyVersion that will be used by cryptoKeys.encrypt when this CryptoKey is given in EncryptRequest.name. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be unset. Structure is documented below.
    pulumiLabels Map<String,String>
    The combination of labels configured directly on the resource and default labels configured on the provider.
    effectiveLabels {[key: string]: string}
    All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    id string
    The provider-assigned unique ID for this managed resource.
    primaries CryptoKeyPrimary[]
    A copy of the primary CryptoKeyVersion that will be used by cryptoKeys.encrypt when this CryptoKey is given in EncryptRequest.name. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be unset. Structure is documented below.
    pulumiLabels {[key: string]: string}
    The combination of labels configured directly on the resource and default labels configured on the provider.
    effective_labels Mapping[str, str]
    All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    id str
    The provider-assigned unique ID for this managed resource.
    primaries Sequence[CryptoKeyPrimary]
    A copy of the primary CryptoKeyVersion that will be used by cryptoKeys.encrypt when this CryptoKey is given in EncryptRequest.name. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be unset. Structure is documented below.
    pulumi_labels Mapping[str, str]
    The combination of labels configured directly on the resource and default labels configured on the provider.
    effectiveLabels Map<String>
    All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    id String
    The provider-assigned unique ID for this managed resource.
    primaries List<Property Map>
    A copy of the primary CryptoKeyVersion that will be used by cryptoKeys.encrypt when this CryptoKey is given in EncryptRequest.name. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be unset. Structure is documented below.
    pulumiLabels Map<String>
    The combination of labels configured directly on the resource and default labels configured on the provider.

    Look up Existing CryptoKey Resource

    Get an existing CryptoKey resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: CryptoKeyState, opts?: CustomResourceOptions): CryptoKey
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            crypto_key_backend: Optional[str] = None,
            destroy_scheduled_duration: Optional[str] = None,
            effective_labels: Optional[Mapping[str, str]] = None,
            import_only: Optional[bool] = None,
            key_access_justifications_policy: Optional[CryptoKeyKeyAccessJustificationsPolicyArgs] = None,
            key_ring: Optional[str] = None,
            labels: Optional[Mapping[str, str]] = None,
            name: Optional[str] = None,
            primaries: Optional[Sequence[CryptoKeyPrimaryArgs]] = None,
            pulumi_labels: Optional[Mapping[str, str]] = None,
            purpose: Optional[str] = None,
            rotation_period: Optional[str] = None,
            skip_initial_version_creation: Optional[bool] = None,
            version_template: Optional[CryptoKeyVersionTemplateArgs] = None) -> CryptoKey
    func GetCryptoKey(ctx *Context, name string, id IDInput, state *CryptoKeyState, opts ...ResourceOption) (*CryptoKey, error)
    public static CryptoKey Get(string name, Input<string> id, CryptoKeyState? state, CustomResourceOptions? opts = null)
    public static CryptoKey get(String name, Output<String> id, CryptoKeyState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    CryptoKeyBackend string
    The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey. The resource name is in the format "projects//locations//ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
    DestroyScheduledDuration string
    The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 30 days.
    EffectiveLabels Dictionary<string, string>
    All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    ImportOnly bool
    Whether this key may contain imported versions only.
    KeyAccessJustificationsPolicy CryptoKeyKeyAccessJustificationsPolicy
    The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed. This field is currently in beta and is subject to change. Structure is documented below.
    KeyRing string
    The KeyRing that this key belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.


    Labels Dictionary<string, string>

    Labels with user-defined metadata to apply to this resource.

    Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

    Name string
    The resource name for the CryptoKey.
    Primaries List<CryptoKeyPrimary>
    A copy of the primary CryptoKeyVersion that will be used by cryptoKeys.encrypt when this CryptoKey is given in EncryptRequest.name. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be unset. Structure is documented below.
    PulumiLabels Dictionary<string, string>
    The combination of labels configured directly on the resource and default labels configured on the provider.
    Purpose string
    The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is "ENCRYPT_DECRYPT".
    RotationPeriod string
    Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (ie, 86400).
    SkipInitialVersionCreation bool
    If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must use the gcp.kms.CryptoKeyVersion resource to create a new CryptoKeyVersion or gcp.kms.KeyRingImportJob resource to import the CryptoKeyVersion.
    VersionTemplate CryptoKeyVersionTemplate
    A template describing settings for new crypto key versions. Structure is documented below.
    CryptoKeyBackend string
    The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey. The resource name is in the format "projects//locations//ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
    DestroyScheduledDuration string
    The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 30 days.
    EffectiveLabels map[string]string
    All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    ImportOnly bool
    Whether this key may contain imported versions only.
    KeyAccessJustificationsPolicy CryptoKeyKeyAccessJustificationsPolicyArgs
    The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed. This field is currently in beta and is subject to change. Structure is documented below.
    KeyRing string
    The KeyRing that this key belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.


    Labels map[string]string

    Labels with user-defined metadata to apply to this resource.

    Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

    Name string
    The resource name for the CryptoKey.
    Primaries []CryptoKeyPrimaryArgs
    A copy of the primary CryptoKeyVersion that will be used by cryptoKeys.encrypt when this CryptoKey is given in EncryptRequest.name. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be unset. Structure is documented below.
    PulumiLabels map[string]string
    The combination of labels configured directly on the resource and default labels configured on the provider.
    Purpose string
    The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is "ENCRYPT_DECRYPT".
    RotationPeriod string
    Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (ie, 86400).
    SkipInitialVersionCreation bool
    If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must use the gcp.kms.CryptoKeyVersion resource to create a new CryptoKeyVersion or gcp.kms.KeyRingImportJob resource to import the CryptoKeyVersion.
    VersionTemplate CryptoKeyVersionTemplateArgs
    A template describing settings for new crypto key versions. Structure is documented below.
    cryptoKeyBackend String
    The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey. The resource name is in the format "projects//locations//ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
    destroyScheduledDuration String
    The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 30 days.
    effectiveLabels Map<String,String>
    All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    importOnly Boolean
    Whether this key may contain imported versions only.
    keyAccessJustificationsPolicy CryptoKeyKeyAccessJustificationsPolicy
    The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed. This field is currently in beta and is subject to change. Structure is documented below.
    keyRing String
    The KeyRing that this key belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.


    labels Map<String,String>

    Labels with user-defined metadata to apply to this resource.

    Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

    name String
    The resource name for the CryptoKey.
    primaries List<CryptoKeyPrimary>
    A copy of the primary CryptoKeyVersion that will be used by cryptoKeys.encrypt when this CryptoKey is given in EncryptRequest.name. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be unset. Structure is documented below.
    pulumiLabels Map<String,String>
    The combination of labels configured directly on the resource and default labels configured on the provider.
    purpose String
    The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is "ENCRYPT_DECRYPT".
    rotationPeriod String
    Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (ie, 86400).
    skipInitialVersionCreation Boolean
    If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must use the gcp.kms.CryptoKeyVersion resource to create a new CryptoKeyVersion or gcp.kms.KeyRingImportJob resource to import the CryptoKeyVersion.
    versionTemplate CryptoKeyVersionTemplate
    A template describing settings for new crypto key versions. Structure is documented below.
    cryptoKeyBackend string
    The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey. The resource name is in the format "projects//locations//ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
    destroyScheduledDuration string
    The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 30 days.
    effectiveLabels {[key: string]: string}
    All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    importOnly boolean
    Whether this key may contain imported versions only.
    keyAccessJustificationsPolicy CryptoKeyKeyAccessJustificationsPolicy
    The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed. This field is currently in beta and is subject to change. Structure is documented below.
    keyRing string
    The KeyRing that this key belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.


    labels {[key: string]: string}

    Labels with user-defined metadata to apply to this resource.

    Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

    name string
    The resource name for the CryptoKey.
    primaries CryptoKeyPrimary[]
    A copy of the primary CryptoKeyVersion that will be used by cryptoKeys.encrypt when this CryptoKey is given in EncryptRequest.name. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be unset. Structure is documented below.
    pulumiLabels {[key: string]: string}
    The combination of labels configured directly on the resource and default labels configured on the provider.
    purpose string
    The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is "ENCRYPT_DECRYPT".
    rotationPeriod string
    Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (ie, 86400).
    skipInitialVersionCreation boolean
    If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must use the gcp.kms.CryptoKeyVersion resource to create a new CryptoKeyVersion or gcp.kms.KeyRingImportJob resource to import the CryptoKeyVersion.
    versionTemplate CryptoKeyVersionTemplate
    A template describing settings for new crypto key versions. Structure is documented below.
    crypto_key_backend str
    The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey. The resource name is in the format "projects//locations//ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
    destroy_scheduled_duration str
    The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 30 days.
    effective_labels Mapping[str, str]
    All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    import_only bool
    Whether this key may contain imported versions only.
    key_access_justifications_policy CryptoKeyKeyAccessJustificationsPolicyArgs
    The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed. This field is currently in beta and is subject to change. Structure is documented below.
    key_ring str
    The KeyRing that this key belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.


    labels Mapping[str, str]

    Labels with user-defined metadata to apply to this resource.

    Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

    name str
    The resource name for the CryptoKey.
    primaries Sequence[CryptoKeyPrimaryArgs]
    A copy of the primary CryptoKeyVersion that will be used by cryptoKeys.encrypt when this CryptoKey is given in EncryptRequest.name. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be unset. Structure is documented below.
    pulumi_labels Mapping[str, str]
    The combination of labels configured directly on the resource and default labels configured on the provider.
    purpose str
    The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is "ENCRYPT_DECRYPT".
    rotation_period str
    Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (ie, 86400).
    skip_initial_version_creation bool
    If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must use the gcp.kms.CryptoKeyVersion resource to create a new CryptoKeyVersion or gcp.kms.KeyRingImportJob resource to import the CryptoKeyVersion.
    version_template CryptoKeyVersionTemplateArgs
    A template describing settings for new crypto key versions. Structure is documented below.
    cryptoKeyBackend String
    The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey. The resource name is in the format "projects//locations//ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
    destroyScheduledDuration String
    The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 30 days.
    effectiveLabels Map<String>
    All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    importOnly Boolean
    Whether this key may contain imported versions only.
    keyAccessJustificationsPolicy Property Map
    The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed. This field is currently in beta and is subject to change. Structure is documented below.
    keyRing String
    The KeyRing that this key belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.


    labels Map<String>

    Labels with user-defined metadata to apply to this resource.

    Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

    name String
    The resource name for the CryptoKey.
    primaries List<Property Map>
    A copy of the primary CryptoKeyVersion that will be used by cryptoKeys.encrypt when this CryptoKey is given in EncryptRequest.name. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be unset. Structure is documented below.
    pulumiLabels Map<String>
    The combination of labels configured directly on the resource and default labels configured on the provider.
    purpose String
    The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is "ENCRYPT_DECRYPT".
    rotationPeriod String
    Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (ie, 86400).
    skipInitialVersionCreation Boolean
    If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must use the gcp.kms.CryptoKeyVersion resource to create a new CryptoKeyVersion or gcp.kms.KeyRingImportJob resource to import the CryptoKeyVersion.
    versionTemplate Property Map
    A template describing settings for new crypto key versions. Structure is documented below.

    Supporting Types

    CryptoKeyKeyAccessJustificationsPolicy, CryptoKeyKeyAccessJustificationsPolicyArgs

    AllowedAccessReasons List<string>
    The list of allowed reasons for access to this CryptoKey. Zero allowed access reasons means all encrypt, decrypt, and sign operations for this CryptoKey will fail.
    AllowedAccessReasons []string
    The list of allowed reasons for access to this CryptoKey. Zero allowed access reasons means all encrypt, decrypt, and sign operations for this CryptoKey will fail.
    allowedAccessReasons List<String>
    The list of allowed reasons for access to this CryptoKey. Zero allowed access reasons means all encrypt, decrypt, and sign operations for this CryptoKey will fail.
    allowedAccessReasons string[]
    The list of allowed reasons for access to this CryptoKey. Zero allowed access reasons means all encrypt, decrypt, and sign operations for this CryptoKey will fail.
    allowed_access_reasons Sequence[str]
    The list of allowed reasons for access to this CryptoKey. Zero allowed access reasons means all encrypt, decrypt, and sign operations for this CryptoKey will fail.
    allowedAccessReasons List<String>
    The list of allowed reasons for access to this CryptoKey. Zero allowed access reasons means all encrypt, decrypt, and sign operations for this CryptoKey will fail.

    CryptoKeyPrimary, CryptoKeyPrimaryArgs

    Name string
    The resource name for the CryptoKey.
    State string
    (Output) The current state of the CryptoKeyVersion.
    Name string
    The resource name for the CryptoKey.
    State string
    (Output) The current state of the CryptoKeyVersion.
    name String
    The resource name for the CryptoKey.
    state String
    (Output) The current state of the CryptoKeyVersion.
    name string
    The resource name for the CryptoKey.
    state string
    (Output) The current state of the CryptoKeyVersion.
    name str
    The resource name for the CryptoKey.
    state str
    (Output) The current state of the CryptoKeyVersion.
    name String
    The resource name for the CryptoKey.
    state String
    (Output) The current state of the CryptoKeyVersion.

    CryptoKeyVersionTemplate, CryptoKeyVersionTemplateArgs

    Algorithm string
    The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
    ProtectionLevel string
    The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".
    Algorithm string
    The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
    ProtectionLevel string
    The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".
    algorithm String
    The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
    protectionLevel String
    The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".
    algorithm string
    The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
    protectionLevel string
    The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".
    algorithm str
    The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
    protection_level str
    The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".
    algorithm String
    The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
    protectionLevel String
    The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".

    Import

    CryptoKey can be imported using any of these accepted formats:

    • {{key_ring}}/cryptoKeys/{{name}}

    • {{key_ring}}/{{name}}

    When using the pulumi import command, CryptoKey can be imported using one of the formats above. For example:

    $ pulumi import gcp:kms/cryptoKey:CryptoKey default {{key_ring}}/cryptoKeys/{{name}}
    
    $ pulumi import gcp:kms/cryptoKey:CryptoKey default {{key_ring}}/{{name}}
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Google Cloud (GCP) Classic pulumi/pulumi-gcp
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the google-beta Terraform Provider.
    gcp logo
    Google Cloud Classic v8.4.1 published on Tuesday, Oct 1, 2024 by Pulumi