Google Cloud Classic v6.57.0, May 30 23

gcp.kms.CryptoKey

Explore with Pulumi AI

A CryptoKey represents a logical key that can be used for cryptographic operations.

Note: CryptoKeys cannot be deleted from Google Cloud Platform. Destroying a provider-managed CryptoKey will remove it from state and delete all CryptoKeyVersions, rendering the key unusable, but will not delete the resource from the project. When the provider destroys these keys, any data previously encrypted with these keys will be irrecoverable. For this reason, it is strongly recommended that you add lifecycle hooks to the resource to prevent accidental destruction.

To get more information about CryptoKey, see:

API documentation
How-to Guides
- Creating a key

Example Usage

Kms Crypto Key Basic

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var keyring = new Gcp.Kms.KeyRing("keyring", new()
    {
        Location = "global",
    });

    var example_key = new Gcp.Kms.CryptoKey("example-key", new()
    {
        KeyRing = keyring.Id,
        RotationPeriod = "100000s",
    });

});

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/kms"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		keyring, err := kms.NewKeyRing(ctx, "keyring", &kms.KeyRingArgs{
			Location: pulumi.String("global"),
		})
		if err != nil {
			return err
		}
		_, err = kms.NewCryptoKey(ctx, "example-key", &kms.CryptoKeyArgs{
			KeyRing:        keyring.ID(),
			RotationPeriod: pulumi.String("100000s"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.kms.KeyRing;
import com.pulumi.gcp.kms.KeyRingArgs;
import com.pulumi.gcp.kms.CryptoKey;
import com.pulumi.gcp.kms.CryptoKeyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var keyring = new KeyRing("keyring", KeyRingArgs.builder()        
            .location("global")
            .build());

        var example_key = new CryptoKey("example-key", CryptoKeyArgs.builder()        
            .keyRing(keyring.id())
            .rotationPeriod("100000s")
            .build());

    }
}

import pulumi
import pulumi_gcp as gcp

keyring = gcp.kms.KeyRing("keyring", location="global")
example_key = gcp.kms.CryptoKey("example-key",
    key_ring=keyring.id,
    rotation_period="100000s")

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const keyring = new gcp.kms.KeyRing("keyring", {location: "global"});
const example_key = new gcp.kms.CryptoKey("example-key", {
    keyRing: keyring.id,
    rotationPeriod: "100000s",
});

resources:
  keyring:
    type: gcp:kms:KeyRing
    properties:
      location: global
  example-key:
    type: gcp:kms:CryptoKey
    properties:
      keyRing: ${keyring.id}
      rotationPeriod: 100000s

Kms Crypto Key Asymmetric Sign

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var keyring = new Gcp.Kms.KeyRing("keyring", new()
    {
        Location = "global",
    });

    var example_asymmetric_sign_key = new Gcp.Kms.CryptoKey("example-asymmetric-sign-key", new()
    {
        KeyRing = keyring.Id,
        Purpose = "ASYMMETRIC_SIGN",
        VersionTemplate = new Gcp.Kms.Inputs.CryptoKeyVersionTemplateArgs
        {
            Algorithm = "EC_SIGN_P384_SHA384",
        },
    });

});

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/kms"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		keyring, err := kms.NewKeyRing(ctx, "keyring", &kms.KeyRingArgs{
			Location: pulumi.String("global"),
		})
		if err != nil {
			return err
		}
		_, err = kms.NewCryptoKey(ctx, "example-asymmetric-sign-key", &kms.CryptoKeyArgs{
			KeyRing: keyring.ID(),
			Purpose: pulumi.String("ASYMMETRIC_SIGN"),
			VersionTemplate: &kms.CryptoKeyVersionTemplateArgs{
				Algorithm: pulumi.String("EC_SIGN_P384_SHA384"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.kms.KeyRing;
import com.pulumi.gcp.kms.KeyRingArgs;
import com.pulumi.gcp.kms.CryptoKey;
import com.pulumi.gcp.kms.CryptoKeyArgs;
import com.pulumi.gcp.kms.inputs.CryptoKeyVersionTemplateArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var keyring = new KeyRing("keyring", KeyRingArgs.builder()        
            .location("global")
            .build());

        var example_asymmetric_sign_key = new CryptoKey("example-asymmetric-sign-key", CryptoKeyArgs.builder()        
            .keyRing(keyring.id())
            .purpose("ASYMMETRIC_SIGN")
            .versionTemplate(CryptoKeyVersionTemplateArgs.builder()
                .algorithm("EC_SIGN_P384_SHA384")
                .build())
            .build());

    }
}

import pulumi
import pulumi_gcp as gcp

keyring = gcp.kms.KeyRing("keyring", location="global")
example_asymmetric_sign_key = gcp.kms.CryptoKey("example-asymmetric-sign-key",
    key_ring=keyring.id,
    purpose="ASYMMETRIC_SIGN",
    version_template=gcp.kms.CryptoKeyVersionTemplateArgs(
        algorithm="EC_SIGN_P384_SHA384",
    ))

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const keyring = new gcp.kms.KeyRing("keyring", {location: "global"});
const example_asymmetric_sign_key = new gcp.kms.CryptoKey("example-asymmetric-sign-key", {
    keyRing: keyring.id,
    purpose: "ASYMMETRIC_SIGN",
    versionTemplate: {
        algorithm: "EC_SIGN_P384_SHA384",
    },
});

resources:
  keyring:
    type: gcp:kms:KeyRing
    properties:
      location: global
  example-asymmetric-sign-key:
    type: gcp:kms:CryptoKey
    properties:
      keyRing: ${keyring.id}
      purpose: ASYMMETRIC_SIGN
      versionTemplate:
        algorithm: EC_SIGN_P384_SHA384

Create CryptoKey Resource

new CryptoKey(name: string, args: CryptoKeyArgs, opts?: CustomResourceOptions);

@overload
def CryptoKey(resource_name: str,
              opts: Optional[ResourceOptions] = None,
              destroy_scheduled_duration: Optional[str] = None,
              import_only: Optional[bool] = None,
              key_ring: Optional[str] = None,
              labels: Optional[Mapping[str, str]] = None,
              name: Optional[str] = None,
              purpose: Optional[str] = None,
              rotation_period: Optional[str] = None,
              skip_initial_version_creation: Optional[bool] = None,
              version_template: Optional[CryptoKeyVersionTemplateArgs] = None)
@overload
def CryptoKey(resource_name: str,
              args: CryptoKeyArgs,
              opts: Optional[ResourceOptions] = None)

func NewCryptoKey(ctx *Context, name string, args CryptoKeyArgs, opts ...ResourceOption) (*CryptoKey, error)

public CryptoKey(string name, CryptoKeyArgs args, CustomResourceOptions? opts = null)

public CryptoKey(String name, CryptoKeyArgs args)
public CryptoKey(String name, CryptoKeyArgs args, CustomResourceOptions options)

type: gcp:kms:CryptoKey
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string: The unique name of the resource.
args CryptoKeyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args CryptoKeyArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args CryptoKeyArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args CryptoKeyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args CryptoKeyArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

CryptoKey Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The CryptoKey resource accepts the following input properties:

KeyRing string: The KeyRing that this key belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.
DestroyScheduledDuration string: The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
ImportOnly bool: Whether this key may contain imported versions only.
Labels Dictionary<string, string>: Labels with user-defined metadata to apply to this resource.
Name string: The resource name for the CryptoKey.
Purpose string: The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is ENCRYPT_DECRYPT. Possible values are: ENCRYPT_DECRYPT, ASYMMETRIC_SIGN, ASYMMETRIC_DECRYPT, MAC.
RotationPeriod string: Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (ie, 86400).
SkipInitialVersionCreation bool: If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must use the gcp.kms.KeyRingImportJob resource to import the CryptoKeyVersion.
VersionTemplate CryptoKeyVersionTemplateArgs: A template describing settings for new crypto key versions. Structure is documented below.

KeyRing string: The KeyRing that this key belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.
DestroyScheduledDuration string: The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
ImportOnly bool: Whether this key may contain imported versions only.
Labels map[string]string: Labels with user-defined metadata to apply to this resource.
Name string: The resource name for the CryptoKey.
Purpose string: The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is ENCRYPT_DECRYPT. Possible values are: ENCRYPT_DECRYPT, ASYMMETRIC_SIGN, ASYMMETRIC_DECRYPT, MAC.
RotationPeriod string: Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (ie, 86400).
SkipInitialVersionCreation bool: If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must use the gcp.kms.KeyRingImportJob resource to import the CryptoKeyVersion.
VersionTemplate CryptoKeyVersionTemplateArgs: A template describing settings for new crypto key versions. Structure is documented below.

keyRing String: The KeyRing that this key belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.
destroyScheduledDuration String: The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
importOnly Boolean: Whether this key may contain imported versions only.
labels Map<String,String>: Labels with user-defined metadata to apply to this resource.
name String: The resource name for the CryptoKey.
purpose String: The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is ENCRYPT_DECRYPT. Possible values are: ENCRYPT_DECRYPT, ASYMMETRIC_SIGN, ASYMMETRIC_DECRYPT, MAC.
rotationPeriod String: Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (ie, 86400).
skipInitialVersionCreation Boolean: If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must use the gcp.kms.KeyRingImportJob resource to import the CryptoKeyVersion.
versionTemplate CryptoKeyVersionTemplateArgs: A template describing settings for new crypto key versions. Structure is documented below.

keyRing string: The KeyRing that this key belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.
destroyScheduledDuration string: The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
importOnly boolean: Whether this key may contain imported versions only.
labels {[key: string]: string}: Labels with user-defined metadata to apply to this resource.
name string: The resource name for the CryptoKey.
purpose string: The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is ENCRYPT_DECRYPT. Possible values are: ENCRYPT_DECRYPT, ASYMMETRIC_SIGN, ASYMMETRIC_DECRYPT, MAC.
rotationPeriod string: Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (ie, 86400).
skipInitialVersionCreation boolean: If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must use the gcp.kms.KeyRingImportJob resource to import the CryptoKeyVersion.
versionTemplate CryptoKeyVersionTemplateArgs: A template describing settings for new crypto key versions. Structure is documented below.

key_ring str: The KeyRing that this key belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.
destroy_scheduled_duration str: The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
import_only bool: Whether this key may contain imported versions only.
labels Mapping[str, str]: Labels with user-defined metadata to apply to this resource.
name str: The resource name for the CryptoKey.
purpose str: The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is ENCRYPT_DECRYPT. Possible values are: ENCRYPT_DECRYPT, ASYMMETRIC_SIGN, ASYMMETRIC_DECRYPT, MAC.
rotation_period str: Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (ie, 86400).
skip_initial_version_creation bool: If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must use the gcp.kms.KeyRingImportJob resource to import the CryptoKeyVersion.
version_template CryptoKeyVersionTemplateArgs: A template describing settings for new crypto key versions. Structure is documented below.

keyRing String: The KeyRing that this key belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.
destroyScheduledDuration String: The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
importOnly Boolean: Whether this key may contain imported versions only.
labels Map<String>: Labels with user-defined metadata to apply to this resource.
name String: The resource name for the CryptoKey.
purpose String: The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is ENCRYPT_DECRYPT. Possible values are: ENCRYPT_DECRYPT, ASYMMETRIC_SIGN, ASYMMETRIC_DECRYPT, MAC.
rotationPeriod String: Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (ie, 86400).
skipInitialVersionCreation Boolean: If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must use the gcp.kms.KeyRingImportJob resource to import the CryptoKeyVersion.
versionTemplate Property Map: A template describing settings for new crypto key versions. Structure is documented below.

Outputs

All input properties are implicitly available as output properties. Additionally, the CryptoKey resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

Look up Existing CryptoKey Resource

Get an existing CryptoKey resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: CryptoKeyState, opts?: CustomResourceOptions): CryptoKey

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        destroy_scheduled_duration: Optional[str] = None,
        import_only: Optional[bool] = None,
        key_ring: Optional[str] = None,
        labels: Optional[Mapping[str, str]] = None,
        name: Optional[str] = None,
        purpose: Optional[str] = None,
        rotation_period: Optional[str] = None,
        skip_initial_version_creation: Optional[bool] = None,
        version_template: Optional[CryptoKeyVersionTemplateArgs] = None) -> CryptoKey

func GetCryptoKey(ctx *Context, name string, id IDInput, state *CryptoKeyState, opts ...ResourceOption) (*CryptoKey, error)

public static CryptoKey Get(string name, Input<string> id, CryptoKeyState? state, CustomResourceOptions? opts = null)

public static CryptoKey get(String name, Output<String> id, CryptoKeyState state, CustomResourceOptions options)

Resource lookup is not supported in YAML

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

DestroyScheduledDuration string: The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
ImportOnly bool: Whether this key may contain imported versions only.
KeyRing string: The KeyRing that this key belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.
Labels Dictionary<string, string>: Labels with user-defined metadata to apply to this resource.
Name string: The resource name for the CryptoKey.
Purpose string: The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is ENCRYPT_DECRYPT. Possible values are: ENCRYPT_DECRYPT, ASYMMETRIC_SIGN, ASYMMETRIC_DECRYPT, MAC.
RotationPeriod string: Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (ie, 86400).
SkipInitialVersionCreation bool: If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must use the gcp.kms.KeyRingImportJob resource to import the CryptoKeyVersion.
VersionTemplate CryptoKeyVersionTemplateArgs: A template describing settings for new crypto key versions. Structure is documented below.

DestroyScheduledDuration string: The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
ImportOnly bool: Whether this key may contain imported versions only.
KeyRing string: The KeyRing that this key belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.
Labels map[string]string: Labels with user-defined metadata to apply to this resource.
Name string: The resource name for the CryptoKey.
Purpose string: The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is ENCRYPT_DECRYPT. Possible values are: ENCRYPT_DECRYPT, ASYMMETRIC_SIGN, ASYMMETRIC_DECRYPT, MAC.
RotationPeriod string: Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (ie, 86400).
SkipInitialVersionCreation bool: If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must use the gcp.kms.KeyRingImportJob resource to import the CryptoKeyVersion.
VersionTemplate CryptoKeyVersionTemplateArgs: A template describing settings for new crypto key versions. Structure is documented below.

destroyScheduledDuration String: The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
importOnly Boolean: Whether this key may contain imported versions only.
keyRing String: The KeyRing that this key belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.
labels Map<String,String>: Labels with user-defined metadata to apply to this resource.
name String: The resource name for the CryptoKey.
purpose String: The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is ENCRYPT_DECRYPT. Possible values are: ENCRYPT_DECRYPT, ASYMMETRIC_SIGN, ASYMMETRIC_DECRYPT, MAC.
rotationPeriod String: Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (ie, 86400).
skipInitialVersionCreation Boolean: If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must use the gcp.kms.KeyRingImportJob resource to import the CryptoKeyVersion.
versionTemplate CryptoKeyVersionTemplateArgs: A template describing settings for new crypto key versions. Structure is documented below.

destroyScheduledDuration string: The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
importOnly boolean: Whether this key may contain imported versions only.
keyRing string: The KeyRing that this key belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.
labels {[key: string]: string}: Labels with user-defined metadata to apply to this resource.
name string: The resource name for the CryptoKey.
purpose string: The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is ENCRYPT_DECRYPT. Possible values are: ENCRYPT_DECRYPT, ASYMMETRIC_SIGN, ASYMMETRIC_DECRYPT, MAC.
rotationPeriod string: Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (ie, 86400).
skipInitialVersionCreation boolean: If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must use the gcp.kms.KeyRingImportJob resource to import the CryptoKeyVersion.
versionTemplate CryptoKeyVersionTemplateArgs: A template describing settings for new crypto key versions. Structure is documented below.

destroy_scheduled_duration str: The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
import_only bool: Whether this key may contain imported versions only.
key_ring str: The KeyRing that this key belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.
labels Mapping[str, str]: Labels with user-defined metadata to apply to this resource.
name str: The resource name for the CryptoKey.
purpose str: The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is ENCRYPT_DECRYPT. Possible values are: ENCRYPT_DECRYPT, ASYMMETRIC_SIGN, ASYMMETRIC_DECRYPT, MAC.
rotation_period str: Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (ie, 86400).
skip_initial_version_creation bool: If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must use the gcp.kms.KeyRingImportJob resource to import the CryptoKeyVersion.
version_template CryptoKeyVersionTemplateArgs: A template describing settings for new crypto key versions. Structure is documented below.

destroyScheduledDuration String: The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
importOnly Boolean: Whether this key may contain imported versions only.
keyRing String: The KeyRing that this key belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.
labels Map<String>: Labels with user-defined metadata to apply to this resource.
name String: The resource name for the CryptoKey.
purpose String: The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is ENCRYPT_DECRYPT. Possible values are: ENCRYPT_DECRYPT, ASYMMETRIC_SIGN, ASYMMETRIC_DECRYPT, MAC.
rotationPeriod String: Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (ie, 86400).
skipInitialVersionCreation Boolean: If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must use the gcp.kms.KeyRingImportJob resource to import the CryptoKeyVersion.
versionTemplate Property Map: A template describing settings for new crypto key versions. Structure is documented below.

Supporting Types

CryptoKeyVersionTemplate

Algorithm string: The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
ProtectionLevel string: The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".

Algorithm string: The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
ProtectionLevel string: The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".

algorithm String: The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
protectionLevel String: The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".

algorithm string: The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
protectionLevel string: The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".

algorithm str: The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
protection_level str: The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".

algorithm String: The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
protectionLevel String: The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".

Import

CryptoKey can be imported using any of these accepted formats

 $ pulumi import gcp:kms/cryptoKey:CryptoKey default {{key_ring}}/cryptoKeys/{{name}}

 $ pulumi import gcp:kms/cryptoKey:CryptoKey default {{key_ring}}/{{name}}

Package Details

Repository: Google Cloud (GCP) Classic pulumi/pulumi-gcp
License: Apache-2.0
Notes: This Pulumi package is based on the google-beta Terraform Provider.