Google Cloud v8.32.1, May 22 25

Google Cloud v8.32.1 published on Thursday, May 22, 2025 by Pulumi

gcp.kms.CryptoKeyVersion

Explore with Pulumi AI

Google Cloud v8.32.1 published on Thursday, May 22, 2025 by Pulumi

pulumi/pulumi-gcp

Example Usage

Kms Crypto Key Version Basic

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const keyring = new gcp.kms.KeyRing("keyring", {
    name: "keyring-example",
    location: "global",
});
const cryptokey = new gcp.kms.CryptoKey("cryptokey", {
    name: "crypto-key-example",
    keyRing: keyring.id,
    rotationPeriod: "7776000s",
});
const example_key = new gcp.kms.CryptoKeyVersion("example-key", {cryptoKey: cryptokey.id});

import pulumi
import pulumi_gcp as gcp

keyring = gcp.kms.KeyRing("keyring",
    name="keyring-example",
    location="global")
cryptokey = gcp.kms.CryptoKey("cryptokey",
    name="crypto-key-example",
    key_ring=keyring.id,
    rotation_period="7776000s")
example_key = gcp.kms.CryptoKeyVersion("example-key", crypto_key=cryptokey.id)

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/kms"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		keyring, err := kms.NewKeyRing(ctx, "keyring", &kms.KeyRingArgs{
			Name:     pulumi.String("keyring-example"),
			Location: pulumi.String("global"),
		})
		if err != nil {
			return err
		}
		cryptokey, err := kms.NewCryptoKey(ctx, "cryptokey", &kms.CryptoKeyArgs{
			Name:           pulumi.String("crypto-key-example"),
			KeyRing:        keyring.ID(),
			RotationPeriod: pulumi.String("7776000s"),
		})
		if err != nil {
			return err
		}
		_, err = kms.NewCryptoKeyVersion(ctx, "example-key", &kms.CryptoKeyVersionArgs{
			CryptoKey: cryptokey.ID(),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var keyring = new Gcp.Kms.KeyRing("keyring", new()
    {
        Name = "keyring-example",
        Location = "global",
    });

    var cryptokey = new Gcp.Kms.CryptoKey("cryptokey", new()
    {
        Name = "crypto-key-example",
        KeyRing = keyring.Id,
        RotationPeriod = "7776000s",
    });

    var example_key = new Gcp.Kms.CryptoKeyVersion("example-key", new()
    {
        CryptoKey = cryptokey.Id,
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.kms.KeyRing;
import com.pulumi.gcp.kms.KeyRingArgs;
import com.pulumi.gcp.kms.CryptoKey;
import com.pulumi.gcp.kms.CryptoKeyArgs;
import com.pulumi.gcp.kms.CryptoKeyVersion;
import com.pulumi.gcp.kms.CryptoKeyVersionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var keyring = new KeyRing("keyring", KeyRingArgs.builder()
            .name("keyring-example")
            .location("global")
            .build());

        var cryptokey = new CryptoKey("cryptokey", CryptoKeyArgs.builder()
            .name("crypto-key-example")
            .keyRing(keyring.id())
            .rotationPeriod("7776000s")
            .build());

        var example_key = new CryptoKeyVersion("example-key", CryptoKeyVersionArgs.builder()
            .cryptoKey(cryptokey.id())
            .build());

    }
}

resources:
  keyring:
    type: gcp:kms:KeyRing
    properties:
      name: keyring-example
      location: global
  cryptokey:
    type: gcp:kms:CryptoKey
    properties:
      name: crypto-key-example
      keyRing: ${keyring.id}
      rotationPeriod: 7776000s
  example-key:
    type: gcp:kms:CryptoKeyVersion
    properties:
      cryptoKey: ${cryptokey.id}

Create CryptoKeyVersion Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new CryptoKeyVersion(name: string, args: CryptoKeyVersionArgs, opts?: CustomResourceOptions);

@overload
def CryptoKeyVersion(resource_name: str,
                     args: CryptoKeyVersionArgs,
                     opts: Optional[ResourceOptions] = None)

@overload
def CryptoKeyVersion(resource_name: str,
                     opts: Optional[ResourceOptions] = None,
                     crypto_key: Optional[str] = None,
                     external_protection_level_options: Optional[CryptoKeyVersionExternalProtectionLevelOptionsArgs] = None,
                     state: Optional[str] = None)

func NewCryptoKeyVersion(ctx *Context, name string, args CryptoKeyVersionArgs, opts ...ResourceOption) (*CryptoKeyVersion, error)

public CryptoKeyVersion(string name, CryptoKeyVersionArgs args, CustomResourceOptions? opts = null)

public CryptoKeyVersion(String name, CryptoKeyVersionArgs args)
public CryptoKeyVersion(String name, CryptoKeyVersionArgs args, CustomResourceOptions options)

type: gcp:kms:CryptoKeyVersion
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args CryptoKeyVersionArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args CryptoKeyVersionArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args CryptoKeyVersionArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args CryptoKeyVersionArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args CryptoKeyVersionArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var cryptoKeyVersionResource = new Gcp.Kms.CryptoKeyVersion("cryptoKeyVersionResource", new()
{
    CryptoKey = "string",
    ExternalProtectionLevelOptions = new Gcp.Kms.Inputs.CryptoKeyVersionExternalProtectionLevelOptionsArgs
    {
        EkmConnectionKeyPath = "string",
        ExternalKeyUri = "string",
    },
    State = "string",
});

example, err := kms.NewCryptoKeyVersion(ctx, "cryptoKeyVersionResource", &kms.CryptoKeyVersionArgs{
	CryptoKey: pulumi.String("string"),
	ExternalProtectionLevelOptions: &kms.CryptoKeyVersionExternalProtectionLevelOptionsArgs{
		EkmConnectionKeyPath: pulumi.String("string"),
		ExternalKeyUri:       pulumi.String("string"),
	},
	State: pulumi.String("string"),
})

var cryptoKeyVersionResource = new CryptoKeyVersion("cryptoKeyVersionResource", CryptoKeyVersionArgs.builder()
    .cryptoKey("string")
    .externalProtectionLevelOptions(CryptoKeyVersionExternalProtectionLevelOptionsArgs.builder()
        .ekmConnectionKeyPath("string")
        .externalKeyUri("string")
        .build())
    .state("string")
    .build());

crypto_key_version_resource = gcp.kms.CryptoKeyVersion("cryptoKeyVersionResource",
    crypto_key="string",
    external_protection_level_options={
        "ekm_connection_key_path": "string",
        "external_key_uri": "string",
    },
    state="string")

const cryptoKeyVersionResource = new gcp.kms.CryptoKeyVersion("cryptoKeyVersionResource", {
    cryptoKey: "string",
    externalProtectionLevelOptions: {
        ekmConnectionKeyPath: "string",
        externalKeyUri: "string",
    },
    state: "string",
});

type: gcp:kms:CryptoKeyVersion
properties:
    cryptoKey: string
    externalProtectionLevelOptions:
        ekmConnectionKeyPath: string
        externalKeyUri: string
    state: string

CryptoKeyVersion Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The CryptoKeyVersion resource accepts the following input properties:

CryptoKey string: The name of the cryptoKey associated with the CryptoKeyVersions. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyring}}/cryptoKeys/{{cryptoKey}}'
ExternalProtectionLevelOptions CryptoKeyVersionExternalProtectionLevelOptions: ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels. Structure is documented below.
State string: The current state of the CryptoKeyVersion. Note: you can only specify this field to manually ENABLE or DISABLE the CryptoKeyVersion, otherwise the value of this field is always retrieved automatically. Possible values are: PENDING_GENERATION, ENABLED, DISABLED, DESTROYED, DESTROY_SCHEDULED, PENDING_IMPORT, IMPORT_FAILED.

CryptoKey string: The name of the cryptoKey associated with the CryptoKeyVersions. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyring}}/cryptoKeys/{{cryptoKey}}'
ExternalProtectionLevelOptions CryptoKeyVersionExternalProtectionLevelOptionsArgs: ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels. Structure is documented below.
State string: The current state of the CryptoKeyVersion. Note: you can only specify this field to manually ENABLE or DISABLE the CryptoKeyVersion, otherwise the value of this field is always retrieved automatically. Possible values are: PENDING_GENERATION, ENABLED, DISABLED, DESTROYED, DESTROY_SCHEDULED, PENDING_IMPORT, IMPORT_FAILED.

cryptoKey String: The name of the cryptoKey associated with the CryptoKeyVersions. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyring}}/cryptoKeys/{{cryptoKey}}'
externalProtectionLevelOptions CryptoKeyVersionExternalProtectionLevelOptions: ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels. Structure is documented below.
state String: The current state of the CryptoKeyVersion. Note: you can only specify this field to manually ENABLE or DISABLE the CryptoKeyVersion, otherwise the value of this field is always retrieved automatically. Possible values are: PENDING_GENERATION, ENABLED, DISABLED, DESTROYED, DESTROY_SCHEDULED, PENDING_IMPORT, IMPORT_FAILED.

cryptoKey string: The name of the cryptoKey associated with the CryptoKeyVersions. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyring}}/cryptoKeys/{{cryptoKey}}'
externalProtectionLevelOptions CryptoKeyVersionExternalProtectionLevelOptions: ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels. Structure is documented below.
state string: The current state of the CryptoKeyVersion. Note: you can only specify this field to manually ENABLE or DISABLE the CryptoKeyVersion, otherwise the value of this field is always retrieved automatically. Possible values are: PENDING_GENERATION, ENABLED, DISABLED, DESTROYED, DESTROY_SCHEDULED, PENDING_IMPORT, IMPORT_FAILED.

crypto_key str: The name of the cryptoKey associated with the CryptoKeyVersions. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyring}}/cryptoKeys/{{cryptoKey}}'
external_protection_level_options CryptoKeyVersionExternalProtectionLevelOptionsArgs: ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels. Structure is documented below.
state str: The current state of the CryptoKeyVersion. Note: you can only specify this field to manually ENABLE or DISABLE the CryptoKeyVersion, otherwise the value of this field is always retrieved automatically. Possible values are: PENDING_GENERATION, ENABLED, DISABLED, DESTROYED, DESTROY_SCHEDULED, PENDING_IMPORT, IMPORT_FAILED.

cryptoKey String: The name of the cryptoKey associated with the CryptoKeyVersions. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyring}}/cryptoKeys/{{cryptoKey}}'
externalProtectionLevelOptions Property Map: ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels. Structure is documented below.
state String: The current state of the CryptoKeyVersion. Note: you can only specify this field to manually ENABLE or DISABLE the CryptoKeyVersion, otherwise the value of this field is always retrieved automatically. Possible values are: PENDING_GENERATION, ENABLED, DISABLED, DESTROYED, DESTROY_SCHEDULED, PENDING_IMPORT, IMPORT_FAILED.

Outputs

All input properties are implicitly available as output properties. Additionally, the CryptoKeyVersion resource produces the following output properties:

Algorithm string: The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.
Attestations List<CryptoKeyVersionAttestation>: Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with protectionLevel HSM. Structure is documented below.
GenerateTime string: The time this CryptoKeyVersion key material was generated
Id string: The provider-assigned unique ID for this managed resource.
Name string: The resource name for this CryptoKeyVersion.
ProtectionLevel string: The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.

Algorithm string: The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.
Attestations []CryptoKeyVersionAttestation: Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with protectionLevel HSM. Structure is documented below.
GenerateTime string: The time this CryptoKeyVersion key material was generated
Id string: The provider-assigned unique ID for this managed resource.
Name string: The resource name for this CryptoKeyVersion.
ProtectionLevel string: The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.

algorithm String: The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.
attestations List<CryptoKeyVersionAttestation>: Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with protectionLevel HSM. Structure is documented below.
generateTime String: The time this CryptoKeyVersion key material was generated
id String: The provider-assigned unique ID for this managed resource.
name String: The resource name for this CryptoKeyVersion.
protectionLevel String: The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.

algorithm string: The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.
attestations CryptoKeyVersionAttestation[]: Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with protectionLevel HSM. Structure is documented below.
generateTime string: The time this CryptoKeyVersion key material was generated
id string: The provider-assigned unique ID for this managed resource.
name string: The resource name for this CryptoKeyVersion.
protectionLevel string: The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.

algorithm str: The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.
attestations Sequence[CryptoKeyVersionAttestation]: Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with protectionLevel HSM. Structure is documented below.
generate_time str: The time this CryptoKeyVersion key material was generated
id str: The provider-assigned unique ID for this managed resource.
name str: The resource name for this CryptoKeyVersion.
protection_level str: The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.

algorithm String: The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.
attestations List<Property Map>: Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with protectionLevel HSM. Structure is documented below.
generateTime String: The time this CryptoKeyVersion key material was generated
id String: The provider-assigned unique ID for this managed resource.
name String: The resource name for this CryptoKeyVersion.
protectionLevel String: The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.

Look up Existing CryptoKeyVersion Resource

Get an existing CryptoKeyVersion resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: CryptoKeyVersionState, opts?: CustomResourceOptions): CryptoKeyVersion

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        algorithm: Optional[str] = None,
        attestations: Optional[Sequence[CryptoKeyVersionAttestationArgs]] = None,
        crypto_key: Optional[str] = None,
        external_protection_level_options: Optional[CryptoKeyVersionExternalProtectionLevelOptionsArgs] = None,
        generate_time: Optional[str] = None,
        name: Optional[str] = None,
        protection_level: Optional[str] = None,
        state: Optional[str] = None) -> CryptoKeyVersion

func GetCryptoKeyVersion(ctx *Context, name string, id IDInput, state *CryptoKeyVersionState, opts ...ResourceOption) (*CryptoKeyVersion, error)

public static CryptoKeyVersion Get(string name, Input<string> id, CryptoKeyVersionState? state, CustomResourceOptions? opts = null)

public static CryptoKeyVersion get(String name, Output<String> id, CryptoKeyVersionState state, CustomResourceOptions options)

resources:  _:    type: gcp:kms:CryptoKeyVersion    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

Algorithm string: The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.
Attestations List<CryptoKeyVersionAttestation>: Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with protectionLevel HSM. Structure is documented below.
CryptoKey string: The name of the cryptoKey associated with the CryptoKeyVersions. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyring}}/cryptoKeys/{{cryptoKey}}'
ExternalProtectionLevelOptions CryptoKeyVersionExternalProtectionLevelOptions: ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels. Structure is documented below.
GenerateTime string: The time this CryptoKeyVersion key material was generated
Name string: The resource name for this CryptoKeyVersion.
ProtectionLevel string: The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.
State string: The current state of the CryptoKeyVersion. Note: you can only specify this field to manually ENABLE or DISABLE the CryptoKeyVersion, otherwise the value of this field is always retrieved automatically. Possible values are: PENDING_GENERATION, ENABLED, DISABLED, DESTROYED, DESTROY_SCHEDULED, PENDING_IMPORT, IMPORT_FAILED.

Algorithm string: The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.
Attestations []CryptoKeyVersionAttestationArgs: Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with protectionLevel HSM. Structure is documented below.
CryptoKey string: The name of the cryptoKey associated with the CryptoKeyVersions. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyring}}/cryptoKeys/{{cryptoKey}}'
ExternalProtectionLevelOptions CryptoKeyVersionExternalProtectionLevelOptionsArgs: ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels. Structure is documented below.
GenerateTime string: The time this CryptoKeyVersion key material was generated
Name string: The resource name for this CryptoKeyVersion.
ProtectionLevel string: The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.
State string: The current state of the CryptoKeyVersion. Note: you can only specify this field to manually ENABLE or DISABLE the CryptoKeyVersion, otherwise the value of this field is always retrieved automatically. Possible values are: PENDING_GENERATION, ENABLED, DISABLED, DESTROYED, DESTROY_SCHEDULED, PENDING_IMPORT, IMPORT_FAILED.

algorithm String: The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.
attestations List<CryptoKeyVersionAttestation>: Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with protectionLevel HSM. Structure is documented below.
cryptoKey String: The name of the cryptoKey associated with the CryptoKeyVersions. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyring}}/cryptoKeys/{{cryptoKey}}'
externalProtectionLevelOptions CryptoKeyVersionExternalProtectionLevelOptions: ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels. Structure is documented below.
generateTime String: The time this CryptoKeyVersion key material was generated
name String: The resource name for this CryptoKeyVersion.
protectionLevel String: The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.
state String: The current state of the CryptoKeyVersion. Note: you can only specify this field to manually ENABLE or DISABLE the CryptoKeyVersion, otherwise the value of this field is always retrieved automatically. Possible values are: PENDING_GENERATION, ENABLED, DISABLED, DESTROYED, DESTROY_SCHEDULED, PENDING_IMPORT, IMPORT_FAILED.

algorithm string: The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.
attestations CryptoKeyVersionAttestation[]: Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with protectionLevel HSM. Structure is documented below.
cryptoKey string: The name of the cryptoKey associated with the CryptoKeyVersions. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyring}}/cryptoKeys/{{cryptoKey}}'
externalProtectionLevelOptions CryptoKeyVersionExternalProtectionLevelOptions: ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels. Structure is documented below.
generateTime string: The time this CryptoKeyVersion key material was generated
name string: The resource name for this CryptoKeyVersion.
protectionLevel string: The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.
state string: The current state of the CryptoKeyVersion. Note: you can only specify this field to manually ENABLE or DISABLE the CryptoKeyVersion, otherwise the value of this field is always retrieved automatically. Possible values are: PENDING_GENERATION, ENABLED, DISABLED, DESTROYED, DESTROY_SCHEDULED, PENDING_IMPORT, IMPORT_FAILED.

algorithm str: The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.
attestations Sequence[CryptoKeyVersionAttestationArgs]: Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with protectionLevel HSM. Structure is documented below.
crypto_key str: The name of the cryptoKey associated with the CryptoKeyVersions. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyring}}/cryptoKeys/{{cryptoKey}}'
external_protection_level_options CryptoKeyVersionExternalProtectionLevelOptionsArgs: ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels. Structure is documented below.
generate_time str: The time this CryptoKeyVersion key material was generated
name str: The resource name for this CryptoKeyVersion.
protection_level str: The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.
state str: The current state of the CryptoKeyVersion. Note: you can only specify this field to manually ENABLE or DISABLE the CryptoKeyVersion, otherwise the value of this field is always retrieved automatically. Possible values are: PENDING_GENERATION, ENABLED, DISABLED, DESTROYED, DESTROY_SCHEDULED, PENDING_IMPORT, IMPORT_FAILED.

algorithm String: The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.
attestations List<Property Map>: Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with protectionLevel HSM. Structure is documented below.
cryptoKey String: The name of the cryptoKey associated with the CryptoKeyVersions. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyring}}/cryptoKeys/{{cryptoKey}}'
externalProtectionLevelOptions Property Map: ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels. Structure is documented below.
generateTime String: The time this CryptoKeyVersion key material was generated
name String: The resource name for this CryptoKeyVersion.
protectionLevel String: The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.
state String: The current state of the CryptoKeyVersion. Note: you can only specify this field to manually ENABLE or DISABLE the CryptoKeyVersion, otherwise the value of this field is always retrieved automatically. Possible values are: PENDING_GENERATION, ENABLED, DISABLED, DESTROYED, DESTROY_SCHEDULED, PENDING_IMPORT, IMPORT_FAILED.

Supporting Types

CryptoKeyVersionAttestation, CryptoKeyVersionAttestationArgs

CertChains CryptoKeyVersionAttestationCertChains: The certificate chains needed to validate the attestation Structure is documented below.
Content string: (Output) The attestation data provided by the HSM when the key operation was performed.
ExternalProtectionLevelOptions CryptoKeyVersionAttestationExternalProtectionLevelOptions: ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels. Structure is documented below.
Deprecated: externalProtectionLevelOptions is being un-nested from the attestation field. Please use the top level externalProtectionLevelOptions field instead.
Format string: (Output) The format of the attestation data.

CertChains CryptoKeyVersionAttestationCertChains: The certificate chains needed to validate the attestation Structure is documented below.
Content string: (Output) The attestation data provided by the HSM when the key operation was performed.
ExternalProtectionLevelOptions CryptoKeyVersionAttestationExternalProtectionLevelOptions: ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels. Structure is documented below.
Deprecated: externalProtectionLevelOptions is being un-nested from the attestation field. Please use the top level externalProtectionLevelOptions field instead.
Format string: (Output) The format of the attestation data.

certChains CryptoKeyVersionAttestationCertChains: The certificate chains needed to validate the attestation Structure is documented below.
content String: (Output) The attestation data provided by the HSM when the key operation was performed.
externalProtectionLevelOptions CryptoKeyVersionAttestationExternalProtectionLevelOptions: ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels. Structure is documented below.
Deprecated: externalProtectionLevelOptions is being un-nested from the attestation field. Please use the top level externalProtectionLevelOptions field instead.
format String: (Output) The format of the attestation data.

certChains CryptoKeyVersionAttestationCertChains: The certificate chains needed to validate the attestation Structure is documented below.
content string: (Output) The attestation data provided by the HSM when the key operation was performed.
externalProtectionLevelOptions CryptoKeyVersionAttestationExternalProtectionLevelOptions: ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels. Structure is documented below.
Deprecated: externalProtectionLevelOptions is being un-nested from the attestation field. Please use the top level externalProtectionLevelOptions field instead.
format string: (Output) The format of the attestation data.

cert_chains CryptoKeyVersionAttestationCertChains: The certificate chains needed to validate the attestation Structure is documented below.
content str: (Output) The attestation data provided by the HSM when the key operation was performed.
external_protection_level_options CryptoKeyVersionAttestationExternalProtectionLevelOptions: ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels. Structure is documented below.
Deprecated: externalProtectionLevelOptions is being un-nested from the attestation field. Please use the top level externalProtectionLevelOptions field instead.
format str: (Output) The format of the attestation data.

certChains Property Map: The certificate chains needed to validate the attestation Structure is documented below.
content String: (Output) The attestation data provided by the HSM when the key operation was performed.
externalProtectionLevelOptions Property Map: ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels. Structure is documented below.
Deprecated: externalProtectionLevelOptions is being un-nested from the attestation field. Please use the top level externalProtectionLevelOptions field instead.
format String: (Output) The format of the attestation data.

CryptoKeyVersionAttestationCertChains, CryptoKeyVersionAttestationCertChainsArgs

CaviumCerts List<string>: Cavium certificate chain corresponding to the attestation.
GoogleCardCerts List<string>: Google card certificate chain corresponding to the attestation.
GooglePartitionCerts List<string>: Google partition certificate chain corresponding to the attestation.

CaviumCerts []string: Cavium certificate chain corresponding to the attestation.
GoogleCardCerts []string: Google card certificate chain corresponding to the attestation.
GooglePartitionCerts []string: Google partition certificate chain corresponding to the attestation.

caviumCerts List<String>: Cavium certificate chain corresponding to the attestation.
googleCardCerts List<String>: Google card certificate chain corresponding to the attestation.
googlePartitionCerts List<String>: Google partition certificate chain corresponding to the attestation.

caviumCerts string[]: Cavium certificate chain corresponding to the attestation.
googleCardCerts string[]: Google card certificate chain corresponding to the attestation.
googlePartitionCerts string[]: Google partition certificate chain corresponding to the attestation.

cavium_certs Sequence[str]: Cavium certificate chain corresponding to the attestation.
google_card_certs Sequence[str]: Google card certificate chain corresponding to the attestation.
google_partition_certs Sequence[str]: Google partition certificate chain corresponding to the attestation.

caviumCerts List<String>: Cavium certificate chain corresponding to the attestation.
googleCardCerts List<String>: Google card certificate chain corresponding to the attestation.
googlePartitionCerts List<String>: Google partition certificate chain corresponding to the attestation.

CryptoKeyVersionAttestationExternalProtectionLevelOptions, CryptoKeyVersionAttestationExternalProtectionLevelOptionsArgs

EkmConnectionKeyPath string: The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of externalKeyUri when using an EkmConnection.
ExternalKeyUri string: The URI for an external resource that this CryptoKeyVersion represents.

EkmConnectionKeyPath string: The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of externalKeyUri when using an EkmConnection.
ExternalKeyUri string: The URI for an external resource that this CryptoKeyVersion represents.

ekmConnectionKeyPath String: The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of externalKeyUri when using an EkmConnection.
externalKeyUri String: The URI for an external resource that this CryptoKeyVersion represents.

ekmConnectionKeyPath string: The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of externalKeyUri when using an EkmConnection.
externalKeyUri string: The URI for an external resource that this CryptoKeyVersion represents.

ekm_connection_key_path str: The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of externalKeyUri when using an EkmConnection.
external_key_uri str: The URI for an external resource that this CryptoKeyVersion represents.

ekmConnectionKeyPath String: The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of externalKeyUri when using an EkmConnection.
externalKeyUri String: The URI for an external resource that this CryptoKeyVersion represents.

CryptoKeyVersionExternalProtectionLevelOptions, CryptoKeyVersionExternalProtectionLevelOptionsArgs

EkmConnectionKeyPath string: The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of externalKeyUri when using an EkmConnection.
ExternalKeyUri string: The URI for an external resource that this CryptoKeyVersion represents.

EkmConnectionKeyPath string: The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of externalKeyUri when using an EkmConnection.
ExternalKeyUri string: The URI for an external resource that this CryptoKeyVersion represents.

ekmConnectionKeyPath String: The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of externalKeyUri when using an EkmConnection.
externalKeyUri String: The URI for an external resource that this CryptoKeyVersion represents.

ekmConnectionKeyPath string: The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of externalKeyUri when using an EkmConnection.
externalKeyUri string: The URI for an external resource that this CryptoKeyVersion represents.

ekm_connection_key_path str: The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of externalKeyUri when using an EkmConnection.
external_key_uri str: The URI for an external resource that this CryptoKeyVersion represents.

ekmConnectionKeyPath String: The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of externalKeyUri when using an EkmConnection.
externalKeyUri String: The URI for an external resource that this CryptoKeyVersion represents.

Import

CryptoKeyVersion can be imported using any of these accepted formats:

{{name}}

When using the pulumi import command, CryptoKeyVersion can be imported using one of the formats above. For example:

$ pulumi import gcp:kms/cryptoKeyVersion:CryptoKeyVersion default {{name}}

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Google Cloud (GCP) Classic pulumi/pulumi-gcp
License: Apache-2.0
Notes: This Pulumi package is based on the google-beta Terraform Provider.

Google Cloud v8.32.1 published on Thursday, May 22, 2025 by Pulumi

pulumi/pulumi-gcp

gcp.kms.CryptoKeyVersion

On this page

On this page

Example Usage

Kms Crypto Key Version Basic

Create CryptoKeyVersion Resource

Constructor syntax

Parameters

Constructor example

CryptoKeyVersion Resource Properties

Inputs

Outputs

Look up Existing CryptoKeyVersion Resource

Supporting Types

CryptoKeyVersionAttestation, CryptoKeyVersionAttestationArgs

CryptoKeyVersionAttestationCertChains, CryptoKeyVersionAttestationCertChainsArgs

CryptoKeyVersionAttestationExternalProtectionLevelOptions, CryptoKeyVersionAttestationExternalProtectionLevelOptionsArgs

CryptoKeyVersionExternalProtectionLevelOptions, CryptoKeyVersionExternalProtectionLevelOptionsArgs

Import

Package Details

On this page

On this page