getKMSCryptoKey

Google Cloud v9.15.0, Mar 12 26

Viewing docs for Google Cloud v9.15.0
published on Thursday, Mar 12, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-gcp

Viewing docs for Google Cloud v9.15.0
published on Thursday, Mar 12, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-gcp

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const myKeyRing = gcp.kms.getKMSKeyRing({
    name: "my-key-ring",
    location: "us-central1",
});
const myCryptoKey = myKeyRing.then(myKeyRing => gcp.kms.getKMSCryptoKey({
    name: "my-crypto-key",
    keyRing: myKeyRing.id,
}));

import pulumi
import pulumi_gcp as gcp

my_key_ring = gcp.kms.get_kms_key_ring(name="my-key-ring",
    location="us-central1")
my_crypto_key = gcp.kms.get_kms_crypto_key(name="my-crypto-key",
    key_ring=my_key_ring.id)

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/kms"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		myKeyRing, err := kms.GetKMSKeyRing(ctx, &kms.GetKMSKeyRingArgs{
			Name:     "my-key-ring",
			Location: "us-central1",
		}, nil)
		if err != nil {
			return err
		}
		_, err = kms.GetKMSCryptoKey(ctx, &kms.GetKMSCryptoKeyArgs{
			Name:    "my-crypto-key",
			KeyRing: myKeyRing.Id,
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var myKeyRing = Gcp.Kms.GetKMSKeyRing.Invoke(new()
    {
        Name = "my-key-ring",
        Location = "us-central1",
    });

    var myCryptoKey = Gcp.Kms.GetKMSCryptoKey.Invoke(new()
    {
        Name = "my-crypto-key",
        KeyRing = myKeyRing.Apply(getKMSKeyRingResult => getKMSKeyRingResult.Id),
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.kms.KmsFunctions;
import com.pulumi.gcp.kms.inputs.GetKMSKeyRingArgs;
import com.pulumi.gcp.kms.inputs.GetKMSCryptoKeyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var myKeyRing = KmsFunctions.getKMSKeyRing(GetKMSKeyRingArgs.builder()
            .name("my-key-ring")
            .location("us-central1")
            .build());

        final var myCryptoKey = KmsFunctions.getKMSCryptoKey(GetKMSCryptoKeyArgs.builder()
            .name("my-crypto-key")
            .keyRing(myKeyRing.id())
            .build());

    }
}

variables:
  myKeyRing:
    fn::invoke:
      function: gcp:kms:getKMSKeyRing
      arguments:
        name: my-key-ring
        location: us-central1
  myCryptoKey:
    fn::invoke:
      function: gcp:kms:getKMSCryptoKey
      arguments:
        name: my-crypto-key
        keyRing: ${myKeyRing.id}

Using getKMSCryptoKey

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

function getKMSCryptoKey(args: GetKMSCryptoKeyArgs, opts?: InvokeOptions): Promise<GetKMSCryptoKeyResult>
function getKMSCryptoKeyOutput(args: GetKMSCryptoKeyOutputArgs, opts?: InvokeOptions): Output<GetKMSCryptoKeyResult>

def get_kms_crypto_key(key_ring: Optional[str] = None,
                       name: Optional[str] = None,
                       opts: Optional[InvokeOptions] = None) -> GetKMSCryptoKeyResult
def get_kms_crypto_key_output(key_ring: Optional[pulumi.Input[str]] = None,
                       name: Optional[pulumi.Input[str]] = None,
                       opts: Optional[InvokeOptions] = None) -> Output[GetKMSCryptoKeyResult]

func GetKMSCryptoKey(ctx *Context, args *GetKMSCryptoKeyArgs, opts ...InvokeOption) (*GetKMSCryptoKeyResult, error)
func GetKMSCryptoKeyOutput(ctx *Context, args *GetKMSCryptoKeyOutputArgs, opts ...InvokeOption) GetKMSCryptoKeyResultOutput

> Note: This function is named GetKMSCryptoKey in the Go SDK.

public static class GetKMSCryptoKey 
{
    public static Task<GetKMSCryptoKeyResult> InvokeAsync(GetKMSCryptoKeyArgs args, InvokeOptions? opts = null)
    public static Output<GetKMSCryptoKeyResult> Invoke(GetKMSCryptoKeyInvokeArgs args, InvokeOptions? opts = null)
}

public static CompletableFuture<GetKMSCryptoKeyResult> getKMSCryptoKey(GetKMSCryptoKeyArgs args, InvokeOptions options)
public static Output<GetKMSCryptoKeyResult> getKMSCryptoKey(GetKMSCryptoKeyArgs args, InvokeOptions options)

fn::invoke:
  function: gcp:kms/getKMSCryptoKey:getKMSCryptoKey
  arguments:
    # arguments dictionary

The following arguments are supported:

KeyRing string: The id of the Google Cloud Platform KeyRing to which the key belongs.
Name string: The CryptoKey's name. A CryptoKey’s name belonging to the specified Google Cloud Platform KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}

KeyRing string: The id of the Google Cloud Platform KeyRing to which the key belongs.
Name string: The CryptoKey's name. A CryptoKey’s name belonging to the specified Google Cloud Platform KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}

keyRing String: The id of the Google Cloud Platform KeyRing to which the key belongs.
name String: The CryptoKey's name. A CryptoKey’s name belonging to the specified Google Cloud Platform KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}

keyRing string: The id of the Google Cloud Platform KeyRing to which the key belongs.
name string: The CryptoKey's name. A CryptoKey’s name belonging to the specified Google Cloud Platform KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}

key_ring str: The id of the Google Cloud Platform KeyRing to which the key belongs.
name str: The CryptoKey's name. A CryptoKey’s name belonging to the specified Google Cloud Platform KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}

keyRing String: The id of the Google Cloud Platform KeyRing to which the key belongs.
name String: The CryptoKey's name. A CryptoKey’s name belonging to the specified Google Cloud Platform KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}

getKMSCryptoKey Result

The following output properties are available:

CryptoKeyBackend string
DestroyScheduledDuration string
EffectiveLabels Dictionary<string, string>
Id string: The provider-assigned unique ID for this managed resource.
ImportOnly bool
KeyAccessJustificationsPolicies List<GetKMSCryptoKeyKeyAccessJustificationsPolicy>
KeyRing string
Labels Dictionary<string, string>
Name string
Primaries List<GetKMSCryptoKeyPrimary>
PulumiLabels Dictionary<string, string>
Purpose string: Defines the cryptographic capabilities of the key.
RotationPeriod string: Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds).
SkipInitialVersionCreation bool
VersionTemplates List<GetKMSCryptoKeyVersionTemplate>

CryptoKeyBackend string
DestroyScheduledDuration string
EffectiveLabels map[string]string
Id string: The provider-assigned unique ID for this managed resource.
ImportOnly bool
KeyAccessJustificationsPolicies []GetKMSCryptoKeyKeyAccessJustificationsPolicy
KeyRing string
Labels map[string]string
Name string
Primaries []GetKMSCryptoKeyPrimary
PulumiLabels map[string]string
Purpose string: Defines the cryptographic capabilities of the key.
RotationPeriod string: Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds).
SkipInitialVersionCreation bool
VersionTemplates []GetKMSCryptoKeyVersionTemplate

cryptoKeyBackend String
destroyScheduledDuration String
effectiveLabels Map<String,String>
id String: The provider-assigned unique ID for this managed resource.
importOnly Boolean
keyAccessJustificationsPolicies List<GetKMSCryptoKeyKeyAccessJustificationsPolicy>
keyRing String
labels Map<String,String>
name String
primaries List<GetKMSCryptoKeyPrimary>
pulumiLabels Map<String,String>
purpose String: Defines the cryptographic capabilities of the key.
rotationPeriod String: Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds).
skipInitialVersionCreation Boolean
versionTemplates List<GetKMSCryptoKeyVersionTemplate>

cryptoKeyBackend string
destroyScheduledDuration string
effectiveLabels {[key: string]: string}
id string: The provider-assigned unique ID for this managed resource.
importOnly boolean
keyAccessJustificationsPolicies GetKMSCryptoKeyKeyAccessJustificationsPolicy[]
keyRing string
labels {[key: string]: string}
name string
primaries GetKMSCryptoKeyPrimary[]
pulumiLabels {[key: string]: string}
purpose string: Defines the cryptographic capabilities of the key.
rotationPeriod string: Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds).
skipInitialVersionCreation boolean
versionTemplates GetKMSCryptoKeyVersionTemplate[]

crypto_key_backend str
destroy_scheduled_duration str
effective_labels Mapping[str, str]
id str: The provider-assigned unique ID for this managed resource.
import_only bool
key_access_justifications_policies Sequence[GetKMSCryptoKeyKeyAccessJustificationsPolicy]
key_ring str
labels Mapping[str, str]
name str
primaries Sequence[GetKMSCryptoKeyPrimary]
pulumi_labels Mapping[str, str]
purpose str: Defines the cryptographic capabilities of the key.
rotation_period str: Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds).
skip_initial_version_creation bool
version_templates Sequence[GetKMSCryptoKeyVersionTemplate]

cryptoKeyBackend String
destroyScheduledDuration String
effectiveLabels Map<String>
id String: The provider-assigned unique ID for this managed resource.
importOnly Boolean
keyAccessJustificationsPolicies List<Property Map>
keyRing String
labels Map<String>
name String
primaries List<Property Map>
pulumiLabels Map<String>
purpose String: Defines the cryptographic capabilities of the key.
rotationPeriod String: Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds).
skipInitialVersionCreation Boolean
versionTemplates List<Property Map>

Supporting Types

GetKMSCryptoKeyKeyAccessJustificationsPolicy

AllowedAccessReasons List<string>: The list of allowed reasons for access to this CryptoKey. Zero allowed access reasons means all encrypt, decrypt, and sign operations for this CryptoKey will fail.

AllowedAccessReasons []string: The list of allowed reasons for access to this CryptoKey. Zero allowed access reasons means all encrypt, decrypt, and sign operations for this CryptoKey will fail.

allowedAccessReasons List<String>: The list of allowed reasons for access to this CryptoKey. Zero allowed access reasons means all encrypt, decrypt, and sign operations for this CryptoKey will fail.

allowedAccessReasons string[]: The list of allowed reasons for access to this CryptoKey. Zero allowed access reasons means all encrypt, decrypt, and sign operations for this CryptoKey will fail.

allowed_access_reasons Sequence[str]: The list of allowed reasons for access to this CryptoKey. Zero allowed access reasons means all encrypt, decrypt, and sign operations for this CryptoKey will fail.

allowedAccessReasons List<String>: The list of allowed reasons for access to this CryptoKey. Zero allowed access reasons means all encrypt, decrypt, and sign operations for this CryptoKey will fail.

GetKMSCryptoKeyPrimary

Name string: The CryptoKey's name. A CryptoKey’s name belonging to the specified Google Cloud Platform KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}
State string: The current state of the CryptoKeyVersion.

Name string: The CryptoKey's name. A CryptoKey’s name belonging to the specified Google Cloud Platform KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}
State string: The current state of the CryptoKeyVersion.

name String: The CryptoKey's name. A CryptoKey’s name belonging to the specified Google Cloud Platform KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}
state String: The current state of the CryptoKeyVersion.

name string: The CryptoKey's name. A CryptoKey’s name belonging to the specified Google Cloud Platform KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}
state string: The current state of the CryptoKeyVersion.

name str: The CryptoKey's name. A CryptoKey’s name belonging to the specified Google Cloud Platform KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}
state str: The current state of the CryptoKeyVersion.

name String: The CryptoKey's name. A CryptoKey’s name belonging to the specified Google Cloud Platform KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}
state String: The current state of the CryptoKeyVersion.

GetKMSCryptoKeyVersionTemplate

Algorithm string: The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
ProtectionLevel string: The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".

Algorithm string: The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
ProtectionLevel string: The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".

algorithm String: The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
protectionLevel String: The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".

algorithm string: The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
protectionLevel string: The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".

algorithm str: The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
protection_level str: The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".

algorithm String: The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
protectionLevel String: The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".