Docs Home
Google Cloud v8.36.0 published on Friday, Jun 27, 2025 by Pulumi
gcp.kms.getKMSCryptoKey
Explore with Pulumi AI
Provides access to a Google Cloud Platform KMS CryptoKey. For more information see the official documentation and API.
A CryptoKey is an interface to key material which can be used to encrypt and decrypt data. A CryptoKey belongs to a Google Cloud KMS KeyRing.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const myKeyRing = gcp.kms.getKMSKeyRing({
name: "my-key-ring",
location: "us-central1",
});
const myCryptoKey = myKeyRing.then(myKeyRing => gcp.kms.getKMSCryptoKey({
name: "my-crypto-key",
keyRing: myKeyRing.id,
}));
import pulumi
import pulumi_gcp as gcp
my_key_ring = gcp.kms.get_kms_key_ring(name="my-key-ring",
location="us-central1")
my_crypto_key = gcp.kms.get_kms_crypto_key(name="my-crypto-key",
key_ring=my_key_ring.id)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
myKeyRing, err := kms.GetKMSKeyRing(ctx, &kms.GetKMSKeyRingArgs{
Name: "my-key-ring",
Location: "us-central1",
}, nil)
if err != nil {
return err
}
_, err = kms.GetKMSCryptoKey(ctx, &kms.GetKMSCryptoKeyArgs{
Name: "my-crypto-key",
KeyRing: myKeyRing.Id,
}, nil)
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var myKeyRing = Gcp.Kms.GetKMSKeyRing.Invoke(new()
{
Name = "my-key-ring",
Location = "us-central1",
});
var myCryptoKey = Gcp.Kms.GetKMSCryptoKey.Invoke(new()
{
Name = "my-crypto-key",
KeyRing = myKeyRing.Apply(getKMSKeyRingResult => getKMSKeyRingResult.Id),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.kms.KmsFunctions;
import com.pulumi.gcp.kms.inputs.GetKMSKeyRingArgs;
import com.pulumi.gcp.kms.inputs.GetKMSCryptoKeyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var myKeyRing = KmsFunctions.getKMSKeyRing(GetKMSKeyRingArgs.builder()
.name("my-key-ring")
.location("us-central1")
.build());
final var myCryptoKey = KmsFunctions.getKMSCryptoKey(GetKMSCryptoKeyArgs.builder()
.name("my-crypto-key")
.keyRing(myKeyRing.id())
.build());
}
}
variables:
myKeyRing:
fn::invoke:
function: gcp:kms:getKMSKeyRing
arguments:
name: my-key-ring
location: us-central1
myCryptoKey:
fn::invoke:
function: gcp:kms:getKMSCryptoKey
arguments:
name: my-crypto-key
keyRing: ${myKeyRing.id}
Using getKMSCryptoKey
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getKMSCryptoKey(args: GetKMSCryptoKeyArgs, opts?: InvokeOptions): Promise<GetKMSCryptoKeyResult>
function getKMSCryptoKeyOutput(args: GetKMSCryptoKeyOutputArgs, opts?: InvokeOptions): Output<GetKMSCryptoKeyResult>def get_kms_crypto_key(key_ring: Optional[str] = None,
name: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetKMSCryptoKeyResult
def get_kms_crypto_key_output(key_ring: Optional[pulumi.Input[str]] = None,
name: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetKMSCryptoKeyResult]func GetKMSCryptoKey(ctx *Context, args *GetKMSCryptoKeyArgs, opts ...InvokeOption) (*GetKMSCryptoKeyResult, error)
func GetKMSCryptoKeyOutput(ctx *Context, args *GetKMSCryptoKeyOutputArgs, opts ...InvokeOption) GetKMSCryptoKeyResultOutput> Note: This function is named GetKMSCryptoKey in the Go SDK.
public static class GetKMSCryptoKey
{
public static Task<GetKMSCryptoKeyResult> InvokeAsync(GetKMSCryptoKeyArgs args, InvokeOptions? opts = null)
public static Output<GetKMSCryptoKeyResult> Invoke(GetKMSCryptoKeyInvokeArgs args, InvokeOptions? opts = null)
}public static CompletableFuture<GetKMSCryptoKeyResult> getKMSCryptoKey(GetKMSCryptoKeyArgs args, InvokeOptions options)
public static Output<GetKMSCryptoKeyResult> getKMSCryptoKey(GetKMSCryptoKeyArgs args, InvokeOptions options)
fn::invoke:
function: gcp:kms/getKMSCryptoKey:getKMSCryptoKey
arguments:
# arguments dictionaryThe following arguments are supported:
getKMSCryptoKey Result
The following output properties are available:
- Crypto
Key stringBackend - Destroy
Scheduled stringDuration - Effective
Labels Dictionary<string, string> - Id string
- The provider-assigned unique ID for this managed resource.
- Import
Only bool - Key
Access List<GetJustifications Policies KMSCrypto Key Key Access Justifications Policy> - Key
Ring string - Labels Dictionary<string, string>
- Name string
- Primaries
List<Get
KMSCrypto Key Primary> - Pulumi
Labels Dictionary<string, string> - Purpose string
- Defines the cryptographic capabilities of the key.
- Rotation
Period string - Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds).
- Skip
Initial boolVersion Creation - Version
Templates List<GetKMSCrypto Key Version Template>
- Crypto
Key stringBackend - Destroy
Scheduled stringDuration - Effective
Labels map[string]string - Id string
- The provider-assigned unique ID for this managed resource.
- Import
Only bool - Key
Access []GetJustifications Policies KMSCrypto Key Key Access Justifications Policy - Key
Ring string - Labels map[string]string
- Name string
- Primaries
[]Get
KMSCrypto Key Primary - Pulumi
Labels map[string]string - Purpose string
- Defines the cryptographic capabilities of the key.
- Rotation
Period string - Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds).
- Skip
Initial boolVersion Creation - Version
Templates []GetKMSCrypto Key Version Template
- crypto
Key StringBackend - destroy
Scheduled StringDuration - effective
Labels Map<String,String> - id String
- The provider-assigned unique ID for this managed resource.
- import
Only Boolean - key
Access List<GetJustifications Policies KMSCrypto Key Key Access Justifications Policy> - key
Ring String - labels Map<String,String>
- name String
- primaries
List<Get
KMSCrypto Key Primary> - pulumi
Labels Map<String,String> - purpose String
- Defines the cryptographic capabilities of the key.
- rotation
Period String - Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds).
- skip
Initial BooleanVersion Creation - version
Templates List<GetKMSCrypto Key Version Template>
- crypto
Key stringBackend - destroy
Scheduled stringDuration - effective
Labels {[key: string]: string} - id string
- The provider-assigned unique ID for this managed resource.
- import
Only boolean - key
Access GetJustifications Policies KMSCrypto Key Key Access Justifications Policy[] - key
Ring string - labels {[key: string]: string}
- name string
- primaries
Get
KMSCrypto Key Primary[] - pulumi
Labels {[key: string]: string} - purpose string
- Defines the cryptographic capabilities of the key.
- rotation
Period string - Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds).
- skip
Initial booleanVersion Creation - version
Templates GetKMSCrypto Key Version Template[]
- crypto_
key_ strbackend - destroy_
scheduled_ strduration - effective_
labels Mapping[str, str] - id str
- The provider-assigned unique ID for this managed resource.
- import_
only bool - key_
access_ Sequence[Getjustifications_ policies KMSCrypto Key Key Access Justifications Policy] - key_
ring str - labels Mapping[str, str]
- name str
- primaries
Sequence[Get
KMSCrypto Key Primary] - pulumi_
labels Mapping[str, str] - purpose str
- Defines the cryptographic capabilities of the key.
- rotation_
period str - Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds).
- skip_
initial_ boolversion_ creation - version_
templates Sequence[GetKMSCrypto Key Version Template]
- crypto
Key StringBackend - destroy
Scheduled StringDuration - effective
Labels Map<String> - id String
- The provider-assigned unique ID for this managed resource.
- import
Only Boolean - key
Access List<Property Map>Justifications Policies - key
Ring String - labels Map<String>
- name String
- primaries List<Property Map>
- pulumi
Labels Map<String> - purpose String
- Defines the cryptographic capabilities of the key.
- rotation
Period String - Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds).
- skip
Initial BooleanVersion Creation - version
Templates List<Property Map>
Supporting Types
GetKMSCryptoKeyKeyAccessJustificationsPolicy
- Allowed
Access List<string>Reasons - The list of allowed reasons for access to this CryptoKey. Zero allowed access reasons means all encrypt, decrypt, and sign operations for this CryptoKey will fail.
- Allowed
Access []stringReasons - The list of allowed reasons for access to this CryptoKey. Zero allowed access reasons means all encrypt, decrypt, and sign operations for this CryptoKey will fail.
- allowed
Access List<String>Reasons - The list of allowed reasons for access to this CryptoKey. Zero allowed access reasons means all encrypt, decrypt, and sign operations for this CryptoKey will fail.
- allowed
Access string[]Reasons - The list of allowed reasons for access to this CryptoKey. Zero allowed access reasons means all encrypt, decrypt, and sign operations for this CryptoKey will fail.
- allowed_
access_ Sequence[str]reasons - The list of allowed reasons for access to this CryptoKey. Zero allowed access reasons means all encrypt, decrypt, and sign operations for this CryptoKey will fail.
- allowed
Access List<String>Reasons - The list of allowed reasons for access to this CryptoKey. Zero allowed access reasons means all encrypt, decrypt, and sign operations for this CryptoKey will fail.
GetKMSCryptoKeyPrimary
GetKMSCryptoKeyVersionTemplate
- Algorithm string
- The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
- Protection
Level string - The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".
- Algorithm string
- The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
- Protection
Level string - The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".
- algorithm String
- The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
- protection
Level String - The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".
- algorithm string
- The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
- protection
Level string - The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".
- algorithm str
- The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
- protection_
level str - The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".
- algorithm String
- The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
- protection
Level String - The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".
Package Details
- Repository
- Google Cloud (GCP) Classic pulumi/pulumi-gcp
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
google-betaTerraform Provider.