Google Cloud v9.3.0, Oct 7 25

Google Cloud v9.3.0 published on Tuesday, Oct 7, 2025 by Pulumi

gcp.kms.OrganizationKajPolicyConfig

Google Cloud v9.3.0 published on Tuesday, Oct 7, 2025 by Pulumi

pulumi/pulumi-gcp

Example Usage

Kms Organization Kaj Policy Config Basic

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const example = new gcp.kms.OrganizationKajPolicyConfig("example", {
    organization: "123456789",
    defaultKeyAccessJustificationPolicy: {
        allowedAccessReasons: [
            "CUSTOMER_INITIATED_ACCESS",
            "GOOGLE_INITIATED_SYSTEM_OPERATION",
        ],
    },
});

import pulumi
import pulumi_gcp as gcp

example = gcp.kms.OrganizationKajPolicyConfig("example",
    organization="123456789",
    default_key_access_justification_policy={
        "allowed_access_reasons": [
            "CUSTOMER_INITIATED_ACCESS",
            "GOOGLE_INITIATED_SYSTEM_OPERATION",
        ],
    })

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/kms"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := kms.NewOrganizationKajPolicyConfig(ctx, "example", &kms.OrganizationKajPolicyConfigArgs{
			Organization: pulumi.String("123456789"),
			DefaultKeyAccessJustificationPolicy: &kms.OrganizationKajPolicyConfigDefaultKeyAccessJustificationPolicyArgs{
				AllowedAccessReasons: pulumi.StringArray{
					pulumi.String("CUSTOMER_INITIATED_ACCESS"),
					pulumi.String("GOOGLE_INITIATED_SYSTEM_OPERATION"),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var example = new Gcp.Kms.OrganizationKajPolicyConfig("example", new()
    {
        Organization = "123456789",
        DefaultKeyAccessJustificationPolicy = new Gcp.Kms.Inputs.OrganizationKajPolicyConfigDefaultKeyAccessJustificationPolicyArgs
        {
            AllowedAccessReasons = new[]
            {
                "CUSTOMER_INITIATED_ACCESS",
                "GOOGLE_INITIATED_SYSTEM_OPERATION",
            },
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.kms.OrganizationKajPolicyConfig;
import com.pulumi.gcp.kms.OrganizationKajPolicyConfigArgs;
import com.pulumi.gcp.kms.inputs.OrganizationKajPolicyConfigDefaultKeyAccessJustificationPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new OrganizationKajPolicyConfig("example", OrganizationKajPolicyConfigArgs.builder()
            .organization("123456789")
            .defaultKeyAccessJustificationPolicy(OrganizationKajPolicyConfigDefaultKeyAccessJustificationPolicyArgs.builder()
                .allowedAccessReasons(                
                    "CUSTOMER_INITIATED_ACCESS",
                    "GOOGLE_INITIATED_SYSTEM_OPERATION")
                .build())
            .build());

    }
}

resources:
  example:
    type: gcp:kms:OrganizationKajPolicyConfig
    properties:
      organization: '123456789'
      defaultKeyAccessJustificationPolicy:
        allowedAccessReasons:
          - CUSTOMER_INITIATED_ACCESS
          - GOOGLE_INITIATED_SYSTEM_OPERATION

Create OrganizationKajPolicyConfig Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new OrganizationKajPolicyConfig(name: string, args: OrganizationKajPolicyConfigArgs, opts?: CustomResourceOptions);

@overload
def OrganizationKajPolicyConfig(resource_name: str,
                                args: OrganizationKajPolicyConfigArgs,
                                opts: Optional[ResourceOptions] = None)

@overload
def OrganizationKajPolicyConfig(resource_name: str,
                                opts: Optional[ResourceOptions] = None,
                                organization: Optional[str] = None,
                                default_key_access_justification_policy: Optional[OrganizationKajPolicyConfigDefaultKeyAccessJustificationPolicyArgs] = None)

func NewOrganizationKajPolicyConfig(ctx *Context, name string, args OrganizationKajPolicyConfigArgs, opts ...ResourceOption) (*OrganizationKajPolicyConfig, error)

public OrganizationKajPolicyConfig(string name, OrganizationKajPolicyConfigArgs args, CustomResourceOptions? opts = null)

public OrganizationKajPolicyConfig(String name, OrganizationKajPolicyConfigArgs args)
public OrganizationKajPolicyConfig(String name, OrganizationKajPolicyConfigArgs args, CustomResourceOptions options)

type: gcp:kms:OrganizationKajPolicyConfig
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args OrganizationKajPolicyConfigArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args OrganizationKajPolicyConfigArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args OrganizationKajPolicyConfigArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args OrganizationKajPolicyConfigArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args OrganizationKajPolicyConfigArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var organizationKajPolicyConfigResource = new Gcp.Kms.OrganizationKajPolicyConfig("organizationKajPolicyConfigResource", new()
{
    Organization = "string",
    DefaultKeyAccessJustificationPolicy = new Gcp.Kms.Inputs.OrganizationKajPolicyConfigDefaultKeyAccessJustificationPolicyArgs
    {
        AllowedAccessReasons = new[]
        {
            "string",
        },
    },
});

example, err := kms.NewOrganizationKajPolicyConfig(ctx, "organizationKajPolicyConfigResource", &kms.OrganizationKajPolicyConfigArgs{
	Organization: pulumi.String("string"),
	DefaultKeyAccessJustificationPolicy: &kms.OrganizationKajPolicyConfigDefaultKeyAccessJustificationPolicyArgs{
		AllowedAccessReasons: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
})

var organizationKajPolicyConfigResource = new OrganizationKajPolicyConfig("organizationKajPolicyConfigResource", OrganizationKajPolicyConfigArgs.builder()
    .organization("string")
    .defaultKeyAccessJustificationPolicy(OrganizationKajPolicyConfigDefaultKeyAccessJustificationPolicyArgs.builder()
        .allowedAccessReasons("string")
        .build())
    .build());

organization_kaj_policy_config_resource = gcp.kms.OrganizationKajPolicyConfig("organizationKajPolicyConfigResource",
    organization="string",
    default_key_access_justification_policy={
        "allowed_access_reasons": ["string"],
    })

const organizationKajPolicyConfigResource = new gcp.kms.OrganizationKajPolicyConfig("organizationKajPolicyConfigResource", {
    organization: "string",
    defaultKeyAccessJustificationPolicy: {
        allowedAccessReasons: ["string"],
    },
});

type: gcp:kms:OrganizationKajPolicyConfig
properties:
    defaultKeyAccessJustificationPolicy:
        allowedAccessReasons:
            - string
    organization: string

OrganizationKajPolicyConfig Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The OrganizationKajPolicyConfig resource accepts the following input properties:

Organization string: The organization number for which to retrieve config.
DefaultKeyAccessJustificationPolicy OrganizationKajPolicyConfigDefaultKeyAccessJustificationPolicy: The default key access justification policy used when a CryptoKey is created in this organization. This is only used when a Key Access Justifications policy is not provided in the CreateCryptoKeyRequest. Structure is documented below.

Organization string: The organization number for which to retrieve config.
DefaultKeyAccessJustificationPolicy OrganizationKajPolicyConfigDefaultKeyAccessJustificationPolicyArgs: The default key access justification policy used when a CryptoKey is created in this organization. This is only used when a Key Access Justifications policy is not provided in the CreateCryptoKeyRequest. Structure is documented below.

organization String: The organization number for which to retrieve config.
defaultKeyAccessJustificationPolicy OrganizationKajPolicyConfigDefaultKeyAccessJustificationPolicy: The default key access justification policy used when a CryptoKey is created in this organization. This is only used when a Key Access Justifications policy is not provided in the CreateCryptoKeyRequest. Structure is documented below.

organization string: The organization number for which to retrieve config.
defaultKeyAccessJustificationPolicy OrganizationKajPolicyConfigDefaultKeyAccessJustificationPolicy: The default key access justification policy used when a CryptoKey is created in this organization. This is only used when a Key Access Justifications policy is not provided in the CreateCryptoKeyRequest. Structure is documented below.

organization str: The organization number for which to retrieve config.
default_key_access_justification_policy OrganizationKajPolicyConfigDefaultKeyAccessJustificationPolicyArgs: The default key access justification policy used when a CryptoKey is created in this organization. This is only used when a Key Access Justifications policy is not provided in the CreateCryptoKeyRequest. Structure is documented below.

organization String: The organization number for which to retrieve config.
defaultKeyAccessJustificationPolicy Property Map: The default key access justification policy used when a CryptoKey is created in this organization. This is only used when a Key Access Justifications policy is not provided in the CreateCryptoKeyRequest. Structure is documented below.

Outputs

All input properties are implicitly available as output properties. Additionally, the OrganizationKajPolicyConfig resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

Look up Existing OrganizationKajPolicyConfig Resource

Get an existing OrganizationKajPolicyConfig resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: OrganizationKajPolicyConfigState, opts?: CustomResourceOptions): OrganizationKajPolicyConfig

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        default_key_access_justification_policy: Optional[OrganizationKajPolicyConfigDefaultKeyAccessJustificationPolicyArgs] = None,
        organization: Optional[str] = None) -> OrganizationKajPolicyConfig

func GetOrganizationKajPolicyConfig(ctx *Context, name string, id IDInput, state *OrganizationKajPolicyConfigState, opts ...ResourceOption) (*OrganizationKajPolicyConfig, error)

public static OrganizationKajPolicyConfig Get(string name, Input<string> id, OrganizationKajPolicyConfigState? state, CustomResourceOptions? opts = null)

public static OrganizationKajPolicyConfig get(String name, Output<String> id, OrganizationKajPolicyConfigState state, CustomResourceOptions options)

resources:  _:    type: gcp:kms:OrganizationKajPolicyConfig    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

DefaultKeyAccessJustificationPolicy OrganizationKajPolicyConfigDefaultKeyAccessJustificationPolicy: The default key access justification policy used when a CryptoKey is created in this organization. This is only used when a Key Access Justifications policy is not provided in the CreateCryptoKeyRequest. Structure is documented below.
Organization string: The organization number for which to retrieve config.

DefaultKeyAccessJustificationPolicy OrganizationKajPolicyConfigDefaultKeyAccessJustificationPolicyArgs: The default key access justification policy used when a CryptoKey is created in this organization. This is only used when a Key Access Justifications policy is not provided in the CreateCryptoKeyRequest. Structure is documented below.
Organization string: The organization number for which to retrieve config.

defaultKeyAccessJustificationPolicy OrganizationKajPolicyConfigDefaultKeyAccessJustificationPolicy: The default key access justification policy used when a CryptoKey is created in this organization. This is only used when a Key Access Justifications policy is not provided in the CreateCryptoKeyRequest. Structure is documented below.
organization String: The organization number for which to retrieve config.

defaultKeyAccessJustificationPolicy OrganizationKajPolicyConfigDefaultKeyAccessJustificationPolicy: The default key access justification policy used when a CryptoKey is created in this organization. This is only used when a Key Access Justifications policy is not provided in the CreateCryptoKeyRequest. Structure is documented below.
organization string: The organization number for which to retrieve config.

default_key_access_justification_policy OrganizationKajPolicyConfigDefaultKeyAccessJustificationPolicyArgs: The default key access justification policy used when a CryptoKey is created in this organization. This is only used when a Key Access Justifications policy is not provided in the CreateCryptoKeyRequest. Structure is documented below.
organization str: The organization number for which to retrieve config.

defaultKeyAccessJustificationPolicy Property Map: The default key access justification policy used when a CryptoKey is created in this organization. This is only used when a Key Access Justifications policy is not provided in the CreateCryptoKeyRequest. Structure is documented below.
organization String: The organization number for which to retrieve config.

Supporting Types

OrganizationKajPolicyConfigDefaultKeyAccessJustificationPolicy, OrganizationKajPolicyConfigDefaultKeyAccessJustificationPolicyArgs

AllowedAccessReasons List<string>: A KeyAccessJustificationsPolicy specifies zero or more allowed AccessReason values for encrypt, decrypt, and sign operations on a CryptoKey. Each value may be one of: CUSTOMER_INITIATED_SUPPORT, GOOGLE_INITIATED_SERVICE, THIRD_PARTY_DATA_REQUEST, GOOGLE_INITIATED_REVIEW, CUSTOMER_INITIATED_ACCESS, GOOGLE_INITIATED_SYSTEM_OPERATION, REASON_NOT_EXPECTED, MODIFIED_CUSTOMER_INITIATED_ACCESS, MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION, GOOGLE_RESPONSE_TO_PRODUCTION_ALERT, CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING.

AllowedAccessReasons []string: A KeyAccessJustificationsPolicy specifies zero or more allowed AccessReason values for encrypt, decrypt, and sign operations on a CryptoKey. Each value may be one of: CUSTOMER_INITIATED_SUPPORT, GOOGLE_INITIATED_SERVICE, THIRD_PARTY_DATA_REQUEST, GOOGLE_INITIATED_REVIEW, CUSTOMER_INITIATED_ACCESS, GOOGLE_INITIATED_SYSTEM_OPERATION, REASON_NOT_EXPECTED, MODIFIED_CUSTOMER_INITIATED_ACCESS, MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION, GOOGLE_RESPONSE_TO_PRODUCTION_ALERT, CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING.

allowedAccessReasons List<String>: A KeyAccessJustificationsPolicy specifies zero or more allowed AccessReason values for encrypt, decrypt, and sign operations on a CryptoKey. Each value may be one of: CUSTOMER_INITIATED_SUPPORT, GOOGLE_INITIATED_SERVICE, THIRD_PARTY_DATA_REQUEST, GOOGLE_INITIATED_REVIEW, CUSTOMER_INITIATED_ACCESS, GOOGLE_INITIATED_SYSTEM_OPERATION, REASON_NOT_EXPECTED, MODIFIED_CUSTOMER_INITIATED_ACCESS, MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION, GOOGLE_RESPONSE_TO_PRODUCTION_ALERT, CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING.

allowedAccessReasons string[]: A KeyAccessJustificationsPolicy specifies zero or more allowed AccessReason values for encrypt, decrypt, and sign operations on a CryptoKey. Each value may be one of: CUSTOMER_INITIATED_SUPPORT, GOOGLE_INITIATED_SERVICE, THIRD_PARTY_DATA_REQUEST, GOOGLE_INITIATED_REVIEW, CUSTOMER_INITIATED_ACCESS, GOOGLE_INITIATED_SYSTEM_OPERATION, REASON_NOT_EXPECTED, MODIFIED_CUSTOMER_INITIATED_ACCESS, MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION, GOOGLE_RESPONSE_TO_PRODUCTION_ALERT, CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING.

allowed_access_reasons Sequence[str]: A KeyAccessJustificationsPolicy specifies zero or more allowed AccessReason values for encrypt, decrypt, and sign operations on a CryptoKey. Each value may be one of: CUSTOMER_INITIATED_SUPPORT, GOOGLE_INITIATED_SERVICE, THIRD_PARTY_DATA_REQUEST, GOOGLE_INITIATED_REVIEW, CUSTOMER_INITIATED_ACCESS, GOOGLE_INITIATED_SYSTEM_OPERATION, REASON_NOT_EXPECTED, MODIFIED_CUSTOMER_INITIATED_ACCESS, MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION, GOOGLE_RESPONSE_TO_PRODUCTION_ALERT, CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING.

allowedAccessReasons List<String>: A KeyAccessJustificationsPolicy specifies zero or more allowed AccessReason values for encrypt, decrypt, and sign operations on a CryptoKey. Each value may be one of: CUSTOMER_INITIATED_SUPPORT, GOOGLE_INITIATED_SERVICE, THIRD_PARTY_DATA_REQUEST, GOOGLE_INITIATED_REVIEW, CUSTOMER_INITIATED_ACCESS, GOOGLE_INITIATED_SYSTEM_OPERATION, REASON_NOT_EXPECTED, MODIFIED_CUSTOMER_INITIATED_ACCESS, MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION, GOOGLE_RESPONSE_TO_PRODUCTION_ALERT, CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING.

Import

OrganizationKajPolicyConfig can be imported using any of these accepted formats:

organizations/{{organization}}/kajPolicyConfig
{{organization}}

When using the pulumi import command, OrganizationKajPolicyConfig can be imported using one of the formats above. For example:

$ pulumi import gcp:kms/organizationKajPolicyConfig:OrganizationKajPolicyConfig default organizations/{{organization}}/kajPolicyConfig

$ pulumi import gcp:kms/organizationKajPolicyConfig:OrganizationKajPolicyConfig default {{organization}}

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Google Cloud (GCP) Classic pulumi/pulumi-gcp
License: Apache-2.0
Notes: This Pulumi package is based on the google-beta Terraform Provider.

Google Cloud v9.3.0 published on Tuesday, Oct 7, 2025 by Pulumi

pulumi/pulumi-gcp

gcp.kms.OrganizationKajPolicyConfig

On this page

On this page

Example Usage

Kms Organization Kaj Policy Config Basic

Create OrganizationKajPolicyConfig Resource

Constructor syntax

Parameters

Constructor example

OrganizationKajPolicyConfig Resource Properties

Inputs

Outputs

Look up Existing OrganizationKajPolicyConfig Resource

Supporting Types

OrganizationKajPolicyConfigDefaultKeyAccessJustificationPolicy, OrganizationKajPolicyConfigDefaultKeyAccessJustificationPolicyArgs

Import

Package Details

On this page

On this page