Google Cloud Native v0.32.0, Nov 29 23

Google Cloud Native is in preview. Google Cloud Classic is fully supported.

Google Cloud Native v0.32.0 published on Wednesday, Nov 29, 2023 by Pulumi

pulumi/pulumi-google-native

google-native.cloudkms/v1.CryptoKey

Explore with Pulumi AI

Google Cloud Native is in preview. Google Cloud Classic is fully supported.

Google Cloud Native v0.32.0 published on Wednesday, Nov 29, 2023 by Pulumi

pulumi/pulumi-google-native

Create CryptoKey Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new CryptoKey(name: string, args: CryptoKeyArgs, opts?: CustomResourceOptions);

@overload
def CryptoKey(resource_name: str,
              args: CryptoKeyArgs,
              opts: Optional[ResourceOptions] = None)

@overload
def CryptoKey(resource_name: str,
              opts: Optional[ResourceOptions] = None,
              key_ring_id: Optional[str] = None,
              location: Optional[str] = None,
              destroy_scheduled_duration: Optional[str] = None,
              import_only: Optional[bool] = None,
              crypto_key_id: Optional[str] = None,
              labels: Optional[Mapping[str, str]] = None,
              crypto_key_backend: Optional[str] = None,
              next_rotation_time: Optional[str] = None,
              project: Optional[str] = None,
              purpose: Optional[CryptoKeyPurpose] = None,
              rotation_period: Optional[str] = None,
              skip_initial_version_creation: Optional[bool] = None,
              version_template: Optional[CryptoKeyVersionTemplateArgs] = None)

func NewCryptoKey(ctx *Context, name string, args CryptoKeyArgs, opts ...ResourceOption) (*CryptoKey, error)

public CryptoKey(string name, CryptoKeyArgs args, CustomResourceOptions? opts = null)

public CryptoKey(String name, CryptoKeyArgs args)
public CryptoKey(String name, CryptoKeyArgs args, CustomResourceOptions options)

type: google-native:cloudkms/v1:CryptoKey
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args CryptoKeyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args CryptoKeyArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args CryptoKeyArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args CryptoKeyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args CryptoKeyArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var cryptoKeyResource = new GoogleNative.Cloudkms.V1.CryptoKey("cryptoKeyResource", new()
{
    KeyRingId = "string",
    Location = "string",
    DestroyScheduledDuration = "string",
    ImportOnly = false,
    CryptoKeyId = "string",
    Labels = 
    {
        { "string", "string" },
    },
    CryptoKeyBackend = "string",
    NextRotationTime = "string",
    Project = "string",
    Purpose = GoogleNative.Cloudkms.V1.CryptoKeyPurpose.CryptoKeyPurposeUnspecified,
    RotationPeriod = "string",
    SkipInitialVersionCreation = false,
    VersionTemplate = new GoogleNative.Cloudkms.V1.Inputs.CryptoKeyVersionTemplateArgs
    {
        Algorithm = GoogleNative.Cloudkms.V1.CryptoKeyVersionTemplateAlgorithm.CryptoKeyVersionAlgorithmUnspecified,
        ProtectionLevel = GoogleNative.Cloudkms.V1.CryptoKeyVersionTemplateProtectionLevel.ProtectionLevelUnspecified,
    },
});

example, err := cloudkms.NewCryptoKey(ctx, "cryptoKeyResource", &cloudkms.CryptoKeyArgs{
	KeyRingId:                pulumi.String("string"),
	Location:                 pulumi.String("string"),
	DestroyScheduledDuration: pulumi.String("string"),
	ImportOnly:               pulumi.Bool(false),
	CryptoKeyId:              pulumi.String("string"),
	Labels: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	CryptoKeyBackend:           pulumi.String("string"),
	NextRotationTime:           pulumi.String("string"),
	Project:                    pulumi.String("string"),
	Purpose:                    cloudkms.CryptoKeyPurposeCryptoKeyPurposeUnspecified,
	RotationPeriod:             pulumi.String("string"),
	SkipInitialVersionCreation: pulumi.Bool(false),
	VersionTemplate: &cloudkms.CryptoKeyVersionTemplateArgs{
		Algorithm:       cloudkms.CryptoKeyVersionTemplateAlgorithmCryptoKeyVersionAlgorithmUnspecified,
		ProtectionLevel: cloudkms.CryptoKeyVersionTemplateProtectionLevelProtectionLevelUnspecified,
	},
})

var cryptoKeyResource = new CryptoKey("cryptoKeyResource", CryptoKeyArgs.builder()
    .keyRingId("string")
    .location("string")
    .destroyScheduledDuration("string")
    .importOnly(false)
    .cryptoKeyId("string")
    .labels(Map.of("string", "string"))
    .cryptoKeyBackend("string")
    .nextRotationTime("string")
    .project("string")
    .purpose("CRYPTO_KEY_PURPOSE_UNSPECIFIED")
    .rotationPeriod("string")
    .skipInitialVersionCreation(false)
    .versionTemplate(CryptoKeyVersionTemplateArgs.builder()
        .algorithm("CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED")
        .protectionLevel("PROTECTION_LEVEL_UNSPECIFIED")
        .build())
    .build());

crypto_key_resource = google_native.cloudkms.v1.CryptoKey("cryptoKeyResource",
    key_ring_id="string",
    location="string",
    destroy_scheduled_duration="string",
    import_only=False,
    crypto_key_id="string",
    labels={
        "string": "string",
    },
    crypto_key_backend="string",
    next_rotation_time="string",
    project="string",
    purpose=google_native.cloudkms.v1.CryptoKeyPurpose.CRYPTO_KEY_PURPOSE_UNSPECIFIED,
    rotation_period="string",
    skip_initial_version_creation=False,
    version_template={
        "algorithm": google_native.cloudkms.v1.CryptoKeyVersionTemplateAlgorithm.CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED,
        "protection_level": google_native.cloudkms.v1.CryptoKeyVersionTemplateProtectionLevel.PROTECTION_LEVEL_UNSPECIFIED,
    })

const cryptoKeyResource = new google_native.cloudkms.v1.CryptoKey("cryptoKeyResource", {
    keyRingId: "string",
    location: "string",
    destroyScheduledDuration: "string",
    importOnly: false,
    cryptoKeyId: "string",
    labels: {
        string: "string",
    },
    cryptoKeyBackend: "string",
    nextRotationTime: "string",
    project: "string",
    purpose: google_native.cloudkms.v1.CryptoKeyPurpose.CryptoKeyPurposeUnspecified,
    rotationPeriod: "string",
    skipInitialVersionCreation: false,
    versionTemplate: {
        algorithm: google_native.cloudkms.v1.CryptoKeyVersionTemplateAlgorithm.CryptoKeyVersionAlgorithmUnspecified,
        protectionLevel: google_native.cloudkms.v1.CryptoKeyVersionTemplateProtectionLevel.ProtectionLevelUnspecified,
    },
});

type: google-native:cloudkms/v1:CryptoKey
properties:
    cryptoKeyBackend: string
    cryptoKeyId: string
    destroyScheduledDuration: string
    importOnly: false
    keyRingId: string
    labels:
        string: string
    location: string
    nextRotationTime: string
    project: string
    purpose: CRYPTO_KEY_PURPOSE_UNSPECIFIED
    rotationPeriod: string
    skipInitialVersionCreation: false
    versionTemplate:
        algorithm: CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED
        protectionLevel: PROTECTION_LEVEL_UNSPECIFIED

CryptoKey Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The CryptoKey resource accepts the following input properties:

KeyRingId string
CryptoKeyBackend string: Immutable. The resource name of the backend environment where the key material for all CryptoKeyVersions associated with this CryptoKey reside and where all related cryptographic operations are performed. Only applicable if CryptoKeyVersions have a ProtectionLevel of EXTERNAL_VPC, with the resource name in the format projects/*/locations/*/ekmConnections/*. Note, this list is non-exhaustive and may apply to additional ProtectionLevels in the future.
CryptoKeyId string: Required. It must be unique within a KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}
DestroyScheduledDuration string: Immutable. The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
ImportOnly bool: Immutable. Whether this key may contain imported versions only.
Labels Dictionary<string, string>: Labels with user-defined metadata. For more information, see Labeling Keys.
Location string
NextRotationTime string: At next_rotation_time, the Key Management Service will automatically: 1. Create a new version of this CryptoKey. 2. Mark the new version as primary. Key rotations performed manually via CreateCryptoKeyVersion and UpdateCryptoKeyPrimaryVersion do not affect next_rotation_time. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
Project string
Purpose Pulumi.GoogleNative.Cloudkms.V1.CryptoKeyPurpose: Immutable. The immutable purpose of this CryptoKey.
RotationPeriod string: next_rotation_time will be advanced by this period when the service automatically rotates a key. Must be at least 24 hours and at most 876,000 hours. If rotation_period is set, next_rotation_time must also be set. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
SkipInitialVersionCreation bool: If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must manually call CreateCryptoKeyVersion or ImportCryptoKeyVersion before you can use this CryptoKey.
VersionTemplate Pulumi.GoogleNative.Cloudkms.V1.Inputs.CryptoKeyVersionTemplate: A template describing settings for new CryptoKeyVersion instances. The properties of new CryptoKeyVersion instances created by either CreateCryptoKeyVersion or auto-rotation are controlled by this template.

KeyRingId string
CryptoKeyBackend string: Immutable. The resource name of the backend environment where the key material for all CryptoKeyVersions associated with this CryptoKey reside and where all related cryptographic operations are performed. Only applicable if CryptoKeyVersions have a ProtectionLevel of EXTERNAL_VPC, with the resource name in the format projects/*/locations/*/ekmConnections/*. Note, this list is non-exhaustive and may apply to additional ProtectionLevels in the future.
CryptoKeyId string: Required. It must be unique within a KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}
DestroyScheduledDuration string: Immutable. The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
ImportOnly bool: Immutable. Whether this key may contain imported versions only.
Labels map[string]string: Labels with user-defined metadata. For more information, see Labeling Keys.
Location string
NextRotationTime string: At next_rotation_time, the Key Management Service will automatically: 1. Create a new version of this CryptoKey. 2. Mark the new version as primary. Key rotations performed manually via CreateCryptoKeyVersion and UpdateCryptoKeyPrimaryVersion do not affect next_rotation_time. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
Project string
Purpose CryptoKeyPurpose: Immutable. The immutable purpose of this CryptoKey.
RotationPeriod string: next_rotation_time will be advanced by this period when the service automatically rotates a key. Must be at least 24 hours and at most 876,000 hours. If rotation_period is set, next_rotation_time must also be set. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
SkipInitialVersionCreation bool: If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must manually call CreateCryptoKeyVersion or ImportCryptoKeyVersion before you can use this CryptoKey.
VersionTemplate CryptoKeyVersionTemplateArgs: A template describing settings for new CryptoKeyVersion instances. The properties of new CryptoKeyVersion instances created by either CreateCryptoKeyVersion or auto-rotation are controlled by this template.

keyRingId String
cryptoKeyBackend String: Immutable. The resource name of the backend environment where the key material for all CryptoKeyVersions associated with this CryptoKey reside and where all related cryptographic operations are performed. Only applicable if CryptoKeyVersions have a ProtectionLevel of EXTERNAL_VPC, with the resource name in the format projects/*/locations/*/ekmConnections/*. Note, this list is non-exhaustive and may apply to additional ProtectionLevels in the future.
cryptoKeyId String: Required. It must be unique within a KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}
destroyScheduledDuration String: Immutable. The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
importOnly Boolean: Immutable. Whether this key may contain imported versions only.
labels Map<String,String>: Labels with user-defined metadata. For more information, see Labeling Keys.
location String
nextRotationTime String: At next_rotation_time, the Key Management Service will automatically: 1. Create a new version of this CryptoKey. 2. Mark the new version as primary. Key rotations performed manually via CreateCryptoKeyVersion and UpdateCryptoKeyPrimaryVersion do not affect next_rotation_time. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
project String
purpose CryptoKeyPurpose: Immutable. The immutable purpose of this CryptoKey.
rotationPeriod String: next_rotation_time will be advanced by this period when the service automatically rotates a key. Must be at least 24 hours and at most 876,000 hours. If rotation_period is set, next_rotation_time must also be set. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
skipInitialVersionCreation Boolean: If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must manually call CreateCryptoKeyVersion or ImportCryptoKeyVersion before you can use this CryptoKey.
versionTemplate CryptoKeyVersionTemplate: A template describing settings for new CryptoKeyVersion instances. The properties of new CryptoKeyVersion instances created by either CreateCryptoKeyVersion or auto-rotation are controlled by this template.

keyRingId string
cryptoKeyBackend string: Immutable. The resource name of the backend environment where the key material for all CryptoKeyVersions associated with this CryptoKey reside and where all related cryptographic operations are performed. Only applicable if CryptoKeyVersions have a ProtectionLevel of EXTERNAL_VPC, with the resource name in the format projects/*/locations/*/ekmConnections/*. Note, this list is non-exhaustive and may apply to additional ProtectionLevels in the future.
cryptoKeyId string: Required. It must be unique within a KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}
destroyScheduledDuration string: Immutable. The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
importOnly boolean: Immutable. Whether this key may contain imported versions only.
labels {[key: string]: string}: Labels with user-defined metadata. For more information, see Labeling Keys.
location string
nextRotationTime string: At next_rotation_time, the Key Management Service will automatically: 1. Create a new version of this CryptoKey. 2. Mark the new version as primary. Key rotations performed manually via CreateCryptoKeyVersion and UpdateCryptoKeyPrimaryVersion do not affect next_rotation_time. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
project string
purpose CryptoKeyPurpose: Immutable. The immutable purpose of this CryptoKey.
rotationPeriod string: next_rotation_time will be advanced by this period when the service automatically rotates a key. Must be at least 24 hours and at most 876,000 hours. If rotation_period is set, next_rotation_time must also be set. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
skipInitialVersionCreation boolean: If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must manually call CreateCryptoKeyVersion or ImportCryptoKeyVersion before you can use this CryptoKey.
versionTemplate CryptoKeyVersionTemplate: A template describing settings for new CryptoKeyVersion instances. The properties of new CryptoKeyVersion instances created by either CreateCryptoKeyVersion or auto-rotation are controlled by this template.

key_ring_id str
crypto_key_backend str: Immutable. The resource name of the backend environment where the key material for all CryptoKeyVersions associated with this CryptoKey reside and where all related cryptographic operations are performed. Only applicable if CryptoKeyVersions have a ProtectionLevel of EXTERNAL_VPC, with the resource name in the format projects/*/locations/*/ekmConnections/*. Note, this list is non-exhaustive and may apply to additional ProtectionLevels in the future.
crypto_key_id str: Required. It must be unique within a KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}
destroy_scheduled_duration str: Immutable. The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
import_only bool: Immutable. Whether this key may contain imported versions only.
labels Mapping[str, str]: Labels with user-defined metadata. For more information, see Labeling Keys.
location str
next_rotation_time str: At next_rotation_time, the Key Management Service will automatically: 1. Create a new version of this CryptoKey. 2. Mark the new version as primary. Key rotations performed manually via CreateCryptoKeyVersion and UpdateCryptoKeyPrimaryVersion do not affect next_rotation_time. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
project str
purpose CryptoKeyPurpose: Immutable. The immutable purpose of this CryptoKey.
rotation_period str: next_rotation_time will be advanced by this period when the service automatically rotates a key. Must be at least 24 hours and at most 876,000 hours. If rotation_period is set, next_rotation_time must also be set. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
skip_initial_version_creation bool: If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must manually call CreateCryptoKeyVersion or ImportCryptoKeyVersion before you can use this CryptoKey.
version_template CryptoKeyVersionTemplateArgs: A template describing settings for new CryptoKeyVersion instances. The properties of new CryptoKeyVersion instances created by either CreateCryptoKeyVersion or auto-rotation are controlled by this template.

keyRingId String
cryptoKeyBackend String: Immutable. The resource name of the backend environment where the key material for all CryptoKeyVersions associated with this CryptoKey reside and where all related cryptographic operations are performed. Only applicable if CryptoKeyVersions have a ProtectionLevel of EXTERNAL_VPC, with the resource name in the format projects/*/locations/*/ekmConnections/*. Note, this list is non-exhaustive and may apply to additional ProtectionLevels in the future.
cryptoKeyId String: Required. It must be unique within a KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}
destroyScheduledDuration String: Immutable. The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
importOnly Boolean: Immutable. Whether this key may contain imported versions only.
labels Map<String>: Labels with user-defined metadata. For more information, see Labeling Keys.
location String
nextRotationTime String: At next_rotation_time, the Key Management Service will automatically: 1. Create a new version of this CryptoKey. 2. Mark the new version as primary. Key rotations performed manually via CreateCryptoKeyVersion and UpdateCryptoKeyPrimaryVersion do not affect next_rotation_time. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
project String
purpose "CRYPTO_KEY_PURPOSE_UNSPECIFIED" | "ENCRYPT_DECRYPT" | "ASYMMETRIC_SIGN" | "ASYMMETRIC_DECRYPT" | "RAW_ENCRYPT_DECRYPT" | "MAC": Immutable. The immutable purpose of this CryptoKey.
rotationPeriod String: next_rotation_time will be advanced by this period when the service automatically rotates a key. Must be at least 24 hours and at most 876,000 hours. If rotation_period is set, next_rotation_time must also be set. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
skipInitialVersionCreation Boolean: If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must manually call CreateCryptoKeyVersion or ImportCryptoKeyVersion before you can use this CryptoKey.
versionTemplate Property Map: A template describing settings for new CryptoKeyVersion instances. The properties of new CryptoKeyVersion instances created by either CreateCryptoKeyVersion or auto-rotation are controlled by this template.

Outputs

All input properties are implicitly available as output properties. Additionally, the CryptoKey resource produces the following output properties:

CreateTime string: The time at which this CryptoKey was created.
Id string: The provider-assigned unique ID for this managed resource.
Name string: The resource name for this CryptoKey in the format projects/*/locations/*/keyRings/*/cryptoKeys/*.
Primary Pulumi.GoogleNative.Cloudkms.V1.Outputs.CryptoKeyVersionResponse: A copy of the "primary" CryptoKeyVersion that will be used by Encrypt when this CryptoKey is given in EncryptRequest.name. The CryptoKey's primary version can be updated via UpdateCryptoKeyPrimaryVersion. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be omitted.

CreateTime string: The time at which this CryptoKey was created.
Id string: The provider-assigned unique ID for this managed resource.
Name string: The resource name for this CryptoKey in the format projects/*/locations/*/keyRings/*/cryptoKeys/*.
Primary CryptoKeyVersionResponse: A copy of the "primary" CryptoKeyVersion that will be used by Encrypt when this CryptoKey is given in EncryptRequest.name. The CryptoKey's primary version can be updated via UpdateCryptoKeyPrimaryVersion. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be omitted.

createTime String: The time at which this CryptoKey was created.
id String: The provider-assigned unique ID for this managed resource.
name String: The resource name for this CryptoKey in the format projects/*/locations/*/keyRings/*/cryptoKeys/*.
primary CryptoKeyVersionResponse: A copy of the "primary" CryptoKeyVersion that will be used by Encrypt when this CryptoKey is given in EncryptRequest.name. The CryptoKey's primary version can be updated via UpdateCryptoKeyPrimaryVersion. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be omitted.

createTime string: The time at which this CryptoKey was created.
id string: The provider-assigned unique ID for this managed resource.
name string: The resource name for this CryptoKey in the format projects/*/locations/*/keyRings/*/cryptoKeys/*.
primary CryptoKeyVersionResponse: A copy of the "primary" CryptoKeyVersion that will be used by Encrypt when this CryptoKey is given in EncryptRequest.name. The CryptoKey's primary version can be updated via UpdateCryptoKeyPrimaryVersion. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be omitted.

create_time str: The time at which this CryptoKey was created.
id str: The provider-assigned unique ID for this managed resource.
name str: The resource name for this CryptoKey in the format projects/*/locations/*/keyRings/*/cryptoKeys/*.
primary CryptoKeyVersionResponse: A copy of the "primary" CryptoKeyVersion that will be used by Encrypt when this CryptoKey is given in EncryptRequest.name. The CryptoKey's primary version can be updated via UpdateCryptoKeyPrimaryVersion. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be omitted.

createTime String: The time at which this CryptoKey was created.
id String: The provider-assigned unique ID for this managed resource.
name String: The resource name for this CryptoKey in the format projects/*/locations/*/keyRings/*/cryptoKeys/*.
primary Property Map: A copy of the "primary" CryptoKeyVersion that will be used by Encrypt when this CryptoKey is given in EncryptRequest.name. The CryptoKey's primary version can be updated via UpdateCryptoKeyPrimaryVersion. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be omitted.

Supporting Types

CertificateChainsResponse, CertificateChainsResponseArgs

CaviumCerts List<string>: Cavium certificate chain corresponding to the attestation.
GoogleCardCerts List<string>: Google card certificate chain corresponding to the attestation.
GooglePartitionCerts List<string>: Google partition certificate chain corresponding to the attestation.

CaviumCerts []string: Cavium certificate chain corresponding to the attestation.
GoogleCardCerts []string: Google card certificate chain corresponding to the attestation.
GooglePartitionCerts []string: Google partition certificate chain corresponding to the attestation.

caviumCerts List<String>: Cavium certificate chain corresponding to the attestation.
googleCardCerts List<String>: Google card certificate chain corresponding to the attestation.
googlePartitionCerts List<String>: Google partition certificate chain corresponding to the attestation.

caviumCerts string[]: Cavium certificate chain corresponding to the attestation.
googleCardCerts string[]: Google card certificate chain corresponding to the attestation.
googlePartitionCerts string[]: Google partition certificate chain corresponding to the attestation.

cavium_certs Sequence[str]: Cavium certificate chain corresponding to the attestation.
google_card_certs Sequence[str]: Google card certificate chain corresponding to the attestation.
google_partition_certs Sequence[str]: Google partition certificate chain corresponding to the attestation.

caviumCerts List<String>: Cavium certificate chain corresponding to the attestation.
googleCardCerts List<String>: Google card certificate chain corresponding to the attestation.
googlePartitionCerts List<String>: Google partition certificate chain corresponding to the attestation.

CryptoKeyPurpose, CryptoKeyPurposeArgs

CryptoKeyPurposeUnspecified: CRYPTO_KEY_PURPOSE_UNSPECIFIEDNot specified.
EncryptDecrypt: ENCRYPT_DECRYPTCryptoKeys with this purpose may be used with Encrypt and Decrypt.
AsymmetricSign: ASYMMETRIC_SIGNCryptoKeys with this purpose may be used with AsymmetricSign and GetPublicKey.
AsymmetricDecrypt: ASYMMETRIC_DECRYPTCryptoKeys with this purpose may be used with AsymmetricDecrypt and GetPublicKey.
RawEncryptDecrypt: RAW_ENCRYPT_DECRYPTCryptoKeys with this purpose may be used with RawEncrypt and RawDecrypt. This purpose is meant to be used for interoperable symmetric encryption and does not support automatic CryptoKey rotation.
Mac: MACCryptoKeys with this purpose may be used with MacSign.

CryptoKeyPurposeCryptoKeyPurposeUnspecified: CRYPTO_KEY_PURPOSE_UNSPECIFIEDNot specified.
CryptoKeyPurposeEncryptDecrypt: ENCRYPT_DECRYPTCryptoKeys with this purpose may be used with Encrypt and Decrypt.
CryptoKeyPurposeAsymmetricSign: ASYMMETRIC_SIGNCryptoKeys with this purpose may be used with AsymmetricSign and GetPublicKey.
CryptoKeyPurposeAsymmetricDecrypt: ASYMMETRIC_DECRYPTCryptoKeys with this purpose may be used with AsymmetricDecrypt and GetPublicKey.
CryptoKeyPurposeRawEncryptDecrypt: RAW_ENCRYPT_DECRYPTCryptoKeys with this purpose may be used with RawEncrypt and RawDecrypt. This purpose is meant to be used for interoperable symmetric encryption and does not support automatic CryptoKey rotation.
CryptoKeyPurposeMac: MACCryptoKeys with this purpose may be used with MacSign.

CryptoKeyPurposeUnspecified: CRYPTO_KEY_PURPOSE_UNSPECIFIEDNot specified.
EncryptDecrypt: ENCRYPT_DECRYPTCryptoKeys with this purpose may be used with Encrypt and Decrypt.
AsymmetricSign: ASYMMETRIC_SIGNCryptoKeys with this purpose may be used with AsymmetricSign and GetPublicKey.
AsymmetricDecrypt: ASYMMETRIC_DECRYPTCryptoKeys with this purpose may be used with AsymmetricDecrypt and GetPublicKey.
RawEncryptDecrypt: RAW_ENCRYPT_DECRYPTCryptoKeys with this purpose may be used with RawEncrypt and RawDecrypt. This purpose is meant to be used for interoperable symmetric encryption and does not support automatic CryptoKey rotation.
Mac: MACCryptoKeys with this purpose may be used with MacSign.

CryptoKeyPurposeUnspecified: CRYPTO_KEY_PURPOSE_UNSPECIFIEDNot specified.
EncryptDecrypt: ENCRYPT_DECRYPTCryptoKeys with this purpose may be used with Encrypt and Decrypt.
AsymmetricSign: ASYMMETRIC_SIGNCryptoKeys with this purpose may be used with AsymmetricSign and GetPublicKey.
AsymmetricDecrypt: ASYMMETRIC_DECRYPTCryptoKeys with this purpose may be used with AsymmetricDecrypt and GetPublicKey.
RawEncryptDecrypt: RAW_ENCRYPT_DECRYPTCryptoKeys with this purpose may be used with RawEncrypt and RawDecrypt. This purpose is meant to be used for interoperable symmetric encryption and does not support automatic CryptoKey rotation.
Mac: MACCryptoKeys with this purpose may be used with MacSign.

CRYPTO_KEY_PURPOSE_UNSPECIFIED: CRYPTO_KEY_PURPOSE_UNSPECIFIEDNot specified.
ENCRYPT_DECRYPT: ENCRYPT_DECRYPTCryptoKeys with this purpose may be used with Encrypt and Decrypt.
ASYMMETRIC_SIGN: ASYMMETRIC_SIGNCryptoKeys with this purpose may be used with AsymmetricSign and GetPublicKey.
ASYMMETRIC_DECRYPT: ASYMMETRIC_DECRYPTCryptoKeys with this purpose may be used with AsymmetricDecrypt and GetPublicKey.
RAW_ENCRYPT_DECRYPT: RAW_ENCRYPT_DECRYPTCryptoKeys with this purpose may be used with RawEncrypt and RawDecrypt. This purpose is meant to be used for interoperable symmetric encryption and does not support automatic CryptoKey rotation.
MAC: MACCryptoKeys with this purpose may be used with MacSign.

"CRYPTO_KEY_PURPOSE_UNSPECIFIED": CRYPTO_KEY_PURPOSE_UNSPECIFIEDNot specified.
"ENCRYPT_DECRYPT": ENCRYPT_DECRYPTCryptoKeys with this purpose may be used with Encrypt and Decrypt.
"ASYMMETRIC_SIGN": ASYMMETRIC_SIGNCryptoKeys with this purpose may be used with AsymmetricSign and GetPublicKey.
"ASYMMETRIC_DECRYPT": ASYMMETRIC_DECRYPTCryptoKeys with this purpose may be used with AsymmetricDecrypt and GetPublicKey.
"RAW_ENCRYPT_DECRYPT": RAW_ENCRYPT_DECRYPTCryptoKeys with this purpose may be used with RawEncrypt and RawDecrypt. This purpose is meant to be used for interoperable symmetric encryption and does not support automatic CryptoKey rotation.
"MAC": MACCryptoKeys with this purpose may be used with MacSign.

CryptoKeyVersionResponse, CryptoKeyVersionResponseArgs

Algorithm string: The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.
Attestation Pulumi.GoogleNative.Cloudkms.V1.Inputs.KeyOperationAttestationResponse: Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with protection_level HSM.
CreateTime string: The time at which this CryptoKeyVersion was created.
DestroyEventTime string: The time this CryptoKeyVersion's key material was destroyed. Only present if state is DESTROYED.
DestroyTime string: The time this CryptoKeyVersion's key material is scheduled for destruction. Only present if state is DESTROY_SCHEDULED.
ExternalDestructionFailureReason string: The root cause of the most recent external destruction failure. Only present if state is EXTERNAL_DESTRUCTION_FAILED.
ExternalProtectionLevelOptions Pulumi.GoogleNative.Cloudkms.V1.Inputs.ExternalProtectionLevelOptionsResponse: ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels.
GenerateTime string: The time this CryptoKeyVersion's key material was generated.
GenerationFailureReason string: The root cause of the most recent generation failure. Only present if state is GENERATION_FAILED.
ImportFailureReason string: The root cause of the most recent import failure. Only present if state is IMPORT_FAILED.
ImportJob string: The name of the ImportJob used in the most recent import of this CryptoKeyVersion. Only present if the underlying key material was imported.
ImportTime string: The time at which this CryptoKeyVersion's key material was most recently imported.
Name string: The resource name for this CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.
ProtectionLevel string: The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.
ReimportEligible bool: Whether or not this key version is eligible for reimport, by being specified as a target in ImportCryptoKeyVersionRequest.crypto_key_version.
State string: The current state of the CryptoKeyVersion.

Algorithm string: The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.
Attestation KeyOperationAttestationResponse: Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with protection_level HSM.
CreateTime string: The time at which this CryptoKeyVersion was created.
DestroyEventTime string: The time this CryptoKeyVersion's key material was destroyed. Only present if state is DESTROYED.
DestroyTime string: The time this CryptoKeyVersion's key material is scheduled for destruction. Only present if state is DESTROY_SCHEDULED.
ExternalDestructionFailureReason string: The root cause of the most recent external destruction failure. Only present if state is EXTERNAL_DESTRUCTION_FAILED.
ExternalProtectionLevelOptions ExternalProtectionLevelOptionsResponse: ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels.
GenerateTime string: The time this CryptoKeyVersion's key material was generated.
GenerationFailureReason string: The root cause of the most recent generation failure. Only present if state is GENERATION_FAILED.
ImportFailureReason string: The root cause of the most recent import failure. Only present if state is IMPORT_FAILED.
ImportJob string: The name of the ImportJob used in the most recent import of this CryptoKeyVersion. Only present if the underlying key material was imported.
ImportTime string: The time at which this CryptoKeyVersion's key material was most recently imported.
Name string: The resource name for this CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.
ProtectionLevel string: The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.
ReimportEligible bool: Whether or not this key version is eligible for reimport, by being specified as a target in ImportCryptoKeyVersionRequest.crypto_key_version.
State string: The current state of the CryptoKeyVersion.

algorithm String: The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.
attestation KeyOperationAttestationResponse: Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with protection_level HSM.
createTime String: The time at which this CryptoKeyVersion was created.
destroyEventTime String: The time this CryptoKeyVersion's key material was destroyed. Only present if state is DESTROYED.
destroyTime String: The time this CryptoKeyVersion's key material is scheduled for destruction. Only present if state is DESTROY_SCHEDULED.
externalDestructionFailureReason String: The root cause of the most recent external destruction failure. Only present if state is EXTERNAL_DESTRUCTION_FAILED.
externalProtectionLevelOptions ExternalProtectionLevelOptionsResponse: ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels.
generateTime String: The time this CryptoKeyVersion's key material was generated.
generationFailureReason String: The root cause of the most recent generation failure. Only present if state is GENERATION_FAILED.
importFailureReason String: The root cause of the most recent import failure. Only present if state is IMPORT_FAILED.
importJob String: The name of the ImportJob used in the most recent import of this CryptoKeyVersion. Only present if the underlying key material was imported.
importTime String: The time at which this CryptoKeyVersion's key material was most recently imported.
name String: The resource name for this CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.
protectionLevel String: The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.
reimportEligible Boolean: Whether or not this key version is eligible for reimport, by being specified as a target in ImportCryptoKeyVersionRequest.crypto_key_version.
state String: The current state of the CryptoKeyVersion.

algorithm string: The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.
attestation KeyOperationAttestationResponse: Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with protection_level HSM.
createTime string: The time at which this CryptoKeyVersion was created.
destroyEventTime string: The time this CryptoKeyVersion's key material was destroyed. Only present if state is DESTROYED.
destroyTime string: The time this CryptoKeyVersion's key material is scheduled for destruction. Only present if state is DESTROY_SCHEDULED.
externalDestructionFailureReason string: The root cause of the most recent external destruction failure. Only present if state is EXTERNAL_DESTRUCTION_FAILED.
externalProtectionLevelOptions ExternalProtectionLevelOptionsResponse: ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels.
generateTime string: The time this CryptoKeyVersion's key material was generated.
generationFailureReason string: The root cause of the most recent generation failure. Only present if state is GENERATION_FAILED.
importFailureReason string: The root cause of the most recent import failure. Only present if state is IMPORT_FAILED.
importJob string: The name of the ImportJob used in the most recent import of this CryptoKeyVersion. Only present if the underlying key material was imported.
importTime string: The time at which this CryptoKeyVersion's key material was most recently imported.
name string: The resource name for this CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.
protectionLevel string: The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.
reimportEligible boolean: Whether or not this key version is eligible for reimport, by being specified as a target in ImportCryptoKeyVersionRequest.crypto_key_version.
state string: The current state of the CryptoKeyVersion.

algorithm str: The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.
attestation KeyOperationAttestationResponse: Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with protection_level HSM.
create_time str: The time at which this CryptoKeyVersion was created.
destroy_event_time str: The time this CryptoKeyVersion's key material was destroyed. Only present if state is DESTROYED.
destroy_time str: The time this CryptoKeyVersion's key material is scheduled for destruction. Only present if state is DESTROY_SCHEDULED.
external_destruction_failure_reason str: The root cause of the most recent external destruction failure. Only present if state is EXTERNAL_DESTRUCTION_FAILED.
external_protection_level_options ExternalProtectionLevelOptionsResponse: ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels.
generate_time str: The time this CryptoKeyVersion's key material was generated.
generation_failure_reason str: The root cause of the most recent generation failure. Only present if state is GENERATION_FAILED.
import_failure_reason str: The root cause of the most recent import failure. Only present if state is IMPORT_FAILED.
import_job str: The name of the ImportJob used in the most recent import of this CryptoKeyVersion. Only present if the underlying key material was imported.
import_time str: The time at which this CryptoKeyVersion's key material was most recently imported.
name str: The resource name for this CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.
protection_level str: The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.
reimport_eligible bool: Whether or not this key version is eligible for reimport, by being specified as a target in ImportCryptoKeyVersionRequest.crypto_key_version.
state str: The current state of the CryptoKeyVersion.

algorithm String: The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.
attestation Property Map: Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with protection_level HSM.
createTime String: The time at which this CryptoKeyVersion was created.
destroyEventTime String: The time this CryptoKeyVersion's key material was destroyed. Only present if state is DESTROYED.
destroyTime String: The time this CryptoKeyVersion's key material is scheduled for destruction. Only present if state is DESTROY_SCHEDULED.
externalDestructionFailureReason String: The root cause of the most recent external destruction failure. Only present if state is EXTERNAL_DESTRUCTION_FAILED.
externalProtectionLevelOptions Property Map: ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels.
generateTime String: The time this CryptoKeyVersion's key material was generated.
generationFailureReason String: The root cause of the most recent generation failure. Only present if state is GENERATION_FAILED.
importFailureReason String: The root cause of the most recent import failure. Only present if state is IMPORT_FAILED.
importJob String: The name of the ImportJob used in the most recent import of this CryptoKeyVersion. Only present if the underlying key material was imported.
importTime String: The time at which this CryptoKeyVersion's key material was most recently imported.
name String: The resource name for this CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.
protectionLevel String: The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.
reimportEligible Boolean: Whether or not this key version is eligible for reimport, by being specified as a target in ImportCryptoKeyVersionRequest.crypto_key_version.
state String: The current state of the CryptoKeyVersion.

CryptoKeyVersionTemplate, CryptoKeyVersionTemplateArgs

Algorithm Pulumi.GoogleNative.Cloudkms.V1.CryptoKeyVersionTemplateAlgorithm: Algorithm to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
ProtectionLevel Pulumi.GoogleNative.Cloudkms.V1.CryptoKeyVersionTemplateProtectionLevel: ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.

Algorithm CryptoKeyVersionTemplateAlgorithm: Algorithm to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
ProtectionLevel CryptoKeyVersionTemplateProtectionLevel: ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.

algorithm CryptoKeyVersionTemplateAlgorithm: Algorithm to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
protectionLevel CryptoKeyVersionTemplateProtectionLevel: ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.

algorithm CryptoKeyVersionTemplateAlgorithm: Algorithm to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
protectionLevel CryptoKeyVersionTemplateProtectionLevel: ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.

algorithm CryptoKeyVersionTemplateAlgorithm: Algorithm to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
protection_level CryptoKeyVersionTemplateProtectionLevel: ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.

algorithm "CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED" | "GOOGLE_SYMMETRIC_ENCRYPTION" | "AES_128_GCM" | "AES_256_GCM" | "AES_128_CBC" | "AES_256_CBC" | "AES_128_CTR" | "AES_256_CTR" | "RSA_SIGN_PSS_2048_SHA256" | "RSA_SIGN_PSS_3072_SHA256" | "RSA_SIGN_PSS_4096_SHA256" | "RSA_SIGN_PSS_4096_SHA512" | "RSA_SIGN_PKCS1_2048_SHA256" | "RSA_SIGN_PKCS1_3072_SHA256" | "RSA_SIGN_PKCS1_4096_SHA256" | "RSA_SIGN_PKCS1_4096_SHA512" | "RSA_SIGN_RAW_PKCS1_2048" | "RSA_SIGN_RAW_PKCS1_3072" | "RSA_SIGN_RAW_PKCS1_4096" | "RSA_DECRYPT_OAEP_2048_SHA256" | "RSA_DECRYPT_OAEP_3072_SHA256" | "RSA_DECRYPT_OAEP_4096_SHA256" | "RSA_DECRYPT_OAEP_4096_SHA512" | "RSA_DECRYPT_OAEP_2048_SHA1" | "RSA_DECRYPT_OAEP_3072_SHA1" | "RSA_DECRYPT_OAEP_4096_SHA1" | "EC_SIGN_P256_SHA256" | "EC_SIGN_P384_SHA384" | "EC_SIGN_SECP256K1_SHA256" | "HMAC_SHA256" | "HMAC_SHA1" | "HMAC_SHA384" | "HMAC_SHA512" | "HMAC_SHA224" | "EXTERNAL_SYMMETRIC_ENCRYPTION": Algorithm to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
protectionLevel "PROTECTION_LEVEL_UNSPECIFIED" | "SOFTWARE" | "HSM" | "EXTERNAL" | "EXTERNAL_VPC": ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.

CryptoKeyVersionTemplateAlgorithm, CryptoKeyVersionTemplateAlgorithmArgs

CryptoKeyVersionAlgorithmUnspecified: CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIEDNot specified.
GoogleSymmetricEncryption: GOOGLE_SYMMETRIC_ENCRYPTIONCreates symmetric encryption keys.
Aes128Gcm: AES_128_GCMAES-GCM (Galois Counter Mode) using 128-bit keys.
Aes256Gcm: AES_256_GCMAES-GCM (Galois Counter Mode) using 256-bit keys.
Aes128Cbc: AES_128_CBCAES-CBC (Cipher Block Chaining Mode) using 128-bit keys.
Aes256Cbc: AES_256_CBCAES-CBC (Cipher Block Chaining Mode) using 256-bit keys.
Aes128Ctr: AES_128_CTRAES-CTR (Counter Mode) using 128-bit keys.
Aes256Ctr: AES_256_CTRAES-CTR (Counter Mode) using 256-bit keys.
RsaSignPss2048Sha256: RSA_SIGN_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
RsaSignPss3072Sha256: RSA_SIGN_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
RsaSignPss4096Sha256: RSA_SIGN_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
RsaSignPss4096Sha512: RSA_SIGN_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
RsaSignPkcs12048Sha256: RSA_SIGN_PKCS1_2048_SHA256RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
RsaSignPkcs13072Sha256: RSA_SIGN_PKCS1_3072_SHA256RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
RsaSignPkcs14096Sha256: RSA_SIGN_PKCS1_4096_SHA256RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
RsaSignPkcs14096Sha512: RSA_SIGN_PKCS1_4096_SHA512RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
RsaSignRawPkcs12048: RSA_SIGN_RAW_PKCS1_2048RSASSA-PKCS1-v1_5 signing without encoding, with a 2048 bit key.
RsaSignRawPkcs13072: RSA_SIGN_RAW_PKCS1_3072RSASSA-PKCS1-v1_5 signing without encoding, with a 3072 bit key.
RsaSignRawPkcs14096: RSA_SIGN_RAW_PKCS1_4096RSASSA-PKCS1-v1_5 signing without encoding, with a 4096 bit key.
RsaDecryptOaep2048Sha256: RSA_DECRYPT_OAEP_2048_SHA256RSAES-OAEP 2048 bit key with a SHA256 digest.
RsaDecryptOaep3072Sha256: RSA_DECRYPT_OAEP_3072_SHA256RSAES-OAEP 3072 bit key with a SHA256 digest.
RsaDecryptOaep4096Sha256: RSA_DECRYPT_OAEP_4096_SHA256RSAES-OAEP 4096 bit key with a SHA256 digest.
RsaDecryptOaep4096Sha512: RSA_DECRYPT_OAEP_4096_SHA512RSAES-OAEP 4096 bit key with a SHA512 digest.
RsaDecryptOaep2048Sha1: RSA_DECRYPT_OAEP_2048_SHA1RSAES-OAEP 2048 bit key with a SHA1 digest.
RsaDecryptOaep3072Sha1: RSA_DECRYPT_OAEP_3072_SHA1RSAES-OAEP 3072 bit key with a SHA1 digest.
RsaDecryptOaep4096Sha1: RSA_DECRYPT_OAEP_4096_SHA1RSAES-OAEP 4096 bit key with a SHA1 digest.
EcSignP256Sha256: EC_SIGN_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
EcSignP384Sha384: EC_SIGN_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
EcSignSecp256k1Sha256: EC_SIGN_SECP256K1_SHA256ECDSA on the non-NIST secp256k1 curve. This curve is only supported for HSM protection level. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
HmacSha256: HMAC_SHA256HMAC-SHA256 signing with a 256 bit key.
HmacSha1: HMAC_SHA1HMAC-SHA1 signing with a 160 bit key.
HmacSha384: HMAC_SHA384HMAC-SHA384 signing with a 384 bit key.
HmacSha512: HMAC_SHA512HMAC-SHA512 signing with a 512 bit key.
HmacSha224: HMAC_SHA224HMAC-SHA224 signing with a 224 bit key.
ExternalSymmetricEncryption: EXTERNAL_SYMMETRIC_ENCRYPTIONAlgorithm representing symmetric encryption by an external key manager.

CryptoKeyVersionTemplateAlgorithmCryptoKeyVersionAlgorithmUnspecified: CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIEDNot specified.
CryptoKeyVersionTemplateAlgorithmGoogleSymmetricEncryption: GOOGLE_SYMMETRIC_ENCRYPTIONCreates symmetric encryption keys.
CryptoKeyVersionTemplateAlgorithmAes128Gcm: AES_128_GCMAES-GCM (Galois Counter Mode) using 128-bit keys.
CryptoKeyVersionTemplateAlgorithmAes256Gcm: AES_256_GCMAES-GCM (Galois Counter Mode) using 256-bit keys.
CryptoKeyVersionTemplateAlgorithmAes128Cbc: AES_128_CBCAES-CBC (Cipher Block Chaining Mode) using 128-bit keys.
CryptoKeyVersionTemplateAlgorithmAes256Cbc: AES_256_CBCAES-CBC (Cipher Block Chaining Mode) using 256-bit keys.
CryptoKeyVersionTemplateAlgorithmAes128Ctr: AES_128_CTRAES-CTR (Counter Mode) using 128-bit keys.
CryptoKeyVersionTemplateAlgorithmAes256Ctr: AES_256_CTRAES-CTR (Counter Mode) using 256-bit keys.
CryptoKeyVersionTemplateAlgorithmRsaSignPss2048Sha256: RSA_SIGN_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
CryptoKeyVersionTemplateAlgorithmRsaSignPss3072Sha256: RSA_SIGN_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
CryptoKeyVersionTemplateAlgorithmRsaSignPss4096Sha256: RSA_SIGN_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
CryptoKeyVersionTemplateAlgorithmRsaSignPss4096Sha512: RSA_SIGN_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
CryptoKeyVersionTemplateAlgorithmRsaSignPkcs12048Sha256: RSA_SIGN_PKCS1_2048_SHA256RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
CryptoKeyVersionTemplateAlgorithmRsaSignPkcs13072Sha256: RSA_SIGN_PKCS1_3072_SHA256RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
CryptoKeyVersionTemplateAlgorithmRsaSignPkcs14096Sha256: RSA_SIGN_PKCS1_4096_SHA256RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
CryptoKeyVersionTemplateAlgorithmRsaSignPkcs14096Sha512: RSA_SIGN_PKCS1_4096_SHA512RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
CryptoKeyVersionTemplateAlgorithmRsaSignRawPkcs12048: RSA_SIGN_RAW_PKCS1_2048RSASSA-PKCS1-v1_5 signing without encoding, with a 2048 bit key.
CryptoKeyVersionTemplateAlgorithmRsaSignRawPkcs13072: RSA_SIGN_RAW_PKCS1_3072RSASSA-PKCS1-v1_5 signing without encoding, with a 3072 bit key.
CryptoKeyVersionTemplateAlgorithmRsaSignRawPkcs14096: RSA_SIGN_RAW_PKCS1_4096RSASSA-PKCS1-v1_5 signing without encoding, with a 4096 bit key.
CryptoKeyVersionTemplateAlgorithmRsaDecryptOaep2048Sha256: RSA_DECRYPT_OAEP_2048_SHA256RSAES-OAEP 2048 bit key with a SHA256 digest.
CryptoKeyVersionTemplateAlgorithmRsaDecryptOaep3072Sha256: RSA_DECRYPT_OAEP_3072_SHA256RSAES-OAEP 3072 bit key with a SHA256 digest.
CryptoKeyVersionTemplateAlgorithmRsaDecryptOaep4096Sha256: RSA_DECRYPT_OAEP_4096_SHA256RSAES-OAEP 4096 bit key with a SHA256 digest.
CryptoKeyVersionTemplateAlgorithmRsaDecryptOaep4096Sha512: RSA_DECRYPT_OAEP_4096_SHA512RSAES-OAEP 4096 bit key with a SHA512 digest.
CryptoKeyVersionTemplateAlgorithmRsaDecryptOaep2048Sha1: RSA_DECRYPT_OAEP_2048_SHA1RSAES-OAEP 2048 bit key with a SHA1 digest.
CryptoKeyVersionTemplateAlgorithmRsaDecryptOaep3072Sha1: RSA_DECRYPT_OAEP_3072_SHA1RSAES-OAEP 3072 bit key with a SHA1 digest.
CryptoKeyVersionTemplateAlgorithmRsaDecryptOaep4096Sha1: RSA_DECRYPT_OAEP_4096_SHA1RSAES-OAEP 4096 bit key with a SHA1 digest.
CryptoKeyVersionTemplateAlgorithmEcSignP256Sha256: EC_SIGN_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
CryptoKeyVersionTemplateAlgorithmEcSignP384Sha384: EC_SIGN_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
CryptoKeyVersionTemplateAlgorithmEcSignSecp256k1Sha256: EC_SIGN_SECP256K1_SHA256ECDSA on the non-NIST secp256k1 curve. This curve is only supported for HSM protection level. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
CryptoKeyVersionTemplateAlgorithmHmacSha256: HMAC_SHA256HMAC-SHA256 signing with a 256 bit key.
CryptoKeyVersionTemplateAlgorithmHmacSha1: HMAC_SHA1HMAC-SHA1 signing with a 160 bit key.
CryptoKeyVersionTemplateAlgorithmHmacSha384: HMAC_SHA384HMAC-SHA384 signing with a 384 bit key.
CryptoKeyVersionTemplateAlgorithmHmacSha512: HMAC_SHA512HMAC-SHA512 signing with a 512 bit key.
CryptoKeyVersionTemplateAlgorithmHmacSha224: HMAC_SHA224HMAC-SHA224 signing with a 224 bit key.
CryptoKeyVersionTemplateAlgorithmExternalSymmetricEncryption: EXTERNAL_SYMMETRIC_ENCRYPTIONAlgorithm representing symmetric encryption by an external key manager.

CryptoKeyVersionAlgorithmUnspecified: CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIEDNot specified.
GoogleSymmetricEncryption: GOOGLE_SYMMETRIC_ENCRYPTIONCreates symmetric encryption keys.
Aes128Gcm: AES_128_GCMAES-GCM (Galois Counter Mode) using 128-bit keys.
Aes256Gcm: AES_256_GCMAES-GCM (Galois Counter Mode) using 256-bit keys.
Aes128Cbc: AES_128_CBCAES-CBC (Cipher Block Chaining Mode) using 128-bit keys.
Aes256Cbc: AES_256_CBCAES-CBC (Cipher Block Chaining Mode) using 256-bit keys.
Aes128Ctr: AES_128_CTRAES-CTR (Counter Mode) using 128-bit keys.
Aes256Ctr: AES_256_CTRAES-CTR (Counter Mode) using 256-bit keys.
RsaSignPss2048Sha256: RSA_SIGN_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
RsaSignPss3072Sha256: RSA_SIGN_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
RsaSignPss4096Sha256: RSA_SIGN_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
RsaSignPss4096Sha512: RSA_SIGN_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
RsaSignPkcs12048Sha256: RSA_SIGN_PKCS1_2048_SHA256RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
RsaSignPkcs13072Sha256: RSA_SIGN_PKCS1_3072_SHA256RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
RsaSignPkcs14096Sha256: RSA_SIGN_PKCS1_4096_SHA256RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
RsaSignPkcs14096Sha512: RSA_SIGN_PKCS1_4096_SHA512RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
RsaSignRawPkcs12048: RSA_SIGN_RAW_PKCS1_2048RSASSA-PKCS1-v1_5 signing without encoding, with a 2048 bit key.
RsaSignRawPkcs13072: RSA_SIGN_RAW_PKCS1_3072RSASSA-PKCS1-v1_5 signing without encoding, with a 3072 bit key.
RsaSignRawPkcs14096: RSA_SIGN_RAW_PKCS1_4096RSASSA-PKCS1-v1_5 signing without encoding, with a 4096 bit key.
RsaDecryptOaep2048Sha256: RSA_DECRYPT_OAEP_2048_SHA256RSAES-OAEP 2048 bit key with a SHA256 digest.
RsaDecryptOaep3072Sha256: RSA_DECRYPT_OAEP_3072_SHA256RSAES-OAEP 3072 bit key with a SHA256 digest.
RsaDecryptOaep4096Sha256: RSA_DECRYPT_OAEP_4096_SHA256RSAES-OAEP 4096 bit key with a SHA256 digest.
RsaDecryptOaep4096Sha512: RSA_DECRYPT_OAEP_4096_SHA512RSAES-OAEP 4096 bit key with a SHA512 digest.
RsaDecryptOaep2048Sha1: RSA_DECRYPT_OAEP_2048_SHA1RSAES-OAEP 2048 bit key with a SHA1 digest.
RsaDecryptOaep3072Sha1: RSA_DECRYPT_OAEP_3072_SHA1RSAES-OAEP 3072 bit key with a SHA1 digest.
RsaDecryptOaep4096Sha1: RSA_DECRYPT_OAEP_4096_SHA1RSAES-OAEP 4096 bit key with a SHA1 digest.
EcSignP256Sha256: EC_SIGN_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
EcSignP384Sha384: EC_SIGN_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
EcSignSecp256k1Sha256: EC_SIGN_SECP256K1_SHA256ECDSA on the non-NIST secp256k1 curve. This curve is only supported for HSM protection level. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
HmacSha256: HMAC_SHA256HMAC-SHA256 signing with a 256 bit key.
HmacSha1: HMAC_SHA1HMAC-SHA1 signing with a 160 bit key.
HmacSha384: HMAC_SHA384HMAC-SHA384 signing with a 384 bit key.
HmacSha512: HMAC_SHA512HMAC-SHA512 signing with a 512 bit key.
HmacSha224: HMAC_SHA224HMAC-SHA224 signing with a 224 bit key.
ExternalSymmetricEncryption: EXTERNAL_SYMMETRIC_ENCRYPTIONAlgorithm representing symmetric encryption by an external key manager.

CryptoKeyVersionAlgorithmUnspecified: CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIEDNot specified.
GoogleSymmetricEncryption: GOOGLE_SYMMETRIC_ENCRYPTIONCreates symmetric encryption keys.
Aes128Gcm: AES_128_GCMAES-GCM (Galois Counter Mode) using 128-bit keys.
Aes256Gcm: AES_256_GCMAES-GCM (Galois Counter Mode) using 256-bit keys.
Aes128Cbc: AES_128_CBCAES-CBC (Cipher Block Chaining Mode) using 128-bit keys.
Aes256Cbc: AES_256_CBCAES-CBC (Cipher Block Chaining Mode) using 256-bit keys.
Aes128Ctr: AES_128_CTRAES-CTR (Counter Mode) using 128-bit keys.
Aes256Ctr: AES_256_CTRAES-CTR (Counter Mode) using 256-bit keys.
RsaSignPss2048Sha256: RSA_SIGN_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
RsaSignPss3072Sha256: RSA_SIGN_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
RsaSignPss4096Sha256: RSA_SIGN_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
RsaSignPss4096Sha512: RSA_SIGN_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
RsaSignPkcs12048Sha256: RSA_SIGN_PKCS1_2048_SHA256RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
RsaSignPkcs13072Sha256: RSA_SIGN_PKCS1_3072_SHA256RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
RsaSignPkcs14096Sha256: RSA_SIGN_PKCS1_4096_SHA256RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
RsaSignPkcs14096Sha512: RSA_SIGN_PKCS1_4096_SHA512RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
RsaSignRawPkcs12048: RSA_SIGN_RAW_PKCS1_2048RSASSA-PKCS1-v1_5 signing without encoding, with a 2048 bit key.
RsaSignRawPkcs13072: RSA_SIGN_RAW_PKCS1_3072RSASSA-PKCS1-v1_5 signing without encoding, with a 3072 bit key.
RsaSignRawPkcs14096: RSA_SIGN_RAW_PKCS1_4096RSASSA-PKCS1-v1_5 signing without encoding, with a 4096 bit key.
RsaDecryptOaep2048Sha256: RSA_DECRYPT_OAEP_2048_SHA256RSAES-OAEP 2048 bit key with a SHA256 digest.
RsaDecryptOaep3072Sha256: RSA_DECRYPT_OAEP_3072_SHA256RSAES-OAEP 3072 bit key with a SHA256 digest.
RsaDecryptOaep4096Sha256: RSA_DECRYPT_OAEP_4096_SHA256RSAES-OAEP 4096 bit key with a SHA256 digest.
RsaDecryptOaep4096Sha512: RSA_DECRYPT_OAEP_4096_SHA512RSAES-OAEP 4096 bit key with a SHA512 digest.
RsaDecryptOaep2048Sha1: RSA_DECRYPT_OAEP_2048_SHA1RSAES-OAEP 2048 bit key with a SHA1 digest.
RsaDecryptOaep3072Sha1: RSA_DECRYPT_OAEP_3072_SHA1RSAES-OAEP 3072 bit key with a SHA1 digest.
RsaDecryptOaep4096Sha1: RSA_DECRYPT_OAEP_4096_SHA1RSAES-OAEP 4096 bit key with a SHA1 digest.
EcSignP256Sha256: EC_SIGN_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
EcSignP384Sha384: EC_SIGN_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
EcSignSecp256k1Sha256: EC_SIGN_SECP256K1_SHA256ECDSA on the non-NIST secp256k1 curve. This curve is only supported for HSM protection level. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
HmacSha256: HMAC_SHA256HMAC-SHA256 signing with a 256 bit key.
HmacSha1: HMAC_SHA1HMAC-SHA1 signing with a 160 bit key.
HmacSha384: HMAC_SHA384HMAC-SHA384 signing with a 384 bit key.
HmacSha512: HMAC_SHA512HMAC-SHA512 signing with a 512 bit key.
HmacSha224: HMAC_SHA224HMAC-SHA224 signing with a 224 bit key.
ExternalSymmetricEncryption: EXTERNAL_SYMMETRIC_ENCRYPTIONAlgorithm representing symmetric encryption by an external key manager.

CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED: CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIEDNot specified.
GOOGLE_SYMMETRIC_ENCRYPTION: GOOGLE_SYMMETRIC_ENCRYPTIONCreates symmetric encryption keys.
AES128_GCM: AES_128_GCMAES-GCM (Galois Counter Mode) using 128-bit keys.
AES256_GCM: AES_256_GCMAES-GCM (Galois Counter Mode) using 256-bit keys.
AES128_CBC: AES_128_CBCAES-CBC (Cipher Block Chaining Mode) using 128-bit keys.
AES256_CBC: AES_256_CBCAES-CBC (Cipher Block Chaining Mode) using 256-bit keys.
AES128_CTR: AES_128_CTRAES-CTR (Counter Mode) using 128-bit keys.
AES256_CTR: AES_256_CTRAES-CTR (Counter Mode) using 256-bit keys.
RSA_SIGN_PSS2048_SHA256: RSA_SIGN_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
RSA_SIGN_PSS3072_SHA256: RSA_SIGN_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
RSA_SIGN_PSS4096_SHA256: RSA_SIGN_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
RSA_SIGN_PSS4096_SHA512: RSA_SIGN_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
RSA_SIGN_PKCS12048_SHA256: RSA_SIGN_PKCS1_2048_SHA256RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
RSA_SIGN_PKCS13072_SHA256: RSA_SIGN_PKCS1_3072_SHA256RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
RSA_SIGN_PKCS14096_SHA256: RSA_SIGN_PKCS1_4096_SHA256RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
RSA_SIGN_PKCS14096_SHA512: RSA_SIGN_PKCS1_4096_SHA512RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
RSA_SIGN_RAW_PKCS12048: RSA_SIGN_RAW_PKCS1_2048RSASSA-PKCS1-v1_5 signing without encoding, with a 2048 bit key.
RSA_SIGN_RAW_PKCS13072: RSA_SIGN_RAW_PKCS1_3072RSASSA-PKCS1-v1_5 signing without encoding, with a 3072 bit key.
RSA_SIGN_RAW_PKCS14096: RSA_SIGN_RAW_PKCS1_4096RSASSA-PKCS1-v1_5 signing without encoding, with a 4096 bit key.
RSA_DECRYPT_OAEP2048_SHA256: RSA_DECRYPT_OAEP_2048_SHA256RSAES-OAEP 2048 bit key with a SHA256 digest.
RSA_DECRYPT_OAEP3072_SHA256: RSA_DECRYPT_OAEP_3072_SHA256RSAES-OAEP 3072 bit key with a SHA256 digest.
RSA_DECRYPT_OAEP4096_SHA256: RSA_DECRYPT_OAEP_4096_SHA256RSAES-OAEP 4096 bit key with a SHA256 digest.
RSA_DECRYPT_OAEP4096_SHA512: RSA_DECRYPT_OAEP_4096_SHA512RSAES-OAEP 4096 bit key with a SHA512 digest.
RSA_DECRYPT_OAEP2048_SHA1: RSA_DECRYPT_OAEP_2048_SHA1RSAES-OAEP 2048 bit key with a SHA1 digest.
RSA_DECRYPT_OAEP3072_SHA1: RSA_DECRYPT_OAEP_3072_SHA1RSAES-OAEP 3072 bit key with a SHA1 digest.
RSA_DECRYPT_OAEP4096_SHA1: RSA_DECRYPT_OAEP_4096_SHA1RSAES-OAEP 4096 bit key with a SHA1 digest.
EC_SIGN_P256_SHA256: EC_SIGN_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
EC_SIGN_P384_SHA384: EC_SIGN_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
EC_SIGN_SECP256K1_SHA256: EC_SIGN_SECP256K1_SHA256ECDSA on the non-NIST secp256k1 curve. This curve is only supported for HSM protection level. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
HMAC_SHA256: HMAC_SHA256HMAC-SHA256 signing with a 256 bit key.
HMAC_SHA1: HMAC_SHA1HMAC-SHA1 signing with a 160 bit key.
HMAC_SHA384: HMAC_SHA384HMAC-SHA384 signing with a 384 bit key.
HMAC_SHA512: HMAC_SHA512HMAC-SHA512 signing with a 512 bit key.
HMAC_SHA224: HMAC_SHA224HMAC-SHA224 signing with a 224 bit key.
EXTERNAL_SYMMETRIC_ENCRYPTION: EXTERNAL_SYMMETRIC_ENCRYPTIONAlgorithm representing symmetric encryption by an external key manager.

"CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED": CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIEDNot specified.
"GOOGLE_SYMMETRIC_ENCRYPTION": GOOGLE_SYMMETRIC_ENCRYPTIONCreates symmetric encryption keys.
"AES_128_GCM": AES_128_GCMAES-GCM (Galois Counter Mode) using 128-bit keys.
"AES_256_GCM": AES_256_GCMAES-GCM (Galois Counter Mode) using 256-bit keys.
"AES_128_CBC": AES_128_CBCAES-CBC (Cipher Block Chaining Mode) using 128-bit keys.
"AES_256_CBC": AES_256_CBCAES-CBC (Cipher Block Chaining Mode) using 256-bit keys.
"AES_128_CTR": AES_128_CTRAES-CTR (Counter Mode) using 128-bit keys.
"AES_256_CTR": AES_256_CTRAES-CTR (Counter Mode) using 256-bit keys.
"RSA_SIGN_PSS_2048_SHA256": RSA_SIGN_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
"RSA_SIGN_PSS_3072_SHA256": RSA_SIGN_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
"RSA_SIGN_PSS_4096_SHA256": RSA_SIGN_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
"RSA_SIGN_PSS_4096_SHA512": RSA_SIGN_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
"RSA_SIGN_PKCS1_2048_SHA256": RSA_SIGN_PKCS1_2048_SHA256RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
"RSA_SIGN_PKCS1_3072_SHA256": RSA_SIGN_PKCS1_3072_SHA256RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
"RSA_SIGN_PKCS1_4096_SHA256": RSA_SIGN_PKCS1_4096_SHA256RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
"RSA_SIGN_PKCS1_4096_SHA512": RSA_SIGN_PKCS1_4096_SHA512RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
"RSA_SIGN_RAW_PKCS1_2048": RSA_SIGN_RAW_PKCS1_2048RSASSA-PKCS1-v1_5 signing without encoding, with a 2048 bit key.
"RSA_SIGN_RAW_PKCS1_3072": RSA_SIGN_RAW_PKCS1_3072RSASSA-PKCS1-v1_5 signing without encoding, with a 3072 bit key.
"RSA_SIGN_RAW_PKCS1_4096": RSA_SIGN_RAW_PKCS1_4096RSASSA-PKCS1-v1_5 signing without encoding, with a 4096 bit key.
"RSA_DECRYPT_OAEP_2048_SHA256": RSA_DECRYPT_OAEP_2048_SHA256RSAES-OAEP 2048 bit key with a SHA256 digest.
"RSA_DECRYPT_OAEP_3072_SHA256": RSA_DECRYPT_OAEP_3072_SHA256RSAES-OAEP 3072 bit key with a SHA256 digest.
"RSA_DECRYPT_OAEP_4096_SHA256": RSA_DECRYPT_OAEP_4096_SHA256RSAES-OAEP 4096 bit key with a SHA256 digest.
"RSA_DECRYPT_OAEP_4096_SHA512": RSA_DECRYPT_OAEP_4096_SHA512RSAES-OAEP 4096 bit key with a SHA512 digest.
"RSA_DECRYPT_OAEP_2048_SHA1": RSA_DECRYPT_OAEP_2048_SHA1RSAES-OAEP 2048 bit key with a SHA1 digest.
"RSA_DECRYPT_OAEP_3072_SHA1": RSA_DECRYPT_OAEP_3072_SHA1RSAES-OAEP 3072 bit key with a SHA1 digest.
"RSA_DECRYPT_OAEP_4096_SHA1": RSA_DECRYPT_OAEP_4096_SHA1RSAES-OAEP 4096 bit key with a SHA1 digest.
"EC_SIGN_P256_SHA256": EC_SIGN_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
"EC_SIGN_P384_SHA384": EC_SIGN_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
"EC_SIGN_SECP256K1_SHA256": EC_SIGN_SECP256K1_SHA256ECDSA on the non-NIST secp256k1 curve. This curve is only supported for HSM protection level. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
"HMAC_SHA256": HMAC_SHA256HMAC-SHA256 signing with a 256 bit key.
"HMAC_SHA1": HMAC_SHA1HMAC-SHA1 signing with a 160 bit key.
"HMAC_SHA384": HMAC_SHA384HMAC-SHA384 signing with a 384 bit key.
"HMAC_SHA512": HMAC_SHA512HMAC-SHA512 signing with a 512 bit key.
"HMAC_SHA224": HMAC_SHA224HMAC-SHA224 signing with a 224 bit key.
"EXTERNAL_SYMMETRIC_ENCRYPTION": EXTERNAL_SYMMETRIC_ENCRYPTIONAlgorithm representing symmetric encryption by an external key manager.

CryptoKeyVersionTemplateProtectionLevel, CryptoKeyVersionTemplateProtectionLevelArgs

ProtectionLevelUnspecified: PROTECTION_LEVEL_UNSPECIFIEDNot specified.
Software: SOFTWARECrypto operations are performed in software.
Hsm: HSMCrypto operations are performed in a Hardware Security Module.
External: EXTERNALCrypto operations are performed by an external key manager.
ExternalVpc: EXTERNAL_VPCCrypto operations are performed in an EKM-over-VPC backend.

CryptoKeyVersionTemplateProtectionLevelProtectionLevelUnspecified: PROTECTION_LEVEL_UNSPECIFIEDNot specified.
CryptoKeyVersionTemplateProtectionLevelSoftware: SOFTWARECrypto operations are performed in software.
CryptoKeyVersionTemplateProtectionLevelHsm: HSMCrypto operations are performed in a Hardware Security Module.
CryptoKeyVersionTemplateProtectionLevelExternal: EXTERNALCrypto operations are performed by an external key manager.
CryptoKeyVersionTemplateProtectionLevelExternalVpc: EXTERNAL_VPCCrypto operations are performed in an EKM-over-VPC backend.

ProtectionLevelUnspecified: PROTECTION_LEVEL_UNSPECIFIEDNot specified.
Software: SOFTWARECrypto operations are performed in software.
Hsm: HSMCrypto operations are performed in a Hardware Security Module.
External: EXTERNALCrypto operations are performed by an external key manager.
ExternalVpc: EXTERNAL_VPCCrypto operations are performed in an EKM-over-VPC backend.

ProtectionLevelUnspecified: PROTECTION_LEVEL_UNSPECIFIEDNot specified.
Software: SOFTWARECrypto operations are performed in software.
Hsm: HSMCrypto operations are performed in a Hardware Security Module.
External: EXTERNALCrypto operations are performed by an external key manager.
ExternalVpc: EXTERNAL_VPCCrypto operations are performed in an EKM-over-VPC backend.

PROTECTION_LEVEL_UNSPECIFIED: PROTECTION_LEVEL_UNSPECIFIEDNot specified.
SOFTWARE: SOFTWARECrypto operations are performed in software.
HSM: HSMCrypto operations are performed in a Hardware Security Module.
EXTERNAL: EXTERNALCrypto operations are performed by an external key manager.
EXTERNAL_VPC: EXTERNAL_VPCCrypto operations are performed in an EKM-over-VPC backend.

"PROTECTION_LEVEL_UNSPECIFIED": PROTECTION_LEVEL_UNSPECIFIEDNot specified.
"SOFTWARE": SOFTWARECrypto operations are performed in software.
"HSM": HSMCrypto operations are performed in a Hardware Security Module.
"EXTERNAL": EXTERNALCrypto operations are performed by an external key manager.
"EXTERNAL_VPC": EXTERNAL_VPCCrypto operations are performed in an EKM-over-VPC backend.

CryptoKeyVersionTemplateResponse, CryptoKeyVersionTemplateResponseArgs

Algorithm string: Algorithm to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
ProtectionLevel string: ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.

Algorithm string: Algorithm to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
ProtectionLevel string: ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.

algorithm String: Algorithm to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
protectionLevel String: ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.

algorithm string: Algorithm to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
protectionLevel string: ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.

algorithm str: Algorithm to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
protection_level str: ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.

algorithm String: Algorithm to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
protectionLevel String: ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.

ExternalProtectionLevelOptionsResponse, ExternalProtectionLevelOptionsResponseArgs

EkmConnectionKeyPath string: The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of external_key_uri when using an EkmConnection.
ExternalKeyUri string: The URI for an external resource that this CryptoKeyVersion represents.

EkmConnectionKeyPath string: The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of external_key_uri when using an EkmConnection.
ExternalKeyUri string: The URI for an external resource that this CryptoKeyVersion represents.

ekmConnectionKeyPath String: The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of external_key_uri when using an EkmConnection.
externalKeyUri String: The URI for an external resource that this CryptoKeyVersion represents.

ekmConnectionKeyPath string: The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of external_key_uri when using an EkmConnection.
externalKeyUri string: The URI for an external resource that this CryptoKeyVersion represents.

ekm_connection_key_path str: The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of external_key_uri when using an EkmConnection.
external_key_uri str: The URI for an external resource that this CryptoKeyVersion represents.

ekmConnectionKeyPath String: The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of external_key_uri when using an EkmConnection.
externalKeyUri String: The URI for an external resource that this CryptoKeyVersion represents.

KeyOperationAttestationResponse, KeyOperationAttestationResponseArgs

CertChains Pulumi.GoogleNative.Cloudkms.V1.Inputs.CertificateChainsResponse: The certificate chains needed to validate the attestation
Content string: The attestation data provided by the HSM when the key operation was performed.
Format string: The format of the attestation data.

CertChains CertificateChainsResponse: The certificate chains needed to validate the attestation
Content string: The attestation data provided by the HSM when the key operation was performed.
Format string: The format of the attestation data.

certChains CertificateChainsResponse: The certificate chains needed to validate the attestation
content String: The attestation data provided by the HSM when the key operation was performed.
format String: The format of the attestation data.

certChains CertificateChainsResponse: The certificate chains needed to validate the attestation
content string: The attestation data provided by the HSM when the key operation was performed.
format string: The format of the attestation data.

cert_chains CertificateChainsResponse: The certificate chains needed to validate the attestation
content str: The attestation data provided by the HSM when the key operation was performed.
format str: The format of the attestation data.

certChains Property Map: The certificate chains needed to validate the attestation
content String: The attestation data provided by the HSM when the key operation was performed.
format String: The format of the attestation data.

Package Details

Repository: Google Cloud Native pulumi/pulumi-google-native
License: Apache-2.0

Google Cloud Native is in preview. Google Cloud Classic is fully supported.

Google Cloud Native v0.32.0 published on Wednesday, Nov 29, 2023 by Pulumi

pulumi/pulumi-google-native

google-native.cloudkms/v1.CryptoKey

On this page

On this page

Create CryptoKey Resource

Constructor syntax

Parameters

Constructor example

CryptoKey Resource Properties

Inputs

Outputs

Supporting Types

CertificateChainsResponse, CertificateChainsResponseArgs

CryptoKeyPurpose, CryptoKeyPurposeArgs

CryptoKeyVersionResponse, CryptoKeyVersionResponseArgs

CryptoKeyVersionTemplate, CryptoKeyVersionTemplateArgs

CryptoKeyVersionTemplateAlgorithm, CryptoKeyVersionTemplateAlgorithmArgs

CryptoKeyVersionTemplateProtectionLevel, CryptoKeyVersionTemplateProtectionLevelArgs

CryptoKeyVersionTemplateResponse, CryptoKeyVersionTemplateResponseArgs

ExternalProtectionLevelOptionsResponse, ExternalProtectionLevelOptionsResponseArgs

KeyOperationAttestationResponse, KeyOperationAttestationResponseArgs

Package Details

On this page

On this page