SymmetricKeyService

Calls SymmetricKeyService
Create
Get
List
ListVersions
Update
Delete
SetPrimaryVersion
ScheduleVersionDestruction
CancelVersionDestruction
Rotate
ListOperations
ListAccessBindings
SetAccessBindings
UpdateAccessBindings

Set of methods for managing symmetric KMS keys.

Call	Description
Create	--- control plane Creates a symmetric KMS key in the specified folder.
Get	Returns the specified symmetric KMS key.
List	Returns the list of symmetric KMS keys in the specified folder.
ListVersions	Returns the list of versions of the specified symmetric KMS key.
Update	Updates the specified symmetric KMS key.
Delete	Deletes the specified symmetric KMS key.
SetPrimaryVersion	Sets the primary version for the specified key.
ScheduleVersionDestruction	Schedules the specified key version for destruction.
CancelVersionDestruction	Cancels previously scheduled version destruction, if the version hasn't been destroyed yet.
Rotate	Rotates the specified key: creates a new key version and makes it the primary version.
ListOperations	Lists operations for the specified symmetric KMS key.
ListAccessBindings	Lists existing access bindings for the specified key.
SetAccessBindings	Sets access bindings for the key.
UpdateAccessBindings	Updates access bindings for the specified key.

Calls SymmetricKeyService

Create

--- control plane Creates a symmetric KMS key in the specified folder.

rpc Create (CreateSymmetricKeyRequest) returns (operation.Operation)

Metadata and response of Operation:

Operation.metadata:CreateSymmetricKeyMetadata

Operation.response:SymmetricKey

CreateSymmetricKeyRequest

Field	Description
folder_id	string Required. ID of the folder to create a symmetric KMS key in. The maximum string length in characters is 50.
name	string Name of the key. The maximum string length in characters is 100.
description	string Description of the key. The maximum string length in characters is 1024.
labels	map<string,string> Custom labels for the symmetric KMS key as `key:value` pairs. Maximum 64 per key. For example, `"project": "mvp"` or `"source": "dictionary"`. No more than 64 per resource. The maximum string length in characters for each value is 63. Each value must match the regular expression `[-_0-9a-z]`. The maximum string length in characters for each key is 63. Each key must match the regular expression `[a-z][-_0-9a-z]`.
default_algorithm	enum SymmetricAlgorithm Encryption algorithm to be used with a new key version, generated with the next rotation. `AES_128`: AES algorithm with 128-bit keys. `AES_192`: AES algorithm with 192-bit keys. `AES_256`: AES algorithm with 256-bit keys.
rotation_period	google.protobuf.Duration Interval between automatic rotations. To disable automatic rotation, don't include this field in the creation request.
deletion_protection	bool Flag that inhibits deletion of the symmetric KMS key

Operation

Field	Description
id	string ID of the operation.
description	string Description of the operation. 0-256 characters long.
created_at	google.protobuf.Timestamp Creation timestamp.
created_by	string ID of the user or service account who initiated the operation.
modified_at	google.protobuf.Timestamp The time when the Operation resource was last modified.
done	bool If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available.
metadata	google.protobuf.Any<CreateSymmetricKeyMetadata> Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result	oneof: `error` or `response` The operation result. If `done == false` and there was no failure detected, neither `error` nor `response` is set. If `done == false` and there was a failure detected, `error` is set. If `done == true`, exactly one of `error` or `response` is set.
error	google.rpc.Status The error result of the operation in case of failure or cancellation.
response	google.protobuf.Any<SymmetricKey> if operation finished successfully.

CreateSymmetricKeyMetadata

Field	Description
key_id	string ID of the key being created.
primary_version_id	string ID of the primary version of the key being created.

SymmetricKey

Field	Description
id	string ID of the key.
folder_id	string ID of the folder that the key belongs to.
created_at	google.protobuf.Timestamp Time when the key was created.
name	string Name of the key.
description	string Description of the key.
labels	map<string,string> Custom labels for the key as `key:value` pairs. Maximum 64 per key.
status	enum Status Current status of the key. `CREATING`: The key is being created. `ACTIVE`: The key is active and can be used for encryption and decryption. Can be set to INACTIVE using the SymmetricKeyService.Update method. `INACTIVE`: The key is inactive and unusable. Can be set to ACTIVE using the SymmetricKeyService.Update method.
primary_version	SymmetricKeyVersion Primary version of the key, used as the default for all encrypt/decrypt operations, when no version ID is specified.
default_algorithm	enum SymmetricAlgorithm Default encryption algorithm to be used with new versions of the key. `AES_128`: AES algorithm with 128-bit keys. `AES_192`: AES algorithm with 192-bit keys. `AES_256`: AES algorithm with 256-bit keys.
rotated_at	google.protobuf.Timestamp Time of the last key rotation (time when the last version was created). Empty if the key does not have versions yet.
rotation_period	google.protobuf.Duration Time period between automatic key rotations.
deletion_protection	bool Flag that inhibits deletion of the key

SymmetricKeyVersion

Field	Description
id	string ID of the key version.
key_id	string ID of the symmetric KMS key that the version belongs to.
status	enum Status Status of the key version. `ACTIVE`: The version is active and can be used for encryption and decryption. `SCHEDULED_FOR_DESTRUCTION`: The version is scheduled for destruction, the time when it will be destroyed is specified in the SymmetricKeyVersion.destroy_at field. `DESTROYED`: The version is destroyed and cannot be recovered.
algorithm	enum SymmetricAlgorithm Encryption algorithm that should be used when using the key version to encrypt plaintext. `AES_128`: AES algorithm with 128-bit keys. `AES_192`: AES algorithm with 192-bit keys. `AES_256`: AES algorithm with 256-bit keys.
created_at	google.protobuf.Timestamp Time when the key version was created.
primary	bool Indication of a primary version, that is to be used by default for all cryptographic operations that don't have a key version explicitly specified.
destroy_at	google.protobuf.Timestamp Time when the key version is going to be destroyed. Empty unless the status is `SCHEDULED_FOR_DESTRUCTION`.

Get

Returns the specified symmetric KMS key.
To get the list of available symmetric KMS keys, make a SymmetricKeyService.List request.

rpc Get (GetSymmetricKeyRequest) returns (SymmetricKey)

GetSymmetricKeyRequest

Field	Description
key_id	string Required. ID of the symmetric KMS key to return. To get the ID of a symmetric KMS key use a SymmetricKeyService.List request. The maximum string length in characters is 50.

SymmetricKey

Field	Description
id	string ID of the key.
folder_id	string ID of the folder that the key belongs to.
created_at	google.protobuf.Timestamp Time when the key was created.
name	string Name of the key.
description	string Description of the key.
labels	map<string,string> Custom labels for the key as `key:value` pairs. Maximum 64 per key.
status	enum Status Current status of the key. `CREATING`: The key is being created. `ACTIVE`: The key is active and can be used for encryption and decryption. Can be set to INACTIVE using the SymmetricKeyService.Update method. `INACTIVE`: The key is inactive and unusable. Can be set to ACTIVE using the SymmetricKeyService.Update method.
primary_version	SymmetricKeyVersion Primary version of the key, used as the default for all encrypt/decrypt operations, when no version ID is specified.
default_algorithm	enum SymmetricAlgorithm Default encryption algorithm to be used with new versions of the key. `AES_128`: AES algorithm with 128-bit keys. `AES_192`: AES algorithm with 192-bit keys. `AES_256`: AES algorithm with 256-bit keys.
rotated_at	google.protobuf.Timestamp Time of the last key rotation (time when the last version was created). Empty if the key does not have versions yet.
rotation_period	google.protobuf.Duration Time period between automatic key rotations.
deletion_protection	bool Flag that inhibits deletion of the key

SymmetricKeyVersion

Field	Description
id	string ID of the key version.
key_id	string ID of the symmetric KMS key that the version belongs to.
status	enum Status Status of the key version. `ACTIVE`: The version is active and can be used for encryption and decryption. `SCHEDULED_FOR_DESTRUCTION`: The version is scheduled for destruction, the time when it will be destroyed is specified in the SymmetricKeyVersion.destroy_at field. `DESTROYED`: The version is destroyed and cannot be recovered.
algorithm	enum SymmetricAlgorithm Encryption algorithm that should be used when using the key version to encrypt plaintext. `AES_128`: AES algorithm with 128-bit keys. `AES_192`: AES algorithm with 192-bit keys. `AES_256`: AES algorithm with 256-bit keys.
created_at	google.protobuf.Timestamp Time when the key version was created.
primary	bool Indication of a primary version, that is to be used by default for all cryptographic operations that don't have a key version explicitly specified.
destroy_at	google.protobuf.Timestamp Time when the key version is going to be destroyed. Empty unless the status is `SCHEDULED_FOR_DESTRUCTION`.

List

Returns the list of symmetric KMS keys in the specified folder.

rpc List (ListSymmetricKeysRequest) returns (ListSymmetricKeysResponse)

ListSymmetricKeysRequest

Field	Description
folder_id	string Required. ID of the folder to list symmetric KMS keys in. The maximum string length in characters is 50.
page_size	int64 The maximum number of results per page to return. If the number of available results is larger than `page_size`, the service returns a ListSymmetricKeysResponse.next_page_token that can be used to get the next page of results in subsequent list requests. Default value: 100. The maximum value is 1000.
page_token	string Page token. To get the next page of results, set `page_token` to the ListSymmetricKeysResponse.next_page_token returned by a previous list request. The maximum string length in characters is 100.

ListSymmetricKeysResponse

Field Description

keys[] SymmetricKey
List of symmetric KMS keys in the specified folder.

next_page_token string
This token allows you to get the next page of results for list requests. If the number of results is greater than the specified ListSymmetricKeysRequest.page_size, use the next_page_token as the value for the ListSymmetricKeysRequest.page_token query parameter in the next list request. Each subsequent list request will have its own next_page_token to continue paging through the results.

Field	Description
keys[]	SymmetricKey List of symmetric KMS keys in the specified folder.
next_page_token	string This token allows you to get the next page of results for list requests. If the number of results is greater than the specified ListSymmetricKeysRequest.page_size, use the `next_page_token` as the value for the ListSymmetricKeysRequest.page_token query parameter in the next list request. Each subsequent list request will have its own `next_page_token` to continue paging through the results.

SymmetricKey

Field	Description
id	string ID of the key.
folder_id	string ID of the folder that the key belongs to.
created_at	google.protobuf.Timestamp Time when the key was created.
name	string Name of the key.
description	string Description of the key.
labels	map<string,string> Custom labels for the key as `key:value` pairs. Maximum 64 per key.
status	enum Status Current status of the key. `CREATING`: The key is being created. `ACTIVE`: The key is active and can be used for encryption and decryption. Can be set to INACTIVE using the SymmetricKeyService.Update method. `INACTIVE`: The key is inactive and unusable. Can be set to ACTIVE using the SymmetricKeyService.Update method.
primary_version	SymmetricKeyVersion Primary version of the key, used as the default for all encrypt/decrypt operations, when no version ID is specified.
default_algorithm	enum SymmetricAlgorithm Default encryption algorithm to be used with new versions of the key. `AES_128`: AES algorithm with 128-bit keys. `AES_192`: AES algorithm with 192-bit keys. `AES_256`: AES algorithm with 256-bit keys.
rotated_at	google.protobuf.Timestamp Time of the last key rotation (time when the last version was created). Empty if the key does not have versions yet.
rotation_period	google.protobuf.Duration Time period between automatic key rotations.
deletion_protection	bool Flag that inhibits deletion of the key

SymmetricKeyVersion

Field	Description
id	string ID of the key version.
key_id	string ID of the symmetric KMS key that the version belongs to.
status	enum Status Status of the key version. `ACTIVE`: The version is active and can be used for encryption and decryption. `SCHEDULED_FOR_DESTRUCTION`: The version is scheduled for destruction, the time when it will be destroyed is specified in the SymmetricKeyVersion.destroy_at field. `DESTROYED`: The version is destroyed and cannot be recovered.
algorithm	enum SymmetricAlgorithm Encryption algorithm that should be used when using the key version to encrypt plaintext. `AES_128`: AES algorithm with 128-bit keys. `AES_192`: AES algorithm with 192-bit keys. `AES_256`: AES algorithm with 256-bit keys.
created_at	google.protobuf.Timestamp Time when the key version was created.
primary	bool Indication of a primary version, that is to be used by default for all cryptographic operations that don't have a key version explicitly specified.
destroy_at	google.protobuf.Timestamp Time when the key version is going to be destroyed. Empty unless the status is `SCHEDULED_FOR_DESTRUCTION`.

ListVersions

Returns the list of versions of the specified symmetric KMS key.

rpc ListVersions (ListSymmetricKeyVersionsRequest) returns (ListSymmetricKeyVersionsResponse)

ListSymmetricKeyVersionsRequest

Field	Description
key_id	string Required. ID of the symmetric KMS key to list versions for. The maximum string length in characters is 50.
page_size	int64 The maximum number of results per page to return. If the number of available results is larger than `page_size`, the service returns a ListSymmetricKeyVersionsResponse.next_page_token that can be used to get the next page of results in subsequent list requests. Default value: 100. The maximum value is 1000.
page_token	string Page token. To get the next page of results, set `page_token` to the ListSymmetricKeyVersionsResponse.next_page_token returned by a previous list request. The maximum string length in characters is 100.

ListSymmetricKeyVersionsResponse

Field Description

key_versions[] SymmetricKeyVersion
List of versions for the specified symmetric KMS key.

next_page_token string
This token allows you to get the next page of results for list requests. If the number of results is greater than the specified ListSymmetricKeyVersionsRequest.page_size, use the next_page_token as the value for the ListSymmetricKeyVersionsRequest.page_token query parameter in the next list request. Each subsequent list request will have its own next_page_token to continue paging through the results.

Field	Description
key_versions[]	SymmetricKeyVersion List of versions for the specified symmetric KMS key.
next_page_token	string This token allows you to get the next page of results for list requests. If the number of results is greater than the specified ListSymmetricKeyVersionsRequest.page_size, use the `next_page_token` as the value for the ListSymmetricKeyVersionsRequest.page_token query parameter in the next list request. Each subsequent list request will have its own `next_page_token` to continue paging through the results.

SymmetricKeyVersion

Field	Description
id	string ID of the key version.
key_id	string ID of the symmetric KMS key that the version belongs to.
status	enum Status Status of the key version. `ACTIVE`: The version is active and can be used for encryption and decryption. `SCHEDULED_FOR_DESTRUCTION`: The version is scheduled for destruction, the time when it will be destroyed is specified in the SymmetricKeyVersion.destroy_at field. `DESTROYED`: The version is destroyed and cannot be recovered.
algorithm	enum SymmetricAlgorithm Encryption algorithm that should be used when using the key version to encrypt plaintext. `AES_128`: AES algorithm with 128-bit keys. `AES_192`: AES algorithm with 192-bit keys. `AES_256`: AES algorithm with 256-bit keys.
created_at	google.protobuf.Timestamp Time when the key version was created.
primary	bool Indication of a primary version, that is to be used by default for all cryptographic operations that don't have a key version explicitly specified.
destroy_at	google.protobuf.Timestamp Time when the key version is going to be destroyed. Empty unless the status is `SCHEDULED_FOR_DESTRUCTION`.

Update

Updates the specified symmetric KMS key.

rpc Update (UpdateSymmetricKeyRequest) returns (operation.Operation)

Metadata and response of Operation:

Operation.metadata:UpdateSymmetricKeyMetadata

Operation.response:SymmetricKey

UpdateSymmetricKeyRequest

Field	Description
key_id	string Required. ID of the symmetric KMS key to update. To get the ID of a symmetric KMS key use a SymmetricKeyService.List request. The maximum string length in characters is 50.
update_mask	google.protobuf.FieldMask Required. Field mask that specifies which attributes of the symmetric KMS key are going to be updated.
name	string New name for the symmetric KMS key. The maximum string length in characters is 100.
description	string New description for the symmetric KMS key. The maximum string length in characters is 1024.
status	SymmetricKey.Status New status for the symmetric KMS key. Using the SymmetricKeyService.Update method you can only set ACTIVE or INACTIVE status.
labels	map<string,string> Custom labels for the symmetric KMS key as `key:value` pairs. Maximum 64 per key. No more than 64 per resource. The maximum string length in characters for each value is 63. Each value must match the regular expression `[-_0-9a-z]`. The maximum string length in characters for each key is 63. Each key must match the regular expression `[a-z][-_0-9a-z]`.
default_algorithm	enum SymmetricAlgorithm Default encryption algorithm to be used with new versions of the symmetric KMS key. `AES_128`: AES algorithm with 128-bit keys. `AES_192`: AES algorithm with 192-bit keys. `AES_256`: AES algorithm with 256-bit keys.
rotation_period	google.protobuf.Duration Time period between automatic symmetric KMS key rotations.
deletion_protection	bool Flag that inhibits deletion of the symmetric KMS key

Operation

Field	Description
id	string ID of the operation.
description	string Description of the operation. 0-256 characters long.
created_at	google.protobuf.Timestamp Creation timestamp.
created_by	string ID of the user or service account who initiated the operation.
modified_at	google.protobuf.Timestamp The time when the Operation resource was last modified.
done	bool If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available.
metadata	google.protobuf.Any<UpdateSymmetricKeyMetadata> Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result	oneof: `error` or `response` The operation result. If `done == false` and there was no failure detected, neither `error` nor `response` is set. If `done == false` and there was a failure detected, `error` is set. If `done == true`, exactly one of `error` or `response` is set.
error	google.rpc.Status The error result of the operation in case of failure or cancellation.
response	google.protobuf.Any<SymmetricKey> if operation finished successfully.

UpdateSymmetricKeyMetadata

Field	Description
key_id	string ID of the key being updated.

SymmetricKey

Field	Description
id	string ID of the key.
folder_id	string ID of the folder that the key belongs to.
created_at	google.protobuf.Timestamp Time when the key was created.
name	string Name of the key.
description	string Description of the key.
labels	map<string,string> Custom labels for the key as `key:value` pairs. Maximum 64 per key.
status	enum Status Current status of the key. `CREATING`: The key is being created. `ACTIVE`: The key is active and can be used for encryption and decryption. Can be set to INACTIVE using the SymmetricKeyService.Update method. `INACTIVE`: The key is inactive and unusable. Can be set to ACTIVE using the SymmetricKeyService.Update method.
primary_version	SymmetricKeyVersion Primary version of the key, used as the default for all encrypt/decrypt operations, when no version ID is specified.
default_algorithm	enum SymmetricAlgorithm Default encryption algorithm to be used with new versions of the key. `AES_128`: AES algorithm with 128-bit keys. `AES_192`: AES algorithm with 192-bit keys. `AES_256`: AES algorithm with 256-bit keys.
rotated_at	google.protobuf.Timestamp Time of the last key rotation (time when the last version was created). Empty if the key does not have versions yet.
rotation_period	google.protobuf.Duration Time period between automatic key rotations.
deletion_protection	bool Flag that inhibits deletion of the key

SymmetricKeyVersion

Field	Description
id	string ID of the key version.
key_id	string ID of the symmetric KMS key that the version belongs to.
status	enum Status Status of the key version. `ACTIVE`: The version is active and can be used for encryption and decryption. `SCHEDULED_FOR_DESTRUCTION`: The version is scheduled for destruction, the time when it will be destroyed is specified in the SymmetricKeyVersion.destroy_at field. `DESTROYED`: The version is destroyed and cannot be recovered.
algorithm	enum SymmetricAlgorithm Encryption algorithm that should be used when using the key version to encrypt plaintext. `AES_128`: AES algorithm with 128-bit keys. `AES_192`: AES algorithm with 192-bit keys. `AES_256`: AES algorithm with 256-bit keys.
created_at	google.protobuf.Timestamp Time when the key version was created.
primary	bool Indication of a primary version, that is to be used by default for all cryptographic operations that don't have a key version explicitly specified.
destroy_at	google.protobuf.Timestamp Time when the key version is going to be destroyed. Empty unless the status is `SCHEDULED_FOR_DESTRUCTION`.

Delete

Deletes the specified symmetric KMS key. This action also automatically schedules the destruction of all of the key's versions in 72 hours.
The key and its versions appear absent in SymmetricKeyService.Get and SymmetricKeyService.List requests, but can be restored within 72 hours with a request to tech support.

rpc Delete (DeleteSymmetricKeyRequest) returns (operation.Operation)

Metadata and response of Operation:

Operation.metadata:DeleteSymmetricKeyMetadata

Operation.response:SymmetricKey

DeleteSymmetricKeyRequest

Field	Description
key_id	string Required. ID of the key to be deleted. The maximum string length in characters is 50.

Operation

Field	Description
id	string ID of the operation.
description	string Description of the operation. 0-256 characters long.
created_at	google.protobuf.Timestamp Creation timestamp.
created_by	string ID of the user or service account who initiated the operation.
modified_at	google.protobuf.Timestamp The time when the Operation resource was last modified.
done	bool If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available.
metadata	google.protobuf.Any<DeleteSymmetricKeyMetadata> Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result	oneof: `error` or `response` The operation result. If `done == false` and there was no failure detected, neither `error` nor `response` is set. If `done == false` and there was a failure detected, `error` is set. If `done == true`, exactly one of `error` or `response` is set.
error	google.rpc.Status The error result of the operation in case of failure or cancellation.
response	google.protobuf.Any<SymmetricKey> if operation finished successfully.

DeleteSymmetricKeyMetadata

Field	Description
key_id	string ID of the key being deleted.

SymmetricKey

Field	Description
id	string ID of the key.
folder_id	string ID of the folder that the key belongs to.
created_at	google.protobuf.Timestamp Time when the key was created.
name	string Name of the key.
description	string Description of the key.
labels	map<string,string> Custom labels for the key as `key:value` pairs. Maximum 64 per key.
status	enum Status Current status of the key. `CREATING`: The key is being created. `ACTIVE`: The key is active and can be used for encryption and decryption. Can be set to INACTIVE using the SymmetricKeyService.Update method. `INACTIVE`: The key is inactive and unusable. Can be set to ACTIVE using the SymmetricKeyService.Update method.
primary_version	SymmetricKeyVersion Primary version of the key, used as the default for all encrypt/decrypt operations, when no version ID is specified.
default_algorithm	enum SymmetricAlgorithm Default encryption algorithm to be used with new versions of the key. `AES_128`: AES algorithm with 128-bit keys. `AES_192`: AES algorithm with 192-bit keys. `AES_256`: AES algorithm with 256-bit keys.
rotated_at	google.protobuf.Timestamp Time of the last key rotation (time when the last version was created). Empty if the key does not have versions yet.
rotation_period	google.protobuf.Duration Time period between automatic key rotations.
deletion_protection	bool Flag that inhibits deletion of the key

SymmetricKeyVersion

Field	Description
id	string ID of the key version.
key_id	string ID of the symmetric KMS key that the version belongs to.
status	enum Status Status of the key version. `ACTIVE`: The version is active and can be used for encryption and decryption. `SCHEDULED_FOR_DESTRUCTION`: The version is scheduled for destruction, the time when it will be destroyed is specified in the SymmetricKeyVersion.destroy_at field. `DESTROYED`: The version is destroyed and cannot be recovered.
algorithm	enum SymmetricAlgorithm Encryption algorithm that should be used when using the key version to encrypt plaintext. `AES_128`: AES algorithm with 128-bit keys. `AES_192`: AES algorithm with 192-bit keys. `AES_256`: AES algorithm with 256-bit keys.
created_at	google.protobuf.Timestamp Time when the key version was created.
primary	bool Indication of a primary version, that is to be used by default for all cryptographic operations that don't have a key version explicitly specified.
destroy_at	google.protobuf.Timestamp Time when the key version is going to be destroyed. Empty unless the status is `SCHEDULED_FOR_DESTRUCTION`.

SetPrimaryVersion

Sets the primary version for the specified key. The primary version is used by default for all encrypt/decrypt operations where no version ID is specified.

rpc SetPrimaryVersion (SetPrimarySymmetricKeyVersionRequest) returns (operation.Operation)

Metadata and response of Operation:

Operation.metadata:SetPrimarySymmetricKeyVersionMetadata

Operation.response:SymmetricKey

SetPrimarySymmetricKeyVersionRequest

Field	Description
key_id	string Required. ID of the key to set a primary version for. The maximum string length in characters is 50.
version_id	string Required. ID of the version that should become primary for the specified key. The maximum string length in characters is 50.

Operation

Field	Description
id	string ID of the operation.
description	string Description of the operation. 0-256 characters long.
created_at	google.protobuf.Timestamp Creation timestamp.
created_by	string ID of the user or service account who initiated the operation.
modified_at	google.protobuf.Timestamp The time when the Operation resource was last modified.
done	bool If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available.
metadata	google.protobuf.Any<SetPrimarySymmetricKeyVersionMetadata> Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result	oneof: `error` or `response` The operation result. If `done == false` and there was no failure detected, neither `error` nor `response` is set. If `done == false` and there was a failure detected, `error` is set. If `done == true`, exactly one of `error` or `response` is set.
error	google.rpc.Status The error result of the operation in case of failure or cancellation.
response	google.protobuf.Any<SymmetricKey> if operation finished successfully.

SetPrimarySymmetricKeyVersionMetadata

Field	Description
key_id	string ID of the key that the primary version if being changed for.
version_id	string ID of the version that is being made primary for the key.

SymmetricKey

Field	Description
id	string ID of the key.
folder_id	string ID of the folder that the key belongs to.
created_at	google.protobuf.Timestamp Time when the key was created.
name	string Name of the key.
description	string Description of the key.
labels	map<string,string> Custom labels for the key as `key:value` pairs. Maximum 64 per key.
status	enum Status Current status of the key. `CREATING`: The key is being created. `ACTIVE`: The key is active and can be used for encryption and decryption. Can be set to INACTIVE using the SymmetricKeyService.Update method. `INACTIVE`: The key is inactive and unusable. Can be set to ACTIVE using the SymmetricKeyService.Update method.
primary_version	SymmetricKeyVersion Primary version of the key, used as the default for all encrypt/decrypt operations, when no version ID is specified.
default_algorithm	enum SymmetricAlgorithm Default encryption algorithm to be used with new versions of the key. `AES_128`: AES algorithm with 128-bit keys. `AES_192`: AES algorithm with 192-bit keys. `AES_256`: AES algorithm with 256-bit keys.
rotated_at	google.protobuf.Timestamp Time of the last key rotation (time when the last version was created). Empty if the key does not have versions yet.
rotation_period	google.protobuf.Duration Time period between automatic key rotations.
deletion_protection	bool Flag that inhibits deletion of the key

SymmetricKeyVersion

Field	Description
id	string ID of the key version.
key_id	string ID of the symmetric KMS key that the version belongs to.
status	enum Status Status of the key version. `ACTIVE`: The version is active and can be used for encryption and decryption. `SCHEDULED_FOR_DESTRUCTION`: The version is scheduled for destruction, the time when it will be destroyed is specified in the SymmetricKeyVersion.destroy_at field. `DESTROYED`: The version is destroyed and cannot be recovered.
algorithm	enum SymmetricAlgorithm Encryption algorithm that should be used when using the key version to encrypt plaintext. `AES_128`: AES algorithm with 128-bit keys. `AES_192`: AES algorithm with 192-bit keys. `AES_256`: AES algorithm with 256-bit keys.
created_at	google.protobuf.Timestamp Time when the key version was created.
primary	bool Indication of a primary version, that is to be used by default for all cryptographic operations that don't have a key version explicitly specified.
destroy_at	google.protobuf.Timestamp Time when the key version is going to be destroyed. Empty unless the status is `SCHEDULED_FOR_DESTRUCTION`.

ScheduleVersionDestruction

Schedules the specified key version for destruction.
Scheduled destruction can be cancelled with the SymmetricKeyService.CancelVersionDestruction method.

rpc ScheduleVersionDestruction (ScheduleSymmetricKeyVersionDestructionRequest) returns (operation.Operation)

Metadata and response of Operation:

Operation.metadata:ScheduleSymmetricKeyVersionDestructionMetadata

Operation.response:SymmetricKeyVersion

ScheduleSymmetricKeyVersionDestructionRequest

Field	Description
key_id	string Required. ID of the key whose version should be scheduled for destruction. The maximum string length in characters is 50.
version_id	string Required. ID of the version to be destroyed. The maximum string length in characters is 50.
pending_period	google.protobuf.Duration Time interval between the version destruction request and actual destruction. Default value: 7 days.

Operation

Field	Description
id	string ID of the operation.
description	string Description of the operation. 0-256 characters long.
created_at	google.protobuf.Timestamp Creation timestamp.
created_by	string ID of the user or service account who initiated the operation.
modified_at	google.protobuf.Timestamp The time when the Operation resource was last modified.
done	bool If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available.
metadata	google.protobuf.Any<ScheduleSymmetricKeyVersionDestructionMetadata> Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result	oneof: `error` or `response` The operation result. If `done == false` and there was no failure detected, neither `error` nor `response` is set. If `done == false` and there was a failure detected, `error` is set. If `done == true`, exactly one of `error` or `response` is set.
error	google.rpc.Status The error result of the operation in case of failure or cancellation.
response	google.protobuf.Any<SymmetricKeyVersion> if operation finished successfully.

ScheduleSymmetricKeyVersionDestructionMetadata

Field	Description
key_id	string ID of the key whose version is being scheduled for destruction.
version_id	string ID of the version that is being scheduled for destruction.
destroy_at	google.protobuf.Timestamp Time when the version is scheduled to be destroyed.

SymmetricKeyVersion

Field	Description
id	string ID of the key version.
key_id	string ID of the symmetric KMS key that the version belongs to.
status	enum Status Status of the key version. `ACTIVE`: The version is active and can be used for encryption and decryption. `SCHEDULED_FOR_DESTRUCTION`: The version is scheduled for destruction, the time when it will be destroyed is specified in the SymmetricKeyVersion.destroy_at field. `DESTROYED`: The version is destroyed and cannot be recovered.
algorithm	enum SymmetricAlgorithm Encryption algorithm that should be used when using the key version to encrypt plaintext. `AES_128`: AES algorithm with 128-bit keys. `AES_192`: AES algorithm with 192-bit keys. `AES_256`: AES algorithm with 256-bit keys.
created_at	google.protobuf.Timestamp Time when the key version was created.
primary	bool Indication of a primary version, that is to be used by default for all cryptographic operations that don't have a key version explicitly specified.
destroy_at	google.protobuf.Timestamp Time when the key version is going to be destroyed. Empty unless the status is `SCHEDULED_FOR_DESTRUCTION`.

CancelVersionDestruction

Cancels previously scheduled version destruction, if the version hasn't been destroyed yet.

rpc CancelVersionDestruction (CancelSymmetricKeyVersionDestructionRequest) returns (operation.Operation)

Metadata and response of Operation:

Operation.metadata:CancelSymmetricKeyVersionDestructionMetadata

Operation.response:SymmetricKeyVersion

CancelSymmetricKeyVersionDestructionRequest

Field	Description
key_id	string Required. ID of the key to cancel a version's destruction for. The maximum string length in characters is 50.
version_id	string Required. ID of the version whose scheduled destruction should be cancelled. The maximum string length in characters is 50.

Operation

Field	Description
id	string ID of the operation.
description	string Description of the operation. 0-256 characters long.
created_at	google.protobuf.Timestamp Creation timestamp.
created_by	string ID of the user or service account who initiated the operation.
modified_at	google.protobuf.Timestamp The time when the Operation resource was last modified.
done	bool If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available.
metadata	google.protobuf.Any<CancelSymmetricKeyVersionDestructionMetadata> Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result	oneof: `error` or `response` The operation result. If `done == false` and there was no failure detected, neither `error` nor `response` is set. If `done == false` and there was a failure detected, `error` is set. If `done == true`, exactly one of `error` or `response` is set.
error	google.rpc.Status The error result of the operation in case of failure or cancellation.
response	google.protobuf.Any<SymmetricKeyVersion> if operation finished successfully.

CancelSymmetricKeyVersionDestructionMetadata

Field	Description
key_id	string ID of the key whose version's destruction is being cancelled.
version_id	string ID of the version whose scheduled destruction is being cancelled.

SymmetricKeyVersion

Field	Description
id	string ID of the key version.
key_id	string ID of the symmetric KMS key that the version belongs to.
status	enum Status Status of the key version. `ACTIVE`: The version is active and can be used for encryption and decryption. `SCHEDULED_FOR_DESTRUCTION`: The version is scheduled for destruction, the time when it will be destroyed is specified in the SymmetricKeyVersion.destroy_at field. `DESTROYED`: The version is destroyed and cannot be recovered.
algorithm	enum SymmetricAlgorithm Encryption algorithm that should be used when using the key version to encrypt plaintext. `AES_128`: AES algorithm with 128-bit keys. `AES_192`: AES algorithm with 192-bit keys. `AES_256`: AES algorithm with 256-bit keys.
created_at	google.protobuf.Timestamp Time when the key version was created.
primary	bool Indication of a primary version, that is to be used by default for all cryptographic operations that don't have a key version explicitly specified.
destroy_at	google.protobuf.Timestamp Time when the key version is going to be destroyed. Empty unless the status is `SCHEDULED_FOR_DESTRUCTION`.

Rotate

Rotates the specified key: creates a new key version and makes it the primary version. The old version remains available for decryption of ciphertext encrypted with it.

rpc Rotate (RotateSymmetricKeyRequest) returns (operation.Operation)

Metadata and response of Operation:

Operation.metadata:RotateSymmetricKeyMetadata

Operation.response:SymmetricKey

RotateSymmetricKeyRequest

Field	Description
key_id	string Required. ID of the key to be rotated. The maximum string length in characters is 50.

Operation

Field	Description
id	string ID of the operation.
description	string Description of the operation. 0-256 characters long.
created_at	google.protobuf.Timestamp Creation timestamp.
created_by	string ID of the user or service account who initiated the operation.
modified_at	google.protobuf.Timestamp The time when the Operation resource was last modified.
done	bool If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available.
metadata	google.protobuf.Any<RotateSymmetricKeyMetadata> Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result	oneof: `error` or `response` The operation result. If `done == false` and there was no failure detected, neither `error` nor `response` is set. If `done == false` and there was a failure detected, `error` is set. If `done == true`, exactly one of `error` or `response` is set.
error	google.rpc.Status The error result of the operation in case of failure or cancellation.
response	google.protobuf.Any<SymmetricKey> if operation finished successfully.

RotateSymmetricKeyMetadata

Field	Description
key_id	string ID of the key being rotated.
new_primary_version_id	string ID of the version generated as a result of key rotation.

SymmetricKey

Field	Description
id	string ID of the key.
folder_id	string ID of the folder that the key belongs to.
created_at	google.protobuf.Timestamp Time when the key was created.
name	string Name of the key.
description	string Description of the key.
labels	map<string,string> Custom labels for the key as `key:value` pairs. Maximum 64 per key.
status	enum Status Current status of the key. `CREATING`: The key is being created. `ACTIVE`: The key is active and can be used for encryption and decryption. Can be set to INACTIVE using the SymmetricKeyService.Update method. `INACTIVE`: The key is inactive and unusable. Can be set to ACTIVE using the SymmetricKeyService.Update method.
primary_version	SymmetricKeyVersion Primary version of the key, used as the default for all encrypt/decrypt operations, when no version ID is specified.
default_algorithm	enum SymmetricAlgorithm Default encryption algorithm to be used with new versions of the key. `AES_128`: AES algorithm with 128-bit keys. `AES_192`: AES algorithm with 192-bit keys. `AES_256`: AES algorithm with 256-bit keys.
rotated_at	google.protobuf.Timestamp Time of the last key rotation (time when the last version was created). Empty if the key does not have versions yet.
rotation_period	google.protobuf.Duration Time period between automatic key rotations.
deletion_protection	bool Flag that inhibits deletion of the key

SymmetricKeyVersion

Field	Description
id	string ID of the key version.
key_id	string ID of the symmetric KMS key that the version belongs to.
status	enum Status Status of the key version. `ACTIVE`: The version is active and can be used for encryption and decryption. `SCHEDULED_FOR_DESTRUCTION`: The version is scheduled for destruction, the time when it will be destroyed is specified in the SymmetricKeyVersion.destroy_at field. `DESTROYED`: The version is destroyed and cannot be recovered.
algorithm	enum SymmetricAlgorithm Encryption algorithm that should be used when using the key version to encrypt plaintext. `AES_128`: AES algorithm with 128-bit keys. `AES_192`: AES algorithm with 192-bit keys. `AES_256`: AES algorithm with 256-bit keys.
created_at	google.protobuf.Timestamp Time when the key version was created.
primary	bool Indication of a primary version, that is to be used by default for all cryptographic operations that don't have a key version explicitly specified.
destroy_at	google.protobuf.Timestamp Time when the key version is going to be destroyed. Empty unless the status is `SCHEDULED_FOR_DESTRUCTION`.

ListOperations

Lists operations for the specified symmetric KMS key.

rpc ListOperations (ListSymmetricKeyOperationsRequest) returns (ListSymmetricKeyOperationsResponse)

ListSymmetricKeyOperationsRequest

Field	Description
key_id	string Required. ID of the symmetric KMS key to get operations for. To get the key ID, use a SymmetricKeyService.List request. The maximum string length in characters is 50.
page_size	int64 The maximum number of results per page that should be returned. If the number of available results is larger than `page_size`, the service returns a ListSymmetricKeyOperationsResponse.next_page_token that can be used to get the next page of results in subsequent list requests. Default value: 100. The maximum value is 1000.
page_token	string Page token. To get the next page of results, set `page_token` to the ListSymmetricKeyOperationsResponse.next_page_token returned by a previous list request. The maximum string length in characters is 100.

ListSymmetricKeyOperationsResponse

Field Description

operations[] operation.Operation
List of operations for the specified key.

next_page_token string
This token allows you to get the next page of results for list requests. If the number of results is larger than ListSymmetricKeyOperationsRequest.page_size, use the next_page_token as the value for the ListSymmetricKeyOperationsRequest.page_token query parameter in the next list request. Each subsequent list request will have its own next_page_token to continue paging through the results.

Field	Description
operations[]	operation.Operation List of operations for the specified key.
next_page_token	string This token allows you to get the next page of results for list requests. If the number of results is larger than ListSymmetricKeyOperationsRequest.page_size, use the `next_page_token` as the value for the ListSymmetricKeyOperationsRequest.page_token query parameter in the next list request. Each subsequent list request will have its own `next_page_token` to continue paging through the results.

Operation

Field	Description
id	string ID of the operation.
description	string Description of the operation. 0-256 characters long.
created_at	google.protobuf.Timestamp Creation timestamp.
created_by	string ID of the user or service account who initiated the operation.
modified_at	google.protobuf.Timestamp The time when the Operation resource was last modified.
done	bool If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available.
metadata	google.protobuf.Any Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result	oneof: `error` or `response` The operation result. If `done == false` and there was no failure detected, neither `error` nor `response` is set. If `done == false` and there was a failure detected, `error` is set. If `done == true`, exactly one of `error` or `response` is set.
error	google.rpc.Status The error result of the operation in case of failure or cancellation.
response	google.protobuf.Any The normal response of the operation in case of success. If the original method returns no data on success, such as Delete, the response is google.protobuf.Empty. If the original method is the standard Create/Update, the response should be the target resource of the operation. Any method that returns a long-running operation should document the response type, if any.

ListAccessBindings

Lists existing access bindings for the specified key.

rpc ListAccessBindings (ListAccessBindingsRequest) returns (ListAccessBindingsResponse)

ListAccessBindingsRequest

Field	Description
resource_id	string Required. ID of the resource to list access bindings for. To get the resource ID, use a corresponding List request. For example, use the yandex.cloud.resourcemanager.v1.CloudService.List request to get the Cloud resource ID. The maximum string length in characters is 50.
page_size	int64 The maximum number of results per page that should be returned. If the number of available results is larger than `page_size`, the service returns a ListAccessBindingsResponse.next_page_token that can be used to get the next page of results in subsequent list requests. Default value: 100. The maximum value is 1000.
page_token	string Page token. Set `page_token` to the ListAccessBindingsResponse.next_page_token returned by a previous list request to get the next page of results. The maximum string length in characters is 100.

ListAccessBindingsResponse

Field	Description
access_bindings[]	AccessBinding List of access bindings for the specified resource.
next_page_token	string This token allows you to get the next page of results for list requests. If the number of results is larger than ListAccessBindingsRequest.page_size, use the `next_page_token` as the value for the ListAccessBindingsRequest.page_token query parameter in the next list request. Each subsequent list request will have its own `next_page_token` to continue paging through the results.

AccessBinding

Field	Description
role_id	string Required. ID of the `yandex.cloud.iam.v1.Role` that is assigned to the `subject`. The maximum string length in characters is 50.
subject	Subject Required. Identity for which access binding is being created. It can represent an account with a unique ID or several accounts with a system identifier.

Subject

Field Description

string
Required.

allAuthenticatedUsers: A special system identifier that represents anyone
allUsers: A special system identifier that represents anyone. No authentication is required.
<cloud generated id>: An identifier that represents a user account.

The maximum string length in characters is 50.

type

string
Required.

userAccount: An account on Yandex or Yandex.Connect, added to Yandex.Cloud.
serviceAccount: A service account. This type represents the yandex.cloud.iam.v1.ServiceAccount resource.
federatedUser: A federated account. This type represents a user from an identity federation, like Active Directory.
system: System group. This type represents several accounts with a common system identifier.

The maximum string length in characters is 100.

SetAccessBindings

Sets access bindings for the key.

rpc SetAccessBindings (SetAccessBindingsRequest) returns (operation.Operation)

Metadata and response of Operation:

Operation.metadata:SetAccessBindingsMetadata

Operation.response:google.protobuf.Empty

SetAccessBindingsRequest

Field	Description
resource_id	string Required. ID of the resource for which access bindings are being set. To get the resource ID, use a corresponding List request. The maximum string length in characters is 50.
access_bindings[]	AccessBinding Required. Access bindings to be set. For more information, see Access Bindings.

AccessBinding

Field	Description
role_id	string Required. ID of the `yandex.cloud.iam.v1.Role` that is assigned to the `subject`. The maximum string length in characters is 50.
subject	Subject Required. Identity for which access binding is being created. It can represent an account with a unique ID or several accounts with a system identifier.

Subject

Field Description

string
Required.

allAuthenticatedUsers: A special system identifier that represents anyone
allUsers: A special system identifier that represents anyone. No authentication is required.
<cloud generated id>: An identifier that represents a user account.

The maximum string length in characters is 50.

type

string
Required.

userAccount: An account on Yandex or Yandex.Connect, added to Yandex.Cloud.
serviceAccount: A service account. This type represents the yandex.cloud.iam.v1.ServiceAccount resource.
federatedUser: A federated account. This type represents a user from an identity federation, like Active Directory.
system: System group. This type represents several accounts with a common system identifier.

The maximum string length in characters is 100.

Operation

Field	Description
id	string ID of the operation.
description	string Description of the operation. 0-256 characters long.
created_at	google.protobuf.Timestamp Creation timestamp.
created_by	string ID of the user or service account who initiated the operation.
modified_at	google.protobuf.Timestamp The time when the Operation resource was last modified.
done	bool If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available.
metadata	google.protobuf.Any<SetAccessBindingsMetadata> Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result	oneof: `error` or `response` The operation result. If `done == false` and there was no failure detected, neither `error` nor `response` is set. If `done == false` and there was a failure detected, `error` is set. If `done == true`, exactly one of `error` or `response` is set.
error	google.rpc.Status The error result of the operation in case of failure or cancellation.
response	google.protobuf.Any<google.protobuf.Empty> if operation finished successfully.

SetAccessBindingsMetadata

Field	Description
resource_id	string ID of the resource for which access bindings are being set.

UpdateAccessBindings

Updates access bindings for the specified key.

rpc UpdateAccessBindings (UpdateAccessBindingsRequest) returns (operation.Operation)

Metadata and response of Operation:

Operation.metadata:UpdateAccessBindingsMetadata

Operation.response:google.protobuf.Empty

UpdateAccessBindingsRequest

Field	Description
resource_id	string Required. ID of the resource for which access bindings are being updated. The maximum string length in characters is 50.
access_binding_deltas[]	AccessBindingDelta Required. Updates to access bindings. The number of elements must be greater than 0.

AccessBindingDelta

Field	Description
action	enum AccessBindingAction Required. The action that is being performed on an access binding. `ADD`: Addition of an access binding. `REMOVE`: Removal of an access binding.
access_binding	AccessBinding Required. Access binding. For more information, see Access Bindings.

AccessBinding

Field	Description
role_id	string Required. ID of the `yandex.cloud.iam.v1.Role` that is assigned to the `subject`. The maximum string length in characters is 50.
subject	Subject Required. Identity for which access binding is being created. It can represent an account with a unique ID or several accounts with a system identifier.

Subject

Field Description

string
Required.

allAuthenticatedUsers: A special system identifier that represents anyone
allUsers: A special system identifier that represents anyone. No authentication is required.
<cloud generated id>: An identifier that represents a user account.

The maximum string length in characters is 50.

type

string
Required.

userAccount: An account on Yandex or Yandex.Connect, added to Yandex.Cloud.
serviceAccount: A service account. This type represents the yandex.cloud.iam.v1.ServiceAccount resource.
federatedUser: A federated account. This type represents a user from an identity federation, like Active Directory.
system: System group. This type represents several accounts with a common system identifier.

The maximum string length in characters is 100.

Operation

Field	Description
id	string ID of the operation.
description	string Description of the operation. 0-256 characters long.
created_at	google.protobuf.Timestamp Creation timestamp.
created_by	string ID of the user or service account who initiated the operation.
modified_at	google.protobuf.Timestamp The time when the Operation resource was last modified.
done	bool If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available.
metadata	google.protobuf.Any<UpdateAccessBindingsMetadata> Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result	oneof: `error` or `response` The operation result. If `done == false` and there was no failure detected, neither `error` nor `response` is set. If `done == false` and there was a failure detected, `error` is set. If `done == true`, exactly one of `error` or `response` is set.
error	google.rpc.Status The error result of the operation in case of failure or cancellation.
response	google.protobuf.Any<google.protobuf.Empty> if operation finished successfully.

UpdateAccessBindingsMetadata

Field	Description
resource_id	string ID of the resource for which access bindings are being updated.