SymmetricKeyService

Calls SymmetricKeyService
Create
Get
List
ListVersions
Update
Delete
SetPrimaryVersion
ScheduleVersionDestruction
CancelVersionDestruction
Rotate
ListOperations

Set of methods for managing symmetric KMS keys.

Call	Description
Create	--- control plane Creates a symmetric KMS key in the specified folder.
Get	Returns the specified symmetric KMS key.
List	Returns the list of symmetric KMS keys in the specified folder.
ListVersions	Returns the list of versions of the specified symmetric KMS key.
Update	Updates the specified symmetric KMS key.
Delete	Deletes the specified symmetric KMS key.
SetPrimaryVersion	Sets the primary version for the specified key.
ScheduleVersionDestruction	Schedules the specified key version for destruction.
CancelVersionDestruction	Cancels previously scheduled version destruction, if the version hasn't been destroyed yet.
Rotate	Rotates the specified key: creates a new key version and makes it the primary version.
ListOperations	Lists operations for the specified symmetric KMS key.

Calls SymmetricKeyService

Create

--- control plane Creates a symmetric KMS key in the specified folder.

rpc Create (CreateSymmetricKeyRequest) returns (operation.Operation)

Metadata and response of Operation:

Operation.metadata:CreateSymmetricKeyMetadata

Operation.response:SymmetricKey

CreateSymmetricKeyRequest

Field	Description
folder_id	string Required. ID of the folder to create a symmetric KMS key in. The maximum string length in characters is 50.
name	string Name of the key. The maximum string length in characters is 100.
description	string Description of the key. The maximum string length in characters is 1024.
labels	map<string,string> Custom labels for the symmetric KMS key as `key:value` pairs. Maximum 64 per key. For example, `"project": "mvp"` or `"source": "dictionary"`. No more than 64 per resource. The maximum string length in characters for each value is 63. Each value must match the regular expression `[-_0-9a-z]`. The maximum string length in characters for each key is 63. Each key must match the regular expression `[a-z][-_0-9a-z]`.
default_algorithm	enum SymmetricAlgorithm Encryption algorithm to be used with a new key version, generated with the next rotation. `AES_128`: AES algorithm with 128-bit keys. `AES_192`: AES algorithm with 192-bit keys. `AES_256`: AES algorithm with 256-bit keys.
rotation_period	google.protobuf.Duration Interval between automatic rotations. To disable automatic rotation, don't include this field in the creation request.

Operation

Field	Description
id	string ID of the operation.
description	string Description of the operation. 0-256 characters long.
created_at	google.protobuf.Timestamp Creation timestamp.
created_by	string ID of the user or service account who initiated the operation.
modified_at	google.protobuf.Timestamp The time when the Operation resource was last modified.
done	bool If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available.
metadata	google.protobuf.Any<CreateSymmetricKeyMetadata> Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result	oneof: `error` or `response` The operation result. If `done == false` and there was no failure detected, neither `error` nor `response` is set. If `done == false` and there was a failure detected, `error` is set. If `done == true`, exactly one of `error` or `response` is set.
error	google.rpc.Status The error result of the operation in case of failure or cancellation.
response	google.protobuf.Any<SymmetricKey> if operation finished successfully.

CreateSymmetricKeyMetadata

Field	Description
key_id	string ID of the key being created.
primary_version_id	string ID of the primary version of the key being created.

SymmetricKey

Field	Description
id	string ID of the key.
folder_id	string ID of the folder that the key belongs to.
created_at	google.protobuf.Timestamp Time when the key was created.
name	string Name of the key.
description	string Description of the key.
labels	map<string,string> Custom labels for the key as `key:value` pairs. Maximum 64 per key.
status	enum Status Current status of the key. `CREATING`: The key is being created. `ACTIVE`: The key is active and can be used for encryption and decryption. Can be set to INACTIVE using the SymmetricKeyService.Update method. `INACTIVE`: The key is inactive and unusable. Can be set to ACTIVE using the SymmetricKeyService.Update method.
primary_version	SymmetricKeyVersion Primary version of the key, used as the default for all encrypt/decrypt operations, when no version ID is specified.
default_algorithm	enum SymmetricAlgorithm Default encryption algorithm to be used with new versions of the key. `AES_128`: AES algorithm with 128-bit keys. `AES_192`: AES algorithm with 192-bit keys. `AES_256`: AES algorithm with 256-bit keys.
rotated_at	google.protobuf.Timestamp Time of the last key rotation (time when the last version was created). Empty if the key does not have versions yet.
rotation_period	google.protobuf.Duration Time period between automatic key rotations.

Get

Returns the specified symmetric KMS key.
To get the list of available symmetric KMS keys, make a SymmetricKeyService.List request.

rpc Get (GetSymmetricKeyRequest) returns (SymmetricKey)

GetSymmetricKeyRequest

Field	Description
key_id	string Required. ID of the symmetric KMS key to return. To get the ID of a symmetric KMS key use a SymmetricKeyService.List request. The maximum string length in characters is 50.

SymmetricKey

Field	Description
id	string ID of the key.
folder_id	string ID of the folder that the key belongs to.
created_at	google.protobuf.Timestamp Time when the key was created.
name	string Name of the key.
description	string Description of the key.
labels	map<string,string> Custom labels for the key as `key:value` pairs. Maximum 64 per key.
status	enum Status Current status of the key. `CREATING`: The key is being created. `ACTIVE`: The key is active and can be used for encryption and decryption. Can be set to INACTIVE using the SymmetricKeyService.Update method. `INACTIVE`: The key is inactive and unusable. Can be set to ACTIVE using the SymmetricKeyService.Update method.
primary_version	SymmetricKeyVersion Primary version of the key, used as the default for all encrypt/decrypt operations, when no version ID is specified.
default_algorithm	enum SymmetricAlgorithm Default encryption algorithm to be used with new versions of the key. `AES_128`: AES algorithm with 128-bit keys. `AES_192`: AES algorithm with 192-bit keys. `AES_256`: AES algorithm with 256-bit keys.
rotated_at	google.protobuf.Timestamp Time of the last key rotation (time when the last version was created). Empty if the key does not have versions yet.
rotation_period	google.protobuf.Duration Time period between automatic key rotations.

SymmetricKeyVersion

Field	Description
id	string ID of the key version.
key_id	string ID of the symmetric KMS key that the version belongs to.
status	enum Status Status of the key version. `ACTIVE`: The version is active and can be used for encryption and decryption. `SCHEDULED_FOR_DESTRUCTION`: The version is scheduled for destruction, the time when it will be destroyed is specified in the SymmetricKeyVersion.destroy_at field. `DESTROYED`: The version is destroyed and cannot be recovered.
algorithm	enum SymmetricAlgorithm Encryption algorithm that should be used when using the key version to encrypt plaintext. `AES_128`: AES algorithm with 128-bit keys. `AES_192`: AES algorithm with 192-bit keys. `AES_256`: AES algorithm with 256-bit keys.
created_at	google.protobuf.Timestamp Time when the key version was created.
primary	bool Indication of a primary version, that is to be used by default for all cryptographic operations that don't have a key version explicitly specified.
destroy_at	google.protobuf.Timestamp Time when the key version is going to be destroyed. Empty unless the status is `SCHEDULED_FOR_DESTRUCTION`.

List

Returns the list of symmetric KMS keys in the specified folder.

rpc List (ListSymmetricKeysRequest) returns (ListSymmetricKeysResponse)

ListSymmetricKeysRequest

Field	Description
folder_id	string Required. ID of the folder to list symmetric KMS keys in. The maximum string length in characters is 50.
page_size	int64 The maximum number of results per page to return. If the number of available results is larger than `page_size`, the service returns a ListSymmetricKeysResponse.next_page_token that can be used to get the next page of results in subsequent list requests. Default value: 100. The maximum value is 1000.
page_token	string Page token. To get the next page of results, set `page_token` to the ListSymmetricKeysResponse.next_page_token returned by a previous list request. The maximum string length in characters is 100.

ListSymmetricKeysResponse

Field Description

keys[] SymmetricKey
List of symmetric KMS keys in the specified folder.

next_page_token string
This token allows you to get the next page of results for list requests. If the number of results is greater than the specified ListSymmetricKeysRequest.page_size, use the next_page_token as the value for the ListSymmetricKeysRequest.page_token query parameter in the next list request. Each subsequent list request will have its own next_page_token to continue paging through the results.

Field	Description
keys[]	SymmetricKey List of symmetric KMS keys in the specified folder.
next_page_token	string This token allows you to get the next page of results for list requests. If the number of results is greater than the specified ListSymmetricKeysRequest.page_size, use the `next_page_token` as the value for the ListSymmetricKeysRequest.page_token query parameter in the next list request. Each subsequent list request will have its own `next_page_token` to continue paging through the results.

SymmetricKey

Field	Description
id	string ID of the key.
folder_id	string ID of the folder that the key belongs to.
created_at	google.protobuf.Timestamp Time when the key was created.
name	string Name of the key.
description	string Description of the key.
labels	map<string,string> Custom labels for the key as `key:value` pairs. Maximum 64 per key.
status	enum Status Current status of the key. `CREATING`: The key is being created. `ACTIVE`: The key is active and can be used for encryption and decryption. Can be set to INACTIVE using the SymmetricKeyService.Update method. `INACTIVE`: The key is inactive and unusable. Can be set to ACTIVE using the SymmetricKeyService.Update method.
primary_version	SymmetricKeyVersion Primary version of the key, used as the default for all encrypt/decrypt operations, when no version ID is specified.
default_algorithm	enum SymmetricAlgorithm Default encryption algorithm to be used with new versions of the key. `AES_128`: AES algorithm with 128-bit keys. `AES_192`: AES algorithm with 192-bit keys. `AES_256`: AES algorithm with 256-bit keys.
rotated_at	google.protobuf.Timestamp Time of the last key rotation (time when the last version was created). Empty if the key does not have versions yet.
rotation_period	google.protobuf.Duration Time period between automatic key rotations.

SymmetricKeyVersion

Field	Description
id	string ID of the key version.
key_id	string ID of the symmetric KMS key that the version belongs to.
status	enum Status Status of the key version. `ACTIVE`: The version is active and can be used for encryption and decryption. `SCHEDULED_FOR_DESTRUCTION`: The version is scheduled for destruction, the time when it will be destroyed is specified in the SymmetricKeyVersion.destroy_at field. `DESTROYED`: The version is destroyed and cannot be recovered.
algorithm	enum SymmetricAlgorithm Encryption algorithm that should be used when using the key version to encrypt plaintext. `AES_128`: AES algorithm with 128-bit keys. `AES_192`: AES algorithm with 192-bit keys. `AES_256`: AES algorithm with 256-bit keys.
created_at	google.protobuf.Timestamp Time when the key version was created.
primary	bool Indication of a primary version, that is to be used by default for all cryptographic operations that don't have a key version explicitly specified.
destroy_at	google.protobuf.Timestamp Time when the key version is going to be destroyed. Empty unless the status is `SCHEDULED_FOR_DESTRUCTION`.

ListVersions

Returns the list of versions of the specified symmetric KMS key.

rpc ListVersions (ListSymmetricKeyVersionsRequest) returns (ListSymmetricKeyVersionsResponse)

ListSymmetricKeyVersionsRequest

Field	Description
key_id	string Required. ID of the symmetric KMS key to list versions for. The maximum string length in characters is 50.
page_size	int64 The maximum number of results per page to return. If the number of available results is larger than `page_size`, the service returns a ListSymmetricKeyVersionsResponse.next_page_token that can be used to get the next page of results in subsequent list requests. Default value: 100. The maximum value is 1000.
page_token	string Page token. To get the next page of results, set `page_token` to the ListSymmetricKeyVersionsResponse.next_page_token returned by a previous list request. The maximum string length in characters is 100.

ListSymmetricKeyVersionsResponse

Field Description

key_versions[] SymmetricKeyVersion
List of versions for the specified symmetric KMS key.

next_page_token string
This token allows you to get the next page of results for list requests. If the number of results is greater than the specified ListSymmetricKeyVersionsRequest.page_size, use the next_page_token as the value for the ListSymmetricKeyVersionsRequest.page_token query parameter in the next list request. Each subsequent list request will have its own next_page_token to continue paging through the results.

Field	Description
key_versions[]	SymmetricKeyVersion List of versions for the specified symmetric KMS key.
next_page_token	string This token allows you to get the next page of results for list requests. If the number of results is greater than the specified ListSymmetricKeyVersionsRequest.page_size, use the `next_page_token` as the value for the ListSymmetricKeyVersionsRequest.page_token query parameter in the next list request. Each subsequent list request will have its own `next_page_token` to continue paging through the results.

SymmetricKeyVersion

Field	Description
id	string ID of the key version.
key_id	string ID of the symmetric KMS key that the version belongs to.
status	enum Status Status of the key version. `ACTIVE`: The version is active and can be used for encryption and decryption. `SCHEDULED_FOR_DESTRUCTION`: The version is scheduled for destruction, the time when it will be destroyed is specified in the SymmetricKeyVersion.destroy_at field. `DESTROYED`: The version is destroyed and cannot be recovered.
algorithm	enum SymmetricAlgorithm Encryption algorithm that should be used when using the key version to encrypt plaintext. `AES_128`: AES algorithm with 128-bit keys. `AES_192`: AES algorithm with 192-bit keys. `AES_256`: AES algorithm with 256-bit keys.
created_at	google.protobuf.Timestamp Time when the key version was created.
primary	bool Indication of a primary version, that is to be used by default for all cryptographic operations that don't have a key version explicitly specified.
destroy_at	google.protobuf.Timestamp Time when the key version is going to be destroyed. Empty unless the status is `SCHEDULED_FOR_DESTRUCTION`.

Update

Updates the specified symmetric KMS key.

rpc Update (UpdateSymmetricKeyRequest) returns (operation.Operation)

Metadata and response of Operation:

Operation.metadata:UpdateSymmetricKeyMetadata

Operation.response:SymmetricKey

UpdateSymmetricKeyRequest

Field	Description
key_id	string Required. ID of the symmetric KMS key to update. To get the ID of a symmetric KMS key use a SymmetricKeyService.List request. The maximum string length in characters is 50.
update_mask	google.protobuf.FieldMask Required. Field mask that specifies which attributes of the symmetric KMS key are going to be updated.
name	string New name for the symmetric KMS key. The maximum string length in characters is 100.
description	string New description for the symmetric KMS key. The maximum string length in characters is 1024.
status	SymmetricKey.Status New status for the symmetric KMS key. Using the SymmetricKeyService.Update method you can only set ACTIVE or INACTIVE status.
labels	map<string,string> Custom labels for the symmetric KMS key as `key:value` pairs. Maximum 64 per key. No more than 64 per resource. The maximum string length in characters for each value is 63. Each value must match the regular expression `[-_0-9a-z]`. The maximum string length in characters for each key is 63. Each key must match the regular expression `[a-z][-_0-9a-z]`.
default_algorithm	enum SymmetricAlgorithm Default encryption algorithm to be used with new versions of the symmetric KMS key. `AES_128`: AES algorithm with 128-bit keys. `AES_192`: AES algorithm with 192-bit keys. `AES_256`: AES algorithm with 256-bit keys.
rotation_period	google.protobuf.Duration Time period between automatic symmetric KMS key rotations.

Operation

Field	Description
id	string ID of the operation.
description	string Description of the operation. 0-256 characters long.
created_at	google.protobuf.Timestamp Creation timestamp.
created_by	string ID of the user or service account who initiated the operation.
modified_at	google.protobuf.Timestamp The time when the Operation resource was last modified.
done	bool If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available.
metadata	google.protobuf.Any<UpdateSymmetricKeyMetadata> Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result	oneof: `error` or `response` The operation result. If `done == false` and there was no failure detected, neither `error` nor `response` is set. If `done == false` and there was a failure detected, `error` is set. If `done == true`, exactly one of `error` or `response` is set.
error	google.rpc.Status The error result of the operation in case of failure or cancellation.
response	google.protobuf.Any<SymmetricKey> if operation finished successfully.

UpdateSymmetricKeyMetadata

Field	Description
key_id	string ID of the key being updated.

SymmetricKey

Field	Description
id	string ID of the key.
folder_id	string ID of the folder that the key belongs to.
created_at	google.protobuf.Timestamp Time when the key was created.
name	string Name of the key.
description	string Description of the key.
labels	map<string,string> Custom labels for the key as `key:value` pairs. Maximum 64 per key.
status	enum Status Current status of the key. `CREATING`: The key is being created. `ACTIVE`: The key is active and can be used for encryption and decryption. Can be set to INACTIVE using the SymmetricKeyService.Update method. `INACTIVE`: The key is inactive and unusable. Can be set to ACTIVE using the SymmetricKeyService.Update method.
primary_version	SymmetricKeyVersion Primary version of the key, used as the default for all encrypt/decrypt operations, when no version ID is specified.
default_algorithm	enum SymmetricAlgorithm Default encryption algorithm to be used with new versions of the key. `AES_128`: AES algorithm with 128-bit keys. `AES_192`: AES algorithm with 192-bit keys. `AES_256`: AES algorithm with 256-bit keys.
rotated_at	google.protobuf.Timestamp Time of the last key rotation (time when the last version was created). Empty if the key does not have versions yet.
rotation_period	google.protobuf.Duration Time period between automatic key rotations.

Delete

Deletes the specified symmetric KMS key. This action also automatically schedules the destruction of all of the key's versions in 72 hours.
The key and its versions appear absent in SymmetricKeyService.Get and SymmetricKeyService.List requests, but can be restored within 72 hours with a request to tech support.

rpc Delete (DeleteSymmetricKeyRequest) returns (operation.Operation)

Metadata and response of Operation:

Operation.metadata:DeleteSymmetricKeyMetadata

Operation.response:SymmetricKey

DeleteSymmetricKeyRequest

Field	Description
key_id	string Required. ID of the key to be deleted. The maximum string length in characters is 50.

Operation

Field	Description
id	string ID of the operation.
description	string Description of the operation. 0-256 characters long.
created_at	google.protobuf.Timestamp Creation timestamp.
created_by	string ID of the user or service account who initiated the operation.
modified_at	google.protobuf.Timestamp The time when the Operation resource was last modified.
done	bool If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available.
metadata	google.protobuf.Any<DeleteSymmetricKeyMetadata> Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result	oneof: `error` or `response` The operation result. If `done == false` and there was no failure detected, neither `error` nor `response` is set. If `done == false` and there was a failure detected, `error` is set. If `done == true`, exactly one of `error` or `response` is set.
error	google.rpc.Status The error result of the operation in case of failure or cancellation.
response	google.protobuf.Any<SymmetricKey> if operation finished successfully.

DeleteSymmetricKeyMetadata

Field	Description
key_id	string ID of the key being deleted.

SymmetricKey

Field	Description
id	string ID of the key.
folder_id	string ID of the folder that the key belongs to.
created_at	google.protobuf.Timestamp Time when the key was created.
name	string Name of the key.
description	string Description of the key.
labels	map<string,string> Custom labels for the key as `key:value` pairs. Maximum 64 per key.
status	enum Status Current status of the key. `CREATING`: The key is being created. `ACTIVE`: The key is active and can be used for encryption and decryption. Can be set to INACTIVE using the SymmetricKeyService.Update method. `INACTIVE`: The key is inactive and unusable. Can be set to ACTIVE using the SymmetricKeyService.Update method.
primary_version	SymmetricKeyVersion Primary version of the key, used as the default for all encrypt/decrypt operations, when no version ID is specified.
default_algorithm	enum SymmetricAlgorithm Default encryption algorithm to be used with new versions of the key. `AES_128`: AES algorithm with 128-bit keys. `AES_192`: AES algorithm with 192-bit keys. `AES_256`: AES algorithm with 256-bit keys.
rotated_at	google.protobuf.Timestamp Time of the last key rotation (time when the last version was created). Empty if the key does not have versions yet.
rotation_period	google.protobuf.Duration Time period between automatic key rotations.

SetPrimaryVersion

Sets the primary version for the specified key. The primary version is used by default for all encrypt/decrypt operations where no version ID is specified.

rpc SetPrimaryVersion (SetPrimarySymmetricKeyVersionRequest) returns (operation.Operation)

Metadata and response of Operation:

Operation.metadata:SetPrimarySymmetricKeyVersionMetadata

Operation.response:SymmetricKey

SetPrimarySymmetricKeyVersionRequest

Field	Description
key_id	string Required. ID of the key to set a primary version for. The maximum string length in characters is 50.
version_id	string Required. ID of the version that should become primary for the specified key. The maximum string length in characters is 50.

Operation

Field	Description
id	string ID of the operation.
description	string Description of the operation. 0-256 characters long.
created_at	google.protobuf.Timestamp Creation timestamp.
created_by	string ID of the user or service account who initiated the operation.
modified_at	google.protobuf.Timestamp The time when the Operation resource was last modified.
done	bool If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available.
metadata	google.protobuf.Any<SetPrimarySymmetricKeyVersionMetadata> Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result	oneof: `error` or `response` The operation result. If `done == false` and there was no failure detected, neither `error` nor `response` is set. If `done == false` and there was a failure detected, `error` is set. If `done == true`, exactly one of `error` or `response` is set.
error	google.rpc.Status The error result of the operation in case of failure or cancellation.
response	google.protobuf.Any<SymmetricKey> if operation finished successfully.

SetPrimarySymmetricKeyVersionMetadata

Field	Description
key_id	string ID of the key that the primary version if being changed for.
version_id	string ID of the version that is being made primary for the key.

SymmetricKey

Field	Description
id	string ID of the key.
folder_id	string ID of the folder that the key belongs to.
created_at	google.protobuf.Timestamp Time when the key was created.
name	string Name of the key.
description	string Description of the key.
labels	map<string,string> Custom labels for the key as `key:value` pairs. Maximum 64 per key.
status	enum Status Current status of the key. `CREATING`: The key is being created. `ACTIVE`: The key is active and can be used for encryption and decryption. Can be set to INACTIVE using the SymmetricKeyService.Update method. `INACTIVE`: The key is inactive and unusable. Can be set to ACTIVE using the SymmetricKeyService.Update method.
primary_version	SymmetricKeyVersion Primary version of the key, used as the default for all encrypt/decrypt operations, when no version ID is specified.
default_algorithm	enum SymmetricAlgorithm Default encryption algorithm to be used with new versions of the key. `AES_128`: AES algorithm with 128-bit keys. `AES_192`: AES algorithm with 192-bit keys. `AES_256`: AES algorithm with 256-bit keys.
rotated_at	google.protobuf.Timestamp Time of the last key rotation (time when the last version was created). Empty if the key does not have versions yet.
rotation_period	google.protobuf.Duration Time period between automatic key rotations.

ScheduleVersionDestruction

Schedules the specified key version for destruction.
Scheduled destruction can be cancelled with the SymmetricKeyService.CancelVersionDestruction method.

rpc ScheduleVersionDestruction (ScheduleSymmetricKeyVersionDestructionRequest) returns (operation.Operation)

Metadata and response of Operation:

Operation.metadata:ScheduleSymmetricKeyVersionDestructionMetadata

Operation.response:SymmetricKeyVersion

ScheduleSymmetricKeyVersionDestructionRequest

Field	Description
key_id	string Required. ID of the key whose version should be scheduled for destruction. The maximum string length in characters is 50.
version_id	string Required. ID of the version to be destroyed. The maximum string length in characters is 50.
pending_period	google.protobuf.Duration Time interval between the version destruction request and actual destruction. Default value: 7 days.

Operation

Field	Description
id	string ID of the operation.
description	string Description of the operation. 0-256 characters long.
created_at	google.protobuf.Timestamp Creation timestamp.
created_by	string ID of the user or service account who initiated the operation.
modified_at	google.protobuf.Timestamp The time when the Operation resource was last modified.
done	bool If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available.
metadata	google.protobuf.Any<ScheduleSymmetricKeyVersionDestructionMetadata> Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result	oneof: `error` or `response` The operation result. If `done == false` and there was no failure detected, neither `error` nor `response` is set. If `done == false` and there was a failure detected, `error` is set. If `done == true`, exactly one of `error` or `response` is set.
error	google.rpc.Status The error result of the operation in case of failure or cancellation.
response	google.protobuf.Any<SymmetricKeyVersion> if operation finished successfully.

ScheduleSymmetricKeyVersionDestructionMetadata

Field	Description
key_id	string ID of the key whose version is being scheduled for destruction.
version_id	string ID of the version that is being scheduled for destruction.
destroy_at	google.protobuf.Timestamp Time when the version is scheduled to be destroyed.

SymmetricKeyVersion

Field	Description
id	string ID of the key version.
key_id	string ID of the symmetric KMS key that the version belongs to.
status	enum Status Status of the key version. `ACTIVE`: The version is active and can be used for encryption and decryption. `SCHEDULED_FOR_DESTRUCTION`: The version is scheduled for destruction, the time when it will be destroyed is specified in the SymmetricKeyVersion.destroy_at field. `DESTROYED`: The version is destroyed and cannot be recovered.
algorithm	enum SymmetricAlgorithm Encryption algorithm that should be used when using the key version to encrypt plaintext. `AES_128`: AES algorithm with 128-bit keys. `AES_192`: AES algorithm with 192-bit keys. `AES_256`: AES algorithm with 256-bit keys.
created_at	google.protobuf.Timestamp Time when the key version was created.
primary	bool Indication of a primary version, that is to be used by default for all cryptographic operations that don't have a key version explicitly specified.
destroy_at	google.protobuf.Timestamp Time when the key version is going to be destroyed. Empty unless the status is `SCHEDULED_FOR_DESTRUCTION`.

CancelVersionDestruction

Cancels previously scheduled version destruction, if the version hasn't been destroyed yet.

rpc CancelVersionDestruction (CancelSymmetricKeyVersionDestructionRequest) returns (operation.Operation)

Metadata and response of Operation:

Operation.metadata:CancelSymmetricKeyVersionDestructionMetadata

Operation.response:SymmetricKeyVersion

CancelSymmetricKeyVersionDestructionRequest

Field	Description
key_id	string Required. ID of the key to cancel a version's destruction for. The maximum string length in characters is 50.
version_id	string Required. ID of the version whose scheduled destruction should be cancelled. The maximum string length in characters is 50.

Operation

Field	Description
id	string ID of the operation.
description	string Description of the operation. 0-256 characters long.
created_at	google.protobuf.Timestamp Creation timestamp.
created_by	string ID of the user or service account who initiated the operation.
modified_at	google.protobuf.Timestamp The time when the Operation resource was last modified.
done	bool If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available.
metadata	google.protobuf.Any<CancelSymmetricKeyVersionDestructionMetadata> Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result	oneof: `error` or `response` The operation result. If `done == false` and there was no failure detected, neither `error` nor `response` is set. If `done == false` and there was a failure detected, `error` is set. If `done == true`, exactly one of `error` or `response` is set.
error	google.rpc.Status The error result of the operation in case of failure or cancellation.
response	google.protobuf.Any<SymmetricKeyVersion> if operation finished successfully.

CancelSymmetricKeyVersionDestructionMetadata

Field	Description
key_id	string ID of the key whose version's destruction is being cancelled.
version_id	string ID of the version whose scheduled destruction is being cancelled.

SymmetricKeyVersion

Field	Description
id	string ID of the key version.
key_id	string ID of the symmetric KMS key that the version belongs to.
status	enum Status Status of the key version. `ACTIVE`: The version is active and can be used for encryption and decryption. `SCHEDULED_FOR_DESTRUCTION`: The version is scheduled for destruction, the time when it will be destroyed is specified in the SymmetricKeyVersion.destroy_at field. `DESTROYED`: The version is destroyed and cannot be recovered.
algorithm	enum SymmetricAlgorithm Encryption algorithm that should be used when using the key version to encrypt plaintext. `AES_128`: AES algorithm with 128-bit keys. `AES_192`: AES algorithm with 192-bit keys. `AES_256`: AES algorithm with 256-bit keys.
created_at	google.protobuf.Timestamp Time when the key version was created.
primary	bool Indication of a primary version, that is to be used by default for all cryptographic operations that don't have a key version explicitly specified.
destroy_at	google.protobuf.Timestamp Time when the key version is going to be destroyed. Empty unless the status is `SCHEDULED_FOR_DESTRUCTION`.

Rotate

Rotates the specified key: creates a new key version and makes it the primary version. The old version remains available for decryption of ciphertext encrypted with it.

rpc Rotate (RotateSymmetricKeyRequest) returns (operation.Operation)

Metadata and response of Operation:

Operation.metadata:RotateSymmetricKeyMetadata

Operation.response:SymmetricKey

RotateSymmetricKeyRequest

Field	Description
key_id	string Required. ID of the key to be rotated. The maximum string length in characters is 50.

Operation

Field	Description
id	string ID of the operation.
description	string Description of the operation. 0-256 characters long.
created_at	google.protobuf.Timestamp Creation timestamp.
created_by	string ID of the user or service account who initiated the operation.
modified_at	google.protobuf.Timestamp The time when the Operation resource was last modified.
done	bool If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available.
metadata	google.protobuf.Any<RotateSymmetricKeyMetadata> Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result	oneof: `error` or `response` The operation result. If `done == false` and there was no failure detected, neither `error` nor `response` is set. If `done == false` and there was a failure detected, `error` is set. If `done == true`, exactly one of `error` or `response` is set.
error	google.rpc.Status The error result of the operation in case of failure or cancellation.
response	google.protobuf.Any<SymmetricKey> if operation finished successfully.

RotateSymmetricKeyMetadata

Field	Description
key_id	string ID of the key being rotated.
new_primary_version_id	string ID of the version generated as a result of key rotation.

SymmetricKey

Field	Description
id	string ID of the key.
folder_id	string ID of the folder that the key belongs to.
created_at	google.protobuf.Timestamp Time when the key was created.
name	string Name of the key.
description	string Description of the key.
labels	map<string,string> Custom labels for the key as `key:value` pairs. Maximum 64 per key.
status	enum Status Current status of the key. `CREATING`: The key is being created. `ACTIVE`: The key is active and can be used for encryption and decryption. Can be set to INACTIVE using the SymmetricKeyService.Update method. `INACTIVE`: The key is inactive and unusable. Can be set to ACTIVE using the SymmetricKeyService.Update method.
primary_version	SymmetricKeyVersion Primary version of the key, used as the default for all encrypt/decrypt operations, when no version ID is specified.
default_algorithm	enum SymmetricAlgorithm Default encryption algorithm to be used with new versions of the key. `AES_128`: AES algorithm with 128-bit keys. `AES_192`: AES algorithm with 192-bit keys. `AES_256`: AES algorithm with 256-bit keys.
rotated_at	google.protobuf.Timestamp Time of the last key rotation (time when the last version was created). Empty if the key does not have versions yet.
rotation_period	google.protobuf.Duration Time period between automatic key rotations.

ListOperations

Lists operations for the specified symmetric KMS key.

rpc ListOperations (ListSymmetricKeyOperationsRequest) returns (ListSymmetricKeyOperationsResponse)

ListSymmetricKeyOperationsRequest

Field	Description
key_id	string Required. ID of the symmetric KMS key to get operations for. To get the key ID, use a SymmetricKeyService.List request. The maximum string length in characters is 50.
page_size	int64 The maximum number of results per page that should be returned. If the number of available results is larger than `page_size`, the service returns a ListSymmetricKeyOperationsResponse.next_page_token that can be used to get the next page of results in subsequent list requests. Default value: 100. The maximum value is 1000.
page_token	string Page token. To get the next page of results, set `page_token` to the ListSymmetricKeyOperationsResponse.next_page_token returned by a previous list request. The maximum string length in characters is 100.

ListSymmetricKeyOperationsResponse

Field Description

operations[] operation.Operation
List of operations for the specified key.

next_page_token string
This token allows you to get the next page of results for list requests. If the number of results is larger than ListSymmetricKeyOperationsRequest.page_size, use the next_page_token as the value for the ListSymmetricKeyOperationsRequest.page_token query parameter in the next list request. Each subsequent list request will have its own next_page_token to continue paging through the results.

Field	Description
operations[]	operation.Operation List of operations for the specified key.
next_page_token	string This token allows you to get the next page of results for list requests. If the number of results is larger than ListSymmetricKeyOperationsRequest.page_size, use the `next_page_token` as the value for the ListSymmetricKeyOperationsRequest.page_token query parameter in the next list request. Each subsequent list request will have its own `next_page_token` to continue paging through the results.

Operation

Field	Description
id	string ID of the operation.
description	string Description of the operation. 0-256 characters long.
created_at	google.protobuf.Timestamp Creation timestamp.
created_by	string ID of the user or service account who initiated the operation.
modified_at	google.protobuf.Timestamp The time when the Operation resource was last modified.
done	bool If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available.
metadata	google.protobuf.Any Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result	oneof: `error` or `response` The operation result. If `done == false` and there was no failure detected, neither `error` nor `response` is set. If `done == false` and there was a failure detected, `error` is set. If `done == true`, exactly one of `error` or `response` is set.
error	google.rpc.Status The error result of the operation in case of failure or cancellation.
response	google.protobuf.Any The normal response of the operation in case of success. If the original method returns no data on success, such as Delete, the response is google.protobuf.Empty. If the original method is the standard Create/Update, the response should be the target resource of the operation. Any method that returns a long-running operation should document the response type, if any.