Key Management Service API, gRPC: SymmetricKeyService
Set of methods for managing symmetric KMS keys.
Call | Description |
---|---|
Create | Creates a symmetric KMS key in the specified folder. |
Get | Returns the specified symmetric KMS key. |
List | Returns the list of symmetric KMS keys in the specified folder. |
ListVersions | Returns the list of versions of the specified symmetric KMS key. |
Update | Updates the specified symmetric KMS key. |
Delete | Deletes the specified symmetric KMS key. |
SetPrimaryVersion | Sets the primary version for the specified key. |
ScheduleVersionDestruction | Schedules the specified key version for destruction. |
CancelVersionDestruction | Cancels previously scheduled version destruction, if the version hasn't been destroyed yet. |
Rotate | Rotates the specified key: creates a new key version and makes it the primary version. |
ListOperations | Lists operations for the specified symmetric KMS key. |
ListAccessBindings | Lists existing access bindings for the specified key. |
SetAccessBindings | Sets access bindings for the key. |
UpdateAccessBindings | Updates access bindings for the specified key. |
Calls SymmetricKeyService
Create
Creates a symmetric KMS key in the specified folder.
rpc Create (CreateSymmetricKeyRequest) returns (operation.Operation)
Metadata and response of Operation:
Operation.metadata:CreateSymmetricKeyMetadata
Operation.response:SymmetricKey
CreateSymmetricKeyRequest
Field | Description |
---|---|
folder_id | string Required. ID of the folder to create a symmetric KMS key in. The maximum string length in characters is 50. |
name | string Name of the key. The maximum string length in characters is 100. |
description | string Description of the key. The maximum string length in characters is 1024. |
labels | map<string,string> Custom labels for the symmetric KMS key as key:value pairs, for example "project": "mvp" or "source": "dictionary". No more than 64 per resource. The maximum string length in characters for each value is 63. Each value must match the regular expression [-_0-9a-z]*. The maximum string length in characters for each key is 63. Each key must match the regular expression [a-z][-_0-9a-z]*. |
default_algorithm | enum SymmetricAlgorithm Encryption algorithm to be used with a new key version, generated with the next rotation. |
rotation_period | google.protobuf.Duration Interval between automatic rotations. To disable automatic rotation, don't include this field in the creation request. |
deletion_protection | bool Flag that inhibits deletion of the symmetric KMS key |
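The constraints in the CreateSymmetricKeyRequest table can be checked before the request is sent. The following is an added example, not part of the API reference or of any SDK: it takes a plain dict shaped like the request, and the function name, the sample requests and the two policy warnings are assumptions of the example.

```python
import re

# Limits taken from the CreateSymmetricKeyRequest table above.
MAX_LEN = {"folder_id": 50, "name": 100, "description": 1024}
MAX_LABELS = 64
MAX_LABEL_LEN = 63
LABEL_KEY_RE = re.compile(r"[a-z][-_0-9a-z]*")
LABEL_VALUE_RE = re.compile(r"[-_0-9a-z]*")


def check_create_request(req):
    """Check a dict shaped like CreateSymmetricKeyRequest.

    Returns (errors, warnings): errors break a documented constraint,
    warnings are local policy choices (an assumption of this example).
    """
    errors, warnings = [], []

    if not req.get("folder_id"):
        errors.append("folder_id: required")
    for field, limit in MAX_LEN.items():
        if len(req.get(field) or "") > limit:
            errors.append(f"{field}: longer than {limit} characters")

    labels = req.get("labels") or {}
    if len(labels) > MAX_LABELS:
        errors.append(f"labels: more than {MAX_LABELS} entries")
    for key, value in labels.items():
        # fullmatch: the whole string must match, not just a prefix.
        if len(key) > MAX_LABEL_LEN or not LABEL_KEY_RE.fullmatch(key):
            errors.append(f"labels: invalid key {key!r}")
        if len(value) > MAX_LABEL_LEN or not LABEL_VALUE_RE.fullmatch(value):
            errors.append(f"labels: invalid value {value!r} for key {key!r}")

    # Leaving rotation_period out of the request disables automatic rotation.
    if not req.get("rotation_period"):
        warnings.append("rotation_period: not set, automatic rotation disabled")
    if not req.get("deletion_protection"):
        warnings.append("deletion_protection: off, key can be deleted")
    return errors, warnings


# Constructed sample requests (IDs and values are placeholders).
GOOD_REQUEST = {
    "folder_id": "folder-1",
    "name": "db-key",
    "labels": {"project": "mvp"},
    "rotation_period": "2592000s",
    "deletion_protection": True,
}
BAD_REQUEST = {
    "name": "k" * 101,
    "labels": {"Project": "mvp", "source": "Dictionary"},
}

if __name__ == "__main__":
    for name, request in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST)):
        errors, warnings = check_create_request(request)
        print(name, "errors:", errors, "warnings:", warnings)
```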
Operation
Field | Description |
---|---|
id | string ID of the operation. |
description | string Description of the operation. 0-256 characters long. |
created_at | google.protobuf.Timestamp Creation timestamp. |
created_by | string ID of the user or service account who initiated the operation. |
modified_at | google.protobuf.Timestamp The time when the Operation resource was last modified. |
done | bool If the value is false, it means the operation is still in progress. If true, the operation is completed, and either error or response is available. |
metadata | google.protobuf.Any Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any. |
result | oneof: error or response The operation result. If done == false and there was no failure detected, neither error nor response is set. If done == false and there was a failure detected, error is set. If done == true, exactly one of error or response is set. |
error | google.rpc.Status The error result of the operation in case of failure or cancellation. |
response | google.protobuf.Any The operation response, set if the operation finished successfully. |
CreateSymmetricKeyMetadata
Field | Description |
---|---|
key_id | string ID of the key being created. |
primary_version_id | string ID of the primary version of the key being created. |
SymmetricKey
Field | Description |
---|---|
id | string ID of the key. |
folder_id | string ID of the folder that the key belongs to. |
created_at | google.protobuf.Timestamp Time when the key was created. |
name | string Name of the key. |
description | string Description of the key. |
labels | map<string,string> Custom labels for the key as key:value pairs. Maximum 64 per key. |
status | enum Status Current status of the key. |
primary_version | SymmetricKeyVersion Primary version of the key, used as the default for all encrypt/decrypt operations, when no version ID is specified. |
default_algorithm | enum SymmetricAlgorithm Default encryption algorithm to be used with new versions of the key. |
rotated_at | google.protobuf.Timestamp Time of the last key rotation (time when the last version was created). Empty if the key does not have versions yet. |
rotation_period | google.protobuf.Duration Time period between automatic key rotations. |
deletion_protection | bool Flag that inhibits deletion of the key |
SymmetricKeyVersion
Field | Description |
---|---|
id | string ID of the key version. |
key_id | string ID of the symmetric KMS key that the version belongs to. |
status | enum Status Status of the key version. |
algorithm | enum SymmetricAlgorithm Encryption algorithm that should be used when using the key version to encrypt plaintext. |
created_at | google.protobuf.Timestamp Time when the key version was created. |
primary | bool Indication of a primary version, that is to be used by default for all cryptographic operations that don't have a key version explicitly specified. |
destroy_at | google.protobuf.Timestamp Time when the key version is going to be destroyed. Empty unless the status is SCHEDULED_FOR_DESTRUCTION. |
hosted_by_hsm | bool Indication of the version that is hosted by HSM. |
Get
Returns the specified symmetric KMS key.
To get the list of available symmetric KMS keys, make a SymmetricKeyService.List request.
rpc Get (GetSymmetricKeyRequest) returns (SymmetricKey)
GetSymmetricKeyRequest
Field | Description |
---|---|
key_id | string Required. ID of the symmetric KMS key to return. To get the ID of a symmetric KMS key use a SymmetricKeyService.List request. The maximum string length in characters is 50. |
SymmetricKey
Field | Description |
---|---|
id | string ID of the key. |
folder_id | string ID of the folder that the key belongs to. |
created_at | google.protobuf.Timestamp Time when the key was created. |
name | string Name of the key. |
description | string Description of the key. |
labels | map<string,string> Custom labels for the key as key:value pairs. Maximum 64 per key. |
status | enum Status Current status of the key. |
primary_version | SymmetricKeyVersion Primary version of the key, used as the default for all encrypt/decrypt operations, when no version ID is specified. |
default_algorithm | enum SymmetricAlgorithm Default encryption algorithm to be used with new versions of the key. |
rotated_at | google.protobuf.Timestamp Time of the last key rotation (time when the last version was created). Empty if the key does not have versions yet. |
rotation_period | google.protobuf.Duration Time period between automatic key rotations. |
deletion_protection | bool Flag that inhibits deletion of the key |
SymmetricKeyVersion
Field | Description |
---|---|
id | string ID of the key version. |
key_id | string ID of the symmetric KMS key that the version belongs to. |
status | enum Status Status of the key version. |
algorithm | enum SymmetricAlgorithm Encryption algorithm that should be used when using the key version to encrypt plaintext. |
created_at | google.protobuf.Timestamp Time when the key version was created. |
primary | bool Indication of a primary version, that is to be used by default for all cryptographic operations that don't have a key version explicitly specified. |
destroy_at | google.protobuf.Timestamp Time when the key version is going to be destroyed. Empty unless the status is SCHEDULED_FOR_DESTRUCTION. |
hosted_by_hsm | bool Indication of the version that is hosted by HSM. |
List
Returns the list of symmetric KMS keys in the specified folder.
rpc List (ListSymmetricKeysRequest) returns (ListSymmetricKeysResponse)
ListSymmetricKeysRequest
Field | Description |
---|---|
folder_id | string Required. ID of the folder to list symmetric KMS keys in. The maximum string length in characters is 50. |
page_size | int64 The maximum number of results per page to return. If the number of available results is larger than page_size, the service returns a ListSymmetricKeysResponse.next_page_token that can be used to get the next page of results in subsequent list requests. Default value: 100. The maximum value is 1000. |
page_token | string Page token. To get the next page of results, set page_token to the ListSymmetricKeysResponse.next_page_token returned by a previous list request. The maximum string length in characters is 100. |
ListSymmetricKeysResponse
Field | Description |
---|---|
keys[] | SymmetricKey List of symmetric KMS keys in the specified folder. |
next_page_token | string This token allows you to get the next page of results for list requests. If the number of results is greater than the specified ListSymmetricKeysRequest.page_size, use the next_page_token as the value for the ListSymmetricKeysRequest.page_token query parameter in the next list request. Each subsequent list request will have its own next_page_token to continue paging through the results. |
SymmetricKey
Field | Description |
---|---|
id | string ID of the key. |
folder_id | string ID of the folder that the key belongs to. |
created_at | google.protobuf.Timestamp Time when the key was created. |
name | string Name of the key. |
description | string Description of the key. |
labels | map<string,string> Custom labels for the key as key:value pairs. Maximum 64 per key. |
status | enum Status Current status of the key. |
primary_version | SymmetricKeyVersion Primary version of the key, used as the default for all encrypt/decrypt operations, when no version ID is specified. |
default_algorithm | enum SymmetricAlgorithm Default encryption algorithm to be used with new versions of the key. |
rotated_at | google.protobuf.Timestamp Time of the last key rotation (time when the last version was created). Empty if the key does not have versions yet. |
rotation_period | google.protobuf.Duration Time period between automatic key rotations. |
deletion_protection | bool Flag that inhibits deletion of the key |
SymmetricKeyVersion
Field | Description |
---|---|
id | string ID of the key version. |
key_id | string ID of the symmetric KMS key that the version belongs to. |
status | enum Status Status of the key version. |
algorithm | enum SymmetricAlgorithm Encryption algorithm that should be used when using the key version to encrypt plaintext. |
created_at | google.protobuf.Timestamp Time when the key version was created. |
primary | bool Indication of a primary version, that is to be used by default for all cryptographic operations that don't have a key version explicitly specified. |
destroy_at | google.protobuf.Timestamp Time when the key version is going to be destroyed. Empty unless the status is SCHEDULED_FOR_DESTRUCTION. |
hosted_by_hsm | bool Indication of the version that is hosted by HSM. |
ListVersions
Returns the list of versions of the specified symmetric KMS key.
rpc ListVersions (ListSymmetricKeyVersionsRequest) returns (ListSymmetricKeyVersionsResponse)
ListSymmetricKeyVersionsRequest
Field | Description |
---|---|
key_id | string Required. ID of the symmetric KMS key to list versions for. The maximum string length in characters is 50. |
page_size | int64 The maximum number of results per page to return. If the number of available results is larger than page_size, the service returns a ListSymmetricKeyVersionsResponse.next_page_token that can be used to get the next page of results in subsequent list requests. Default value: 100. The maximum value is 1000. |
page_token | string Page token. To get the next page of results, set page_token to the ListSymmetricKeyVersionsResponse.next_page_token returned by a previous list request. The maximum string length in characters is 100. |
ListSymmetricKeyVersionsResponse
Field | Description |
---|---|
key_versions[] | SymmetricKeyVersion List of versions for the specified symmetric KMS key. |
next_page_token | string This token allows you to get the next page of results for list requests. If the number of results is greater than the specified ListSymmetricKeyVersionsRequest.page_size, use the next_page_token as the value for the ListSymmetricKeyVersionsRequest.page_token query parameter in the next list request. Each subsequent list request will have its own next_page_token to continue paging through the results. |
SymmetricKeyVersion
Field | Description |
---|---|
id | string ID of the key version. |
key_id | string ID of the symmetric KMS key that the version belongs to. |
status | enum Status Status of the key version. |
algorithm | enum SymmetricAlgorithm Encryption algorithm that should be used when using the key version to encrypt plaintext. |
created_at | google.protobuf.Timestamp Time when the key version was created. |
primary | bool Indication of a primary version, that is to be used by default for all cryptographic operations that don't have a key version explicitly specified. |
destroy_at | google.protobuf.Timestamp Time when the key version is going to be destroyed. Empty unless the status is SCHEDULED_FOR_DESTRUCTION. |
hosted_by_hsm | bool Indication of the version that is hosted by HSM. |
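List and ListVersions together give enough data for a key inventory review. The following added example (not from the API reference or any SDK) follows next_page_token through both calls and reports keys without automatic rotation, keys without deletion protection, and versions whose destroy_at falls inside a warning window. The FakeKMS class, the dict-shaped responses, the sample data and the 72-hour window are assumptions of the example; a real client would wrap the gRPC stubs behind the same two callables.

```python
from datetime import datetime, timedelta, timezone


def iter_pages(list_call, items_field, **request):
    """Yield every item of a paginated call by following next_page_token."""
    page_token = ""
    while True:
        response = list_call(page_token=page_token, **request)
        yield from response.get(items_field, [])
        page_token = response.get("next_page_token", "")
        if not page_token:  # empty token: last page reached
            return


def audit_key(key, versions, now, warn_within=timedelta(hours=72)):
    """Return posture findings for one SymmetricKey and its versions."""
    findings = []
    if not key.get("rotation_period"):
        findings.append("automatic rotation is not configured")
    if not key.get("deletion_protection"):
        findings.append("deletion_protection is off")
    for version in versions:
        if version["status"] != "SCHEDULED_FOR_DESTRUCTION":
            continue
        destroy_at = datetime.fromisoformat(version["destroy_at"])
        if destroy_at - now <= warn_within:
            tag = " (primary)" if version.get("primary") else ""
            findings.append(
                f"version {version['id']}{tag} will be destroyed at {version['destroy_at']}"
            )
    return findings


def audit_folder(kms, folder_id, now, page_size=2):
    """Map key ID -> findings for every key in the folder that has any."""
    report = {}
    for key in iter_pages(kms.list_keys, "keys", folder_id=folder_id, page_size=page_size):
        versions = iter_pages(
            kms.list_versions, "key_versions", key_id=key["id"], page_size=page_size
        )
        findings = audit_key(key, versions, now)
        if findings:
            report[key["id"]] = findings
    return report


class FakeKMS:
    """Constructed in-memory stand-in for List and ListVersions (hypothetical)."""

    def __init__(self, keys, versions):
        self._keys, self._versions = keys, versions

    @staticmethod
    def _page(items, field, page_size, page_token):
        start = int(page_token or 0)
        end = start + page_size
        response = {field: items[start:end]}
        if end < len(items):
            response["next_page_token"] = str(end)
        return response

    def list_keys(self, folder_id, page_size, page_token):
        items = [k for k in self._keys if k["folder_id"] == folder_id]
        return self._page(items, "keys", page_size, page_token)

    def list_versions(self, key_id, page_size, page_token):
        items = [v for v in self._versions if v["key_id"] == key_id]
        return self._page(items, "key_versions", page_size, page_token)


# Constructed sample inventory; IDs, durations and timestamps are placeholders.
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"id": "key-a", "folder_id": "folder-1", "rotation_period": "2592000s",
     "deletion_protection": True},
    {"id": "key-b", "folder_id": "folder-1", "deletion_protection": True},
    {"id": "key-c", "folder_id": "folder-1", "rotation_period": "2592000s",
     "deletion_protection": False},
]
SAMPLE_VERSIONS = [
    {"id": "a1", "key_id": "key-a", "status": "ACTIVE", "primary": True},
    {"id": "a0", "key_id": "key-a", "status": "SCHEDULED_FOR_DESTRUCTION",
     "destroy_at": "2024-05-02T00:00:00+00:00"},
    {"id": "c3", "key_id": "key-c", "status": "ACTIVE", "primary": True},
    {"id": "c2", "key_id": "key-c", "status": "SCHEDULED_FOR_DESTRUCTION",
     "destroy_at": "2024-05-07T00:00:00+00:00"},
    {"id": "c1", "key_id": "key-c", "status": "ACTIVE"},
]

if __name__ == "__main__":
    kms = FakeKMS(SAMPLE_KEYS, SAMPLE_VERSIONS)
    for key_id, findings in audit_folder(kms, "folder-1", NOW).items():
        print(key_id, findings)
```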
Update
Updates the specified symmetric KMS key.
rpc Update (UpdateSymmetricKeyRequest) returns (operation.Operation)
Metadata and response of Operation:
Operation.metadata:UpdateSymmetricKeyMetadata
Operation.response:SymmetricKey
UpdateSymmetricKeyRequest
Field | Description |
---|---|
key_id | string Required. ID of the symmetric KMS key to update. To get the ID of a symmetric KMS key use a SymmetricKeyService.List request. The maximum string length in characters is 50. |
update_mask | google.protobuf.FieldMask Required. Field mask that specifies which attributes of the symmetric KMS key are going to be updated. |
name | string New name for the symmetric KMS key. The maximum string length in characters is 100. |
description | string New description for the symmetric KMS key. The maximum string length in characters is 1024. |
status | SymmetricKey.Status New status for the symmetric KMS key. Using the SymmetricKeyService.Update method you can only set ACTIVE or INACTIVE status. |
labels | map<string,string> Custom labels for the symmetric KMS key as key:value pairs. No more than 64 per resource. The maximum string length in characters for each value is 63. Each value must match the regular expression [-_0-9a-z]*. The maximum string length in characters for each key is 63. Each key must match the regular expression [a-z][-_0-9a-z]*. |
default_algorithm | enum SymmetricAlgorithm Default encryption algorithm to be used with new versions of the symmetric KMS key. |
rotation_period | google.protobuf.Duration Time period between automatic symmetric KMS key rotations. |
deletion_protection | bool Flag that inhibits deletion of the symmetric KMS key |
Operation
Field | Description |
---|---|
id | string ID of the operation. |
description | string Description of the operation. 0-256 characters long. |
created_at | google.protobuf.Timestamp Creation timestamp. |
created_by | string ID of the user or service account who initiated the operation. |
modified_at | google.protobuf.Timestamp The time when the Operation resource was last modified. |
done | bool If the value is false, it means the operation is still in progress. If true, the operation is completed, and either error or response is available. |
metadata | google.protobuf.Any Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any. |
result | oneof: error or response The operation result. If done == false and there was no failure detected, neither error nor response is set. If done == false and there was a failure detected, error is set. If done == true, exactly one of error or response is set. |
error | google.rpc.Status The error result of the operation in case of failure or cancellation. |
response | google.protobuf.Any The operation response, set if the operation finished successfully. |
UpdateSymmetricKeyMetadata
Field | Description |
---|---|
key_id | string ID of the key being updated. |
SymmetricKey
Field | Description |
---|---|
id | string ID of the key. |
folder_id | string ID of the folder that the key belongs to. |
created_at | google.protobuf.Timestamp Time when the key was created. |
name | string Name of the key. |
description | string Description of the key. |
labels | map<string,string> Custom labels for the key as key:value pairs. Maximum 64 per key. |
status | enum Status Current status of the key. |
primary_version | SymmetricKeyVersion Primary version of the key, used as the default for all encrypt/decrypt operations, when no version ID is specified. |
default_algorithm | enum SymmetricAlgorithm Default encryption algorithm to be used with new versions of the key. |
rotated_at | google.protobuf.Timestamp Time of the last key rotation (time when the last version was created). Empty if the key does not have versions yet. |
rotation_period | google.protobuf.Duration Time period between automatic key rotations. |
deletion_protection | bool Flag that inhibits deletion of the key |
SymmetricKeyVersion
Field | Description |
---|---|
id | string ID of the key version. |
key_id | string ID of the symmetric KMS key that the version belongs to. |
status | enum Status Status of the key version. |
algorithm | enum SymmetricAlgorithm Encryption algorithm that should be used when using the key version to encrypt plaintext. |
created_at | google.protobuf.Timestamp Time when the key version was created. |
primary | bool Indication of a primary version, that is to be used by default for all cryptographic operations that don't have a key version explicitly specified. |
destroy_at | google.protobuf.Timestamp Time when the key version is going to be destroyed. Empty unless the status is SCHEDULED_FOR_DESTRUCTION. |
hosted_by_hsm | bool Indication of the version that is hosted by HSM. |
Delete
Deletes the specified symmetric KMS key. This action also automatically schedules the destruction of all of the key's versions in 72 hours.
The key and its versions appear absent in SymmetricKeyService.Get and SymmetricKeyService.List requests, but can be restored within 72 hours with a request to tech support.
rpc Delete (DeleteSymmetricKeyRequest) returns (operation.Operation)
Metadata and response of Operation:
Operation.metadata:DeleteSymmetricKeyMetadata
Operation.response:SymmetricKey
DeleteSymmetricKeyRequest
Field | Description |
---|---|
key_id | string Required. ID of the key to be deleted. The maximum string length in characters is 50. |
Operation
Field | Description |
---|---|
id | string ID of the operation. |
description | string Description of the operation. 0-256 characters long. |
created_at | google.protobuf.Timestamp Creation timestamp. |
created_by | string ID of the user or service account who initiated the operation. |
modified_at | google.protobuf.Timestamp The time when the Operation resource was last modified. |
done | bool If the value is false, it means the operation is still in progress. If true, the operation is completed, and either error or response is available. |
metadata | google.protobuf.Any Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any. |
result | oneof: error or response The operation result. If done == false and there was no failure detected, neither error nor response is set. If done == false and there was a failure detected, error is set. If done == true, exactly one of error or response is set. |
error | google.rpc.Status The error result of the operation in case of failure or cancellation. |
response | google.protobuf.Any The operation response, set if the operation finished successfully. |
DeleteSymmetricKeyMetadata
Field | Description |
---|---|
key_id | string ID of the key being deleted. |
SymmetricKey
Field | Description |
---|---|
id | string ID of the key. |
folder_id | string ID of the folder that the key belongs to. |
created_at | google.protobuf.Timestamp Time when the key was created. |
name | string Name of the key. |
description | string Description of the key. |
labels | map<string,string> Custom labels for the key as key:value pairs. Maximum 64 per key. |
status | enum Status Current status of the key. |
primary_version | SymmetricKeyVersion Primary version of the key, used as the default for all encrypt/decrypt operations, when no version ID is specified. |
default_algorithm | enum SymmetricAlgorithm Default encryption algorithm to be used with new versions of the key. |
rotated_at | google.protobuf.Timestamp Time of the last key rotation (time when the last version was created). Empty if the key does not have versions yet. |
rotation_period | google.protobuf.Duration Time period between automatic key rotations. |
deletion_protection | bool Flag that inhibits deletion of the key |
SymmetricKeyVersion
Field | Description |
---|---|
id | string ID of the key version. |
key_id | string ID of the symmetric KMS key that the version belongs to. |
status | enum Status Status of the key version. |
algorithm | enum SymmetricAlgorithm Encryption algorithm that should be used when using the key version to encrypt plaintext. |
created_at | google.protobuf.Timestamp Time when the key version was created. |
primary | bool Indication of a primary version, that is to be used by default for all cryptographic operations that don't have a key version explicitly specified. |
destroy_at | google.protobuf.Timestamp Time when the key version is going to be destroyed. Empty unless the status is SCHEDULED_FOR_DESTRUCTION. |
hosted_by_hsm | bool Indication of the version that is hosted by HSM. |
SetPrimaryVersion
Sets the primary version for the specified key. The primary version is used by default for all encrypt/decrypt operations where no version ID is specified.
rpc SetPrimaryVersion (SetPrimarySymmetricKeyVersionRequest) returns (operation.Operation)
Metadata and response of Operation:
Operation.metadata:SetPrimarySymmetricKeyVersionMetadata
Operation.response:SymmetricKey
SetPrimarySymmetricKeyVersionRequest
Field | Description |
---|---|
key_id | string Required. ID of the key to set a primary version for. The maximum string length in characters is 50. |
version_id | string Required. ID of the version that should become primary for the specified key. The maximum string length in characters is 50. |
Operation
Field | Description |
---|---|
id | string ID of the operation. |
description | string Description of the operation. 0-256 characters long. |
created_at | google.protobuf.Timestamp Creation timestamp. |
created_by | string ID of the user or service account who initiated the operation. |
modified_at | google.protobuf.Timestamp The time when the Operation resource was last modified. |
done | bool If the value is false, it means the operation is still in progress. If true, the operation is completed, and either error or response is available. |
metadata | google.protobuf.Any Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any. |
result | oneof: error or response The operation result. If done == false and there was no failure detected, neither error nor response is set. If done == false and there was a failure detected, error is set. If done == true, exactly one of error or response is set. |
error | google.rpc.Status The error result of the operation in case of failure or cancellation. |
response | google.protobuf.Any The operation response, set if the operation finished successfully. |
SetPrimarySymmetricKeyVersionMetadata
Field | Description |
---|---|
key_id | string ID of the key that the primary version is being changed for. |
version_id | string ID of the version that is being made primary for the key. |
SymmetricKey
Field | Description |
---|---|
id | string ID of the key. |
folder_id | string ID of the folder that the key belongs to. |
created_at | google.protobuf.Timestamp Time when the key was created. |
name | string Name of the key. |
description | string Description of the key. |
labels | map<string,string> Custom labels for the key as key:value pairs. Maximum 64 per key. |
status | enum Status Current status of the key. |
primary_version | SymmetricKeyVersion Primary version of the key, used as the default for all encrypt/decrypt operations, when no version ID is specified. |
default_algorithm | enum SymmetricAlgorithm Default encryption algorithm to be used with new versions of the key. |
rotated_at | google.protobuf.Timestamp Time of the last key rotation (time when the last version was created). Empty if the key does not have versions yet. |
rotation_period | google.protobuf.Duration Time period between automatic key rotations. |
deletion_protection | bool Flag that inhibits deletion of the key |
SymmetricKeyVersion
Field | Description |
---|---|
id | string ID of the key version. |
key_id | string ID of the symmetric KMS key that the version belongs to. |
status | enum Status Status of the key version. |
algorithm | enum SymmetricAlgorithm Encryption algorithm that should be used when using the key version to encrypt plaintext. |
created_at | google.protobuf.Timestamp Time when the key version was created. |
primary | bool Indication of a primary version, that is to be used by default for all cryptographic operations that don't have a key version explicitly specified. |
destroy_at | google.protobuf.Timestamp Time when the key version is going to be destroyed. Empty unless the status is SCHEDULED_FOR_DESTRUCTION. |
hosted_by_hsm | bool Indication of the version that is hosted by HSM. |
ScheduleVersionDestruction
Schedules the specified key version for destruction.
Scheduled destruction can be cancelled with the SymmetricKeyService.CancelVersionDestruction method.
rpc ScheduleVersionDestruction (ScheduleSymmetricKeyVersionDestructionRequest) returns (operation.Operation)
Metadata and response of Operation:
Operation.metadata:ScheduleSymmetricKeyVersionDestructionMetadata
Operation.response:SymmetricKeyVersion
ScheduleSymmetricKeyVersionDestructionRequest
Field | Description |
---|---|
key_id | string Required. ID of the key whose version should be scheduled for destruction. The maximum string length in characters is 50. |
version_id | string Required. ID of the version to be destroyed. The maximum string length in characters is 50. |
pending_period | google.protobuf.Duration Time interval between the version destruction request and actual destruction. Default value: 7 days. |
Operation
Field | Description |
---|---|
id | string ID of the operation. |
description | string Description of the operation. 0-256 characters long. |
created_at | google.protobuf.Timestamp Creation timestamp. |
created_by | string ID of the user or service account who initiated the operation. |
modified_at | google.protobuf.Timestamp The time when the Operation resource was last modified. |
done | bool If the value is false, it means the operation is still in progress. If true, the operation is completed, and either error or response is available. |
metadata | google.protobuf.Any Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any. |
result | oneof: error or response The operation result. If done == false and there was no failure detected, neither error nor response is set. If done == false and there was a failure detected, error is set. If done == true, exactly one of error or response is set. |
error | google.rpc.Status The error result of the operation in case of failure or cancellation. |
response | google.protobuf.Any The operation response, set if the operation finished successfully. |
ScheduleSymmetricKeyVersionDestructionMetadata
Field | Description |
---|---|
key_id | string ID of the key whose version is being scheduled for destruction. |
version_id | string ID of the version that is being scheduled for destruction. |
destroy_at | google.protobuf.Timestamp Time when the version is scheduled to be destroyed. |
SymmetricKeyVersion
Field | Description |
---|---|
id | string ID of the key version. |
key_id | string ID of the symmetric KMS key that the version belongs to. |
status | enum Status Status of the key version. |
algorithm | enum SymmetricAlgorithm Encryption algorithm that should be used when using the key version to encrypt plaintext. |
created_at | google.protobuf.Timestamp Time when the key version was created. |
primary | bool Indication of a primary version, that is to be used by default for all cryptographic operations that don't have a key version explicitly specified. |
destroy_at | google.protobuf.Timestamp Time when the key version is going to be destroyed. Empty unless the status is SCHEDULED_FOR_DESTRUCTION. |
hosted_by_hsm | bool Indication of the version that is hosted by HSM. |
CancelVersionDestruction
Cancels previously scheduled version destruction, if the version hasn't been destroyed yet.
rpc CancelVersionDestruction (CancelSymmetricKeyVersionDestructionRequest) returns (operation.Operation)
Metadata and response of Operation:
Operation.metadata:CancelSymmetricKeyVersionDestructionMetadata
Operation.response:SymmetricKeyVersion
CancelSymmetricKeyVersionDestructionRequest
Field | Description |
---|---|
key_id | string Required. ID of the key to cancel a version's destruction for. The maximum string length in characters is 50. |
version_id | string Required. ID of the version whose scheduled destruction should be cancelled. The maximum string length in characters is 50. |
Operation
Field | Description |
---|---|
id | string ID of the operation. |
description | string Description of the operation. 0-256 characters long. |
created_at | google.protobuf.Timestamp Creation timestamp. |
created_by | string ID of the user or service account who initiated the operation. |
modified_at | google.protobuf.Timestamp The time when the Operation resource was last modified. |
done | bool If the value is false, it means the operation is still in progress. If true, the operation is completed, and either error or response is available. |
metadata | google.protobuf.Any Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any. |
result | oneof: error or response The operation result. If done == false and there was no failure detected, neither error nor response is set. If done == false and there was a failure detected, error is set. If done == true, exactly one of error or response is set. |
error | google.rpc.Status The error result of the operation in case of failure or cancellation. |
response | google.protobuf.Any The operation response, set if the operation finished successfully. |
CancelSymmetricKeyVersionDestructionMetadata
Field | Description |
---|---|
key_id | string ID of the key whose version's destruction is being cancelled. |
version_id | string ID of the version whose scheduled destruction is being cancelled. |
SymmetricKeyVersion
Field | Description |
---|---|
id | string ID of the key version. |
key_id | string ID of the symmetric KMS key that the version belongs to. |
status | enum Status Status of the key version. |
algorithm | enum SymmetricAlgorithm Encryption algorithm that should be used when using the key version to encrypt plaintext. |
created_at | google.protobuf.Timestamp Time when the key version was created. |
primary | bool Indicates the primary version, which is used by default for all cryptographic operations that don't have a key version explicitly specified. |
destroy_at | google.protobuf.Timestamp Time when the key version is going to be destroyed. Empty unless the status is SCHEDULED_FOR_DESTRUCTION. |
hosted_by_hsm | bool Indicates whether the version is hosted by an HSM. |
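The rules on the done and result rows, together with the note that destroy_at is empty unless the status is SCHEDULED_FOR_DESTRUCTION, are enough to check that a CancelVersionDestruction call really took effect. The following is an added example, not code from the service documentation; it assumes operations are available as plain dicts keyed by the field names in the tables above, and the sample IDs and the "ACTIVE" status value are constructed for illustration.

```python
# Added example: operations are plain dicts keyed by the field names in the
# tables above (an assumption; a gRPC client returns protobuf messages).

def operation_state(op):
    """Classify an Operation using the rules stated for `done` and `result`."""
    done = bool(op.get("done"))
    has_error = op.get("error") is not None
    has_response = op.get("response") is not None
    if has_error and has_response:
        raise ValueError("result is a oneof: error and response are both set")
    if done and not (has_error or has_response):
        raise ValueError("done == true but neither error nor response is set")
    if has_response and not done:
        raise ValueError("response is set while done == false")
    if has_error:
        return "failed"  # a failure may be reported before done flips to true
    return "succeeded" if done else "in_progress"


def cancellation_confirmed(op, key_id, version_id):
    """True only if a finished operation cancelled destruction of this version."""
    if operation_state(op) != "succeeded":
        return False
    meta, version = op.get("metadata") or {}, op["response"]
    if (meta.get("key_id"), meta.get("version_id")) != (key_id, version_id):
        return False  # the operation targets another key or version
    if (version.get("key_id"), version.get("id")) != (key_id, version_id):
        return False
    # destroy_at is empty unless the status is SCHEDULED_FOR_DESTRUCTION
    return (version.get("status") != "SCHEDULED_FOR_DESTRUCTION"
            and not version.get("destroy_at"))


# Constructed sample operations; IDs and the "ACTIVE" status are illustrative.
META = {"key_id": "example-key", "version_id": "example-ver"}
PENDING = {"id": "op-1", "done": False, "metadata": META}
FAILED = {"id": "op-2", "done": True, "metadata": META,
          "error": {"code": 9, "message": "constructed failure"}}
CANCELLED = {"id": "op-3", "done": True, "metadata": META,
             "response": {"id": "example-ver", "key_id": "example-key",
                          "status": "ACTIVE", "primary": False}}
STILL_SCHEDULED = {"id": "op-4", "done": True, "metadata": META,
                   "response": {"id": "example-ver", "key_id": "example-key",
                                "status": "SCHEDULED_FOR_DESTRUCTION",
                                "destroy_at": "2030-01-01T00:00:00Z"}}
```

Treating anything other than a confirmed result as "not cancelled" keeps a caller from assuming a version is safe while its destruction is still pending.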
Rotate
Rotates the specified key: creates a new key version and makes it the primary version. The old version remains available for decryption of ciphertext encrypted with it.
rpc Rotate (RotateSymmetricKeyRequest) returns (operation.Operation)
Metadata and response of Operation:
Operation.metadata:RotateSymmetricKeyMetadata
Operation.response:SymmetricKey
RotateSymmetricKeyRequest
Field | Description |
---|---|
key_id | string Required. ID of the key to be rotated. The maximum string length in characters is 50. |
Operation
Field | Description |
---|---|
id | string ID of the operation. |
description | string Description of the operation. 0-256 characters long. |
created_at | google.protobuf.Timestamp Creation timestamp. |
created_by | string ID of the user or service account who initiated the operation. |
modified_at | google.protobuf.Timestamp The time when the Operation resource was last modified. |
done | bool If the value is false, it means the operation is still in progress. If true, the operation is completed, and either error or response is available. |
metadata | google.protobuf.Any Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any. |
result | oneof: error or response The operation result. If done == false and there was no failure detected, neither error nor response is set. If done == false and there was a failure detected, error is set. If done == true, exactly one of error or response is set. |
error | google.rpc.Status The error result of the operation in case of failure or cancellation. |
response | google.protobuf.Any Set if the operation finished successfully; contains SymmetricKey. |
RotateSymmetricKeyMetadata
Field | Description |
---|---|
key_id | string ID of the key being rotated. |
new_primary_version_id | string ID of the version generated as a result of key rotation. |
SymmetricKey
Field | Description |
---|---|
id | string ID of the key. |
folder_id | string ID of the folder that the key belongs to. |
created_at | google.protobuf.Timestamp Time when the key was created. |
name | string Name of the key. |
description | string Description of the key. |
labels | map<string,string> Custom labels for the key as key:value pairs. Maximum 64 per key. |
status | enum Status Current status of the key. |
primary_version | SymmetricKeyVersion Primary version of the key, used as the default for all encrypt/decrypt operations, when no version ID is specified. |
default_algorithm | enum SymmetricAlgorithm Default encryption algorithm to be used with new versions of the key. |
rotated_at | google.protobuf.Timestamp Time of the last key rotation (time when the last version was created). Empty if the key does not have versions yet. |
rotation_period | google.protobuf.Duration Time period between automatic key rotations. |
deletion_protection | bool Flag that inhibits deletion of the key. |
SymmetricKeyVersion
Field | Description |
---|---|
id | string ID of the key version. |
key_id | string ID of the symmetric KMS key that the version belongs to. |
status | enum Status Status of the key version. |
algorithm | enum SymmetricAlgorithm Encryption algorithm that should be used when using the key version to encrypt plaintext. |
created_at | google.protobuf.Timestamp Time when the key version was created. |
primary | bool Indicates the primary version, which is used by default for all cryptographic operations that don't have a key version explicitly specified. |
destroy_at | google.protobuf.Timestamp Time when the key version is going to be destroyed. Empty unless the status is SCHEDULED_FOR_DESTRUCTION. |
hosted_by_hsm | bool Indicates whether the version is hosted by an HSM. |
ListOperations
Lists operations for the specified symmetric KMS key.
rpc ListOperations (ListSymmetricKeyOperationsRequest) returns (ListSymmetricKeyOperationsResponse)
ListSymmetricKeyOperationsRequest
Field | Description |
---|---|
key_id | string Required. ID of the symmetric KMS key to get operations for. To get the key ID, use a SymmetricKeyService.List request. The maximum string length in characters is 50. |
page_size | int64 The maximum number of results per page that should be returned. If the number of available results is larger than page_size, the service returns a ListSymmetricKeyOperationsResponse.next_page_token that can be used to get the next page of results in subsequent list requests. Default value: 100. The maximum value is 1000. |
page_token | string Page token. To get the next page of results, set page_token to the ListSymmetricKeyOperationsResponse.next_page_token returned by a previous list request. The maximum string length in characters is 100. |
ListSymmetricKeyOperationsResponse
Field | Description |
---|---|
operations[] | operation.Operation List of operations for the specified key. |
next_page_token | string This token allows you to get the next page of results for list requests. If the number of results is larger than ListSymmetricKeyOperationsRequest.page_size, use the next_page_token as the value for the ListSymmetricKeyOperationsRequest.page_token query parameter in the next list request. Each subsequent list request will have its own next_page_token to continue paging through the results. |
Operation
Field | Description |
---|---|
id | string ID of the operation. |
description | string Description of the operation. 0-256 characters long. |
created_at | google.protobuf.Timestamp Creation timestamp. |
created_by | string ID of the user or service account who initiated the operation. |
modified_at | google.protobuf.Timestamp The time when the Operation resource was last modified. |
done | bool If the value is false, it means the operation is still in progress. If true, the operation is completed, and either error or response is available. |
metadata | google.protobuf.Any Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any. |
result | oneof: error or response The operation result. If done == false and there was no failure detected, neither error nor response is set. If done == false and there was a failure detected, error is set. If done == true, exactly one of error or response is set. |
error | google.rpc.Status The error result of the operation in case of failure or cancellation. |
response | google.protobuf.Any The normal response of the operation in case of success. If the original method returns no data on success, such as Delete, the response is google.protobuf.Empty. |
ListAccessBindings
Lists existing access bindings for the specified key.
rpc ListAccessBindings (ListAccessBindingsRequest) returns (ListAccessBindingsResponse)
ListAccessBindingsRequest
Field | Description |
---|---|
resource_id | string Required. ID of the resource to list access bindings for. To get the resource ID, use a corresponding List request. For example, use the yandex.cloud.resourcemanager.v1.CloudService.List request to get the Cloud resource ID. The maximum string length in characters is 50. |
page_size | int64 The maximum number of results per page that should be returned. If the number of available results is larger than page_size, the service returns a ListAccessBindingsResponse.next_page_token that can be used to get the next page of results in subsequent list requests. Default value: 100. The maximum value is 1000. |
page_token | string Page token. Set page_token to the ListAccessBindingsResponse.next_page_token returned by a previous list request to get the next page of results. The maximum string length in characters is 100. |
ListAccessBindingsResponse
Field | Description |
---|---|
access_bindings[] | AccessBinding List of access bindings for the specified resource. |
next_page_token | string This token allows you to get the next page of results for list requests. If the number of results is larger than ListAccessBindingsRequest.page_size, use the next_page_token as the value for the ListAccessBindingsRequest.page_token query parameter in the next list request. Each subsequent list request will have its own next_page_token to continue paging through the results. |
AccessBinding
Field | Description |
---|---|
role_id | string Required. ID of the yandex.cloud.iam.v1.Role that is assigned to the subject. The maximum string length in characters is 50. |
subject | Subject Required. Identity for which access binding is being created. It can represent an account with a unique ID or several accounts with a system identifier. |
Subject
Field | Description |
---|---|
id | string Required. ID of the subject. It can contain one of the following values:
type is system.
type is userAccount, federatedUser or serviceAccount. The maximum string length in characters is 50. |
type | string Required. Type of the subject. It can contain one of the following values:
For more information, see Subject to which the role is assigned. The maximum string length in characters is 100. |
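A key's access bindings are only fully reviewed once every page has been read, and bindings whose subject type is system deserve a closer look because they cover several accounts rather than one. The following is an added example, not code from the service documentation; `list_page` is a hypothetical stand-in for the ListAccessBindings call that takes and returns dicts shaped like the tables above, and all role and subject IDs are constructed.

```python
# Added example. `list_page` stands in for the ListAccessBindings call and is
# an assumption: it takes a request dict and returns a response dict shaped
# like the ListAccessBindingsRequest/Response tables above.

def iter_access_bindings(list_page, resource_id, page_size=100):
    """Yield every AccessBinding for a key, following next_page_token."""
    if not 1 <= page_size <= 1000:
        raise ValueError("page_size must be between 1 and 1000")
    token, seen = "", set()
    while True:
        resp = list_page({"resource_id": resource_id,
                          "page_size": page_size, "page_token": token})
        yield from resp.get("access_bindings", [])
        token = resp.get("next_page_token", "")
        if not token:
            return  # no further pages
        if token in seen:  # defensive: never loop on a repeated token
            raise RuntimeError("repeated page token")
        seen.add(token)


def system_subject_bindings(bindings):
    """Return (role_id, subject id) for bindings granted to a `system` subject,
    i.e. an identifier that covers several accounts rather than one account."""
    return [(b["role_id"], b["subject"]["id"])
            for b in bindings if b["subject"]["type"] == "system"]


# Constructed sample data: two pages of bindings for one key.
PAGES = {
    "": {"access_bindings": [
            {"role_id": "example.role.reader",
             "subject": {"id": "example-user-1", "type": "userAccount"}}],
         "next_page_token": "p2"},
    "p2": {"access_bindings": [
            {"role_id": "example.role.writer",
             "subject": {"id": "example-system-id", "type": "system"}},
            {"role_id": "example.role.reader",
             "subject": {"id": "example-sa-1", "type": "serviceAccount"}}],
           "next_page_token": ""},
}


def fake_list_page(request):
    """Serve the constructed pages keyed by page_token."""
    return PAGES[request["page_token"]]
```

An audit that stops after the first page would report no system-wide grants for this sample key, because the only such binding is on the second page.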
SetAccessBindings
Sets access bindings for the key.
rpc SetAccessBindings (SetAccessBindingsRequest) returns (operation.Operation)
Metadata and response of Operation:
Operation.metadata:SetAccessBindingsMetadata
Operation.response:google.protobuf.Empty
SetAccessBindingsRequest
Field | Description |
---|---|
resource_id | string Required. ID of the resource for which access bindings are being set. To get the resource ID, use a corresponding List request. The maximum string length in characters is 50. |
access_bindings[] | AccessBinding Required. Access bindings to be set. For more information, see Access Bindings. |
AccessBinding
Field | Description |
---|---|
role_id | string Required. ID of the yandex.cloud.iam.v1.Role that is assigned to the subject. The maximum string length in characters is 50. |
subject | Subject Required. Identity for which access binding is being created. It can represent an account with a unique ID or several accounts with a system identifier. |
Subject
Field | Description |
---|---|
id | string Required. ID of the subject. It can contain one of the following values:
type is system.
type is userAccount, federatedUser or serviceAccount. The maximum string length in characters is 50. |
type | string Required. Type of the subject. It can contain one of the following values:
For more information, see Subject to which the role is assigned. The maximum string length in characters is 100. |
Operation
Field | Description |
---|---|
id | string ID of the operation. |
description | string Description of the operation. 0-256 characters long. |
created_at | google.protobuf.Timestamp Creation timestamp. |
created_by | string ID of the user or service account who initiated the operation. |
modified_at | google.protobuf.Timestamp The time when the Operation resource was last modified. |
done | bool If the value is false, it means the operation is still in progress. If true, the operation is completed, and either error or response is available. |
metadata | google.protobuf.Any Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any. |
result | oneof: error or response The operation result. If done == false and there was no failure detected, neither error nor response is set. If done == false and there was a failure detected, error is set. If done == true, exactly one of error or response is set. |
error | google.rpc.Status The error result of the operation in case of failure or cancellation. |
response | google.protobuf.Any Set if the operation finished successfully; contains google.protobuf.Empty. |
SetAccessBindingsMetadata
Field | Description |
---|---|
resource_id | string ID of the resource for which access bindings are being set. |
UpdateAccessBindings
Updates access bindings for the specified key.
rpc UpdateAccessBindings (UpdateAccessBindingsRequest) returns (operation.Operation)
Metadata and response of Operation:
Operation.metadata:UpdateAccessBindingsMetadata
Operation.response:google.protobuf.Empty
UpdateAccessBindingsRequest
Field | Description |
---|---|
resource_id | string Required. ID of the resource for which access bindings are being updated. The maximum string length in characters is 50. |
access_binding_deltas[] | AccessBindingDelta Required. Updates to access bindings. The number of elements must be greater than 0. |
AccessBindingDelta
Field | Description |
---|---|
action | enum AccessBindingAction Required. The action that is being performed on an access binding. |
access_binding | AccessBinding Required. Access binding. For more information, see Access Bindings. |
AccessBinding
Field | Description |
---|---|
role_id | string Required. ID of the yandex.cloud.iam.v1.Role that is assigned to the subject. The maximum string length in characters is 50. |
subject | Subject Required. Identity for which access binding is being created. It can represent an account with a unique ID or several accounts with a system identifier. |
Subject
Field | Description |
---|---|
id | string Required. ID of the subject. It can contain one of the following values:
type is system.
type is userAccount, federatedUser or serviceAccount. The maximum string length in characters is 50. |
type | string Required. Type of the subject. It can contain one of the following values:
For more information, see Subject to which the role is assigned. The maximum string length in characters is 100. |
Operation
Field | Description |
---|---|
id | string ID of the operation. |
description | string Description of the operation. 0-256 characters long. |
created_at | google.protobuf.Timestamp Creation timestamp. |
created_by | string ID of the user or service account who initiated the operation. |
modified_at | google.protobuf.Timestamp The time when the Operation resource was last modified. |
done | bool If the value is false, it means the operation is still in progress. If true, the operation is completed, and either error or response is available. |
metadata | google.protobuf.Any Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any. |
result | oneof: error or response The operation result. If done == false and there was no failure detected, neither error nor response is set. If done == false and there was a failure detected, error is set. If done == true, exactly one of error or response is set. |
error | google.rpc.Status The error result of the operation in case of failure or cancellation. |
response | google.protobuf.Any Set if the operation finished successfully; contains google.protobuf.Empty. |
UpdateAccessBindingsMetadata
Field | Description |
---|---|
resource_id | string ID of the resource for which access bindings are being updated. |