KMS Inventory API . projects . cryptoKeys

Instance Methods

close()

Close httplib2 connections.

list(parent, pageSize=None, pageToken=None, x__xgafv=None)

Returns cryptographic keys managed by Cloud KMS in a given Cloud project. Note that this data is sourced from snapshots, meaning it may not completely reflect the actual state of key metadata at call time.

list_next()

Retrieves the next page of results.

Method Details

close()
Close httplib2 connections.

list(parent, pageSize=None, pageToken=None, x__xgafv=None)
Returns cryptographic keys managed by Cloud KMS in a given Cloud project. Note that this data is sourced from snapshots, meaning it may not completely reflect the actual state of key metadata at call time.

Args:
  parent: string, Required. The Google Cloud project for which to retrieve key metadata, in the format `projects/*` (required)
  pageSize: integer, Optional. The maximum number of keys to return. The service may return fewer than this value. If unspecified, at most 1000 keys will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000.
  pageToken: string, Optional. Pass this into a subsequent request in order to receive the next page of results.
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

{ # Response message for KeyDashboardService.ListCryptoKeys.
  "cryptoKeys": [ # The list of CryptoKeys.
    { # A CryptoKey represents a logical key that can be used for cryptographic operations. A CryptoKey is made up of zero or more versions, which represent the actual key material used in cryptographic operations.
      "createTime": "A String", # Output only. The time at which this CryptoKey was created.
      "cryptoKeyBackend": "A String", # Immutable. The resource name of the backend environment where the key material for all CryptoKeyVersions associated with this CryptoKey reside and where all related cryptographic operations are performed. Only applicable if CryptoKeyVersions have a ProtectionLevel of EXTERNAL_VPC, with the resource name in the format `projects/*/locations/*/ekmConnections/*`. Note, this list is non-exhaustive and may apply to additional ProtectionLevels in the future.
      "destroyScheduledDuration": "A String", # Immutable. The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 30 days.
      "importOnly": True or False, # Immutable. Whether this key may contain imported versions only.
      "keyAccessJustificationsPolicy": { # A KeyAccessJustificationsPolicy specifies zero or more allowed AccessReason values for encrypt, decrypt, and sign operations on a CryptoKey. # Optional. The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed.
        "allowedAccessReasons": [ # The list of allowed reasons for access to a CryptoKey. Zero allowed access reasons means all encrypt, decrypt, and sign operations for the CryptoKey associated with this policy will fail.
          "A String",
        ],
      },
      "labels": { # Labels with user-defined metadata. For more information, see [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys).
        "a_key": "A String",
      },
      "name": "A String", # Output only. The resource name for this CryptoKey in the format `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
      "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically: 1. Create a new version of this CryptoKey. 2. Mark the new version as primary. Key rotations performed manually via CreateCryptoKeyVersion and UpdateCryptoKeyPrimaryVersion do not affect next_rotation_time. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
      "primary": { # A CryptoKeyVersion represents an individual cryptographic key, and the associated key material. An ENABLED version can be used for cryptographic operations. For security reasons, the raw cryptographic key material represented by a CryptoKeyVersion can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS. # Output only. A copy of the "primary" CryptoKeyVersion that will be used by Encrypt when this CryptoKey is given in EncryptRequest.name. The CryptoKey's primary version can be updated via UpdateCryptoKeyPrimaryVersion. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be omitted.
        "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.
        "attestation": { # Contains an HSM-generated attestation about a key operation. For more information, see [Verifying attestations](https://cloud.google.com/kms/docs/attest-key). # Output only. Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with protection_level HSM.
          "certChains": { # Certificate chains needed to verify the attestation. Certificates in chains are PEM-encoded and are ordered based on https://tools.ietf.org/html/rfc5246#section-7.4.2. # Output only. The certificate chains needed to validate the attestation
            "caviumCerts": [ # Cavium certificate chain corresponding to the attestation.
              "A String",
            ],
            "googleCardCerts": [ # Google card certificate chain corresponding to the attestation.
              "A String",
            ],
            "googlePartitionCerts": [ # Google partition certificate chain corresponding to the attestation.
              "A String",
            ],
          },
          "content": "A String", # Output only. The attestation data provided by the HSM when the key operation was performed.
          "format": "A String", # Output only. The format of the attestation data.
        },
        "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
        "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was destroyed. Only present if state is DESTROYED.
        "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled for destruction. Only present if state is DESTROY_SCHEDULED.
        "externalDestructionFailureReason": "A String", # Output only. The root cause of the most recent external destruction failure. Only present if state is EXTERNAL_DESTRUCTION_FAILED.
        "externalProtectionLevelOptions": { # ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels.
          "ekmConnectionKeyPath": "A String", # The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of external_key_uri when using an EkmConnection.
          "externalKeyUri": "A String", # The URI for an external resource that this CryptoKeyVersion represents.
        },
        "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was generated.
        "generationFailureReason": "A String", # Output only. The root cause of the most recent generation failure. Only present if state is GENERATION_FAILED.
        "importFailureReason": "A String", # Output only. The root cause of the most recent import failure. Only present if state is IMPORT_FAILED.
        "importJob": "A String", # Output only. The name of the ImportJob used in the most recent import of this CryptoKeyVersion. Only present if the underlying key material was imported.
        "importTime": "A String", # Output only. The time at which this CryptoKeyVersion's key material was most recently imported.
        "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
        "protectionLevel": "A String", # Output only. The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.
        "reimportEligible": True or False, # Output only. Whether or not this key version is eligible for reimport, by being specified as a target in ImportCryptoKeyVersionRequest.crypto_key_version.
        "state": "A String", # The current state of the CryptoKeyVersion.
      },
      "purpose": "A String", # Immutable. The immutable purpose of this CryptoKey.
      "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service automatically rotates a key. Must be at least 24 hours and at most 876,000 hours. If rotation_period is set, next_rotation_time must also be set. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
      "versionTemplate": { # A CryptoKeyVersionTemplate specifies the properties to use when creating a new CryptoKeyVersion, either manually with CreateCryptoKeyVersion or automatically as a result of auto-rotation. # A template describing settings for new CryptoKeyVersion instances. The properties of new CryptoKeyVersion instances created by either CreateCryptoKeyVersion or auto-rotation are controlled by this template.
        "algorithm": "A String", # Required. Algorithm to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
        "protectionLevel": "A String", # ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.
      },
    },
  ],
  "nextPageToken": "A String", # The page token returned from the previous response if the next page is desired.
}

list_next()
Retrieves the next page of results.

Args:
  previous_request: The request for the previous page. (required)
  previous_response: The response from the request for the previous page. (required)

Returns:
  A request object that you can call 'execute()' on to request the next page. Returns None if there are no more items in the collection.
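
The following is an added example, not part of the generated reference: it pages through `list()` / `list_next()` and checks each returned CryptoKey against fields documented above. The 90-day rotation limit, the set of accepted protection levels, and the names `iter_crypto_keys`, `parse_duration` and `audit_key` are assumptions for illustration; because the data comes from snapshots, findings describe the inventory snapshot rather than live key state.

```python
from datetime import timedelta

# Assumed policy values for illustration; neither comes from the API.
MAX_ROTATION = timedelta(days=90)
ALLOWED_LEVELS = {"HSM", "EXTERNAL", "EXTERNAL_VPC"}


def iter_crypto_keys(crypto_keys, parent, page_size=1000):
    """Yield every CryptoKey dict, paging until list_next() returns None.
    crypto_keys is the collection resource documented on this page, e.g.
    build("kmsinventory", "v1").projects().cryptoKeys().
    """
    request = crypto_keys.list(parent=parent, pageSize=page_size)
    while request is not None:
        response = request.execute()
        yield from response.get("cryptoKeys", [])
        request = crypto_keys.list_next(request, response)


def parse_duration(value):
    """Convert a Duration string such as '7776000s' to a timedelta."""
    return timedelta(seconds=float(value.rstrip("s")))


def audit_key(key):
    """Return findings for one CryptoKey dict from the inventory snapshot."""
    findings = []
    if key.get("purpose") == "ENCRYPT_DECRYPT":
        period = key.get("rotationPeriod")
        if period is None:
            findings.append("no automatic rotation")
        elif parse_duration(period) > MAX_ROTATION:
            findings.append("rotation period too long")
    primary = key.get("primary")
    if primary and primary.get("state") != "ENABLED":
        findings.append("primary version not ENABLED")
    level = key.get("versionTemplate", {}).get("protectionLevel", "SOFTWARE")
    if level not in ALLOWED_LEVELS:
        findings.append("protection level " + level)
    kaj = key.get("keyAccessJustificationsPolicy")
    if kaj is not None and not kaj.get("allowedAccessReasons"):
        findings.append("KAJ policy allows no access reasons")
    return findings


if __name__ == "__main__":
    # Constructed sample key, not real inventory output.
    sample = {"purpose": "ENCRYPT_DECRYPT", "rotationPeriod": "31536000s"}
    print(audit_key(sample))
```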