service.proto 57 KB

  // Copyright 2021 Google LLC
  //
  // Licensed under the Apache License, Version 2.0 (the "License");
  // you may not use this file except in compliance with the License.
  // You may obtain a copy of the License at
  //
  // http://www.apache.org/licenses/LICENSE-2.0
  //
  // Unless required by applicable law or agreed to in writing, software
  // distributed under the License is distributed on an "AS IS" BASIS,
  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  // See the License for the specific language governing permissions and
  // limitations under the License.
  syntax = "proto3";

  package google.cloud.kms.v1;

  // The google/api/* imports supply the HTTP, client, field-behavior and
  // resource annotations used as options throughout this file. resources.proto
  // presumably declares the KeyRing, CryptoKey, CryptoKeyVersion and ImportJob
  // types referenced below - they are not defined in the part of the file
  // shown here.
  import "google/api/annotations.proto";
  import "google/api/client.proto";
  import "google/api/field_behavior.proto";
  import "google/api/resource.proto";
  import "google/cloud/kms/v1/resources.proto";
  import "google/protobuf/field_mask.proto";
  import "google/protobuf/wrappers.proto";

  // Code-generation options for the individual target languages.
  option cc_enable_arenas = true;
  option csharp_namespace = "Google.Cloud.Kms.V1";
  option go_package = "google.golang.org/genproto/googleapis/cloud/kms/v1;kms";
  option java_multiple_files = true;
  option java_outer_classname = "KmsProto";
  option java_package = "com.google.cloud.kms.v1";
  option php_namespace = "Google\\Cloud\\Kms\\V1";
  // Google Cloud Key Management Service
  //
  // Manages cryptographic keys and the operations performed with them. The API
  // follows a REST resource model built from these objects:
  //
  // * [KeyRing][google.cloud.kms.v1.KeyRing]
  // * [CryptoKey][google.cloud.kms.v1.CryptoKey]
  // * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
  // * [ImportJob][google.cloud.kms.v1.ImportJob]
  //
  // Callers using hand-written gRPC clients should read
  // [Using gRPC with Cloud KMS](https://cloud.google.com/kms/docs/grpc).
  //
  // NOTE(review): the RPCs below read key metadata, change key lifecycle state,
  // or perform cryptographic operations with keys held by the service. Nothing
  // in this definition expresses per-resource authorization; the OAuth scopes
  // declared on the service only bound what a token may be used for.
  service KeyManagementService {
    option (google.api.default_host) = "cloudkms.googleapis.com";

    // Two scopes are declared: the broad `cloud-platform` scope and the
    // KMS-specific `cloudkms` scope. NOTE(review): credentials that only need
    // key management are better issued with the narrower scope - confirm
    // against the deployment.
    option (google.api.oauth_scopes) =
        "https://www.googleapis.com/auth/cloud-platform,"
        "https://www.googleapis.com/auth/cloudkms";

    // Lists the [KeyRings][google.cloud.kms.v1.KeyRing] of a location.
    rpc ListKeyRings(ListKeyRingsRequest) returns (ListKeyRingsResponse) {
      option (google.api.http) = {
        get: "/v1/{parent=projects/*/locations/*}/keyRings"
      };
      option (google.api.method_signature) = "parent";
    }

    // Lists the [CryptoKeys][google.cloud.kms.v1.CryptoKey] of a KeyRing.
    rpc ListCryptoKeys(ListCryptoKeysRequest) returns (ListCryptoKeysResponse) {
      option (google.api.http) = {
        get: "/v1/{parent=projects/*/locations/*/keyRings/*}/cryptoKeys"
      };
      option (google.api.method_signature) = "parent";
    }

    // Lists the [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] of a
    // CryptoKey.
    rpc ListCryptoKeyVersions(ListCryptoKeyVersionsRequest)
        returns (ListCryptoKeyVersionsResponse) {
      option (google.api.http) = {
        get: "/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions"
      };
      option (google.api.method_signature) = "parent";
    }

    // Lists the [ImportJobs][google.cloud.kms.v1.ImportJob] of a KeyRing.
    rpc ListImportJobs(ListImportJobsRequest) returns (ListImportJobsResponse) {
      option (google.api.http) = {
        get: "/v1/{parent=projects/*/locations/*/keyRings/*}/importJobs"
      };
      option (google.api.method_signature) = "parent";
    }

    // Returns metadata for a given [KeyRing][google.cloud.kms.v1.KeyRing].
    rpc GetKeyRing(GetKeyRingRequest) returns (KeyRing) {
      option (google.api.http) = {
        get: "/v1/{name=projects/*/locations/*/keyRings/*}"
      };
      option (google.api.method_signature) = "name";
    }

    // Returns metadata for a given [CryptoKey][google.cloud.kms.v1.CryptoKey],
    // together with its [primary][google.cloud.kms.v1.CryptoKey.primary]
    // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
    rpc GetCryptoKey(GetCryptoKeyRequest) returns (CryptoKey) {
      option (google.api.http) = {
        get: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}"
      };
      option (google.api.method_signature) = "name";
    }

    // Returns metadata for a given
    // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
    rpc GetCryptoKeyVersion(GetCryptoKeyVersionRequest)
        returns (CryptoKeyVersion) {
      option (google.api.http) = {
        get: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}"
      };
      option (google.api.method_signature) = "name";
    }

    // Returns the public key of the given
    // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. The
    // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be
    // [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN]
    // or
    // [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT].
    rpc GetPublicKey(GetPublicKeyRequest) returns (PublicKey) {
      option (google.api.http) = {
        get: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}/publicKey"
      };
      option (google.api.method_signature) = "name";
    }

    // Returns metadata for a given [ImportJob][google.cloud.kms.v1.ImportJob].
    rpc GetImportJob(GetImportJobRequest) returns (ImportJob) {
      option (google.api.http) = {
        get: "/v1/{name=projects/*/locations/*/keyRings/*/importJobs/*}"
      };
      option (google.api.method_signature) = "name";
    }

    // Creates a new [KeyRing][google.cloud.kms.v1.KeyRing] in a given Project
    // and Location.
    rpc CreateKeyRing(CreateKeyRingRequest) returns (KeyRing) {
      option (google.api.http) = {
        post: "/v1/{parent=projects/*/locations/*}/keyRings"
        body: "key_ring"
      };
      option (google.api.method_signature) = "parent,key_ring_id,key_ring";
    }

    // Creates a new [CryptoKey][google.cloud.kms.v1.CryptoKey] inside a
    // [KeyRing][google.cloud.kms.v1.KeyRing].
    //
    // Both [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] and
    // [CryptoKey.version_template.algorithm][google.cloud.kms.v1.CryptoKeyVersionTemplate.algorithm]
    // are required.
    rpc CreateCryptoKey(CreateCryptoKeyRequest) returns (CryptoKey) {
      option (google.api.http) = {
        post: "/v1/{parent=projects/*/locations/*/keyRings/*}/cryptoKeys"
        body: "crypto_key"
      };
      option (google.api.method_signature) = "parent,crypto_key_id,crypto_key";
    }

    // Creates a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in
    // a [CryptoKey][google.cloud.kms.v1.CryptoKey].
    //
    // The server assigns the next sequential id. When
    // [state][google.cloud.kms.v1.CryptoKeyVersion.state] is left unset it
    // becomes
    // [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED],
    // so by default the new version starts out enabled.
    rpc CreateCryptoKeyVersion(CreateCryptoKeyVersionRequest)
        returns (CryptoKeyVersion) {
      option (google.api.http) = {
        post: "/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions"
        body: "crypto_key_version"
      };
      option (google.api.method_signature) = "parent,crypto_key_version";
    }

    // Imports a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
    // into an existing [CryptoKey][google.cloud.kms.v1.CryptoKey], using the
    // wrapped key material carried in the request.
    //
    // The version receives the next sequential id within the
    // [CryptoKey][google.cloud.kms.v1.CryptoKey].
    //
    // Unlike the other create-style RPCs of this service, no
    // `method_signature` is declared here, and the whole request message is
    // the HTTP body.
    rpc ImportCryptoKeyVersion(ImportCryptoKeyVersionRequest)
        returns (CryptoKeyVersion) {
      option (google.api.http) = {
        post: "/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions:import"
        body: "*"
      };
    }

    // Creates a new [ImportJob][google.cloud.kms.v1.ImportJob] inside a
    // [KeyRing][google.cloud.kms.v1.KeyRing].
    //
    // [ImportJob.import_method][google.cloud.kms.v1.ImportJob.import_method] is
    // required.
    rpc CreateImportJob(CreateImportJobRequest) returns (ImportJob) {
      option (google.api.http) = {
        post: "/v1/{parent=projects/*/locations/*/keyRings/*}/importJobs"
        body: "import_job"
      };
      option (google.api.method_signature) = "parent,import_job_id,import_job";
    }

    // Updates a [CryptoKey][google.cloud.kms.v1.CryptoKey]. The flattened
    // client signature takes the key together with an `update_mask`.
    rpc UpdateCryptoKey(UpdateCryptoKeyRequest) returns (CryptoKey) {
      option (google.api.http) = {
        patch: "/v1/{crypto_key.name=projects/*/locations/*/keyRings/*/cryptoKeys/*}"
        body: "crypto_key"
      };
      option (google.api.method_signature) = "crypto_key,update_mask";
    }

    // Updates the metadata of a
    // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
    //
    // This method can move [state][google.cloud.kms.v1.CryptoKeyVersion.state]
    // between
    // [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
    // and
    // [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED].
    // Transitions to and from the other states go through
    // [DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion]
    // and
    // [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion].
    rpc UpdateCryptoKeyVersion(UpdateCryptoKeyVersionRequest)
        returns (CryptoKeyVersion) {
      option (google.api.http) = {
        patch: "/v1/{crypto_key_version.name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}"
        body: "crypto_key_version"
      };
      option (google.api.method_signature) = "crypto_key_version,update_mask";
    }

    // Encrypts data so that it can only be recovered by a call to
    // [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt]. The
    // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be
    // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
    //
    // The path template ends in `cryptoKeys/**`; unlike the single-segment `*`
    // used by Decrypt, `**` also matches deeper resource paths - presumably so
    // that a specific CryptoKeyVersion can be named. Confirm against
    // EncryptRequest, which is outside the part of the file shown here.
    rpc Encrypt(EncryptRequest) returns (EncryptResponse) {
      option (google.api.http) = {
        post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/**}:encrypt"
        body: "*"
      };
      option (google.api.method_signature) = "name,plaintext";
    }

    // Decrypts data that was protected by
    // [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. The
    // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be
    // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
    //
    // The path template binds `name` to a CryptoKey (`cryptoKeys/*`) only.
    rpc Decrypt(DecryptRequest) returns (DecryptResponse) {
      option (google.api.http) = {
        post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}:decrypt"
        body: "*"
      };
      option (google.api.method_signature) = "name,ciphertext";
    }

    // Signs data using a
    // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] whose
    // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] is
    // ASYMMETRIC_SIGN. The resulting signature can be verified with the public
    // key returned by
    // [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
    //
    // The flattened client signature is `name,digest`: the caller supplies a
    // digest rather than the raw message. NOTE(review): presumably the digest
    // algorithm has to match the key's algorithm - confirm against
    // AsymmetricSignRequest.
    rpc AsymmetricSign(AsymmetricSignRequest) returns (AsymmetricSignResponse) {
      option (google.api.http) = {
        post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:asymmetricSign"
        body: "*"
      };
      option (google.api.method_signature) = "name,digest";
    }

    // Decrypts data that was encrypted with a public key obtained from
    // [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey] for
    // a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] whose
    // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] is
    // ASYMMETRIC_DECRYPT.
    rpc AsymmetricDecrypt(AsymmetricDecryptRequest)
        returns (AsymmetricDecryptResponse) {
      option (google.api.http) = {
        post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:asymmetricDecrypt"
        body: "*"
      };
      option (google.api.method_signature) = "name,ciphertext";
    }

    // Changes which version of a [CryptoKey][google.cloud.kms.v1.CryptoKey] is
    // used by [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
    //
    // Fails with an error when the key's purpose is not
    // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
    rpc UpdateCryptoKeyPrimaryVersion(UpdateCryptoKeyPrimaryVersionRequest)
        returns (CryptoKey) {
      option (google.api.http) = {
        post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}:updatePrimaryVersion"
        body: "*"
      };
      option (google.api.method_signature) = "name,crypto_key_version_id";
    }

    // Schedules a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] for
    // destruction.
    //
    // The call sets
    // [CryptoKeyVersion.state][google.cloud.kms.v1.CryptoKeyVersion.state] to
    // [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED]
    // and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] to
    // a time 24 hours in the future. At that point the
    // [state][google.cloud.kms.v1.CryptoKeyVersion.state] changes to
    // [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED]
    // and the key material is irrevocably destroyed.
    //
    // Until [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time]
    // is reached,
    // [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]
    // can reverse the process.
    //
    // NOTE(review): once the key material is gone, data protected only by this
    // version can presumably no longer be decrypted. The window before
    // destroy_time is the only point at which the call can be undone, so calls
    // to this RPC are worth alerting on.
    rpc DestroyCryptoKeyVersion(DestroyCryptoKeyVersionRequest)
        returns (CryptoKeyVersion) {
      option (google.api.http) = {
        post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:destroy"
        body: "*"
      };
      option (google.api.method_signature) = "name";
    }

    // Restores a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that
    // is in the
    // [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED]
    // state.
    //
    // After restoration, [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
    // [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED]
    // and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] is
    // cleared. The version therefore comes back disabled, not enabled; moving
    // it to ENABLED is a separate
    // [UpdateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyVersion]
    // call.
    rpc RestoreCryptoKeyVersion(RestoreCryptoKeyVersionRequest)
        returns (CryptoKeyVersion) {
      option (google.api.http) = {
        post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:restore"
        body: "*"
      };
      option (google.api.method_signature) = "name";
    }
  }
  // Request message for
  // [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].
  message ListKeyRingsRequest {
    // Required. Resource name of the location whose
    // [KeyRings][google.cloud.kms.v1.KeyRing] are listed, in the format
    // `projects/*/locations/*`.
    string parent = 1 [
      (google.api.field_behavior) = REQUIRED,
      (google.api.resource_reference) = { type: "locations.googleapis.com/Location" }
    ];

    // Optional. Upper bound on the number of
    // [KeyRings][google.cloud.kms.v1.KeyRing] returned in one response. The
    // remaining results are fetched by sending
    // [ListKeyRingsResponse.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse.next_page_token]
    // in a follow-up request. When unset, the server picks a default.
    int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

    // Optional. Pagination token taken from an earlier
    // [ListKeyRingsResponse.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse.next_page_token].
    string page_token = 3 [(google.api.field_behavior) = OPTIONAL];

    // Optional. Restricts the response to resources matching this filter. See
    // [Sorting and filtering list
    // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
    // NOTE(review): free-form expression interpreted by the server; assemble
    // it from fixed templates, not from unvalidated end-user input.
    string filter = 4 [(google.api.field_behavior) = OPTIONAL];

    // Optional. Sort order of the results; the default order applies when
    // unset. See
    // [Sorting and filtering list
    // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
    string order_by = 5 [(google.api.field_behavior) = OPTIONAL];
  }
  // Request message for
  // [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
  message ListCryptoKeysRequest {
    // Required. Resource name of the [KeyRing][google.cloud.kms.v1.KeyRing] to
    // list, in the format `projects/*/locations/*/keyRings/*`.
    string parent = 1 [
      (google.api.field_behavior) = REQUIRED,
      (google.api.resource_reference) = { type: "cloudkms.googleapis.com/KeyRing" }
    ];

    // Optional. Upper bound on the number of
    // [CryptoKeys][google.cloud.kms.v1.CryptoKey] returned in one response. The
    // remaining results are fetched by sending
    // [ListCryptoKeysResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token]
    // in a follow-up request. When unset, the server picks a default.
    int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

    // Optional. Pagination token taken from an earlier
    // [ListCryptoKeysResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token].
    string page_token = 3 [(google.api.field_behavior) = OPTIONAL];

    // Selects which fields of the primary version appear in the response.
    // Unlike its neighbours, this field carries no field_behavior annotation.
    CryptoKeyVersion.CryptoKeyVersionView version_view = 4;

    // Optional. Restricts the response to resources matching this filter. See
    // [Sorting and filtering list
    // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
    // NOTE(review): free-form expression interpreted by the server; assemble
    // it from fixed templates, not from unvalidated end-user input.
    string filter = 5 [(google.api.field_behavior) = OPTIONAL];

    // Optional. Sort order of the results; the default order applies when
    // unset. See
    // [Sorting and filtering list
    // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
    string order_by = 6 [(google.api.field_behavior) = OPTIONAL];
  }
  // Request message for
  // [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
  message ListCryptoKeyVersionsRequest {
    // Required. Resource name of the
    // [CryptoKey][google.cloud.kms.v1.CryptoKey] to list, in the format
    // `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
    string parent = 1 [
      (google.api.field_behavior) = REQUIRED,
      (google.api.resource_reference) = { type: "cloudkms.googleapis.com/CryptoKey" }
    ];

    // Optional. Upper bound on the number of
    // [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] returned in
    // one response. The remaining results are fetched by sending
    // [ListCryptoKeyVersionsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token]
    // in a follow-up request. When unset, the server picks a default.
    int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

    // Optional. Pagination token taken from an earlier
    // [ListCryptoKeyVersionsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token].
    string page_token = 3 [(google.api.field_behavior) = OPTIONAL];

    // Selects which fields appear in the response. Unlike its neighbours,
    // this field carries no field_behavior annotation.
    CryptoKeyVersion.CryptoKeyVersionView view = 4;

    // Optional. Restricts the response to resources matching this filter. See
    // [Sorting and filtering list
    // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
    // NOTE(review): free-form expression interpreted by the server; assemble
    // it from fixed templates, not from unvalidated end-user input.
    string filter = 5 [(google.api.field_behavior) = OPTIONAL];

    // Optional. Sort order of the results; the default order applies when
    // unset. See
    // [Sorting and filtering list
    // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
    string order_by = 6 [(google.api.field_behavior) = OPTIONAL];
  }
  // Request message for
  // [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].
  message ListImportJobsRequest {
    // Required. Resource name of the [KeyRing][google.cloud.kms.v1.KeyRing] to
    // list, in the format `projects/*/locations/*/keyRings/*`.
    string parent = 1 [
      (google.api.field_behavior) = REQUIRED,
      (google.api.resource_reference) = { type: "cloudkms.googleapis.com/KeyRing" }
    ];

    // Optional. Upper bound on the number of
    // [ImportJobs][google.cloud.kms.v1.ImportJob] returned in one response. The
    // remaining results are fetched by sending
    // [ListImportJobsResponse.next_page_token][google.cloud.kms.v1.ListImportJobsResponse.next_page_token]
    // in a follow-up request. When unset, the server picks a default.
    int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

    // Optional. Pagination token taken from an earlier
    // [ListImportJobsResponse.next_page_token][google.cloud.kms.v1.ListImportJobsResponse.next_page_token].
    string page_token = 3 [(google.api.field_behavior) = OPTIONAL];

    // Optional. Restricts the response to resources matching this filter. See
    // [Sorting and filtering list
    // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
    // NOTE(review): free-form expression interpreted by the server; assemble
    // it from fixed templates, not from unvalidated end-user input.
    string filter = 4 [(google.api.field_behavior) = OPTIONAL];

    // Optional. Sort order of the results; the default order applies when
    // unset. See
    // [Sorting and filtering list
    // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
    string order_by = 5 [(google.api.field_behavior) = OPTIONAL];
  }
  // Response message for
  // [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].
  message ListKeyRingsResponse {
    // The [KeyRings][google.cloud.kms.v1.KeyRing] on this page.
    repeated KeyRing key_rings = 1;

    // Token for the next page of results. Send it back as
    // [ListKeyRingsRequest.page_token][google.cloud.kms.v1.ListKeyRingsRequest.page_token]
    // to retrieve that page.
    string next_page_token = 2;

    // Total number of [KeyRings][google.cloud.kms.v1.KeyRing] that matched
    // the query.
    int32 total_size = 3;
  }
  // Response message for
  // [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
  message ListCryptoKeysResponse {
    // The [CryptoKeys][google.cloud.kms.v1.CryptoKey] on this page.
    repeated CryptoKey crypto_keys = 1;

    // Token for the next page of results. Send it back as
    // [ListCryptoKeysRequest.page_token][google.cloud.kms.v1.ListCryptoKeysRequest.page_token]
    // to retrieve that page.
    string next_page_token = 2;

    // Total number of [CryptoKeys][google.cloud.kms.v1.CryptoKey] that matched
    // the query.
    int32 total_size = 3;
  }
  // Response message for
  // [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
  message ListCryptoKeyVersionsResponse {
    // The [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] on this
    // page.
    repeated CryptoKeyVersion crypto_key_versions = 1;

    // Token for the next page of results. Send it back as
    // [ListCryptoKeyVersionsRequest.page_token][google.cloud.kms.v1.ListCryptoKeyVersionsRequest.page_token]
    // to retrieve that page.
    string next_page_token = 2;

    // Total number of
    // [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] that matched
    // the query.
    int32 total_size = 3;
  }
  // Response message for
  // [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].
  message ListImportJobsResponse {
    // The [ImportJobs][google.cloud.kms.v1.ImportJob] on this page.
    repeated ImportJob import_jobs = 1;

    // Token for the next page of results. Send it back as
    // [ListImportJobsRequest.page_token][google.cloud.kms.v1.ListImportJobsRequest.page_token]
    // to retrieve that page.
    string next_page_token = 2;

    // Total number of [ImportJobs][google.cloud.kms.v1.ImportJob] that matched
    // the query.
    int32 total_size = 3;
  }
  // Request message for
  // [KeyManagementService.GetKeyRing][google.cloud.kms.v1.KeyManagementService.GetKeyRing].
  message GetKeyRingRequest {
    // Required. The [name][google.cloud.kms.v1.KeyRing.name] of the
    // [KeyRing][google.cloud.kms.v1.KeyRing] to fetch.
    string name = 1 [
      (google.api.field_behavior) = REQUIRED,
      (google.api.resource_reference) = { type: "cloudkms.googleapis.com/KeyRing" }
    ];
  }
  // Request message for
  // [KeyManagementService.GetCryptoKey][google.cloud.kms.v1.KeyManagementService.GetCryptoKey].
  message GetCryptoKeyRequest {
    // Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the
    // [CryptoKey][google.cloud.kms.v1.CryptoKey] to fetch.
    string name = 1 [
      (google.api.field_behavior) = REQUIRED,
      (google.api.resource_reference) = { type: "cloudkms.googleapis.com/CryptoKey" }
    ];
  }
  // Request message for
  // [KeyManagementService.GetCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.GetCryptoKeyVersion].
  message GetCryptoKeyVersionRequest {
    // Required. The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
    // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to fetch.
    string name = 1 [
      (google.api.field_behavior) = REQUIRED,
      (google.api.resource_reference) = { type: "cloudkms.googleapis.com/CryptoKeyVersion" }
    ];
  }
  // Request message for
  // [KeyManagementService.GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
  message GetPublicKeyRequest {
    // Required. The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
    // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] whose public key
    // is requested. The resource reference is the CryptoKeyVersion itself, so
    // the key is always selected per version.
    string name = 1 [
      (google.api.field_behavior) = REQUIRED,
      (google.api.resource_reference) = { type: "cloudkms.googleapis.com/CryptoKeyVersion" }
    ];
  }
  // Request message for
  // [KeyManagementService.GetImportJob][google.cloud.kms.v1.KeyManagementService.GetImportJob].
  message GetImportJobRequest {
    // Required. The [name][google.cloud.kms.v1.ImportJob.name] of the
    // [ImportJob][google.cloud.kms.v1.ImportJob] to fetch.
    string name = 1 [
      (google.api.field_behavior) = REQUIRED,
      (google.api.resource_reference) = { type: "cloudkms.googleapis.com/ImportJob" }
    ];
  }
  // Request message for
  // [KeyManagementService.CreateKeyRing][google.cloud.kms.v1.KeyManagementService.CreateKeyRing].
  message CreateKeyRingRequest {
    // Required. Resource name of the location that will hold the
    // [KeyRings][google.cloud.kms.v1.KeyRing], in the format
    // `projects/*/locations/*`.
    string parent = 1 [
      (google.api.field_behavior) = REQUIRED,
      (google.api.resource_reference) = { type: "locations.googleapis.com/Location" }
    ];

    // Required. Identifier of the new KeyRing. It must be unique within a
    // location and match the regular expression `[a-zA-Z0-9_-]{1,63}`.
    // NOTE(review): presumably this value becomes the final `keyRings/*`
    // segment of the resource name, so callers that build paths from it should
    // check it against the pattern themselves rather than rely on the server
    // alone - confirm against the callers.
    string key_ring_id = 2 [(google.api.field_behavior) = REQUIRED];

    // Required. A [KeyRing][google.cloud.kms.v1.KeyRing] carrying the initial
    // field values.
    KeyRing key_ring = 3 [(google.api.field_behavior) = REQUIRED];
  }
  // Request message for
  // [KeyManagementService.CreateCryptoKey][google.cloud.kms.v1.KeyManagementService.CreateCryptoKey].
  message CreateCryptoKeyRequest {
    // Required. The [name][google.cloud.kms.v1.KeyRing.name] of the KeyRing
    // that will contain the [CryptoKeys][google.cloud.kms.v1.CryptoKey].
    string parent = 1 [
      (google.api.field_behavior) = REQUIRED,
      (google.api.resource_reference) = {
        type: "cloudkms.googleapis.com/KeyRing"
      }
    ];

    // Required. Identifier for the new key. Must be unique within the KeyRing
    // and match the regular expression `[a-zA-Z0-9_-]{1,63}`.
    string crypto_key_id = 2 [(google.api.field_behavior) = REQUIRED];

    // Required. The [CryptoKey][google.cloud.kms.v1.CryptoKey] carrying the
    // initial field values.
    CryptoKey crypto_key = 3 [(google.api.field_behavior) = REQUIRED];

    // When true, the [CryptoKey][google.cloud.kms.v1.CryptoKey] is created
    // with no [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] at all.
    // The key cannot be used until a version is added by an explicit call to
    // [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
    // or
    // [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].
    bool skip_initial_version_creation = 5;
  }
  // Request message for
  // [KeyManagementService.CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion].
  message CreateCryptoKeyVersionRequest {
    // Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the
    // [CryptoKey][google.cloud.kms.v1.CryptoKey] that will own the
    // [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
    string parent = 1 [
      (google.api.field_behavior) = REQUIRED,
      (google.api.resource_reference) = {
        type: "cloudkms.googleapis.com/CryptoKey"
      }
    ];

    // Required. The [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
    // carrying the initial field values.
    CryptoKeyVersion crypto_key_version = 2
        [(google.api.field_behavior) = REQUIRED];
  }
  // Request message for
  // [KeyManagementService.ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].
  //
  // The key being imported travels in this request only in wrapped form (see
  // `wrapped_key_material`).
  message ImportCryptoKeyVersionRequest {
    // Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the
    // [CryptoKey][google.cloud.kms.v1.CryptoKey] that receives the imported
    // version.
    string parent = 1 [
      (google.api.field_behavior) = REQUIRED,
      (google.api.resource_reference) = {
        type: "cloudkms.googleapis.com/CryptoKey"
      }
    ];

    // Required. The
    // [algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
    // of the key being imported. It is not required to equal the
    // [version_template][google.cloud.kms.v1.CryptoKey.version_template] of the
    // [CryptoKey][google.cloud.kms.v1.CryptoKey] this version is imported into.
    CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 2
        [(google.api.field_behavior) = REQUIRED];

    // Required. The [name][google.cloud.kms.v1.ImportJob.name] of the
    // [ImportJob][google.cloud.kms.v1.ImportJob] that was used to wrap this
    // key material.
    string import_job = 4 [(google.api.field_behavior) = REQUIRED];

    // Required. The incoming wrapped key material to import.
    oneof wrapped_key_material {
      // Key material wrapped with
      // [RSA_OAEP_3072_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256]
      // or
      // [RSA_OAEP_4096_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA1_AES_256].
      //
      // The value is two wrapped keys concatenated in this order:
      // <ol>
      //   <li>An ephemeral AES-256 wrapping key, wrapped with the
      //       [public_key][google.cloud.kms.v1.ImportJob.public_key] using
      //       RSAES-OAEP with SHA-1, MGF1 with SHA-1, and an empty label.
      //   </li>
      //   <li>The key to be imported, wrapped with that ephemeral AES-256 key
      //       using AES-KWP (RFC 5649).
      //   </li>
      // </ol>
      //
      // For symmetric key material the unwrapped key is expected to be plain
      // bytes. For asymmetric key material the unwrapped key is expected to be
      // PKCS#8-encoded DER (the PrivateKeyInfo structure from RFC 5208).
      //
      // The layout is identical to the output of the PKCS#11 mechanism
      // CKM_RSA_AES_KEY_WRAP.
      //
      // NOTE(review): the OAEP hash, MGF1 hash and label are fixed by the
      // import method; presumably a blob wrapped with other parameters fails to
      // unwrap -- confirm against the ImportJob documentation.
      bytes rsa_aes_wrapped_key = 5;
    }
  }
  // Request message for
  // [KeyManagementService.CreateImportJob][google.cloud.kms.v1.KeyManagementService.CreateImportJob].
  message CreateImportJobRequest {
    // Required. The [name][google.cloud.kms.v1.KeyRing.name] of the
    // [KeyRing][google.cloud.kms.v1.KeyRing] that will contain the
    // [ImportJobs][google.cloud.kms.v1.ImportJob].
    string parent = 1 [
      (google.api.field_behavior) = REQUIRED,
      (google.api.resource_reference) = {
        type: "cloudkms.googleapis.com/KeyRing"
      }
    ];

    // Required. Identifier for the new import job. Must be unique within the
    // KeyRing and match the regular expression `[a-zA-Z0-9_-]{1,63}`.
    string import_job_id = 2 [(google.api.field_behavior) = REQUIRED];

    // Required. The [ImportJob][google.cloud.kms.v1.ImportJob] carrying the
    // initial field values.
    ImportJob import_job = 3 [(google.api.field_behavior) = REQUIRED];
  }
  // Request message for
  // [KeyManagementService.UpdateCryptoKey][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKey].
  message UpdateCryptoKeyRequest {
    // Required. The [CryptoKey][google.cloud.kms.v1.CryptoKey] holding the
    // updated values.
    CryptoKey crypto_key = 1 [(google.api.field_behavior) = REQUIRED];

    // Required. The list of fields that this request updates.
    google.protobuf.FieldMask update_mask = 2
        [(google.api.field_behavior) = REQUIRED];
  }
  // Request message for
  // [KeyManagementService.UpdateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyVersion].
  message UpdateCryptoKeyVersionRequest {
    // Required. The [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
    // holding the updated values.
    CryptoKeyVersion crypto_key_version = 1
        [(google.api.field_behavior) = REQUIRED];

    // Required. The list of fields that this request updates.
    google.protobuf.FieldMask update_mask = 2
        [(google.api.field_behavior) = REQUIRED];
  }
  // Request message for
  // [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
  //
  // The two `*_crc32c` fields are transport-integrity aids. CRC32C is an
  // unkeyed checksum: it catches accidental corruption in transit, not
  // deliberate modification.
  message EncryptRequest {
    // Required. Resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey]
    // or [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to encrypt
    // with.
    //
    // When a [CryptoKey][google.cloud.kms.v1.CryptoKey] is named, the server
    // uses its [primary version][google.cloud.kms.v1.CryptoKey.primary].
    // Because either resource kind is accepted, the resource reference below is
    // the wildcard "*".
    string name = 1 [
      (google.api.field_behavior) = REQUIRED,
      (google.api.resource_reference) = {
        type: "*"
      }
    ];

    // Required. The data to encrypt. Must be no larger than 64KiB.
    //
    // The effective limit depends on the key version's
    // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]:
    // for [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys the
    // plaintext must be no larger than 64KiB; for
    // [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys the combined length
    // of the plaintext and additional_authenticated_data fields must be no
    // larger than 8KiB.
    bytes plaintext = 2 [(google.api.field_behavior) = REQUIRED];

    // Optional. Data that, when supplied here, must be supplied again at
    // decryption time through
    // [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data].
    // The caller therefore has to keep the exact bytes available.
    //
    // The effective limit depends on the key version's
    // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]:
    // for [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys the AAD
    // must be no larger than 64KiB; for
    // [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys the combined length
    // of the plaintext and additional_authenticated_data fields must be no
    // larger than 8KiB.
    bytes additional_authenticated_data = 3
        [(google.api.field_behavior) = OPTIONAL];

    // Optional. CRC32C checksum of
    // [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext].
    // When set,
    // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] checks
    // the received
    // [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext]
    // against it and reports an error if verification fails. On a checksum
    // error, the client should confirm that
    // CRC32C([EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext])
    // equals
    // [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c]
    // and, if it does, retry a limited number of times. A persistent mismatch
    // may point to a problem in the client's CRC32C computation.
    // Note: the field is typed int64 for cross-language compatibility. The
    // value is a non-negative integer that never exceeds 2^32-1 and can be
    // safely downconverted to uint32 in languages that have that type.
    //
    // NOTE: This field is in Beta.
    google.protobuf.Int64Value plaintext_crc32c = 7
        [(google.api.field_behavior) = OPTIONAL];

    // Optional. CRC32C checksum of
    // [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data].
    // When set,
    // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] checks
    // the received
    // [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data]
    // against it and reports an error if verification fails. On a checksum
    // error, the client should confirm that
    // CRC32C([EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data])
    // equals
    // [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c]
    // and, if it does, retry a limited number of times. A persistent mismatch
    // may point to a problem in the client's CRC32C computation.
    // Note: the field is typed int64 for cross-language compatibility. The
    // value is a non-negative integer that never exceeds 2^32-1 and can be
    // safely downconverted to uint32 in languages that have that type.
    //
    // NOTE: This field is in Beta.
    google.protobuf.Int64Value additional_authenticated_data_crc32c = 8
        [(google.api.field_behavior) = OPTIONAL];
  }
  // Request message for
  // [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
  //
  // The two `*_crc32c` fields are transport-integrity aids. CRC32C is an
  // unkeyed checksum: it catches accidental corruption in transit, not
  // deliberate modification.
  message DecryptRequest {
    // Required. Resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey]
    // to decrypt with. The server selects the appropriate version.
    string name = 1 [
      (google.api.field_behavior) = REQUIRED,
      (google.api.resource_reference) = {
        type: "cloudkms.googleapis.com/CryptoKey"
      }
    ];

    // Required. The encrypted data as originally returned in
    // [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext].
    bytes ciphertext = 2 [(google.api.field_behavior) = REQUIRED];

    // Optional. Data that must match what was originally supplied in
    // [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data].
    bytes additional_authenticated_data = 3
        [(google.api.field_behavior) = OPTIONAL];

    // Optional. CRC32C checksum of
    // [DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext].
    // When set,
    // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] checks
    // the received
    // [DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext]
    // against it and reports an error if verification fails. On a checksum
    // error, the client should confirm that
    // CRC32C([DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext])
    // equals
    // [DecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.DecryptRequest.ciphertext_crc32c]
    // and, if it does, retry a limited number of times. A persistent mismatch
    // may point to a problem in the client's CRC32C computation.
    // Note: the field is typed int64 for cross-language compatibility. The
    // value is a non-negative integer that never exceeds 2^32-1 and can be
    // safely downconverted to uint32 in languages that have that type.
    //
    // NOTE: This field is in Beta.
    google.protobuf.Int64Value ciphertext_crc32c = 5
        [(google.api.field_behavior) = OPTIONAL];

    // Optional. CRC32C checksum of
    // [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data].
    // When set,
    // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] checks
    // the received
    // [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data]
    // against it and reports an error if verification fails. On a checksum
    // error, the client should confirm that
    // CRC32C([DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data])
    // equals
    // [DecryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data_crc32c]
    // and, if it does, retry a limited number of times. A persistent mismatch
    // may point to a problem in the client's CRC32C computation.
    // Note: the field is typed int64 for cross-language compatibility. The
    // value is a non-negative integer that never exceeds 2^32-1 and can be
    // safely downconverted to uint32 in languages that have that type.
    //
    // NOTE: This field is in Beta.
    google.protobuf.Int64Value additional_authenticated_data_crc32c = 6
        [(google.api.field_behavior) = OPTIONAL];
  }
  // Request message for
  // [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].
  //
  // The caller hashes the data and submits only the digest; the service signs
  // what it is given.
  message AsymmetricSignRequest {
    // Required. Resource name of the
    // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to sign with.
    string name = 1 [
      (google.api.field_behavior) = REQUIRED,
      (google.api.resource_reference) = {
        type: "cloudkms.googleapis.com/CryptoKeyVersion"
      }
    ];

    // Required. The digest of the data to sign. It must have been produced
    // with the same digest algorithm that the key version's
    // [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm] specifies.
    Digest digest = 3 [(google.api.field_behavior) = REQUIRED];

    // Optional. CRC32C checksum of
    // [AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest].
    // When set,
    // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] checks
    // the received
    // [AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest]
    // against it and reports an error if verification fails. On a checksum
    // error, the client should confirm that
    // CRC32C([AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest])
    // equals
    // [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c]
    // and, if it does, retry a limited number of times. A persistent mismatch
    // may point to a problem in the client's CRC32C computation.
    // CRC32C is an unkeyed checksum: it catches accidental corruption in
    // transit, not deliberate modification.
    // Note: the field is typed int64 for cross-language compatibility. The
    // value is a non-negative integer that never exceeds 2^32-1 and can be
    // safely downconverted to uint32 in languages that have that type.
    //
    // NOTE: This field is in Beta.
    google.protobuf.Int64Value digest_crc32c = 4
        [(google.api.field_behavior) = OPTIONAL];
  }
  // Request message for
  // [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].
  message AsymmetricDecryptRequest {
    // Required. Resource name of the
    // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to decrypt with.
    string name = 1 [
      (google.api.field_behavior) = REQUIRED,
      (google.api.resource_reference) = {
        type: "cloudkms.googleapis.com/CryptoKeyVersion"
      }
    ];

    // Required. Data that was encrypted using OAEP under the public key of the
    // named [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
    bytes ciphertext = 3 [(google.api.field_behavior) = REQUIRED];

    // Optional. CRC32C checksum of
    // [AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext].
    // When set,
    // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] checks
    // the received
    // [AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext]
    // against it and reports an error if verification fails. On a checksum
    // error, the client should confirm that
    // CRC32C([AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext])
    // equals
    // [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c]
    // and, if it does, retry a limited number of times. A persistent mismatch
    // may point to a problem in the client's CRC32C computation.
    // CRC32C is an unkeyed checksum: it catches accidental corruption in
    // transit, not deliberate modification.
    // Note: the field is typed int64 for cross-language compatibility. The
    // value is a non-negative integer that never exceeds 2^32-1 and can be
    // safely downconverted to uint32 in languages that have that type.
    //
    // NOTE: This field is in Beta.
    google.protobuf.Int64Value ciphertext_crc32c = 4
        [(google.api.field_behavior) = OPTIONAL];
  }
  // Response message for
  // [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
  message DecryptResponse {
    // The decrypted data, as originally supplied in
    // [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext].
    bytes plaintext = 1;

    // Integrity verification field. CRC32C checksum of the returned
    // [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext].
    // To check integrity, compute the CRC32C of
    // [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext]
    // and compare it with this field. If the values differ, discard the
    // response and retry a limited number of times. A persistent mismatch may
    // point to a problem in the client's CRC32C computation. Note: receiving
    // this response message indicates that
    // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] was able
    // to successfully decrypt the
    // [ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext].
    // CRC32C is an unkeyed checksum: it catches accidental corruption in
    // transit, not deliberate modification.
    // Note: the field is typed int64 for cross-language compatibility. The
    // value is a non-negative integer that never exceeds 2^32-1 and can be
    // safely downconverted to uint32 in languages that have that type.
    //
    // NOTE: This field is in Beta.
    google.protobuf.Int64Value plaintext_crc32c = 2;
  }
  // Response message for
  // [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
  message EncryptResponse {
    // Resource name of the
    // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that performed
    // the encryption. Check this field to verify that the intended resource
    // was used for encryption.
    string name = 1;

    // The encrypted data.
    bytes ciphertext = 2;

    // Integrity verification field. CRC32C checksum of the returned
    // [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext].
    // To check integrity, compute the CRC32C of
    // [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext]
    // and compare it with this field. If the values differ, discard the
    // response and retry a limited number of times. A persistent mismatch may
    // point to a problem in the client's CRC32C computation.
    // CRC32C is an unkeyed checksum: it catches accidental corruption in
    // transit, not deliberate modification.
    // Note: the field is typed int64 for cross-language compatibility. The
    // value is a non-negative integer that never exceeds 2^32-1 and can be
    // safely downconverted to uint32 in languages that have that type.
    //
    // NOTE: This field is in Beta.
    google.protobuf.Int64Value ciphertext_crc32c = 4;

    // Integrity verification field. Flag telling whether
    // [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c]
    // reached [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
    // and was used to verify the integrity of the
    // [plaintext][google.cloud.kms.v1.EncryptRequest.plaintext]. False means
    // either that
    // [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c]
    // was left unset or that it was not delivered to
    // [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you
    // set
    // [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c]
    // and this field is still false, discard the response and retry a limited
    // number of times.
    //
    // NOTE: This field is in Beta.
    bool verified_plaintext_crc32c = 5;

    // Integrity verification field. Flag telling whether
    // [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c]
    // reached [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
    // and was used to verify the integrity of the
    // [AAD][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data].
    // False means either that
    // [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c]
    // was left unset or that it was not delivered to
    // [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you
    // set
    // [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c]
    // and this field is still false, discard the response and retry a limited
    // number of times.
    //
    // NOTE: This field is in Beta.
    bool verified_additional_authenticated_data_crc32c = 6;
  }
  // Response message for
  // [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].
  message AsymmetricSignResponse {
    // The created signature.
    bytes signature = 1;

    // Integrity verification field. CRC32C checksum of the returned
    // [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature].
    // To check integrity, compute the CRC32C of
    // [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature]
    // and compare it with this field. If the values differ, discard the
    // response and retry a limited number of times. A persistent mismatch may
    // point to a problem in the client's CRC32C computation.
    // CRC32C is an unkeyed checksum: it catches accidental corruption in
    // transit, not deliberate modification.
    // Note: the field is typed int64 for cross-language compatibility. The
    // value is a non-negative integer that never exceeds 2^32-1 and can be
    // safely downconverted to uint32 in languages that have that type.
    //
    // NOTE: This field is in Beta.
    google.protobuf.Int64Value signature_crc32c = 2;

    // Integrity verification field. Flag telling whether
    // [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c]
    // reached [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
    // and was used to verify the integrity of the
    // [digest][google.cloud.kms.v1.AsymmetricSignRequest.digest]. False means
    // either that
    // [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c]
    // was left unset or that it was not delivered to
    // [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you
    // set
    // [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c]
    // and this field is still false, discard the response and retry a limited
    // number of times.
    //
    // NOTE: This field is in Beta.
    bool verified_digest_crc32c = 3;

    // Resource name of the
    // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that produced
    // the signature. Check this field to verify that the intended resource was
    // used for signing.
    //
    // NOTE: This field is in Beta.
    string name = 4;
  }
  // Response message for
  // [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].
  message AsymmetricDecryptResponse {
    // The decrypted data, originally encrypted with the matching public key.
    bytes plaintext = 1;

    // Integrity verification field. CRC32C checksum of the returned
    // [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext].
    // To check integrity, compute the CRC32C of
    // [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext]
    // and compare it with this field. If the values differ, discard the
    // response and retry a limited number of times. A persistent mismatch may
    // point to a problem in the client's CRC32C computation.
    // CRC32C is an unkeyed checksum: it catches accidental corruption in
    // transit, not deliberate modification.
    // Note: the field is typed int64 for cross-language compatibility. The
    // value is a non-negative integer that never exceeds 2^32-1 and can be
    // safely downconverted to uint32 in languages that have that type.
    //
    // NOTE: This field is in Beta.
    google.protobuf.Int64Value plaintext_crc32c = 2;

    // Integrity verification field. Flag telling whether
    // [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c]
    // reached [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
    // and was used to verify the integrity of the
    // [ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext].
    // False means either that
    // [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c]
    // was left unset or that it was not delivered to
    // [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you
    // set
    // [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c]
    // and this field is still false, discard the response and retry a limited
    // number of times.
    //
    // NOTE: This field is in Beta.
    bool verified_ciphertext_crc32c = 3;
  }
  // Request message for
  // [KeyManagementService.UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion].
  message UpdateCryptoKeyPrimaryVersionRequest {
    // Required. Resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey]
    // to update.
    string name = 1 [
      (google.api.field_behavior) = REQUIRED,
      (google.api.resource_reference) = {
        type: "cloudkms.googleapis.com/CryptoKey"
      }
    ];

    // Required. The id of the child
    // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to make primary.
    string crypto_key_version_id = 2 [(google.api.field_behavior) = REQUIRED];
  }
  // Request message for
  // [KeyManagementService.DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion].
  //
  // NOTE(review): the version lifecycle is not described in this message;
  // confirm what RestoreCryptoKeyVersion can still undo before treating a
  // destroy call as reversible.
  message DestroyCryptoKeyVersionRequest {
    // Required. Resource name of the
    // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to destroy.
    string name = 1 [
      (google.api.field_behavior) = REQUIRED,
      (google.api.resource_reference) = {
        type: "cloudkms.googleapis.com/CryptoKeyVersion"
      }
    ];
  }
  // Request message for
  // [KeyManagementService.RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion].
  message RestoreCryptoKeyVersionRequest {
    // Required. Resource name of the
    // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to restore.
    string name = 1 [
      (google.api.field_behavior) = REQUIRED,
      (google.api.resource_reference) = {
        type: "cloudkms.googleapis.com/CryptoKeyVersion"
      }
    ];
  }
  // A [Digest][google.cloud.kms.v1.Digest] holds a cryptographic message
  // digest. The members form a oneof, so at most one of them is set.
  message Digest {
    // Required. The message digest.
    oneof digest {
      // A message digest produced with the SHA-256 algorithm (a SHA-256 output
      // is 32 bytes long).
      bytes sha256 = 1;

      // A message digest produced with the SHA-384 algorithm (a SHA-384 output
      // is 48 bytes long).
      bytes sha384 = 2;

      // A message digest produced with the SHA-512 algorithm (a SHA-512 output
      // is 64 bytes long).
      bytes sha512 = 3;
    }
  }
  // Cloud KMS metadata for the given
  // [google.cloud.location.Location][google.cloud.location.Location].
  message LocationMetadata {
    // Whether [CryptoKeys][google.cloud.kms.v1.CryptoKey] with
    // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]
    // [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] can be created in this
    // location.
    bool hsm_available = 1;

    // Whether [CryptoKeys][google.cloud.kms.v1.CryptoKey] with
    // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]
    // [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] can be created
    // in this location.
    bool ekm_available = 2;
  }