1<html><body> 2<style> 3 4body, h1, h2, h3, div, span, p, pre, a { 5 margin: 0; 6 padding: 0; 7 border: 0; 8 font-weight: inherit; 9 font-style: inherit; 10 font-size: 100%; 11 font-family: inherit; 12 vertical-align: baseline; 13} 14 15body { 16 font-size: 13px; 17 padding: 1em; 18} 19 20h1 { 21 font-size: 26px; 22 margin-bottom: 1em; 23} 24 25h2 { 26 font-size: 24px; 27 margin-bottom: 1em; 28} 29 30h3 { 31 font-size: 20px; 32 margin-bottom: 1em; 33 margin-top: 1em; 34} 35 36pre, code { 37 line-height: 1.5; 38 font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace; 39} 40 41pre { 42 margin-top: 0.5em; 43} 44 45h1, h2, h3, p { 46 font-family: Arial, sans serif; 47} 48 49h1, h2, h3 { 50 border-bottom: solid #CCC 1px; 51} 52 53.toc_element { 54 margin-top: 0.5em; 55} 56 57.firstline { 58 margin-left: 2 em; 59} 60 61.method { 62 margin-top: 1em; 63 border: solid 1px #CCC; 64 padding: 1em; 65 background: #EEE; 66} 67 68.details { 69 font-weight: bold; 70 font-size: 14px; 71} 72 73</style> 74 75<h1><a href="cloudkms_v1.html">Cloud Key Management Service (KMS) API</a> . <a href="cloudkms_v1.projects.html">projects</a> . <a href="cloudkms_v1.projects.locations.html">locations</a> . <a href="cloudkms_v1.projects.locations.keyRings.html">keyRings</a> . <a href="cloudkms_v1.projects.locations.keyRings.cryptoKeys.html">cryptoKeys</a></h1> 76<h2>Instance Methods</h2> 77<p class="toc_element"> 78 <code><a href="cloudkms_v1.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.html">cryptoKeyVersions()</a></code> 79</p> 80<p class="firstline">Returns the cryptoKeyVersions Resource.</p> 81 82<p class="toc_element"> 83 <code><a href="#create">create(parent, body, cryptoKeyId=None, x__xgafv=None)</a></code></p> 84<p class="firstline">Create a new CryptoKey within a KeyRing.</p> 85<p class="toc_element"> 86 <code><a href="#decrypt">decrypt(name, body, x__xgafv=None)</a></code></p> 87<p class="firstline">Decrypts data that was protected by Encrypt. The CryptoKey.purpose</p> 88<p class="toc_element"> 89 <code><a href="#encrypt">encrypt(name, body, x__xgafv=None)</a></code></p> 90<p class="firstline">Encrypts data, so that it can only be recovered by a call to Decrypt.</p> 91<p class="toc_element"> 92 <code><a href="#get">get(name, x__xgafv=None)</a></code></p> 93<p class="firstline">Returns metadata for a given CryptoKey, as well as its</p> 94<p class="toc_element"> 95 <code><a href="#getIamPolicy">getIamPolicy(resource, x__xgafv=None)</a></code></p> 96<p class="firstline">Gets the access control policy for a resource.</p> 97<p class="toc_element"> 98 <code><a href="#list">list(parent, versionView=None, pageToken=None, x__xgafv=None, pageSize=None)</a></code></p> 99<p class="firstline">Lists CryptoKeys.</p> 100<p class="toc_element"> 101 <code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p> 102<p class="firstline">Retrieves the next page of results.</p> 103<p class="toc_element"> 104 <code><a href="#patch">patch(name, body, updateMask=None, x__xgafv=None)</a></code></p> 105<p class="firstline">Update a CryptoKey.</p> 106<p class="toc_element"> 107 <code><a href="#setIamPolicy">setIamPolicy(resource, body, x__xgafv=None)</a></code></p> 108<p class="firstline">Sets the access control policy on the specified resource. Replaces any</p> 109<p class="toc_element"> 110 <code><a href="#testIamPermissions">testIamPermissions(resource, body, x__xgafv=None)</a></code></p> 111<p class="firstline">Returns permissions that a caller has on the specified resource.</p> 112<p class="toc_element"> 113 <code><a href="#updatePrimaryVersion">updatePrimaryVersion(name, body, x__xgafv=None)</a></code></p> 114<p class="firstline">Update the version of a CryptoKey that will be used in Encrypt.</p> 115<h3>Method Details</h3> 116<div class="method"> 117 <code class="details" id="create">create(parent, body, cryptoKeyId=None, x__xgafv=None)</code> 118 <pre>Create a new CryptoKey within a KeyRing. 119 120CryptoKey.purpose and 121CryptoKey.version_template.algorithm 122are required. 123 124Args: 125 parent: string, Required. The name of the KeyRing associated with the 126CryptoKeys. (required) 127 body: object, The request body. (required) 128 The object takes the form of: 129 130{ # A CryptoKey represents a logical key that can be used for cryptographic 131 # operations. 132 # 133 # A CryptoKey is made up of one or more versions, which 134 # represent the actual key material used in cryptographic operations. 135 "labels": { # Labels with user-defined metadata. For more information, see 136 # [Labeling Keys](/kms/docs/labeling-keys). 137 "a_key": "A String", 138 }, 139 "name": "A String", # Output only. The resource name for this CryptoKey in the format 140 # `projects/*/locations/*/keyRings/*/cryptoKeys/*`. 141 "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service 142 # automatically rotates a key. Must be at least one day. 143 # 144 # If rotation_period is set, next_rotation_time must also be set. 145 # 146 # Keys with purpose 147 # ENCRYPT_DECRYPT support 148 # automatic rotation. For other keys, this field must be omitted. 149 "primary": { # A CryptoKeyVersion represents an individual cryptographic key, and the # Output only. A copy of the "primary" CryptoKeyVersion that will be used 150 # by Encrypt when this CryptoKey is given 151 # in EncryptRequest.name. 152 # 153 # The CryptoKey's primary version can be updated via 154 # UpdateCryptoKeyPrimaryVersion. 155 # 156 # All keys with purpose 157 # ENCRYPT_DECRYPT have a 158 # primary. For other keys, this field will be omitted. 159 # associated key material. 160 # 161 # An ENABLED version can be 162 # used for cryptographic operations. 163 # 164 # For security reasons, the raw cryptographic key material represented by a 165 # CryptoKeyVersion can never be viewed or exported. It can only be used to 166 # encrypt, decrypt, or sign data when an authorized user or application invokes 167 # Cloud KMS. 168 "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled 169 # for destruction. Only present if state is 170 # DESTROY_SCHEDULED. 171 "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format 172 # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`. 173 "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this 174 # CryptoKeyVersion supports. 175 "protectionLevel": "A String", # Output only. The ProtectionLevel describing how crypto operations are 176 # performed with this CryptoKeyVersion. 177 "attestation": { # Contains an HSM-generated attestation about a key operation. For more # Output only. Statement that was generated and signed by the HSM at key 178 # creation time. Use this statement to verify attributes of the key as stored 179 # on the HSM, independently of Google. Only provided for key versions with 180 # protection_level HSM. 181 # information, see [Verifying attestations] 182 # (https://cloud.google.com/kms/docs/attest-key). 183 "content": "A String", # Output only. The attestation data provided by the HSM when the key 184 # operation was performed. 185 "format": "A String", # Output only. The format of the attestation data. 186 }, 187 "state": "A String", # The current state of the CryptoKeyVersion. 188 "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was 189 # destroyed. Only present if state is 190 # DESTROYED. 191 "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was 192 # generated. 193 "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created. 194 }, 195 "createTime": "A String", # Output only. The time at which this CryptoKey was created. 196 "purpose": "A String", # The immutable purpose of this CryptoKey. 197 "versionTemplate": { # A CryptoKeyVersionTemplate specifies the properties to use when creating # A template describing settings for new CryptoKeyVersion instances. 198 # The properties of new CryptoKeyVersion instances created by either 199 # CreateCryptoKeyVersion or 200 # auto-rotation are controlled by this template. 201 # a new CryptoKeyVersion, either manually with 202 # CreateCryptoKeyVersion or 203 # automatically as a result of auto-rotation. 204 "protectionLevel": "A String", # ProtectionLevel to use when creating a CryptoKeyVersion based on 205 # this template. Immutable. Defaults to SOFTWARE. 206 "algorithm": "A String", # Required. Algorithm to use 207 # when creating a CryptoKeyVersion based on this template. 208 # 209 # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both 210 # this field is omitted and CryptoKey.purpose is 211 # ENCRYPT_DECRYPT. 212 }, 213 "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically: 214 # 215 # 1. Create a new version of this CryptoKey. 216 # 2. Mark the new version as primary. 217 # 218 # Key rotations performed manually via 219 # CreateCryptoKeyVersion and 220 # UpdateCryptoKeyPrimaryVersion 221 # do not affect next_rotation_time. 222 # 223 # Keys with purpose 224 # ENCRYPT_DECRYPT support 225 # automatic rotation. For other keys, this field must be omitted. 226} 227 228 cryptoKeyId: string, Required. It must be unique within a KeyRing and match the regular 229expression `[a-zA-Z0-9_-]{1,63}` 230 x__xgafv: string, V1 error format. 231 Allowed values 232 1 - v1 error format 233 2 - v2 error format 234 235Returns: 236 An object of the form: 237 238 { # A CryptoKey represents a logical key that can be used for cryptographic 239 # operations. 240 # 241 # A CryptoKey is made up of one or more versions, which 242 # represent the actual key material used in cryptographic operations. 243 "labels": { # Labels with user-defined metadata. For more information, see 244 # [Labeling Keys](/kms/docs/labeling-keys). 245 "a_key": "A String", 246 }, 247 "name": "A String", # Output only. The resource name for this CryptoKey in the format 248 # `projects/*/locations/*/keyRings/*/cryptoKeys/*`. 249 "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service 250 # automatically rotates a key. Must be at least one day. 251 # 252 # If rotation_period is set, next_rotation_time must also be set. 253 # 254 # Keys with purpose 255 # ENCRYPT_DECRYPT support 256 # automatic rotation. For other keys, this field must be omitted. 257 "primary": { # A CryptoKeyVersion represents an individual cryptographic key, and the # Output only. A copy of the "primary" CryptoKeyVersion that will be used 258 # by Encrypt when this CryptoKey is given 259 # in EncryptRequest.name. 260 # 261 # The CryptoKey's primary version can be updated via 262 # UpdateCryptoKeyPrimaryVersion. 263 # 264 # All keys with purpose 265 # ENCRYPT_DECRYPT have a 266 # primary. For other keys, this field will be omitted. 267 # associated key material. 268 # 269 # An ENABLED version can be 270 # used for cryptographic operations. 271 # 272 # For security reasons, the raw cryptographic key material represented by a 273 # CryptoKeyVersion can never be viewed or exported. It can only be used to 274 # encrypt, decrypt, or sign data when an authorized user or application invokes 275 # Cloud KMS. 276 "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled 277 # for destruction. Only present if state is 278 # DESTROY_SCHEDULED. 279 "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format 280 # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`. 281 "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this 282 # CryptoKeyVersion supports. 283 "protectionLevel": "A String", # Output only. The ProtectionLevel describing how crypto operations are 284 # performed with this CryptoKeyVersion. 285 "attestation": { # Contains an HSM-generated attestation about a key operation. For more # Output only. Statement that was generated and signed by the HSM at key 286 # creation time. Use this statement to verify attributes of the key as stored 287 # on the HSM, independently of Google. Only provided for key versions with 288 # protection_level HSM. 289 # information, see [Verifying attestations] 290 # (https://cloud.google.com/kms/docs/attest-key). 291 "content": "A String", # Output only. The attestation data provided by the HSM when the key 292 # operation was performed. 293 "format": "A String", # Output only. The format of the attestation data. 294 }, 295 "state": "A String", # The current state of the CryptoKeyVersion. 296 "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was 297 # destroyed. Only present if state is 298 # DESTROYED. 299 "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was 300 # generated. 301 "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created. 302 }, 303 "createTime": "A String", # Output only. The time at which this CryptoKey was created. 304 "purpose": "A String", # The immutable purpose of this CryptoKey. 305 "versionTemplate": { # A CryptoKeyVersionTemplate specifies the properties to use when creating # A template describing settings for new CryptoKeyVersion instances. 306 # The properties of new CryptoKeyVersion instances created by either 307 # CreateCryptoKeyVersion or 308 # auto-rotation are controlled by this template. 309 # a new CryptoKeyVersion, either manually with 310 # CreateCryptoKeyVersion or 311 # automatically as a result of auto-rotation. 312 "protectionLevel": "A String", # ProtectionLevel to use when creating a CryptoKeyVersion based on 313 # this template. Immutable. Defaults to SOFTWARE. 314 "algorithm": "A String", # Required. Algorithm to use 315 # when creating a CryptoKeyVersion based on this template. 316 # 317 # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both 318 # this field is omitted and CryptoKey.purpose is 319 # ENCRYPT_DECRYPT. 320 }, 321 "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically: 322 # 323 # 1. Create a new version of this CryptoKey. 324 # 2. Mark the new version as primary. 325 # 326 # Key rotations performed manually via 327 # CreateCryptoKeyVersion and 328 # UpdateCryptoKeyPrimaryVersion 329 # do not affect next_rotation_time. 330 # 331 # Keys with purpose 332 # ENCRYPT_DECRYPT support 333 # automatic rotation. For other keys, this field must be omitted. 334 }</pre> 335</div> 336 337<div class="method"> 338 <code class="details" id="decrypt">decrypt(name, body, x__xgafv=None)</code> 339 <pre>Decrypts data that was protected by Encrypt. The CryptoKey.purpose 340must be ENCRYPT_DECRYPT. 341 342Args: 343 name: string, Required. The resource name of the CryptoKey to use for decryption. 344The server will choose the appropriate version. (required) 345 body: object, The request body. (required) 346 The object takes the form of: 347 348{ # Request message for KeyManagementService.Decrypt. 349 "ciphertext": "A String", # Required. The encrypted data originally returned in 350 # EncryptResponse.ciphertext. 351 "additionalAuthenticatedData": "A String", # Optional data that must match the data originally supplied in 352 # EncryptRequest.additional_authenticated_data. 353 } 354 355 x__xgafv: string, V1 error format. 356 Allowed values 357 1 - v1 error format 358 2 - v2 error format 359 360Returns: 361 An object of the form: 362 363 { # Response message for KeyManagementService.Decrypt. 364 "plaintext": "A String", # The decrypted data originally supplied in EncryptRequest.plaintext. 365 }</pre> 366</div> 367 368<div class="method"> 369 <code class="details" id="encrypt">encrypt(name, body, x__xgafv=None)</code> 370 <pre>Encrypts data, so that it can only be recovered by a call to Decrypt. 371The CryptoKey.purpose must be 372ENCRYPT_DECRYPT. 373 374Args: 375 name: string, Required. The resource name of the CryptoKey or CryptoKeyVersion 376to use for encryption. 377 378If a CryptoKey is specified, the server will use its 379primary version. (required) 380 body: object, The request body. (required) 381 The object takes the form of: 382 383{ # Request message for KeyManagementService.Encrypt. 384 "plaintext": "A String", # Required. The data to encrypt. Must be no larger than 64KiB. 385 # 386 # The maximum size depends on the key version's 387 # protection_level. For 388 # SOFTWARE keys, the plaintext must be no larger 389 # than 64KiB. For HSM keys, the combined length of the 390 # plaintext and additional_authenticated_data fields must be no larger than 391 # 8KiB. 392 "additionalAuthenticatedData": "A String", # Optional data that, if specified, must also be provided during decryption 393 # through DecryptRequest.additional_authenticated_data. 394 # 395 # The maximum size depends on the key version's 396 # protection_level. For 397 # SOFTWARE keys, the AAD must be no larger than 398 # 64KiB. For HSM keys, the combined length of the 399 # plaintext and additional_authenticated_data fields must be no larger than 400 # 8KiB. 401 } 402 403 x__xgafv: string, V1 error format. 404 Allowed values 405 1 - v1 error format 406 2 - v2 error format 407 408Returns: 409 An object of the form: 410 411 { # Response message for KeyManagementService.Encrypt. 412 "ciphertext": "A String", # The encrypted data. 413 "name": "A String", # The resource name of the CryptoKeyVersion used in encryption. 414 }</pre> 415</div> 416 417<div class="method"> 418 <code class="details" id="get">get(name, x__xgafv=None)</code> 419 <pre>Returns metadata for a given CryptoKey, as well as its 420primary CryptoKeyVersion. 421 422Args: 423 name: string, The name of the CryptoKey to get. (required) 424 x__xgafv: string, V1 error format. 425 Allowed values 426 1 - v1 error format 427 2 - v2 error format 428 429Returns: 430 An object of the form: 431 432 { # A CryptoKey represents a logical key that can be used for cryptographic 433 # operations. 434 # 435 # A CryptoKey is made up of one or more versions, which 436 # represent the actual key material used in cryptographic operations. 437 "labels": { # Labels with user-defined metadata. For more information, see 438 # [Labeling Keys](/kms/docs/labeling-keys). 439 "a_key": "A String", 440 }, 441 "name": "A String", # Output only. The resource name for this CryptoKey in the format 442 # `projects/*/locations/*/keyRings/*/cryptoKeys/*`. 443 "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service 444 # automatically rotates a key. Must be at least one day. 445 # 446 # If rotation_period is set, next_rotation_time must also be set. 447 # 448 # Keys with purpose 449 # ENCRYPT_DECRYPT support 450 # automatic rotation. For other keys, this field must be omitted. 451 "primary": { # A CryptoKeyVersion represents an individual cryptographic key, and the # Output only. A copy of the "primary" CryptoKeyVersion that will be used 452 # by Encrypt when this CryptoKey is given 453 # in EncryptRequest.name. 454 # 455 # The CryptoKey's primary version can be updated via 456 # UpdateCryptoKeyPrimaryVersion. 457 # 458 # All keys with purpose 459 # ENCRYPT_DECRYPT have a 460 # primary. For other keys, this field will be omitted. 461 # associated key material. 462 # 463 # An ENABLED version can be 464 # used for cryptographic operations. 465 # 466 # For security reasons, the raw cryptographic key material represented by a 467 # CryptoKeyVersion can never be viewed or exported. It can only be used to 468 # encrypt, decrypt, or sign data when an authorized user or application invokes 469 # Cloud KMS. 470 "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled 471 # for destruction. Only present if state is 472 # DESTROY_SCHEDULED. 473 "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format 474 # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`. 475 "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this 476 # CryptoKeyVersion supports. 477 "protectionLevel": "A String", # Output only. The ProtectionLevel describing how crypto operations are 478 # performed with this CryptoKeyVersion. 479 "attestation": { # Contains an HSM-generated attestation about a key operation. For more # Output only. Statement that was generated and signed by the HSM at key 480 # creation time. Use this statement to verify attributes of the key as stored 481 # on the HSM, independently of Google. Only provided for key versions with 482 # protection_level HSM. 483 # information, see [Verifying attestations] 484 # (https://cloud.google.com/kms/docs/attest-key). 485 "content": "A String", # Output only. The attestation data provided by the HSM when the key 486 # operation was performed. 487 "format": "A String", # Output only. The format of the attestation data. 488 }, 489 "state": "A String", # The current state of the CryptoKeyVersion. 490 "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was 491 # destroyed. Only present if state is 492 # DESTROYED. 493 "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was 494 # generated. 495 "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created. 496 }, 497 "createTime": "A String", # Output only. The time at which this CryptoKey was created. 498 "purpose": "A String", # The immutable purpose of this CryptoKey. 499 "versionTemplate": { # A CryptoKeyVersionTemplate specifies the properties to use when creating # A template describing settings for new CryptoKeyVersion instances. 500 # The properties of new CryptoKeyVersion instances created by either 501 # CreateCryptoKeyVersion or 502 # auto-rotation are controlled by this template. 503 # a new CryptoKeyVersion, either manually with 504 # CreateCryptoKeyVersion or 505 # automatically as a result of auto-rotation. 506 "protectionLevel": "A String", # ProtectionLevel to use when creating a CryptoKeyVersion based on 507 # this template. Immutable. Defaults to SOFTWARE. 508 "algorithm": "A String", # Required. Algorithm to use 509 # when creating a CryptoKeyVersion based on this template. 510 # 511 # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both 512 # this field is omitted and CryptoKey.purpose is 513 # ENCRYPT_DECRYPT. 514 }, 515 "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically: 516 # 517 # 1. Create a new version of this CryptoKey. 518 # 2. Mark the new version as primary. 519 # 520 # Key rotations performed manually via 521 # CreateCryptoKeyVersion and 522 # UpdateCryptoKeyPrimaryVersion 523 # do not affect next_rotation_time. 524 # 525 # Keys with purpose 526 # ENCRYPT_DECRYPT support 527 # automatic rotation. For other keys, this field must be omitted. 528 }</pre> 529</div> 530 531<div class="method"> 532 <code class="details" id="getIamPolicy">getIamPolicy(resource, x__xgafv=None)</code> 533 <pre>Gets the access control policy for a resource. 534Returns an empty policy if the resource exists and does not have a policy 535set. 536 537Args: 538 resource: string, REQUIRED: The resource for which the policy is being requested. 539See the operation documentation for the appropriate value for this field. (required) 540 x__xgafv: string, V1 error format. 541 Allowed values 542 1 - v1 error format 543 2 - v2 error format 544 545Returns: 546 An object of the form: 547 548 { # Defines an Identity and Access Management (IAM) policy. It is used to 549 # specify access control policies for Cloud Platform resources. 550 # 551 # 552 # A `Policy` consists of a list of `bindings`. A `binding` binds a list of 553 # `members` to a `role`, where the members can be user accounts, Google groups, 554 # Google domains, and service accounts. A `role` is a named list of permissions 555 # defined by IAM. 556 # 557 # **JSON Example** 558 # 559 # { 560 # "bindings": [ 561 # { 562 # "role": "roles/owner", 563 # "members": [ 564 # "user:mike@example.com", 565 # "group:admins@example.com", 566 # "domain:google.com", 567 # "serviceAccount:my-other-app@appspot.gserviceaccount.com" 568 # ] 569 # }, 570 # { 571 # "role": "roles/viewer", 572 # "members": ["user:sean@example.com"] 573 # } 574 # ] 575 # } 576 # 577 # **YAML Example** 578 # 579 # bindings: 580 # - members: 581 # - user:mike@example.com 582 # - group:admins@example.com 583 # - domain:google.com 584 # - serviceAccount:my-other-app@appspot.gserviceaccount.com 585 # role: roles/owner 586 # - members: 587 # - user:sean@example.com 588 # role: roles/viewer 589 # 590 # 591 # For a description of IAM and its features, see the 592 # [IAM developer's guide](https://cloud.google.com/iam/docs). 593 "bindings": [ # Associates a list of `members` to a `role`. 594 # `bindings` with no members will result in an error. 595 { # Associates `members` with a `role`. 596 "role": "A String", # Role that is assigned to `members`. 597 # For example, `roles/viewer`, `roles/editor`, or `roles/owner`. 598 "members": [ # Specifies the identities requesting access for a Cloud Platform resource. 599 # `members` can have the following values: 600 # 601 # * `allUsers`: A special identifier that represents anyone who is 602 # on the internet; with or without a Google account. 603 # 604 # * `allAuthenticatedUsers`: A special identifier that represents anyone 605 # who is authenticated with a Google account or a service account. 606 # 607 # * `user:{emailid}`: An email address that represents a specific Google 608 # account. For example, `alice@gmail.com` . 609 # 610 # 611 # * `serviceAccount:{emailid}`: An email address that represents a service 612 # account. For example, `my-other-app@appspot.gserviceaccount.com`. 613 # 614 # * `group:{emailid}`: An email address that represents a Google group. 615 # For example, `admins@example.com`. 616 # 617 # 618 # * `domain:{domain}`: The G Suite domain (primary) that represents all the 619 # users of that domain. For example, `google.com` or `example.com`. 620 # 621 "A String", 622 ], 623 "condition": { # Represents an expression text. Example: # The condition that is associated with this binding. 624 # NOTE: An unsatisfied condition will not allow user access via current 625 # binding. Different bindings, including their conditions, are examined 626 # independently. 627 # 628 # title: "User account presence" 629 # description: "Determines whether the request has a user account" 630 # expression: "size(request.user) > 0" 631 "description": "A String", # An optional description of the expression. This is a longer text which 632 # describes the expression, e.g. when hovered over it in a UI. 633 "expression": "A String", # Textual representation of an expression in 634 # Common Expression Language syntax. 635 # 636 # The application context of the containing message determines which 637 # well-known feature set of CEL is supported. 638 "location": "A String", # An optional string indicating the location of the expression for error 639 # reporting, e.g. a file name and a position in the file. 640 "title": "A String", # An optional title for the expression, i.e. a short string describing 641 # its purpose. This can be used e.g. in UIs which allow to enter the 642 # expression. 643 }, 644 }, 645 ], 646 "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help 647 # prevent simultaneous updates of a policy from overwriting each other. 648 # It is strongly suggested that systems make use of the `etag` in the 649 # read-modify-write cycle to perform policy updates in order to avoid race 650 # conditions: An `etag` is returned in the response to `getIamPolicy`, and 651 # systems are expected to put that etag in the request to `setIamPolicy` to 652 # ensure that their change will be applied to the same version of the policy. 653 # 654 # If no `etag` is provided in the call to `setIamPolicy`, then the existing 655 # policy is overwritten blindly. 656 "version": 42, # Deprecated. 657 "auditConfigs": [ # Specifies cloud audit logging configuration for this policy. 658 { # Specifies the audit configuration for a service. 659 # The configuration determines which permission types are logged, and what 660 # identities, if any, are exempted from logging. 661 # An AuditConfig must have one or more AuditLogConfigs. 662 # 663 # If there are AuditConfigs for both `allServices` and a specific service, 664 # the union of the two AuditConfigs is used for that service: the log_types 665 # specified in each AuditConfig are enabled, and the exempted_members in each 666 # AuditLogConfig are exempted. 667 # 668 # Example Policy with multiple AuditConfigs: 669 # 670 # { 671 # "audit_configs": [ 672 # { 673 # "service": "allServices" 674 # "audit_log_configs": [ 675 # { 676 # "log_type": "DATA_READ", 677 # "exempted_members": [ 678 # "user:foo@gmail.com" 679 # ] 680 # }, 681 # { 682 # "log_type": "DATA_WRITE", 683 # }, 684 # { 685 # "log_type": "ADMIN_READ", 686 # } 687 # ] 688 # }, 689 # { 690 # "service": "fooservice.googleapis.com" 691 # "audit_log_configs": [ 692 # { 693 # "log_type": "DATA_READ", 694 # }, 695 # { 696 # "log_type": "DATA_WRITE", 697 # "exempted_members": [ 698 # "user:bar@gmail.com" 699 # ] 700 # } 701 # ] 702 # } 703 # ] 704 # } 705 # 706 # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ 707 # logging. It also exempts foo@gmail.com from DATA_READ logging, and 708 # bar@gmail.com from DATA_WRITE logging. 709 "auditLogConfigs": [ # The configuration for logging of each type of permission. 710 { # Provides the configuration for logging a type of permissions. 711 # Example: 712 # 713 # { 714 # "audit_log_configs": [ 715 # { 716 # "log_type": "DATA_READ", 717 # "exempted_members": [ 718 # "user:foo@gmail.com" 719 # ] 720 # }, 721 # { 722 # "log_type": "DATA_WRITE", 723 # } 724 # ] 725 # } 726 # 727 # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting 728 # foo@gmail.com from DATA_READ logging. 729 "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of 730 # permission. 731 # Follows the same format of Binding.members. 732 "A String", 733 ], 734 "logType": "A String", # The log type that this config enables. 735 }, 736 ], 737 "service": "A String", # Specifies a service that will be enabled for audit logging. 738 # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. 739 # `allServices` is a special value that covers all services. 740 }, 741 ], 742 }</pre> 743</div> 744 745<div class="method"> 746 <code class="details" id="list">list(parent, versionView=None, pageToken=None, x__xgafv=None, pageSize=None)</code> 747 <pre>Lists CryptoKeys. 748 749Args: 750 parent: string, Required. The resource name of the KeyRing to list, in the format 751`projects/*/locations/*/keyRings/*`. (required) 752 versionView: string, The fields of the primary version to include in the response. 753 pageToken: string, Optional pagination token, returned earlier via 754ListCryptoKeysResponse.next_page_token. 755 x__xgafv: string, V1 error format. 756 Allowed values 757 1 - v1 error format 758 2 - v2 error format 759 pageSize: integer, Optional limit on the number of CryptoKeys to include in the 760response. Further CryptoKeys can subsequently be obtained by 761including the ListCryptoKeysResponse.next_page_token in a subsequent 762request. If unspecified, the server will pick an appropriate default. 763 764Returns: 765 An object of the form: 766 767 { # Response message for KeyManagementService.ListCryptoKeys. 768 "nextPageToken": "A String", # A token to retrieve next page of results. Pass this value in 769 # ListCryptoKeysRequest.page_token to retrieve the next page of results. 770 "cryptoKeys": [ # The list of CryptoKeys. 771 { # A CryptoKey represents a logical key that can be used for cryptographic 772 # operations. 773 # 774 # A CryptoKey is made up of one or more versions, which 775 # represent the actual key material used in cryptographic operations. 776 "labels": { # Labels with user-defined metadata. For more information, see 777 # [Labeling Keys](/kms/docs/labeling-keys). 778 "a_key": "A String", 779 }, 780 "name": "A String", # Output only. The resource name for this CryptoKey in the format 781 # `projects/*/locations/*/keyRings/*/cryptoKeys/*`. 782 "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service 783 # automatically rotates a key. Must be at least one day. 784 # 785 # If rotation_period is set, next_rotation_time must also be set. 786 # 787 # Keys with purpose 788 # ENCRYPT_DECRYPT support 789 # automatic rotation. For other keys, this field must be omitted. 790 "primary": { # A CryptoKeyVersion represents an individual cryptographic key, and the # Output only. A copy of the "primary" CryptoKeyVersion that will be used 791 # by Encrypt when this CryptoKey is given 792 # in EncryptRequest.name. 793 # 794 # The CryptoKey's primary version can be updated via 795 # UpdateCryptoKeyPrimaryVersion. 796 # 797 # All keys with purpose 798 # ENCRYPT_DECRYPT have a 799 # primary. For other keys, this field will be omitted. 800 # associated key material. 801 # 802 # An ENABLED version can be 803 # used for cryptographic operations. 804 # 805 # For security reasons, the raw cryptographic key material represented by a 806 # CryptoKeyVersion can never be viewed or exported. It can only be used to 807 # encrypt, decrypt, or sign data when an authorized user or application invokes 808 # Cloud KMS. 809 "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled 810 # for destruction. Only present if state is 811 # DESTROY_SCHEDULED. 812 "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format 813 # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`. 814 "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this 815 # CryptoKeyVersion supports. 816 "protectionLevel": "A String", # Output only. The ProtectionLevel describing how crypto operations are 817 # performed with this CryptoKeyVersion. 818 "attestation": { # Contains an HSM-generated attestation about a key operation. For more # Output only. Statement that was generated and signed by the HSM at key 819 # creation time. Use this statement to verify attributes of the key as stored 820 # on the HSM, independently of Google. Only provided for key versions with 821 # protection_level HSM. 822 # information, see [Verifying attestations] 823 # (https://cloud.google.com/kms/docs/attest-key). 824 "content": "A String", # Output only. The attestation data provided by the HSM when the key 825 # operation was performed. 826 "format": "A String", # Output only. The format of the attestation data. 827 }, 828 "state": "A String", # The current state of the CryptoKeyVersion. 829 "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was 830 # destroyed. Only present if state is 831 # DESTROYED. 832 "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was 833 # generated. 834 "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created. 835 }, 836 "createTime": "A String", # Output only. The time at which this CryptoKey was created. 837 "purpose": "A String", # The immutable purpose of this CryptoKey. 838 "versionTemplate": { # A CryptoKeyVersionTemplate specifies the properties to use when creating # A template describing settings for new CryptoKeyVersion instances. 839 # The properties of new CryptoKeyVersion instances created by either 840 # CreateCryptoKeyVersion or 841 # auto-rotation are controlled by this template. 842 # a new CryptoKeyVersion, either manually with 843 # CreateCryptoKeyVersion or 844 # automatically as a result of auto-rotation. 845 "protectionLevel": "A String", # ProtectionLevel to use when creating a CryptoKeyVersion based on 846 # this template. Immutable. Defaults to SOFTWARE. 847 "algorithm": "A String", # Required. Algorithm to use 848 # when creating a CryptoKeyVersion based on this template. 849 # 850 # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both 851 # this field is omitted and CryptoKey.purpose is 852 # ENCRYPT_DECRYPT. 853 }, 854 "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically: 855 # 856 # 1. Create a new version of this CryptoKey. 857 # 2. Mark the new version as primary. 858 # 859 # Key rotations performed manually via 860 # CreateCryptoKeyVersion and 861 # UpdateCryptoKeyPrimaryVersion 862 # do not affect next_rotation_time. 863 # 864 # Keys with purpose 865 # ENCRYPT_DECRYPT support 866 # automatic rotation. For other keys, this field must be omitted. 867 }, 868 ], 869 "totalSize": 42, # The total number of CryptoKeys that matched the query. 870 }</pre> 871</div> 872 873<div class="method"> 874 <code class="details" id="list_next">list_next(previous_request, previous_response)</code> 875 <pre>Retrieves the next page of results. 876 877Args: 878 previous_request: The request for the previous page. (required) 879 previous_response: The response from the request for the previous page. (required) 880 881Returns: 882 A request object that you can call 'execute()' on to request the next 883 page. Returns None if there are no more items in the collection. 884 </pre> 885</div> 886 887<div class="method"> 888 <code class="details" id="patch">patch(name, body, updateMask=None, x__xgafv=None)</code> 889 <pre>Update a CryptoKey. 890 891Args: 892 name: string, Output only. The resource name for this CryptoKey in the format 893`projects/*/locations/*/keyRings/*/cryptoKeys/*`. (required) 894 body: object, The request body. (required) 895 The object takes the form of: 896 897{ # A CryptoKey represents a logical key that can be used for cryptographic 898 # operations. 899 # 900 # A CryptoKey is made up of one or more versions, which 901 # represent the actual key material used in cryptographic operations. 902 "labels": { # Labels with user-defined metadata. For more information, see 903 # [Labeling Keys](/kms/docs/labeling-keys). 904 "a_key": "A String", 905 }, 906 "name": "A String", # Output only. The resource name for this CryptoKey in the format 907 # `projects/*/locations/*/keyRings/*/cryptoKeys/*`. 908 "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service 909 # automatically rotates a key. Must be at least one day. 910 # 911 # If rotation_period is set, next_rotation_time must also be set. 912 # 913 # Keys with purpose 914 # ENCRYPT_DECRYPT support 915 # automatic rotation. For other keys, this field must be omitted. 916 "primary": { # A CryptoKeyVersion represents an individual cryptographic key, and the # Output only. A copy of the "primary" CryptoKeyVersion that will be used 917 # by Encrypt when this CryptoKey is given 918 # in EncryptRequest.name. 919 # 920 # The CryptoKey's primary version can be updated via 921 # UpdateCryptoKeyPrimaryVersion. 922 # 923 # All keys with purpose 924 # ENCRYPT_DECRYPT have a 925 # primary. For other keys, this field will be omitted. 926 # associated key material. 927 # 928 # An ENABLED version can be 929 # used for cryptographic operations. 930 # 931 # For security reasons, the raw cryptographic key material represented by a 932 # CryptoKeyVersion can never be viewed or exported. It can only be used to 933 # encrypt, decrypt, or sign data when an authorized user or application invokes 934 # Cloud KMS. 935 "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled 936 # for destruction. Only present if state is 937 # DESTROY_SCHEDULED. 938 "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format 939 # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`. 940 "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this 941 # CryptoKeyVersion supports. 942 "protectionLevel": "A String", # Output only. The ProtectionLevel describing how crypto operations are 943 # performed with this CryptoKeyVersion. 944 "attestation": { # Contains an HSM-generated attestation about a key operation. For more # Output only. Statement that was generated and signed by the HSM at key 945 # creation time. Use this statement to verify attributes of the key as stored 946 # on the HSM, independently of Google. Only provided for key versions with 947 # protection_level HSM. 948 # information, see [Verifying attestations] 949 # (https://cloud.google.com/kms/docs/attest-key). 950 "content": "A String", # Output only. The attestation data provided by the HSM when the key 951 # operation was performed. 952 "format": "A String", # Output only. The format of the attestation data. 953 }, 954 "state": "A String", # The current state of the CryptoKeyVersion. 955 "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was 956 # destroyed. Only present if state is 957 # DESTROYED. 958 "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was 959 # generated. 960 "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created. 961 }, 962 "createTime": "A String", # Output only. The time at which this CryptoKey was created. 963 "purpose": "A String", # The immutable purpose of this CryptoKey. 964 "versionTemplate": { # A CryptoKeyVersionTemplate specifies the properties to use when creating # A template describing settings for new CryptoKeyVersion instances. 965 # The properties of new CryptoKeyVersion instances created by either 966 # CreateCryptoKeyVersion or 967 # auto-rotation are controlled by this template. 968 # a new CryptoKeyVersion, either manually with 969 # CreateCryptoKeyVersion or 970 # automatically as a result of auto-rotation. 971 "protectionLevel": "A String", # ProtectionLevel to use when creating a CryptoKeyVersion based on 972 # this template. Immutable. Defaults to SOFTWARE. 973 "algorithm": "A String", # Required. Algorithm to use 974 # when creating a CryptoKeyVersion based on this template. 975 # 976 # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both 977 # this field is omitted and CryptoKey.purpose is 978 # ENCRYPT_DECRYPT. 979 }, 980 "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically: 981 # 982 # 1. Create a new version of this CryptoKey. 983 # 2. Mark the new version as primary. 984 # 985 # Key rotations performed manually via 986 # CreateCryptoKeyVersion and 987 # UpdateCryptoKeyPrimaryVersion 988 # do not affect next_rotation_time. 989 # 990 # Keys with purpose 991 # ENCRYPT_DECRYPT support 992 # automatic rotation. For other keys, this field must be omitted. 993} 994 995 updateMask: string, Required list of fields to be updated in this request. 996 x__xgafv: string, V1 error format. 997 Allowed values 998 1 - v1 error format 999 2 - v2 error format 1000 1001Returns: 1002 An object of the form: 1003 1004 { # A CryptoKey represents a logical key that can be used for cryptographic 1005 # operations. 1006 # 1007 # A CryptoKey is made up of one or more versions, which 1008 # represent the actual key material used in cryptographic operations. 1009 "labels": { # Labels with user-defined metadata. For more information, see 1010 # [Labeling Keys](/kms/docs/labeling-keys). 1011 "a_key": "A String", 1012 }, 1013 "name": "A String", # Output only. The resource name for this CryptoKey in the format 1014 # `projects/*/locations/*/keyRings/*/cryptoKeys/*`. 1015 "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service 1016 # automatically rotates a key. Must be at least one day. 1017 # 1018 # If rotation_period is set, next_rotation_time must also be set. 1019 # 1020 # Keys with purpose 1021 # ENCRYPT_DECRYPT support 1022 # automatic rotation. For other keys, this field must be omitted. 1023 "primary": { # A CryptoKeyVersion represents an individual cryptographic key, and the # Output only. A copy of the "primary" CryptoKeyVersion that will be used 1024 # by Encrypt when this CryptoKey is given 1025 # in EncryptRequest.name. 1026 # 1027 # The CryptoKey's primary version can be updated via 1028 # UpdateCryptoKeyPrimaryVersion. 1029 # 1030 # All keys with purpose 1031 # ENCRYPT_DECRYPT have a 1032 # primary. For other keys, this field will be omitted. 1033 # associated key material. 1034 # 1035 # An ENABLED version can be 1036 # used for cryptographic operations. 1037 # 1038 # For security reasons, the raw cryptographic key material represented by a 1039 # CryptoKeyVersion can never be viewed or exported. It can only be used to 1040 # encrypt, decrypt, or sign data when an authorized user or application invokes 1041 # Cloud KMS. 1042 "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled 1043 # for destruction. Only present if state is 1044 # DESTROY_SCHEDULED. 1045 "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format 1046 # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`. 1047 "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this 1048 # CryptoKeyVersion supports. 1049 "protectionLevel": "A String", # Output only. The ProtectionLevel describing how crypto operations are 1050 # performed with this CryptoKeyVersion. 1051 "attestation": { # Contains an HSM-generated attestation about a key operation. For more # Output only. Statement that was generated and signed by the HSM at key 1052 # creation time. Use this statement to verify attributes of the key as stored 1053 # on the HSM, independently of Google. Only provided for key versions with 1054 # protection_level HSM. 1055 # information, see [Verifying attestations] 1056 # (https://cloud.google.com/kms/docs/attest-key). 1057 "content": "A String", # Output only. The attestation data provided by the HSM when the key 1058 # operation was performed. 1059 "format": "A String", # Output only. The format of the attestation data. 1060 }, 1061 "state": "A String", # The current state of the CryptoKeyVersion. 1062 "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was 1063 # destroyed. Only present if state is 1064 # DESTROYED. 1065 "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was 1066 # generated. 1067 "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created. 1068 }, 1069 "createTime": "A String", # Output only. The time at which this CryptoKey was created. 1070 "purpose": "A String", # The immutable purpose of this CryptoKey. 1071 "versionTemplate": { # A CryptoKeyVersionTemplate specifies the properties to use when creating # A template describing settings for new CryptoKeyVersion instances. 1072 # The properties of new CryptoKeyVersion instances created by either 1073 # CreateCryptoKeyVersion or 1074 # auto-rotation are controlled by this template. 1075 # a new CryptoKeyVersion, either manually with 1076 # CreateCryptoKeyVersion or 1077 # automatically as a result of auto-rotation. 1078 "protectionLevel": "A String", # ProtectionLevel to use when creating a CryptoKeyVersion based on 1079 # this template. Immutable. Defaults to SOFTWARE. 1080 "algorithm": "A String", # Required. Algorithm to use 1081 # when creating a CryptoKeyVersion based on this template. 1082 # 1083 # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both 1084 # this field is omitted and CryptoKey.purpose is 1085 # ENCRYPT_DECRYPT. 1086 }, 1087 "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically: 1088 # 1089 # 1. Create a new version of this CryptoKey. 1090 # 2. Mark the new version as primary. 1091 # 1092 # Key rotations performed manually via 1093 # CreateCryptoKeyVersion and 1094 # UpdateCryptoKeyPrimaryVersion 1095 # do not affect next_rotation_time. 1096 # 1097 # Keys with purpose 1098 # ENCRYPT_DECRYPT support 1099 # automatic rotation. For other keys, this field must be omitted. 1100 }</pre> 1101</div> 1102 1103<div class="method"> 1104 <code class="details" id="setIamPolicy">setIamPolicy(resource, body, x__xgafv=None)</code> 1105 <pre>Sets the access control policy on the specified resource. Replaces any 1106existing policy. 1107 1108Args: 1109 resource: string, REQUIRED: The resource for which the policy is being specified. 1110See the operation documentation for the appropriate value for this field. (required) 1111 body: object, The request body. (required) 1112 The object takes the form of: 1113 1114{ # Request message for `SetIamPolicy` method. 1115 "policy": { # Defines an Identity and Access Management (IAM) policy. It is used to # REQUIRED: The complete policy to be applied to the `resource`. The size of 1116 # the policy is limited to a few 10s of KB. An empty policy is a 1117 # valid policy but certain Cloud Platform services (such as Projects) 1118 # might reject them. 1119 # specify access control policies for Cloud Platform resources. 1120 # 1121 # 1122 # A `Policy` consists of a list of `bindings`. A `binding` binds a list of 1123 # `members` to a `role`, where the members can be user accounts, Google groups, 1124 # Google domains, and service accounts. A `role` is a named list of permissions 1125 # defined by IAM. 1126 # 1127 # **JSON Example** 1128 # 1129 # { 1130 # "bindings": [ 1131 # { 1132 # "role": "roles/owner", 1133 # "members": [ 1134 # "user:mike@example.com", 1135 # "group:admins@example.com", 1136 # "domain:google.com", 1137 # "serviceAccount:my-other-app@appspot.gserviceaccount.com" 1138 # ] 1139 # }, 1140 # { 1141 # "role": "roles/viewer", 1142 # "members": ["user:sean@example.com"] 1143 # } 1144 # ] 1145 # } 1146 # 1147 # **YAML Example** 1148 # 1149 # bindings: 1150 # - members: 1151 # - user:mike@example.com 1152 # - group:admins@example.com 1153 # - domain:google.com 1154 # - serviceAccount:my-other-app@appspot.gserviceaccount.com 1155 # role: roles/owner 1156 # - members: 1157 # - user:sean@example.com 1158 # role: roles/viewer 1159 # 1160 # 1161 # For a description of IAM and its features, see the 1162 # [IAM developer's guide](https://cloud.google.com/iam/docs). 1163 "bindings": [ # Associates a list of `members` to a `role`. 1164 # `bindings` with no members will result in an error. 1165 { # Associates `members` with a `role`. 1166 "role": "A String", # Role that is assigned to `members`. 1167 # For example, `roles/viewer`, `roles/editor`, or `roles/owner`. 1168 "members": [ # Specifies the identities requesting access for a Cloud Platform resource. 1169 # `members` can have the following values: 1170 # 1171 # * `allUsers`: A special identifier that represents anyone who is 1172 # on the internet; with or without a Google account. 1173 # 1174 # * `allAuthenticatedUsers`: A special identifier that represents anyone 1175 # who is authenticated with a Google account or a service account. 1176 # 1177 # * `user:{emailid}`: An email address that represents a specific Google 1178 # account. For example, `alice@gmail.com` . 1179 # 1180 # 1181 # * `serviceAccount:{emailid}`: An email address that represents a service 1182 # account. For example, `my-other-app@appspot.gserviceaccount.com`. 1183 # 1184 # * `group:{emailid}`: An email address that represents a Google group. 1185 # For example, `admins@example.com`. 1186 # 1187 # 1188 # * `domain:{domain}`: The G Suite domain (primary) that represents all the 1189 # users of that domain. For example, `google.com` or `example.com`. 1190 # 1191 "A String", 1192 ], 1193 "condition": { # Represents an expression text. Example: # The condition that is associated with this binding. 1194 # NOTE: An unsatisfied condition will not allow user access via current 1195 # binding. Different bindings, including their conditions, are examined 1196 # independently. 1197 # 1198 # title: "User account presence" 1199 # description: "Determines whether the request has a user account" 1200 # expression: "size(request.user) > 0" 1201 "description": "A String", # An optional description of the expression. This is a longer text which 1202 # describes the expression, e.g. when hovered over it in a UI. 1203 "expression": "A String", # Textual representation of an expression in 1204 # Common Expression Language syntax. 1205 # 1206 # The application context of the containing message determines which 1207 # well-known feature set of CEL is supported. 1208 "location": "A String", # An optional string indicating the location of the expression for error 1209 # reporting, e.g. a file name and a position in the file. 1210 "title": "A String", # An optional title for the expression, i.e. a short string describing 1211 # its purpose. This can be used e.g. in UIs which allow to enter the 1212 # expression. 1213 }, 1214 }, 1215 ], 1216 "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help 1217 # prevent simultaneous updates of a policy from overwriting each other. 1218 # It is strongly suggested that systems make use of the `etag` in the 1219 # read-modify-write cycle to perform policy updates in order to avoid race 1220 # conditions: An `etag` is returned in the response to `getIamPolicy`, and 1221 # systems are expected to put that etag in the request to `setIamPolicy` to 1222 # ensure that their change will be applied to the same version of the policy. 1223 # 1224 # If no `etag` is provided in the call to `setIamPolicy`, then the existing 1225 # policy is overwritten blindly. 1226 "version": 42, # Deprecated. 1227 "auditConfigs": [ # Specifies cloud audit logging configuration for this policy. 1228 { # Specifies the audit configuration for a service. 1229 # The configuration determines which permission types are logged, and what 1230 # identities, if any, are exempted from logging. 1231 # An AuditConfig must have one or more AuditLogConfigs. 1232 # 1233 # If there are AuditConfigs for both `allServices` and a specific service, 1234 # the union of the two AuditConfigs is used for that service: the log_types 1235 # specified in each AuditConfig are enabled, and the exempted_members in each 1236 # AuditLogConfig are exempted. 1237 # 1238 # Example Policy with multiple AuditConfigs: 1239 # 1240 # { 1241 # "audit_configs": [ 1242 # { 1243 # "service": "allServices" 1244 # "audit_log_configs": [ 1245 # { 1246 # "log_type": "DATA_READ", 1247 # "exempted_members": [ 1248 # "user:foo@gmail.com" 1249 # ] 1250 # }, 1251 # { 1252 # "log_type": "DATA_WRITE", 1253 # }, 1254 # { 1255 # "log_type": "ADMIN_READ", 1256 # } 1257 # ] 1258 # }, 1259 # { 1260 # "service": "fooservice.googleapis.com" 1261 # "audit_log_configs": [ 1262 # { 1263 # "log_type": "DATA_READ", 1264 # }, 1265 # { 1266 # "log_type": "DATA_WRITE", 1267 # "exempted_members": [ 1268 # "user:bar@gmail.com" 1269 # ] 1270 # } 1271 # ] 1272 # } 1273 # ] 1274 # } 1275 # 1276 # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ 1277 # logging. It also exempts foo@gmail.com from DATA_READ logging, and 1278 # bar@gmail.com from DATA_WRITE logging. 1279 "auditLogConfigs": [ # The configuration for logging of each type of permission. 1280 { # Provides the configuration for logging a type of permissions. 1281 # Example: 1282 # 1283 # { 1284 # "audit_log_configs": [ 1285 # { 1286 # "log_type": "DATA_READ", 1287 # "exempted_members": [ 1288 # "user:foo@gmail.com" 1289 # ] 1290 # }, 1291 # { 1292 # "log_type": "DATA_WRITE", 1293 # } 1294 # ] 1295 # } 1296 # 1297 # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting 1298 # foo@gmail.com from DATA_READ logging. 1299 "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of 1300 # permission. 1301 # Follows the same format of Binding.members. 1302 "A String", 1303 ], 1304 "logType": "A String", # The log type that this config enables. 1305 }, 1306 ], 1307 "service": "A String", # Specifies a service that will be enabled for audit logging. 1308 # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. 1309 # `allServices` is a special value that covers all services. 1310 }, 1311 ], 1312 }, 1313 "updateMask": "A String", # OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only 1314 # the fields in the mask will be modified. If no mask is provided, the 1315 # following default mask is used: 1316 # paths: "bindings, etag" 1317 # This field is only used by Cloud IAM. 1318 } 1319 1320 x__xgafv: string, V1 error format. 1321 Allowed values 1322 1 - v1 error format 1323 2 - v2 error format 1324 1325Returns: 1326 An object of the form: 1327 1328 { # Defines an Identity and Access Management (IAM) policy. It is used to 1329 # specify access control policies for Cloud Platform resources. 1330 # 1331 # 1332 # A `Policy` consists of a list of `bindings`. A `binding` binds a list of 1333 # `members` to a `role`, where the members can be user accounts, Google groups, 1334 # Google domains, and service accounts. A `role` is a named list of permissions 1335 # defined by IAM. 1336 # 1337 # **JSON Example** 1338 # 1339 # { 1340 # "bindings": [ 1341 # { 1342 # "role": "roles/owner", 1343 # "members": [ 1344 # "user:mike@example.com", 1345 # "group:admins@example.com", 1346 # "domain:google.com", 1347 # "serviceAccount:my-other-app@appspot.gserviceaccount.com" 1348 # ] 1349 # }, 1350 # { 1351 # "role": "roles/viewer", 1352 # "members": ["user:sean@example.com"] 1353 # } 1354 # ] 1355 # } 1356 # 1357 # **YAML Example** 1358 # 1359 # bindings: 1360 # - members: 1361 # - user:mike@example.com 1362 # - group:admins@example.com 1363 # - domain:google.com 1364 # - serviceAccount:my-other-app@appspot.gserviceaccount.com 1365 # role: roles/owner 1366 # - members: 1367 # - user:sean@example.com 1368 # role: roles/viewer 1369 # 1370 # 1371 # For a description of IAM and its features, see the 1372 # [IAM developer's guide](https://cloud.google.com/iam/docs). 1373 "bindings": [ # Associates a list of `members` to a `role`. 1374 # `bindings` with no members will result in an error. 1375 { # Associates `members` with a `role`. 1376 "role": "A String", # Role that is assigned to `members`. 1377 # For example, `roles/viewer`, `roles/editor`, or `roles/owner`. 1378 "members": [ # Specifies the identities requesting access for a Cloud Platform resource. 1379 # `members` can have the following values: 1380 # 1381 # * `allUsers`: A special identifier that represents anyone who is 1382 # on the internet; with or without a Google account. 1383 # 1384 # * `allAuthenticatedUsers`: A special identifier that represents anyone 1385 # who is authenticated with a Google account or a service account. 1386 # 1387 # * `user:{emailid}`: An email address that represents a specific Google 1388 # account. For example, `alice@gmail.com` . 1389 # 1390 # 1391 # * `serviceAccount:{emailid}`: An email address that represents a service 1392 # account. For example, `my-other-app@appspot.gserviceaccount.com`. 1393 # 1394 # * `group:{emailid}`: An email address that represents a Google group. 1395 # For example, `admins@example.com`. 1396 # 1397 # 1398 # * `domain:{domain}`: The G Suite domain (primary) that represents all the 1399 # users of that domain. For example, `google.com` or `example.com`. 1400 # 1401 "A String", 1402 ], 1403 "condition": { # Represents an expression text. Example: # The condition that is associated with this binding. 1404 # NOTE: An unsatisfied condition will not allow user access via current 1405 # binding. Different bindings, including their conditions, are examined 1406 # independently. 1407 # 1408 # title: "User account presence" 1409 # description: "Determines whether the request has a user account" 1410 # expression: "size(request.user) > 0" 1411 "description": "A String", # An optional description of the expression. This is a longer text which 1412 # describes the expression, e.g. when hovered over it in a UI. 1413 "expression": "A String", # Textual representation of an expression in 1414 # Common Expression Language syntax. 1415 # 1416 # The application context of the containing message determines which 1417 # well-known feature set of CEL is supported. 1418 "location": "A String", # An optional string indicating the location of the expression for error 1419 # reporting, e.g. a file name and a position in the file. 1420 "title": "A String", # An optional title for the expression, i.e. a short string describing 1421 # its purpose. This can be used e.g. in UIs which allow to enter the 1422 # expression. 1423 }, 1424 }, 1425 ], 1426 "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help 1427 # prevent simultaneous updates of a policy from overwriting each other. 1428 # It is strongly suggested that systems make use of the `etag` in the 1429 # read-modify-write cycle to perform policy updates in order to avoid race 1430 # conditions: An `etag` is returned in the response to `getIamPolicy`, and 1431 # systems are expected to put that etag in the request to `setIamPolicy` to 1432 # ensure that their change will be applied to the same version of the policy. 1433 # 1434 # If no `etag` is provided in the call to `setIamPolicy`, then the existing 1435 # policy is overwritten blindly. 1436 "version": 42, # Deprecated. 1437 "auditConfigs": [ # Specifies cloud audit logging configuration for this policy. 1438 { # Specifies the audit configuration for a service. 1439 # The configuration determines which permission types are logged, and what 1440 # identities, if any, are exempted from logging. 1441 # An AuditConfig must have one or more AuditLogConfigs. 1442 # 1443 # If there are AuditConfigs for both `allServices` and a specific service, 1444 # the union of the two AuditConfigs is used for that service: the log_types 1445 # specified in each AuditConfig are enabled, and the exempted_members in each 1446 # AuditLogConfig are exempted. 1447 # 1448 # Example Policy with multiple AuditConfigs: 1449 # 1450 # { 1451 # "audit_configs": [ 1452 # { 1453 # "service": "allServices" 1454 # "audit_log_configs": [ 1455 # { 1456 # "log_type": "DATA_READ", 1457 # "exempted_members": [ 1458 # "user:foo@gmail.com" 1459 # ] 1460 # }, 1461 # { 1462 # "log_type": "DATA_WRITE", 1463 # }, 1464 # { 1465 # "log_type": "ADMIN_READ", 1466 # } 1467 # ] 1468 # }, 1469 # { 1470 # "service": "fooservice.googleapis.com" 1471 # "audit_log_configs": [ 1472 # { 1473 # "log_type": "DATA_READ", 1474 # }, 1475 # { 1476 # "log_type": "DATA_WRITE", 1477 # "exempted_members": [ 1478 # "user:bar@gmail.com" 1479 # ] 1480 # } 1481 # ] 1482 # } 1483 # ] 1484 # } 1485 # 1486 # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ 1487 # logging. It also exempts foo@gmail.com from DATA_READ logging, and 1488 # bar@gmail.com from DATA_WRITE logging. 1489 "auditLogConfigs": [ # The configuration for logging of each type of permission. 1490 { # Provides the configuration for logging a type of permissions. 1491 # Example: 1492 # 1493 # { 1494 # "audit_log_configs": [ 1495 # { 1496 # "log_type": "DATA_READ", 1497 # "exempted_members": [ 1498 # "user:foo@gmail.com" 1499 # ] 1500 # }, 1501 # { 1502 # "log_type": "DATA_WRITE", 1503 # } 1504 # ] 1505 # } 1506 # 1507 # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting 1508 # foo@gmail.com from DATA_READ logging. 1509 "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of 1510 # permission. 1511 # Follows the same format of Binding.members. 1512 "A String", 1513 ], 1514 "logType": "A String", # The log type that this config enables. 1515 }, 1516 ], 1517 "service": "A String", # Specifies a service that will be enabled for audit logging. 1518 # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. 1519 # `allServices` is a special value that covers all services. 1520 }, 1521 ], 1522 }</pre> 1523</div> 1524 1525<div class="method"> 1526 <code class="details" id="testIamPermissions">testIamPermissions(resource, body, x__xgafv=None)</code> 1527 <pre>Returns permissions that a caller has on the specified resource. 1528If the resource does not exist, this will return an empty set of 1529permissions, not a NOT_FOUND error. 1530 1531Note: This operation is designed to be used for building permission-aware 1532UIs and command-line tools, not for authorization checking. This operation 1533may "fail open" without warning. 1534 1535Args: 1536 resource: string, REQUIRED: The resource for which the policy detail is being requested. 1537See the operation documentation for the appropriate value for this field. (required) 1538 body: object, The request body. (required) 1539 The object takes the form of: 1540 1541{ # Request message for `TestIamPermissions` method. 1542 "permissions": [ # The set of permissions to check for the `resource`. Permissions with 1543 # wildcards (such as '*' or 'storage.*') are not allowed. For more 1544 # information see 1545 # [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions). 1546 "A String", 1547 ], 1548 } 1549 1550 x__xgafv: string, V1 error format. 1551 Allowed values 1552 1 - v1 error format 1553 2 - v2 error format 1554 1555Returns: 1556 An object of the form: 1557 1558 { # Response message for `TestIamPermissions` method. 1559 "permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is 1560 # allowed. 1561 "A String", 1562 ], 1563 }</pre> 1564</div> 1565 1566<div class="method"> 1567 <code class="details" id="updatePrimaryVersion">updatePrimaryVersion(name, body, x__xgafv=None)</code> 1568 <pre>Update the version of a CryptoKey that will be used in Encrypt. 1569 1570Returns an error if called on an asymmetric key. 1571 1572Args: 1573 name: string, The resource name of the CryptoKey to update. (required) 1574 body: object, The request body. (required) 1575 The object takes the form of: 1576 1577{ # Request message for KeyManagementService.UpdateCryptoKeyPrimaryVersion. 1578 "cryptoKeyVersionId": "A String", # The id of the child CryptoKeyVersion to use as primary. 1579 } 1580 1581 x__xgafv: string, V1 error format. 1582 Allowed values 1583 1 - v1 error format 1584 2 - v2 error format 1585 1586Returns: 1587 An object of the form: 1588 1589 { # A CryptoKey represents a logical key that can be used for cryptographic 1590 # operations. 1591 # 1592 # A CryptoKey is made up of one or more versions, which 1593 # represent the actual key material used in cryptographic operations. 1594 "labels": { # Labels with user-defined metadata. For more information, see 1595 # [Labeling Keys](/kms/docs/labeling-keys). 1596 "a_key": "A String", 1597 }, 1598 "name": "A String", # Output only. The resource name for this CryptoKey in the format 1599 # `projects/*/locations/*/keyRings/*/cryptoKeys/*`. 1600 "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service 1601 # automatically rotates a key. Must be at least one day. 1602 # 1603 # If rotation_period is set, next_rotation_time must also be set. 1604 # 1605 # Keys with purpose 1606 # ENCRYPT_DECRYPT support 1607 # automatic rotation. For other keys, this field must be omitted. 1608 "primary": { # A CryptoKeyVersion represents an individual cryptographic key, and the # Output only. A copy of the "primary" CryptoKeyVersion that will be used 1609 # by Encrypt when this CryptoKey is given 1610 # in EncryptRequest.name. 1611 # 1612 # The CryptoKey's primary version can be updated via 1613 # UpdateCryptoKeyPrimaryVersion. 1614 # 1615 # All keys with purpose 1616 # ENCRYPT_DECRYPT have a 1617 # primary. For other keys, this field will be omitted. 1618 # associated key material. 1619 # 1620 # An ENABLED version can be 1621 # used for cryptographic operations. 1622 # 1623 # For security reasons, the raw cryptographic key material represented by a 1624 # CryptoKeyVersion can never be viewed or exported. It can only be used to 1625 # encrypt, decrypt, or sign data when an authorized user or application invokes 1626 # Cloud KMS. 1627 "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled 1628 # for destruction. Only present if state is 1629 # DESTROY_SCHEDULED. 1630 "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format 1631 # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`. 1632 "algorithm": "A String", # Output only. The CryptoKeyVersionAlgorithm that this 1633 # CryptoKeyVersion supports. 1634 "protectionLevel": "A String", # Output only. The ProtectionLevel describing how crypto operations are 1635 # performed with this CryptoKeyVersion. 1636 "attestation": { # Contains an HSM-generated attestation about a key operation. For more # Output only. Statement that was generated and signed by the HSM at key 1637 # creation time. Use this statement to verify attributes of the key as stored 1638 # on the HSM, independently of Google. Only provided for key versions with 1639 # protection_level HSM. 1640 # information, see [Verifying attestations] 1641 # (https://cloud.google.com/kms/docs/attest-key). 1642 "content": "A String", # Output only. The attestation data provided by the HSM when the key 1643 # operation was performed. 1644 "format": "A String", # Output only. The format of the attestation data. 1645 }, 1646 "state": "A String", # The current state of the CryptoKeyVersion. 1647 "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was 1648 # destroyed. Only present if state is 1649 # DESTROYED. 1650 "generateTime": "A String", # Output only. The time this CryptoKeyVersion's key material was 1651 # generated. 1652 "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created. 1653 }, 1654 "createTime": "A String", # Output only. The time at which this CryptoKey was created. 1655 "purpose": "A String", # The immutable purpose of this CryptoKey. 1656 "versionTemplate": { # A CryptoKeyVersionTemplate specifies the properties to use when creating # A template describing settings for new CryptoKeyVersion instances. 1657 # The properties of new CryptoKeyVersion instances created by either 1658 # CreateCryptoKeyVersion or 1659 # auto-rotation are controlled by this template. 1660 # a new CryptoKeyVersion, either manually with 1661 # CreateCryptoKeyVersion or 1662 # automatically as a result of auto-rotation. 1663 "protectionLevel": "A String", # ProtectionLevel to use when creating a CryptoKeyVersion based on 1664 # this template. Immutable. Defaults to SOFTWARE. 1665 "algorithm": "A String", # Required. Algorithm to use 1666 # when creating a CryptoKeyVersion based on this template. 1667 # 1668 # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both 1669 # this field is omitted and CryptoKey.purpose is 1670 # ENCRYPT_DECRYPT. 1671 }, 1672 "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically: 1673 # 1674 # 1. Create a new version of this CryptoKey. 1675 # 2. Mark the new version as primary. 1676 # 1677 # Key rotations performed manually via 1678 # CreateCryptoKeyVersion and 1679 # UpdateCryptoKeyPrimaryVersion 1680 # do not affect next_rotation_time. 1681 # 1682 # Keys with purpose 1683 # ENCRYPT_DECRYPT support 1684 # automatic rotation. For other keys, this field must be omitted. 1685 }</pre> 1686</div> 1687 1688</body></html>