"""Generated message classes for cloudkms version v1.

Manages keys and performs cryptographic operations in a central cloud service,
for direct use by other cloud resources and applications.
"""
# NOTE: This file is autogenerated and should not be edited by hand.

from __future__ import absolute_import

from apitools.base.protorpclite import messages as _messages
from apitools.base.py import encoding
from apitools.base.py import extra_types


package = 'cloudkms'


class AsymmetricDecryptRequest(_messages.Message):
  r"""Request message for KeyManagementService.AsymmetricDecrypt.

  Fields:
    ciphertext: Required. The data encrypted with the named CryptoKeyVersion's
      public key using OAEP.
    ciphertextCrc32c: Optional. An optional CRC32C checksum of the
      AsymmetricDecryptRequest.ciphertext. If specified, KeyManagementService
      will verify the integrity of the received
      AsymmetricDecryptRequest.ciphertext using this checksum.
      KeyManagementService will report an error if the checksum verification
      fails. If you receive a checksum error, your client should verify that
      CRC32C(AsymmetricDecryptRequest.ciphertext) is equal to
      AsymmetricDecryptRequest.ciphertext_crc32c, and if so, perform a limited
      number of retries. A persistent mismatch may indicate an issue in your
      computation of the CRC32C checksum. Note: This field is defined as int64
      for reasons of compatibility across different languages. However, it is
      a non-negative integer, which will never exceed 2^32-1, and can be
      safely downconverted to uint32 in languages that support this type.
      NOTE: This field is in Beta.
  """

  # Documented as Required, but declared without required=True, so this
  # declaration does not flag a missing ciphertext.
  ciphertext = _messages.BytesField(1)
  # CRC32C catches accidental corruption in transit; it is not a MAC and does
  # not authenticate the ciphertext. Declared as a plain IntegerField, so the
  # documented 0..2^32-1 range is not enforced by this declaration.
  ciphertextCrc32c = _messages.IntegerField(2)


class AsymmetricDecryptResponse(_messages.Message):
  r"""Response message for KeyManagementService.AsymmetricDecrypt.

  Enums:
    ProtectionLevelValueValuesEnum: The ProtectionLevel of the
      CryptoKeyVersion used in decryption.

  Fields:
    plaintext: The decrypted data originally encrypted with the matching
      public key.
    plaintextCrc32c: Integrity verification field. A CRC32C checksum of the
      returned AsymmetricDecryptResponse.plaintext. An integrity check of
      AsymmetricDecryptResponse.plaintext can be performed by computing the
      CRC32C checksum of AsymmetricDecryptResponse.plaintext and comparing
      your results to this field. Discard the response in case of non-matching
      checksum values, and perform a limited number of retries. A persistent
      mismatch may indicate an issue in your computation of the CRC32C
      checksum. Note: This field is defined as int64 for reasons of
      compatibility across different languages. However, it is a non-negative
      integer, which will never exceed 2^32-1, and can be safely downconverted
      to uint32 in languages that support this type. NOTE: This field is in
      Beta.
    protectionLevel: The ProtectionLevel of the CryptoKeyVersion used in
      decryption.
    verifiedCiphertextCrc32c: Integrity verification field. A flag indicating
      whether AsymmetricDecryptRequest.ciphertext_crc32c was received by
      KeyManagementService and used for the integrity verification of the
      ciphertext. A false value of this field indicates either that
      AsymmetricDecryptRequest.ciphertext_crc32c was left unset or that it was
      not delivered to KeyManagementService. If you've set
      AsymmetricDecryptRequest.ciphertext_crc32c but this field is still
      false, discard the response and perform a limited number of retries.
      NOTE: This field is in Beta.
  """

  class ProtectionLevelValueValuesEnum(_messages.Enum):
    r"""The ProtectionLevel of the CryptoKeyVersion used in decryption.

    Values:
      PROTECTION_LEVEL_UNSPECIFIED: Not specified.
      SOFTWARE: Crypto operations are performed in software.
      HSM: Crypto operations are performed in a Hardware Security Module.
      EXTERNAL: Crypto operations are performed by an external key manager.
    """
    PROTECTION_LEVEL_UNSPECIFIED = 0
    SOFTWARE = 1
    HSM = 2
    EXTERNAL = 3

  plaintext = _messages.BytesField(1)
  # The caller is expected to recompute CRC32C over `plaintext` and compare it
  # with this value, discarding the response on mismatch (see docstring).
  plaintextCrc32c = _messages.IntegerField(2)
  protectionLevel = _messages.EnumField('ProtectionLevelValueValuesEnum', 3)
  # A false value after the request carried ciphertextCrc32c means the service
  # did not use the checksum; the docstring says to discard and retry.
  verifiedCiphertextCrc32c = _messages.BooleanField(4)


class AsymmetricSignRequest(_messages.Message):
  r"""Request message for KeyManagementService.AsymmetricSign.

  Fields:
    digest: Optional. The digest of the data to sign. The digest must be
      produced with the same digest algorithm as specified by the key
      version's algorithm.
    digestCrc32c: Optional. An optional CRC32C checksum of the
      AsymmetricSignRequest.digest. If specified, KeyManagementService will
      verify the integrity of the received AsymmetricSignRequest.digest using
      this checksum. KeyManagementService will report an error if the checksum
      verification fails. If you receive a checksum error, your client should
      verify that CRC32C(AsymmetricSignRequest.digest) is equal to
      AsymmetricSignRequest.digest_crc32c, and if so, perform a limited number
      of retries. A persistent mismatch may indicate an issue in your
      computation of the CRC32C checksum. Note: This field is defined as int64
      for reasons of compatibility across different languages. However, it is
      a non-negative integer, which will never exceed 2^32-1, and can be
      safely downconverted to uint32 in languages that support this type.
      NOTE: This field is in Beta.
  """

  digest = _messages.MessageField('Digest', 1)
  # Transport-integrity checksum over the digest; CRC32C is not a MAC, so it
  # guards against corruption, not against deliberate modification.
  digestCrc32c = _messages.IntegerField(2)


class AsymmetricSignResponse(_messages.Message):
  r"""Response message for KeyManagementService.AsymmetricSign.

  Enums:
    ProtectionLevelValueValuesEnum: The ProtectionLevel of the
      CryptoKeyVersion used for signing.

  Fields:
    name: The resource name of the CryptoKeyVersion used for signing. Check
      this field to verify that the intended resource was used for signing.
      NOTE: This field is in Beta.
    protectionLevel: The ProtectionLevel of the CryptoKeyVersion used for
      signing.
    signature: The created signature.
    signatureCrc32c: Integrity verification field. A CRC32C checksum of the
      returned AsymmetricSignResponse.signature. An integrity check of
      AsymmetricSignResponse.signature can be performed by computing the
      CRC32C checksum of AsymmetricSignResponse.signature and comparing your
      results to this field. Discard the response in case of non-matching
      checksum values, and perform a limited number of retries. A persistent
      mismatch may indicate an issue in your computation of the CRC32C
      checksum. Note: This field is defined as int64 for reasons of
      compatibility across different languages. However, it is a non-negative
      integer, which will never exceed 2^32-1, and can be safely downconverted
      to uint32 in languages that support this type. NOTE: This field is in
      Beta.
    verifiedDigestCrc32c: Integrity verification field. A flag indicating
      whether AsymmetricSignRequest.digest_crc32c was received by
      KeyManagementService and used for the integrity verification of the
      digest. A false value of this field indicates either that
      AsymmetricSignRequest.digest_crc32c was left unset or that it was not
      delivered to KeyManagementService. If you've set
      AsymmetricSignRequest.digest_crc32c but this field is still false,
      discard the response and perform a limited number of retries. NOTE: This
      field is in Beta.
  """

  class ProtectionLevelValueValuesEnum(_messages.Enum):
    r"""The ProtectionLevel of the CryptoKeyVersion used for signing.

    Values:
      PROTECTION_LEVEL_UNSPECIFIED: Not specified.
      SOFTWARE: Crypto operations are performed in software.
      HSM: Crypto operations are performed in a Hardware Security Module.
      EXTERNAL: Crypto operations are performed by an external key manager.
    """
    PROTECTION_LEVEL_UNSPECIFIED = 0
    SOFTWARE = 1
    HSM = 2
    EXTERNAL = 3

  # Compare with the CryptoKeyVersion that was requested: the docstring names
  # this as the check that the intended resource produced the signature.
  name = _messages.StringField(1)
  protectionLevel = _messages.EnumField('ProtectionLevelValueValuesEnum', 2)
  signature = _messages.BytesField(3)
  signatureCrc32c = _messages.IntegerField(4)
  # A false value after the request carried digestCrc32c means the service did
  # not use the checksum; the docstring says to discard and retry.
  verifiedDigestCrc32c = _messages.BooleanField(5)


class AuditConfig(_messages.Message):
  r"""Specifies the audit configuration for a service. The configuration
  determines which permission types are logged, and what identities, if any,
  are exempted from logging. An AuditConfig must have one or more
  AuditLogConfigs. If there are AuditConfigs for both `allServices` and a
  specific service, the union of the two AuditConfigs is used for that
  service: the log_types specified in each AuditConfig are enabled, and the
  exempted_members in each AuditLogConfig are exempted. Example Policy with
  multiple AuditConfigs: { "audit_configs": [ { "service": "allServices",
  "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [
  "user:jose@example.com" ] }, { "log_type": "DATA_WRITE" }, { "log_type":
  "ADMIN_READ" } ] }, { "service": "sampleservice.googleapis.com",
  "audit_log_configs": [ { "log_type": "DATA_READ" }, { "log_type":
  "DATA_WRITE", "exempted_members": [ "user:aliya@example.com" ] } ] } ] } For
  sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
  logging. It also exempts jose@example.com from DATA_READ logging, and
  aliya@example.com from DATA_WRITE logging.

  Fields:
    auditLogConfigs: The configuration for logging of each type of permission.
    service: Specifies a service that will be enabled for audit logging. For
      example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
      `allServices` is a special value that covers all services.
  """

  # Per the docstring, configs for `allServices` and for a specific service are
  # unioned, so exemptions from both apply to that service.
  auditLogConfigs = _messages.MessageField('AuditLogConfig', 1, repeated=True)
  service = _messages.StringField(2)


class AuditLogConfig(_messages.Message):
  r"""Provides the configuration for logging a type of permissions. Example: {
  "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [
  "user:jose@example.com" ] }, { "log_type": "DATA_WRITE" } ] } This enables
  'DATA_READ' and 'DATA_WRITE' logging, while exempting jose@example.com from
  DATA_READ logging.

  Enums:
    LogTypeValueValuesEnum: The log type that this config enables.

  Fields:
    exemptedMembers: Specifies the identities that do not cause logging for
      this type of permission. Follows the same format of Binding.members.
    logType: The log type that this config enables.
  """

  class LogTypeValueValuesEnum(_messages.Enum):
    r"""The log type that this config enables.

    Values:
      LOG_TYPE_UNSPECIFIED: Default case. Should never be this.
      ADMIN_READ: Admin reads. Example: CloudIAM getIamPolicy
      DATA_WRITE: Data writes. Example: CloudSQL Users create
      DATA_READ: Data reads. Example: CloudSQL Users list
    """
    LOG_TYPE_UNSPECIFIED = 0
    ADMIN_READ = 1
    DATA_WRITE = 2
    DATA_READ = 3

  # Identities listed here produce no log entries for this log type (see
  # docstring); each exemption is a gap in audit coverage worth reviewing.
  exemptedMembers = _messages.StringField(1, repeated=True)
  logType = _messages.EnumField('LogTypeValueValuesEnum', 2)


class Binding(_messages.Message):
  r"""Associates `members` with a `role`.

  Fields:
    condition: The condition that is associated with this binding. If the
      condition evaluates to `true`, then this binding applies to the current
      request. If the condition evaluates to `false`, then this binding does
      not apply to the current request. However, a different role binding
      might grant the same role to one or more of the members in this binding.
      To learn which resources support conditions in their IAM policies, see
      the [IAM
      documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
    members: Specifies the identities requesting access for a Cloud Platform
      resource. `members` can have the following values: * `allUsers`: A
      special identifier that represents anyone who is on the internet; with
      or without a Google account. * `allAuthenticatedUsers`: A special
      identifier that represents anyone who is authenticated with a Google
      account or a service account. * `user:{emailid}`: An email address that
      represents a specific Google account. For example, `alice@example.com` .
      * `serviceAccount:{emailid}`: An email address that represents a service
      account. For example, `my-other-app@appspot.gserviceaccount.com`. *
      `group:{emailid}`: An email address that represents a Google group. For
      example, `admins@example.com`. *
      `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
      identifier) representing a user that has been recently deleted. For
      example, `alice@example.com?uid=123456789012345678901`. If the user is
      recovered, this value reverts to `user:{emailid}` and the recovered user
      retains the role in the binding. *
      `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address
      (plus unique identifier) representing a service account that has been
      recently deleted. For example,
      `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If
      the service account is undeleted, this value reverts to
      `serviceAccount:{emailid}` and the undeleted service account retains the
      role in the binding. * `deleted:group:{emailid}?uid={uniqueid}`: An
      email address (plus unique identifier) representing a Google group that
      has been recently deleted. For example,
      `admins@example.com?uid=123456789012345678901`. If the group is
      recovered, this value reverts to `group:{emailid}` and the recovered
      group retains the role in the binding. * `domain:{domain}`: The G Suite
      domain (primary) that represents all the users of that domain. For
      example, `google.com` or `example.com`.
    role: Role that is assigned to `members`. For example, `roles/viewer`,
      `roles/editor`, or `roles/owner`.
  """

  # A false condition only disables this binding; per the docstring another
  # binding may still grant the same role to the same member.
  condition = _messages.MessageField('Expr', 1)
  # `allUsers` and `allAuthenticatedUsers` (see docstring) grant the role to
  # identities outside the project's own accounts; on key resources they are
  # worth flagging in policy review. `deleted:` members regain the role when
  # the identity is recovered.
  members = _messages.StringField(2, repeated=True)
  role = _messages.StringField(3)


class CertificateChains(_messages.Message):
  r"""Certificate chains needed to verify the attestation. Certificates in
  chains are PEM-encoded and are ordered based on
  https://tools.ietf.org/html/rfc5246#section-7.4.2.

  Fields:
    caviumCerts: Cavium certificate chain corresponding to the attestation.
    googleCardCerts: Google card certificate chain corresponding to the
      attestation.
    googlePartitionCerts: Google partition certificate chain corresponding to
      the attestation.
  """

  # Each chain is a list of PEM strings; nothing in this message validates
  # them, so chain and attestation verification is left to the caller.
  caviumCerts = _messages.StringField(1, repeated=True)
  googleCardCerts = _messages.StringField(2, repeated=True)
  googlePartitionCerts = _messages.StringField(3, repeated=True)


class CloudkmsProjectsLocationsGetRequest(_messages.Message):
  r"""A CloudkmsProjectsLocationsGetRequest object.

  Fields:
    name: Resource name for the location.
  """

  name = _messages.StringField(1, required=True)


class CloudkmsProjectsLocationsKeyRingsCreateRequest(_messages.Message):
  r"""A CloudkmsProjectsLocationsKeyRingsCreateRequest object.

  Fields:
    keyRing: A KeyRing resource to be passed as the request body.
    keyRingId: Required. It must be unique within a location and match the
      regular expression `[a-zA-Z0-9_-]{1,63}`
    parent: Required. The resource name of the location associated with the
      KeyRings, in the format `projects/*/locations/*`.
  """

  keyRing = _messages.MessageField('KeyRing', 1)
  # Documented as Required with a fixed pattern, but declared without
  # required=True and without a pattern check here; presumably the service
  # enforces both - confirm before relying on client-side rejection.
  keyRingId = _messages.StringField(2)
  parent = _messages.StringField(3, required=True)


class CloudkmsProjectsLocationsKeyRingsCryptoKeysCreateRequest(_messages.Message):
  r"""A CloudkmsProjectsLocationsKeyRingsCryptoKeysCreateRequest object.

  Fields:
    cryptoKey: A CryptoKey resource to be passed as the request body.
    cryptoKeyId: Required. It must be unique within a KeyRing and match the
      regular expression `[a-zA-Z0-9_-]{1,63}`
    parent: Required. The name of the KeyRing associated with the CryptoKeys.
    skipInitialVersionCreation: If set to true, the request will create a
      CryptoKey without any CryptoKeyVersions. You must manually call
      CreateCryptoKeyVersion or ImportCryptoKeyVersion before you can use this
      CryptoKey.
  """

  cryptoKey = _messages.MessageField('CryptoKey', 1)
  # Documented as Required with a fixed pattern; neither is enforced by this
  # declaration (no required=True, no pattern check).
  cryptoKeyId = _messages.StringField(2)
  parent = _messages.StringField(3, required=True)
  skipInitialVersionCreation = _messages.BooleanField(4)


class CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsAsymmetricDecryptRequest(_messages.Message):
  r"""A
  CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsAsymmetricDecryptRequest
  object.

  Fields:
    asymmetricDecryptRequest: A AsymmetricDecryptRequest resource to be passed
      as the request body.
    name: Required. The resource name of the CryptoKeyVersion to use for
      decryption.
  """

  asymmetricDecryptRequest = _messages.MessageField('AsymmetricDecryptRequest', 1)
  name = _messages.StringField(2, required=True)


class CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsAsymmetricSignRequest(_messages.Message):
  r"""A
  CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsAsymmetricSignRequest
  object.

  Fields:
    asymmetricSignRequest: A AsymmetricSignRequest resource to be passed as
      the request body.
    name: Required. The resource name of the CryptoKeyVersion to use for
      signing.
  """

  asymmetricSignRequest = _messages.MessageField('AsymmetricSignRequest', 1)
  name = _messages.StringField(2, required=True)


class CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsCreateRequest(_messages.Message):
  r"""A
  CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsCreateRequest
  object.

  Fields:
    cryptoKeyVersion: A CryptoKeyVersion resource to be passed as the request
      body.
    parent: Required. The name of the CryptoKey associated with the
      CryptoKeyVersions.
  """

  cryptoKeyVersion = _messages.MessageField('CryptoKeyVersion', 1)
  parent = _messages.StringField(2, required=True)


class CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsDestroyRequest(_messages.Message):
  r"""A
  CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsDestroyRequest
  object.

  Fields:
    destroyCryptoKeyVersionRequest: A DestroyCryptoKeyVersionRequest resource
      to be passed as the request body.
    name: Required. The resource name of the CryptoKeyVersion to destroy.
  """

  destroyCryptoKeyVersionRequest = _messages.MessageField('DestroyCryptoKeyVersionRequest', 1)
  name = _messages.StringField(2, required=True)


class CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsGetPublicKeyRequest(_messages.Message):
  r"""A
  CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsGetPublicKeyRequest
  object.

  Fields:
    name: Required. The name of the CryptoKeyVersion public key to get.
  """

  name = _messages.StringField(1, required=True)


class CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsGetRequest(_messages.Message):
  r"""A CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsGetRequest
  object.

  Fields:
    name: Required. The name of the CryptoKeyVersion to get.
  """

  name = _messages.StringField(1, required=True)


class CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsImportRequest(_messages.Message):
  r"""A
  CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsImportRequest
  object.

  Fields:
    importCryptoKeyVersionRequest: A ImportCryptoKeyVersionRequest resource to
      be passed as the request body.
    parent: Required. The name of the CryptoKey to be imported into.
  """

  importCryptoKeyVersionRequest = _messages.MessageField('ImportCryptoKeyVersionRequest', 1)
  parent = _messages.StringField(2, required=True)


class CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsListRequest(_messages.Message):
  r"""A
  CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsListRequest
  object.

  Enums:
    ViewValueValuesEnum: The fields to include in the response.

  Fields:
    filter: Optional. Only include resources that match the filter in the
      response. For more information, see [Sorting and filtering list
      results](https://cloud.google.com/kms/docs/sorting-and-filtering).
    orderBy: Optional. Specify how the results should be sorted. If not
      specified, the results will be sorted in the default order. For more
      information, see [Sorting and filtering list
      results](https://cloud.google.com/kms/docs/sorting-and-filtering).
    pageSize: Optional. Optional limit on the number of CryptoKeyVersions to
      include in the response. Further CryptoKeyVersions can subsequently be
      obtained by including the ListCryptoKeyVersionsResponse.next_page_token
      in a subsequent request. If unspecified, the server will pick an
      appropriate default.
    pageToken: Optional. Optional pagination token, returned earlier via
      ListCryptoKeyVersionsResponse.next_page_token.
    parent: Required. The resource name of the CryptoKey to list, in the
      format `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
    view: The fields to include in the response.
  """

  class ViewValueValuesEnum(_messages.Enum):
    r"""The fields to include in the response.

    Values:
      CRYPTO_KEY_VERSION_VIEW_UNSPECIFIED: Default view for each
        CryptoKeyVersion. Does not include the attestation field.
      FULL: Provides all fields in each CryptoKeyVersion, including the
        attestation.
    """
    CRYPTO_KEY_VERSION_VIEW_UNSPECIFIED = 0
    FULL = 1

  filter = _messages.StringField(1)
  orderBy = _messages.StringField(2)
  pageSize = _messages.IntegerField(3, variant=_messages.Variant.INT32)
  pageToken = _messages.StringField(4)
  parent = _messages.StringField(5, required=True)
  # The default view omits the attestation (see enum docstring); request FULL
  # when the attestation is needed for verification.
  view = _messages.EnumField('ViewValueValuesEnum', 6)


class CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsPatchRequest(_messages.Message):
  r"""A
  CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsPatchRequest
  object.

  Fields:
    cryptoKeyVersion: A CryptoKeyVersion resource to be passed as the request
      body.
    name: Output only. The resource name for this CryptoKeyVersion in the
      format
      `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
    updateMask: Required. List of fields to be updated in this request.
  """

  cryptoKeyVersion = _messages.MessageField('CryptoKeyVersion', 1)
  # NOTE(review): the docstring says "Output only", yet the field is declared
  # required=True here - presumably it identifies the version to patch;
  # confirm against the service definition.
  name = _messages.StringField(2, required=True)
  # Documented as Required but declared without required=True.
  updateMask = _messages.StringField(3)


class CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsRestoreRequest(_messages.Message):
  r"""A
  CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsRestoreRequest
  object.

  Fields:
    name: Required. The resource name of the CryptoKeyVersion to restore.
    restoreCryptoKeyVersionRequest: A RestoreCryptoKeyVersionRequest resource
      to be passed as the request body.
  """

  name = _messages.StringField(1, required=True)
  restoreCryptoKeyVersionRequest = _messages.MessageField('RestoreCryptoKeyVersionRequest', 2)


class CloudkmsProjectsLocationsKeyRingsCryptoKeysDecryptRequest(_messages.Message):
  r"""A CloudkmsProjectsLocationsKeyRingsCryptoKeysDecryptRequest object.

  Fields:
    decryptRequest: A DecryptRequest resource to be passed as the request
      body.
    name: Required. The resource name of the CryptoKey to use for decryption.
      The server will choose the appropriate version.
  """

  decryptRequest = _messages.MessageField('DecryptRequest', 1)
  name = _messages.StringField(2, required=True)


class CloudkmsProjectsLocationsKeyRingsCryptoKeysEncryptRequest(_messages.Message):
  r"""A CloudkmsProjectsLocationsKeyRingsCryptoKeysEncryptRequest object.

  Fields:
    encryptRequest: A EncryptRequest resource to be passed as the request
      body.
    name: Required. The resource name of the CryptoKey or CryptoKeyVersion to
      use for encryption. If a CryptoKey is specified, the server will use its
      primary version.
  """

  encryptRequest = _messages.MessageField('EncryptRequest', 1)
  name = _messages.StringField(2, required=True)


class CloudkmsProjectsLocationsKeyRingsCryptoKeysGetIamPolicyRequest(_messages.Message):
  r"""A CloudkmsProjectsLocationsKeyRingsCryptoKeysGetIamPolicyRequest object.

  Fields:
    options_requestedPolicyVersion: Optional. The policy format version to be
      returned. Valid values are 0, 1, and 3. Requests specifying an invalid
      value will be rejected. Requests for policies with any conditional
      bindings must specify version 3. Policies without any conditional
      bindings may specify any valid value or leave the field unset. To learn
      which resources support conditions in their IAM policies, see the [IAM
      documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
    resource: REQUIRED: The resource for which the policy is being requested.
      See the operation documentation for the appropriate value for this
      field.
  """

  # Leaving this unset is documented as valid only for policies without
  # conditional bindings; those with conditions must be requested as version 3.
  options_requestedPolicyVersion = _messages.IntegerField(1, variant=_messages.Variant.INT32)
  resource = _messages.StringField(2, required=True)


class CloudkmsProjectsLocationsKeyRingsCryptoKeysGetRequest(_messages.Message):
  r"""A CloudkmsProjectsLocationsKeyRingsCryptoKeysGetRequest object.

  Fields:
    name: Required. The name of the CryptoKey to get.
  """

  name = _messages.StringField(1, required=True)


class CloudkmsProjectsLocationsKeyRingsCryptoKeysListRequest(_messages.Message):
  r"""A CloudkmsProjectsLocationsKeyRingsCryptoKeysListRequest object.

  Enums:
    VersionViewValueValuesEnum: The fields of the primary version to include
      in the response.

  Fields:
    filter: Optional. Only include resources that match the filter in the
      response. For more information, see [Sorting and filtering list
      results](https://cloud.google.com/kms/docs/sorting-and-filtering).
    orderBy: Optional. Specify how the results should be sorted. If not
      specified, the results will be sorted in the default order. For more
      information, see [Sorting and filtering list
      results](https://cloud.google.com/kms/docs/sorting-and-filtering).
    pageSize: Optional. Optional limit on the number of CryptoKeys to include
      in the response. Further CryptoKeys can subsequently be obtained by
      including the ListCryptoKeysResponse.next_page_token in a subsequent
      request. If unspecified, the server will pick an appropriate default.
    pageToken: Optional. Optional pagination token, returned earlier via
      ListCryptoKeysResponse.next_page_token.
    parent: Required. The resource name of the KeyRing to list, in the format
      `projects/*/locations/*/keyRings/*`.
    versionView: The fields of the primary version to include in the response.
  """

  class VersionViewValueValuesEnum(_messages.Enum):
    r"""The fields of the primary version to include in the response.

    Values:
      CRYPTO_KEY_VERSION_VIEW_UNSPECIFIED: Default view for each
        CryptoKeyVersion. Does not include the attestation field.
      FULL: Provides all fields in each CryptoKeyVersion, including the
        attestation.
    """
    CRYPTO_KEY_VERSION_VIEW_UNSPECIFIED = 0
    FULL = 1

  filter = _messages.StringField(1)
  orderBy = _messages.StringField(2)
  pageSize = _messages.IntegerField(3, variant=_messages.Variant.INT32)
  pageToken = _messages.StringField(4)
  parent = _messages.StringField(5, required=True)
  versionView = _messages.EnumField('VersionViewValueValuesEnum', 6)


class CloudkmsProjectsLocationsKeyRingsCryptoKeysPatchRequest(_messages.Message):
  r"""A CloudkmsProjectsLocationsKeyRingsCryptoKeysPatchRequest object.

  Fields:
    cryptoKey: A CryptoKey resource to be passed as the request body.
    name: Output only. The resource name for this CryptoKey in the format
      `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
    updateMask: Required. List of fields to be updated in this request.
  """

  cryptoKey = _messages.MessageField('CryptoKey', 1)
  # NOTE(review): the docstring says "Output only", yet the field is declared
  # required=True here - presumably it identifies the key to patch; confirm
  # against the service definition.
  name = _messages.StringField(2, required=True)
  # Documented as Required but declared without required=True.
  updateMask = _messages.StringField(3)


class CloudkmsProjectsLocationsKeyRingsCryptoKeysSetIamPolicyRequest(_messages.Message):
  r"""A CloudkmsProjectsLocationsKeyRingsCryptoKeysSetIamPolicyRequest object.

  Fields:
    resource: REQUIRED: The resource for which the policy is being specified.
      See the operation documentation for the appropriate value for this
      field.
    setIamPolicyRequest: A SetIamPolicyRequest resource to be passed as the
      request body.
  """

  resource = _messages.StringField(1, required=True)
  setIamPolicyRequest = _messages.MessageField('SetIamPolicyRequest', 2)


class CloudkmsProjectsLocationsKeyRingsCryptoKeysTestIamPermissionsRequest(_messages.Message):
  r"""A CloudkmsProjectsLocationsKeyRingsCryptoKeysTestIamPermissionsRequest
  object.

  Fields:
    resource: REQUIRED: The resource for which the policy detail is being
      requested. See the operation documentation for the appropriate value for
      this field.
    testIamPermissionsRequest: A TestIamPermissionsRequest resource to be
      passed as the request body.
  """

  resource = _messages.StringField(1, required=True)
  testIamPermissionsRequest = _messages.MessageField('TestIamPermissionsRequest', 2)


class CloudkmsProjectsLocationsKeyRingsCryptoKeysUpdatePrimaryVersionRequest(_messages.Message):
  r"""A CloudkmsProjectsLocationsKeyRingsCryptoKeysUpdatePrimaryVersionRequest
  object.

  Fields:
    name: Required. The resource name of the CryptoKey to update.
    updateCryptoKeyPrimaryVersionRequest: A
      UpdateCryptoKeyPrimaryVersionRequest resource to be passed as the
      request body.
  """

  name = _messages.StringField(1, required=True)
  updateCryptoKeyPrimaryVersionRequest = _messages.MessageField('UpdateCryptoKeyPrimaryVersionRequest', 2)


class CloudkmsProjectsLocationsKeyRingsGetIamPolicyRequest(_messages.Message):
  r"""A CloudkmsProjectsLocationsKeyRingsGetIamPolicyRequest object.

  Fields:
    options_requestedPolicyVersion: Optional. The policy format version to be
      returned. Valid values are 0, 1, and 3. Requests specifying an invalid
      value will be rejected. Requests for policies with any conditional
      bindings must specify version 3. Policies without any conditional
      bindings may specify any valid value or leave the field unset. To learn
      which resources support conditions in their IAM policies, see the [IAM
      documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
    resource: REQUIRED: The resource for which the policy is being requested.
      See the operation documentation for the appropriate value for this
      field.
  """

  options_requestedPolicyVersion = _messages.IntegerField(1, variant=_messages.Variant.INT32)
  resource = _messages.StringField(2, required=True)


class CloudkmsProjectsLocationsKeyRingsGetRequest(_messages.Message):
  r"""A CloudkmsProjectsLocationsKeyRingsGetRequest object.

  Fields:
    name: Required. The name of the KeyRing to get.
  """

  name = _messages.StringField(1, required=True)


class CloudkmsProjectsLocationsKeyRingsImportJobsCreateRequest(_messages.Message):
  r"""A CloudkmsProjectsLocationsKeyRingsImportJobsCreateRequest object.

  Fields:
    importJob: A ImportJob resource to be passed as the request body.
    importJobId: Required. It must be unique within a KeyRing and match the
      regular expression `[a-zA-Z0-9_-]{1,63}`
    parent: Required. The name of the KeyRing associated with the ImportJobs.
  """

  importJob = _messages.MessageField('ImportJob', 1)
  # Documented as Required with a fixed pattern; neither is enforced by this
  # declaration (no required=True, no pattern check).
  importJobId = _messages.StringField(2)
  parent = _messages.StringField(3, required=True)


class CloudkmsProjectsLocationsKeyRingsImportJobsGetIamPolicyRequest(_messages.Message):
  r"""A CloudkmsProjectsLocationsKeyRingsImportJobsGetIamPolicyRequest object.

  Fields:
    options_requestedPolicyVersion: Optional. The policy format version to be
      returned. Valid values are 0, 1, and 3. Requests specifying an invalid
      value will be rejected. Requests for policies with any conditional
      bindings must specify version 3. Policies without any conditional
      bindings may specify any valid value or leave the field unset. To learn
      which resources support conditions in their IAM policies, see the [IAM
      documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
    resource: REQUIRED: The resource for which the policy is being requested.
      See the operation documentation for the appropriate value for this
      field.
  """

  options_requestedPolicyVersion = _messages.IntegerField(1, variant=_messages.Variant.INT32)
  resource = _messages.StringField(2, required=True)


class CloudkmsProjectsLocationsKeyRingsImportJobsGetRequest(_messages.Message):
  r"""A CloudkmsProjectsLocationsKeyRingsImportJobsGetRequest object.

  Fields:
    name: Required. The name of the ImportJob to get.
  """

  name = _messages.StringField(1, required=True)


class CloudkmsProjectsLocationsKeyRingsImportJobsListRequest(_messages.Message):
  r"""A CloudkmsProjectsLocationsKeyRingsImportJobsListRequest object.

  Fields:
    filter: Optional. Only include resources that match the filter in the
      response. For more information, see [Sorting and filtering list
      results](https://cloud.google.com/kms/docs/sorting-and-filtering).
    orderBy: Optional. Specify how the results should be sorted. If not
      specified, the results will be sorted in the default order. For more
      information, see [Sorting and filtering list
      results](https://cloud.google.com/kms/docs/sorting-and-filtering).
    pageSize: Optional. Optional limit on the number of ImportJobs to include
      in the response. Further ImportJobs can subsequently be obtained by
      including the ListImportJobsResponse.next_page_token in a subsequent
      request. If unspecified, the server will pick an appropriate default.
    pageToken: Optional. Optional pagination token, returned earlier via
      ListImportJobsResponse.next_page_token.
    parent: Required. The resource name of the KeyRing to list, in the format
      `projects/*/locations/*/keyRings/*`.
  """

  filter = _messages.StringField(1)
  orderBy = _messages.StringField(2)
  pageSize = _messages.IntegerField(3, variant=_messages.Variant.INT32)
  pageToken = _messages.StringField(4)
  parent = _messages.StringField(5, required=True)


class CloudkmsProjectsLocationsKeyRingsImportJobsSetIamPolicyRequest(_messages.Message):
  r"""A CloudkmsProjectsLocationsKeyRingsImportJobsSetIamPolicyRequest object.

  Fields:
    resource: REQUIRED: The resource for which the policy is being specified.
      See the operation documentation for the appropriate value for this
      field.
    setIamPolicyRequest: A SetIamPolicyRequest resource to be passed as the
      request body.
  """

  resource = _messages.StringField(1, required=True)
  setIamPolicyRequest = _messages.MessageField('SetIamPolicyRequest', 2)


class CloudkmsProjectsLocationsKeyRingsImportJobsTestIamPermissionsRequest(_messages.Message):
  r"""A CloudkmsProjectsLocationsKeyRingsImportJobsTestIamPermissionsRequest
  object.

  Fields:
    resource: REQUIRED: The resource for which the policy detail is being
      requested. See the operation documentation for the appropriate value for
      this field.
837 testIamPermissionsRequest: A TestIamPermissionsRequest resource to be 838 passed as the request body. 839 """ 840 841 resource = _messages.StringField(1, required=True) 842 testIamPermissionsRequest = _messages.MessageField('TestIamPermissionsRequest', 2) 843 844 845class CloudkmsProjectsLocationsKeyRingsListRequest(_messages.Message): 846 r"""A CloudkmsProjectsLocationsKeyRingsListRequest object. 847 848 Fields: 849 filter: Optional. Only include resources that match the filter in the 850 response. For more information, see [Sorting and filtering list 851 results](https://cloud.google.com/kms/docs/sorting-and-filtering). 852 orderBy: Optional. Specify how the results should be sorted. If not 853 specified, the results will be sorted in the default order. For more 854 information, see [Sorting and filtering list 855 results](https://cloud.google.com/kms/docs/sorting-and-filtering). 856 pageSize: Optional. Optional limit on the number of KeyRings to include in 857 the response. Further KeyRings can subsequently be obtained by including 858 the ListKeyRingsResponse.next_page_token in a subsequent request. If 859 unspecified, the server will pick an appropriate default. 860 pageToken: Optional. Optional pagination token, returned earlier via 861 ListKeyRingsResponse.next_page_token. 862 parent: Required. The resource name of the location associated with the 863 KeyRings, in the format `projects/*/locations/*`. 864 """ 865 866 filter = _messages.StringField(1) 867 orderBy = _messages.StringField(2) 868 pageSize = _messages.IntegerField(3, variant=_messages.Variant.INT32) 869 pageToken = _messages.StringField(4) 870 parent = _messages.StringField(5, required=True) 871 872 873class CloudkmsProjectsLocationsKeyRingsSetIamPolicyRequest(_messages.Message): 874 r"""A CloudkmsProjectsLocationsKeyRingsSetIamPolicyRequest object. 875 876 Fields: 877 resource: REQUIRED: The resource for which the policy is being specified. 
878 See the operation documentation for the appropriate value for this 879 field. 880 setIamPolicyRequest: A SetIamPolicyRequest resource to be passed as the 881 request body. 882 """ 883 884 resource = _messages.StringField(1, required=True) 885 setIamPolicyRequest = _messages.MessageField('SetIamPolicyRequest', 2) 886 887 888class CloudkmsProjectsLocationsKeyRingsTestIamPermissionsRequest(_messages.Message): 889 r"""A CloudkmsProjectsLocationsKeyRingsTestIamPermissionsRequest object. 890 891 Fields: 892 resource: REQUIRED: The resource for which the policy detail is being 893 requested. See the operation documentation for the appropriate value for 894 this field. 895 testIamPermissionsRequest: A TestIamPermissionsRequest resource to be 896 passed as the request body. 897 """ 898 899 resource = _messages.StringField(1, required=True) 900 testIamPermissionsRequest = _messages.MessageField('TestIamPermissionsRequest', 2) 901 902 903class CloudkmsProjectsLocationsListRequest(_messages.Message): 904 r"""A CloudkmsProjectsLocationsListRequest object. 905 906 Fields: 907 filter: The standard list filter. 908 name: The resource that owns the locations collection, if applicable. 909 pageSize: The standard list page size. 910 pageToken: The standard list page token. 911 """ 912 913 filter = _messages.StringField(1) 914 name = _messages.StringField(2, required=True) 915 pageSize = _messages.IntegerField(3, variant=_messages.Variant.INT32) 916 pageToken = _messages.StringField(4) 917 918 919class CryptoKey(_messages.Message): 920 r"""A CryptoKey represents a logical key that can be used for cryptographic 921 operations. A CryptoKey is made up of zero or more versions, which represent 922 the actual key material used in cryptographic operations. 923 924 Enums: 925 PurposeValueValuesEnum: Immutable. The immutable purpose of this 926 CryptoKey. 927 928 Messages: 929 LabelsValue: Labels with user-defined metadata. 
For more information, see 930 [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys). 931 932 Fields: 933 createTime: Output only. The time at which this CryptoKey was created. 934 labels: Labels with user-defined metadata. For more information, see 935 [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys). 936 name: Output only. The resource name for this CryptoKey in the format 937 `projects/*/locations/*/keyRings/*/cryptoKeys/*`. 938 nextRotationTime: At next_rotation_time, the Key Management Service will 939 automatically: 1. Create a new version of this CryptoKey. 2. Mark the 940 new version as primary. Key rotations performed manually via 941 CreateCryptoKeyVersion and UpdateCryptoKeyPrimaryVersion do not affect 942 next_rotation_time. Keys with purpose ENCRYPT_DECRYPT support automatic 943 rotation. For other keys, this field must be omitted. 944 primary: Output only. A copy of the "primary" CryptoKeyVersion that will 945 be used by Encrypt when this CryptoKey is given in EncryptRequest.name. 946 The CryptoKey's primary version can be updated via 947 UpdateCryptoKeyPrimaryVersion. Keys with purpose ENCRYPT_DECRYPT may 948 have a primary. For other keys, this field will be omitted. 949 purpose: Immutable. The immutable purpose of this CryptoKey. 950 rotationPeriod: next_rotation_time will be advanced by this period when 951 the service automatically rotates a key. Must be at least 24 hours and 952 at most 876,000 hours. If rotation_period is set, next_rotation_time 953 must also be set. Keys with purpose ENCRYPT_DECRYPT support automatic 954 rotation. For other keys, this field must be omitted. 955 versionTemplate: A template describing settings for new CryptoKeyVersion 956 instances. The properties of new CryptoKeyVersion instances created by 957 either CreateCryptoKeyVersion or auto-rotation are controlled by this 958 template. 959 """ 960 961 class PurposeValueValuesEnum(_messages.Enum): 962 r"""Immutable. 
The immutable purpose of this CryptoKey. 963 964 Values: 965 CRYPTO_KEY_PURPOSE_UNSPECIFIED: Not specified. 966 ENCRYPT_DECRYPT: CryptoKeys with this purpose may be used with Encrypt 967 and Decrypt. 968 ASYMMETRIC_SIGN: CryptoKeys with this purpose may be used with 969 AsymmetricSign and GetPublicKey. 970 ASYMMETRIC_DECRYPT: CryptoKeys with this purpose may be used with 971 AsymmetricDecrypt and GetPublicKey. 972 """ 973 CRYPTO_KEY_PURPOSE_UNSPECIFIED = 0 974 ENCRYPT_DECRYPT = 1 975 ASYMMETRIC_SIGN = 2 976 ASYMMETRIC_DECRYPT = 3 977 978 @encoding.MapUnrecognizedFields('additionalProperties') 979 class LabelsValue(_messages.Message): 980 r"""Labels with user-defined metadata. For more information, see [Labeling 981 Keys](https://cloud.google.com/kms/docs/labeling-keys). 982 983 Messages: 984 AdditionalProperty: An additional property for a LabelsValue object. 985 986 Fields: 987 additionalProperties: Additional properties of type LabelsValue 988 """ 989 990 class AdditionalProperty(_messages.Message): 991 r"""An additional property for a LabelsValue object. 992 993 Fields: 994 key: Name of the additional property. 995 value: A string attribute. 996 """ 997 998 key = _messages.StringField(1) 999 value = _messages.StringField(2) 1000 1001 additionalProperties = _messages.MessageField('AdditionalProperty', 1, repeated=True) 1002 1003 createTime = _messages.StringField(1) 1004 labels = _messages.MessageField('LabelsValue', 2) 1005 name = _messages.StringField(3) 1006 nextRotationTime = _messages.StringField(4) 1007 primary = _messages.MessageField('CryptoKeyVersion', 5) 1008 purpose = _messages.EnumField('PurposeValueValuesEnum', 6) 1009 rotationPeriod = _messages.StringField(7) 1010 versionTemplate = _messages.MessageField('CryptoKeyVersionTemplate', 8) 1011 1012 1013class CryptoKeyVersion(_messages.Message): 1014 r"""A CryptoKeyVersion represents an individual cryptographic key, and the 1015 associated key material. 
An ENABLED version can be used for cryptographic 1016 operations. For security reasons, the raw cryptographic key material 1017 represented by a CryptoKeyVersion can never be viewed or exported. It can 1018 only be used to encrypt, decrypt, or sign data when an authorized user or 1019 application invokes Cloud KMS. 1020 1021 Enums: 1022 AlgorithmValueValuesEnum: Output only. The CryptoKeyVersionAlgorithm that 1023 this CryptoKeyVersion supports. 1024 ProtectionLevelValueValuesEnum: Output only. The ProtectionLevel 1025 describing how crypto operations are performed with this 1026 CryptoKeyVersion. 1027 StateValueValuesEnum: The current state of the CryptoKeyVersion. 1028 1029 Fields: 1030 algorithm: Output only. The CryptoKeyVersionAlgorithm that this 1031 CryptoKeyVersion supports. 1032 attestation: Output only. Statement that was generated and signed by the 1033 HSM at key creation time. Use this statement to verify attributes of the 1034 key as stored on the HSM, independently of Google. Only provided for key 1035 versions with protection_level HSM. 1036 createTime: Output only. The time at which this CryptoKeyVersion was 1037 created. 1038 destroyEventTime: Output only. The time this CryptoKeyVersion's key 1039 material was destroyed. Only present if state is DESTROYED. 1040 destroyTime: Output only. The time this CryptoKeyVersion's key material is 1041 scheduled for destruction. Only present if state is DESTROY_SCHEDULED. 1042 externalProtectionLevelOptions: ExternalProtectionLevelOptions stores a 1043 group of additional fields for configuring a CryptoKeyVersion that are 1044 specific to the EXTERNAL protection level. 1045 generateTime: Output only. The time this CryptoKeyVersion's key material 1046 was generated. 1047 importFailureReason: Output only. The root cause of an import failure. 1048 Only present if state is IMPORT_FAILED. 1049 importJob: Output only. The name of the ImportJob used to import this 1050 CryptoKeyVersion. 
Only present if the underlying key material was 1051 imported. 1052 importTime: Output only. The time at which this CryptoKeyVersion's key 1053 material was imported. 1054 name: Output only. The resource name for this CryptoKeyVersion in the 1055 format 1056 `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`. 1057 protectionLevel: Output only. The ProtectionLevel describing how crypto 1058 operations are performed with this CryptoKeyVersion. 1059 state: The current state of the CryptoKeyVersion. 1060 """ 1061 1062 class AlgorithmValueValuesEnum(_messages.Enum): 1063 r"""Output only. The CryptoKeyVersionAlgorithm that this CryptoKeyVersion 1064 supports. 1065 1066 Values: 1067 CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED: Not specified. 1068 GOOGLE_SYMMETRIC_ENCRYPTION: Creates symmetric encryption keys. 1069 RSA_SIGN_PSS_2048_SHA256: RSASSA-PSS 2048 bit key with a SHA256 digest. 1070 RSA_SIGN_PSS_3072_SHA256: RSASSA-PSS 3072 bit key with a SHA256 digest. 1071 RSA_SIGN_PSS_4096_SHA256: RSASSA-PSS 4096 bit key with a SHA256 digest. 1072 RSA_SIGN_PSS_4096_SHA512: RSASSA-PSS 4096 bit key with a SHA512 digest. 1073 RSA_SIGN_PKCS1_2048_SHA256: RSASSA-PKCS1-v1_5 with a 2048 bit key and a 1074 SHA256 digest. 1075 RSA_SIGN_PKCS1_3072_SHA256: RSASSA-PKCS1-v1_5 with a 3072 bit key and a 1076 SHA256 digest. 1077 RSA_SIGN_PKCS1_4096_SHA256: RSASSA-PKCS1-v1_5 with a 4096 bit key and a 1078 SHA256 digest. 1079 RSA_SIGN_PKCS1_4096_SHA512: RSASSA-PKCS1-v1_5 with a 4096 bit key and a 1080 SHA512 digest. 1081 RSA_DECRYPT_OAEP_2048_SHA256: RSAES-OAEP 2048 bit key with a SHA256 1082 digest. 1083 RSA_DECRYPT_OAEP_3072_SHA256: RSAES-OAEP 3072 bit key with a SHA256 1084 digest. 1085 RSA_DECRYPT_OAEP_4096_SHA256: RSAES-OAEP 4096 bit key with a SHA256 1086 digest. 1087 RSA_DECRYPT_OAEP_4096_SHA512: RSAES-OAEP 4096 bit key with a SHA512 1088 digest. 1089 EC_SIGN_P256_SHA256: ECDSA on the NIST P-256 curve with a SHA256 digest. 
1090 EC_SIGN_P384_SHA384: ECDSA on the NIST P-384 curve with a SHA384 digest. 1091 EXTERNAL_SYMMETRIC_ENCRYPTION: Algorithm representing symmetric 1092 encryption by an external key manager. 1093 """ 1094 CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED = 0 1095 GOOGLE_SYMMETRIC_ENCRYPTION = 1 1096 RSA_SIGN_PSS_2048_SHA256 = 2 1097 RSA_SIGN_PSS_3072_SHA256 = 3 1098 RSA_SIGN_PSS_4096_SHA256 = 4 1099 RSA_SIGN_PSS_4096_SHA512 = 5 1100 RSA_SIGN_PKCS1_2048_SHA256 = 6 1101 RSA_SIGN_PKCS1_3072_SHA256 = 7 1102 RSA_SIGN_PKCS1_4096_SHA256 = 8 1103 RSA_SIGN_PKCS1_4096_SHA512 = 9 1104 RSA_DECRYPT_OAEP_2048_SHA256 = 10 1105 RSA_DECRYPT_OAEP_3072_SHA256 = 11 1106 RSA_DECRYPT_OAEP_4096_SHA256 = 12 1107 RSA_DECRYPT_OAEP_4096_SHA512 = 13 1108 EC_SIGN_P256_SHA256 = 14 1109 EC_SIGN_P384_SHA384 = 15 1110 EXTERNAL_SYMMETRIC_ENCRYPTION = 16 1111 1112 class ProtectionLevelValueValuesEnum(_messages.Enum): 1113 r"""Output only. The ProtectionLevel describing how crypto operations are 1114 performed with this CryptoKeyVersion. 1115 1116 Values: 1117 PROTECTION_LEVEL_UNSPECIFIED: Not specified. 1118 SOFTWARE: Crypto operations are performed in software. 1119 HSM: Crypto operations are performed in a Hardware Security Module. 1120 EXTERNAL: Crypto operations are performed by an external key manager. 1121 """ 1122 PROTECTION_LEVEL_UNSPECIFIED = 0 1123 SOFTWARE = 1 1124 HSM = 2 1125 EXTERNAL = 3 1126 1127 class StateValueValuesEnum(_messages.Enum): 1128 r"""The current state of the CryptoKeyVersion. 1129 1130 Values: 1131 CRYPTO_KEY_VERSION_STATE_UNSPECIFIED: Not specified. 1132 PENDING_GENERATION: This version is still being generated. It may not be 1133 used, enabled, disabled, or destroyed yet. Cloud KMS will 1134 automatically mark this version ENABLED as soon as the version is 1135 ready. 1136 ENABLED: This version may be used for cryptographic operations. 
1137 DISABLED: This version may not be used, but the key material is still 1138 available, and the version can be placed back into the ENABLED state. 1139 DESTROYED: This version is destroyed, and the key material is no longer 1140 stored. A version may not leave this state once entered. 1141 DESTROY_SCHEDULED: This version is scheduled for destruction, and will 1142 be destroyed soon. Call RestoreCryptoKeyVersion to put it back into 1143 the DISABLED state. 1144 PENDING_IMPORT: This version is still being imported. It may not be 1145 used, enabled, disabled, or destroyed yet. Cloud KMS will 1146 automatically mark this version ENABLED as soon as the version is 1147 ready. 1148 IMPORT_FAILED: This version was not imported successfully. It may not be 1149 used, enabled, disabled, or destroyed. The submitted key material has 1150 been discarded. Additional details can be found in 1151 CryptoKeyVersion.import_failure_reason. 1152 """ 1153 CRYPTO_KEY_VERSION_STATE_UNSPECIFIED = 0 1154 PENDING_GENERATION = 1 1155 ENABLED = 2 1156 DISABLED = 3 1157 DESTROYED = 4 1158 DESTROY_SCHEDULED = 5 1159 PENDING_IMPORT = 6 1160 IMPORT_FAILED = 7 1161 1162 algorithm = _messages.EnumField('AlgorithmValueValuesEnum', 1) 1163 attestation = _messages.MessageField('KeyOperationAttestation', 2) 1164 createTime = _messages.StringField(3) 1165 destroyEventTime = _messages.StringField(4) 1166 destroyTime = _messages.StringField(5) 1167 externalProtectionLevelOptions = _messages.MessageField('ExternalProtectionLevelOptions', 6) 1168 generateTime = _messages.StringField(7) 1169 importFailureReason = _messages.StringField(8) 1170 importJob = _messages.StringField(9) 1171 importTime = _messages.StringField(10) 1172 name = _messages.StringField(11) 1173 protectionLevel = _messages.EnumField('ProtectionLevelValueValuesEnum', 12) 1174 state = _messages.EnumField('StateValueValuesEnum', 13) 1175 1176 1177class CryptoKeyVersionTemplate(_messages.Message): 1178 r"""A CryptoKeyVersionTemplate specifies 
the properties to use when creating 1179 a new CryptoKeyVersion, either manually with CreateCryptoKeyVersion or 1180 automatically as a result of auto-rotation. 1181 1182 Enums: 1183 AlgorithmValueValuesEnum: Required. Algorithm to use when creating a 1184 CryptoKeyVersion based on this template. For backwards compatibility, 1185 GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and 1186 CryptoKey.purpose is ENCRYPT_DECRYPT. 1187 ProtectionLevelValueValuesEnum: ProtectionLevel to use when creating a 1188 CryptoKeyVersion based on this template. Immutable. Defaults to 1189 SOFTWARE. 1190 1191 Fields: 1192 algorithm: Required. Algorithm to use when creating a CryptoKeyVersion 1193 based on this template. For backwards compatibility, 1194 GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and 1195 CryptoKey.purpose is ENCRYPT_DECRYPT. 1196 protectionLevel: ProtectionLevel to use when creating a CryptoKeyVersion 1197 based on this template. Immutable. Defaults to SOFTWARE. 1198 """ 1199 1200 class AlgorithmValueValuesEnum(_messages.Enum): 1201 r"""Required. Algorithm to use when creating a CryptoKeyVersion based on 1202 this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is 1203 implied if both this field is omitted and CryptoKey.purpose is 1204 ENCRYPT_DECRYPT. 1205 1206 Values: 1207 CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED: Not specified. 1208 GOOGLE_SYMMETRIC_ENCRYPTION: Creates symmetric encryption keys. 1209 RSA_SIGN_PSS_2048_SHA256: RSASSA-PSS 2048 bit key with a SHA256 digest. 1210 RSA_SIGN_PSS_3072_SHA256: RSASSA-PSS 3072 bit key with a SHA256 digest. 1211 RSA_SIGN_PSS_4096_SHA256: RSASSA-PSS 4096 bit key with a SHA256 digest. 1212 RSA_SIGN_PSS_4096_SHA512: RSASSA-PSS 4096 bit key with a SHA512 digest. 1213 RSA_SIGN_PKCS1_2048_SHA256: RSASSA-PKCS1-v1_5 with a 2048 bit key and a 1214 SHA256 digest. 1215 RSA_SIGN_PKCS1_3072_SHA256: RSASSA-PKCS1-v1_5 with a 3072 bit key and a 1216 SHA256 digest. 
1217 RSA_SIGN_PKCS1_4096_SHA256: RSASSA-PKCS1-v1_5 with a 4096 bit key and a 1218 SHA256 digest. 1219 RSA_SIGN_PKCS1_4096_SHA512: RSASSA-PKCS1-v1_5 with a 4096 bit key and a 1220 SHA512 digest. 1221 RSA_DECRYPT_OAEP_2048_SHA256: RSAES-OAEP 2048 bit key with a SHA256 1222 digest. 1223 RSA_DECRYPT_OAEP_3072_SHA256: RSAES-OAEP 3072 bit key with a SHA256 1224 digest. 1225 RSA_DECRYPT_OAEP_4096_SHA256: RSAES-OAEP 4096 bit key with a SHA256 1226 digest. 1227 RSA_DECRYPT_OAEP_4096_SHA512: RSAES-OAEP 4096 bit key with a SHA512 1228 digest. 1229 EC_SIGN_P256_SHA256: ECDSA on the NIST P-256 curve with a SHA256 digest. 1230 EC_SIGN_P384_SHA384: ECDSA on the NIST P-384 curve with a SHA384 digest. 1231 EXTERNAL_SYMMETRIC_ENCRYPTION: Algorithm representing symmetric 1232 encryption by an external key manager. 1233 """ 1234 CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED = 0 1235 GOOGLE_SYMMETRIC_ENCRYPTION = 1 1236 RSA_SIGN_PSS_2048_SHA256 = 2 1237 RSA_SIGN_PSS_3072_SHA256 = 3 1238 RSA_SIGN_PSS_4096_SHA256 = 4 1239 RSA_SIGN_PSS_4096_SHA512 = 5 1240 RSA_SIGN_PKCS1_2048_SHA256 = 6 1241 RSA_SIGN_PKCS1_3072_SHA256 = 7 1242 RSA_SIGN_PKCS1_4096_SHA256 = 8 1243 RSA_SIGN_PKCS1_4096_SHA512 = 9 1244 RSA_DECRYPT_OAEP_2048_SHA256 = 10 1245 RSA_DECRYPT_OAEP_3072_SHA256 = 11 1246 RSA_DECRYPT_OAEP_4096_SHA256 = 12 1247 RSA_DECRYPT_OAEP_4096_SHA512 = 13 1248 EC_SIGN_P256_SHA256 = 14 1249 EC_SIGN_P384_SHA384 = 15 1250 EXTERNAL_SYMMETRIC_ENCRYPTION = 16 1251 1252 class ProtectionLevelValueValuesEnum(_messages.Enum): 1253 r"""ProtectionLevel to use when creating a CryptoKeyVersion based on this 1254 template. Immutable. Defaults to SOFTWARE. 1255 1256 Values: 1257 PROTECTION_LEVEL_UNSPECIFIED: Not specified. 1258 SOFTWARE: Crypto operations are performed in software. 1259 HSM: Crypto operations are performed in a Hardware Security Module. 1260 EXTERNAL: Crypto operations are performed by an external key manager. 
1261 """ 1262 PROTECTION_LEVEL_UNSPECIFIED = 0 1263 SOFTWARE = 1 1264 HSM = 2 1265 EXTERNAL = 3 1266 1267 algorithm = _messages.EnumField('AlgorithmValueValuesEnum', 1) 1268 protectionLevel = _messages.EnumField('ProtectionLevelValueValuesEnum', 2) 1269 1270 1271class DecryptRequest(_messages.Message): 1272 r"""Request message for KeyManagementService.Decrypt. 1273 1274 Fields: 1275 additionalAuthenticatedData: Optional. Optional data that must match the 1276 data originally supplied in 1277 EncryptRequest.additional_authenticated_data. 1278 additionalAuthenticatedDataCrc32c: Optional. An optional CRC32C checksum 1279 of the DecryptRequest.additional_authenticated_data. If specified, 1280 KeyManagementService will verify the integrity of the received 1281 DecryptRequest.additional_authenticated_data using this checksum. 1282 KeyManagementService will report an error if the checksum verification 1283 fails. If you receive a checksum error, your client should verify that 1284 CRC32C(DecryptRequest.additional_authenticated_data) is equal to 1285 DecryptRequest.additional_authenticated_data_crc32c, and if so, perform 1286 a limited number of retries. A persistent mismatch may indicate an issue 1287 in your computation of the CRC32C checksum. Note: This field is defined 1288 as int64 for reasons of compatibility across different languages. 1289 However, it is a non-negative integer, which will never exceed 2^32-1, 1290 and can be safely downconverted to uint32 in languages that support this 1291 type. NOTE: This field is in Beta. 1292 ciphertext: Required. The encrypted data originally returned in 1293 EncryptResponse.ciphertext. 1294 ciphertextCrc32c: Optional. An optional CRC32C checksum of the 1295 DecryptRequest.ciphertext. If specified, KeyManagementService will 1296 verify the integrity of the received DecryptRequest.ciphertext using 1297 this checksum. KeyManagementService will report an error if the checksum 1298 verification fails. 
If you receive a checksum error, your client should 1299 verify that CRC32C(DecryptRequest.ciphertext) is equal to 1300 DecryptRequest.ciphertext_crc32c, and if so, perform a limited number of 1301 retries. A persistent mismatch may indicate an issue in your computation 1302 of the CRC32C checksum. Note: This field is defined as int64 for reasons 1303 of compatibility across different languages. However, it is a non- 1304 negative integer, which will never exceed 2^32-1, and can be safely 1305 downconverted to uint32 in languages that support this type. NOTE: This 1306 field is in Beta. 1307 """ 1308 1309 additionalAuthenticatedData = _messages.BytesField(1) 1310 additionalAuthenticatedDataCrc32c = _messages.IntegerField(2) 1311 ciphertext = _messages.BytesField(3) 1312 ciphertextCrc32c = _messages.IntegerField(4) 1313 1314 1315class DecryptResponse(_messages.Message): 1316 r"""Response message for KeyManagementService.Decrypt. 1317 1318 Enums: 1319 ProtectionLevelValueValuesEnum: The ProtectionLevel of the 1320 CryptoKeyVersion used in decryption. 1321 1322 Fields: 1323 plaintext: The decrypted data originally supplied in 1324 EncryptRequest.plaintext. 1325 plaintextCrc32c: Integrity verification field. A CRC32C checksum of the 1326 returned DecryptResponse.plaintext. An integrity check of 1327 DecryptResponse.plaintext can be performed by computing the CRC32C 1328 checksum of DecryptResponse.plaintext and comparing your results to this 1329 field. Discard the response in case of non-matching checksum values, and 1330 perform a limited number of retries. A persistent mismatch may indicate 1331 an issue in your computation of the CRC32C checksum. Note: receiving 1332 this response message indicates that KeyManagementService is able to 1333 successfully decrypt the ciphertext. Note: This field is defined as 1334 int64 for reasons of compatibility across different languages. 
However, 1335 it is a non-negative integer, which will never exceed 2^32-1, and can be 1336 safely downconverted to uint32 in languages that support this type. 1337 NOTE: This field is in Beta. 1338 protectionLevel: The ProtectionLevel of the CryptoKeyVersion used in 1339 decryption. 1340 usedPrimary: Whether the Decryption was performed using the primary key 1341 version. 1342 """ 1343 1344 class ProtectionLevelValueValuesEnum(_messages.Enum): 1345 r"""The ProtectionLevel of the CryptoKeyVersion used in decryption. 1346 1347 Values: 1348 PROTECTION_LEVEL_UNSPECIFIED: Not specified. 1349 SOFTWARE: Crypto operations are performed in software. 1350 HSM: Crypto operations are performed in a Hardware Security Module. 1351 EXTERNAL: Crypto operations are performed by an external key manager. 1352 """ 1353 PROTECTION_LEVEL_UNSPECIFIED = 0 1354 SOFTWARE = 1 1355 HSM = 2 1356 EXTERNAL = 3 1357 1358 plaintext = _messages.BytesField(1) 1359 plaintextCrc32c = _messages.IntegerField(2) 1360 protectionLevel = _messages.EnumField('ProtectionLevelValueValuesEnum', 3) 1361 usedPrimary = _messages.BooleanField(4) 1362 1363 1364class DestroyCryptoKeyVersionRequest(_messages.Message): 1365 r"""Request message for KeyManagementService.DestroyCryptoKeyVersion.""" 1366 1367 1368class Digest(_messages.Message): 1369 r"""A Digest holds a cryptographic message digest. 1370 1371 Fields: 1372 sha256: A message digest produced with the SHA-256 algorithm. 1373 sha384: A message digest produced with the SHA-384 algorithm. 1374 sha512: A message digest produced with the SHA-512 algorithm. 1375 """ 1376 1377 sha256 = _messages.BytesField(1) 1378 sha384 = _messages.BytesField(2) 1379 sha512 = _messages.BytesField(3) 1380 1381 1382class EncryptRequest(_messages.Message): 1383 r"""Request message for KeyManagementService.Encrypt. 1384 1385 Fields: 1386 additionalAuthenticatedData: Optional. 
Optional data that, if specified, 1387 must also be provided during decryption through 1388 DecryptRequest.additional_authenticated_data. The maximum size depends 1389 on the key version's protection_level. For SOFTWARE keys, the AAD must 1390 be no larger than 64KiB. For HSM keys, the combined length of the 1391 plaintext and additional_authenticated_data fields must be no larger 1392 than 8KiB. 1393 additionalAuthenticatedDataCrc32c: Optional. An optional CRC32C checksum 1394 of the EncryptRequest.additional_authenticated_data. If specified, 1395 KeyManagementService will verify the integrity of the received 1396 EncryptRequest.additional_authenticated_data using this checksum. 1397 KeyManagementService will report an error if the checksum verification 1398 fails. If you receive a checksum error, your client should verify that 1399 CRC32C(EncryptRequest.additional_authenticated_data) is equal to 1400 EncryptRequest.additional_authenticated_data_crc32c, and if so, perform 1401 a limited number of retries. A persistent mismatch may indicate an issue 1402 in your computation of the CRC32C checksum. Note: This field is defined 1403 as int64 for reasons of compatibility across different languages. 1404 However, it is a non-negative integer, which will never exceed 2^32-1, 1405 and can be safely downconverted to uint32 in languages that support this 1406 type. NOTE: This field is in Beta. 1407 plaintext: Required. The data to encrypt. Must be no larger than 64KiB. 1408 The maximum size depends on the key version's protection_level. For 1409 SOFTWARE keys, the plaintext must be no larger than 64KiB. For HSM keys, 1410 the combined length of the plaintext and additional_authenticated_data 1411 fields must be no larger than 8KiB. 1412 plaintextCrc32c: Optional. An optional CRC32C checksum of the 1413 EncryptRequest.plaintext. If specified, KeyManagementService will verify 1414 the integrity of the received EncryptRequest.plaintext using this 1415 checksum. 
KeyManagementService will report an error if the checksum
      verification fails. If you receive a checksum error, your client should
      verify that CRC32C(EncryptRequest.plaintext) is equal to
      EncryptRequest.plaintext_crc32c, and if so, perform a limited number of
      retries. A persistent mismatch may indicate an issue in your computation
      of the CRC32C checksum. Note: This field is defined as int64 for reasons
      of compatibility across different languages. However, it is a non-
      negative integer, which will never exceed 2^32-1, and can be safely
      downconverted to uint32 in languages that support this type. NOTE: This
      field is in Beta.
  """

  additionalAuthenticatedData = _messages.BytesField(1)
  additionalAuthenticatedDataCrc32c = _messages.IntegerField(2)
  plaintext = _messages.BytesField(3)
  plaintextCrc32c = _messages.IntegerField(4)


class EncryptResponse(_messages.Message):
  r"""Response message for KeyManagementService.Encrypt.

  Enums:
    ProtectionLevelValueValuesEnum: The ProtectionLevel of the
      CryptoKeyVersion used in encryption.

  Fields:
    ciphertext: The encrypted data.
    ciphertextCrc32c: Integrity verification field. A CRC32C checksum of the
      returned EncryptResponse.ciphertext. An integrity check of
      EncryptResponse.ciphertext can be performed by computing the CRC32C
      checksum of EncryptResponse.ciphertext and comparing your results to
      this field. Discard the response in case of non-matching checksum
      values, and perform a limited number of retries. A persistent mismatch
      may indicate an issue in your computation of the CRC32C checksum. Note:
      This field is defined as int64 for reasons of compatibility across
      different languages. However, it is a non-negative integer, which will
      never exceed 2^32-1, and can be safely downconverted to uint32 in
      languages that support this type. NOTE: This field is in Beta.
    name: The resource name of the CryptoKeyVersion used in encryption. Check
      this field to verify that the intended resource was used for encryption.
    protectionLevel: The ProtectionLevel of the CryptoKeyVersion used in
      encryption.
    verifiedAdditionalAuthenticatedDataCrc32c: Integrity verification field. A
      flag indicating whether
      EncryptRequest.additional_authenticated_data_crc32c was received by
      KeyManagementService and used for the integrity verification of the AAD.
      A false value of this field indicates either that
      EncryptRequest.additional_authenticated_data_crc32c was left unset or
      that it was not delivered to KeyManagementService. If you've set
      EncryptRequest.additional_authenticated_data_crc32c but this field is
      still false, discard the response and perform a limited number of
      retries. NOTE: This field is in Beta.
    verifiedPlaintextCrc32c: Integrity verification field. A flag indicating
      whether EncryptRequest.plaintext_crc32c was received by
      KeyManagementService and used for the integrity verification of the
      plaintext. A false value of this field indicates either that
      EncryptRequest.plaintext_crc32c was left unset or that it was not
      delivered to KeyManagementService. If you've set
      EncryptRequest.plaintext_crc32c but this field is still false, discard
      the response and perform a limited number of retries. NOTE: This field
      is in Beta.
  """

  class ProtectionLevelValueValuesEnum(_messages.Enum):
    r"""The ProtectionLevel of the CryptoKeyVersion used in encryption.

    Values:
      PROTECTION_LEVEL_UNSPECIFIED: Not specified.
      SOFTWARE: Crypto operations are performed in software.
      HSM: Crypto operations are performed in a Hardware Security Module.
      EXTERNAL: Crypto operations are performed by an external key manager.
    """
    # NOTE(review): 0 is the "not specified" value. A caller enforcing an
    # HSM-only policy should presumably test for HSM explicitly rather than
    # for "not SOFTWARE" - confirm against how an unset field decodes.
    PROTECTION_LEVEL_UNSPECIFIED = 0
    SOFTWARE = 1
    HSM = 2
    EXTERNAL = 3

  # NOTE(review): the CRC32C fields detect corruption between client and
  # service. CRC32C is a checksum, not a cryptographic MAC, so a matching
  # value does not authenticate the response. Per the docstring, a caller that
  # sent plaintextCrc32c or additionalAuthenticatedDataCrc32c should discard
  # the response (and retry a limited number of times) when the matching
  # verified* flag is false. `name` is the CryptoKeyVersion actually used;
  # the docstring asks callers to check it against the intended resource.
  ciphertext = _messages.BytesField(1)
  ciphertextCrc32c = _messages.IntegerField(2)
  name = _messages.StringField(3)
  protectionLevel = _messages.EnumField('ProtectionLevelValueValuesEnum', 4)
  verifiedAdditionalAuthenticatedDataCrc32c = _messages.BooleanField(5)
  verifiedPlaintextCrc32c = _messages.BooleanField(6)


class Expr(_messages.Message):
  r"""Represents a textual expression in the Common Expression Language (CEL)
  syntax. CEL is a C-like expression language. The syntax and semantics of CEL
  are documented at https://github.com/google/cel-spec. Example (Comparison):
  title: "Summary size limit" description: "Determines if a summary is less
  than 100 chars" expression: "document.summary.size() < 100" Example
  (Equality): title: "Requestor is owner" description: "Determines if
  requestor is the document owner" expression: "document.owner ==
  request.auth.claims.email" Example (Logic): title: "Public documents"
  description: "Determine whether the document should be publicly visible"
  expression: "document.type != 'private' && document.type != 'internal'"
  Example (Data Manipulation): title: "Notification string" description:
  "Create a notification string with a timestamp." expression: "'New message
  received at ' + string(document.create_time)" The exact variables and
  functions that may be referenced within an expression are determined by the
  service that evaluates it. See the service documentation for additional
  information.

  Fields:
    description: Optional. Description of the expression. This is a longer
      text which describes the expression, e.g. when hovered over it in a UI.
    expression: Textual representation of an expression in Common Expression
      Language syntax.
    location: Optional.
String indicating the location of the expression for
      error reporting, e.g. a file name and a position in the file.
    title: Optional. Title for the expression, i.e. a short string describing
      its purpose. This can be used e.g. in UIs which allow to enter the
      expression.
  """

  # `expression` is the only field that carries the CEL text; per the class
  # docstring the evaluating service decides which variables and functions it
  # may reference. The other three fields are descriptive.
  description = _messages.StringField(1)
  expression = _messages.StringField(2)
  location = _messages.StringField(3)
  title = _messages.StringField(4)


class ExternalProtectionLevelOptions(_messages.Message):
  r"""ExternalProtectionLevelOptions stores a group of additional fields for
  configuring a CryptoKeyVersion that are specific to the EXTERNAL protection
  level.

  Fields:
    externalKeyUri: The URI for an external resource that this
      CryptoKeyVersion represents.
  """

  externalKeyUri = _messages.StringField(1)


class ImportCryptoKeyVersionRequest(_messages.Message):
  r"""Request message for KeyManagementService.ImportCryptoKeyVersion.

  Enums:
    AlgorithmValueValuesEnum: Required. The algorithm of the key being
      imported. This does not need to match the version_template of the
      CryptoKey this version imports into.

  Fields:
    algorithm: Required. The algorithm of the key being imported. This does
      not need to match the version_template of the CryptoKey this version
      imports into.
    importJob: Required. The name of the ImportJob that was used to wrap this
      key material.
    rsaAesWrappedKey: Wrapped key material produced with
      RSA_OAEP_3072_SHA1_AES_256 or RSA_OAEP_4096_SHA1_AES_256. This field
      contains the concatenation of two wrapped keys: 1. An ephemeral AES-256
      wrapping key wrapped with the public_key using RSAES-OAEP with SHA-1,
      MGF1 with SHA-1, and an empty label. 2. The key to be imported, wrapped
      with the ephemeral AES-256 key using AES-KWP (RFC 5649). If importing
      symmetric key material, it is expected that the unwrapped key contains
      plain bytes. If importing asymmetric key material, it is expected that
      the unwrapped key is in PKCS#8-encoded DER format (the PrivateKeyInfo
      structure from RFC 5208). This format is the same as the format produced
      by PKCS#11 mechanism CKM_RSA_AES_KEY_WRAP.
  """

  class AlgorithmValueValuesEnum(_messages.Enum):
    r"""Required. The algorithm of the key being imported. This does not need
    to match the version_template of the CryptoKey this version imports into.

    Values:
      CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED: Not specified.
      GOOGLE_SYMMETRIC_ENCRYPTION: Creates symmetric encryption keys.
      RSA_SIGN_PSS_2048_SHA256: RSASSA-PSS 2048 bit key with a SHA256 digest.
      RSA_SIGN_PSS_3072_SHA256: RSASSA-PSS 3072 bit key with a SHA256 digest.
      RSA_SIGN_PSS_4096_SHA256: RSASSA-PSS 4096 bit key with a SHA256 digest.
      RSA_SIGN_PSS_4096_SHA512: RSASSA-PSS 4096 bit key with a SHA512 digest.
      RSA_SIGN_PKCS1_2048_SHA256: RSASSA-PKCS1-v1_5 with a 2048 bit key and a
        SHA256 digest.
      RSA_SIGN_PKCS1_3072_SHA256: RSASSA-PKCS1-v1_5 with a 3072 bit key and a
        SHA256 digest.
      RSA_SIGN_PKCS1_4096_SHA256: RSASSA-PKCS1-v1_5 with a 4096 bit key and a
        SHA256 digest.
      RSA_SIGN_PKCS1_4096_SHA512: RSASSA-PKCS1-v1_5 with a 4096 bit key and a
        SHA512 digest.
      RSA_DECRYPT_OAEP_2048_SHA256: RSAES-OAEP 2048 bit key with a SHA256
        digest.
      RSA_DECRYPT_OAEP_3072_SHA256: RSAES-OAEP 3072 bit key with a SHA256
        digest.
      RSA_DECRYPT_OAEP_4096_SHA256: RSAES-OAEP 4096 bit key with a SHA256
        digest.
      RSA_DECRYPT_OAEP_4096_SHA512: RSAES-OAEP 4096 bit key with a SHA512
        digest.
      EC_SIGN_P256_SHA256: ECDSA on the NIST P-256 curve with a SHA256 digest.
      EC_SIGN_P384_SHA384: ECDSA on the NIST P-384 curve with a SHA384 digest.
      EXTERNAL_SYMMETRIC_ENCRYPTION: Algorithm representing symmetric
        encryption by an external key manager.
    """
    CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED = 0
    GOOGLE_SYMMETRIC_ENCRYPTION = 1
    RSA_SIGN_PSS_2048_SHA256 = 2
    RSA_SIGN_PSS_3072_SHA256 = 3
    RSA_SIGN_PSS_4096_SHA256 = 4
    RSA_SIGN_PSS_4096_SHA512 = 5
    RSA_SIGN_PKCS1_2048_SHA256 = 6
    RSA_SIGN_PKCS1_3072_SHA256 = 7
    RSA_SIGN_PKCS1_4096_SHA256 = 8
    RSA_SIGN_PKCS1_4096_SHA512 = 9
    RSA_DECRYPT_OAEP_2048_SHA256 = 10
    RSA_DECRYPT_OAEP_3072_SHA256 = 11
    RSA_DECRYPT_OAEP_4096_SHA256 = 12
    RSA_DECRYPT_OAEP_4096_SHA512 = 13
    EC_SIGN_P256_SHA256 = 14
    EC_SIGN_P384_SHA384 = 15
    EXTERNAL_SYMMETRIC_ENCRYPTION = 16

  # NOTE(review): rsaAesWrappedKey is the caller's own secret or private key
  # material, wrapped as the docstring describes (ephemeral AES-256 key under
  # RSAES-OAEP, then the imported key under AES-KWP). Keep the bytes out of
  # logs and request dumps even though they are wrapped. Both listed methods
  # use SHA-1 for the OAEP hash and MGF1; OAEP is not known to depend on the
  # hash's collision resistance, but tooling that bans SHA-1 outright may
  # still flag it. This message carries no checksum field for the wrapped
  # bytes, unlike the Encrypt/Decrypt messages.
  algorithm = _messages.EnumField('AlgorithmValueValuesEnum', 1)
  importJob = _messages.StringField(2)
  rsaAesWrappedKey = _messages.BytesField(3)


class ImportJob(_messages.Message):
  r"""An ImportJob can be used to create CryptoKeys and CryptoKeyVersions
  using pre-existing key material, generated outside of Cloud KMS. When an
  ImportJob is created, Cloud KMS will generate a "wrapping key", which is a
  public/private key pair. You use the wrapping key to encrypt (also known as
  wrap) the pre-existing key material to protect it during the import process.
  The nature of the wrapping key depends on the choice of import_method. When
  the wrapping key generation is complete, the state will be set to ACTIVE and
  the public_key can be fetched. The fetched public key can then be used to
  wrap your pre-existing key material. Once the key material is wrapped, it
  can be imported into a new CryptoKeyVersion in an existing CryptoKey by
  calling ImportCryptoKeyVersion. Multiple CryptoKeyVersions can be imported
  with a single ImportJob. Cloud KMS uses the private key portion of the
  wrapping key to unwrap the key material.
Only Cloud KMS has access to the
  private key. An ImportJob expires 3 days after it is created. Once expired,
  Cloud KMS will no longer be able to import or unwrap any key material that
  was wrapped with the ImportJob's public key. For more information, see
  [Importing a key](https://cloud.google.com/kms/docs/importing-a-key).

  Enums:
    ImportMethodValueValuesEnum: Required. Immutable. The wrapping method to
      be used for incoming key material.
    ProtectionLevelValueValuesEnum: Required. Immutable. The protection level
      of the ImportJob. This must match the protection_level of the
      version_template on the CryptoKey you attempt to import into.
    StateValueValuesEnum: Output only. The current state of the ImportJob,
      indicating if it can be used.

  Fields:
    attestation: Output only. Statement that was generated and signed by the
      key creator (for example, an HSM) at key creation time. Use this
      statement to verify attributes of the key as stored on the HSM,
      independently of Google. Only present if the chosen ImportMethod is one
      with a protection level of HSM.
    createTime: Output only. The time at which this ImportJob was created.
    expireEventTime: Output only. The time this ImportJob expired. Only
      present if state is EXPIRED.
    expireTime: Output only. The time at which this ImportJob is scheduled for
      expiration and can no longer be used to import key material.
    generateTime: Output only. The time this ImportJob's key material was
      generated.
    importMethod: Required. Immutable. The wrapping method to be used for
      incoming key material.
    name: Output only. The resource name for this ImportJob in the format
      `projects/*/locations/*/keyRings/*/importJobs/*`.
    protectionLevel: Required. Immutable. The protection level of the
      ImportJob. This must match the protection_level of the version_template
      on the CryptoKey you attempt to import into.
    publicKey: Output only. The public key with which to wrap key material
      prior to import. Only returned if state is ACTIVE.
    state: Output only. The current state of the ImportJob, indicating if it
      can be used.
  """

  class ImportMethodValueValuesEnum(_messages.Enum):
    r"""Required. Immutable. The wrapping method to be used for incoming key
    material.

    Values:
      IMPORT_METHOD_UNSPECIFIED: Not specified.
      RSA_OAEP_3072_SHA1_AES_256: This ImportMethod represents the
        CKM_RSA_AES_KEY_WRAP key wrapping scheme defined in the PKCS #11
        standard. In summary, this involves wrapping the raw key with an
        ephemeral AES key, and wrapping the ephemeral AES key with a 3072 bit
        RSA key. For more details, see [RSA AES key wrap
        mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/p
        kcs11-curr-v2.40-cos01.html#_Toc408226908).
      RSA_OAEP_4096_SHA1_AES_256: This ImportMethod represents the
        CKM_RSA_AES_KEY_WRAP key wrapping scheme defined in the PKCS #11
        standard. In summary, this involves wrapping the raw key with an
        ephemeral AES key, and wrapping the ephemeral AES key with a 4096 bit
        RSA key. For more details, see [RSA AES key wrap
        mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/p
        kcs11-curr-v2.40-cos01.html#_Toc408226908).
    """
    # The two usable methods differ only in RSA modulus size (3072 vs 4096).
    IMPORT_METHOD_UNSPECIFIED = 0
    RSA_OAEP_3072_SHA1_AES_256 = 1
    RSA_OAEP_4096_SHA1_AES_256 = 2

  class ProtectionLevelValueValuesEnum(_messages.Enum):
    r"""Required. Immutable. The protection level of the ImportJob. This must
    match the protection_level of the version_template on the CryptoKey you
    attempt to import into.

    Values:
      PROTECTION_LEVEL_UNSPECIFIED: Not specified.
      SOFTWARE: Crypto operations are performed in software.
      HSM: Crypto operations are performed in a Hardware Security Module.
      EXTERNAL: Crypto operations are performed by an external key manager.
    """
    PROTECTION_LEVEL_UNSPECIFIED = 0
    SOFTWARE = 1
    HSM = 2
    EXTERNAL = 3

  class StateValueValuesEnum(_messages.Enum):
    r"""Output only. The current state of the ImportJob, indicating if it can
    be used.

    Values:
      IMPORT_JOB_STATE_UNSPECIFIED: Not specified.
      PENDING_GENERATION: The wrapping key for this job is still being
        generated. It may not be used. Cloud KMS will automatically mark this
        job as ACTIVE as soon as the wrapping key is generated.
      ACTIVE: This job may be used in CreateCryptoKey and
        CreateCryptoKeyVersion requests.
      EXPIRED: This job can no longer be used and may not leave this state
        once entered.
    """
    IMPORT_JOB_STATE_UNSPECIFIED = 0
    PENDING_GENERATION = 1
    ACTIVE = 2
    EXPIRED = 3

  # NOTE(review): per the docstring, publicKey is only returned while state is
  # ACTIVE and the job expires 3 days after creation, so a client should check
  # `state` (and expireTime) before wrapping key material with publicKey.
  # `attestation` is only present for import methods with protection level
  # HSM; the docstring intends it to be verified independently of Google
  # (see KeyOperationAttestation).
  attestation = _messages.MessageField('KeyOperationAttestation', 1)
  createTime = _messages.StringField(2)
  expireEventTime = _messages.StringField(3)
  expireTime = _messages.StringField(4)
  generateTime = _messages.StringField(5)
  importMethod = _messages.EnumField('ImportMethodValueValuesEnum', 6)
  name = _messages.StringField(7)
  protectionLevel = _messages.EnumField('ProtectionLevelValueValuesEnum', 8)
  publicKey = _messages.MessageField('WrappingPublicKey', 9)
  state = _messages.EnumField('StateValueValuesEnum', 10)


class KeyOperationAttestation(_messages.Message):
  r"""Contains an HSM-generated attestation about a key operation. For more
  information, see [Verifying attestations]
  (https://cloud.google.com/kms/docs/attest-key).

  Enums:
    FormatValueValuesEnum: Output only. The format of the attestation data.

  Fields:
    certChains: Output only.
The certificate chains needed to validate the
      attestation
    content: Output only. The attestation data provided by the HSM when the
      key operation was performed.
    format: Output only. The format of the attestation data.
  """

  class FormatValueValuesEnum(_messages.Enum):
    r"""Output only. The format of the attestation data.

    Values:
      ATTESTATION_FORMAT_UNSPECIFIED: Not specified.
      CAVIUM_V1_COMPRESSED: Cavium HSM attestation compressed with gzip. Note
        that this format is defined by Cavium and subject to change at any
        time.
      CAVIUM_V2_COMPRESSED: Cavium HSM attestation V2 compressed with gzip.
        This is a new format introduced in Cavium's version 3.2-08.
    """
    ATTESTATION_FORMAT_UNSPECIFIED = 0
    CAVIUM_V1_COMPRESSED = 1
    CAVIUM_V2_COMPRESSED = 2

  # NOTE(review): `content` is the HSM-provided attestation (gzip-compressed
  # in both listed formats) and `certChains` holds the chains needed to
  # validate it. Attributes read from `content` should only be relied on
  # after it has been validated against certChains; the message itself does
  # no verification.
  certChains = _messages.MessageField('CertificateChains', 1)
  content = _messages.BytesField(2)
  format = _messages.EnumField('FormatValueValuesEnum', 3)


class KeyRing(_messages.Message):
  r"""A KeyRing is a toplevel logical grouping of CryptoKeys.

  Fields:
    createTime: Output only. The time at which this KeyRing was created.
    name: Output only. The resource name for the KeyRing in the format
      `projects/*/locations/*/keyRings/*`.
  """

  createTime = _messages.StringField(1)
  name = _messages.StringField(2)


class ListCryptoKeyVersionsResponse(_messages.Message):
  r"""Response message for KeyManagementService.ListCryptoKeyVersions.

  Fields:
    cryptoKeyVersions: The list of CryptoKeyVersions.
    nextPageToken: A token to retrieve next page of results. Pass this value
      in ListCryptoKeyVersionsRequest.page_token to retrieve the next page of
      results.
    totalSize: The total number of CryptoKeyVersions that matched the query.
  """

  # One page of results; an inventory or audit of key versions has to follow
  # nextPageToken until it is empty rather than treat one page as complete.
  cryptoKeyVersions = _messages.MessageField('CryptoKeyVersion', 1, repeated=True)
  nextPageToken = _messages.StringField(2)
  totalSize = _messages.IntegerField(3, variant=_messages.Variant.INT32)


class ListCryptoKeysResponse(_messages.Message):
  r"""Response message for KeyManagementService.ListCryptoKeys.

  Fields:
    cryptoKeys: The list of CryptoKeys.
    nextPageToken: A token to retrieve next page of results. Pass this value
      in ListCryptoKeysRequest.page_token to retrieve the next page of
      results.
    totalSize: The total number of CryptoKeys that matched the query.
  """

  cryptoKeys = _messages.MessageField('CryptoKey', 1, repeated=True)
  nextPageToken = _messages.StringField(2)
  totalSize = _messages.IntegerField(3, variant=_messages.Variant.INT32)


class ListImportJobsResponse(_messages.Message):
  r"""Response message for KeyManagementService.ListImportJobs.

  Fields:
    importJobs: The list of ImportJobs.
    nextPageToken: A token to retrieve next page of results. Pass this value
      in ListImportJobsRequest.page_token to retrieve the next page of
      results.
    totalSize: The total number of ImportJobs that matched the query.
  """

  importJobs = _messages.MessageField('ImportJob', 1, repeated=True)
  nextPageToken = _messages.StringField(2)
  totalSize = _messages.IntegerField(3, variant=_messages.Variant.INT32)


class ListKeyRingsResponse(_messages.Message):
  r"""Response message for KeyManagementService.ListKeyRings.

  Fields:
    keyRings: The list of KeyRings.
    nextPageToken: A token to retrieve next page of results. Pass this value
      in ListKeyRingsRequest.page_token to retrieve the next page of results.
    totalSize: The total number of KeyRings that matched the query.
  """

  keyRings = _messages.MessageField('KeyRing', 1, repeated=True)
  nextPageToken = _messages.StringField(2)
  totalSize = _messages.IntegerField(3, variant=_messages.Variant.INT32)


class ListLocationsResponse(_messages.Message):
  r"""The response message for Locations.ListLocations.

  Fields:
    locations: A list of locations that matches the specified filter in the
      request.
    nextPageToken: The standard List next-page token.
  """

  locations = _messages.MessageField('Location', 1, repeated=True)
  nextPageToken = _messages.StringField(2)


class Location(_messages.Message):
  r"""A resource that represents Google Cloud Platform location.

  Messages:
    LabelsValue: Cross-service attributes for the location. For example
      {"cloud.googleapis.com/region": "us-east1"}
    MetadataValue: Service-specific metadata. For example the available
      capacity at the given location.

  Fields:
    displayName: The friendly name for this location, typically a nearby city
      name. For example, "Tokyo".
    labels: Cross-service attributes for the location. For example
      {"cloud.googleapis.com/region": "us-east1"}
    locationId: The canonical id for this location. For example: `"us-east1"`.
    metadata: Service-specific metadata. For example the available capacity at
      the given location.
    name: Resource name for the location, which may vary between
      implementations. For example: `"projects/example-project/locations/us-
      east1"`
  """

  # The decorator registers `additionalProperties` as the container for JSON
  # keys that are not declared fields, so the map arrives as key/value pairs.
  @encoding.MapUnrecognizedFields('additionalProperties')
  class LabelsValue(_messages.Message):
    r"""Cross-service attributes for the location. For example
    {"cloud.googleapis.com/region": "us-east1"}

    Messages:
      AdditionalProperty: An additional property for a LabelsValue object.

    Fields:
      additionalProperties: Additional properties of type LabelsValue
    """

    class AdditionalProperty(_messages.Message):
      r"""An additional property for a LabelsValue object.

      Fields:
        key: Name of the additional property.
        value: A string attribute.
      """

      key = _messages.StringField(1)
      value = _messages.StringField(2)

    additionalProperties = _messages.MessageField('AdditionalProperty', 1, repeated=True)

  # Same mapping as LabelsValue, but each value is an arbitrary
  # extra_types.JsonValue; presumably service-defined and untyped, so check
  # its shape before use - confirm against the service documentation.
  @encoding.MapUnrecognizedFields('additionalProperties')
  class MetadataValue(_messages.Message):
    r"""Service-specific metadata. For example the available capacity at the
    given location.

    Messages:
      AdditionalProperty: An additional property for a MetadataValue object.

    Fields:
      additionalProperties: Properties of the object. Contains field @type
        with type URL.
    """

    class AdditionalProperty(_messages.Message):
      r"""An additional property for a MetadataValue object.

      Fields:
        key: Name of the additional property.
        value: A extra_types.JsonValue attribute.
      """

      key = _messages.StringField(1)
      value = _messages.MessageField('extra_types.JsonValue', 2)

    additionalProperties = _messages.MessageField('AdditionalProperty', 1, repeated=True)

  displayName = _messages.StringField(1)
  labels = _messages.MessageField('LabelsValue', 2)
  locationId = _messages.StringField(3)
  metadata = _messages.MessageField('MetadataValue', 4)
  name = _messages.StringField(5)


class LocationMetadata(_messages.Message):
  r"""Cloud KMS metadata for the given google.cloud.location.Location.

  Fields:
    ekmAvailable: Indicates whether CryptoKeys with protection_level EXTERNAL
      can be created in this location.
    hsmAvailable: Indicates whether CryptoKeys with protection_level HSM can
      be created in this location.
  """

  # Capability flags only: they say whether EXTERNAL / HSM keys can be created
  # in the location, not which protection level any existing key uses.
  ekmAvailable = _messages.BooleanField(1)
  hsmAvailable = _messages.BooleanField(2)


class Policy(_messages.Message):
  r"""An Identity and Access Management (IAM) policy, which specifies access
  controls for Google Cloud resources. A `Policy` is a collection of
  `bindings`. A `binding` binds one or more `members` to a single `role`.
  Members can be user accounts, service accounts, Google groups, and domains
  (such as G Suite). A `role` is a named list of permissions; each `role` can
  be an IAM predefined role or a user-created custom role. For some types of
  Google Cloud resources, a `binding` can also specify a `condition`, which is
  a logical expression that allows access to a resource only if the expression
  evaluates to `true`. A condition can add constraints based on attributes of
  the request, the resource, or both. To learn which resources support
  conditions in their IAM policies, see the [IAM
  documentation](https://cloud.google.com/iam/help/conditions/resource-
  policies).
**JSON example:** { "bindings": [ { "role":
  "roles/resourcemanager.organizationAdmin", "members": [
  "user:mike@example.com", "group:admins@example.com", "domain:google.com",
  "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role":
  "roles/resourcemanager.organizationViewer", "members": [
  "user:eve@example.com" ], "condition": { "title": "expirable access",
  "description": "Does not grant access after Sep 2020", "expression":
  "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag":
  "BwWWja0YfJA=", "version": 3 } **YAML example:** bindings: - members: -
  user:mike@example.com - group:admins@example.com - domain:google.com -
  serviceAccount:my-project-id@appspot.gserviceaccount.com role:
  roles/resourcemanager.organizationAdmin - members: - user:eve@example.com
  role: roles/resourcemanager.organizationViewer condition: title: expirable
  access description: Does not grant access after Sep 2020 expression:
  request.time < timestamp('2020-10-01T00:00:00.000Z') - etag: BwWWja0YfJA= -
  version: 3 For a description of IAM and its features, see the [IAM
  documentation](https://cloud.google.com/iam/docs/).

  Fields:
    auditConfigs: Specifies cloud audit logging configuration for this policy.
    bindings: Associates a list of `members` to a `role`. Optionally, may
      specify a `condition` that determines how and when the `bindings` are
      applied. Each of the `bindings` must contain at least one member.
    etag: `etag` is used for optimistic concurrency control as a way to help
      prevent simultaneous updates of a policy from overwriting each other. It
      is strongly suggested that systems make use of the `etag` in the read-
      modify-write cycle to perform policy updates in order to avoid race
      conditions: An `etag` is returned in the response to `getIamPolicy`, and
      systems are expected to put that etag in the request to `setIamPolicy`
      to ensure that their change will be applied to the same version of the
      policy. **Important:** If you use IAM Conditions, you must include the
      `etag` field whenever you call `setIamPolicy`. If you omit this field,
      then IAM allows you to overwrite a version `3` policy with a version `1`
      policy, and all of the conditions in the version `3` policy are lost.
    version: Specifies the format of the policy. Valid values are `0`, `1`,
      and `3`. Requests that specify an invalid value are rejected. Any
      operation that affects conditional role bindings must specify version
      `3`. This requirement applies to the following operations: * Getting a
      policy that includes a conditional role binding * Adding a conditional
      role binding to a policy * Changing a conditional role binding in a
      policy * Removing any role binding, with or without a condition, from a
      policy that includes conditions **Important:** If you use IAM
      Conditions, you must include the `etag` field whenever you call
      `setIamPolicy`. If you omit this field, then IAM allows you to overwrite
      a version `3` policy with a version `1` policy, and all of the
      conditions in the version `3` policy are lost. If a policy does not
      include any conditions, operations on that policy may specify any valid
      version or leave the field unset. To learn which resources support
      conditions in their IAM policies, see the [IAM
      documentation](https://cloud.google.com/iam/help/conditions/resource-
      policies).
  """

  # NOTE(review): etag and version are the safety rails for read-modify-write.
  # Per the docstring, a setIamPolicy call that omits etag can replace a
  # version 3 policy with a version 1 policy and lose every condition, which
  # presumably leaves formerly conditional grants unconditional - confirm.
  # Carry both fields through unchanged from the policy that was read.
  auditConfigs = _messages.MessageField('AuditConfig', 1, repeated=True)
  bindings = _messages.MessageField('Binding', 2, repeated=True)
  etag = _messages.BytesField(3)
  version = _messages.IntegerField(4, variant=_messages.Variant.INT32)


class PublicKey(_messages.Message):
  r"""The public key for a given CryptoKeyVersion. Obtained via GetPublicKey.

  Enums:
    AlgorithmValueValuesEnum: The Algorithm associated with this key.
    ProtectionLevelValueValuesEnum: The ProtectionLevel of the
      CryptoKeyVersion public key.

  Fields:
    algorithm: The Algorithm associated with this key.
    name: The name of the CryptoKeyVersion public key. Provided here for
      verification. NOTE: This field is in Beta.
    pem: The public key, encoded in PEM format. For more information, see the
      [RFC 7468](https://tools.ietf.org/html/rfc7468) sections for [General
      Considerations](https://tools.ietf.org/html/rfc7468#section-2) and
      [Textual Encoding of Subject Public Key Info]
      (https://tools.ietf.org/html/rfc7468#section-13).
    pemCrc32c: Integrity verification field. A CRC32C checksum of the returned
      PublicKey.pem. An integrity check of PublicKey.pem can be performed by
      computing the CRC32C checksum of PublicKey.pem and comparing your
      results to this field. Discard the response in case of non-matching
      checksum values, and perform a limited number of retries. A persistent
      mismatch may indicate an issue in your computation of the CRC32C
      checksum. Note: This field is defined as int64 for reasons of
      compatibility across different languages. However, it is a non-negative
      integer, which will never exceed 2^32-1, and can be safely downconverted
      to uint32 in languages that support this type. NOTE: This field is in
      Beta.
    protectionLevel: The ProtectionLevel of the CryptoKeyVersion public key.
  """

  class AlgorithmValueValuesEnum(_messages.Enum):
    r"""The Algorithm associated with this key.

    Values:
      CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED: Not specified.
      GOOGLE_SYMMETRIC_ENCRYPTION: Creates symmetric encryption keys.
      RSA_SIGN_PSS_2048_SHA256: RSASSA-PSS 2048 bit key with a SHA256 digest.
      RSA_SIGN_PSS_3072_SHA256: RSASSA-PSS 3072 bit key with a SHA256 digest.
      RSA_SIGN_PSS_4096_SHA256: RSASSA-PSS 4096 bit key with a SHA256 digest.
      RSA_SIGN_PSS_4096_SHA512: RSASSA-PSS 4096 bit key with a SHA512 digest.
      RSA_SIGN_PKCS1_2048_SHA256: RSASSA-PKCS1-v1_5 with a 2048 bit key and a
        SHA256 digest.
      RSA_SIGN_PKCS1_3072_SHA256: RSASSA-PKCS1-v1_5 with a 3072 bit key and a
        SHA256 digest.
      RSA_SIGN_PKCS1_4096_SHA256: RSASSA-PKCS1-v1_5 with a 4096 bit key and a
        SHA256 digest.
      RSA_SIGN_PKCS1_4096_SHA512: RSASSA-PKCS1-v1_5 with a 4096 bit key and a
        SHA512 digest.
      RSA_DECRYPT_OAEP_2048_SHA256: RSAES-OAEP 2048 bit key with a SHA256
        digest.
      RSA_DECRYPT_OAEP_3072_SHA256: RSAES-OAEP 3072 bit key with a SHA256
        digest.
      RSA_DECRYPT_OAEP_4096_SHA256: RSAES-OAEP 4096 bit key with a SHA256
        digest.
      RSA_DECRYPT_OAEP_4096_SHA512: RSAES-OAEP 4096 bit key with a SHA512
        digest.
      EC_SIGN_P256_SHA256: ECDSA on the NIST P-256 curve with a SHA256 digest.
      EC_SIGN_P384_SHA384: ECDSA on the NIST P-384 curve with a SHA384 digest.
      EXTERNAL_SYMMETRIC_ENCRYPTION: Algorithm representing symmetric
        encryption by an external key manager.
    """
    CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED = 0
    GOOGLE_SYMMETRIC_ENCRYPTION = 1
    RSA_SIGN_PSS_2048_SHA256 = 2
    RSA_SIGN_PSS_3072_SHA256 = 3
    RSA_SIGN_PSS_4096_SHA256 = 4
    RSA_SIGN_PSS_4096_SHA512 = 5
    RSA_SIGN_PKCS1_2048_SHA256 = 6
    RSA_SIGN_PKCS1_3072_SHA256 = 7
    RSA_SIGN_PKCS1_4096_SHA256 = 8
    RSA_SIGN_PKCS1_4096_SHA512 = 9
    RSA_DECRYPT_OAEP_2048_SHA256 = 10
    RSA_DECRYPT_OAEP_3072_SHA256 = 11
    RSA_DECRYPT_OAEP_4096_SHA256 = 12
    RSA_DECRYPT_OAEP_4096_SHA512 = 13
    EC_SIGN_P256_SHA256 = 14
    EC_SIGN_P384_SHA384 = 15
    EXTERNAL_SYMMETRIC_ENCRYPTION = 16

  class ProtectionLevelValueValuesEnum(_messages.Enum):
    r"""The ProtectionLevel of the CryptoKeyVersion public key.

    Values:
      PROTECTION_LEVEL_UNSPECIFIED: Not specified.
      SOFTWARE: Crypto operations are performed in software.
      HSM: Crypto operations are performed in a Hardware Security Module.
      EXTERNAL: Crypto operations are performed by an external key manager.
    """
    PROTECTION_LEVEL_UNSPECIFIED = 0
    SOFTWARE = 1
    HSM = 2
    EXTERNAL = 3

  # NOTE(review): pemCrc32c guards against a corrupted `pem`; CRC32C is a
  # checksum, not a signature, so it says nothing about who produced the key.
  # `name` is, per the docstring, returned so the caller can verify which
  # CryptoKeyVersion the key belongs to. Check both, and that `algorithm` is
  # the expected one, before encrypting to or verifying with this key.
  algorithm = _messages.EnumField('AlgorithmValueValuesEnum', 1)
  name = _messages.StringField(2)
  pem = _messages.StringField(3)
  pemCrc32c = _messages.IntegerField(4)
  protectionLevel = _messages.EnumField('ProtectionLevelValueValuesEnum', 5)


class RestoreCryptoKeyVersionRequest(_messages.Message):
  r"""Request message for KeyManagementService.RestoreCryptoKeyVersion."""


class SetIamPolicyRequest(_messages.Message):
  r"""Request message for `SetIamPolicy` method.

  Fields:
    policy: REQUIRED: The complete policy to be applied to the `resource`. The
      size of the policy is limited to a few 10s of KB. An empty policy is a
      valid policy but certain Cloud Platform services (such as Projects)
      might reject them.
    updateMask: OPTIONAL: A FieldMask specifying which fields of the policy to
      modify. Only the fields in the mask will be modified. If no mask is
      provided, the following default mask is used: `paths: "bindings, etag"`
  """

  # NOTE(review): `policy` is the complete policy, so bindings absent from it
  # are not merged in from the existing one. With no updateMask the documented
  # default is "bindings, etag"; fields outside the mask (for example
  # Policy.auditConfigs) are left unmodified, so changing audit logging
  # configuration needs an explicit mask.
  policy = _messages.MessageField('Policy', 1)
  updateMask = _messages.StringField(2)


class StandardQueryParameters(_messages.Message):
  r"""Query parameters accepted by all methods.

  Enums:
    FXgafvValueValuesEnum: V1 error format.
    AltValueValuesEnum: Data format for response.

  Fields:
    f__xgafv: V1 error format.
    access_token: OAuth access token.
    alt: Data format for response.
    callback: JSONP
    fields: Selector specifying which fields to include in a partial response.
    key: API key. Your API key identifies your project and provides you with
      API access, quota, and reports. Required unless you provide an OAuth 2.0
      token.
    oauth_token: OAuth 2.0 token for the current user.
    prettyPrint: Returns response with indentations and line breaks.
    quotaUser: Available to use for quota purposes for server-side
      applications. Can be any arbitrary string assigned to a user, but should
      not exceed 40 characters.
    trace: A tracing token of the form "token:<tokenid>" to include in api
      requests.
    uploadType: Legacy upload protocol for media (e.g. "media", "multipart").
    upload_protocol: Upload protocol for media (e.g. "raw", "multipart").
  """

  class AltValueValuesEnum(_messages.Enum):
    r"""Data format for response.

    Values:
      json: Responses with Content-Type of application/json
      media: Media download with context-dependent Content-Type
      proto: Responses with Content-Type of application/x-protobuf
    """
    json = 0
    media = 1
    proto = 2

  class FXgafvValueValuesEnum(_messages.Enum):
    r"""V1 error format.

    Values:
      _1: v1 error format
      _2: v2 error format
    """
    _1 = 0
    _2 = 1

  # NOTE(review): access_token, key and oauth_token carry credentials as URL
  # query parameters. Request URLs tend to be recorded in proxy, server and
  # client-side logs, so redact these three fields wherever requests built
  # from this message are logged or traced.
  f__xgafv = _messages.EnumField('FXgafvValueValuesEnum', 1)
  access_token = _messages.StringField(2)
  alt = _messages.EnumField('AltValueValuesEnum', 3, default='json')
  callback = _messages.StringField(4)
  fields = _messages.StringField(5)
  key = _messages.StringField(6)
  oauth_token = _messages.StringField(7)
  prettyPrint = _messages.BooleanField(8, default=True)
  quotaUser = _messages.StringField(9)
  trace = _messages.StringField(10)
  uploadType = _messages.StringField(11)
  upload_protocol = _messages.StringField(12)


class TestIamPermissionsRequest(_messages.Message):
  r"""Request message for `TestIamPermissions` method.

  Fields:
    permissions: The set of permissions to check for the `resource`.
      Permissions with wildcards (such as '*' or 'storage.*') are not allowed.
      For more information see [IAM
      Overview](https://cloud.google.com/iam/docs/overview#permissions).
  """

  permissions = _messages.StringField(1, repeated=True)


class TestIamPermissionsResponse(_messages.Message):
  r"""Response message for `TestIamPermissions` method.

  Fields:
    permissions: A subset of `TestPermissionsRequest.permissions` that the
      caller is allowed.
  """

  # The subset of the requested permissions that the caller holds; a
  # permission missing from this list was not granted.
  permissions = _messages.StringField(1, repeated=True)


class UpdateCryptoKeyPrimaryVersionRequest(_messages.Message):
  r"""Request message for KeyManagementService.UpdateCryptoKeyPrimaryVersion.

  Fields:
    cryptoKeyVersionId: Required. The id of the child CryptoKeyVersion to use
      as primary.
  """

  cryptoKeyVersionId = _messages.StringField(1)


class WrappingPublicKey(_messages.Message):
  r"""The public key component of the wrapping key.
For details of the type of 2270 key this public key corresponds to, see the ImportMethod. 2271 2272 Fields: 2273 pem: The public key, encoded in PEM format. For more information, see the 2274 [RFC 7468](https://tools.ietf.org/html/rfc7468) sections for [General 2275 Considerations](https://tools.ietf.org/html/rfc7468#section-2) and 2276 [Textual Encoding of Subject Public Key Info] 2277 (https://tools.ietf.org/html/rfc7468#section-13). 2278 """ 2279 2280 pem = _messages.StringField(1) 2281 2282 2283encoding.AddCustomJsonFieldMapping( 2284 StandardQueryParameters, 'f__xgafv', '$.xgafv') 2285encoding.AddCustomJsonEnumMapping( 2286 StandardQueryParameters.FXgafvValueValuesEnum, '_1', '1') 2287encoding.AddCustomJsonEnumMapping( 2288 StandardQueryParameters.FXgafvValueValuesEnum, '_2', '2') 2289