crypto_key_version

Exec module for managing Cloud Key Management Service crypto key versions.

async idem_gcp.exec.gcp.cloudkms.crypto_key_version.get(hub, ctx, resource_id: str)

Returns a crypto key version by its Idem resource ID.

Parameters:

resource_id (str) – Idem resource ID, in the form projects/{project id}/locations/{location id}/keyRings/{keyRing}/cryptoKeys/{cryptoKey}/cryptoKeyVersions/{cryptoKeyVersion}

Returns:

CryptoKeyVersion resource

Examples

{% set project_id = 'project-name' %}
{% set location_id = 'us-east1' %}
{% set key_ring = 'key-ring' %}
{% set crypto_key = 'crypto-key' %}
{% set crypto_key_version = 'crypto-key-version' %}
get-crypto-key-version:
    exec.run:
        - path: gcp.cloudkms.crypto_key_version.get
        - kwargs:
            resource_id: projects/{{project_id}}/locations/{{location_id}}/keyRings/{{key_ring}}/cryptoKeys/{{crypto_key}}/cryptoKeyVersions/{{crypto_key_version}}

async idem_gcp.exec.gcp.cloudkms.crypto_key_version.list_(hub, ctx, crypto_key: str, filter_: (<class 'str'>, 'alias=filter') = None, order_by: str = None) -> Dict[str, Any]

Retrieves the crypto key versions in a crypto key.

Parameters:
  • crypto_key (str) – crypto key resource_id.

  • filter (str, Optional) – Only include resources that match the filter in the response. For more information, see Sorting and filtering list results.

  • order_by (str, Optional) – Specify how the results should be sorted. If not specified, the results will be sorted in the default order. For more information, see Sorting and filtering list results.

Examples

list-crypto-key_versions-filtered:
    exec.run:
       - path: gcp.cloudkms.crypto_key_version.list
       - kwargs:
             crypto_key: projects/project-name/locations/global/keyRings/kr-global-test/cryptoKeys/crypto-key
             filter_: algorithm = GOOGLE_SYMMETRIC_ENCRYPTION

async idem_gcp.exec.gcp.cloudkms.crypto_key_version.import_(hub, ctx, parent: str, import_job: str, import_job_pub_key: str, algorithm: str, key_material: str, crypto_key_version: str = None) -> Dict[str, Any]

Imports key material into a crypto key version.

Parameters:
  • parent (str) –

    Required. The Idem resource_id of the CryptoKey to be imported into. The create permission is only required on this key when creating a new CryptoKeyVersion. Authorization requires the following IAM permission on the specified resource parent:

    • cloudkms.cryptoKeyVersions.create

  • import_job (str) – Required. Idem resource_id of the import job to be used.

  • import_job_pub_key (str) –

    Required. PEM encoded public key of the import job to be used to wrap this key material. Authorization requires the following IAM permission on the specified resource import_job:

    • cloudkms.importjobs.useToImport

  • algorithm (str) – Required. The algorithm of the key being imported. This does not need to match the versionTemplate of the CryptoKey this version imports into.

  • key_material (str) – Base64 encoded key material. If importing symmetric key material, it is expected that the key contains plain bytes. If importing asymmetric key material, it is expected that the key is in PKCS#8-encoded DER format (the PrivateKeyInfo structure from RFC 5208).

  • crypto_key_version (str, Optional) –

    The optional Idem resource_id of an existing CryptoKeyVersion to target for an import operation. If this field is not present, a new CryptoKeyVersion containing the supplied key material is created. If this field is present, the supplied key material is imported into the existing CryptoKeyVersion. To import into an existing CryptoKeyVersion, the CryptoKeyVersion must be a child of ImportCryptoKeyVersionRequest.parent, have been previously created via cryptoKeyVersions.import, and be in DESTROYED or IMPORT_FAILED state. The key material and algorithm must match the previous CryptoKeyVersion exactly if the CryptoKeyVersion has ever contained key material. Authorization requires the following IAM permission on the specified resource cryptoKeyVersion:

    • cloudkms.cryptoKeyVersions.update

Returns:

Dict[str, Any] - If successful, the response body contains an instance of CryptoKeyVersion.

Examples

{% set project_id = 'project-name' %}
{% set location_id = 'us-east1' %}
{% set key_ring_id = 'key-ring' %}
{% set crypto_key_id = 'crypto-key' %}
{% set import_job_id = 'import-job-id' %}

import-job:
  gcp.cloudkms.import_job.present:
      - import_method: RSA_OAEP_3072_SHA1_AES_256
      - protection_level: SOFTWARE
      - project_id: {{project_id}}
      - location_id: {{location_id}}
      - key_ring_id: {{key_ring_id}}
      - import_job_id: {{import_job_id}}

import-crypto-key:
    exec.run:
       - path: gcp.cloudkms.crypto_key_version.import
       - kwargs:
             parent: projects/{{project_id}}/locations/{{location_id}}/keyRings/{{key_ring_id}}/cryptoKeys/{{crypto_key_id}}
             import_job: ${gcp.cloudkms.import_job:import-job:resource_id}
             import_job_pub_key: ${gcp.cloudkms.import_job:import-job:public_key:pem}
             algorithm: "EC_SIGN_P256_SHA256"
             key_material: rr5Y2UNi6+i3UQDrR8PO6s5ajAorN/SnHfZu+OCHx+w=
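
A pre-flight check for the key_material encoding rules in the parameter list above, as an added example that is not part of idem-gcp or the original page. It accepts plain bytes for GOOGLE_SYMMETRIC_ENCRYPTION (the 32-byte length is an assumption) and, for EC_* and RSA_* algorithms, requires a PKCS#8 PrivateKeyInfo whose algorithm OID matches; the inner private key is not parsed. All function names and SAMPLE_PKCS8 (a constructed shell, not a real key) are hypothetical.

```python
import base64

# DER OID contents for the asymmetric families covered here (EC_*, RSA_*).
OIDS = {"EC_": bytes.fromhex("2a8648ce3d0201"),       # id-ecPublicKey
        "RSA_": bytes.fromhex("2a864886f70d010101")}  # rsaEncryption
# Constructed PrivateKeyInfo shell with placeholder key bytes; not a real key.
SAMPLE_PKCS8 = bytes.fromhex(
    "301e020100301306072a8648ce3d020106082a8648ce3d0301070404deadbeef")

def read_tlv(buf, pos):
    """Read one DER TLV at pos and return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the length byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def pkcs8_algorithm_oid(der):
    """Return the algorithm OID of a PKCS#8 PrivateKeyInfo (RFC 5208)."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, version, pos = read_tlv(body, 0)
    if tag != 0x02 or version != b"\x00":
        raise ValueError("PrivateKeyInfo version must be INTEGER 0")
    alg_tag, algid, pos = read_tlv(body, pos)
    key_tag, _, _ = read_tlv(body, pos)
    oid_tag, oid, _ = read_tlv(algid, 0)
    if (alg_tag, key_tag, oid_tag) != (0x30, 0x04, 0x06):
        raise ValueError("expected AlgorithmIdentifier OID and OCTET STRING")
    return oid

def check_key_material(algorithm, key_material):
    """Return 'raw' or 'pkcs8' when key_material fits algorithm, else raise."""
    raw = base64.b64decode(key_material, validate=True)
    if algorithm == "GOOGLE_SYMMETRIC_ENCRYPTION":
        if len(raw) != 32:  # assumption: a 256-bit key as 32 plain bytes
            raise ValueError("expected 32 plain key bytes")
        return "raw"
    want = next((o for p, o in OIDS.items() if algorithm.startswith(p)), None)
    if want is None or pkcs8_algorithm_oid(raw) != want:
        raise ValueError("key material does not fit " + algorithm)
    return "pkcs8"
```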