crypto_key

State module for managing Cloud Key Management Service crypto keys.

async idem_gcp.states.gcp.cloudkms.crypto_key.present(hub, ctx, name: str, crypto_key_id: str = None, project_id: str = None, location_id: str = None, key_ring_id: str = None, primary: CryptoKeyVersion = None, purpose: str = None, create_time: str = None, next_rotation_time: str = None, version_template: CryptoKeyVersionTemplate = None, labels: Dict[str, str] = None, import_only: bool = None, destroy_scheduled_duration: str = None, crypto_key_backend: str = None, rotation_period: str = None, resource_id: str = None) -> Dict[str, Any]

Create or update a CryptoKey within a KeyRing.

CryptoKey.purpose and CryptoKey.version_template.algorithm are required for a new CryptoKey.

Parameters:
  • name (str) – Idem name.

  • crypto_key_id (str, Optional) – Crypto key id.

  • project_id (str, Optional) – Project Id of the new crypto key.

  • location_id (str, Optional) – Location Id of the new crypto key.

  • key_ring_id (str, Optional) – Keyring Id of the new crypto key.

  • primary (Dict[str, Any], Optional) –

    A copy of the "primary" CryptoKeyVersion that will be used by cryptoKeys.encrypt when this CryptoKey is given in EncryptRequest.name. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be omitted. To update the primary version, provide only primary.name, set to the resource name of the CryptoKeyVersion that should become primary. All other CryptoKeyVersion fields are output only.

    • name(str, Optional):

      Output only. The resource name for this CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.

    • state(str, Optional):

      The current state of the CryptoKeyVersion. Enum type. Allowed values:

      "CRYPTO_KEY_VERSION_STATE_UNSPECIFIED", "PENDING_GENERATION", "ENABLED", "DISABLED", "DESTROYED", "DESTROY_SCHEDULED", "PENDING_IMPORT", "IMPORT_FAILED", "GENERATION_FAILED", "PENDING_EXTERNAL_DESTRUCTION", "EXTERNAL_DESTRUCTION_FAILED"

    • protection_level(str, Optional):

      Output only. The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion. Enum type. Allowed values:

      "PROTECTION_LEVEL_UNSPECIFIED", "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC"

    • algorithm(str, Optional):

      Output only. The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports. Enum type. Allowed values:

      "CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED", "GOOGLE_SYMMETRIC_ENCRYPTION", "RSA_SIGN_PSS_2048_SHA256", "RSA_SIGN_PSS_3072_SHA256", "RSA_SIGN_PSS_4096_SHA256", "RSA_SIGN_PSS_4096_SHA512", "RSA_SIGN_PKCS1_2048_SHA256", "RSA_SIGN_PKCS1_3072_SHA256", "RSA_SIGN_PKCS1_4096_SHA256", "RSA_SIGN_PKCS1_4096_SHA512", "RSA_SIGN_RAW_PKCS1_2048", "RSA_SIGN_RAW_PKCS1_3072", "RSA_SIGN_RAW_PKCS1_4096", "RSA_DECRYPT_OAEP_2048_SHA256", "RSA_DECRYPT_OAEP_3072_SHA256", "RSA_DECRYPT_OAEP_4096_SHA256", "RSA_DECRYPT_OAEP_4096_SHA512", "RSA_DECRYPT_OAEP_2048_SHA1", "RSA_DECRYPT_OAEP_3072_SHA1", "RSA_DECRYPT_OAEP_4096_SHA1", "EC_SIGN_P256_SHA256", "EC_SIGN_P384_SHA384", "EC_SIGN_SECP256K1_SHA256", "HMAC_SHA256", "HMAC_SHA1", "HMAC_SHA384", "HMAC_SHA512", "HMAC_SHA224", "EXTERNAL_SYMMETRIC_ENCRYPTION"

    • attestation(Dict[str, Any], Optional):

      Output only. Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with protection_level HSM.

      • format(str, Optional):

        Output only. The format of the attestation data. Enum type. Allowed values:

        "ATTESTATION_FORMAT_UNSPECIFIED", "CAVIUM_V1_COMPRESSED", "CAVIUM_V2_COMPRESSED"

      • content(str, Optional):

        Output only. The attestation data provided by the HSM when the key operation was performed.

      • cert_chains(Dict[str, Any], Optional):

        Output only. The certificate chains needed to verify the attestation. Certificates in each chain are PEM-encoded and ordered as described in https://tools.ietf.org/html/rfc5246#section-7.4.2: the leaf certificate comes first and each following certificate directly certifies the one preceding it.

        • cavium_certs(list[str], Optional):

          Cavium certificate chain corresponding to the attestation.

        • google_card_certs(list[str], Optional):

          Google card certificate chain corresponding to the attestation.

        • google_partition_certs(list[str], Optional):

          Google partition certificate chain corresponding to the attestation.

    • create_time(str, Optional):

      Output only. The time at which this CryptoKeyVersion was created.

    • generate_time(str, Optional):

      Output only. The time this CryptoKeyVersion’s key material was generated.

    • destroy_time(str, Optional):

      Output only. The time this CryptoKeyVersion’s key material is scheduled for destruction. Only present if state is DESTROY_SCHEDULED.

    • destroy_event_time(str, Optional):

      Output only. The time this CryptoKeyVersion’s key material was destroyed. Only present if state is DESTROYED.

    • import_job(str, Optional):

      Output only. The name of the ImportJob used in the most recent import of this CryptoKeyVersion. Only present if the underlying key material was imported.

    • import_time(str, Optional):

      Output only. The time at which this CryptoKeyVersion’s key material was most recently imported.

    • import_failure_reason(str, Optional):

      Output only. The root cause of the most recent import failure. Only present if state is IMPORT_FAILED.

    • external_protection_level_options(Dict[str, Any], Optional):

      ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL and EXTERNAL_VPC protection levels.

      • external_key_uri(str, Optional):

        The URI for an external resource that this CryptoKeyVersion represents.

      • ekm_connection_key_path(str, Optional):

        The path to the external key material on the EKM when using EkmConnection e.g., “v0/my/key”. Set this field instead of external_key_uri when using an EkmConnection.

    • reimport_eligible(bool, Optional):

      Output only. Whether or not this key version is eligible for reimport, by being specified as a target in ImportCryptoKeyVersionRequest.crypto_key_version.

  • purpose (str, Optional) – Immutable. The purpose of this CryptoKey; it cannot be changed after creation.

  • create_time (str, Optional) – Output only. The time at which this CryptoKey was created. A timestamp in RFC3339 UTC “Zulu” format, with nanosecond resolution and up to nine fractional digits. Examples: “2014-10-02T15:01:23Z” and “2014-10-02T15:01:23.045123456Z”.

  • next_rotation_time (str, Optional) –

    At nextRotationTime, the Key Management Service will automatically:

    • Create a new version of this CryptoKey.

    • Mark the new version as primary.

    Key rotations performed manually via cryptoKeyVersions.create and cryptoKeys.updatePrimaryVersion do not affect nextRotationTime. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted. A timestamp in RFC3339 UTC “Zulu” format, with nanosecond resolution and up to nine fractional digits. Examples: “2014-10-02T15:01:23Z” and “2014-10-02T15:01:23.045123456Z”.

  • version_template (Dict[str, Any], Optional) –

    A template describing settings for new CryptoKeyVersion instances. The properties of new CryptoKeyVersion instances created by either cryptoKeyVersions.create or auto-rotation are controlled by this template.

    • algorithm(str, Optional):

      Required. Algorithm to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT. Enum type. Allowed values:

      "CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED", "GOOGLE_SYMMETRIC_ENCRYPTION", "RSA_SIGN_PSS_2048_SHA256", "RSA_SIGN_PSS_3072_SHA256", "RSA_SIGN_PSS_4096_SHA256", "RSA_SIGN_PSS_4096_SHA512", "RSA_SIGN_PKCS1_2048_SHA256", "RSA_SIGN_PKCS1_3072_SHA256", "RSA_SIGN_PKCS1_4096_SHA256", "RSA_SIGN_PKCS1_4096_SHA512", "RSA_SIGN_RAW_PKCS1_2048", "RSA_SIGN_RAW_PKCS1_3072", "RSA_SIGN_RAW_PKCS1_4096", "RSA_DECRYPT_OAEP_2048_SHA256", "RSA_DECRYPT_OAEP_3072_SHA256", "RSA_DECRYPT_OAEP_4096_SHA256", "RSA_DECRYPT_OAEP_4096_SHA512", "RSA_DECRYPT_OAEP_2048_SHA1", "RSA_DECRYPT_OAEP_3072_SHA1", "RSA_DECRYPT_OAEP_4096_SHA1", "EC_SIGN_P256_SHA256", "EC_SIGN_P384_SHA384", "EC_SIGN_SECP256K1_SHA256", "HMAC_SHA256", "HMAC_SHA1", "HMAC_SHA384", "HMAC_SHA512", "HMAC_SHA224", "EXTERNAL_SYMMETRIC_ENCRYPTION"

    • protection_level(str, Optional):

      ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE. Enum type. Allowed values:

      "PROTECTION_LEVEL_UNSPECIFIED", "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC"

  • labels (Dict[str, str], Optional) – Labels with user-defined metadata. For more information, see Labeling Keys.

  • import_only (bool, Optional) – Immutable. Whether this key may contain imported versions only.

  • destroy_scheduled_duration (str, Optional) – Immutable. The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours. A duration in seconds with up to nine fractional digits, terminated by ‘s’. Example: “3.5s”.

  • crypto_key_backend (str, Optional) – Immutable. The resource name of the backend environment where the key material for all CryptoKeyVersions associated with this CryptoKey resides and where all related cryptographic operations are performed. Only applicable if the CryptoKeyVersions have a ProtectionLevel of EXTERNAL_VPC, with the resource name in the format projects/*/locations/*/ekmConnections/*. Note that this list is non-exhaustive and may apply to additional ProtectionLevels in the future.

  • rotation_period (str, Optional) –

    next_rotation_time will be advanced by this period when the service automatically rotates a key. Must be at least 24 hours and at most 876,000 hours.

    If rotation_period is set, next_rotation_time must also be set. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.

    A duration in seconds with up to nine fractional digits, terminated by ‘s’. Example: “3.5s”.

  • resource_id (str, Optional) –

    Idem resource id. Formatted as

    projects/{project_id}/locations/{location_id}/keyRings/{key_ring_id}/cryptoKeys/{crypto_key_id}

Returns:

Dict[str, Any]

Examples

crypto_key_present:
  gcp.cloudkms.crypto_key.present:
  - primary:
      name: projects/project-name/locations/us-east1/keyRings/key-ring/cryptoKeys/key-1/cryptoKeyVersions/1
  - purpose: ENCRYPT_DECRYPT
  - labels:
      lbl_key_1: lbl-value-1
  - version_template:
      algorithm: GOOGLE_SYMMETRIC_ENCRYPTION
      protection_level: SOFTWARE
  - destroy_scheduled_duration: 86400s
  - rotation_period: 31500001s
  - next_rotation_time: "2024-10-02T15:01:23Z"
  - resource_id: projects/project-name/locations/us-east1/keyRings/key-ring/cryptoKeys/key-1
  - project_id: project-name
  - location_id: us-east1
  - key_ring_id: key-ring
  - crypto_key_id: key-1
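The rules in the parameter list above (purpose and version_template.algorithm required for a new key, rotation only for ENCRYPT_DECRYPT keys, rotation_period requiring next_rotation_time and lying between 24 hours and 876,000 hours, the resource_id format, and primary.name naming a version of the key) can be checked offline before a state run. The following is an added example and not code from idem-gcp: a small linter over the state's argument list, taking the same list-of-one-key-dicts shape that the SLS example above has. GOOD_SPEC is that example transcribed by hand; the error messages and function names are this example's own.

```python
"""Offline pre-apply checks for a gcp.cloudkms.crypto_key.present declaration.
Added example, not part of idem-gcp: it applies the rules from the present()
docstring to the state's argument list so a bad spec fails before any KMS call.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List

ROTATION_MIN, ROTATION_MAX = timedelta(hours=24), timedelta(hours=876_000)
RESOURCE_ID_RE = re.compile(
    r"^projects/(?P<project_id>[^/]+)/locations/(?P<location_id>[^/]+)"
    r"/keyRings/(?P<key_ring_id>[^/]+)/cryptoKeys/(?P<crypto_key_id>[^/]+)$")
DURATION_RE = re.compile(r"^(\d+)(?:\.(\d{1,9}))?s$")
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d{1,9}))?Z$")


def parse_duration(value: str) -> timedelta:
    """API duration: seconds with up to nine fractional digits, terminated by 's'."""
    m = DURATION_RE.match(value)
    if not m:
        raise ValueError(f"bad duration {value!r}, expected e.g. '86400s' or '3.5s'")
    # nine fractional digits are allowed on the wire; timedelta keeps microseconds
    micros = int((m.group(2) or "").ljust(6, "0")[:6])
    return timedelta(seconds=int(m.group(1)), microseconds=micros)


def parse_timestamp(value: str) -> datetime:
    """RFC3339 UTC 'Zulu' timestamp with up to nine fractional digits."""
    m = TIMESTAMP_RE.match(value)
    if not m:
        raise ValueError(f"bad timestamp {value!r}, expected e.g. '2014-10-02T15:01:23Z'")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return base + timedelta(microseconds=int((m.group(2) or "").ljust(6, "0")[:6]))


def lint_crypto_key(args: List[Dict[str, Any]]) -> List[str]:
    """Return the problems found in an SLS argument list (a list of one-key dicts)."""
    a = {k: v for item in args for k, v in item.items()}
    problems: List[str] = []
    purpose, template = a.get("purpose"), a.get("version_template") or {}

    # Required for a new key; GOOGLE_SYMMETRIC_ENCRYPTION is implied only for ENCRYPT_DECRYPT.
    if purpose is None:
        problems.append("purpose is required for a new CryptoKey")
    if "algorithm" not in template and purpose != "ENCRYPT_DECRYPT":
        problems.append("version_template.algorithm is required for a new CryptoKey")

    # Automatic rotation and a primary version exist only for ENCRYPT_DECRYPT keys.
    for field in ("rotation_period", "next_rotation_time", "primary"):
        if field in a and purpose != "ENCRYPT_DECRYPT":
            problems.append(f"{field} must be omitted unless purpose is ENCRYPT_DECRYPT")
    if "rotation_period" in a and "next_rotation_time" not in a:
        problems.append("rotation_period requires next_rotation_time")
    for field in ("rotation_period", "destroy_scheduled_duration"):
        if field in a:
            try:
                d = parse_duration(a[field])
            except ValueError as e:
                problems.append(str(e))
                continue
            if field == "rotation_period" and not ROTATION_MIN <= d <= ROTATION_MAX:
                problems.append(f"rotation_period {a[field]} is outside 24h..876000h")
    if "next_rotation_time" in a:
        try:
            parse_timestamp(a["next_rotation_time"])
        except ValueError as e:
            problems.append(str(e))

    # resource_id must have the documented shape and agree with the component ids.
    resource_id = a.get("resource_id")
    if resource_id is not None:
        m = RESOURCE_ID_RE.match(resource_id)
        if not m:
            problems.append(f"resource_id {resource_id!r} is not projects/.../cryptoKeys/...")
        else:
            for key, value in m.groupdict().items():
                if key in a and a[key] != value:
                    problems.append(f"{key}={a[key]!r} disagrees with resource_id ({value!r})")

    # To change the primary, pass only primary.name, naming a version of this key.
    primary = a.get("primary")
    if isinstance(primary, dict):
        if set(primary) - {"name"}:
            problems.append("primary fields other than name are output only")
        if resource_id and not str(primary.get("name")).startswith(resource_id + "/cryptoKeyVersions/"):
            problems.append("primary.name is not a cryptoKeyVersion under resource_id")
    return problems


# Constructed input: the present() example from this page, as the SLS loader yields it.
GOOD_SPEC = [
    {"primary": {"name": "projects/project-name/locations/us-east1/keyRings/key-ring"
                         "/cryptoKeys/key-1/cryptoKeyVersions/1"}},
    {"purpose": "ENCRYPT_DECRYPT"}, {"labels": {"lbl_key_1": "lbl-value-1"}},
    {"version_template": {"algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION", "protection_level": "SOFTWARE"}},
    {"destroy_scheduled_duration": "86400s"}, {"rotation_period": "31500001s"},
    {"next_rotation_time": "2024-10-02T15:01:23Z"},
    {"resource_id": "projects/project-name/locations/us-east1/keyRings/key-ring/cryptoKeys/key-1"},
    {"project_id": "project-name"}, {"location_id": "us-east1"},
    {"key_ring_id": "key-ring"}, {"crypto_key_id": "key-1"},
]
```

Run lint_crypto_key over the list under a gcp.cloudkms.crypto_key.present key in a parsed SLS file; an empty result means the declaration respects every rule the docstring states, while a rotation_period on an ASYMMETRIC_SIGN key, a rotation_period without next_rotation_time, or a crypto_key_id that disagrees with resource_id each produce one message. The linter does not know whether the key already exists, so it treats purpose and algorithm as required the way a first apply would.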

async idem_gcp.states.gcp.cloudkms.crypto_key.absent(hub, ctx, name: str) -> Dict[str, Any]

Absent is not supported for this resource. A Cloud KMS CryptoKey cannot be deleted; only its CryptoKeyVersions can be disabled or scheduled for destruction, so this function always returns result False without touching the key.

Parameters:

name (str) – Idem name

Returns:

{
    "result": False,
    "comment": "...",
    "old_state": None,
    "new_state": None,
}

async idem_gcp.states.gcp.cloudkms.crypto_key.describe(hub, ctx) -> Dict[str, Dict[str, Any]]

Describe the resource in a way that can be recreated/managed with the corresponding “present” function.

Retrieve the list of available crypto keys.

Returns:

Dict[str, Any]

Examples

$ idem describe gcp.cloudkms.crypto_key

idem_gcp.states.gcp.cloudkms.crypto_key.is_pending(hub, ret: dict, state: str = None, **pending_kwargs) -> bool

Default is_pending implementation, provided for each module.