Skip to main content

Google Key Management Service

This Integration is part of the Google Key Management Service Pack.#

Use the Google Key Management Service API for CryptoKey management and encrypt/decrypt functionality.

Configure Google Key Management Service in Cortex#

ParameterRequired
User's Service Account JSONTrue
Project in Google Cloud KMSTrue
Default LocationTrue
Default Key RingFalse
Use system proxy settingsFalse

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

google-kms-create-key#


Creates a new CryptoKey within a KeyRing.

Base Command#

google-kms-create-key

Input#

Argument NameDescriptionRequired
locationThe geographical regions where requests to Cloud KMS for a given resource are handled,
and where the corresponding cryptographic keys are stored. For more information, see https://cloud.google.com/kms/docs/locations.
Keyword 'default' uses the default location. Possible values are: default, global, asia-east1, asia-east2, asia-northeast1, asia-northeast2, asia-south1, asia-southeast1, australia-southeast1, europe-north1, europe-west1, europe-west2, europe-west3, europe-west4, europe-west6, northamerica-northeast1, us-central1, us-east1, us-east4, us-west1, us-west2, southamerica-east1, eur4, nam4, asia, europe, us. Default is default.
Required
key_ringA grouping of keys for organizational purposes.
Keyword 'default' uses the default KeyRing. Default is default.
Required
crypto_keyThe ID for the created crypto-key. It must be unique within a KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}.Required
labelsLabels with user-defined metadata.Optional
next_rotation_timeDate of the next scheduled rotation time. The Key Management Service automatically creates a new version of this CryptoKey and
marks the new version as primary at the next rotation time.
Key rotations performed manually through cryptoKeyVersions.create and cryptoKeys.updatePrimaryVersion do not affect nextRotationTime.

Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.

A timestamp or a date in RFC3339 UTC "Zulu" format, accurate to nanoseconds. For example, "2014-10-02T15:01:23.045123456Z".

If left empty, it is set in 90 days.
Optional
attestationThe statement that was generated and signed by the HSM at the key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with protectionLevel HSM.Optional
stateThe state of a CryptoKeyVersion, indicating if it can be used. Can be: "CRYPTO_KEY_VERSION_STATE_UNSPECIFIED, "PENDING_GENERATION", "ENABLED", "DISABLED", "DESTROYED", "DESTROY_SCHEDULED" , "PENDING_IMPORT", " IMPORT_FAILED". Possible values are: CRYPTO_KEY_VERSION_STATE_UNSPECIFIED, PENDING_GENERATION, ENABLED, DISABLED, DESTROYED, DESTROY_SCHEDULED, PENDING_IMPORT, IMPORT_FAILED. Default is ENABLED.Optional
purposeThe cryptographic capabilities of a CryptoKey. A given key can only be used for the operations allowed by its purpose. Can be: "CRYPTO_KEY_PURPOSE_UNSPECIFIED", "ENCRYPT_DECRYPT", "ASYMMETRIC_SIGN", "ASYMMETRIC_DECRYPT". Possible values are: CRYPTO_KEY_PURPOSE_UNSPECIFIED, ENCRYPT_DECRYPT, ASYMMETRIC_SIGN, ASYMMETRIC_DECRYPT. Default is ENCRYPT_DECRYPT.Required
rotation_periodThe time between when new key versions are generated automatically. Must be between 24 hours and 876,000 hours. Keys with ENCRYPT_DECRYPT purpose support automatic rotation. For other keys, this field must be omitted. A duration in seconds. Default is 7776000.Required
algorithmAlgorithm to use when creating a CryptoKeyVersion based on this template. Possible values are: CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED, GOOGLE_SYMMETRIC_ENCRYPTION, RSA_SIGN_PSS_2048_SHA256, RSA_SIGN_PSS_3072_SHA256, RSA_SIGN_PSS_4096_SHA256, RSA_SIGN_PSS_4096_SHA512, RSA_SIGN_PKCS1_2048_SHA256, RSA_SIGN_PKCS1_3072_SHA256, RSA_SIGN_PKCS1_4096_SHA256, RSA_SIGN_PKCS1_4096_SHA512, RSA_DECRYPT_OAEP_2048_SHA256, RSA_DECRYPT_OAEP_3072_SHA256, RSA_DECRYPT_OAEP_4096_SHA256, RSA_DECRYPT_OAEP_4096_SHA512, EC_SIGN_P256_SHA256, EC_SIGN_P384_SHA384. Default is GOOGLE_SYMMETRIC_ENCRYPTION.Optional
protection_levelProtections levels for cryptographic operations when creating a CryptoKeyVersion. Can be: Can be: "PROECTECTION_LEVEL_UNSPECIFIED", "SOFTWARE", "HSM". Default is "SOFTWARE". Possible values are: PROTECTION_LEVEL_UNSPECIFIED, SOFTWARE, HSM. Default is SOFTWARE.Optional
skip_initial_version_creationWhether to create a CryptoKey without any CryptoKeyVersions. You have to create the CryptoKeyVersion to use this key. Possible values are: true, false. Default is false.Optional

Context Output#

PathTypeDescription
GoogleKMS.CryptoKey.NameStringThe resource name for this CryptoKey.
GoogleKMS.CryptoKey.PurposeStringThe immutable purpose of this CryptoKey.
GoogleKMS.CryptoKey.CreationTimeStringThe time when this CryptoKey was created.
GoogleKMS.CryptoKey.NextRotationTimeDateThe date when the next scheduled rotation is due to run. At nextRotationTime, the Key Management Service automatically
creates a new version of this CryptoKey and marks the new version as primary.
GoogleKMS.CryptoKey.RotationPeriodStringThe period for which the nextRotationTime is advanced, when the service automatically rotates a key.
GoogleKMS.CryptoKey.LabelsStringLabels with user-defined metadata.
GoogleKMS.CryptoKey.VersionTemplate.ProtectionLevelStringThe protection level describing how cryptographic operations are performed with this CryptoKeyVersion.
GoogleKMS.CryptoKey.VersionTemplate.AlgorithmStringThe CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.
GoogleKMS.CryptoKey.PrimaryCryptoKeyVersion.NameStringThe resource name for this CryptoKeyVersion.
GoogleKMS.CryptoKey.PrimaryCryptoKeyVersion.StateStringThe current state of the CryptoKeyVersion.
GoogleKMS.CryptoKey.PrimaryCryptoKeyVersion.CreationTimeDateThe time when this CryptoKeyVersion was created.
GoogleKMS.CryptoKey.PrimaryCryptoKeyVersion.ProtectionLevelStringThe ProtectionLevel describing how cryptographic operations are performed with this CryptoKeyVersion.
GoogleKMS.CryptoKey.PrimaryCryptoKeyVersion.AlgorithmStringThe algorithm in use in the primary CryptoKeyVersion.
GoogleKMS.CryptoKey.PrimaryCryptoKeyVersion.GenerateTimeDateThe time this CryptoKeyVersion's key material was generated.

google-kms-symmetric-decrypt#


Decrypts data that was protected by Encrypt.

Base Command#

google-kms-symmetric-decrypt

Input#

Argument NameDescriptionRequired
locationThe geographical region where requests to Cloud KMS for a given resource are handled,
and where the corresponding cryptographic keys are stored. For more information, see https://cloud.google.com/kms/docs/locations.
Keyword 'default' uses the default location. Possible values are: default, global, asia-east1, asia-east2, asia-northeast1, asia-northeast2, asia-south1, asia-southeast1, australia-southeast1, europe-north1, europe-west1, europe-west2, europe-west3, europe-west4, europe-west6, northamerica-northeast1, us-central1, us-east1, us-east4, us-west1, us-west2, southamerica-east1, eur4, nam4, asia, europe, us. Default is default.
Required
key_ringA grouping of keys for organizational purposes.
Keyword 'default' uses the default KeyRing. Default is default.
Required
crypto_keyThe ID for the crypto-key to use.Required
simple_ciphertextThe ciphertext to decrypt to simple plain text.Optional
additional_authenticated_dataA base64-encoded string passed to Cloud KMS as part of an encrypt or decrypt request.
The optional data that must match the data originally supplied in the EncryptRequest.additional_authenticated_data.
Optional
base64_ciphertextThe ciphertext to decrypt to base64 plain text.Optional
entry_idThe entry ID for the file to decrypt.Optional

Context Output#

PathTypeDescription
GoogleKMS.SymmetricDecrypt.CryptoKeyStringThe CryptoKey in use.
GoogleKMS.SymmetricDecrypt.IsBase64BooleanWhether the original plain text is in base64.
GoogleKMS.SymmetricDecrypt.PlaintextStringThe decrypted plaintext.

google-kms-symmetric-encrypt#


Encrypts data, so it can only be recovered by a call to Decrypt.

Base Command#

google-kms-symmetric-encrypt

Input#

Argument NameDescriptionRequired
locationThe geographical regions where requests to Cloud KMS for a given resource are handled,
and where the corresponding cryptographic keys are stored. For example, https://cloud.google.com/kms/docs/locations.
Keyword 'default' uses the default location. Possible values are: default, global, asia-east1, asia-east2, asia-northeast1, asia-northeast2, asia-south1, asia-southeast1, australia-southeast1, europe-north1, europe-west1, europe-west2, europe-west3, europe-west4, europe-west6, northamerica-northeast1, us-central1, us-east1, us-east4, us-west1, us-west2, southamerica-east1, eur4, nam4, asia, europe, us. Default is default.
Required
key_ringA grouping of keys for organizational purposes.
Keyword 'default' uses the default KeyRing. Default is default.
Required
crypto_keyThe ID for the crypto-key to use.Required
simple_plaintextSimple plain text to encrypt. Must be no larger than 64KiB.Optional
additional_authenticated_dataA base64-encoded string passed to Cloud KMS as part of an encrypt or decrypt request. Must also be provided during decryption through DecryptRequest.additional_authenticated_data.
The maximum size depends on the key version's protection level.
For SOFTWARE keys, the AAD must be no larger than 64KiB. For HSM keys, the combined length of the plain text and additionalAuthenticatedData fields must be no larger than 8KiB.
Optional
base64_plaintextThe Base64 plain text to encrypt.Optional
entry_idThe entry ID for the file to encrypt.Optional

Context Output#

PathTypeDescription
GoogleKMS.SymmetricEncrypt.CryptoKeyStringThe CryptoKey used.
GoogleKMS.SymmetricEncrypt.IsBase64BooleanWhether the original plain text is in base 64.
GoogleKMS.SymmetricEncrypt.CiphertextStringThe encrypted ciphertext.

google-kms-get-key#


Returns metadata for a given CryptoKey, and its primary CryptoKeyVersion.

Base Command#

google-kms-get-key

Input#

Argument NameDescriptionRequired
locationThe geographical regions where requests to Cloud KMS for a given resource are handled,
and where the corresponding cryptographic keys are stored. For example, https://cloud.google.com/kms/docs/locations.
Keyword 'default' sets the location to the default location. Possible values are: default, global, asia-east1, asia-east2, asia-northeast1, asia-northeast2, asia-south1, asia-southeast1, australia-southeast1, europe-north1, europe-west1, europe-west2, europe-west3, europe-west4, europe-west6, northamerica-northeast1, us-central1, us-east1, us-east4, us-west1, us-west2, southamerica-east1, eur4, nam4, asia, europe, us. Default is default.
Required
key_ringA grouping of keys for organizational purposes.
Keyword 'default' uses the default KeyRing. Default is default.
Required
crypto_keyThe ID for the fetched crypto-key.Required

Context Output#

PathTypeDescription
GoogleKMS.CryptoKey.NameStringThe resource name for this CryptoKey.
GoogleKMS.CryptoKey.PurposeStringThe immutable purpose of this CryptoKey.
GoogleKMS.CryptoKey.CreationTimeDateThe time at which this CryptoKey was created.
GoogleKMS.CryptoKey.NextRotationTimeDateThe date when the next scheduled rotation is due to run. At nextRotationTime, the Key Management Service automatically
creates a new version of this CryptoKey and marks the new version as primary.
GoogleKMS.CryptoKey.RotationPeriodStringThe period for which the nextRotationTime is advanced, when the service automatically rotates a key. hours.
GoogleKMS.CryptoKey.LabelsStringLabels with user-defined metadata.
GoogleKMS.CryptoKey.VersionTemplate.ProtectionLevelStringThe ProtectionLevel describing how cryptographic operations are performed with this CryptoKeyVersion.
GoogleKMS.CryptoKey.VersionTemplate.AlgorithmStringThe CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.
GoogleKMS.CryptoKey.PrimaryCryptoKeyVersion.NameStringThe resource name for this CryptoKeyVersion.
GoogleKMS.CryptoKey.PrimaryCryptoKeyVersion.StateStringThe current state of the CryptoKeyVersion.
GoogleKMS.CryptoKey.PrimaryCryptoKeyVersion.CreationTimeDateThe time at which this CryptoKeyVersion was created.
GoogleKMS.CryptoKey.PrimaryCryptoKeyVersion.ProtectionLevelStringThe ProtectionLevel describing how cryptographic operations are performed with this CryptoKeyVersion.
GoogleKMS.CryptoKey.PrimaryCryptoKeyVersion.AlgorithmStringThe algorithm used in the primary CryptoKeyVersion.
GoogleKMS.CryptoKey.PrimaryCryptoKeyVersion.GenerateTimeDateThe time this CryptoKeyVersion's key material was generated.

google-kms-update-key#


Updates a CryptoKey.

Base Command#

google-kms-update-key

Input#

Argument NameDescriptionRequired
locationThe geographical regions where requests to Cloud KMS for a given resource are handled,
and where the corresponding cryptographic keys are stored. For more information, see https://cloud.google.com/kms/docs/locations.
Keyword 'default' uses the default location. Possible values are: default, global, asia-east1, asia-east2, asia-northeast1, asia-northeast2, asia-south1, asia-southeast1, australia-southeast1, europe-north1, europe-west1, europe-west2, europe-west3, europe-west4, europe-west6, northamerica-northeast1, us-central1, us-east1, us-east4, us-west1, us-west2, southamerica-east1, eur4, nam4, asia, europe, us. Default is default.
Required
key_ringA grouping of keys for organizational purposes.
Keyword 'default' uses the default KeyRing. Default is default.
Required
crypto_keyThe ID for the updated crypto-key.Required
next_rotation_timeThe date when the next scheduled rotation is due to run. At nextRotationTime, the Key Management Service automatically
creates a new version of this CryptoKey and marks the new version as primary.
Key rotations performed manually via cryptoKeyVersions.create and cryptoKeys.updatePrimaryVersion do not affect nextRotationTime.

Keys with purpose ENCRYPT_DECRYPT, support automatic rotation. For other keys, this field must be omitted.

A timestamp or a date in RFC3339 UTC "Zulu" format, accurate to nanoseconds. For example, "2014-10-02T15:01:23.045123456Z".
Optional
attestationStatement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with protectionLevel HSM.Optional
stateThe state of a CryptoKeyVersion, indicating if it can be used. Can be: "CRYPTO_KEY_VERSION_STATE_UNSPECIFIED, "PENDING_GENERATION", "ENABLED", "DISABLED", "DESTROYED", "DESTROY_SCHEDULED" , "PENDING_IMPORT", " IMPORT_FAILED". Possible values are: CRYPTO_KEY_VERSION_STATE_UNSPECIFIED, PENDING_GENERATION, ENABLED, DISABLED, DESTROYED, DESTROY_SCHEDULED, PENDING_IMPORT, IMPORT_FAILED.Optional
purposeCryptoKeyPurpose describes the cryptographic capabilities of a CryptoKey. A given key can only be used for the operations allowed by its purpose. Can be: "CRYPTO_KEY_PURPOSE_UNSPECIFIED", "ENCRYPT_DECRYPT", "ASYMMETRIC_SIGN", "ASYMMETRIC_DECRYPT". Possible values are: CRYPTO_KEY_PURPOSE_UNSPECIFIED, ENCRYPT_DECRYPT, ASYMMETRIC_SIGN, ASYMMETRIC_DECRYPT.Optional
rotation_periodTime between when new key versions are generated automatically. Must between 24 hours and 876,000 hours. If rotation_period is set, next_rotation_time must also be set. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted. A duration in seconds.Optional
algorithmAlgorithm to use when creating a CryptoKeyVersion based on this template. Possible values are: CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED, GOOGLE_SYMMETRIC_ENCRYPTION, RSA_SIGN_PSS_2048_SHA256, RSA_SIGN_PSS_3072_SHA256, RSA_SIGN_PSS_4096_SHA256, RSA_SIGN_PSS_4096_SHA512, RSA_SIGN_PKCS1_2048_SHA256, RSA_SIGN_PKCS1_3072_SHA256, RSA_SIGN_PKCS1_4096_SHA256, RSA_SIGN_PKCS1_4096_SHA512, RSA_DECRYPT_OAEP_2048_SHA256, RSA_DECRYPT_OAEP_3072_SHA256, RSA_DECRYPT_OAEP_4096_SHA256, RSA_DECRYPT_OAEP_4096_SHA512, EC_SIGN_P256_SHA256, EC_SIGN_P384_SHA384.Optional
protection_levelThe protection_level to use when creating a CryptoKeyVersion based on this template. Can be: "PROTECTION_LEVEL_UNSPECIFIED", "SOFTWARE", "HSM". Possible values are: PROTECTION_LEVEL_UNSPECIFIED, SOFTWARE, HSM.Optional
labelsLabels with user-defined metadata.Optional

Context Output#

PathTypeDescription
GoogleKMS.CryptoKey.NameStringThe resource name for this CryptoKey.
GoogleKMS.CryptoKey.PurposeStringThe immutable purpose of this CryptoKey.
GoogleKMS.CryptoKey.CreationTimeStringThe time at which this CryptoKey was created.
GoogleKMS.CryptoKey.NextRotationTimeDateThe date when the next scheduled rotation is due to run. At nextRotationTime, the Key Management Service automatically
creates a new version of this CryptoKey and marks the new version as primary.
GoogleKMS.CryptoKey.RotationPeriodStringThe period for which the nextRotationTime is advanced, when the service automatically rotates a key.
GoogleKMS.CryptoKey.LabelsStringLabels with user-defined metadata.
GoogleKMS.CryptoKey.VersionTemplate.ProtectionLevelStringThe ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.
GoogleKMS.CryptoKey.VersionTemplate.AlgorithmStringThe CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.
GoogleKMS.CryptoKey.PrimaryCryptoKeyVersion.NameStringThe resource name for this CryptoKeyVersion.
GoogleKMS.CryptoKey.PrimaryCryptoKeyVersion.StateStringThe current state of the CryptoKeyVersion.
GoogleKMS.CryptoKey.PrimaryCryptoKeyVersion.CreationTimeDateThe time at which this CryptoKeyVersion was created.
GoogleKMS.CryptoKey.PrimaryCryptoKeyVersion.ProtectionLevelStringThe ProtectionLevel describing how cryptographic operations are performed with this CryptoKeyVersion.
GoogleKMS.CryptoKey.PrimaryCryptoKeyVersion.AlgorithmStringThe algorithm in use in the primary CryptoKeyVersion.
GoogleKMS.CryptoKey.PrimaryCryptoKeyVersion.GenerateTimeDateThe time this CryptoKeyVersion's key material was generated.

google-kms-destroy-key#


Schedules a CryptoKeyVersion for destruction.

Base Command#

google-kms-destroy-key

Input#

Argument NameDescriptionRequired
locationThe geographical regions where requests to Cloud KMS for a given resource are handled,
and where the corresponding cryptographic keys are stored. For example, see https://cloud.google.com/kms/docs/locations.
Keyword 'default' uses the default location. Possible values are: default, global, asia-east1, asia-east2, asia-northeast1, asia-northeast2, asia-south1, asia-southeast1, australia-southeast1, europe-north1, europe-west1, europe-west2, europe-west3, europe-west4, europe-west6, northamerica-northeast1, us-central1, us-east1, us-east4, us-west1, us-west2, southamerica-east1, eur4, nam4, asia, europe, us. Default is default.
Required
key_ringA grouping of keys for organizational purposes.
Keyword 'default' uses the default KeyRing. Default is default.
Required
crypto_keyThe ID for the crypto-key to destroy.Required
crypto_key_versionThe CryptoKeyVersion ID to destroy. Use keyword 'default' to use the primary CryptoKeyVersion of the given CryptoKey. Default is default.Required

Context Output#

There is no context output for this command.

google-kms-restore-key#


Restores a CryptoKeyVersion in the DESTROY_SCHEDULED state.

Base Command#

google-kms-restore-key

Input#

Argument NameDescriptionRequired
locationThe geographical regions where requests to Cloud KMS for a given resource are handled,
and where the corresponding cryptographic keys are stored. For example, see https://cloud.google.com/kms/docs/locations.
Keyword 'default' uses the default location. Possible values are: default, global, asia-east1, asia-east2, asia-northeast1, asia-northeast2, asia-south1, asia-southeast1, australia-southeast1, europe-north1, europe-west1, europe-west2, europe-west3, europe-west4, europe-west6, northamerica-northeast1, us-central1, us-east1, us-east4, us-west1, us-west2, southamerica-east1, eur4, nam4, asia, europe, us. Default is default.
Required
key_ringA grouping of keys for organizational purposes.
Keyword 'default' uses the default KeyRing. Default is default.
Required
crypto_keyThe ID for the crypto-key to restore.Required
crypto_key_versionThe CryptoKeyVersion ID to restore. Use keyword 'default' to use the primary CryptoKeyVersion of the given CryptoKey. Default is default.Required

Context Output#

There is no context output for this command.

google-kms-disable-key#


Disables a CryptoKeyVersion of a given CryptoKey.

Base Command#

google-kms-disable-key

Input#

Argument NameDescriptionRequired
locationThe geographical regions where requests to Cloud KMS for a given resource are handled,
and where the corresponding cryptographic keys are stored. For more information, see https://cloud.google.com/kms/docs/locations.
Keyword 'default' uses the default location. Possible values are: default, global, asia-east1, asia-east2, asia-northeast1, asia-northeast2, asia-south1, asia-southeast1, australia-southeast1, europe-north1, europe-west1, europe-west2, europe-west3, europe-west4, europe-west6, northamerica-northeast1, us-central1, us-east1, us-east4, us-west1, us-west2, southamerica-east1, eur4, nam4, asia, europe, us. Default is default.
Required
key_ringA grouping of keys for organizational purposes.
Keyword 'default' uses the default KeyRing. Default is default.
Required
crypto_keyThe ID for the crypto-key to disable.Required
crypto_key_versionThe CryptoKeyVersion ID to disable. Use keyword 'default' to use the primary CryptoKeyVersion of the given CryptoKey. Default is default.Required

Context Output#

There is no context output for this command.

google-kms-enable-key#


Enables a CryptoKeyVersion of a given CryptoKey.

Base Command#

google-kms-enable-key

Input#

Argument NameDescriptionRequired
locationThe geographical regions where requests to Cloud KMS for a given resource are handled,
and where the corresponding cryptographic keys are stored. For more information, see https://cloud.google.com/kms/docs/locations.
Keyword 'default' uses the default location. Possible values are: default, global, asia-east1, asia-east2, asia-northeast1, asia-northeast2, asia-south1, asia-southeast1, australia-southeast1, europe-north1, europe-west1, europe-west2, europe-west3, europe-west4, europe-west6, northamerica-northeast1, us-central1, us-east1, us-east4, us-west1, us-west2, southamerica-east1, eur4, nam4, asia, europe, us. Default is default.
Required
key_ringA grouping of keys for organizational purposes.
Keyword 'default' uses the default KeyRing. Default is default.
Required
crypto_keyThe ID for the crypto-key to enable.Required
crypto_key_versionThe CryptoKeyVersion ID to enable. Use keyword 'default' to use the primary CryptoKeyVersion of the given CryptoKey. Default is default.Required

Context Output#

There is no context output for this command.

google-kms-list-keys#


Lists all keys in key ring.

Base Command#

google-kms-list-keys

Input#

Argument NameDescriptionRequired
locationThe geographical regions where requests to Cloud KMS for a given resource are handled,
and where the corresponding cryptographic keys are stored. For more information, see https://cloud.google.com/kms/docs/locations.
Keyword 'default' uses the default location. Possible values are: default, global, asia-east1, asia-east2, asia-northeast1, asia-northeast2, asia-south1, asia-southeast1, australia-southeast1, europe-north1, europe-west1, europe-west2, europe-west3, europe-west4, europe-west6, northamerica-northeast1, us-central1, us-east1, us-east4, us-west1, us-west2, southamerica-east1, eur4, nam4, asia, europe, us. Default is default.
Required
key_ringA grouping of keys for organizational purposes.
Keyword 'default' uses the default KeyRing. Default is default.
Required
key_stateShows only keys with this primary CryptoKeyVersion state. Leave empty to show all. Can be: "CRYPTO_KEY_VERSION_STATE_UNSPECIFIED", "PENDING_GENERATION", "ENABLED", "DISABLED", "DESTROYED", "DESTROY_SCHEDULED", "PENDING_IMPORT", "IMPORT_FAILED". Possible values are: CRYPTO_KEY_VERSION_STATE_UNSPECIFIED, PENDING_GENERATION, ENABLED, DISABLED, DESTROYED, DESTROY_SCHEDULED, PENDING_IMPORT, IMPORT_FAILED.Optional

Context Output#

There is no context output for this command.

google-kms-asymmetric-encrypt#


Encrypts data using a asymmetric CryptoKey

Base Command#

google-kms-asymmetric-encrypt

Input#

Argument NameDescriptionRequired
locationThe geographical regions where requests to Cloud KMS for a given resource are handled,
and where the corresponding cryptographic keys are stored. For more information, see https://cloud.google.com/kms/docs/locations.
Keyword 'default' uses the location to the default location. Possible values are: default, global, asia-east1, asia-east2, asia-northeast1, asia-northeast2, asia-south1, asia-southeast1, australia-southeast1, europe-north1, europe-west1, europe-west2, europe-west3, europe-west4, europe-west6, northamerica-northeast1, us-central1, us-east1, us-east4, us-west1, us-west2, southamerica-east1, eur4, nam4, asia, europe, us. Default is default.
Required
key_ringA grouping of keys for organizational purposes.
Keyword 'default' uses the default KeyRing. Default is default.
Required
crypto_keyThe ID for the crypto-key to use.Required
crypto_key_versionThe CryptoKeyVersion to use.Required
simple_plaintextSimple plain text to encrypt. Must be no larger than 64KiB.Optional
base64_plaintextBase64 plain text to encrypt.Optional
entry_idThe entry ID of the file to encrypt.Optional

Context Output#

PathTypeDescription
GoogleKMS.AsymmetricEncrypt.CryptoKeyStringThe CryptoKey used
GoogleKMS.AsymmetricEncrypt.IsBase64BooleanIs the original plaintext in base 64
GoogleKMS.AsymmetricEncrypt.CiphertextStringThe encrypted ciphertext

google-kms-asymmetric-decrypt#


Decrypts data using an asymmetric CryptoKey.

Base Command#

google-kms-asymmetric-decrypt

Input#

Argument NameDescriptionRequired
locationThe geographical regions where requests to Cloud KMS for a given resource are handled, and where the corresponding cryptographic keys are stored. For more information, see https://cloud.google.com/kms/docs/locations
Keyword 'default' uses the default location. Possible values are: default, global, asia-east1, asia-east2, asia-northeast1, asia-northeast2, asia-south1, asia-southeast1, australia-southeast1, europe-north1, europe-west1, europe-west2, europe-west3, europe-west4, europe-west6, northamerica-northeast1, us-central1, us-east1, us-east4, us-west1, us-west2, southamerica-east1, eur4, nam4, asia, europe, us. Default is default.
Required
key_ringA grouping of keys for organizational purposes.
Keyword 'default' uses the default KeyRing. Default is default.
Required
crypto_keyThe ID for the crypto-key to use.Required
crypto_key_versionThe CryptoKeyVersion to use.Required
simple_ciphertextCiphertext to decrypt to simple plain text.Optional
base64_ciphertextCiphertext to decrypt to base64 plain text.Optional
entry_idThe entry ID of the file to decrypt.Optional

Context Output#

PathTypeDescription
GoogleKMS.AsymmetricDecrypt.CryptoKeyStringThe CryptoKey in use.
GoogleKMS.AsymmetricDecrypt.IsBase64BooleanWhether the original plain text is in base64.
GoogleKMS.AsymmetricDecrypt.PlaintextStringThe decrypted plain text.

google-kms-list-key-rings#


Lists all KeyRings in a given location.

Base Command#

google-kms-list-key-rings

Input#

Argument NameDescriptionRequired
locationThe geographical regions where requests to Cloud KMS for a given resource are handled,
and where the corresponding cryptographic keys are stored. For more information, see https://cloud.google.com/kms/docs/locations.
Keyword 'default' uses the default location. Possible values are: default, global, asia-east1, asia-east2, asia-northeast1, asia-northeast2, asia-south1, asia-southeast1, australia-southeast1, europe-north1, europe-west1, europe-west2, europe-west3, europe-west4, europe-west6, northamerica-northeast1, us-central1, us-east1, us-east4, us-west1, us-west2, southamerica-east1, eur4, nam4, asia, europe, us. Default is default.
Required
allReturns all KeyRings from all locations. Default is no. Possible values are: yes, no. Default is no.Optional

Context Output#

PathTypeDescription
GoogleKMS.KeyRing.NameStringThe name of the KeyRing.
GoogleKMS.KeyRing.CreateTimeDateThe creation time of the KeyRing.

google-kms-list-all-keys#


Lists all CryptoKeys across all KeyRings in a given location.

Base Command#

google-kms-list-all-keys

Input#

Argument NameDescriptionRequired
locationThe geographical regions where requests to Cloud KMS for a given resource are handled,
and where the corresponding cryptographic keys are stored. For more information, see https://cloud.google.com/kms/docs/locations.
Keyword 'default' uses the default location. Possible values are: default, global, asia-east1, asia-east2, asia-northeast1, asia-northeast2, asia-south1, asia-southeast1, australia-southeast1, europe-north1, europe-west1, europe-west2, europe-west3, europe-west4, europe-west6, northamerica-northeast1, us-central1, us-east1, us-east4, us-west1, us-west2, southamerica-east1, eur4, nam4, asia, europe, us. Default is default.
Required
allWhether to return all CryptoKeys from all KeyRings across all locations. Possible values are: yes, no. Default is no.Optional
key_stateShows only keys with this primary CryptoKeyVersion state. Leave empty to show all. Possible values are: CRYPTO_KEY_VERSION_STATE_UNSPECIFIED, PENDING_GENERATION, ENABLED, DISABLED, DESTROYED, DESTROY_SCHEDULED, PENDING_IMPORT, IMPORT_FAILED.Optional

Context Output#

PathTypeDescription
GoogleKMS.CryptoKey.NameStringThe resource name for this CryptoKey.
GoogleKMS.CryptoKey.PurposeStringThe immutable purpose of this CryptoKey.
GoogleKMS.CryptoKey.CreationTimeDateThe time at which this CryptoKey was created.
GoogleKMS.CryptoKey.NextRotationTimeDateThe date when the next scheduled rotation is due to run. At nextRotationTime, the Key Management Service automatically

creates a new version of this CryptoKey and marks the new version as primary. | | GoogleKMS.CryptoKey.RotationPeriod | String | The period for which the nextRotationTime is advanced, when the service automatically rotates a key. | | GoogleKMS.CryptoKey.Labels | String | Labels with user-defined metadata. | | GoogleKMS.CryptoKey.VersionTemplate.ProtectionLevel | String | The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion. | | GoogleKMS.CryptoKey.VersionTemplate.Algorithm | String | The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports. | | GoogleKMS.CryptoKey.PrimaryCryptoKeyVersion.Name | String | The resource name for this CryptoKeyVersion. | | GoogleKMS.CryptoKey.PrimaryCryptoKeyVersion.State | String | The current state of the CryptoKeyVersion. | | GoogleKMS.CryptoKey.PrimaryCryptoKeyVersion.CreationTime | String | The time at which this CryptoKeyVersion was created. | | GoogleKMS.CryptoKey.PrimaryCryptoKeyVersion.ProtectionLevel | String | The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion. | | GoogleKMS.CryptoKey.PrimaryCryptoKeyVersion.Algorithm | String | The algorithm in use in the primary CryptoKeyVersion | | GoogleKMS.CryptoKey.PrimaryCryptoKeyVersion.GenerateTime | Date | The time this CryptoKeyVersion's key material was generated. |

google-kms-get-public-key#


Returns the public key from a given CryptoKey.

Base Command#

google-kms-get-public-key

Input#

Argument NameDescriptionRequired
locationThe geographical regions where requests to Cloud KMS for a given resource are handled,
and where the corresponding cryptographic keys are stored. For more information, see https://cloud.google.com/kms/docs/locations.
Keyword 'default' uses the default location. Possible values are: default, global, asia-east1, asia-east2, asia-northeast1, asia-northeast2, asia-south1, asia-southeast1, australia-southeast1, europe-north1, europe-west1, europe-west2, europe-west3, europe-west4, europe-west6, northamerica-northeast1, us-central1, us-east1, us-east4, us-west1, us-west2, southamerica-east1, eur4, nam4, asia, europe, us. Default is default.
Required
key_ringA grouping of keys for organizational purposes.
Keyword 'default' uses the default KeyRing. Default is default.
Required
crypto_keyThe ID for the crypto-key to use.Required
crypto_key_versionThe CryptoKeyVersion to use.Required

Context Output#

PathTypeDescription
GoogleKMS.PublicKey.CryptoKeyStringThe CryptoKey to which the public key is connected.
GoogleKMS.PublicKey.PEMStringThe PEM of the public key.
GoogleKMS.PublicKey.AlgorithmStringThe algorithm used in the CryptoKey