Namespace Pulumi.Gcp.Kms
Classes
CryptoKey
A CryptoKey represents a logical key that can be used for cryptographic operations.
Note: CryptoKeys cannot be deleted from Google Cloud Platform. Destroying a provider-managed CryptoKey will remove it from state and delete all CryptoKeyVersions, rendering the key unusable, but will not delete the resource on the server. When the provider destroys these keys, any data previously encrypted with these keys will be irrecoverable. For this reason, it is strongly recommended that you add lifecycle hooks to the resource to prevent accidental destruction.
To get more information about CryptoKey, see:
- API documentation
- How-to Guides
- Creating a key
Example Usage - Kms Crypto Key Basic
using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        var keyring = new Gcp.Kms.KeyRing("keyring", new Gcp.Kms.KeyRingArgs
        {
            Location = "global",
        });
        var example_key = new Gcp.Kms.CryptoKey("example-key", new Gcp.Kms.CryptoKeyArgs
        {
            KeyRing = keyring.Id,
            RotationPeriod = "100000s",
        });
    }
}
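The note above recommends guarding the key against accidental destruction. In Pulumi the resource option `Protect` serves that purpose. The following is an added example, not part of the original documentation; the resource name `protected-key` is illustrative.

```csharp
using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        var keyring = new Gcp.Kms.KeyRing("keyring", new Gcp.Kms.KeyRingArgs
        {
            Location = "global",
        });

        // Protect = true makes Pulumi refuse any operation that would delete
        // this resource (including `pulumi destroy`) until protection is
        // removed, so the CryptoKeyVersions cannot be destroyed by accident.
        var key = new Gcp.Kms.CryptoKey("protected-key", new Gcp.Kms.CryptoKeyArgs
        {
            KeyRing = keyring.Id,
            RotationPeriod = "100000s",
        }, new CustomResourceOptions
        {
            Protect = true,
        });
    }
}
```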
CryptoKeyArgs
CryptoKeyIAMBinding
Three different resources help you manage your IAM policy for a KMS crypto key. Each of these resources serves a different use case:
- gcp.kms.CryptoKeyIAMPolicy: Authoritative. Sets the IAM policy for the crypto key and replaces any existing policy already attached.
- gcp.kms.CryptoKeyIAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the crypto key are preserved.
- gcp.kms.CryptoKeyIAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the crypto key are preserved.
Note: gcp.kms.CryptoKeyIAMPolicy cannot be used in conjunction with gcp.kms.CryptoKeyIAMBinding and gcp.kms.CryptoKeyIAMMember or they will fight over what your policy should be.
Note: gcp.kms.CryptoKeyIAMBinding resources can be used in conjunction with gcp.kms.CryptoKeyIAMMember resources only if they do not grant privilege to the same role.
using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        var keyring = new Gcp.Kms.KeyRing("keyring", new Gcp.Kms.KeyRingArgs
        {
            Location = "global",
        });
        var key = new Gcp.Kms.CryptoKey("key", new Gcp.Kms.CryptoKeyArgs
        {
            KeyRing = keyring.Id,
            RotationPeriod = "100000s",
        });
        // Build the policy document that will become the key's entire IAM policy.
        var admin = Output.Create(Gcp.Organizations.GetIAMPolicy.InvokeAsync(new Gcp.Organizations.GetIAMPolicyArgs
        {
            Bindings =
            {
                new Gcp.Organizations.Inputs.GetIAMPolicyBindingArgs
                {
                    Role = "roles/cloudkms.cryptoKeyEncrypter",
                    Members =
                    {
                        "user:jane@example.com",
                    },
                },
            },
        }));
        // Authoritative: replaces any policy already attached to the key.
        var cryptoKey = new Gcp.Kms.CryptoKeyIAMPolicy("cryptoKey", new Gcp.Kms.CryptoKeyIAMPolicyArgs
        {
            CryptoKeyId = key.Id,
            PolicyData = admin.Apply(admin => admin.PolicyData),
        });
    }
}
With IAM Conditions:
using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        var admin = Output.Create(Gcp.Organizations.GetIAMPolicy.InvokeAsync(new Gcp.Organizations.GetIAMPolicyArgs
        {
            Bindings =
            {
                new Gcp.Organizations.Inputs.GetIAMPolicyBindingArgs
                {
                    Condition = new Gcp.Organizations.Inputs.GetIAMPolicyBindingConditionArgs
                    {
                        Description = "Expiring at midnight of 2019-12-31",
                        Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
                        Title = "expires_after_2019_12_31",
                    },
                    Members =
                    {
                        "user:jane@example.com",
                    },
                    Role = "roles/cloudkms.cryptoKeyEncrypter",
                },
            },
        }));
    }
}
using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        var cryptoKey = new Gcp.Kms.CryptoKeyIAMBinding("cryptoKey", new Gcp.Kms.CryptoKeyIAMBindingArgs
        {
            // Placeholder: ID of an existing CryptoKey.
            CryptoKeyId = "your-crypto-key-id",
            Role = "roles/cloudkms.cryptoKeyEncrypter",
            Members =
            {
                "user:jane@example.com",
            },
        });
    }
}
With IAM Conditions:
using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        var cryptoKey = new Gcp.Kms.CryptoKeyIAMBinding("cryptoKey", new Gcp.Kms.CryptoKeyIAMBindingArgs
        {
            // Placeholder: ID of an existing CryptoKey.
            CryptoKeyId = "your-crypto-key-id",
            Role = "roles/cloudkms.cryptoKeyEncrypter",
            Members =
            {
                "user:jane@example.com",
            },
            Condition = new Gcp.Kms.Inputs.CryptoKeyIAMBindingConditionArgs
            {
                Title = "expires_after_2019_12_31",
                Description = "Expiring at midnight of 2019-12-31",
                Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
            },
        });
    }
}
using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        var cryptoKey = new Gcp.Kms.CryptoKeyIAMMember("cryptoKey", new Gcp.Kms.CryptoKeyIAMMemberArgs
        {
            // Placeholder: ID of an existing CryptoKey.
            CryptoKeyId = "your-crypto-key-id",
            Role = "roles/cloudkms.cryptoKeyEncrypter",
            Member = "user:jane@example.com",
        });
    }
}
With IAM Conditions:
using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        var cryptoKey = new Gcp.Kms.CryptoKeyIAMMember("cryptoKey", new Gcp.Kms.CryptoKeyIAMMemberArgs
        {
            // Placeholder: ID of an existing CryptoKey.
            CryptoKeyId = "your-crypto-key-id",
            Role = "roles/cloudkms.cryptoKeyEncrypter",
            Member = "user:jane@example.com",
            Condition = new Gcp.Kms.Inputs.CryptoKeyIAMMemberConditionArgs
            {
                Title = "expires_after_2019_12_31",
                Description = "Expiring at midnight of 2019-12-31",
                Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
            },
        });
    }
}
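The difference between the authoritative and non-authoritative resources described above, and the conflict the two notes warn about, can be seen in a local model. This is an added example, not part of the original documentation and not provider code: it makes no GCP calls, the names `IamModel`, `ApplyPolicy`, `ApplyBinding` and `ApplyMember` are hypothetical, and the starting policy with alice and bob is constructed sample data. The KeyRing IAM resources follow the same semantics.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Policy = System.Collections.Generic.Dictionary<string, System.Collections.Generic.HashSet<string>>;

// Local model only: an IAM policy is a map of role -> members.
static class IamModel
{
    static Policy Copy(Policy p) =>
        p.ToDictionary(kv => kv.Key, kv => new HashSet<string>(kv.Value));

    // CryptoKeyIAMPolicy: authoritative for the whole policy; anything not declared is dropped.
    public static Policy ApplyPolicy(Policy current, Policy desired) => Copy(desired);

    // CryptoKeyIAMBinding: authoritative for one role; other roles are preserved.
    public static Policy ApplyBinding(Policy current, string role, params string[] members)
    {
        var next = Copy(current);
        next[role] = new HashSet<string>(members);
        return next;
    }

    // CryptoKeyIAMMember: non-authoritative; adds one member and keeps the rest.
    public static Policy ApplyMember(Policy current, string role, string member)
    {
        var next = Copy(current);
        if (!next.TryGetValue(role, out var set))
        {
            set = new HashSet<string>();
            next[role] = set;
        }
        set.Add(member);
        return next;
    }

    public static string Render(Policy p) =>
        string.Join("; ", p.OrderBy(kv => kv.Key, StringComparer.Ordinal)
            .Select(kv => kv.Key + "=[" +
                string.Join(", ", kv.Value.OrderBy(m => m, StringComparer.Ordinal)) + "]"));
}

static class Program
{
    const string Encrypter = "roles/cloudkms.cryptoKeyEncrypter";
    const string Decrypter = "roles/cloudkms.cryptoKeyDecrypter";
    const string Jane = "user:jane@example.com";
    const string Alice = "user:alice@example.com"; // constructed sample principal
    const string Bob = "user:bob@example.com";     // constructed sample principal

    static void Main()
    {
        // Constructed policy already attached to the key before Pulumi runs.
        var existing = new Policy
        {
            [Encrypter] = new HashSet<string> { Alice },
            [Decrypter] = new HashSet<string> { Bob },
        };

        // Member: jane is added; alice and bob keep their access.
        Console.WriteLine("Member : " + IamModel.Render(
            IamModel.ApplyMember(existing, Encrypter, Jane)));

        // Binding: alice loses the encrypter role; bob's decrypter role is untouched.
        Console.WriteLine("Binding: " + IamModel.Render(
            IamModel.ApplyBinding(existing, Encrypter, Jane)));

        // Policy: only what is declared survives; bob's decrypter role is removed too.
        var declared = new Policy { [Encrypter] = new HashSet<string> { Jane } };
        Console.WriteLine("Policy : " + IamModel.Render(
            IamModel.ApplyPolicy(existing, declared)));

        // Binding and Member on the same role: the outcome depends on which was
        // applied last, so alice's access flips between updates.
        var memberLast = IamModel.ApplyMember(
            IamModel.ApplyBinding(existing, Encrypter, Jane), Encrypter, Alice);
        var bindingLast = IamModel.ApplyBinding(
            IamModel.ApplyMember(existing, Encrypter, Alice), Encrypter, Jane);
        Console.WriteLine("Member last : " + IamModel.Render(memberLast));
        Console.WriteLine("Binding last: " + IamModel.Render(bindingLast));
    }
}
```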
CryptoKeyIAMBindingArgs
CryptoKeyIAMBindingState
CryptoKeyIAMMember
CryptoKeyIAMMemberArgs
CryptoKeyIAMMemberState
CryptoKeyIAMPolicy
CryptoKeyIAMPolicyArgs
CryptoKeyIAMPolicyState
CryptoKeyState
GetKMSCryptoKey
GetKMSCryptoKeyArgs
GetKMSCryptoKeyResult
GetKMSCryptoKeyVersion
GetKMSCryptoKeyVersionArgs
GetKMSCryptoKeyVersionResult
GetKMSKeyRing
GetKMSKeyRingArgs
GetKMSKeyRingResult
GetKMSSecret
GetKMSSecretArgs
GetKMSSecretCiphertext
GetKMSSecretCiphertextArgs
GetKMSSecretCiphertextResult
GetKMSSecretResult
KeyRing
A KeyRing is a top-level logical grouping of CryptoKeys.
Note: KeyRings cannot be deleted from Google Cloud Platform. Destroying a provider-managed KeyRing will remove it from state but will not delete the resource on the server.
To get more information about KeyRing, see:
- API documentation
- How-to Guides
- Creating a key ring
Example Usage - Kms Key Ring Basic
using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        var example_keyring = new Gcp.Kms.KeyRing("example-keyring", new Gcp.Kms.KeyRingArgs
        {
            Location = "global",
        });
    }
}
KeyRingArgs
KeyRingIAMBinding
Three different resources help you manage your IAM policy for a KMS key ring. Each of these resources serves a different use case:
- gcp.kms.KeyRingIAMPolicy: Authoritative. Sets the IAM policy for the key ring and replaces any existing policy already attached.
- gcp.kms.KeyRingIAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the key ring are preserved.
- gcp.kms.KeyRingIAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the key ring are preserved.
Note: gcp.kms.KeyRingIAMPolicy cannot be used in conjunction with gcp.kms.KeyRingIAMBinding and gcp.kms.KeyRingIAMMember or they will fight over what your policy should be.
Note: gcp.kms.KeyRingIAMBinding resources can be used in conjunction with gcp.kms.KeyRingIAMMember resources only if they do not grant privilege to the same role.
google_kms_key_ring_iam_policy
using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        var keyring = new Gcp.Kms.KeyRing("keyring", new Gcp.Kms.KeyRingArgs
        {
            Location = "global",
        });
        // Build the policy document that will become the key ring's entire IAM policy.
        var admin = Output.Create(Gcp.Organizations.GetIAMPolicy.InvokeAsync(new Gcp.Organizations.GetIAMPolicyArgs
        {
            Bindings =
            {
                new Gcp.Organizations.Inputs.GetIAMPolicyBindingArgs
                {
                    Role = "roles/editor",
                    Members =
                    {
                        "user:jane@example.com",
                    },
                },
            },
        }));
        // Authoritative: replaces any policy already attached to the key ring.
        var keyRing = new Gcp.Kms.KeyRingIAMPolicy("keyRing", new Gcp.Kms.KeyRingIAMPolicyArgs
        {
            KeyRingId = keyring.Id,
            PolicyData = admin.Apply(admin => admin.PolicyData),
        });
    }
}
With IAM Conditions:
using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        var keyring = new Gcp.Kms.KeyRing("keyring", new Gcp.Kms.KeyRingArgs
        {
            Location = "global",
        });
        // Same policy document as above, with a condition that expires the grant.
        var admin = Output.Create(Gcp.Organizations.GetIAMPolicy.InvokeAsync(new Gcp.Organizations.GetIAMPolicyArgs
        {
            Bindings =
            {
                new Gcp.Organizations.Inputs.GetIAMPolicyBindingArgs
                {
                    Role = "roles/editor",
                    Members =
                    {
                        "user:jane@example.com",
                    },
                    Condition = new Gcp.Organizations.Inputs.GetIAMPolicyBindingConditionArgs
                    {
                        Title = "expires_after_2019_12_31",
                        Description = "Expiring at midnight of 2019-12-31",
                        Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
                    },
                },
            },
        }));
        var keyRing = new Gcp.Kms.KeyRingIAMPolicy("keyRing", new Gcp.Kms.KeyRingIAMPolicyArgs
        {
            KeyRingId = keyring.Id,
            PolicyData = admin.Apply(admin => admin.PolicyData),
        });
    }
}
google_kms_key_ring_iam_binding
using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        var keyRing = new Gcp.Kms.KeyRingIAMBinding("keyRing", new Gcp.Kms.KeyRingIAMBindingArgs
        {
            KeyRingId = "your-key-ring-id",
            Members =
            {
                "user:jane@example.com",
            },
            Role = "roles/editor",
        });
    }
}
With IAM Conditions:
using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        var keyRing = new Gcp.Kms.KeyRingIAMBinding("keyRing", new Gcp.Kms.KeyRingIAMBindingArgs
        {
            Condition = new Gcp.Kms.Inputs.KeyRingIAMBindingConditionArgs
            {
                Description = "Expiring at midnight of 2019-12-31",
                Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
                Title = "expires_after_2019_12_31",
            },
            KeyRingId = "your-key-ring-id",
            Members =
            {
                "user:jane@example.com",
            },
            Role = "roles/editor",
        });
    }
}
google_kms_key_ring_iam_member
using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        var keyRing = new Gcp.Kms.KeyRingIAMMember("keyRing", new Gcp.Kms.KeyRingIAMMemberArgs
        {
            KeyRingId = "your-key-ring-id",
            Member = "user:jane@example.com",
            Role = "roles/editor",
        });
    }
}
With IAM Conditions:
using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        var keyRing = new Gcp.Kms.KeyRingIAMMember("keyRing", new Gcp.Kms.KeyRingIAMMemberArgs
        {
            Condition = new Gcp.Kms.Inputs.KeyRingIAMMemberConditionArgs
            {
                Description = "Expiring at midnight of 2019-12-31",
                Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
                Title = "expires_after_2019_12_31",
            },
            KeyRingId = "your-key-ring-id",
            Member = "user:jane@example.com",
            Role = "roles/editor",
        });
    }
}
KeyRingIAMBindingArgs
KeyRingIAMBindingState
KeyRingIAMMember
KeyRingIAMMemberArgs
KeyRingIAMMemberState
KeyRingIAMPolicy
KeyRingIAMPolicyArgs
KeyRingIAMPolicyState
KeyRingState
Registry
A Google Cloud IoT Core device registry.
To get more information about DeviceRegistry, see:
- API documentation
- How-to Guides
- Official Documentation
Example Usage - Cloudiot Device Registry Basic
using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        var test_registry = new Gcp.Iot.Registry("test-registry", new Gcp.Iot.RegistryArgs
        {
        });
    }
}
RegistryArgs
RegistryState
SecretCiphertext
Encrypts secret data with Google Cloud KMS and provides access to the ciphertext.
NOTE: Using this resource will allow you to conceal secret data within your resource definitions, but it does not take care of protecting that data in the logging output, plan output, or state output. Please take care to secure your secret data outside of resource definitions.
To get more information about SecretCiphertext, see:
Warning: All arguments including plaintext and additional_authenticated_data will be stored in the raw state as plain-text. Read more about secrets in state.