1. Docs
  2. Reference
  3. API
  4. pulumi_gcp
  5. kms

This page documents the language specification for the gcp package. If you're looking for help working with the inputs, outputs, or functions of gcp resources in a Pulumi program, please see the resource documentation for examples and API reference.

kms

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-gcp repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-google repo.

class pulumi_gcp.kms.AwaitableGetKMSCryptoKeyResult(id=None, key_ring=None, labels=None, name=None, purpose=None, rotation_period=None, self_link=None, version_templates=None)
class pulumi_gcp.kms.AwaitableGetKMSCryptoKeyVersionResult(algorithm=None, crypto_key=None, id=None, protection_level=None, public_key=None, state=None, version=None)
class pulumi_gcp.kms.AwaitableGetKMSKeyRingResult(id=None, location=None, name=None, project=None, self_link=None)
class pulumi_gcp.kms.AwaitableGetKMSSecretCiphertextResult(ciphertext=None, crypto_key=None, id=None, plaintext=None)
class pulumi_gcp.kms.AwaitableGetKMSSecretResult(additional_authenticated_data=None, ciphertext=None, crypto_key=None, id=None, plaintext=None)
class pulumi_gcp.kms.CryptoKey(resource_name, opts=None, key_ring=None, labels=None, name=None, purpose=None, rotation_period=None, version_template=None, __props__=None, __name__=None, __opts__=None)

A CryptoKey represents a logical key that can be used for cryptographic operations.

Note: CryptoKeys cannot be deleted from Google Cloud Platform. Destroying a provider-managed CryptoKey will remove it from state and delete all CryptoKeyVersions, rendering the key unusable, but will not delete the resource on the server. When the provider destroys these keys, any data previously encrypted with these keys will be irrecoverable. For this reason, it is strongly recommended that you add lifecycle hooks to the resource to prevent accidental destruction.

To get more information about CryptoKey, see:

import pulumi
import pulumi_gcp as gcp

keyring = gcp.kms.KeyRing("keyring", location="global")
example_key = gcp.kms.CryptoKey("example-key",
    key_ring=keyring.id,
    rotation_period="100000s")

import pulumi
import pulumi_gcp as gcp

keyring = gcp.kms.KeyRing("keyring", location="global")
example_asymmetric_sign_key = gcp.kms.CryptoKey("example-asymmetric-sign-key",
    key_ring=keyring.id,
    purpose="ASYMMETRIC_SIGN",
    version_template={
        "algorithm": "EC_SIGN_P384_SHA384",
    })
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • key_ring (pulumi.Input[str]) – The KeyRing that this key belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.

  • labels (pulumi.Input[dict]) – Labels with user-defined metadata to apply to this resource.

  • name (pulumi.Input[str]) – The resource name for the CryptoKey.

  • purpose (pulumi.Input[str]) – The immutable purpose of this CryptoKey. See the purpose reference for possible inputs.

  • rotation_period (pulumi.Input[str]) – Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (ie, 86400).

  • version_template (pulumi.Input[dict]) – A template describing settings for new crypto key versions. Structure is documented below.

The version_template object supports the following:

  • algorithm (pulumi.Input[str]) - The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.

  • protectionLevel (pulumi.Input[str]) - The protection level to use when creating a version based on this template.

key_ring: pulumi.Output[str] = None

The KeyRing that this key belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.

labels: pulumi.Output[dict] = None

Labels with user-defined metadata to apply to this resource.

name: pulumi.Output[str] = None

The resource name for the CryptoKey.

purpose: pulumi.Output[str] = None

The immutable purpose of this CryptoKey. See the purpose reference for possible inputs.

rotation_period: pulumi.Output[str] = None

Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (ie, 86400).

version_template: pulumi.Output[dict] = None

A template describing settings for new crypto key versions. Structure is documented below.

  • algorithm (str) - The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.

  • protectionLevel (str) - The protection level to use when creating a version based on this template.

static get(resource_name, id, opts=None, key_ring=None, labels=None, name=None, purpose=None, rotation_period=None, self_link=None, version_template=None)

Get an existing CryptoKey resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • key_ring (pulumi.Input[str]) – The KeyRing that this key belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.

  • labels (pulumi.Input[dict]) – Labels with user-defined metadata to apply to this resource.

  • name (pulumi.Input[str]) – The resource name for the CryptoKey.

  • purpose (pulumi.Input[str]) –

    The immutable purpose of this CryptoKey. See the purpose reference for possible inputs.

  • rotation_period (pulumi.Input[str]) – Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (ie, 86400).

  • version_template (pulumi.Input[dict]) – A template describing settings for new crypto key versions. Structure is documented below.

The version_template object supports the following:

  • algorithm (pulumi.Input[str]) - The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.

  • protectionLevel (pulumi.Input[str]) - The protection level to use when creating a version based on this template.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.kms.CryptoKeyIAMBinding(resource_name, opts=None, condition=None, crypto_key_id=None, members=None, role=None, __props__=None, __name__=None, __opts__=None)

Three different resources help you manage your IAM policy for KMS crypto key. Each of these resources serves a different use case:

  • kms.CryptoKeyIAMPolicy: Authoritative. Sets the IAM policy for the crypto key and replaces any existing policy already attached.

  • kms.CryptoKeyIAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the crypto key are preserved.

  • kms.CryptoKeyIAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the crypto key are preserved.

Note: kms.CryptoKeyIAMPolicy cannot be used in conjunction with kms.CryptoKeyIAMBinding and kms.CryptoKeyIAMMember or they will fight over what your policy should be.

Note: kms.CryptoKeyIAMBinding resources can be used in conjunction with kms.CryptoKeyIAMMember resources only if they do not grant privilege to the same role.

import pulumi
import pulumi_gcp as gcp

keyring = gcp.kms.KeyRing("keyring", location="global")
key = gcp.kms.CryptoKey("key",
    key_ring=keyring.id,
    rotation_period="100000s")
admin = gcp.organizations.get_iam_policy(binding=[{
    "role": "roles/cloudkms.cryptoKeyEncrypter",
    "members": ["user:jane@example.com"],
}])
crypto_key = gcp.kms.CryptoKeyIAMPolicy("cryptoKey",
    crypto_key_id=key.id,
    policy_data=admin.policy_data)

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(bindings=[{
    "condition": {
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
        "title": "expires_after_2019_12_31",
    },
    "members": ["user:jane@example.com"],
    "role": "roles/cloudkms.cryptoKeyEncrypter",
}])

import pulumi
import pulumi_gcp as gcp

crypto_key = gcp.kms.CryptoKeyIAMBinding("cryptoKey",
    crypto_key_id=google_kms_crypto_key["key"]["id"],
    role="roles/cloudkms.cryptoKeyEncrypter",
    members=["user:jane@example.com"])

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

crypto_key = gcp.kms.CryptoKeyIAMBinding("cryptoKey",
    crypto_key_id=google_kms_crypto_key["key"]["id"],
    role="roles/cloudkms.cryptoKeyEncrypter",
    members=["user:jane@example.com"],
    condition={
        "title": "expires_after_2019_12_31",
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
    })

import pulumi
import pulumi_gcp as gcp

crypto_key = gcp.kms.CryptoKeyIAMMember("cryptoKey",
    crypto_key_id=google_kms_crypto_key["key"]["id"],
    role="roles/cloudkms.cryptoKeyEncrypter",
    member="user:jane@example.com")

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

crypto_key = gcp.kms.CryptoKeyIAMMember("cryptoKey",
    crypto_key_id=google_kms_crypto_key["key"]["id"],
    role="roles/cloudkms.cryptoKeyEncrypter",
    member="user:jane@example.com",
    condition={
        "title": "expires_after_2019_12_31",
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
    })
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • condition (pulumi.Input[dict]) – An IAM Condition for a given binding. Structure is documented below.

  • crypto_key_id (pulumi.Input[str]) – The crypto key ID, in the form {project_id}/{location_name}/{key_ring_name}/{crypto_key_name} or {location_name}/{key_ring_name}/{crypto_key_name}. In the second form, the provider’s project setting will be used as a fallback.

  • role (pulumi.Input[str]) – The role that should be applied. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

The condition object supports the following:

  • description (pulumi.Input[str]) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

  • expression (pulumi.Input[str]) - Textual representation of an expression in Common Expression Language syntax.

  • title (pulumi.Input[str]) - A title for the expression, i.e. a short string describing its purpose.

condition: pulumi.Output[dict] = None

An IAM Condition for a given binding. Structure is documented below.

  • description (str) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

  • expression (str) - Textual representation of an expression in Common Expression Language syntax.

  • title (str) - A title for the expression, i.e. a short string describing its purpose.

crypto_key_id: pulumi.Output[str] = None

The crypto key ID, in the form {project_id}/{location_name}/{key_ring_name}/{crypto_key_name} or {location_name}/{key_ring_name}/{crypto_key_name}. In the second form, the provider’s project setting will be used as a fallback.

etag: pulumi.Output[str] = None

(Computed) The etag of the project’s IAM policy.

role: pulumi.Output[str] = None

The role that should be applied. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

static get(resource_name, id, opts=None, condition=None, crypto_key_id=None, etag=None, members=None, role=None)

Get an existing CryptoKeyIAMBinding resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • condition (pulumi.Input[dict]) –

    An IAM Condition for a given binding. Structure is documented below.

  • crypto_key_id (pulumi.Input[str]) – The crypto key ID, in the form {project_id}/{location_name}/{key_ring_name}/{crypto_key_name} or {location_name}/{key_ring_name}/{crypto_key_name}. In the second form, the provider’s project setting will be used as a fallback.

  • etag (pulumi.Input[str]) – (Computed) The etag of the project’s IAM policy.

  • role (pulumi.Input[str]) – The role that should be applied. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

The condition object supports the following:

  • description (pulumi.Input[str]) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

  • expression (pulumi.Input[str]) - Textual representation of an expression in Common Expression Language syntax.

  • title (pulumi.Input[str]) - A title for the expression, i.e. a short string describing its purpose.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.kms.CryptoKeyIAMMember(resource_name, opts=None, condition=None, crypto_key_id=None, member=None, role=None, __props__=None, __name__=None, __opts__=None)

Three different resources help you manage your IAM policy for KMS crypto key. Each of these resources serves a different use case:

  • kms.CryptoKeyIAMPolicy: Authoritative. Sets the IAM policy for the crypto key and replaces any existing policy already attached.

  • kms.CryptoKeyIAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the crypto key are preserved.

  • kms.CryptoKeyIAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the crypto key are preserved.

Note: kms.CryptoKeyIAMPolicy cannot be used in conjunction with kms.CryptoKeyIAMBinding and kms.CryptoKeyIAMMember or they will fight over what your policy should be.

Note: kms.CryptoKeyIAMBinding resources can be used in conjunction with kms.CryptoKeyIAMMember resources only if they do not grant privilege to the same role.

import pulumi
import pulumi_gcp as gcp

keyring = gcp.kms.KeyRing("keyring", location="global")
key = gcp.kms.CryptoKey("key",
    key_ring=keyring.id,
    rotation_period="100000s")
admin = gcp.organizations.get_iam_policy(binding=[{
    "role": "roles/cloudkms.cryptoKeyEncrypter",
    "members": ["user:jane@example.com"],
}])
crypto_key = gcp.kms.CryptoKeyIAMPolicy("cryptoKey",
    crypto_key_id=key.id,
    policy_data=admin.policy_data)

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(bindings=[{
    "condition": {
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
        "title": "expires_after_2019_12_31",
    },
    "members": ["user:jane@example.com"],
    "role": "roles/cloudkms.cryptoKeyEncrypter",
}])

import pulumi
import pulumi_gcp as gcp

crypto_key = gcp.kms.CryptoKeyIAMBinding("cryptoKey",
    crypto_key_id=google_kms_crypto_key["key"]["id"],
    role="roles/cloudkms.cryptoKeyEncrypter",
    members=["user:jane@example.com"])

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

crypto_key = gcp.kms.CryptoKeyIAMBinding("cryptoKey",
    crypto_key_id=google_kms_crypto_key["key"]["id"],
    role="roles/cloudkms.cryptoKeyEncrypter",
    members=["user:jane@example.com"],
    condition={
        "title": "expires_after_2019_12_31",
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
    })

import pulumi
import pulumi_gcp as gcp

crypto_key = gcp.kms.CryptoKeyIAMMember("cryptoKey",
    crypto_key_id=google_kms_crypto_key["key"]["id"],
    role="roles/cloudkms.cryptoKeyEncrypter",
    member="user:jane@example.com")

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

crypto_key = gcp.kms.CryptoKeyIAMMember("cryptoKey",
    crypto_key_id=google_kms_crypto_key["key"]["id"],
    role="roles/cloudkms.cryptoKeyEncrypter",
    member="user:jane@example.com",
    condition={
        "title": "expires_after_2019_12_31",
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
    })
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • condition (pulumi.Input[dict]) –

    An IAM Condition for a given binding. Structure is documented below.

  • crypto_key_id (pulumi.Input[str]) – The crypto key ID, in the form {project_id}/{location_name}/{key_ring_name}/{crypto_key_name} or {location_name}/{key_ring_name}/{crypto_key_name}. In the second form, the provider’s project setting will be used as a fallback.

  • role (pulumi.Input[str]) – The role that should be applied. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

The condition object supports the following:

  • description (pulumi.Input[str]) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

  • expression (pulumi.Input[str]) - Textual representation of an expression in Common Expression Language syntax.

  • title (pulumi.Input[str]) - A title for the expression, i.e. a short string describing its purpose.

condition: pulumi.Output[dict] = None

An IAM Condition for a given binding. Structure is documented below.

  • description (str) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

  • expression (str) - Textual representation of an expression in Common Expression Language syntax.

  • title (str) - A title for the expression, i.e. a short string describing its purpose.

crypto_key_id: pulumi.Output[str] = None

The crypto key ID, in the form {project_id}/{location_name}/{key_ring_name}/{crypto_key_name} or {location_name}/{key_ring_name}/{crypto_key_name}. In the second form, the provider’s project setting will be used as a fallback.

etag: pulumi.Output[str] = None

(Computed) The etag of the project’s IAM policy.

role: pulumi.Output[str] = None

The role that should be applied. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

static get(resource_name, id, opts=None, condition=None, crypto_key_id=None, etag=None, member=None, role=None)

Get an existing CryptoKeyIAMMember resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • condition (pulumi.Input[dict]) –

    An IAM Condition for a given binding. Structure is documented below.

  • crypto_key_id (pulumi.Input[str]) – The crypto key ID, in the form {project_id}/{location_name}/{key_ring_name}/{crypto_key_name} or {location_name}/{key_ring_name}/{crypto_key_name}. In the second form, the provider’s project setting will be used as a fallback.

  • etag (pulumi.Input[str]) – (Computed) The etag of the project’s IAM policy.

  • role (pulumi.Input[str]) – The role that should be applied. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

The condition object supports the following:

  • description (pulumi.Input[str]) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

  • expression (pulumi.Input[str]) - Textual representation of an expression in Common Expression Language syntax.

  • title (pulumi.Input[str]) - A title for the expression, i.e. a short string describing its purpose.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.kms.CryptoKeyIAMPolicy(resource_name, opts=None, crypto_key_id=None, policy_data=None, __props__=None, __name__=None, __opts__=None)

Three different resources help you manage your IAM policy for KMS crypto key. Each of these resources serves a different use case:

  • kms.CryptoKeyIAMPolicy: Authoritative. Sets the IAM policy for the crypto key and replaces any existing policy already attached.

  • kms.CryptoKeyIAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the crypto key are preserved.

  • kms.CryptoKeyIAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the crypto key are preserved.

Note: kms.CryptoKeyIAMPolicy cannot be used in conjunction with kms.CryptoKeyIAMBinding and kms.CryptoKeyIAMMember or they will fight over what your policy should be.

Note: kms.CryptoKeyIAMBinding resources can be used in conjunction with kms.CryptoKeyIAMMember resources only if they do not grant privilege to the same role.

import pulumi
import pulumi_gcp as gcp

keyring = gcp.kms.KeyRing("keyring", location="global")
key = gcp.kms.CryptoKey("key",
    key_ring=keyring.id,
    rotation_period="100000s")
admin = gcp.organizations.get_iam_policy(binding=[{
    "role": "roles/cloudkms.cryptoKeyEncrypter",
    "members": ["user:jane@example.com"],
}])
crypto_key = gcp.kms.CryptoKeyIAMPolicy("cryptoKey",
    crypto_key_id=key.id,
    policy_data=admin.policy_data)

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(bindings=[{
    "condition": {
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
        "title": "expires_after_2019_12_31",
    },
    "members": ["user:jane@example.com"],
    "role": "roles/cloudkms.cryptoKeyEncrypter",
}])

import pulumi
import pulumi_gcp as gcp

crypto_key = gcp.kms.CryptoKeyIAMBinding("cryptoKey",
    crypto_key_id=google_kms_crypto_key["key"]["id"],
    role="roles/cloudkms.cryptoKeyEncrypter",
    members=["user:jane@example.com"])

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

crypto_key = gcp.kms.CryptoKeyIAMBinding("cryptoKey",
    crypto_key_id=google_kms_crypto_key["key"]["id"],
    role="roles/cloudkms.cryptoKeyEncrypter",
    members=["user:jane@example.com"],
    condition={
        "title": "expires_after_2019_12_31",
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
    })

import pulumi
import pulumi_gcp as gcp

crypto_key = gcp.kms.CryptoKeyIAMMember("cryptoKey",
    crypto_key_id=google_kms_crypto_key["key"]["id"],
    role="roles/cloudkms.cryptoKeyEncrypter",
    member="user:jane@example.com")

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

crypto_key = gcp.kms.CryptoKeyIAMMember("cryptoKey",
    crypto_key_id=google_kms_crypto_key["key"]["id"],
    role="roles/cloudkms.cryptoKeyEncrypter",
    member="user:jane@example.com",
    condition={
        "title": "expires_after_2019_12_31",
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
    })
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • crypto_key_id (pulumi.Input[str]) – The crypto key ID, in the form {project_id}/{location_name}/{key_ring_name}/{crypto_key_name} or {location_name}/{key_ring_name}/{crypto_key_name}. In the second form, the provider’s project setting will be used as a fallback.

  • policy_data (pulumi.Input[str]) – The policy data generated by a organizations.getIAMPolicy data source.

crypto_key_id: pulumi.Output[str] = None

The crypto key ID, in the form {project_id}/{location_name}/{key_ring_name}/{crypto_key_name} or {location_name}/{key_ring_name}/{crypto_key_name}. In the second form, the provider’s project setting will be used as a fallback.

etag: pulumi.Output[str] = None

(Computed) The etag of the project’s IAM policy.

policy_data: pulumi.Output[str] = None

The policy data generated by a organizations.getIAMPolicy data source.

static get(resource_name, id, opts=None, crypto_key_id=None, etag=None, policy_data=None)

Get an existing CryptoKeyIAMPolicy resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • crypto_key_id (pulumi.Input[str]) – The crypto key ID, in the form {project_id}/{location_name}/{key_ring_name}/{crypto_key_name} or {location_name}/{key_ring_name}/{crypto_key_name}. In the second form, the provider’s project setting will be used as a fallback.

  • etag (pulumi.Input[str]) – (Computed) The etag of the project’s IAM policy.

  • policy_data (pulumi.Input[str]) – The policy data generated by a organizations.getIAMPolicy data source.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.kms.GetKMSCryptoKeyResult(id=None, key_ring=None, labels=None, name=None, purpose=None, rotation_period=None, self_link=None, version_templates=None)

A collection of values returned by getKMSCryptoKey.

id = None

The provider-assigned unique ID for this managed resource.

purpose = None

Defines the cryptographic capabilities of the key.

rotation_period = None

Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds).

The self link of the created CryptoKey. Its format is projects/{projectId}/locations/{location}/keyRings/{keyRingName}/cryptoKeys/{cryptoKeyName}.

class pulumi_gcp.kms.GetKMSCryptoKeyVersionResult(algorithm=None, crypto_key=None, id=None, protection_level=None, public_key=None, state=None, version=None)

A collection of values returned by getKMSCryptoKeyVersion.

algorithm = None

The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.

id = None

The provider-assigned unique ID for this managed resource.

protection_level = None

The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion. See the protection_level reference for possible outputs.

public_key = None

If the enclosing CryptoKey has purpose ASYMMETRIC_SIGN or ASYMMETRIC_DECRYPT, this block contains details about the public key associated to this CryptoKeyVersion. Structure is documented below.

state = None

The current state of the CryptoKeyVersion. See the state reference for possible outputs.

class pulumi_gcp.kms.GetKMSKeyRingResult(id=None, location=None, name=None, project=None, self_link=None)

A collection of values returned by getKMSKeyRing.

id = None

The provider-assigned unique ID for this managed resource.

The self link of the created KeyRing. Its format is projects/{projectId}/locations/{location}/keyRings/{keyRingName}.

class pulumi_gcp.kms.GetKMSSecretCiphertextResult(ciphertext=None, crypto_key=None, id=None, plaintext=None)

A collection of values returned by getKMSSecretCiphertext.

ciphertext = None

Contains the result of encrypting the provided plaintext, encoded in base64.

id = None

The provider-assigned unique ID for this managed resource.

class pulumi_gcp.kms.GetKMSSecretResult(additional_authenticated_data=None, ciphertext=None, crypto_key=None, id=None, plaintext=None)

A collection of values returned by getKMSSecret.

id = None

The provider-assigned unique ID for this managed resource.

plaintext = None

Contains the result of decrypting the provided ciphertext.

class pulumi_gcp.kms.KeyRing(resource_name, opts=None, location=None, name=None, project=None, __props__=None, __name__=None, __opts__=None)

A KeyRing is a toplevel logical grouping of CryptoKeys.

Note: KeyRings cannot be deleted from Google Cloud Platform. Destroying a provider-managed KeyRing will remove it from state but will not delete the resource on the server.

To get more information about KeyRing, see:

import pulumi
import pulumi_gcp as gcp

example_keyring = gcp.kms.KeyRing("example-keyring", location="global")
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • location (pulumi.Input[str]) – The location for the KeyRing. A full list of valid locations can be found by running gcloud kms locations list.

  • name (pulumi.Input[str]) – The resource name for the KeyRing.

  • project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

location: pulumi.Output[str] = None

The location for the KeyRing. A full list of valid locations can be found by running gcloud kms locations list.

name: pulumi.Output[str] = None

The resource name for the KeyRing.

project: pulumi.Output[str] = None

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

static get(resource_name, id, opts=None, location=None, name=None, project=None, self_link=None)

Get an existing KeyRing resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • location (pulumi.Input[str]) – The location for the KeyRing. A full list of valid locations can be found by running gcloud kms locations list.

  • name (pulumi.Input[str]) – The resource name for the KeyRing.

  • project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.kms.KeyRingIAMBinding(resource_name, opts=None, condition=None, key_ring_id=None, members=None, role=None, __props__=None, __name__=None, __opts__=None)

Three different resources help you manage your IAM policy for KMS key ring. Each of these resources serves a different use case:

  • kms.KeyRingIAMPolicy: Authoritative. Sets the IAM policy for the key ring and replaces any existing policy already attached.

  • kms.KeyRingIAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the key ring are preserved.

  • kms.KeyRingIAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the key ring are preserved.

Note: kms.KeyRingIAMPolicy cannot be used in conjunction with kms.KeyRingIAMBinding and kms.KeyRingIAMMember or they will fight over what your policy should be.

Note: kms.KeyRingIAMBinding resources can be used in conjunction with kms.KeyRingIAMMember resources only if they do not grant privilege to the same role.

import pulumi
import pulumi_gcp as gcp

keyring = gcp.kms.KeyRing("keyring", location="global")
admin = gcp.organizations.get_iam_policy(binding=[{
    "role": "roles/editor",
    "members": ["user:jane@example.com"],
}])
key_ring = gcp.kms.KeyRingIAMPolicy("keyRing",
    key_ring_id=keyring.id,
    policy_data=admin.policy_data)

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

keyring = gcp.kms.KeyRing("keyring", location="global")
admin = gcp.organizations.get_iam_policy(binding=[{
    "role": "roles/editor",
    "members": ["user:jane@example.com"],
    "condition": {
        "title": "expires_after_2019_12_31",
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
    },
}])
key_ring = gcp.kms.KeyRingIAMPolicy("keyRing",
    key_ring_id=keyring.id,
    policy_data=admin.policy_data)

import pulumi
import pulumi_gcp as gcp

key_ring = gcp.kms.KeyRingIAMBinding("keyRing",
    key_ring_id="your-key-ring-id",
    members=["user:jane@example.com"],
    role="roles/editor")

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

key_ring = gcp.kms.KeyRingIAMBinding("keyRing",
    condition={
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
        "title": "expires_after_2019_12_31",
    },
    key_ring_id="your-key-ring-id",
    members=["user:jane@example.com"],
    role="roles/editor")

import pulumi
import pulumi_gcp as gcp

key_ring = gcp.kms.KeyRingIAMMember("keyRing",
    key_ring_id="your-key-ring-id",
    member="user:jane@example.com",
    role="roles/editor")

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

key_ring = gcp.kms.KeyRingIAMMember("keyRing",
    condition={
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
        "title": "expires_after_2019_12_31",
    },
    key_ring_id="your-key-ring-id",
    member="user:jane@example.com",
    role="roles/editor")
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • condition (pulumi.Input[dict]) –

    An IAM Condition for a given binding. Structure is documented below.

  • key_ring_id (pulumi.Input[str]) – The key ring ID, in the form {project_id}/{location_name}/{key_ring_name} or {location_name}/{key_ring_name}. In the second form, the provider’s project setting will be used as a fallback.

  • role (pulumi.Input[str]) – The role that should be applied. Only one kms.KeyRingIAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

The condition object supports the following:

  • description (pulumi.Input[str]) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

  • expression (pulumi.Input[str]) - Textual representation of an expression in Common Expression Language syntax.

  • title (pulumi.Input[str]) - A title for the expression, i.e. a short string describing its purpose.

condition: pulumi.Output[dict] = None

An IAM Condition for a given binding. Structure is documented below.

  • description (str) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

  • expression (str) - Textual representation of an expression in Common Expression Language syntax.

  • title (str) - A title for the expression, i.e. a short string describing its purpose.

etag: pulumi.Output[str] = None

(Computed) The etag of the key ring’s IAM policy.

key_ring_id: pulumi.Output[str] = None

The key ring ID, in the form {project_id}/{location_name}/{key_ring_name} or {location_name}/{key_ring_name}. In the second form, the provider’s project setting will be used as a fallback.

role: pulumi.Output[str] = None

The role that should be applied. Only one kms.KeyRingIAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

static get(resource_name, id, opts=None, condition=None, etag=None, key_ring_id=None, members=None, role=None)

Get an existing KeyRingIAMBinding resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • condition (pulumi.Input[dict]) –

    An IAM Condition for a given binding. Structure is documented below.

  • etag (pulumi.Input[str]) – (Computed) The etag of the key ring’s IAM policy.

  • key_ring_id (pulumi.Input[str]) – The key ring ID, in the form {project_id}/{location_name}/{key_ring_name} or {location_name}/{key_ring_name}. In the second form, the provider’s project setting will be used as a fallback.

  • role (pulumi.Input[str]) – The role that should be applied. Only one kms.KeyRingIAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

The condition object supports the following:

  • description (pulumi.Input[str]) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

  • expression (pulumi.Input[str]) - Textual representation of an expression in Common Expression Language syntax.

  • title (pulumi.Input[str]) - A title for the expression, i.e. a short string describing its purpose.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.kms.KeyRingIAMMember(resource_name, opts=None, condition=None, key_ring_id=None, member=None, role=None, __props__=None, __name__=None, __opts__=None)

Three different resources help you manage your IAM policy for KMS key ring. Each of these resources serves a different use case:

  • kms.KeyRingIAMPolicy: Authoritative. Sets the IAM policy for the key ring and replaces any existing policy already attached.

  • kms.KeyRingIAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the key ring are preserved.

  • kms.KeyRingIAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the key ring are preserved.

Note: kms.KeyRingIAMPolicy cannot be used in conjunction with kms.KeyRingIAMBinding and kms.KeyRingIAMMember or they will fight over what your policy should be.

Note: kms.KeyRingIAMBinding resources can be used in conjunction with kms.KeyRingIAMMember resources only if they do not grant privilege to the same role.

import pulumi
import pulumi_gcp as gcp

keyring = gcp.kms.KeyRing("keyring", location="global")
admin = gcp.organizations.get_iam_policy(binding=[{
    "role": "roles/editor",
    "members": ["user:jane@example.com"],
}])
key_ring = gcp.kms.KeyRingIAMPolicy("keyRing",
    key_ring_id=keyring.id,
    policy_data=admin.policy_data)

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

keyring = gcp.kms.KeyRing("keyring", location="global")
admin = gcp.organizations.get_iam_policy(binding=[{
    "role": "roles/editor",
    "members": ["user:jane@example.com"],
    "condition": {
        "title": "expires_after_2019_12_31",
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
    },
}])
key_ring = gcp.kms.KeyRingIAMPolicy("keyRing",
    key_ring_id=keyring.id,
    policy_data=admin.policy_data)

import pulumi
import pulumi_gcp as gcp

key_ring = gcp.kms.KeyRingIAMBinding("keyRing",
    key_ring_id="your-key-ring-id",
    members=["user:jane@example.com"],
    role="roles/editor")

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

key_ring = gcp.kms.KeyRingIAMBinding("keyRing",
    condition={
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
        "title": "expires_after_2019_12_31",
    },
    key_ring_id="your-key-ring-id",
    members=["user:jane@example.com"],
    role="roles/editor")

import pulumi
import pulumi_gcp as gcp

key_ring = gcp.kms.KeyRingIAMMember("keyRing",
    key_ring_id="your-key-ring-id",
    member="user:jane@example.com",
    role="roles/editor")

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

key_ring = gcp.kms.KeyRingIAMMember("keyRing",
    condition={
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
        "title": "expires_after_2019_12_31",
    },
    key_ring_id="your-key-ring-id",
    member="user:jane@example.com",
    role="roles/editor")
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • condition (pulumi.Input[dict]) –

    An IAM Condition for a given binding. Structure is documented below.

  • key_ring_id (pulumi.Input[str]) – The key ring ID, in the form {project_id}/{location_name}/{key_ring_name} or {location_name}/{key_ring_name}. In the second form, the provider’s project setting will be used as a fallback.

  • role (pulumi.Input[str]) – The role that should be applied. Only one kms.KeyRingIAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

The condition object supports the following:

  • description (pulumi.Input[str]) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

  • expression (pulumi.Input[str]) - Textual representation of an expression in Common Expression Language syntax.

  • title (pulumi.Input[str]) - A title for the expression, i.e. a short string describing its purpose.

condition: pulumi.Output[dict] = None

An IAM Condition for a given binding. Structure is documented below.

  • description (str) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

  • expression (str) - Textual representation of an expression in Common Expression Language syntax.

  • title (str) - A title for the expression, i.e. a short string describing its purpose.

etag: pulumi.Output[str] = None

(Computed) The etag of the key ring’s IAM policy.

key_ring_id: pulumi.Output[str] = None

The key ring ID, in the form {project_id}/{location_name}/{key_ring_name} or {location_name}/{key_ring_name}. In the second form, the provider’s project setting will be used as a fallback.

role: pulumi.Output[str] = None

The role that should be applied. Only one kms.KeyRingIAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

static get(resource_name, id, opts=None, condition=None, etag=None, key_ring_id=None, member=None, role=None)

Get an existing KeyRingIAMMember resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • condition (pulumi.Input[dict]) –

    An IAM Condition for a given binding. Structure is documented below.

  • etag (pulumi.Input[str]) – (Computed) The etag of the key ring’s IAM policy.

  • key_ring_id (pulumi.Input[str]) – The key ring ID, in the form {project_id}/{location_name}/{key_ring_name} or {location_name}/{key_ring_name}. In the second form, the provider’s project setting will be used as a fallback.

  • role (pulumi.Input[str]) – The role that should be applied. Only one kms.KeyRingIAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

The condition object supports the following:

  • description (pulumi.Input[str]) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

  • expression (pulumi.Input[str]) - Textual representation of an expression in Common Expression Language syntax.

  • title (pulumi.Input[str]) - A title for the expression, i.e. a short string describing its purpose.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.kms.KeyRingIAMPolicy(resource_name, opts=None, key_ring_id=None, policy_data=None, __props__=None, __name__=None, __opts__=None)

Three different resources help you manage your IAM policy for KMS key ring. Each of these resources serves a different use case:

  • kms.KeyRingIAMPolicy: Authoritative. Sets the IAM policy for the key ring and replaces any existing policy already attached.

  • kms.KeyRingIAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the key ring are preserved.

  • kms.KeyRingIAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the key ring are preserved.

Note: kms.KeyRingIAMPolicy cannot be used in conjunction with kms.KeyRingIAMBinding and kms.KeyRingIAMMember or they will fight over what your policy should be.

Note: kms.KeyRingIAMBinding resources can be used in conjunction with kms.KeyRingIAMMember resources only if they do not grant privilege to the same role.

import pulumi
import pulumi_gcp as gcp

keyring = gcp.kms.KeyRing("keyring", location="global")
admin = gcp.organizations.get_iam_policy(binding=[{
    "role": "roles/editor",
    "members": ["user:jane@example.com"],
}])
key_ring = gcp.kms.KeyRingIAMPolicy("keyRing",
    key_ring_id=keyring.id,
    policy_data=admin.policy_data)

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

keyring = gcp.kms.KeyRing("keyring", location="global")
admin = gcp.organizations.get_iam_policy(binding=[{
    "role": "roles/editor",
    "members": ["user:jane@example.com"],
    "condition": {
        "title": "expires_after_2019_12_31",
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
    },
}])
key_ring = gcp.kms.KeyRingIAMPolicy("keyRing",
    key_ring_id=keyring.id,
    policy_data=admin.policy_data)

import pulumi
import pulumi_gcp as gcp

key_ring = gcp.kms.KeyRingIAMBinding("keyRing",
    key_ring_id="your-key-ring-id",
    members=["user:jane@example.com"],
    role="roles/editor")

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

key_ring = gcp.kms.KeyRingIAMBinding("keyRing",
    condition={
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
        "title": "expires_after_2019_12_31",
    },
    key_ring_id="your-key-ring-id",
    members=["user:jane@example.com"],
    role="roles/editor")

import pulumi
import pulumi_gcp as gcp

key_ring = gcp.kms.KeyRingIAMMember("keyRing",
    key_ring_id="your-key-ring-id",
    member="user:jane@example.com",
    role="roles/editor")

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

key_ring = gcp.kms.KeyRingIAMMember("keyRing",
    condition={
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
        "title": "expires_after_2019_12_31",
    },
    key_ring_id="your-key-ring-id",
    member="user:jane@example.com",
    role="roles/editor")
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • key_ring_id (pulumi.Input[str]) – The key ring ID, in the form {project_id}/{location_name}/{key_ring_name} or {location_name}/{key_ring_name}. In the second form, the provider’s project setting will be used as a fallback.

  • policy_data (pulumi.Input[str]) – The policy data generated by a organizations.getIAMPolicy data source.

etag: pulumi.Output[str] = None

(Computed) The etag of the key ring’s IAM policy.

key_ring_id: pulumi.Output[str] = None

The key ring ID, in the form {project_id}/{location_name}/{key_ring_name} or {location_name}/{key_ring_name}. In the second form, the provider’s project setting will be used as a fallback.

policy_data: pulumi.Output[str] = None

The policy data generated by a organizations.getIAMPolicy data source.

static get(resource_name, id, opts=None, etag=None, key_ring_id=None, policy_data=None)

Get an existing KeyRingIAMPolicy resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • etag (pulumi.Input[str]) – (Computed) The etag of the key ring’s IAM policy.

  • key_ring_id (pulumi.Input[str]) – The key ring ID, in the form {project_id}/{location_name}/{key_ring_name} or {location_name}/{key_ring_name}. In the second form, the provider’s project setting will be used as a fallback.

  • policy_data (pulumi.Input[str]) – The policy data generated by a organizations.getIAMPolicy data source.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.kms.Registry(resource_name, opts=None, credentials=None, event_notification_configs=None, http_config=None, log_level=None, mqtt_config=None, name=None, project=None, region=None, state_notification_config=None, __props__=None, __name__=None, __opts__=None)

A Google Cloud IoT Core device registry.

To get more information about DeviceRegistry, see:

import pulumi
import pulumi_gcp as gcp

test_registry = gcp.iot.Registry("test-registry")

import pulumi
import pulumi_gcp as gcp

default_telemetry = gcp.pubsub.Topic("default-telemetry")
test_registry = gcp.iot.Registry("test-registry", event_notification_configs=[{
    "pubsub_topic_name": default_telemetry.id,
    "subfolderMatches": "",
}])

import pulumi
import pulumi_gcp as gcp

default_devicestatus = gcp.pubsub.Topic("default-devicestatus")
default_telemetry = gcp.pubsub.Topic("default-telemetry")
additional_telemetry = gcp.pubsub.Topic("additional-telemetry")
test_registry = gcp.iot.Registry("test-registry",
    event_notification_configs=[
        {
            "pubsub_topic_name": additional_telemetry.id,
            "subfolderMatches": "test/path",
        },
        {
            "pubsub_topic_name": default_telemetry.id,
            "subfolderMatches": "",
        },
    ],
    state_notification_config={
        "pubsub_topic_name": default_devicestatus.id,
    },
    mqtt_config={
        "mqtt_enabled_state": "MQTT_ENABLED",
    },
    http_config={
        "http_enabled_state": "HTTP_ENABLED",
    },
    log_level="INFO",
    credentials=[{
        "publicKeyCertificate": {
            "format": "X509_CERTIFICATE_PEM",
            "certificate": (lambda path: open(path).read())("test-fixtures/rsa_cert.pem"),
        },
    }])
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • credentials (pulumi.Input[list]) – List of public key certificates to authenticate devices. The structure is documented below.

  • event_notification_configs (pulumi.Input[list]) – List of configurations for event notifications, such as PubSub topics to publish device events to. Structure is documented below.

  • http_config (pulumi.Input[dict]) – Activate or deactivate HTTP. The structure is documented below.

  • log_level (pulumi.Input[str]) – The default logging verbosity for activity from devices in this registry. Specifies which events should be written to logs. For example, if the LogLevel is ERROR, only events that terminate in errors will be logged. LogLevel is inclusive; enabling INFO logging will also enable ERROR logging.

  • mqtt_config (pulumi.Input[dict]) – Activate or deactivate MQTT. The structure is documented below.

  • name (pulumi.Input[str]) – A unique name for the resource, required by device registry.

  • project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

  • region (pulumi.Input[str]) – The region in which the created registry should reside. If it is not provided, the provider region is used.

  • state_notification_config (pulumi.Input[dict]) – A PubSub topic to publish device state updates. The structure is documented below.

The credentials object supports the following:

  • publicKeyCertificate (pulumi.Input[dict]) - A public key certificate format and data.

    • certificate (pulumi.Input[str]) - The certificate data.

    • format (pulumi.Input[str]) - The field allows only X509_CERTIFICATE_PEM.

The event_notification_configs object supports the following:

  • pubsub_topic_name (pulumi.Input[str]) - PubSub topic name to publish device events.

  • subfolderMatches (pulumi.Input[str]) - If the subfolder name matches this string exactly, this configuration will be used. The string must not include the leading ‘/’ character. If empty, all strings are matched. Empty value can only be used for the last event_notification_configs item.

The http_config object supports the following:

  • http_enabled_state (pulumi.Input[str]) - The field allows HTTP_ENABLED or HTTP_DISABLED.

The mqtt_config object supports the following:

  • mqtt_enabled_state (pulumi.Input[str]) - The field allows MQTT_ENABLED or MQTT_DISABLED.

The state_notification_config object supports the following:

  • pubsub_topic_name (pulumi.Input[str]) - PubSub topic name to publish device events.

credentials: pulumi.Output[list] = None

List of public key certificates to authenticate devices. The structure is documented below.

  • publicKeyCertificate (dict) - A public key certificate format and data.

    • certificate (str) - The certificate data.

    • format (str) - The field allows only X509_CERTIFICATE_PEM.

event_notification_configs: pulumi.Output[list] = None

List of configurations for event notifications, such as PubSub topics to publish device events to. Structure is documented below.

  • pubsub_topic_name (str) - PubSub topic name to publish device events.

  • subfolderMatches (str) - If the subfolder name matches this string exactly, this configuration will be used. The string must not include the leading ‘/’ character. If empty, all strings are matched. Empty value can only be used for the last event_notification_configs item.

http_config: pulumi.Output[dict] = None

Activate or deactivate HTTP. The structure is documented below.

  • http_enabled_state (str) - The field allows HTTP_ENABLED or HTTP_DISABLED.

log_level: pulumi.Output[str] = None

The default logging verbosity for activity from devices in this registry. Specifies which events should be written to logs. For example, if the LogLevel is ERROR, only events that terminate in errors will be logged. LogLevel is inclusive; enabling INFO logging will also enable ERROR logging.

mqtt_config: pulumi.Output[dict] = None

Activate or deactivate MQTT. The structure is documented below.

  • mqtt_enabled_state (str) - The field allows MQTT_ENABLED or MQTT_DISABLED.

name: pulumi.Output[str] = None

A unique name for the resource, required by device registry.

project: pulumi.Output[str] = None

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

region: pulumi.Output[str] = None

The region in which the created registry should reside. If it is not provided, the provider region is used.

state_notification_config: pulumi.Output[dict] = None

A PubSub topic to publish device state updates. The structure is documented below.

  • pubsub_topic_name (str) - PubSub topic name to publish device events.

static get(resource_name, id, opts=None, credentials=None, event_notification_configs=None, http_config=None, log_level=None, mqtt_config=None, name=None, project=None, region=None, state_notification_config=None)

Get an existing Registry resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • credentials (pulumi.Input[list]) – List of public key certificates to authenticate devices. The structure is documented below.

  • event_notification_configs (pulumi.Input[list]) – List of configurations for event notifications, such as PubSub topics to publish device events to. Structure is documented below.

  • http_config (pulumi.Input[dict]) – Activate or deactivate HTTP. The structure is documented below.

  • log_level (pulumi.Input[str]) – The default logging verbosity for activity from devices in this registry. Specifies which events should be written to logs. For example, if the LogLevel is ERROR, only events that terminate in errors will be logged. LogLevel is inclusive; enabling INFO logging will also enable ERROR logging.

  • mqtt_config (pulumi.Input[dict]) – Activate or deactivate MQTT. The structure is documented below.

  • name (pulumi.Input[str]) – A unique name for the resource, required by device registry.

  • project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

  • region (pulumi.Input[str]) – The region in which the created registry should reside. If it is not provided, the provider region is used.

  • state_notification_config (pulumi.Input[dict]) – A PubSub topic to publish device state updates. The structure is documented below.

The credentials object supports the following:

  • publicKeyCertificate (pulumi.Input[dict]) - A public key certificate format and data.

    • certificate (pulumi.Input[str]) - The certificate data.

    • format (pulumi.Input[str]) - The field allows only X509_CERTIFICATE_PEM.

The event_notification_configs object supports the following:

  • pubsub_topic_name (pulumi.Input[str]) - PubSub topic name to publish device events.

  • subfolderMatches (pulumi.Input[str]) - If the subfolder name matches this string exactly, this configuration will be used. The string must not include the leading ‘/’ character. If empty, all strings are matched. Empty value can only be used for the last event_notification_configs item.

The http_config object supports the following:

  • http_enabled_state (pulumi.Input[str]) - The field allows HTTP_ENABLED or HTTP_DISABLED.

The mqtt_config object supports the following:

  • mqtt_enabled_state (pulumi.Input[str]) - The field allows MQTT_ENABLED or MQTT_DISABLED.

The state_notification_config object supports the following:

  • pubsub_topic_name (pulumi.Input[str]) - PubSub topic name to publish device events.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.kms.SecretCiphertext(resource_name, opts=None, additional_authenticated_data=None, crypto_key=None, plaintext=None, __props__=None, __name__=None, __opts__=None)

Encrypts secret data with Google Cloud KMS and provides access to the ciphertext.

NOTE: Using this resource will allow you to conceal secret data within your resource definitions, but it does not take care of protecting that data in the logging output, plan output, or state output. Please take care to secure your secret data outside of resource definitions.

To get more information about SecretCiphertext, see:

Warning: All arguments including plaintext and additional_authenticated_data will be stored in the raw state as plain-text. Read more about secrets in state.

import pulumi
import pulumi_gcp as gcp

keyring = gcp.kms.KeyRing("keyring", location="global")
cryptokey = gcp.kms.CryptoKey("cryptokey",
    key_ring=keyring.id,
    rotation_period="100000s")
my_password = gcp.kms.SecretCiphertext("myPassword",
    crypto_key=cryptokey.id,
    plaintext="my-secret-password")
instance = gcp.compute.Instance("instance",
    machine_type="n1-standard-1",
    zone="us-central1-a",
    boot_disk={
        "initialize_params": {
            "image": "debian-cloud/debian-9",
        },
    },
    network_interface=[{
        "network": "default",
        "access_config": [{}],
    }],
    metadata={
        "password": my_password.ciphertext,
    })
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • additional_authenticated_data (pulumi.Input[str]) – The additional authenticated data used for integrity checks during encryption and decryption. Note: This property is sensitive and will not be displayed in the plan.

  • crypto_key (pulumi.Input[str]) – The full name of the CryptoKey that will be used to encrypt the provided plaintext. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}/cryptoKeys/{{cryptoKey}}'

  • plaintext (pulumi.Input[str]) – The plaintext to be encrypted. Note: This property is sensitive and will not be displayed in the plan.

additional_authenticated_data: pulumi.Output[str] = None

The additional authenticated data used for integrity checks during encryption and decryption. Note: This property is sensitive and will not be displayed in the plan.

ciphertext: pulumi.Output[str] = None

Contains the result of encrypting the provided plaintext, encoded in base64.

crypto_key: pulumi.Output[str] = None

The full name of the CryptoKey that will be used to encrypt the provided plaintext. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}/cryptoKeys/{{cryptoKey}}'

plaintext: pulumi.Output[str] = None

The plaintext to be encrypted. Note: This property is sensitive and will not be displayed in the plan.

static get(resource_name, id, opts=None, additional_authenticated_data=None, ciphertext=None, crypto_key=None, plaintext=None)

Get an existing SecretCiphertext resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • additional_authenticated_data (pulumi.Input[str]) – The additional authenticated data used for integrity checks during encryption and decryption. Note: This property is sensitive and will not be displayed in the plan.

  • ciphertext (pulumi.Input[str]) – Contains the result of encrypting the provided plaintext, encoded in base64.

  • crypto_key (pulumi.Input[str]) – The full name of the CryptoKey that will be used to encrypt the provided plaintext. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}/cryptoKeys/{{cryptoKey}}'

  • plaintext (pulumi.Input[str]) – The plaintext to be encrypted. Note: This property is sensitive and will not be displayed in the plan.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

pulumi_gcp.kms.get_kms_crypto_key(key_ring=None, name=None, opts=None)

Provides access to a Google Cloud Platform KMS CryptoKey. For more information see the official documentation and API.

A CryptoKey is an interface to key material which can be used to encrypt and decrypt data. A CryptoKey belongs to a Google Cloud KMS KeyRing.

import pulumi
import pulumi_gcp as gcp

my_key_ring = gcp.kms.get_kms_key_ring(name="my-key-ring",
    location="us-central1")
my_crypto_key = gcp.kms.get_kms_crypto_key(name="my-crypto-key",
    key_ring=my_key_ring.self_link)
Parameters

  • key_ring (str) – The self_link of the Google Cloud Platform KeyRing to which the key belongs.

  • name (str) – The CryptoKey’s name. A CryptoKey’s name belonging to the specified Google Cloud Platform KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}

pulumi_gcp.kms.get_kms_crypto_key_version(crypto_key=None, version=None, opts=None)

Provides access to a Google Cloud Platform KMS CryptoKeyVersion. For more information see the official documentation and API.

A CryptoKeyVersion represents an individual cryptographic key, and the associated key material.

import pulumi
import pulumi_gcp as gcp

my_key_ring = gcp.kms.get_kms_key_ring(name="my-key-ring",
    location="us-central1")
my_crypto_key = gcp.kms.get_kms_crypto_key(name="my-crypto-key",
    key_ring=my_key_ring.self_link)
my_crypto_key_version = gcp.kms.get_kms_crypto_key_version(crypto_key=data["google_kms_key"]["my_key"]["self_link"])
Parameters

  • crypto_key (str) – The self_link of the Google Cloud Platform CryptoKey to which the key version belongs.

  • version (float) – The version number for this CryptoKeyVersion. Defaults to 1.

pulumi_gcp.kms.get_kms_key_ring(location=None, name=None, project=None, opts=None)

Provides access to Google Cloud Platform KMS KeyRing. For more information see the official documentation and API.

A KeyRing is a grouping of CryptoKeys for organizational purposes. A KeyRing belongs to a Google Cloud Platform Project and resides in a specific location.

import pulumi
import pulumi_gcp as gcp

my_key_ring = gcp.kms.get_kms_key_ring(location="us-central1",
    name="my-key-ring")
Parameters

  • location (str) – The Google Cloud Platform location for the KeyRing. A full list of valid locations can be found by running gcloud kms locations list.

  • name (str) – The KeyRing’s name. A KeyRing name must exist within the provided location and match the regular expression [a-zA-Z0-9_-]{1,63}

  • project (str) – The project in which the resource belongs. If it is not provided, the provider project is used.

pulumi_gcp.kms.get_kms_secret(additional_authenticated_data=None, ciphertext=None, crypto_key=None, opts=None)

This data source allows you to use data encrypted with Google Cloud KMS within your resource definitions.

For more information see the official documentation.

NOTE: Using this data provider will allow you to conceal secret data within your resource definitions, but it does not take care of protecting that data in the logging output, plan output, or state output. Please take care to secure your secret data outside of resource definitions.

Parameters

  • additional_authenticated_data (str) – The additional authenticated data used for integrity checks during encryption and decryption.

  • ciphertext (str) – The ciphertext to be decrypted, encoded in base64

  • crypto_key (str) – The id of the CryptoKey that will be used to decrypt the provided ciphertext. This is represented by the format {projectId}/{location}/{keyRingName}/{cryptoKeyName}.

pulumi_gcp.kms.get_kms_secret_ciphertext(crypto_key=None, plaintext=None, opts=None)

!> Warning: This data source is deprecated. Use the kms.SecretCiphertext resource instead.

This data source allows you to encrypt data with Google Cloud KMS and use the ciphertext within your resource definitions.

For more information see the official documentation.

NOTE: Using this data source will allow you to conceal secret data within your resource definitions, but it does not take care of protecting that data in the logging output, plan output, or state output. Please take care to secure your secret data outside of resource definitions.

Parameters

  • crypto_key (str) – The id of the CryptoKey that will be used to encrypt the provided plaintext. This is represented by the format {projectId}/{location}/{keyRingName}/{cryptoKeyName}.

  • plaintext (str) – The plaintext to be encrypted