diff --git a/api_names_out.yaml b/api_names_out.yaml index 9570f8efdde..706ff688d7a 100644 --- a/api_names_out.yaml +++ b/api_names_out.yaml @@ -88251,6 +88251,7 @@ "/cloudkms:v1/CryptoKeyVersion/externalProtectionLevelOptions": external_protection_level_options "/cloudkms:v1/CryptoKeyVersion/generateTime": generate_time "/cloudkms:v1/CryptoKeyVersion/generationFailureReason": generation_failure_reason +"/cloudkms:v1/CryptoKeyVersion/hsmTrusted": hsm_trusted "/cloudkms:v1/CryptoKeyVersion/importFailureReason": import_failure_reason "/cloudkms:v1/CryptoKeyVersion/importJob": import_job "/cloudkms:v1/CryptoKeyVersion/importTime": import_time @@ -88258,6 +88259,7 @@ "/cloudkms:v1/CryptoKeyVersion/protectionLevel": protection_level "/cloudkms:v1/CryptoKeyVersion/reimportEligible": reimport_eligible "/cloudkms:v1/CryptoKeyVersion/state": state +"/cloudkms:v1/CryptoKeyVersion/trustedWrappingEnabled": trusted_wrapping_enabled "/cloudkms:v1/CryptoKeyVersionTemplate": crypto_key_version_template "/cloudkms:v1/CryptoKeyVersionTemplate/algorithm": algorithm "/cloudkms:v1/CryptoKeyVersionTemplate/protectionLevel": protection_level @@ -88316,12 +88318,16 @@ "/cloudkms:v1/EncryptResponse/verifiedAdditionalAuthenticatedDataCrc32c": verified_additional_authenticated_data_crc32c "/cloudkms:v1/EncryptResponse/verifiedPlaintextCrc32c": verified_plaintext_crc32c "/cloudkms:v1/ExecuteSingleTenantHsmInstanceProposalRequest": execute_single_tenant_hsm_instance_proposal_request +"/cloudkms:v1/ExportTrustedKeyWrappedCryptoKeyVersionResponse": export_trusted_key_wrapped_crypto_key_version_response +"/cloudkms:v1/ExportTrustedKeyWrappedCryptoKeyVersionResponse/wrappedKey": wrapped_key +"/cloudkms:v1/ExportTrustedKeyWrappedCryptoKeyVersionResponse/wrappedKeyCrc32c": wrapped_key_crc32c "/cloudkms:v1/Expr": expr "/cloudkms:v1/Expr/description": description "/cloudkms:v1/Expr/expression": expression "/cloudkms:v1/Expr/location": location "/cloudkms:v1/Expr/title": title "/cloudkms:v1/ExternalProtectionLevelOptions": external_protection_level_options +"/cloudkms:v1/ExternalProtectionLevelOptions/ekmConnectionBackendOverride": ekm_connection_backend_override "/cloudkms:v1/ExternalProtectionLevelOptions/ekmConnectionKeyPath": ekm_connection_key_path "/cloudkms:v1/ExternalProtectionLevelOptions/externalKeyUri": external_key_uri "/cloudkms:v1/GenerateRandomBytesRequest": generate_random_bytes_request @@ -88335,6 +88341,7 @@ "/cloudkms:v1/ImportCryptoKeyVersionRequest/cryptoKeyVersion": crypto_key_version "/cloudkms:v1/ImportCryptoKeyVersionRequest/importJob": import_job "/cloudkms:v1/ImportCryptoKeyVersionRequest/rsaAesWrappedKey": rsa_aes_wrapped_key +"/cloudkms:v1/ImportCryptoKeyVersionRequest/trustedWrappingEnabled": trusted_wrapping_enabled "/cloudkms:v1/ImportCryptoKeyVersionRequest/wrappedKey": wrapped_key "/cloudkms:v1/ImportJob": import_job "/cloudkms:v1/ImportJob/attestation": attestation @@ -88349,6 +88356,11 @@ "/cloudkms:v1/ImportJob/publicKey": public_key "/cloudkms:v1/ImportJob/publicKeyFormat": public_key_format "/cloudkms:v1/ImportJob/state": state +"/cloudkms:v1/ImportTrustedKeyWrappedCryptoKeyVersionRequest": import_trusted_key_wrapped_crypto_key_version_request +"/cloudkms:v1/ImportTrustedKeyWrappedCryptoKeyVersionRequest/algorithm": algorithm +"/cloudkms:v1/ImportTrustedKeyWrappedCryptoKeyVersionRequest/cryptoKeyVersion": crypto_key_version +"/cloudkms:v1/ImportTrustedKeyWrappedCryptoKeyVersionRequest/importingKey": importing_key +"/cloudkms:v1/ImportTrustedKeyWrappedCryptoKeyVersionRequest/wrappedKey": wrapped_key "/cloudkms:v1/KeyAccessJustificationsEnrollmentConfig": key_access_justifications_enrollment_config "/cloudkms:v1/KeyAccessJustificationsEnrollmentConfig/auditLogging": audit_logging "/cloudkms:v1/KeyAccessJustificationsEnrollmentConfig/policyEnforcement": policy_enforcement @@ -88578,6 +88590,8 @@ "/cloudkms:v1/SetIamPolicyRequest/updateMask": update_mask "/cloudkms:v1/ShowEffectiveAutokeyConfigResponse": show_effective_autokey_config_response "/cloudkms:v1/ShowEffectiveAutokeyConfigResponse/keyProject": key_project +"/cloudkms:v1/ShowEffectiveAutokeyConfigResponse/keyProjectResolutionMode": key_project_resolution_mode +"/cloudkms:v1/ShowEffectiveAutokeyConfigResponse/source": source "/cloudkms:v1/ShowEffectiveKeyAccessJustificationsEnrollmentConfigResponse": show_effective_key_access_justifications_enrollment_config_response "/cloudkms:v1/ShowEffectiveKeyAccessJustificationsEnrollmentConfigResponse/externalConfig": external_config "/cloudkms:v1/ShowEffectiveKeyAccessJustificationsEnrollmentConfigResponse/hardwareConfig": hardware_config @@ -88611,6 +88625,9 @@ "/cloudkms:v1/SingleTenantHsmInstanceProposal/requiredActionQuorumParameters": required_action_quorum_parameters "/cloudkms:v1/SingleTenantHsmInstanceProposal/state": state "/cloudkms:v1/SingleTenantHsmInstanceProposal/ttl": ttl +"/cloudkms:v1/SingleTenantHsmInstanceProposal/upgradeKeyTrust": upgrade_key_trust +"/cloudkms:v1/Source": source +"/cloudkms:v1/Source/name": name "/cloudkms:v1/Status": status "/cloudkms:v1/Status/code": code "/cloudkms:v1/Status/details": details @@ -88625,6 +88642,9 @@ "/cloudkms:v1/TestIamPermissionsResponse/permissions/permission": permission "/cloudkms:v1/UpdateCryptoKeyPrimaryVersionRequest": update_crypto_key_primary_version_request "/cloudkms:v1/UpdateCryptoKeyPrimaryVersionRequest/cryptoKeyVersionId": crypto_key_version_id +"/cloudkms:v1/UpgradeKeyTrust": upgrade_key_trust +"/cloudkms:v1/UpgradeKeyTrust/name": name +"/cloudkms:v1/UpgradeKeyTrust/twoFactorPublicKeyPem": two_factor_public_key_pem "/cloudkms:v1/VerifyConnectivityResponse": verify_connectivity_response "/cloudkms:v1/WrappingPublicKey": wrapping_public_key "/cloudkms:v1/WrappingPublicKey/data": data @@ -88633,6 +88653,8 @@ "/cloudkms:v1/cloudkms.folders.getAutokeyConfig/name": name "/cloudkms:v1/cloudkms.folders.getKajPolicyConfig": get_folder_kaj_policy_config "/cloudkms:v1/cloudkms.folders.getKajPolicyConfig/name": name +"/cloudkms:v1/cloudkms.folders.showEffectiveAutokeyConfig": show_folder_effective_autokey_config +"/cloudkms:v1/cloudkms.folders.showEffectiveAutokeyConfig/parent": parent "/cloudkms:v1/cloudkms.folders.updateAutokeyConfig": update_folder_autokey_config "/cloudkms:v1/cloudkms.folders.updateAutokeyConfig/name": name "/cloudkms:v1/cloudkms.folders.updateAutokeyConfig/updateMask": update_mask @@ -88701,6 +88723,7 @@ "/cloudkms:v1/cloudkms.projects.locations.keyRings.cryptoKeys.create/cryptoKeyId": crypto_key_id "/cloudkms:v1/cloudkms.projects.locations.keyRings.cryptoKeys.create/parent": parent "/cloudkms:v1/cloudkms.projects.locations.keyRings.cryptoKeys.create/skipInitialVersionCreation": skip_initial_version_creation +"/cloudkms:v1/cloudkms.projects.locations.keyRings.cryptoKeys.create/trustedWrappingEnabled": trusted_wrapping_enabled "/cloudkms:v1/cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.asymmetricDecrypt": asymmetric_crypto_key_version_decrypt "/cloudkms:v1/cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.asymmetricDecrypt/name": name "/cloudkms:v1/cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.asymmetricSign": asymmetric_crypto_key_version_sign @@ -88713,6 +88736,10 @@ "/cloudkms:v1/cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.delete/name": name "/cloudkms:v1/cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.destroy": destroy_crypto_key_version "/cloudkms:v1/cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.destroy/name": name +"/cloudkms:v1/cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.exportTrustedKeyWrappedCryptoKeyVersion": export_project_location_key_ring_crypto_key_crypto_key_version_trusted_key_wrapped_crypto_key_version +"/cloudkms:v1/cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.exportTrustedKeyWrappedCryptoKeyVersion/name": name +? "/cloudkms:v1/cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.exportTrustedKeyWrappedCryptoKeyVersion/wrappingKey" +: wrapping_key "/cloudkms:v1/cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.get": get_project_location_key_ring_crypto_key_crypto_key_version "/cloudkms:v1/cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.get/name": name "/cloudkms:v1/cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.getPublicKey": get_project_location_key_ring_crypto_key_crypto_key_version_public_key @@ -88720,6 +88747,8 @@ "/cloudkms:v1/cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.getPublicKey/publicKeyFormat": public_key_format "/cloudkms:v1/cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.import": import_crypto_key_version "/cloudkms:v1/cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.import/parent": parent +"/cloudkms:v1/cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.importTrustedKeyWrappedCryptoKeyVersion": import_trusted_key_wrapped_crypto_key_version +"/cloudkms:v1/cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.importTrustedKeyWrappedCryptoKeyVersion/parent": parent "/cloudkms:v1/cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.list": list_project_location_key_ring_crypto_key_crypto_key_versions "/cloudkms:v1/cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.list/filter": filter "/cloudkms:v1/cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.list/orderBy": order_by diff --git a/generated/google-apis-cloudkms_v1/CHANGELOG.md b/generated/google-apis-cloudkms_v1/CHANGELOG.md index bde885872e5..86e5ab422b7 100644 --- a/generated/google-apis-cloudkms_v1/CHANGELOG.md +++ b/generated/google-apis-cloudkms_v1/CHANGELOG.md @@ -1,5 +1,9 @@ # Release history for google-apis-cloudkms_v1 +### v0.77.0 (2026-07-12) + +* Regenerated from discovery document revision 20260702 + ### v0.76.0 (2026-06-14) * Regenerated from discovery document revision 20260608 diff --git a/generated/google-apis-cloudkms_v1/lib/google/apis/cloudkms_v1/classes.rb b/generated/google-apis-cloudkms_v1/lib/google/apis/cloudkms_v1/classes.rb index 4b89c0efc23..266bfbecb61 100644 --- a/generated/google-apis-cloudkms_v1/lib/google/apis/cloudkms_v1/classes.rb +++ b/generated/google-apis-cloudkms_v1/lib/google/apis/cloudkms_v1/classes.rb @@ -916,6 +916,14 @@ class CryptoKeyVersion # @return [String] attr_accessor :generation_failure_reason + # Output only. Field indicating that the key wrapping key is trusted. This field + # is only valid for key purpose AES_256_WRAPPING, and protection level + # HSM_SINGLE_TENANT. + # Corresponds to the JSON property `hsmTrusted` + # @return [Boolean] + attr_accessor :hsm_trusted + alias_method :hsm_trusted?, :hsm_trusted + # Output only. The root cause of the most recent import failure. Only present if # state is IMPORT_FAILED. # Corresponds to the JSON property `importFailureReason` @@ -959,6 +967,16 @@ class CryptoKeyVersion # @return [String] attr_accessor :state + # Immutable. Field indicating that the key may be wrapped by a trusted key. This + # field can be set for all key purposes except ENCRYPT_DECRYPT, and is only + # valid for keys with protection level HSM_SINGLE_TENANT. This field can only be + # set at creation or import time via CreateCryptoKeyVersion, or + # ImportCryptoKeyVersion. + # Corresponds to the JSON property `trustedWrappingEnabled` + # @return [Boolean] + attr_accessor :trusted_wrapping_enabled + alias_method :trusted_wrapping_enabled?, :trusted_wrapping_enabled + def initialize(**args) update!(**args) end @@ -974,6 +992,7 @@ def update!(**args) @external_protection_level_options = args[:external_protection_level_options] if args.key?(:external_protection_level_options) @generate_time = args[:generate_time] if args.key?(:generate_time) @generation_failure_reason = args[:generation_failure_reason] if args.key?(:generation_failure_reason) + @hsm_trusted = args[:hsm_trusted] if args.key?(:hsm_trusted) @import_failure_reason = args[:import_failure_reason] if args.key?(:import_failure_reason) @import_job = args[:import_job] if args.key?(:import_job) @import_time = args[:import_time] if args.key?(:import_time) @@ -981,6 +1000,7 @@ def update!(**args) @protection_level = args[:protection_level] if args.key?(:protection_level) @reimport_eligible = args[:reimport_eligible] if args.key?(:reimport_eligible) @state = args[:state] if args.key?(:state) + @trusted_wrapping_enabled = args[:trusted_wrapping_enabled] if args.key?(:trusted_wrapping_enabled) end end @@ -1584,6 +1604,43 @@ def update!(**args) end end + # Response message for KeyManagementService. + # ExportTrustedKeyWrappedCryptoKeyVersion. + class ExportTrustedKeyWrappedCryptoKeyVersionResponse + include Google::Apis::Core::Hashable + + # The wrapped key material. + # Corresponds to the JSON property `wrappedKey` + # NOTE: Values are automatically base64 encoded/decoded in the client library. + # @return [String] + attr_accessor :wrapped_key + + # Integrity verification field. A CRC32C checksum of the returned + # ExportTrustedKeyWrappedCryptoKeyVersionResponse.wrapped_key. An integrity + # check of ExportTrustedKeyWrappedCryptoKeyVersionResponse.wrapped_key can be + # performed by computing the CRC32C checksum of + # ExportTrustedKeyWrappedCryptoKeyVersionResponse.wrapped_key and comparing your + # results to this field. Discard the response in case of non-matching checksum + # values, and perform a limited number of retries. A persistent mismatch may + # indicate an issue in your computation of the CRC32C checksum. Note: This field + # is defined as int64 for reasons of compatibility across different languages. + # However, it is a non-negative integer, which will never exceed 2^32-1, and can + # be safely downconverted to uint32 in languages that support this type. + # Corresponds to the JSON property `wrappedKeyCrc32c` + # @return [Fixnum] + attr_accessor :wrapped_key_crc32c + + def initialize(**args) + update!(**args) + end + + # Update properties of this object + def update!(**args) + @wrapped_key = args[:wrapped_key] if args.key?(:wrapped_key) + @wrapped_key_crc32c = args[:wrapped_key_crc32c] if args.key?(:wrapped_key_crc32c) + end + end + # Represents a textual expression in the Common Expression Language (CEL) syntax. # CEL is a C-like expression language. The syntax and semantics of CEL are # documented at https://github.com/google/cel-spec. Example (Comparison): title: @@ -1644,14 +1701,23 @@ def update!(**args) class ExternalProtectionLevelOptions include Google::Apis::Core::Hashable - # The path to the external key material on the EKM when using EkmConnection e.g., - # "v0/my/key". Set this field instead of external_key_uri when using an - # EkmConnection. + # Optional. The resource name of the backend environment where the key material + # of CryptoKeyVersions is associated with. Setting this field overrides the + # CryptoKeyBackend. This field may be set when CryptoKeyVersions is set to + # EXTERNAL_VPC. Format: `projects/*/locations/*/ekmConnections/*`. + # Corresponds to the JSON property `ekmConnectionBackendOverride` + # @return [String] + attr_accessor :ekm_connection_backend_override + + # Optional. The path to the external key material on the EKM when using + # EkmConnection e.g., "v0/my/key". Set this field instead of external_key_uri + # when using an EkmConnection. # Corresponds to the JSON property `ekmConnectionKeyPath` # @return [String] attr_accessor :ekm_connection_key_path - # The URI for an external resource that this CryptoKeyVersion represents. + # Optional. The URI for an external resource that this CryptoKeyVersion + # represents. # Corresponds to the JSON property `externalKeyUri` # @return [String] attr_accessor :external_key_uri @@ -1662,6 +1728,7 @@ def initialize(**args) # Update properties of this object def update!(**args) + @ekm_connection_backend_override = args[:ekm_connection_backend_override] if args.key?(:ekm_connection_backend_override) @ekm_connection_key_path = args[:ekm_connection_key_path] if args.key?(:ekm_connection_key_path) @external_key_uri = args[:external_key_uri] if args.key?(:external_key_uri) end @@ -1765,6 +1832,15 @@ class ImportCryptoKeyVersionRequest # @return [String] attr_accessor :rsa_aes_wrapped_key + # Optional. Whether trusted wrapping will be enabled on the imported [ + # CryptoKeyVersion]. This field is only supported for keys with + # CryptoKeyVersionTemplate.protection_level HSM_SINGLE_TENANT. This field is + # supported for all CryptoKeyPurposes besides ENCRYPT_DECRYPT. + # Corresponds to the JSON property `trustedWrappingEnabled` + # @return [Boolean] + attr_accessor :trusted_wrapping_enabled + alias_method :trusted_wrapping_enabled?, :trusted_wrapping_enabled + # Optional. The wrapped key material to import. Before wrapping, key material # must be formatted. If importing symmetric key material, the expected key # material format is plain bytes. If importing asymmetric key material, the @@ -1795,6 +1871,7 @@ def update!(**args) @crypto_key_version = args[:crypto_key_version] if args.key?(:crypto_key_version) @import_job = args[:import_job] if args.key?(:import_job) @rsa_aes_wrapped_key = args[:rsa_aes_wrapped_key] if args.key?(:rsa_aes_wrapped_key) + @trusted_wrapping_enabled = args[:trusted_wrapping_enabled] if args.key?(:trusted_wrapping_enabled) @wrapped_key = args[:wrapped_key] if args.key?(:wrapped_key) end end @@ -1913,6 +1990,56 @@ def update!(**args) end end + # Request message for KeyManagementService. + # ImportTrustedKeyWrappedCryptoKeyVersion. + class ImportTrustedKeyWrappedCryptoKeyVersionRequest + include Google::Apis::Core::Hashable + + # Required. Required - The algorithm of the key being imported. This does not + # need to match the version_template of the CryptoKey this version imports into. + # Corresponds to the JSON property `algorithm` + # @return [String] + attr_accessor :algorithm + + # Optional. The optional name of an existing CryptoKeyVersion to target for an + # import operation. If this field is not present, a new CryptoKeyVersion + # containing the supplied key material is created. If this field is present, the + # supplied key material is imported into the existing CryptoKeyVersion. To + # import into an existing CryptoKeyVersion, the CryptoKeyVersion must be a child + # of ImportTrustedKeyWrappedCryptoKeyVersionRequest.parent, have been previously + # created via ImportTrustedKeyWrappedCryptoKeyVersion, and be in DESTROYED or + # IMPORT_FAILED state. The key material and algorithm must match the previous + # CryptoKeyVersion exactly if the CryptoKeyVersion has ever contained key + # material + # Corresponds to the JSON property `cryptoKeyVersion` + # @return [String] + attr_accessor :crypto_key_version + + # Required. Required - the CKV of the trusted key used to import. This can be + # the name of a CryptoKeyVersion or a CryptoKey. + # Corresponds to the JSON property `importingKey` + # @return [String] + attr_accessor :importing_key + + # Required. The target key pre-wrapped on premises. + # Corresponds to the JSON property `wrappedKey` + # NOTE: Values are automatically base64 encoded/decoded in the client library. + # @return [String] + attr_accessor :wrapped_key + + def initialize(**args) + update!(**args) + end + + # Update properties of this object + def update!(**args) + @algorithm = args[:algorithm] if args.key?(:algorithm) + @crypto_key_version = args[:crypto_key_version] if args.key?(:crypto_key_version) + @importing_key = args[:importing_key] if args.key?(:importing_key) + @wrapped_key = args[:wrapped_key] if args.key?(:wrapped_key) + end + end + # Represents the configuration of a protection level for a project's Key Access # Justifications enrollment. class KeyAccessJustificationsEnrollmentConfig @@ -3737,11 +3864,21 @@ def update!(**args) class ShowEffectiveAutokeyConfigResponse include Google::Apis::Core::Hashable - # Name of the key project configured in the resource project's folder ancestry. + # Name of the key project configured in the ancestry of the project or folder. # Corresponds to the JSON property `keyProject` # @return [String] attr_accessor :key_project + # The KeyProjectResolutionMode for the AutokeyConfig. + # Corresponds to the JSON property `keyProjectResolutionMode` + # @return [String] + attr_accessor :key_project_resolution_mode + + # Source of the effective AutokeyConfig. + # Corresponds to the JSON property `source` + # @return [Google::Apis::CloudkmsV1::Source] + attr_accessor :source + def initialize(**args) update!(**args) end @@ -3749,6 +3886,8 @@ def initialize(**args) # Update properties of this object def update!(**args) @key_project = args[:key_project] if args.key?(:key_project) + @key_project_resolution_mode = args[:key_project_resolution_mode] if args.key?(:key_project_resolution_mode) + @source = args[:source] if args.key?(:source) end end @@ -3992,6 +4131,12 @@ class SingleTenantHsmInstanceProposal # @return [String] attr_accessor :ttl + # Promotes a key with the AES_WRAPPING purpose to a trusted wrapping key. The + # key must be in the ACTIVE state to perform this operation. + # Corresponds to the JSON property `upgradeKeyTrust` + # @return [Google::Apis::CloudkmsV1::UpgradeKeyTrust] + attr_accessor :upgrade_key_trust + def initialize(**args) update!(**args) end @@ -4015,6 +4160,28 @@ def update!(**args) @required_action_quorum_parameters = args[:required_action_quorum_parameters] if args.key?(:required_action_quorum_parameters) @state = args[:state] if args.key?(:state) @ttl = args[:ttl] if args.key?(:ttl) + @upgrade_key_trust = args[:upgrade_key_trust] if args.key?(:upgrade_key_trust) + end + end + + # Source of the effective AutokeyConfig. + class Source + include Google::Apis::Core::Hashable + + # Contains the resource name of the AutokeyConfig that is effective, for example, + # `folders/`FOLDER_NUMBER`` or `projects/`PROJECT_NUMBER`` or `organizations/` + # ORGANIZATION_NUMBER``. + # Corresponds to the JSON property `name` + # @return [String] + attr_accessor :name + + def initialize(**args) + update!(**args) + end + + # Update properties of this object + def update!(**args) + @name = args[:name] if args.key?(:name) end end @@ -4116,6 +4283,33 @@ def update!(**args) end end + # Promotes a key with the AES_WRAPPING purpose to a trusted wrapping key. The + # key must be in the ACTIVE state to perform this operation. + class UpgradeKeyTrust + include Google::Apis::Core::Hashable + + # Required. The name of the CryptoKeyVersion to promote. + # Corresponds to the JSON property `name` + # @return [String] + attr_accessor :name + + # Required. The public key associated with the 2FA key that will sign the login + # nonce for this operation. + # Corresponds to the JSON property `twoFactorPublicKeyPem` + # @return [String] + attr_accessor :two_factor_public_key_pem + + def initialize(**args) + update!(**args) + end + + # Update properties of this object + def update!(**args) + @name = args[:name] if args.key?(:name) + @two_factor_public_key_pem = args[:two_factor_public_key_pem] if args.key?(:two_factor_public_key_pem) + end + end + # Response message for EkmService.VerifyConnectivity. class VerifyConnectivityResponse include Google::Apis::Core::Hashable diff --git a/generated/google-apis-cloudkms_v1/lib/google/apis/cloudkms_v1/gem_version.rb b/generated/google-apis-cloudkms_v1/lib/google/apis/cloudkms_v1/gem_version.rb index 6fd01789887..b3c37764e48 100644 --- a/generated/google-apis-cloudkms_v1/lib/google/apis/cloudkms_v1/gem_version.rb +++ b/generated/google-apis-cloudkms_v1/lib/google/apis/cloudkms_v1/gem_version.rb @@ -16,13 +16,13 @@ module Google module Apis module CloudkmsV1 # Version of the google-apis-cloudkms_v1 gem - GEM_VERSION = "0.76.0" + GEM_VERSION = "0.77.0" # Version of the code generator used to generate this client GENERATOR_VERSION = "0.19.0" # Revision of the discovery document this client was generated from - REVISION = "20260608" + REVISION = "20260702" end end end diff --git a/generated/google-apis-cloudkms_v1/lib/google/apis/cloudkms_v1/representations.rb b/generated/google-apis-cloudkms_v1/lib/google/apis/cloudkms_v1/representations.rb index 1c08d51eff3..6d26e94ab7a 100644 --- a/generated/google-apis-cloudkms_v1/lib/google/apis/cloudkms_v1/representations.rb +++ b/generated/google-apis-cloudkms_v1/lib/google/apis/cloudkms_v1/representations.rb @@ -226,6 +226,12 @@ class Representation < Google::Apis::Core::JsonRepresentation; end include Google::Apis::Core::JsonObjectSupport end + class ExportTrustedKeyWrappedCryptoKeyVersionResponse + class Representation < Google::Apis::Core::JsonRepresentation; end + + include Google::Apis::Core::JsonObjectSupport + end + class Expr class Representation < Google::Apis::Core::JsonRepresentation; end @@ -262,6 +268,12 @@ class Representation < Google::Apis::Core::JsonRepresentation; end include Google::Apis::Core::JsonObjectSupport end + class ImportTrustedKeyWrappedCryptoKeyVersionRequest + class Representation < Google::Apis::Core::JsonRepresentation; end + + include Google::Apis::Core::JsonObjectSupport + end + class KeyAccessJustificationsEnrollmentConfig class Representation < Google::Apis::Core::JsonRepresentation; end @@ -538,6 +550,12 @@ class Representation < Google::Apis::Core::JsonRepresentation; end include Google::Apis::Core::JsonObjectSupport end + class Source + class Representation < Google::Apis::Core::JsonRepresentation; end + + include Google::Apis::Core::JsonObjectSupport + end + class Status class Representation < Google::Apis::Core::JsonRepresentation; end @@ -562,6 +580,12 @@ class Representation < Google::Apis::Core::JsonRepresentation; end include Google::Apis::Core::JsonObjectSupport end + class UpgradeKeyTrust + class Representation < Google::Apis::Core::JsonRepresentation; end + + include Google::Apis::Core::JsonObjectSupport + end + class VerifyConnectivityResponse class Representation < Google::Apis::Core::JsonRepresentation; end @@ -759,6 +783,7 @@ class Representation < Google::Apis::Core::JsonRepresentation property :generate_time, as: 'generateTime' property :generation_failure_reason, as: 'generationFailureReason' + property :hsm_trusted, as: 'hsmTrusted' property :import_failure_reason, as: 'importFailureReason' property :import_job, as: 'importJob' property :import_time, as: 'importTime' @@ -766,6 +791,7 @@ class Representation < Google::Apis::Core::JsonRepresentation property :protection_level, as: 'protectionLevel' property :reimport_eligible, as: 'reimportEligible' property :state, as: 'state' + property :trusted_wrapping_enabled, as: 'trustedWrappingEnabled' end end @@ -905,6 +931,14 @@ class Representation < Google::Apis::Core::JsonRepresentation end end + class ExportTrustedKeyWrappedCryptoKeyVersionResponse + # @private + class Representation < Google::Apis::Core::JsonRepresentation + property :wrapped_key, :base64 => true, as: 'wrappedKey' + property :wrapped_key_crc32c, :numeric_string => true, as: 'wrappedKeyCrc32c' + end + end + class Expr # @private class Representation < Google::Apis::Core::JsonRepresentation @@ -918,6 +952,7 @@ class Representation < Google::Apis::Core::JsonRepresentation class ExternalProtectionLevelOptions # @private class Representation < Google::Apis::Core::JsonRepresentation + property :ekm_connection_backend_override, as: 'ekmConnectionBackendOverride' property :ekm_connection_key_path, as: 'ekmConnectionKeyPath' property :external_key_uri, as: 'externalKeyUri' end @@ -946,6 +981,7 @@ class Representation < Google::Apis::Core::JsonRepresentation property :crypto_key_version, as: 'cryptoKeyVersion' property :import_job, as: 'importJob' property :rsa_aes_wrapped_key, :base64 => true, as: 'rsaAesWrappedKey' + property :trusted_wrapping_enabled, as: 'trustedWrappingEnabled' property :wrapped_key, :base64 => true, as: 'wrappedKey' end end @@ -970,6 +1006,16 @@ class Representation < Google::Apis::Core::JsonRepresentation end end + class ImportTrustedKeyWrappedCryptoKeyVersionRequest + # @private + class Representation < Google::Apis::Core::JsonRepresentation + property :algorithm, as: 'algorithm' + property :crypto_key_version, as: 'cryptoKeyVersion' + property :importing_key, as: 'importingKey' + property :wrapped_key, :base64 => true, as: 'wrappedKey' + end + end + class KeyAccessJustificationsEnrollmentConfig # @private class Representation < Google::Apis::Core::JsonRepresentation @@ -1382,6 +1428,9 @@ class ShowEffectiveAutokeyConfigResponse # @private class Representation < Google::Apis::Core::JsonRepresentation property :key_project, as: 'keyProject' + property :key_project_resolution_mode, as: 'keyProjectResolutionMode' + property :source, as: 'source', class: Google::Apis::CloudkmsV1::Source, decorator: Google::Apis::CloudkmsV1::Source::Representation + end end @@ -1449,6 +1498,15 @@ class Representation < Google::Apis::Core::JsonRepresentation property :state, as: 'state' property :ttl, as: 'ttl' + property :upgrade_key_trust, as: 'upgradeKeyTrust', class: Google::Apis::CloudkmsV1::UpgradeKeyTrust, decorator: Google::Apis::CloudkmsV1::UpgradeKeyTrust::Representation + + end + end + + class Source + # @private + class Representation < Google::Apis::Core::JsonRepresentation + property :name, as: 'name' end end @@ -1482,6 +1540,14 @@ class Representation < Google::Apis::Core::JsonRepresentation end end + class UpgradeKeyTrust + # @private + class Representation < Google::Apis::Core::JsonRepresentation + property :name, as: 'name' + property :two_factor_public_key_pem, as: 'twoFactorPublicKeyPem' + end + end + class VerifyConnectivityResponse # @private class Representation < Google::Apis::Core::JsonRepresentation diff --git a/generated/google-apis-cloudkms_v1/lib/google/apis/cloudkms_v1/service.rb b/generated/google-apis-cloudkms_v1/lib/google/apis/cloudkms_v1/service.rb index ba6a08a2c48..7a2e05a242e 100644 --- a/generated/google-apis-cloudkms_v1/lib/google/apis/cloudkms_v1/service.rb +++ b/generated/google-apis-cloudkms_v1/lib/google/apis/cloudkms_v1/service.rb @@ -115,6 +115,40 @@ def get_folder_kaj_policy_config(name, fields: nil, quota_user: nil, options: ni execute_or_queue_command(command, &block) end + # Returns the effective Cloud KMS Autokey configuration for a given project or + # folder. + # @param [String] parent + # Required. Name of the resource project or folder to show the effective Cloud + # KMS Autokey configuration for. This may be helpful for interrogating the + # effect of nested folder configurations on a given resource project. Format: * + # projects/`project` * folders/`folder` + # @param [String] fields + # Selector specifying which fields to include in a partial response. + # @param [String] quota_user + # Available to use for quota purposes for server-side applications. Can be any + # arbitrary string assigned to a user, but should not exceed 40 characters. + # @param [Google::Apis::RequestOptions] options + # Request-specific options + # + # @yield [result, err] Result & error if block supplied + # @yieldparam result [Google::Apis::CloudkmsV1::ShowEffectiveAutokeyConfigResponse] parsed result object + # @yieldparam err [StandardError] error object if request failed + # + # @return [Google::Apis::CloudkmsV1::ShowEffectiveAutokeyConfigResponse] + # + # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried + # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification + # @raise [Google::Apis::AuthorizationError] Authorization is required + def show_folder_effective_autokey_config(parent, fields: nil, quota_user: nil, options: nil, &block) + command = make_simple_command(:get, 'v1/{+parent}:showEffectiveAutokeyConfig', options) + command.response_representation = Google::Apis::CloudkmsV1::ShowEffectiveAutokeyConfigResponse::Representation + command.response_class = Google::Apis::CloudkmsV1::ShowEffectiveAutokeyConfigResponse + command.params['parent'] = parent unless parent.nil? + command.query['fields'] = fields unless fields.nil? + command.query['quotaUser'] = quota_user unless quota_user.nil? + execute_or_queue_command(command, &block) + end + # Updates the AutokeyConfig for a folder or a project. The caller must have both # `cloudkms.autokeyConfigs.update` permission on the parent folder and `cloudkms. # cryptoKeys.setIamPolicy` permission on the provided key project. A KeyHandle @@ -329,11 +363,13 @@ def get_project_kaj_policy_config(name, fields: nil, quota_user: nil, options: n execute_or_queue_command(command, &block) end - # Returns the effective Cloud KMS Autokey configuration for a given project. + # Returns the effective Cloud KMS Autokey configuration for a given project or + # folder. # @param [String] parent - # Required. Name of the resource project to the show effective Cloud KMS Autokey - # configuration for. This may be helpful for interrogating the effect of nested - # folder configurations on a given resource project. + # Required. Name of the resource project or folder to show the effective Cloud + # KMS Autokey configuration for. This may be helpful for interrogating the + # effect of nested folder configurations on a given resource project. Format: * + # projects/`project` * folders/`folder` # @param [String] fields # Selector specifying which fields to include in a partial response. # @param [String] quota_user @@ -1498,6 +1534,11 @@ def test_key_ring_iam_permissions(resource, test_iam_permissions_request_object # If set to true, the request will create a CryptoKey without any # CryptoKeyVersions. You must manually call CreateCryptoKeyVersion or # ImportCryptoKeyVersion before you can use this CryptoKey. + # @param [Boolean] trusted_wrapping_enabled + # Optional. Whether trusted wrapping will be enabled on the first + # CryptoKeyVersions created for this CryptoKey. This field is only supported for + # keys with CryptoKeyVersionTemplate.protection_level HSM_SINGLE_TENANT. This + # field is supported for all CryptoKeyPurposes except ENCRYPT_DECRYPT. # @param [String] fields # Selector specifying which fields to include in a partial response. # @param [String] quota_user @@ -1515,7 +1556,7 @@ def test_key_ring_iam_permissions(resource, test_iam_permissions_request_object # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification # @raise [Google::Apis::AuthorizationError] Authorization is required - def create_project_location_key_ring_crypto_key(parent, crypto_key_object = nil, crypto_key_id: nil, skip_initial_version_creation: nil, fields: nil, quota_user: nil, options: nil, &block) + def create_project_location_key_ring_crypto_key(parent, crypto_key_object = nil, crypto_key_id: nil, skip_initial_version_creation: nil, trusted_wrapping_enabled: nil, fields: nil, quota_user: nil, options: nil, &block) command = make_simple_command(:post, 'v1/{+parent}/cryptoKeys', options) command.request_representation = Google::Apis::CloudkmsV1::CryptoKey::Representation command.request_object = crypto_key_object @@ -1524,6 +1565,7 @@ def create_project_location_key_ring_crypto_key(parent, crypto_key_object = nil, command.params['parent'] = parent unless parent.nil? command.query['cryptoKeyId'] = crypto_key_id unless crypto_key_id.nil? command.query['skipInitialVersionCreation'] = skip_initial_version_creation unless skip_initial_version_creation.nil? + command.query['trustedWrappingEnabled'] = trusted_wrapping_enabled unless trusted_wrapping_enabled.nil? command.query['fields'] = fields unless fields.nil? command.query['quotaUser'] = quota_user unless quota_user.nil? execute_or_queue_command(command, &block) @@ -2121,6 +2163,44 @@ def destroy_crypto_key_version(name, destroy_crypto_key_version_request_object = execute_or_queue_command(command, &block) end + # Exports a CryptoKeyVersion with a trusted key. The CryptoKeyVersion must have + # trusted_wrapping_enabled set to true. The CryptoKeyVersion of the [ + # wrapping_key] must have the AES_WRAPPING purpose. The [wrapping_key] must have + # the AES_256_KWP algorithm. + # @param [String] name + # Required. The name of the CryptoKeyVersion to export. The CryptoKeyVersion + # must have trusted_wrapping_enabled set to true. + # @param [String] wrapping_key + # Required. The name of the CryptoKeyVersion to use as a wrapping key. The + # CryptoKeyVersion must have hsm_trusted set to true. + # @param [String] fields + # Selector specifying which fields to include in a partial response. + # @param [String] quota_user + # Available to use for quota purposes for server-side applications. Can be any + # arbitrary string assigned to a user, but should not exceed 40 characters. + # @param [Google::Apis::RequestOptions] options + # Request-specific options + # + # @yield [result, err] Result & error if block supplied + # @yieldparam result [Google::Apis::CloudkmsV1::ExportTrustedKeyWrappedCryptoKeyVersionResponse] parsed result object + # @yieldparam err [StandardError] error object if request failed + # + # @return [Google::Apis::CloudkmsV1::ExportTrustedKeyWrappedCryptoKeyVersionResponse] + # + # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried + # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification + # @raise [Google::Apis::AuthorizationError] Authorization is required + def export_project_location_key_ring_crypto_key_crypto_key_version_trusted_key_wrapped_crypto_key_version(name, wrapping_key: nil, fields: nil, quota_user: nil, options: nil, &block) + command = make_simple_command(:get, 'v1/{+name}:exportTrustedKeyWrappedCryptoKeyVersion', options) + command.response_representation = Google::Apis::CloudkmsV1::ExportTrustedKeyWrappedCryptoKeyVersionResponse::Representation + command.response_class = Google::Apis::CloudkmsV1::ExportTrustedKeyWrappedCryptoKeyVersionResponse + command.params['name'] = name unless name.nil? + command.query['wrappingKey'] = wrapping_key unless wrapping_key.nil? + command.query['fields'] = fields unless fields.nil? + command.query['quotaUser'] = quota_user unless quota_user.nil? + execute_or_queue_command(command, &block) + end + # Returns metadata for a given CryptoKeyVersion. # @param [String] name # Required. The name of the CryptoKeyVersion to get. @@ -2227,6 +2307,44 @@ def import_crypto_key_version(parent, import_crypto_key_version_request_object = execute_or_queue_command(command, &block) end + # Import wrapped key material into a CryptoKeyVersion with a trusted key. All + # requests must specify a CryptoKey. If a CryptoKeyVersion is additionally + # specified in the request, key material will be reimported into that version. + # Otherwise, a new version will be created, and will be assigned the next + # sequential id within the CryptoKey. The CryptoKeyVersion will have + # trusted_wrapping_enabled set to true. + # @param [String] parent + # Required. The name of the CryptoKey to be imported into. + # @param [Google::Apis::CloudkmsV1::ImportTrustedKeyWrappedCryptoKeyVersionRequest] import_trusted_key_wrapped_crypto_key_version_request_object + # @param [String] fields + # Selector specifying which fields to include in a partial response. + # @param [String] quota_user + # Available to use for quota purposes for server-side applications. Can be any + # arbitrary string assigned to a user, but should not exceed 40 characters. + # @param [Google::Apis::RequestOptions] options + # Request-specific options + # + # @yield [result, err] Result & error if block supplied + # @yieldparam result [Google::Apis::CloudkmsV1::CryptoKeyVersion] parsed result object + # @yieldparam err [StandardError] error object if request failed + # + # @return [Google::Apis::CloudkmsV1::CryptoKeyVersion] + # + # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried + # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification + # @raise [Google::Apis::AuthorizationError] Authorization is required + def import_trusted_key_wrapped_crypto_key_version(parent, import_trusted_key_wrapped_crypto_key_version_request_object = nil, fields: nil, quota_user: nil, options: nil, &block) + command = make_simple_command(:post, 'v1/{+parent}/cryptoKeyVersions:importTrustedKeyWrappedCryptoKeyVersion', options) + command.request_representation = Google::Apis::CloudkmsV1::ImportTrustedKeyWrappedCryptoKeyVersionRequest::Representation + command.request_object = import_trusted_key_wrapped_crypto_key_version_request_object + command.response_representation = Google::Apis::CloudkmsV1::CryptoKeyVersion::Representation + command.response_class = Google::Apis::CloudkmsV1::CryptoKeyVersion + command.params['parent'] = parent unless parent.nil? + command.query['fields'] = fields unless fields.nil? + command.query['quotaUser'] = quota_user unless quota_user.nil? + execute_or_queue_command(command, &block) + end + # Lists CryptoKeyVersions. # @param [String] parent # Required. The resource name of the CryptoKey to list, in the format `projects/*