googleapis
diff --git a/‎packages/google-cloud-kms/README.md‎
Lines changed: 4 additions & 0 deletions b/‎packages/google-cloud-kms/README.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎packages/google-cloud-kms/protos/google/cloud/kms/v1/autokey.proto‎
Lines changed: 1 addition & 1 deletion b/‎packages/google-cloud-kms/protos/google/cloud/kms/v1/autokey.proto‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎packages/google-cloud-kms/protos/google/cloud/kms/v1/autokey_admin.proto‎
Lines changed: 64 additions & 14 deletions b/‎packages/google-cloud-kms/protos/google/cloud/kms/v1/autokey_admin.proto‎
Lines changed: 64 additions & 14 deletions
diff --git a/‎packages/google-cloud-kms/protos/google/cloud/kms/v1/ekm_service.proto‎
Lines changed: 1 addition & 1 deletion b/‎packages/google-cloud-kms/protos/google/cloud/kms/v1/ekm_service.proto‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎packages/google-cloud-kms/protos/google/cloud/kms/v1/resources.proto‎
Lines changed: 62 additions & 2 deletions b/‎packages/google-cloud-kms/protos/google/cloud/kms/v1/resources.proto‎
Lines changed: 62 additions & 2 deletions
@@ -88,6 +88,8 @@ Samples are in the [`samples/`][homepage_samples] directory. Each sample's `READ
 | create key ring | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-kms/samples/generated/v1/key_management_service.create_key_ring.js) |
 | decapsulate | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-kms/samples/generated/v1/key_management_service.decapsulate.js) |
 | decrypt | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-kms/samples/generated/v1/key_management_service.decrypt.js) |
+| delete crypto key | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-kms/samples/generated/v1/key_management_service.delete_crypto_key.js) |
+| delete crypto key version | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-kms/samples/generated/v1/key_management_service.delete_crypto_key_version.js) |
 | destroy crypto key version | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-kms/samples/generated/v1/key_management_service.destroy_crypto_key_version.js) |
 | encrypt | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-kms/samples/generated/v1/key_management_service.encrypt.js) |
 | generate random bytes | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-kms/samples/generated/v1/key_management_service.generate_random_bytes.js) |
@@ -96,11 +98,13 @@ Samples are in the [`samples/`][homepage_samples] directory. Each sample's `READ
 | get import job | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-kms/samples/generated/v1/key_management_service.get_import_job.js) |
 | get key ring | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-kms/samples/generated/v1/key_management_service.get_key_ring.js) |
 | get public key | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-kms/samples/generated/v1/key_management_service.get_public_key.js) |
+| get retired resource | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-kms/samples/generated/v1/key_management_service.get_retired_resource.js) |
 | import crypto key version | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-kms/samples/generated/v1/key_management_service.import_crypto_key_version.js) |
 | list crypto key versions | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-kms/samples/generated/v1/key_management_service.list_crypto_key_versions.js) |
 | list crypto keys | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-kms/samples/generated/v1/key_management_service.list_crypto_keys.js) |
 | list import jobs | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-kms/samples/generated/v1/key_management_service.list_import_jobs.js) |
 | list key rings | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-kms/samples/generated/v1/key_management_service.list_key_rings.js) |
+| list retired resources | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-kms/samples/generated/v1/key_management_service.list_retired_resources.js) |
 | mac sign | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-kms/samples/generated/v1/key_management_service.mac_sign.js) |
 | mac verify | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-kms/samples/generated/v1/key_management_service.mac_verify.js) |
 | raw decrypt | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-kms/samples/generated/v1/key_management_service.raw_decrypt.js) |
 
@@ -1,4 +1,4 @@
-// Copyright 2025 Google LLC
+// Copyright 2026 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 
@@ -1,4 +1,4 @@
-// Copyright 2025 Google LLC
+// Copyright 2026 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -28,21 +28,23 @@ option java_outer_classname = "AutokeyAdminProto";
 option java_package = "com.google.cloud.kms.v1";
 
 // Provides interfaces for managing [Cloud KMS
-// Autokey](https://cloud.google.com/kms/help/autokey) folder-level
-// configurations. A configuration is inherited by all descendent projects. A
-// configuration at one folder overrides any other configurations in its
-// ancestry. Setting a configuration on a folder is a prerequisite for Cloud KMS
-// Autokey, so that users working in a descendant project can request
-// provisioned [CryptoKeys][google.cloud.kms.v1.CryptoKey], ready for Customer
-// Managed Encryption Key (CMEK) use, on-demand.
+// Autokey](https://cloud.google.com/kms/help/autokey) folder-level or
+// project-level configurations. A configuration is inherited by all descendent
+// folders and projects. A configuration at a folder or project overrides any
+// other configurations in its ancestry. Setting a configuration on a folder is
+// a prerequisite for Cloud KMS Autokey, so that users working in a descendant
+// project can request provisioned [CryptoKeys][google.cloud.kms.v1.CryptoKey],
+// ready for Customer Managed Encryption Key (CMEK) use, on-demand when using
+// the dedicated key project mode. This is not required when using the delegated
+// key management mode for same-project keys.
 service AutokeyAdmin {
   option (google.api.default_host) = "cloudkms.googleapis.com";
   option (google.api.oauth_scopes) =
       "https://www.googleapis.com/auth/cloud-platform,"
       "https://www.googleapis.com/auth/cloudkms";
 
-  // Updates the [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig] for a
-  // folder. The caller must have both `cloudkms.autokeyConfigs.update`
+  // Updates the [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig] for a folder
+  // or a project. The caller must have both `cloudkms.autokeyConfigs.update`
   // permission on the parent folder and `cloudkms.cryptoKeys.setIamPolicy`
   // permission on the provided key project. A
   // [KeyHandle][google.cloud.kms.v1.KeyHandle] creation in the folder's
@@ -52,15 +54,20 @@ service AutokeyAdmin {
     option (google.api.http) = {
       patch: "/v1/{autokey_config.name=folders/*/autokeyConfig}"
       body: "autokey_config"
+      additional_bindings {
+        patch: "/v1/{autokey_config.name=projects/*/autokeyConfig}"
+        body: "autokey_config"
+      }
     };
     option (google.api.method_signature) = "autokey_config,update_mask";
   }
 
-  // Returns the [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig] for a
-  // folder.
+  // Returns the [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig] for a folder
+  // or project.
   rpc GetAutokeyConfig(GetAutokeyConfigRequest) returns (AutokeyConfig) {
     option (google.api.http) = {
       get: "/v1/{name=folders/*/autokeyConfig}"
+      additional_bindings { get: "/v1/{name=projects/*/autokeyConfig}" }
     };
     option (google.api.method_signature) = "name";
   }
@@ -93,7 +100,8 @@ message UpdateAutokeyConfigRequest {
 // [GetAutokeyConfig][google.cloud.kms.v1.AutokeyAdmin.GetAutokeyConfig].
 message GetAutokeyConfigRequest {
   // Required. Name of the [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig]
-  // resource, e.g. `folders/{FOLDER_NUMBER}/autokeyConfig`.
+  // resource, e.g. `folders/{FOLDER_NUMBER}/autokeyConfig` or
+  // `projects/{PROJECT_NUMBER}/autokeyConfig`.
   string name = 1 [
     (google.api.field_behavior) = REQUIRED,
     (google.api.resource_reference) = {
@@ -107,6 +115,7 @@ message AutokeyConfig {
   option (google.api.resource) = {
     type: "cloudkms.googleapis.com/AutokeyConfig"
     pattern: "folders/{folder}/autokeyConfig"
+    pattern: "projects/{project}/autokeyConfig"
     plural: "autokeyConfigs"
     singular: "autokeyConfig"
   };
@@ -126,10 +135,45 @@ message AutokeyConfig {
     // The AutokeyConfig is not yet initialized or has been reset to its default
     // uninitialized state.
     UNINITIALIZED = 3;
+
+    // The service account lacks the necessary permissions in the key project to
+    // configure Autokey.
+    KEY_PROJECT_PERMISSION_DENIED = 4;
+  }
+
+  // Defines the resolution mode enum for the key project.
+  // The
+  // [KeyProjectResolutionMode][google.cloud.kms.v1.AutokeyConfig.KeyProjectResolutionMode]
+  // determines the mechanism by which
+  // [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig] identifies a
+  // [key_project][google.cloud.kms.v1.AutokeyConfig.key_project] at its
+  // specific configuration node. This parameter also determines if Autokey can
+  // be used within this project or folder.
+  enum KeyProjectResolutionMode {
+    // Default value. KeyProjectResolutionMode when not specified will act as
+    // `DEDICATED_KEY_PROJECT`.
+    KEY_PROJECT_RESOLUTION_MODE_UNSPECIFIED = 0;
+
+    // Keys are created in a dedicated project specified by `key_project`.
+    DEDICATED_KEY_PROJECT = 1;
+
+    // Keys are created in the same project as the resource requesting the key.
+    // The `key_project` must not be set when this mode is used.
+    RESOURCE_PROJECT = 2;
+
+    // Disables the AutokeyConfig. When this mode is set, any AutokeyConfig
+    // from higher levels in the resource hierarchy are ignored for this
+    // resource and its descendants. This setting can be overridden
+    // by a more specific configuration at a lower level. For example,
+    // if Autokey is disabled on a folder, it can be re-enabled on a sub-folder
+    // or project within that folder by setting a different mode (e.g.,
+    // DEDICATED_KEY_PROJECT or RESOURCE_PROJECT).
+    DISABLED = 3;
   }
 
   // Identifier. Name of the [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig]
-  // resource, e.g. `folders/{FOLDER_NUMBER}/autokeyConfig`.
+  // resource, e.g. `folders/{FOLDER_NUMBER}/autokeyConfig` or
+  // `projects/{PROJECT_NUMBER}/autokeyConfig`.
   string name = 1 [(google.api.field_behavior) = IDENTIFIER];
 
   // Optional. Name of the key project, e.g. `projects/{PROJECT_ID}` or
@@ -153,6 +197,12 @@ message AutokeyConfig {
   // an up-to-date value before proceeding. The request will be rejected with an
   // ABORTED error on a mismatched etag.
   string etag = 6 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. KeyProjectResolutionMode for the AutokeyConfig.
+  // Valid values are `DEDICATED_KEY_PROJECT`, `RESOURCE_PROJECT`, or
+  // `DISABLED`.
+  KeyProjectResolutionMode key_project_resolution_mode = 8
+      [(google.api.field_behavior) = OPTIONAL];
 }
 
 // Request message for
 
@@ -1,4 +1,4 @@
-// Copyright 2025 Google LLC
+// Copyright 2026 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 
@@ -490,13 +490,40 @@ message CryptoKeyVersion {
     // datatracker.ietf.org/doc/draft-connolly-cfrg-xwing-kem/.
     KEM_XWING = 63;
 
+    // The post-quantum Module-Lattice-Based Digital Signature Algorithm, at
+    // security level 1. Randomized version.
+    PQ_SIGN_ML_DSA_44 = 68;
+
     // The post-quantum Module-Lattice-Based Digital Signature Algorithm, at
     // security level 3. Randomized version.
     PQ_SIGN_ML_DSA_65 = 56;
 
+    // The post-quantum Module-Lattice-Based Digital Signature Algorithm, at
+    // security level 5. Randomized version.
+    PQ_SIGN_ML_DSA_87 = 69;
+
     // The post-quantum stateless hash-based digital signature algorithm, at
     // security level 1. Randomized version.
     PQ_SIGN_SLH_DSA_SHA2_128S = 57;
+
+    // The post-quantum stateless hash-based digital signature algorithm, at
+    // security level 1. Randomized pre-hash version supporting SHA256 digests.
+    PQ_SIGN_HASH_SLH_DSA_SHA2_128S_SHA256 = 60;
+
+    // The post-quantum Module-Lattice-Based Digital Signature Algorithm, at
+    // security level 1. Randomized version supporting externally-computed
+    // message representatives.
+    PQ_SIGN_ML_DSA_44_EXTERNAL_MU = 70;
+
+    // The post-quantum Module-Lattice-Based Digital Signature Algorithm, at
+    // security level 3. Randomized version supporting externally-computed
+    // message representatives.
+    PQ_SIGN_ML_DSA_65_EXTERNAL_MU = 67;
+
+    // The post-quantum Module-Lattice-Based Digital Signature Algorithm, at
+    // security level 5. Randomized version supporting externally-computed
+    // message representatives.
+    PQ_SIGN_ML_DSA_87_EXTERNAL_MU = 71;
   }
 
   // The state of a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion],
@@ -999,8 +1026,7 @@ message ImportJob {
   // operations are performed. Currently, this field is only populated for keys
   // stored in HSM_SINGLE_TENANT. Note, this list is non-exhaustive and may
   // apply to additional [ProtectionLevels][google.cloud.kms.v1.ProtectionLevel]
-  // in the future.
-  // Supported resources:
+  // in the future. Supported resources:
   // * `"projects/*/locations/*/singleTenantHsmInstances/*"`
   string crypto_key_backend = 11 [
     (google.api.field_behavior) = IMMUTABLE,
@@ -1040,6 +1066,40 @@ message KeyAccessJustificationsPolicy {
   repeated AccessReason allowed_access_reasons = 1;
 }
 
+// A RetiredResource resource represents the record of a deleted
+// [CryptoKey][google.cloud.kms.v1.CryptoKey]. Its purpose is to provide
+// visibility into retained user data and to prevent reuse of these names for
+// new [CryptoKeys][google.cloud.kms.v1.CryptoKey].
+message RetiredResource {
+  option (google.api.resource) = {
+    type: "cloudkms.googleapis.com/RetiredResource"
+    pattern: "projects/{project}/locations/{location}/retiredResources/{retired_resource}"
+    plural: "retiredResources"
+    singular: "retiredResource"
+  };
+
+  // Output only. Identifier. The resource name for this
+  // [RetiredResource][google.cloud.kms.v1.RetiredResource] in the format
+  // `projects/*/locations/*/retiredResources/*`.
+  string name = 1 [
+    (google.api.field_behavior) = OUTPUT_ONLY,
+    (google.api.field_behavior) = IDENTIFIER
+  ];
+
+  // Output only. The full resource name of the original
+  // [CryptoKey][google.cloud.kms.v1.CryptoKey] that was deleted in the format
+  // `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
+  string original_resource = 2 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. The resource type of the original deleted resource.
+  string resource_type = 3 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. The time at which the original resource was deleted and this
+  // RetiredResource record was created.
+  google.protobuf.Timestamp delete_time = 4
+      [(google.api.field_behavior) = OUTPUT_ONLY];
+}
+
 // [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] specifies how
 // cryptographic operations are performed. For more information, see [Protection
 // levels] (https://cloud.google.com/kms/docs/algorithms#protection_levels).
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-// Copyright 2025 Google LLC`
	`1`	`+// Copyright 2026 Google LLC`
`2`	`2`	`//`
`3`	`3`	`// Licensed under the Apache License, Version 2.0 (the "License");`
`4`	`4`	`// you may not use this file except in compliance with the License.`