@@ -202,6 +202,17 @@ message CryptoKey {
202202 (google.api.field_behavior ) = IMMUTABLE ,
203203 (google.api.resource_reference ) = { type : "*" }
204204 ];
205+
206+ // Optional. The policy used for Key Access Justifications Policy Enforcement.
207+ // If this field is present and this key is enrolled in Key Access
208+ // Justifications Policy Enforcement, the policy will be evaluated in encrypt,
209+ // decrypt, and sign operations, and the operation will fail if rejected by
210+ // the policy. The policy is defined by specifying zero or more allowed
211+ // justification codes.
212+ // https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes
213+ // By default, this field is absent, and all justification codes are allowed.
214+ KeyAccessJustificationsPolicy key_access_justifications_policy = 17
215+ [(google.api.field_behavior ) = OPTIONAL ];
205216}
206217
207218// A [CryptoKeyVersionTemplate][google.cloud.kms.v1.CryptoKeyVersionTemplate]
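Review bot: The comment on `key_access_justifications_policy` (new lines 206–215) states that an absent policy allows all justification codes but not the opposite edge: a policy that is present with an empty `allowed_access_reasons` makes every encrypt, decrypt and sign operation on the key fail, which is only documented on the policy message further down. A caller that sets this field to an empty message while meaning "no restriction" would lock the key out of all operations, so the field comment should carry that warning, e.g. `// Note: an empty policy is not the same as an absent one; an empty allowed_access_reasons list rejects all operations.` The bare URL on line 212 would also read better attached to the preceding sentence, e.g. `// justification codes (see https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes).`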
@@ -921,3 +932,84 @@ enum ProtectionLevel {
921932 // Crypto operations are performed in an EKM-over-VPC backend.
922933 EXTERNAL_VPC = 4 ;
923934}
935+
936+ // Describes the reason for a data access. Please refer to
937+ // https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes
938+ // for the detailed semantic meaning of justification reason codes.
939+ enum AccessReason {
940+ // Unspecified access reason.
941+ REASON_UNSPECIFIED = 0 ;
942+
943+ // Customer-initiated support.
944+ CUSTOMER_INITIATED_SUPPORT = 1 ;
945+
946+ // Google-initiated access for system management and troubleshooting.
947+ GOOGLE_INITIATED_SERVICE = 2 ;
948+
949+ // Google-initiated access in response to a legal request or legal process.
950+ THIRD_PARTY_DATA_REQUEST = 3 ;
951+
952+ // Google-initiated access for security, fraud, abuse, or compliance purposes.
953+ GOOGLE_INITIATED_REVIEW = 4 ;
954+
955+ // Customer uses their account to perform any access to their own data which
956+ // their IAM policy authorizes.
957+ CUSTOMER_INITIATED_ACCESS = 5 ;
958+
959+ // Google systems access customer data to help optimize the structure of the
960+ // data or quality for future uses by the customer.
961+ GOOGLE_INITIATED_SYSTEM_OPERATION = 6 ;
962+
963+ // No reason is expected for this key request.
964+ REASON_NOT_EXPECTED = 7 ;
965+
966+ // Customer uses their account to perform any access to their own data which
967+ // their IAM policy authorizes, and one of the following is true:
968+ //
969+ // * A Google administrator has reset the root-access account associated with
970+ // the user's organization within the past 7 days.
971+ // * A Google-initiated emergency access operation has interacted with a
972+ // resource in the same project or folder as the currently accessed resource
973+ // within the past 7 days.
974+ MODIFIED_CUSTOMER_INITIATED_ACCESS = 8 ;
975+
976+ // Google systems access customer data to help optimize the structure of the
977+ // data or quality for future uses by the customer, and one of the following
978+ // is true:
979+ //
980+ // * A Google administrator has reset the root-access account associated with
981+ // the user's organization within the past 7 days.
982+ // * A Google-initiated emergency access operation has interacted with a
983+ // resource in the same project or folder as the currently accessed resource
984+ // within the past 7 days.
985+ MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION = 9 ;
986+
987+ // Google-initiated access to maintain system reliability.
988+ GOOGLE_RESPONSE_TO_PRODUCTION_ALERT = 10 ;
989+
990+ // One of the following operations is being executed while simultaneously
991+ // encountering an internal technical issue which prevented a more precise
992+ // justification code from being generated:
993+ //
994+ // * Your account has been used to perform any access to your own data which
995+ // your IAM policy authorizes.
996+ // * An automated Google system operates on encrypted customer data which your
997+ // IAM policy authorizes.
998+ // * Customer-initiated Google support access.
999+ // * Google-initiated support access to protect system reliability.
1000+ CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING = 11 ;
1001+ }
1002+
1003+ // A
1004+ // [KeyAccessJustificationsPolicy][google.cloud.kms.v1.KeyAccessJustificationsPolicy]
1005+ // specifies zero or more allowed
1006+ // [AccessReason][google.cloud.kms.v1.AccessReason] values for encrypt, decrypt,
1007+ // and sign operations on a [CryptoKey][google.cloud.kms.v1.CryptoKey].
1008+ message KeyAccessJustificationsPolicy {
1009+ // The list of allowed reasons for access to a
1010+ // [CryptoKey][google.cloud.kms.v1.CryptoKey]. Zero allowed access reasons
1011+ // means all encrypt, decrypt, and sign operations for the
1012+ // [CryptoKey][google.cloud.kms.v1.CryptoKey] associated with this policy will
1013+ // fail.
1014+ repeated AccessReason allowed_access_reasons = 1 ;
1015+ }
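Review bot: The comment on `allowed_access_reasons` (lines 1009–1014) does not say whether `REASON_UNSPECIFIED` (the proto3 default, 0) may be listed, and if it may, whether a request carrying no justification is then accepted; for an allowlist that gates encrypt, decrypt and sign this is the case a reader most needs pinned down. If the service rejects such an entry, state it on the field, e.g. `// [REASON_UNSPECIFIED][google.cloud.kms.v1.AccessReason.REASON_UNSPECIFIED] is not an accepted entry.`, and otherwise document what listing it permits; the value's own comment on line 940 ("Unspecified access reason.") could point readers to that rule. Separately, the values are not prefixed with the enum name (`ACCESS_REASON_UNSPECIFIED`, `ACCESS_REASON_CUSTOMER_INITIATED_SUPPORT`, …); enum values share the enclosing package scope, so a generic name like `REASON_UNSPECIFIED` collides with any other top-level enum in `google.cloud.kms.v1` that picks the same name. The existing `ProtectionLevel` values such as `EXTERNAL_VPC` on line 933 are unprefixed too, so this follows the file's convention, but this commit is the last point at which the names can change without breaking generated code and JSON.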