googleapis
diff --git a/‎packages/google-cloud-kms/README.md‎
Lines changed: 9 additions & 0 deletions b/‎packages/google-cloud-kms/README.md‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎packages/google-cloud-kms/protos/google/cloud/kms/v1/hsm_management.proto‎
Lines changed: 1015 additions & 0 deletions b/‎packages/google-cloud-kms/protos/google/cloud/kms/v1/hsm_management.proto‎
Lines changed: 1015 additions & 0 deletions
diff --git a/‎packages/google-cloud-kms/protos/google/cloud/kms/v1/resources.proto‎
Lines changed: 35 additions & 10 deletions b/‎packages/google-cloud-kms/protos/google/cloud/kms/v1/resources.proto‎
Lines changed: 35 additions & 10 deletions
diff --git a/‎packages/google-cloud-kms/protos/google/cloud/kms/v1/service.proto‎
Lines changed: 7 additions & 1 deletion b/‎packages/google-cloud-kms/protos/google/cloud/kms/v1/service.proto‎
Lines changed: 7 additions & 1 deletion
@@ -71,6 +71,15 @@ Samples are in the [`samples/`][homepage_samples] directory. Each sample's `READ
 | update ekm config | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-kms/samples/generated/v1/ekm_service.update_ekm_config.js) |
 | update ekm connection | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-kms/samples/generated/v1/ekm_service.update_ekm_connection.js) |
 | verify connectivity | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-kms/samples/generated/v1/ekm_service.verify_connectivity.js) |
+| approve single tenant hsm instance proposal | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-kms/samples/generated/v1/hsm_management.approve_single_tenant_hsm_instance_proposal.js) |
+| create single tenant hsm instance | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-kms/samples/generated/v1/hsm_management.create_single_tenant_hsm_instance.js) |
+| create single tenant hsm instance proposal | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-kms/samples/generated/v1/hsm_management.create_single_tenant_hsm_instance_proposal.js) |
+| delete single tenant hsm instance proposal | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-kms/samples/generated/v1/hsm_management.delete_single_tenant_hsm_instance_proposal.js) |
+| execute single tenant hsm instance proposal | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-kms/samples/generated/v1/hsm_management.execute_single_tenant_hsm_instance_proposal.js) |
+| get single tenant hsm instance | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-kms/samples/generated/v1/hsm_management.get_single_tenant_hsm_instance.js) |
+| get single tenant hsm instance proposal | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-kms/samples/generated/v1/hsm_management.get_single_tenant_hsm_instance_proposal.js) |
+| list single tenant hsm instance proposals | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-kms/samples/generated/v1/hsm_management.list_single_tenant_hsm_instance_proposals.js) |
+| list single tenant hsm instances | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-kms/samples/generated/v1/hsm_management.list_single_tenant_hsm_instances.js) |
 | asymmetric decrypt | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-kms/samples/generated/v1/key_management_service.asymmetric_decrypt.js) |
 | asymmetric sign | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-kms/samples/generated/v1/key_management_service.asymmetric_sign.js) |
 | create crypto key | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-kms/samples/generated/v1/key_management_service.create_crypto_key.js) |
 
@@ -1,4 +1,4 @@
-// Copyright 2025 Google LLC
+// Copyright 2026 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -29,6 +29,8 @@ option java_outer_classname = "KmsResourcesProto";
 option java_package = "com.google.cloud.kms.v1";
 option php_namespace = "Google\\Cloud\\Kms\\V1";
 
+// LINT: LEGACY_NAMES
+
 // A [KeyRing][google.cloud.kms.v1.KeyRing] is a toplevel logical grouping of
 // [CryptoKeys][google.cloud.kms.v1.CryptoKey].
 message KeyRing {
@@ -200,7 +202,12 @@ message CryptoKey {
   // if [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] have a
   // [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of
   // [EXTERNAL_VPC][google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC], with the
-  // resource name in the format `projects/*/locations/*/ekmConnections/*`.
+  // resource name in the format `projects/*/locations/*/ekmConnections/*`. Only
+  // applicable if [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]
+  // have a [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of
+  // [HSM_SINGLE_TENANT][google.cloud.kms.v1.ProtectionLevel.HSM_SINGLE_TENANT],
+  // with the resource name in the format
+  // `projects/*/locations/*/singleTenantHsmInstances/*`.
   // Note, this list is non-exhaustive and may apply to additional
   // [ProtectionLevels][google.cloud.kms.v1.ProtectionLevel] in the future.
   string crypto_key_backend = 15 [
@@ -986,6 +993,19 @@ message ImportJob {
   // protection level of [HSM][google.cloud.kms.v1.ProtectionLevel.HSM].
   KeyOperationAttestation attestation = 8
       [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Immutable. The resource name of the backend environment where the key
+  // material for the wrapping key resides and where all related cryptographic
+  // operations are performed. Currently, this field is only populated for keys
+  // stored in HSM_SINGLE_TENANT. Note, this list is non-exhaustive and may
+  // apply to additional [ProtectionLevels][google.cloud.kms.v1.ProtectionLevel]
+  // in the future.
+  // Supported resources:
+  // * `"projects/*/locations/*/singleTenantHsmInstances/*"`
+  string crypto_key_backend = 11 [
+    (google.api.field_behavior) = IMMUTABLE,
+    (google.api.resource_reference) = { type: "*" }
+  ];
 }
 
 // ExternalProtectionLevelOptions stores a group of additional fields for
@@ -1038,6 +1058,9 @@ enum ProtectionLevel {
 
   // Crypto operations are performed in an EKM-over-VPC backend.
   EXTERNAL_VPC = 4;
+
+  // Crypto operations are performed in a single-tenant HSM.
+  HSM_SINGLE_TENANT = 5;
 }
 
 // Describes the reason for a data access. Please refer to
@@ -1070,10 +1093,11 @@ enum AccessReason {
   // No reason is expected for this key request.
   REASON_NOT_EXPECTED = 7;
 
-  // Deprecated: This code is no longer generated by Google Cloud. The
-  // GOOGLE_RESPONSE_TO_PRODUCTION_ALERT justification codes available in both
-  // Key Access Justifications and Access Transparency logs provide
-  // customer-visible signals of emergency access in more precise contexts.
+  // Deprecated: This code is no longer generated by
+  // Google Cloud. The GOOGLE_RESPONSE_TO_PRODUCTION_ALERT justification codes
+  // available in both Key Access Justifications and Access Transparency logs
+  // provide customer-visible signals of emergency access in more precise
+  // contexts.
   //
   // Customer uses their account to perform any access to their own data which
   // their IAM policy authorizes, and one of the following is true:
@@ -1085,10 +1109,11 @@ enum AccessReason {
   //   within the past 7 days.
   MODIFIED_CUSTOMER_INITIATED_ACCESS = 8 [deprecated = true];
 
-  // Deprecated: This code is no longer generated by Google Cloud. The
-  // GOOGLE_RESPONSE_TO_PRODUCTION_ALERT justification codes available in both
-  // Key Access Justifications and Access Transparency logs provide
-  // customer-visible signals of emergency access in more precise contexts.
+  // Deprecated: This code is no longer generated by
+  // Google Cloud. The GOOGLE_RESPONSE_TO_PRODUCTION_ALERT justification codes
+  // available in both Key Access Justifications and Access Transparency logs
+  // provide customer-visible signals of emergency access in more precise
+  // contexts.
   //
   // Google systems access customer data to help optimize the structure of the
   // data or quality for future uses by the customer, and one of the following
 
@@ -1,4 +1,4 @@
-// Copyright 2025 Google LLC
+// Copyright 2026 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -2205,4 +2205,10 @@ message LocationMetadata {
   // [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] can be created in
   // this location.
   bool ekm_available = 2;
+
+  // Indicates whether [CryptoKeys][google.cloud.kms.v1.CryptoKey] with
+  // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]
+  // [HSM_SINGLE_TENANT][google.cloud.kms.v1.ProtectionLevel.HSM_SINGLE_TENANT]
+  // can be created in this location.
+  bool hsm_single_tenant_available = 3;
 }