
Commit 1133adb

Google APIscopybara-github
authored andcommitted
feat: Add support for project level key usage tracking
docs: Add support for project level key usage tracking PiperOrigin-RevId: 871667322
1 parent 1937a15 commit 1133adb


2 files changed

+89
-13
lines changed


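--- a/google/cloud/kms/inventory/v1/key_dashboard_service.proto
+++ b/google/cloud/kms/inventory/v1/key_dashboard_service.proto
@@ -1,4 +1,4 @@
-// Copyright 2025 Google LLC
+// Copyright 2026 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -22,7 +22,6 @@ import "google/api/field_behavior.proto";
 import "google/api/resource.proto";
 import "google/cloud/kms/v1/resources.proto";
 
-option cc_enable_arenas = true;
 option csharp_namespace = "Google.Cloud.Kms.Inventory.V1";
 option go_package = "cloud.google.com/go/kms/inventory/apiv1/inventorypb;inventorypb";
 option java_multiple_files = true;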

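--- a/google/cloud/kms/inventory/v1/key_tracking_service.proto
+++ b/google/cloud/kms/inventory/v1/key_tracking_service.proto
@@ -1,4 +1,4 @@
-// Copyright 2025 Google LLC
+// Copyright 2026 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -22,13 +22,17 @@ import "google/api/field_behavior.proto";
 import "google/api/resource.proto";
 import "google/protobuf/timestamp.proto";
 
-option cc_enable_arenas = true;
 option csharp_namespace = "Google.Cloud.Kms.Inventory.V1";
 option go_package = "cloud.google.com/go/kms/inventory/apiv1/inventorypb;inventorypb";
 option java_multiple_files = true;
 option java_outer_classname = "KeyTrackingServiceProto";
 option java_package = "com.google.cloud.kms.inventory.v1";
 option php_namespace = "Google\\Cloud\\Kms\\Inventory\\V1";
+option (google.api.resource_definition) = {
+type: "kmsinventory.googleapis.com/ProtectedResourceScope"
+pattern: "organizations/{organization}/protectedResourceScope"
+pattern: "projects/{project}/protectedResourceScope"
+};
 
 // Returns information about the resources in an org that are protected by a
 // given Cloud KMS key via CMEK.
@@ -38,10 +42,16 @@ service KeyTrackingService {
 "https://www.googleapis.com/auth/cloud-platform";
 
 // Returns aggregate information about the resources protected by the given
-// Cloud KMS [CryptoKey][google.cloud.kms.v1.CryptoKey]. Only resources within
-// the same Cloud organization as the key will be returned. The project that
-// holds the key must be part of an organization in order for this call to
-// succeed.
+// Cloud KMS [CryptoKey][google.cloud.kms.v1.CryptoKey]. By default,
+// summary of resources within the same Cloud organization as the key will be
+// returned, which requires the KMS organization service account to be
+// configured(refer
+// https://docs.cloud.google.com/kms/docs/view-key-usage#required-roles).
+// If the KMS organization service account is not configured or key's project
+// is not part of an organization, set
+// [fallback_scope][google.cloud.kms.inventory.v1.GetProtectedResourcesSummaryRequest.fallback_scope]
+// to `FALLBACK_SCOPE_PROJECT` to retrieve a summary of protected resources
+// within the key's project.
 rpc GetProtectedResourcesSummary(GetProtectedResourcesSummaryRequest)
 returns (ProtectedResourcesSummary) {
 option (google.api.http) = {
@@ -51,11 +61,15 @@ service KeyTrackingService {
 }
 
 // Returns metadata about the resources protected by the given Cloud KMS
-// [CryptoKey][google.cloud.kms.v1.CryptoKey] in the given Cloud organization.
+// [CryptoKey][google.cloud.kms.v1.CryptoKey] in the given Cloud
+// organization/project.
 rpc SearchProtectedResources(SearchProtectedResourcesRequest)
 returns (SearchProtectedResourcesResponse) {
 option (google.api.http) = {
 get: "/v1/{scope=organizations/*}/protectedResources:search"
+additional_bindings {
+get: "/v1/{scope=projects/*}/protectedResources:search"
+}
 };
 option (google.api.method_signature) = "scope, crypto_key";
 }
@@ -72,10 +86,14 @@ message GetProtectedResourcesSummaryRequest {
 type: "kmsinventory.googleapis.com/ProtectedResourcesSummary"
 }
 ];
+
+// Optional. The scope to use if the kms organization service account is not
+// configured.
+FallbackScope fallback_scope = 2 [(google.api.field_behavior) = OPTIONAL];
 }
 
 // Aggregate information about the resources protected by a Cloud KMS key in the
-// same Cloud organization as the key.
+// same Cloud organization/project as the key.
 message ProtectedResourcesSummary {
 option (google.api.resource) = {
 type: "kmsinventory.googleapis.com/ProtectedResourcesSummary"
@@ -104,17 +122,29 @@ message ProtectedResourcesSummary {
 
 // The number of resources protected by the key grouped by region.
 map<string, int64> locations = 4;
+
+// Warning messages for the state of response
+// [ProtectedResourcesSummary][google.cloud.kms.inventory.v1.ProtectedResourcesSummary]
+// For example, if the organization service account is not configured,
+// INSUFFICIENT_PERMISSIONS_PARTIAL_DATA warning will be returned.
+repeated Warning warnings = 7;
 }
 
 // Request message for
 // [KeyTrackingService.SearchProtectedResources][google.cloud.kms.inventory.v1.KeyTrackingService.SearchProtectedResources].
 message SearchProtectedResourcesRequest {
-// Required. Resource name of the organization.
-// Example: organizations/123
+// Required. A scope can be an organization or a project. Resources protected
+// by the crypto key in provided scope will be returned.
+//
+// The following values are allowed:
+//
+// * organizations/{ORGANIZATION_NUMBER} (e.g., "organizations/12345678")
+// * projects/{PROJECT_ID} (e.g., "projects/foo-bar")
+// * projects/{PROJECT_NUMBER} (e.g., "projects/12345678")
 string scope = 2 [
 (google.api.field_behavior) = REQUIRED,
 (google.api.resource_reference) = {
-type: "cloudresourcemanager.googleapis.com/Organization"
+child_type: "kmsinventory.googleapis.com/ProtectedResourceScope"
 }
 ];
 
@@ -226,3 +256,50 @@ message ProtectedResource {
 google.protobuf.Timestamp create_time = 7
 [(google.api.field_behavior) = OUTPUT_ONLY];
 }
+
+// A warning message that indicates potential problems with the response data.
+message Warning {
+// Different types of warnings that can be returned to the user.
+// The display_message contains detailed information regarding the
+// warning_code.
+enum WarningCode {
+// Default value. This value is unused.
+WARNING_CODE_UNSPECIFIED = 0;
+
+// Indicates that the caller or service agent lacks necessary permissions
+// to view some of the requested data. The response may be partial.
+// Example:
+// - KMS organization service agent {service_agent_name} lacks the
+// `cloudasset.assets.searchAllResources` permission on the scope.
+INSUFFICIENT_PERMISSIONS_PARTIAL_DATA = 1;
+
+// Indicates that a resource limit has been exceeded, resulting in partial
+// data. Example:
+// - The project has more than 10,000 assets (resources,
+// crypto keys, key handles, IAM policies, etc).
+RESOURCE_LIMIT_EXCEEDED_PARTIAL_DATA = 2;
+
+// Indicates that the project exists outside of an organization resource.
+// Thus the analysis is only done for the project level data and results
+// might be partial.
+ORG_LESS_PROJECT_PARTIAL_DATA = 3;
+}
+
+// The specific warning code for the displayed message.
+WarningCode warning_code = 1;
+
+// The literal message providing context and details about the warnings.
+string display_message = 2;
+}
+
+// Specifies the scope to use if the organization service agent is not
+// configured.
+enum FallbackScope {
+// Unspecified scope type.
+FALLBACK_SCOPE_UNSPECIFIED = 0;
+
+// If set to `FALLBACK_SCOPE_PROJECT`, the API will fall back to using key's
+// project as request scope if the kms organization service account is not
+// configured.
+FALLBACK_SCOPE_PROJECT = 1;
+}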
