1- // Copyright 2025 Google LLC
1+ // Copyright 2026 Google LLC
22//
33// Licensed under the Apache License, Version 2.0 (the "License");
44// you may not use this file except in compliance with the License.
@@ -22,13 +22,17 @@ import "google/api/field_behavior.proto";
2222import "google/api/resource.proto" ;
2323import "google/protobuf/timestamp.proto" ;
2424
25- option cc_enable_arenas = true ;
2625option csharp_namespace = "Google.Cloud.Kms.Inventory.V1" ;
2726option go_package = "cloud.google.com/go/kms/inventory/apiv1/inventorypb;inventorypb" ;
2827option java_multiple_files = true ;
2928option java_outer_classname = "KeyTrackingServiceProto" ;
3029option java_package = "com.google.cloud.kms.inventory.v1" ;
3130option php_namespace = "Google\\Cloud\\Kms\\Inventory\\V1" ;
31+ option (google.api.resource_definition ) = {
32+ type : "kmsinventory.googleapis.com/ProtectedResourceScope"
33+ pattern : "organizations/{organization}/protectedResourceScope"
34+ pattern : "projects/{project}/protectedResourceScope"
35+ };
3236
3337// Returns information about the resources in an org that are protected by a
3438// given Cloud KMS key via CMEK.
@@ -38,10 +42,16 @@ service KeyTrackingService {
3842 "https://www.googleapis.com/auth/cloud-platform" ;
3943
4044 // Returns aggregate information about the resources protected by the given
41- // Cloud KMS [CryptoKey][google.cloud.kms.v1.CryptoKey]. Only resources within
42- // the same Cloud organization as the key will be returned. The project that
43- // holds the key must be part of an organization in order for this call to
44- // succeed.
45+ // Cloud KMS [CryptoKey][google.cloud.kms.v1.CryptoKey]. By default,
46+ // summary of resources within the same Cloud organization as the key will be
47+ // returned, which requires the KMS organization service account to be
48+ // configured(refer
49+ // https://docs.cloud.google.com/kms/docs/view-key-usage#required-roles).
50+ // If the KMS organization service account is not configured or key's project
51+ // is not part of an organization, set
52+ // [fallback_scope][google.cloud.kms.inventory.v1.GetProtectedResourcesSummaryRequest.fallback_scope]
53+ // to `FALLBACK_SCOPE_PROJECT` to retrieve a summary of protected resources
54+ // within the key's project.
4555 rpc GetProtectedResourcesSummary (GetProtectedResourcesSummaryRequest )
4656 returns (ProtectedResourcesSummary ) {
4757 option (google.api.http ) = {
@@ -51,11 +61,15 @@ service KeyTrackingService {
5161 }
5262
5363 // Returns metadata about the resources protected by the given Cloud KMS
54- // [CryptoKey][google.cloud.kms.v1.CryptoKey] in the given Cloud organization.
64+ // [CryptoKey][google.cloud.kms.v1.CryptoKey] in the given Cloud
65+ // organization/project.
5566 rpc SearchProtectedResources (SearchProtectedResourcesRequest )
5667 returns (SearchProtectedResourcesResponse ) {
5768 option (google.api.http ) = {
5869 get : "/v1/{scope=organizations/*}/protectedResources:search"
70+ additional_bindings {
71+ get : "/v1/{scope=projects/*}/protectedResources:search"
72+ }
5973 };
6074 option (google.api.method_signature ) = "scope, crypto_key" ;
6175 }
@@ -72,10 +86,14 @@ message GetProtectedResourcesSummaryRequest {
7286 type : "kmsinventory.googleapis.com/ProtectedResourcesSummary"
7387 }
7488 ];
89+
90+ // Optional. The scope to use if the kms organization service account is not
91+ // configured.
92+ FallbackScope fallback_scope = 2 [(google.api.field_behavior ) = OPTIONAL ];
7593}
7694
7795// Aggregate information about the resources protected by a Cloud KMS key in the
78- // same Cloud organization as the key.
96+ // same Cloud organization/project as the key.
7997message ProtectedResourcesSummary {
8098 option (google.api.resource ) = {
8199 type : "kmsinventory.googleapis.com/ProtectedResourcesSummary"
@@ -104,17 +122,29 @@ message ProtectedResourcesSummary {
104122
105123 // The number of resources protected by the key grouped by region.
106124 map <string , int64 > locations = 4 ;
125+
126+ // Warning messages for the state of response
127+ // [ProtectedResourcesSummary][google.cloud.kms.inventory.v1.ProtectedResourcesSummary]
128+ // For example, if the organization service account is not configured,
129+ // INSUFFICIENT_PERMISSIONS_PARTIAL_DATA warning will be returned.
130+ repeated Warning warnings = 7 ;
107131}
108132
109133// Request message for
110134// [KeyTrackingService.SearchProtectedResources][google.cloud.kms.inventory.v1.KeyTrackingService.SearchProtectedResources].
111135message SearchProtectedResourcesRequest {
112- // Required. Resource name of the organization.
113- // Example: organizations/123
136+ // Required. A scope can be an organization or a project. Resources protected
137+ // by the crypto key in provided scope will be returned.
138+ //
139+ // The following values are allowed:
140+ //
141+ // * organizations/{ORGANIZATION_NUMBER} (e.g., "organizations/12345678")
142+ // * projects/{PROJECT_ID} (e.g., "projects/foo-bar")
143+ // * projects/{PROJECT_NUMBER} (e.g., "projects/12345678")
114144 string scope = 2 [
115145 (google.api.field_behavior ) = REQUIRED ,
116146 (google.api.resource_reference ) = {
117- type : "cloudresourcemanager .googleapis.com/Organization "
147+ child_type : "kmsinventory .googleapis.com/ProtectedResourceScope "
118148 }
119149 ];
120150
@@ -226,3 +256,50 @@ message ProtectedResource {
226256 google.protobuf.Timestamp create_time = 7
227257 [(google.api.field_behavior ) = OUTPUT_ONLY ];
228258}
259+
260+ // A warning message that indicates potential problems with the response data.
261+ message Warning {
262+ // Different types of warnings that can be returned to the user.
263+ // The display_message contains detailed information regarding the
264+ // warning_code.
265+ enum WarningCode {
266+ // Default value. This value is unused.
267+ WARNING_CODE_UNSPECIFIED = 0 ;
268+
269+ // Indicates that the caller or service agent lacks necessary permissions
270+ // to view some of the requested data. The response may be partial.
271+ // Example:
272+ // - KMS organization service agent {service_agent_name} lacks the
273+ // `cloudasset.assets.searchAllResources` permission on the scope.
274+ INSUFFICIENT_PERMISSIONS_PARTIAL_DATA = 1 ;
275+
276+ // Indicates that a resource limit has been exceeded, resulting in partial
277+ // data. Example:
278+ // - The project has more than 10,000 assets (resources,
279+ // crypto keys, key handles, IAM policies, etc).
280+ RESOURCE_LIMIT_EXCEEDED_PARTIAL_DATA = 2 ;
281+
282+ // Indicates that the project exists outside of an organization resource.
283+ // Thus the analysis is only done for the project level data and results
284+ // might be partial.
285+ ORG_LESS_PROJECT_PARTIAL_DATA = 3 ;
286+ }
287+
288+ // The specific warning code for the displayed message.
289+ WarningCode warning_code = 1 ;
290+
291+ // The literal message providing context and details about the warnings.
292+ string display_message = 2 ;
293+ }
294+
295+ // Specifies the scope to use if the organization service agent is not
296+ // configured.
297+ enum FallbackScope {
298+ // Unspecified scope type.
299+ FALLBACK_SCOPE_UNSPECIFIED = 0 ;
300+
301+ // If set to `FALLBACK_SCOPE_PROJECT`, the API will fall back to using key's
302+ // project as request scope if the kms organization service account is not
303+ // configured.
304+ FALLBACK_SCOPE_PROJECT = 1 ;
305+ }