@@ -21,7 +21,6 @@ import "google/api/client.proto";
2121import "google/api/field_behavior.proto" ;
2222import "google/api/resource.proto" ;
2323import "google/longrunning/operations.proto" ;
24- import "google/protobuf/duration.proto" ;
2524import "google/protobuf/empty.proto" ;
2625import "google/protobuf/field_mask.proto" ;
2726import "google/protobuf/timestamp.proto" ;
@@ -34,7 +33,6 @@ option java_outer_classname = "LoggingConfigProto";
3433option java_package = "com.google.logging.v2" ;
3534option php_namespace = "Google\\Cloud\\Logging\\V2" ;
3635option ruby_package = "Google::Cloud::Logging::V2" ;
37-
3836option (google.api.resource_definition ) = {
3937 type : "logging.googleapis.com/OrganizationLocation"
4038 pattern : "organizations/{organization}/locations/{location}"
@@ -47,6 +45,7 @@ option (google.api.resource_definition) = {
4745 type : "logging.googleapis.com/BillingAccountLocation"
4846 pattern : "billingAccounts/{billing_account}/locations/{location}"
4947};
48+
5049// Service for configuring sinks used to route log entries.
5150service ConfigServiceV2 {
5251 option (google.api.default_host ) = "logging.googleapis.com" ;
@@ -1807,6 +1806,49 @@ message Settings {
18071806 // Output only. The resource name of the settings.
18081807 string name = 1 [(google.api.field_behavior ) = OUTPUT_ONLY ];
18091808
1809+ // Optional. The resource name for the configured Cloud KMS key.
1810+ //
1811+ // KMS key name format:
1812+ //
1813+ // "projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEYRING]/cryptoKeys/[KEY]"
1814+ //
1815+ // For example:
1816+ //
1817+ // `"projects/my-project/locations/us-central1/keyRings/my-ring/cryptoKeys/my-key"`
1818+ //
1819+ //
1820+ //
1821+ // To enable CMEK for the Log Router, set this field to a valid
1822+ // `kms_key_name` for which the associated service account has the required
1823+ // `roles/cloudkms.cryptoKeyEncrypterDecrypter` role assigned for the key.
1824+ //
1825+ // The Cloud KMS key used by the Log Router can be updated by changing the
1826+ // `kms_key_name` to a new valid key name. Encryption operations that are in
1827+ // progress will be completed with the key that was in use when they started.
1828+ // Decryption operations will be completed using the key that was used at the
1829+ // time of encryption unless access to that key has been revoked.
1830+ //
1831+ // To disable CMEK for the Log Router, set this field to an empty string.
1832+ //
1833+ // See [Enabling CMEK for Log
1834+ // Router](https://cloud.google.com/logging/docs/routing/managed-encryption)
1835+ // for more information.
1836+ string kms_key_name = 2 [(google.api.field_behavior ) = OPTIONAL ];
1837+
1838+ // Output only. The service account that will be used by the Log Router to access your
1839+ // Cloud KMS key.
1840+ //
1841+ // Before enabling CMEK for Log Router, you must first assign the role
1842+ // `roles/cloudkms.cryptoKeyEncrypterDecrypter` to the service account that
1843+ // the Log Router will use to access your Cloud KMS key. Use
1844+ // [GetSettings][google.logging.v2.ConfigServiceV2.GetSettings] to
1845+ // obtain the service account ID.
1846+ //
1847+ // See [Enabling CMEK for Log
1848+ // Router](https://cloud.google.com/logging/docs/routing/managed-encryption)
1849+ // for more information.
1850+ string kms_service_account_id = 3 [(google.api.field_behavior ) = OUTPUT_ONLY ];
1851+
18101852 // Optional. The Cloud region that will be used for _Default and _Required log buckets
18111853 // for newly created projects and folders. For example `europe-west1`.
18121854 // This setting does not affect the location of custom log buckets.
0 commit comments