@@ -204,6 +204,13 @@ message Parameter {
204204 // resource.
205205 google.iam.v1.ResourcePolicyMember policy_member = 6
206206 [(google.api.field_behavior ) = OUTPUT_ONLY ];
207+
208+ // Optional. Customer managed encryption key (CMEK) to use for encrypting the
209+ // Parameter Versions. If not set, the default Google-managed encryption key
210+ // will be used. Cloud KMS CryptoKeys must reside in the same location as the
211+ // Parameter. The expected format is
212+ // `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
213+ optional string kms_key = 7 [(google.api.field_behavior ) = OPTIONAL ];
207214}
208215
209216// Message for requesting list of Parameters
@@ -390,6 +397,15 @@ message ParameterVersion {
390397 (google.api.field_behavior ) = REQUIRED ,
391398 (google.api.field_behavior ) = IMMUTABLE
392399 ];
400+
401+ // Optional. Output only. [Output only] The resource name of the KMS key
402+ // version used to encrypt the ParameterVersion payload. This field is
403+ // populated only if the Parameter resource has customer managed encryption
404+ // key (CMEK) configured.
405+ optional string kms_key_version = 6 [
406+ (google.api.field_behavior ) = OUTPUT_ONLY ,
407+ (google.api.field_behavior ) = OPTIONAL
408+ ];
393409}
394410
395411// Message for storing a ParameterVersion resource's payload data
@@ -480,7 +496,7 @@ message RenderParameterVersionResponse {
480496
481497 // Output only. Server generated rendered version of the user provided payload
482498 // data (ParameterVersionPayload) which has substitutions of all (if any)
483- // references to a SecretManager SecretVersion resources. This substituion
499+ // references to a SecretManager SecretVersion resources. This substitution
484500 // only works for a Parameter which is in JSON or YAML format.
485501 bytes rendered_payload = 3 [(google.api.field_behavior ) = OUTPUT_ONLY ];
486502}
0 commit comments