Skip to content

Commit e5b8ffa

Browse files
Google APIscopybara-github
Google APIs
authored and
copybara-github
committed
feat: add client library for KMS Autokey service, which enables automated KMS key provision and management
PiperOrigin-RevId: 631565226
1 parent f059e8f commit e5b8ffa

5 files changed

Lines changed: 387 additions & 0 deletions

File tree

google/cloud/kms/v1/BUILD.bazel

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -24,6 +24,8 @@ load("@rules_proto//proto:defs.bzl", "proto_library")
2424
proto_library(
2525
name = "kms_proto",
2626
srcs = [
27+
"autokey.proto",
28+
"autokey_admin.proto",
2729
"ekm_service.proto",
2830
"resources.proto",
2931
"service.proto",
@@ -99,6 +101,10 @@ java_gapic_library(
99101
java_gapic_test(
100102
name = "kms_java_gapic_test_suite",
101103
test_classes = [
104+
"com.google.cloud.kms.v1.AutokeyAdminClientHttpJsonTest",
105+
"com.google.cloud.kms.v1.AutokeyAdminClientTest",
106+
"com.google.cloud.kms.v1.AutokeyClientHttpJsonTest",
107+
"com.google.cloud.kms.v1.AutokeyClientTest",
102108
"com.google.cloud.kms.v1.EkmServiceClientHttpJsonTest",
103109
"com.google.cloud.kms.v1.EkmServiceClientTest",
104110
"com.google.cloud.kms.v1.KeyManagementServiceClientHttpJsonTest",

google/cloud/kms/v1/autokey.proto

Lines changed: 194 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,194 @@
1+
// Copyright 2024 Google LLC
2+
//
3+
// Licensed under the Apache License, Version 2.0 (the "License");
4+
// you may not use this file except in compliance with the License.
5+
// You may obtain a copy of the License at
6+
//
7+
// http://www.apache.org/licenses/LICENSE-2.0
8+
//
9+
// Unless required by applicable law or agreed to in writing, software
10+
// distributed under the License is distributed on an "AS IS" BASIS,
11+
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12+
// See the License for the specific language governing permissions and
13+
// limitations under the License.
14+
15+
syntax = "proto3";
16+
17+
package google.cloud.kms.v1;
18+
19+
import "google/api/annotations.proto";
20+
import "google/api/client.proto";
21+
import "google/api/field_behavior.proto";
22+
import "google/api/resource.proto";
23+
import "google/longrunning/operations.proto";
24+
25+
option go_package = "cloud.google.com/go/kms/apiv1/kmspb;kmspb";
26+
option java_multiple_files = true;
27+
option java_outer_classname = "AutokeyProto";
28+
option java_package = "com.google.cloud.kms.v1";
29+
30+
// Provides interfaces for using Cloud KMS Autokey to provision new
31+
// [CryptoKeys][google.cloud.kms.v1.CryptoKey], ready for Customer Managed
32+
// Encryption Key (CMEK) use, on-demand. To support certain client tooling, this
33+
// feature is modeled around a [KeyHandle][google.cloud.kms.v1.KeyHandle]
34+
// resource: creating a [KeyHandle][google.cloud.kms.v1.KeyHandle] in a resource
35+
// project and given location triggers Cloud KMS Autokey to provision a
36+
// [CryptoKey][google.cloud.kms.v1.CryptoKey] in the configured key project and
37+
// the same location.
38+
//
39+
// Prior to use in a given resource project,
40+
// [UpdateAutokeyConfig][google.cloud.kms.v1.AutokeyAdmin.UpdateAutokeyConfig]
41+
// should have been called on an ancestor folder, setting the key project where
42+
// Cloud KMS Autokey should create new
43+
// [CryptoKeys][google.cloud.kms.v1.CryptoKey]. See documentation for additional
44+
// prerequisites. To check what key project, if any, is currently configured on
45+
// a resource project's ancestor folder, see
46+
// [ShowEffectiveAutokeyConfig][google.cloud.kms.v1.AutokeyAdmin.ShowEffectiveAutokeyConfig].
47+
service Autokey {
48+
option (google.api.default_host) = "cloudkms.googleapis.com";
49+
option (google.api.oauth_scopes) =
50+
"https://www.googleapis.com/auth/cloud-platform,"
51+
"https://www.googleapis.com/auth/cloudkms";
52+
53+
// Creates a new [KeyHandle][google.cloud.kms.v1.KeyHandle], triggering the
54+
// provisioning of a new [CryptoKey][google.cloud.kms.v1.CryptoKey] for CMEK
55+
// use with the given resource type in the configured key project and the same
56+
// location. [GetOperation][Operations.GetOperation] should be used to resolve
57+
// the resulting long-running operation and get the resulting
58+
// [KeyHandle][google.cloud.kms.v1.KeyHandle] and
59+
// [CryptoKey][google.cloud.kms.v1.CryptoKey].
60+
rpc CreateKeyHandle(CreateKeyHandleRequest)
61+
returns (google.longrunning.Operation) {
62+
option (google.api.http) = {
63+
post: "/v1/{parent=projects/*/locations/*}/keyHandles"
64+
body: "key_handle"
65+
};
66+
option (google.api.method_signature) = "parent,key_handle,key_handle_id";
67+
option (google.longrunning.operation_info) = {
68+
response_type: "KeyHandle"
69+
metadata_type: "CreateKeyHandleMetadata"
70+
};
71+
}
72+
73+
// Returns the [KeyHandle][google.cloud.kms.v1.KeyHandle].
74+
rpc GetKeyHandle(GetKeyHandleRequest) returns (KeyHandle) {
75+
option (google.api.http) = {
76+
get: "/v1/{name=projects/*/locations/*/keyHandles/*}"
77+
};
78+
option (google.api.method_signature) = "name";
79+
}
80+
81+
// Lists [KeyHandles][google.cloud.kms.v1.KeyHandle].
82+
rpc ListKeyHandles(ListKeyHandlesRequest) returns (ListKeyHandlesResponse) {
83+
option (google.api.http) = {
84+
get: "/v1/{parent=projects/*/locations/*}/keyHandles"
85+
};
86+
option (google.api.method_signature) = "parent";
87+
}
88+
}
89+
90+
// Request message for
91+
// [Autokey.CreateKeyHandle][google.cloud.kms.v1.Autokey.CreateKeyHandle].
92+
message CreateKeyHandleRequest {
93+
// Required. Name of the resource project and location to create the
94+
// [KeyHandle][google.cloud.kms.v1.KeyHandle] in, e.g.
95+
// `projects/{PROJECT_ID}/locations/{LOCATION}`.
96+
string parent = 1 [
97+
(google.api.field_behavior) = REQUIRED,
98+
(google.api.resource_reference) = {
99+
type: "locations.googleapis.com/Location"
100+
}
101+
];
102+
103+
// Optional. Id of the [KeyHandle][google.cloud.kms.v1.KeyHandle]. Must be
104+
// unique to the resource project and location. If not provided by the caller,
105+
// a new UUID is used.
106+
string key_handle_id = 2 [(google.api.field_behavior) = OPTIONAL];
107+
108+
// Required. [KeyHandle][google.cloud.kms.v1.KeyHandle] to create.
109+
KeyHandle key_handle = 3 [(google.api.field_behavior) = REQUIRED];
110+
}
111+
112+
// Request message for [GetKeyHandle][google.cloud.kms.v1.Autokey.GetKeyHandle].
113+
message GetKeyHandleRequest {
114+
// Required. Name of the [KeyHandle][google.cloud.kms.v1.KeyHandle] resource,
115+
// e.g.
116+
// `projects/{PROJECT_ID}/locations/{LOCATION}/keyHandles/{KEY_HANDLE_ID}`.
117+
string name = 1 [
118+
(google.api.field_behavior) = REQUIRED,
119+
(google.api.resource_reference) = {
120+
type: "cloudkms.googleapis.com/KeyHandle"
121+
}
122+
];
123+
}
124+
125+
// Resource-oriented representation of a request to Cloud KMS Autokey and the
126+
// resulting provisioning of a [CryptoKey][google.cloud.kms.v1.CryptoKey].
127+
message KeyHandle {
128+
option (google.api.resource) = {
129+
type: "cloudkms.googleapis.com/KeyHandle"
130+
pattern: "projects/{project}/locations/{location}/keyHandles/{key_handle}"
131+
plural: "keyHandles"
132+
singular: "keyHandle"
133+
};
134+
135+
// Identifier. Name of the [KeyHandle][google.cloud.kms.v1.KeyHandle]
136+
// resource, e.g.
137+
// `projects/{PROJECT_ID}/locations/{LOCATION}/keyHandles/{KEY_HANDLE_ID}`.
138+
string name = 1 [(google.api.field_behavior) = IDENTIFIER];
139+
140+
// Output only. Name of a [CryptoKey][google.cloud.kms.v1.CryptoKey] that has
141+
// been provisioned for Customer Managed Encryption Key (CMEK) use in the
142+
// [KeyHandle][google.cloud.kms.v1.KeyHandle] project and location for the
143+
// requested resource type. The [CryptoKey][google.cloud.kms.v1.CryptoKey]
144+
// project will reflect the value configured in the
145+
// [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig] on the resource
146+
// project's ancestor folder at the time of the
147+
// [KeyHandle][google.cloud.kms.v1.KeyHandle] creation. If more than one
148+
// ancestor folder has a configured
149+
// [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig], the nearest of these
150+
// configurations is used.
151+
string kms_key = 3 [
152+
(google.api.field_behavior) = OUTPUT_ONLY,
153+
(google.api.resource_reference) = {
154+
type: "cloudkms.googleapis.com/CryptoKey"
155+
}
156+
];
157+
158+
// Required. Indicates the resource type that the resulting
159+
// [CryptoKey][google.cloud.kms.v1.CryptoKey] is meant to protect, e.g.
160+
// `{SERVICE}.googleapis.com/{TYPE}`. See documentation for supported resource
161+
// types.
162+
string resource_type_selector = 4 [(google.api.field_behavior) = REQUIRED];
163+
}
164+
165+
// Metadata message for
166+
// [CreateKeyHandle][google.cloud.kms.v1.Autokey.CreateKeyHandle] long-running
167+
// operation response.
168+
message CreateKeyHandleMetadata {}
169+
170+
// Request message for
171+
// [Autokey.ListKeyHandles][google.cloud.kms.v1.Autokey.ListKeyHandles].
172+
message ListKeyHandlesRequest {
173+
// Required. Name of the resource project and location from which to list
174+
// [KeyHandles][google.cloud.kms.v1.KeyHandle], e.g.
175+
// `projects/{PROJECT_ID}/locations/{LOCATION}`.
176+
string parent = 1 [
177+
(google.api.field_behavior) = REQUIRED,
178+
(google.api.resource_reference) = {
179+
type: "locations.googleapis.com/Location"
180+
}
181+
];
182+
183+
// Optional. Filter to apply when listing
184+
// [KeyHandles][google.cloud.kms.v1.KeyHandle], e.g.
185+
// `resource_type_selector="{SERVICE}.googleapis.com/{TYPE}"`.
186+
string filter = 4 [(google.api.field_behavior) = OPTIONAL];
187+
}
188+
189+
// Response message for
190+
// [Autokey.ListKeyHandles][google.cloud.kms.v1.Autokey.ListKeyHandles].
191+
message ListKeyHandlesResponse {
192+
// Resulting [KeyHandles][google.cloud.kms.v1.KeyHandle].
193+
repeated KeyHandle key_handles = 1;
194+
}

google/cloud/kms/v1/autokey_admin.proto

Lines changed: 151 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,151 @@
1+
// Copyright 2024 Google LLC
2+
//
3+
// Licensed under the Apache License, Version 2.0 (the "License");
4+
// you may not use this file except in compliance with the License.
5+
// You may obtain a copy of the License at
6+
//
7+
// http://www.apache.org/licenses/LICENSE-2.0
8+
//
9+
// Unless required by applicable law or agreed to in writing, software
10+
// distributed under the License is distributed on an "AS IS" BASIS,
11+
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12+
// See the License for the specific language governing permissions and
13+
// limitations under the License.
14+
15+
syntax = "proto3";
16+
17+
package google.cloud.kms.v1;
18+
19+
import "google/api/annotations.proto";
20+
import "google/api/client.proto";
21+
import "google/api/field_behavior.proto";
22+
import "google/api/resource.proto";
23+
import "google/protobuf/field_mask.proto";
24+
25+
option go_package = "cloud.google.com/go/kms/apiv1/kmspb;kmspb";
26+
option java_multiple_files = true;
27+
option java_outer_classname = "AutokeyAdminProto";
28+
option java_package = "com.google.cloud.kms.v1";
29+
30+
// Provides interfaces for managing Cloud KMS Autokey folder-level
31+
// configurations. A configuration is inherited by all descendent projects. A
32+
// configuration at one folder overrides any other configurations in its
33+
// ancestry. Setting a configuration on a folder is a prerequisite for Cloud KMS
34+
// Autokey, so that users working in a descendant project can request
35+
// provisioned [CryptoKeys][google.cloud.kms.v1.CryptoKey], ready for Customer
36+
// Managed Encryption Key (CMEK) use, on-demand.
37+
service AutokeyAdmin {
38+
option (google.api.default_host) = "cloudkms.googleapis.com";
39+
option (google.api.oauth_scopes) =
40+
"https://www.googleapis.com/auth/cloud-platform,"
41+
"https://www.googleapis.com/auth/cloudkms";
42+
43+
// Updates the [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig] for a
44+
// folder. The caller must have both `cloudkms.autokeyConfigs.update`
45+
// permission on the parent folder and `cloudkms.cryptoKeys.setIamPolicy`
46+
// permission on the provided key project. A
47+
// [KeyHandle][google.cloud.kms.v1.KeyHandle] creation in the folder's
48+
// descendant projects will use this configuration to determine where to
49+
// create the resulting [CryptoKey][google.cloud.kms.v1.CryptoKey].
50+
rpc UpdateAutokeyConfig(UpdateAutokeyConfigRequest) returns (AutokeyConfig) {
51+
option (google.api.http) = {
52+
patch: "/v1/{autokey_config.name=folders/*/autokeyConfig}"
53+
body: "autokey_config"
54+
};
55+
option (google.api.method_signature) = "autokey_config,update_mask";
56+
}
57+
58+
// Returns the [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig] for a
59+
// folder.
60+
rpc GetAutokeyConfig(GetAutokeyConfigRequest) returns (AutokeyConfig) {
61+
option (google.api.http) = {
62+
get: "/v1/{name=folders/*/autokeyConfig}"
63+
};
64+
option (google.api.method_signature) = "name";
65+
}
66+
67+
// Returns the effective Cloud KMS Autokey configuration for a given project.
68+
rpc ShowEffectiveAutokeyConfig(ShowEffectiveAutokeyConfigRequest)
69+
returns (ShowEffectiveAutokeyConfigResponse) {
70+
option (google.api.http) = {
71+
get: "/v1/{parent=projects/*}:showEffectiveAutokeyConfig"
72+
};
73+
option (google.api.method_signature) = "parent";
74+
}
75+
}
76+
77+
// Request message for
78+
// [UpdateAutokeyConfig][google.cloud.kms.v1.AutokeyAdmin.UpdateAutokeyConfig].
79+
message UpdateAutokeyConfigRequest {
80+
// Required. [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig] with values to
81+
// update.
82+
AutokeyConfig autokey_config = 1 [(google.api.field_behavior) = REQUIRED];
83+
84+
// Required. Masks which fields of the
85+
// [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig] to update, e.g.
86+
// `keyProject`.
87+
google.protobuf.FieldMask update_mask = 2
88+
[(google.api.field_behavior) = REQUIRED];
89+
}
90+
91+
// Request message for
92+
// [GetAutokeyConfig][google.cloud.kms.v1.AutokeyAdmin.GetAutokeyConfig].
93+
message GetAutokeyConfigRequest {
94+
// Required. Name of the [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig]
95+
// resource, e.g. `folders/{FOLDER_NUMBER}/autokeyConfig`.
96+
string name = 1 [
97+
(google.api.field_behavior) = REQUIRED,
98+
(google.api.resource_reference) = {
99+
type: "cloudkms.googleapis.com/AutokeyConfig"
100+
}
101+
];
102+
}
103+
104+
// Cloud KMS Autokey configuration for a folder.
105+
message AutokeyConfig {
106+
option (google.api.resource) = {
107+
type: "cloudkms.googleapis.com/AutokeyConfig"
108+
pattern: "folders/{folder}/autokeyConfig"
109+
plural: "autokeyConfigs"
110+
singular: "autokeyConfig"
111+
};
112+
113+
// Identifier. Name of the [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig]
114+
// resource, e.g. `folders/{FOLDER_NUMBER}/autokeyConfig`.
115+
string name = 1 [(google.api.field_behavior) = IDENTIFIER];
116+
117+
// Optional. Name of the key project, e.g. `projects/{PROJECT_ID}` or
118+
// `projects/{PROJECT_NUMBER}`, where Cloud KMS Autokey will provision a new
119+
// [CryptoKey][google.cloud.kms.v1.CryptoKey] when a
120+
// [KeyHandle][google.cloud.kms.v1.KeyHandle] is created. On
121+
// [UpdateAutokeyConfig][google.cloud.kms.v1.AutokeyAdmin.UpdateAutokeyConfig],
122+
// the caller will require `cloudkms.cryptoKeys.setIamPolicy` permission on
123+
// this key project. Once configured, for Cloud KMS Autokey to function
124+
// properly, this key project must have the Cloud KMS API activated and the
125+
// Cloud KMS Service Agent for this key project must be granted the
126+
// `cloudkms.admin` role (or pertinent permissions). A request with an empty
127+
// key project field will clear the configuration.
128+
string key_project = 2 [(google.api.field_behavior) = OPTIONAL];
129+
}
130+
131+
// Request message for
132+
// [ShowEffectiveAutokeyConfig][google.cloud.kms.v1.AutokeyAdmin.ShowEffectiveAutokeyConfig].
133+
message ShowEffectiveAutokeyConfigRequest {
134+
// Required. Name of the resource project to the show effective Cloud KMS
135+
// Autokey configuration for. This may be helpful for interrogating the effect
136+
// of nested folder configurations on a given resource project.
137+
string parent = 1 [
138+
(google.api.field_behavior) = REQUIRED,
139+
(google.api.resource_reference) = {
140+
type: "cloudresourcemanager.googleapis.com/Project"
141+
}
142+
];
143+
}
144+
145+
// Response message for
146+
// [ShowEffectiveAutokeyConfig][google.cloud.kms.v1.AutokeyAdmin.ShowEffectiveAutokeyConfig].
147+
message ShowEffectiveAutokeyConfigResponse {
148+
// Name of the key project configured in the resource project's folder
149+
// ancestry.
150+
string key_project = 1;
151+
}

0 commit comments

Comments
 (0)