1. Packages
  2. Google Cloud (GCP) Classic
  3. API Docs
  4. kms
  5. getKMSCryptoKey
Google Cloud v8.23.0 published on Monday, Mar 24, 2025 by Pulumi

gcp.kms.getKMSCryptoKey

Explore with Pulumi AI

Google Cloud v8.23.0 published on Monday, Mar 24, 2025 by Pulumi

Provides access to a Google Cloud Platform KMS CryptoKey. For more information see the official documentation and API.

A CryptoKey is an interface to key material which can be used to encrypt and decrypt data. A CryptoKey belongs to a Google Cloud KMS KeyRing.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const myKeyRing = gcp.kms.getKMSKeyRing({
    name: "my-key-ring",
    location: "us-central1",
});
const myCryptoKey = myKeyRing.then(myKeyRing => gcp.kms.getKMSCryptoKey({
    name: "my-crypto-key",
    keyRing: myKeyRing.id,
}));
Copy
import pulumi
import pulumi_gcp as gcp

my_key_ring = gcp.kms.get_kms_key_ring(name="my-key-ring",
    location="us-central1")
my_crypto_key = gcp.kms.get_kms_crypto_key(name="my-crypto-key",
    key_ring=my_key_ring.id)
Copy
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/kms"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		myKeyRing, err := kms.GetKMSKeyRing(ctx, &kms.GetKMSKeyRingArgs{
			Name:     "my-key-ring",
			Location: "us-central1",
		}, nil)
		if err != nil {
			return err
		}
		_, err = kms.GetKMSCryptoKey(ctx, &kms.GetKMSCryptoKeyArgs{
			Name:    "my-crypto-key",
			KeyRing: myKeyRing.Id,
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var myKeyRing = Gcp.Kms.GetKMSKeyRing.Invoke(new()
    {
        Name = "my-key-ring",
        Location = "us-central1",
    });

    var myCryptoKey = Gcp.Kms.GetKMSCryptoKey.Invoke(new()
    {
        Name = "my-crypto-key",
        KeyRing = myKeyRing.Apply(getKMSKeyRingResult => getKMSKeyRingResult.Id),
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.kms.KmsFunctions;
import com.pulumi.gcp.kms.inputs.GetKMSKeyRingArgs;
import com.pulumi.gcp.kms.inputs.GetKMSCryptoKeyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var myKeyRing = KmsFunctions.getKMSKeyRing(GetKMSKeyRingArgs.builder()
            .name("my-key-ring")
            .location("us-central1")
            .build());

        final var myCryptoKey = KmsFunctions.getKMSCryptoKey(GetKMSCryptoKeyArgs.builder()
            .name("my-crypto-key")
            .keyRing(myKeyRing.applyValue(getKMSKeyRingResult -> getKMSKeyRingResult.id()))
            .build());

    }
}
Copy
variables:
  myKeyRing:
    fn::invoke:
      function: gcp:kms:getKMSKeyRing
      arguments:
        name: my-key-ring
        location: us-central1
  myCryptoKey:
    fn::invoke:
      function: gcp:kms:getKMSCryptoKey
      arguments:
        name: my-crypto-key
        keyRing: ${myKeyRing.id}
Copy

Using getKMSCryptoKey

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

function getKMSCryptoKey(args: GetKMSCryptoKeyArgs, opts?: InvokeOptions): Promise<GetKMSCryptoKeyResult>
function getKMSCryptoKeyOutput(args: GetKMSCryptoKeyOutputArgs, opts?: InvokeOptions): Output<GetKMSCryptoKeyResult>
Copy
def get_kms_crypto_key(key_ring: Optional[str] = None,
                       name: Optional[str] = None,
                       opts: Optional[InvokeOptions] = None) -> GetKMSCryptoKeyResult
def get_kms_crypto_key_output(key_ring: Optional[pulumi.Input[str]] = None,
                       name: Optional[pulumi.Input[str]] = None,
                       opts: Optional[InvokeOptions] = None) -> Output[GetKMSCryptoKeyResult]
Copy
func GetKMSCryptoKey(ctx *Context, args *GetKMSCryptoKeyArgs, opts ...InvokeOption) (*GetKMSCryptoKeyResult, error)
func GetKMSCryptoKeyOutput(ctx *Context, args *GetKMSCryptoKeyOutputArgs, opts ...InvokeOption) GetKMSCryptoKeyResultOutput
Copy

> Note: This function is named GetKMSCryptoKey in the Go SDK.

public static class GetKMSCryptoKey 
{
    public static Task<GetKMSCryptoKeyResult> InvokeAsync(GetKMSCryptoKeyArgs args, InvokeOptions? opts = null)
    public static Output<GetKMSCryptoKeyResult> Invoke(GetKMSCryptoKeyInvokeArgs args, InvokeOptions? opts = null)
}
Copy
public static CompletableFuture<GetKMSCryptoKeyResult> getKMSCryptoKey(GetKMSCryptoKeyArgs args, InvokeOptions options)
public static Output<GetKMSCryptoKeyResult> getKMSCryptoKey(GetKMSCryptoKeyArgs args, InvokeOptions options)
Copy
fn::invoke:
  function: gcp:kms/getKMSCryptoKey:getKMSCryptoKey
  arguments:
    # arguments dictionary
Copy

The following arguments are supported:

KeyRing This property is required. string
The id of the Google Cloud Platform KeyRing to which the key belongs.
Name This property is required. string
The CryptoKey's name. A CryptoKey’s name belonging to the specified Google Cloud Platform KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}
KeyRing This property is required. string
The id of the Google Cloud Platform KeyRing to which the key belongs.
Name This property is required. string
The CryptoKey's name. A CryptoKey’s name belonging to the specified Google Cloud Platform KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}
keyRing This property is required. String
The id of the Google Cloud Platform KeyRing to which the key belongs.
name This property is required. String
The CryptoKey's name. A CryptoKey’s name belonging to the specified Google Cloud Platform KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}
keyRing This property is required. string
The id of the Google Cloud Platform KeyRing to which the key belongs.
name This property is required. string
The CryptoKey's name. A CryptoKey’s name belonging to the specified Google Cloud Platform KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}
key_ring This property is required. str
The id of the Google Cloud Platform KeyRing to which the key belongs.
name This property is required. str
The CryptoKey's name. A CryptoKey’s name belonging to the specified Google Cloud Platform KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}
keyRing This property is required. String
The id of the Google Cloud Platform KeyRing to which the key belongs.
name This property is required. String
The CryptoKey's name. A CryptoKey’s name belonging to the specified Google Cloud Platform KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}

getKMSCryptoKey Result

The following output properties are available:

CryptoKeyBackend string
DestroyScheduledDuration string
EffectiveLabels Dictionary<string, string>
Id string
The provider-assigned unique ID for this managed resource.
ImportOnly bool
KeyAccessJustificationsPolicies List<GetKMSCryptoKeyKeyAccessJustificationsPolicy>
KeyRing string
Labels Dictionary<string, string>
Name string
Primaries List<GetKMSCryptoKeyPrimary>
PulumiLabels Dictionary<string, string>
Purpose string
Defines the cryptographic capabilities of the key.
RotationPeriod string
Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds).
SkipInitialVersionCreation bool
VersionTemplates List<GetKMSCryptoKeyVersionTemplate>
CryptoKeyBackend string
DestroyScheduledDuration string
EffectiveLabels map[string]string
Id string
The provider-assigned unique ID for this managed resource.
ImportOnly bool
KeyAccessJustificationsPolicies []GetKMSCryptoKeyKeyAccessJustificationsPolicy
KeyRing string
Labels map[string]string
Name string
Primaries []GetKMSCryptoKeyPrimary
PulumiLabels map[string]string
Purpose string
Defines the cryptographic capabilities of the key.
RotationPeriod string
Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds).
SkipInitialVersionCreation bool
VersionTemplates []GetKMSCryptoKeyVersionTemplate
cryptoKeyBackend String
destroyScheduledDuration String
effectiveLabels Map<String,String>
id String
The provider-assigned unique ID for this managed resource.
importOnly Boolean
keyAccessJustificationsPolicies List<GetKMSCryptoKeyKeyAccessJustificationsPolicy>
keyRing String
labels Map<String,String>
name String
primaries List<GetKMSCryptoKeyPrimary>
pulumiLabels Map<String,String>
purpose String
Defines the cryptographic capabilities of the key.
rotationPeriod String
Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds).
skipInitialVersionCreation Boolean
versionTemplates List<GetKMSCryptoKeyVersionTemplate>
cryptoKeyBackend string
destroyScheduledDuration string
effectiveLabels {[key: string]: string}
id string
The provider-assigned unique ID for this managed resource.
importOnly boolean
keyAccessJustificationsPolicies GetKMSCryptoKeyKeyAccessJustificationsPolicy[]
keyRing string
labels {[key: string]: string}
name string
primaries GetKMSCryptoKeyPrimary[]
pulumiLabels {[key: string]: string}
purpose string
Defines the cryptographic capabilities of the key.
rotationPeriod string
Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds).
skipInitialVersionCreation boolean
versionTemplates GetKMSCryptoKeyVersionTemplate[]
crypto_key_backend str
destroy_scheduled_duration str
effective_labels Mapping[str, str]
id str
The provider-assigned unique ID for this managed resource.
import_only bool
key_access_justifications_policies Sequence[GetKMSCryptoKeyKeyAccessJustificationsPolicy]
key_ring str
labels Mapping[str, str]
name str
primaries Sequence[GetKMSCryptoKeyPrimary]
pulumi_labels Mapping[str, str]
purpose str
Defines the cryptographic capabilities of the key.
rotation_period str
Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds).
skip_initial_version_creation bool
version_templates Sequence[GetKMSCryptoKeyVersionTemplate]
cryptoKeyBackend String
destroyScheduledDuration String
effectiveLabels Map<String>
id String
The provider-assigned unique ID for this managed resource.
importOnly Boolean
keyAccessJustificationsPolicies List<Property Map>
keyRing String
labels Map<String>
name String
primaries List<Property Map>
pulumiLabels Map<String>
purpose String
Defines the cryptographic capabilities of the key.
rotationPeriod String
Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds).
skipInitialVersionCreation Boolean
versionTemplates List<Property Map>

Supporting Types

GetKMSCryptoKeyKeyAccessJustificationsPolicy

AllowedAccessReasons This property is required. List<string>
The list of allowed reasons for access to this CryptoKey. Zero allowed access reasons means all encrypt, decrypt, and sign operations for this CryptoKey will fail.
AllowedAccessReasons This property is required. []string
The list of allowed reasons for access to this CryptoKey. Zero allowed access reasons means all encrypt, decrypt, and sign operations for this CryptoKey will fail.
allowedAccessReasons This property is required. List<String>
The list of allowed reasons for access to this CryptoKey. Zero allowed access reasons means all encrypt, decrypt, and sign operations for this CryptoKey will fail.
allowedAccessReasons This property is required. string[]
The list of allowed reasons for access to this CryptoKey. Zero allowed access reasons means all encrypt, decrypt, and sign operations for this CryptoKey will fail.
allowed_access_reasons This property is required. Sequence[str]
The list of allowed reasons for access to this CryptoKey. Zero allowed access reasons means all encrypt, decrypt, and sign operations for this CryptoKey will fail.
allowedAccessReasons This property is required. List<String>
The list of allowed reasons for access to this CryptoKey. Zero allowed access reasons means all encrypt, decrypt, and sign operations for this CryptoKey will fail.

GetKMSCryptoKeyPrimary

Name This property is required. string
The CryptoKey's name. A CryptoKey’s name belonging to the specified Google Cloud Platform KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}
State This property is required. string
The current state of the CryptoKeyVersion.
Name This property is required. string
The CryptoKey's name. A CryptoKey’s name belonging to the specified Google Cloud Platform KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}
State This property is required. string
The current state of the CryptoKeyVersion.
name This property is required. String
The CryptoKey's name. A CryptoKey’s name belonging to the specified Google Cloud Platform KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}
state This property is required. String
The current state of the CryptoKeyVersion.
name This property is required. string
The CryptoKey's name. A CryptoKey’s name belonging to the specified Google Cloud Platform KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}
state This property is required. string
The current state of the CryptoKeyVersion.
name This property is required. str
The CryptoKey's name. A CryptoKey’s name belonging to the specified Google Cloud Platform KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}
state This property is required. str
The current state of the CryptoKeyVersion.
name This property is required. String
The CryptoKey's name. A CryptoKey’s name belonging to the specified Google Cloud Platform KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}
state This property is required. String
The current state of the CryptoKeyVersion.

GetKMSCryptoKeyVersionTemplate

Algorithm This property is required. string
The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
ProtectionLevel This property is required. string
The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".
Algorithm This property is required. string
The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
ProtectionLevel This property is required. string
The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".
algorithm This property is required. String
The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
protectionLevel This property is required. String
The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".
algorithm This property is required. string
The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
protectionLevel This property is required. string
The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".
algorithm This property is required. str
The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
protection_level This property is required. str
The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".
algorithm This property is required. String
The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
protectionLevel This property is required. String
The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".

Package Details

Repository
Google Cloud (GCP) Classic pulumi/pulumi-gcp
License
Apache-2.0
Notes
This Pulumi package is based on the google-beta Terraform Provider.
Google Cloud v8.23.0 published on Monday, Mar 24, 2025 by Pulumi