0
# Key Management Service
1
2
The KeyManagementServiceClient provides comprehensive cryptographic key management capabilities including key creation, lifecycle management, and cryptographic operations. This is the primary interface for most Google Cloud KMS operations.
3
4
## Capabilities
5
6
### Key Ring Management
7
8
Key rings are top-level containers that group related cryptographic keys within a specific location.
9
10
```python { .api }
11
def list_key_rings(self, request: ListKeyRingsRequest) -> ListKeyRingsResponse:
12
"""
13
Lists KeyRings in a location.
14
15
Parameters:
16
- request.parent: Required. Location path (projects/{project}/locations/{location})
17
- request.page_size: Optional. Maximum number of results per page
18
- request.page_token: Optional. Token for pagination
19
- request.filter: Optional. Filter expression
20
- request.order_by: Optional. Sorting order
21
22
Returns:
23
List of KeyRing objects with pagination support
24
"""
25
26
def get_key_ring(self, request: GetKeyRingRequest) -> KeyRing:
27
"""
28
Returns metadata for a given KeyRing.
29
30
Parameters:
31
- request.name: Required. KeyRing resource name
32
33
Returns:
34
KeyRing object with metadata
35
"""
36
37
def create_key_ring(self, request: CreateKeyRingRequest) -> KeyRing:
38
"""
39
Creates a new KeyRing in a given Project and Location.
40
41
Parameters:
42
- request.parent: Required. Location path
43
- request.key_ring_id: Required. Unique ID for the KeyRing
44
- request.key_ring: Required. KeyRing object to create
45
46
Returns:
47
Created KeyRing object
48
"""
49
```
50
51
### Crypto Key Management
52
53
Crypto keys define the cryptographic material and configuration for encryption operations.
54
55
```python { .api }
56
def list_crypto_keys(self, request: ListCryptoKeysRequest) -> ListCryptoKeysResponse:
57
"""
58
Lists CryptoKeys in a KeyRing.
59
60
Parameters:
61
- request.parent: Required. KeyRing path
62
- request.page_size: Optional. Maximum results per page
63
- request.page_token: Optional. Pagination token
64
- request.filter: Optional. Filter expression
65
- request.order_by: Optional. Sorting order
66
- request.version_view: Optional. CryptoKeyVersionView level
67
68
Returns:
69
List of CryptoKey objects with pagination
70
"""
71
72
def get_crypto_key(self, request: GetCryptoKeyRequest) -> CryptoKey:
73
"""
74
Returns metadata for a given CryptoKey and its primary CryptoKeyVersion.
75
76
Parameters:
77
- request.name: Required. CryptoKey resource name
78
- request.version_view: Optional. Version view level
79
80
Returns:
81
CryptoKey object with metadata
82
"""
83
84
def create_crypto_key(self, request: CreateCryptoKeyRequest) -> CryptoKey:
85
"""
86
Creates a new CryptoKey within a KeyRing.
87
88
Parameters:
89
- request.parent: Required. KeyRing path
90
- request.crypto_key_id: Required. Unique ID for the CryptoKey
91
- request.crypto_key: Required. CryptoKey object to create
92
- request.skip_initial_version_creation: Optional. Skip creating initial version
93
94
Returns:
95
Created CryptoKey object
96
"""
97
98
def update_crypto_key(self, request: UpdateCryptoKeyRequest) -> CryptoKey:
99
"""
100
Updates a CryptoKey.
101
102
Parameters:
103
- request.crypto_key: Required. Updated CryptoKey object
104
- request.update_mask: Required. Fields to update
105
106
Returns:
107
Updated CryptoKey object
108
"""
109
110
def update_crypto_key_primary_version(self, request: UpdateCryptoKeyPrimaryVersionRequest) -> CryptoKey:
111
"""
112
Updates the version of a CryptoKey used in Encrypt operations.
113
114
Parameters:
115
- request.name: Required. CryptoKey resource name
116
- request.crypto_key_version_id: Required. Version ID to set as primary
117
118
Returns:
119
Updated CryptoKey object
120
"""
121
```
122
123
### Crypto Key Version Management
124
125
Crypto key versions contain the actual cryptographic material and can be managed independently.
126
127
```python { .api }
128
def list_crypto_key_versions(self, request: ListCryptoKeyVersionsRequest) -> ListCryptoKeyVersionsResponse:
129
"""
130
Lists CryptoKeyVersions for a CryptoKey.
131
132
Parameters:
133
- request.parent: Required. CryptoKey path
134
- request.page_size: Optional. Maximum results per page
135
- request.page_token: Optional. Pagination token
136
- request.filter: Optional. Filter expression
137
- request.order_by: Optional. Sorting order
138
- request.view: Optional. CryptoKeyVersionView level
139
140
Returns:
141
List of CryptoKeyVersion objects with pagination
142
"""
143
144
def get_crypto_key_version(self, request: GetCryptoKeyVersionRequest) -> CryptoKeyVersion:
145
"""
146
Returns metadata for a given CryptoKeyVersion.
147
148
Parameters:
149
- request.name: Required. CryptoKeyVersion resource name
150
- request.view: Optional. Version view level
151
152
Returns:
153
CryptoKeyVersion object with metadata
154
"""
155
156
def create_crypto_key_version(self, request: CreateCryptoKeyVersionRequest) -> CryptoKeyVersion:
157
"""
158
Creates a new CryptoKeyVersion in a CryptoKey.
159
160
Parameters:
161
- request.parent: Required. CryptoKey path
162
- request.crypto_key_version: Required. CryptoKeyVersion to create
163
164
Returns:
165
Created CryptoKeyVersion object
166
"""
167
168
def update_crypto_key_version(self, request: UpdateCryptoKeyVersionRequest) -> CryptoKeyVersion:
169
"""
170
Updates a CryptoKeyVersion's metadata.
171
172
Parameters:
173
- request.crypto_key_version: Required. Updated CryptoKeyVersion
174
- request.update_mask: Required. Fields to update
175
176
Returns:
177
Updated CryptoKeyVersion object
178
"""
179
180
def destroy_crypto_key_version(self, request: DestroyCryptoKeyVersionRequest) -> CryptoKeyVersion:
181
"""
182
Schedules a CryptoKeyVersion for destruction.
183
184
Parameters:
185
- request.name: Required. CryptoKeyVersion resource name
186
187
Returns:
188
Updated CryptoKeyVersion with DESTROY_SCHEDULED state
189
"""
190
191
def restore_crypto_key_version(self, request: RestoreCryptoKeyVersionRequest) -> CryptoKeyVersion:
192
"""
193
Restores a CryptoKeyVersion in DESTROY_SCHEDULED state.
194
195
Parameters:
196
- request.name: Required. CryptoKeyVersion resource name
197
198
Returns:
199
Restored CryptoKeyVersion with DISABLED state
200
"""
201
```
202
203
### Symmetric Encryption Operations
204
205
Standard encrypt and decrypt operations using symmetric keys.
206
207
```python { .api }
208
def encrypt(self, request: EncryptRequest) -> EncryptResponse:
209
"""
210
Encrypts data using a CryptoKey or CryptoKeyVersion.
211
212
Parameters:
213
- request.name: Required. CryptoKey or CryptoKeyVersion resource name
214
- request.plaintext: Required. Data to encrypt (max 64KiB)
215
- request.additional_authenticated_data: Optional. AAD for authenticated encryption
216
- request.plaintext_crc32c: Optional. CRC32C checksum of plaintext
217
- request.additional_authenticated_data_crc32c: Optional. CRC32C checksum of AAD
218
219
Returns:
220
EncryptResponse with ciphertext and metadata
221
"""
222
223
def decrypt(self, request: DecryptRequest) -> DecryptResponse:
224
"""
225
Decrypts data that was protected by Encrypt.
226
227
Parameters:
228
- request.name: Required. CryptoKey resource name
229
- request.ciphertext: Required. Encrypted data
230
- request.additional_authenticated_data: Optional. AAD used during encryption
231
- request.ciphertext_crc32c: Optional. CRC32C checksum of ciphertext
232
- request.additional_authenticated_data_crc32c: Optional. CRC32C checksum of AAD
233
234
Returns:
235
DecryptResponse with plaintext and metadata
236
"""
237
```
238
239
### Raw Cryptographic Operations
240
241
Low-level cryptographic operations using portable primitives.
242
243
```python { .api }
244
def raw_encrypt(self, request: RawEncryptRequest) -> RawEncryptResponse:
245
"""
246
Encrypts data using portable cryptographic primitives.
247
248
Parameters:
249
- request.name: Required. CryptoKeyVersion resource name
250
- request.plaintext: Required. Data to encrypt
251
- request.additional_authenticated_data: Optional. AAD for authenticated encryption
252
- request.plaintext_crc32c: Optional. CRC32C checksum
253
- request.additional_authenticated_data_crc32c: Optional. CRC32C checksum
254
- request.initialization_vector: Optional. Initialization vector (AES-GCM, AES-CBC, AES-CTR)
255
256
Returns:
257
RawEncryptResponse with ciphertext and metadata
258
"""
259
260
def raw_decrypt(self, request: RawDecryptRequest) -> RawDecryptResponse:
261
"""
262
Decrypts data using raw cryptographic mechanisms.
263
264
Parameters:
265
- request.name: Required. CryptoKeyVersion resource name
266
- request.ciphertext: Required. Encrypted data
267
- request.additional_authenticated_data: Optional. AAD used during encryption
268
- request.initialization_vector: Required. IV used during encryption
269
- request.tag_length: Required. Authentication tag length (AES-GCM)
270
- request.ciphertext_crc32c: Optional. CRC32C checksum
271
- request.additional_authenticated_data_crc32c: Optional. CRC32C checksum
272
- request.initialization_vector_crc32c: Optional. CRC32C checksum
273
274
Returns:
275
RawDecryptResponse with plaintext and metadata
276
"""
277
```
278
279
### Asymmetric Cryptographic Operations
280
281
Digital signing and asymmetric decryption using asymmetric keys.
282
283
```python { .api }
284
def asymmetric_sign(self, request: AsymmetricSignRequest) -> AsymmetricSignResponse:
285
"""
286
Signs data using a CryptoKeyVersion with ASYMMETRIC_SIGN purpose.
287
288
Parameters:
289
- request.name: Required. CryptoKeyVersion resource name
290
- request.digest: Optional. Pre-computed digest to sign
291
- request.digest_crc32c: Optional. CRC32C checksum of digest
292
- request.data: Optional. Raw data to sign (alternative to digest)
293
- request.data_crc32c: Optional. CRC32C checksum of data
294
295
Returns:
296
AsymmetricSignResponse with signature and metadata
297
"""
298
299
def asymmetric_decrypt(self, request: AsymmetricDecryptRequest) -> AsymmetricDecryptResponse:
300
"""
301
Decrypts data using asymmetric keys.
302
303
Parameters:
304
- request.name: Required. CryptoKeyVersion resource name
305
- request.ciphertext: Required. Data encrypted with public key
306
- request.ciphertext_crc32c: Optional. CRC32C checksum of ciphertext
307
308
Returns:
309
AsymmetricDecryptResponse with plaintext and metadata
310
"""
311
312
def get_public_key(self, request: GetPublicKeyRequest) -> PublicKey:
313
"""
314
Returns the public key for asymmetric CryptoKeyVersions.
315
316
Parameters:
317
- request.name: Required. CryptoKeyVersion resource name
318
319
Returns:
320
PublicKey object with key data and metadata
321
"""
322
```
323
324
### MAC Operations
325
326
Message Authentication Code signing and verification.
327
328
```python { .api }
329
def mac_sign(self, request: MacSignRequest) -> MacSignResponse:
330
"""
331
Signs data using a CryptoKeyVersion with MAC purpose.
332
333
Parameters:
334
- request.name: Required. CryptoKeyVersion resource name
335
- request.data: Required. Data to sign
336
- request.data_crc32c: Optional. CRC32C checksum of data
337
338
Returns:
339
MacSignResponse with MAC tag
340
"""
341
342
def mac_verify(self, request: MacVerifyRequest) -> MacVerifyResponse:
343
"""
344
Verifies MAC tag using a CryptoKeyVersion with MAC purpose.
345
346
Parameters:
347
- request.name: Required. CryptoKeyVersion resource name
348
- request.data: Required. Original data
349
- request.data_crc32c: Optional. CRC32C checksum of data
350
- request.mac: Required. MAC tag to verify
351
- request.mac_crc32c: Optional. CRC32C checksum of MAC
352
353
Returns:
354
MacVerifyResponse with verification result
355
"""
356
```
357
358
### Key Import Operations
359
360
Import pre-existing key material into Google Cloud KMS.
361
362
```python { .api }
363
def list_import_jobs(self, request: ListImportJobsRequest) -> ListImportJobsResponse:
364
"""
365
Lists ImportJobs in a KeyRing.
366
367
Parameters:
368
- request.parent: Required. KeyRing path
369
- request.page_size: Optional. Maximum results per page
370
- request.page_token: Optional. Pagination token
371
- request.filter: Optional. Filter expression
372
- request.order_by: Optional. Sorting order
373
374
Returns:
375
List of ImportJob objects with pagination
376
"""
377
378
def get_import_job(self, request: GetImportJobRequest) -> ImportJob:
379
"""
380
Returns metadata for a given ImportJob.
381
382
Parameters:
383
- request.name: Required. ImportJob resource name
384
385
Returns:
386
ImportJob object with metadata
387
"""
388
389
def create_import_job(self, request: CreateImportJobRequest) -> ImportJob:
390
"""
391
Creates a new ImportJob within a KeyRing.
392
393
Parameters:
394
- request.parent: Required. KeyRing path
395
- request.import_job_id: Required. Unique ID for ImportJob
396
- request.import_job: Required. ImportJob object to create
397
398
Returns:
399
Created ImportJob object
400
"""
401
402
def import_crypto_key_version(self, request: ImportCryptoKeyVersionRequest) -> CryptoKeyVersion:
403
"""
404
Imports wrapped key material into a CryptoKeyVersion.
405
406
Parameters:
407
- request.parent: Required. CryptoKey path
408
- request.crypto_key_version: Optional. CryptoKeyVersion template
409
- request.algorithm: Required. Cryptographic algorithm
410
- request.import_job: Required. ImportJob resource name
411
- request.wrapped_key: Optional. RSA AES wrapped key material
412
- request.rsa_aes_wrapped_key: Optional. RSA AES key wrap data
413
414
Returns:
415
Imported CryptoKeyVersion object
416
"""
417
```
418
419
### Utility Operations
420
421
Additional utility functions for random number generation and resource management.
422
423
```python { .api }
424
def generate_random_bytes(self, request: GenerateRandomBytesRequest) -> GenerateRandomBytesResponse:
425
"""
426
Generates random bytes using Cloud KMS randomness source.
427
428
Parameters:
429
- request.location: Required. Location path for randomness generation
430
- request.length_bytes: Required. Number of random bytes to generate (1-1024)
431
- request.protection_level: Optional. Protection level for randomness generation
432
433
Returns:
434
GenerateRandomBytesResponse with random data
435
"""
436
```
437
438
### IAM Operations
439
440
Identity and Access Management operations for controlling access to KMS resources.
441
442
```python { .api }
443
def set_iam_policy(self, request: iam_policy_pb2.SetIamPolicyRequest) -> policy_pb2.Policy:
444
"""
445
Sets the IAM access control policy on a KMS resource.
446
447
Parameters:
448
- request.resource: Required. Resource name to set policy for
449
- request.policy: Required. IAM policy to set
450
451
Returns:
452
Updated IAM policy object
453
"""
454
455
def get_iam_policy(self, request: iam_policy_pb2.GetIamPolicyRequest) -> policy_pb2.Policy:
456
"""
457
Gets the IAM access control policy for a KMS resource.
458
459
Parameters:
460
- request.resource: Required. Resource name to get policy for
461
- request.options: Optional. Policy options
462
463
Returns:
464
Current IAM policy object or empty policy if none exists
465
"""
466
467
def test_iam_permissions(self, request: iam_policy_pb2.TestIamPermissionsRequest) -> iam_policy_pb2.TestIamPermissionsResponse:
468
"""
469
Tests specified IAM permissions against the IAM access control policy.
470
471
Parameters:
472
- request.resource: Required. Resource name to test permissions for
473
- request.permissions: Required. List of permissions to test
474
475
Returns:
476
List of permissions that the caller has on the resource
477
"""
478
```
479
480
### Operations Management
481
482
Long-running operations management for monitoring asynchronous tasks.
483
484
```python { .api }
485
def get_operation(self, request: operations_pb2.GetOperationRequest) -> operations_pb2.Operation:
486
"""
487
Gets the latest state of a long-running operation.
488
489
Parameters:
490
- request.name: Required. Operation resource name
491
492
Returns:
493
Operation object with current state and metadata
494
"""
495
```
496
497
### Location Information
498
499
Location discovery and information retrieval for Cloud KMS.
500
501
```python { .api }
502
def list_locations(self, request: locations_pb2.ListLocationsRequest) -> locations_pb2.ListLocationsResponse:
503
"""
504
Lists information about supported locations for Cloud KMS.
505
506
Parameters:
507
- request.name: Required. Project resource name
508
- request.filter: Optional. Location filter expression
509
- request.page_size: Optional. Maximum results per page
510
- request.page_token: Optional. Pagination token
511
512
Returns:
513
List of available locations with pagination
514
"""
515
516
def get_location(self, request: locations_pb2.GetLocationRequest) -> locations_pb2.Location:
517
"""
518
Gets information about a specific location.
519
520
Parameters:
521
- request.name: Required. Location resource name
522
523
Returns:
524
Location object with detailed information
525
"""
526
```
527
528
### Path Construction and Parsing
529
530
Utility methods for constructing and parsing Google Cloud KMS resource paths. These helper methods simplify resource name management and are essential for building proper resource references.
531
532
```python { .api }
533
@classmethod
534
def crypto_key_path(cls, project: str, location: str, key_ring: str, crypto_key: str) -> str:
535
"""
536
Constructs a crypto key resource path.
537
538
Parameters:
539
- project: GCP project ID
540
- location: Location (e.g., 'global', 'us-central1')
541
- key_ring: Key ring ID
542
- crypto_key: Crypto key ID
543
544
Returns:
545
Formatted resource path string
546
"""
547
548
@classmethod
549
def crypto_key_version_path(cls, project: str, location: str, key_ring: str, crypto_key: str, crypto_key_version: str) -> str:
550
"""
551
Constructs a crypto key version resource path.
552
553
Parameters:
554
- project: GCP project ID
555
- location: Location
556
- key_ring: Key ring ID
557
- crypto_key: Crypto key ID
558
- crypto_key_version: Crypto key version ID
559
560
Returns:
561
Formatted resource path string
562
"""
563
564
@classmethod
565
def key_ring_path(cls, project: str, location: str, key_ring: str) -> str:
566
"""
567
Constructs a key ring resource path.
568
569
Parameters:
570
- project: GCP project ID
571
- location: Location
572
- key_ring: Key ring ID
573
574
Returns:
575
Formatted resource path string
576
"""
577
578
@classmethod
579
def import_job_path(cls, project: str, location: str, key_ring: str, import_job: str) -> str:
580
"""
581
Constructs an import job resource path.
582
583
Parameters:
584
- project: GCP project ID
585
- location: Location
586
- key_ring: Key ring ID
587
- import_job: Import job ID
588
589
Returns:
590
Formatted resource path string
591
"""
592
593
@classmethod
594
def public_key_path(cls, project: str, location: str, key_ring: str, crypto_key: str, crypto_key_version: str) -> str:
595
"""
596
Constructs a public key resource path.
597
598
Returns:
599
Formatted resource path string
600
"""
601
602
@classmethod
603
def parse_crypto_key_path(cls, path: str) -> Dict[str, str]:
604
"""
605
Parses a crypto key resource path into its components.
606
607
Parameters:
608
- path: Crypto key resource path
609
610
Returns:
611
Dictionary with 'project', 'location', 'key_ring', 'crypto_key' keys
612
"""
613
614
@classmethod
615
def parse_crypto_key_version_path(cls, path: str) -> Dict[str, str]:
616
"""
617
Parses a crypto key version resource path into its components.
618
619
Returns:
620
Dictionary with components as keys
621
"""
622
623
@classmethod
624
def parse_key_ring_path(cls, path: str) -> Dict[str, str]:
625
"""
626
Parses a key ring resource path into its components.
627
628
Returns:
629
Dictionary with 'project', 'location', 'key_ring' keys
630
"""
631
632
@classmethod
633
def parse_import_job_path(cls, path: str) -> Dict[str, str]:
634
"""
635
Parses an import job resource path into its components.
636
637
Returns:
638
Dictionary with components as keys
639
"""
640
641
@classmethod
642
def parse_public_key_path(cls, path: str) -> Dict[str, str]:
643
"""
644
Parses a public key resource path into its components.
645
646
Returns:
647
Dictionary with components as keys
648
"""
649
```
650
651
### Common Resource Path Helpers
652
653
Standard path construction methods for common Google Cloud resource types.
654
655
```python { .api }
656
@classmethod
657
def common_project_path(cls, project: str) -> str:
658
"""Returns a project resource path."""
659
660
@classmethod
661
def common_location_path(cls, project: str, location: str) -> str:
662
"""Returns a location resource path."""
663
664
@classmethod
665
def common_billing_account_path(cls, billing_account: str) -> str:
666
"""Returns a billing account resource path."""
667
668
@classmethod
669
def common_folder_path(cls, folder: str) -> str:
670
"""Returns a folder resource path."""
671
672
@classmethod
673
def common_organization_path(cls, organization: str) -> str:
674
"""Returns an organization resource path."""
675
```
676
677
## Usage Examples
678
679
### Creating and Using a Symmetric Key
680
681
```python
682
from google.cloud import kms
683
684
# Initialize client
685
client = kms.KeyManagementServiceClient()
686
687
# Create key ring
688
location_name = f"projects/{project_id}/locations/{location_id}"
689
key_ring = client.create_key_ring(
690
request={
691
"parent": location_name,
692
"key_ring_id": "example-keyring",
693
"key_ring": {},
694
}
695
)
696
697
# Create symmetric encryption key
698
crypto_key = client.create_crypto_key(
699
request={
700
"parent": key_ring.name,
701
"crypto_key_id": "symmetric-key",
702
"crypto_key": {
703
"purpose": kms.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT,
704
},
705
}
706
)
707
708
# Encrypt data
709
plaintext = b"Sensitive data to encrypt"
710
encrypt_response = client.encrypt(
711
request={
712
"name": crypto_key.name,
713
"plaintext": plaintext,
714
}
715
)
716
717
# Decrypt data
718
decrypt_response = client.decrypt(
719
request={
720
"name": crypto_key.name,
721
"ciphertext": encrypt_response.ciphertext,
722
}
723
)
724
725
assert decrypt_response.plaintext == plaintext
726
```
727
728
### Creating and Using an Asymmetric Signing Key
729
730
```python
731
from google.cloud import kms
732
import hashlib
733
734
# Create asymmetric signing key
735
crypto_key = client.create_crypto_key(
736
request={
737
"parent": key_ring.name,
738
"crypto_key_id": "signing-key",
739
"crypto_key": {
740
"purpose": kms.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN,
741
"version_template": {
742
"algorithm": kms.CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256,
743
},
744
},
745
}
746
)
747
748
# Sign data
749
data = b"Data to sign"
750
digest = kms.Digest()
751
digest.sha256 = hashlib.sha256(data).digest()
752
753
sign_response = client.asymmetric_sign(
754
request={
755
"name": f"{crypto_key.name}/cryptoKeyVersions/1",
756
"digest": digest,
757
}
758
)
759
760
# Get public key for verification
761
public_key = client.get_public_key(
762
request={"name": f"{crypto_key.name}/cryptoKeyVersions/1"}
763
)
764
765
print(f"Signature: {sign_response.signature.hex()}")
766
print(f"Public key: {public_key.pem}")
767
```
768
769
### Using Path Helper Methods
770
771
```python
772
from google.cloud import kms
773
774
# Initialize client
775
client = kms.KeyManagementServiceClient()
776
777
# Construct resource paths
778
key_ring_path = client.key_ring_path(
779
project="my-project",
780
location="global",
781
key_ring="my-keyring"
782
)
783
784
crypto_key_path = client.crypto_key_path(
785
project="my-project",
786
location="global",
787
key_ring="my-keyring",
788
crypto_key="my-key"
789
)
790
791
# Parse resource paths
792
path_components = client.parse_crypto_key_path(crypto_key_path)
793
print(f"Project: {path_components['project']}")
794
print(f"Location: {path_components['location']}")
795
print(f"Key Ring: {path_components['key_ring']}")
796
print(f"Crypto Key: {path_components['crypto_key']}")
797
798
# Use paths in API calls
799
key_ring = client.create_key_ring(
800
request={
801
"parent": client.common_location_path("my-project", "global"),
802
"key_ring_id": "my-keyring",
803
"key_ring": {},
804
}
805
)
806
807
crypto_key = client.create_crypto_key(
808
request={
809
"parent": key_ring_path,
810
"crypto_key_id": "my-key",
811
"crypto_key": {
812
"purpose": kms.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT,
813
},
814
}
815
)
816
```