CustomerEncryptionKey

string

[Output only] The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource.

string

The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used. For example:

"kmsKeyServiceAccount": "name@
projectId.iam.gserviceaccount.com/

string

Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource. You can provide either the

rawKey

or the

rsaEncryptedKey

. For example:

"rawKey":
"SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0="

string

Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. You can provide either the

rawKey

or the

rsaEncryptedKey

. For example:

"rsaEncryptedKey":
"ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFH
z0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoD
D6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oe=="

The key must meet the following requirements before you can provide it to Compute Engine:

1. The key is wrapped using a RSA public key certificate provided by Google.
2. After being wrapped, the key must be encoded in RFC 4648 base64 encoding.

https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem

string

The name of the encryption key that is stored in Google Cloud KMS. For example:

"kmsKeyName": "projects/
kms_project_id/locations/
region/keyRings/
key_region/cryptoKeys/key

The fully-qualifed key name may be returned for resource GET requests. For example:

"kmsKeyName": "projects/
kms_project_id/locations/
region/keyRings/
key_region/cryptoKeys/key
/cryptoKeyVersions/1