Reference documentation and code samples for the Google Cloud Key Management Service v1 API enum EkmConnection.Types.KeyManagementMode.
[KeyManagementMode][google.cloud.kms.v1.EkmConnection.KeyManagementMode]
describes who can perform control plane cryptographic operations using this
[EkmConnection][google.cloud.kms.v1.EkmConnection].
CloudKms
All [CryptoKeys][google.cloud.kms.v1.CryptoKey] created with this
[EkmConnection][google.cloud.kms.v1.EkmConnection] use EKM-side key
management operations initiated from Cloud KMS. This means that:
When a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
associated with this [EkmConnection][google.cloud.kms.v1.EkmConnection]
is created, the EKM automatically generates new key material and a new
key path. The caller cannot supply the key path of pre-existing
external key material.
Destruction of external key material associated with this
[EkmConnection][google.cloud.kms.v1.EkmConnection] can be requested by
calling [DestroyCryptoKeyVersion][EkmService.DestroyCryptoKeyVersion].
Automatic rotation of key material is supported.
Manual
EKM-side key management operations on
[CryptoKeys][google.cloud.kms.v1.CryptoKey] created with this
[EkmConnection][google.cloud.kms.v1.EkmConnection] must be initiated from
the EKM directly and cannot be performed from Cloud KMS. This means that:
When creating a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
associated with this [EkmConnection][google.cloud.kms.v1.EkmConnection],
the caller must supply the key path of pre-existing external key material
that will be linked to the
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
Destruction of external key material cannot be requested via the
Cloud KMS API and must be performed directly in the EKM.
Automatic rotation of key material is not supported.
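The following is an added example, not code from the client library or its documentation: a pre-flight check that compares a planned CryptoKey and CryptoKeyVersion against the connection's KeyManagementMode before any request is sent. The `EkmModePreflight` class and its messages are hypothetical, and treating an unset mode as an error is an assumption of this sketch.

```csharp
using System;
using System.Collections.Generic;
using Google.Cloud.Kms.V1;
using Google.Protobuf.WellKnownTypes;
using Mode = Google.Cloud.Kms.V1.EkmConnection.Types.KeyManagementMode;

// Hypothetical helper (not part of Google.Cloud.Kms.V1): checks a planned key
// and version against the rules of the connection's KeyManagementMode.
public static class EkmModePreflight
{
    public static List<string> Check(EkmConnection conn, CryptoKey key, CryptoKeyVersion version)
    {
        var problems = new List<string>();
        bool hasKeyPath = !string.IsNullOrEmpty(
            version.ExternalProtectionLevelOptions?.EkmConnectionKeyPath);
        bool autoRotation = key.RotationPeriod is not null || key.NextRotationTime is not null;

        switch (conn.KeyManagementMode)
        {
            case Mode.CloudKms:
                // The EKM generates the key material and key path itself.
                if (hasKeyPath)
                    problems.Add("CloudKms: the caller cannot supply a key path");
                break;
            case Mode.Manual:
                // The version must link to key material that already exists in the EKM.
                if (!hasKeyPath)
                    problems.Add("Manual: key path of pre-existing key material is required");
                if (autoRotation)
                    problems.Add("Manual: automatic rotation is not supported");
                break;
            default:
                // Assumption of this example: refuse to guess when the mode is unset.
                problems.Add("Mode is unspecified; resolve it before creating versions");
                break;
        }
        return problems;
    }

    public static void Main()
    {
        // Constructed sample objects; nothing is sent to Cloud KMS.
        var conn = new EkmConnection { KeyManagementMode = Mode.Manual };
        var key = new CryptoKey { RotationPeriod = Duration.FromTimeSpan(TimeSpan.FromDays(90)) };
        var version = new CryptoKeyVersion(); // no key path supplied
        foreach (var problem in Check(conn, key, version)) Console.WriteLine(problem);
    }
}
```

With the constructed Manual-mode input above, both Manual rules are reported: the missing key path and the rotation schedule.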
Last updated 2025-08-07 UTC.