# Organization policy constraints for Cloud KMS

This page provides supplemental information about [organization policy](/resource-manager/docs/organization-policy/overview)
constraints that let you enforce limitations for Cloud Key Management Service. You can use these
constraints to limit resource locations or allowed protection levels for
Cloud KMS keys across an entire project or organization.

You can also use [CMEK organization policies](/kms/docs/cmek-org-policy) to enforce the use of CMEK in
your organization and use organization policies to
[control key destruction](/kms/docs/control-key-destruction).

Cloud KMS constraints
---------------------

The following constraints can be applied to an organization policy and relate
to Cloud Key Management Service.

### Enforce resource locations

**API Name**: `constraints/gcp.resourceLocations`

When you apply the `resourceLocations` constraint, you specify one or more
[locations](/kms/docs/locations#location_types). Once set, creation of new resources (for example, key rings, keys, and
key versions) is limited to the specified locations.

Keys in other locations, created or imported before the constraint was
applied, will remain usable. However, [key rotation](/kms/docs/key-rotation) (automated creation of
a new primary key version) will fail if the result would be a new
key version in a disallowed location.

> **Note:** Enabling or disabling `resourceLocations` may take up to 10 minutes to go into effect.

### Allowed protection levels

**API Name**: `constraints/cloudkms.allowedProtectionLevels`

When you apply the `allowedProtectionLevels` constraint, you specify one or
more [protection levels](/kms/docs/algorithms#protection_levels). Once set, new keys, key versions, and
import jobs must use one of the specified protection levels.

Keys with other protection levels, created before the constraint was
applied, will remain usable. However, [key rotation](/kms/docs/key-rotation) (automated creation of
a new primary key version) will fail if the result would be a new
key version with a disallowed protection level.

> **Note:** Enabling or disabling `allowedProtectionLevels` may take up to 10 minutes to go into effect.
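Both constraints share one enforcement pattern: they are checked only when a new resource is created, so a key that predates the policy keeps working, but the next rotation (a new key version) is refused. The following Python model is an added example, not text from this page and not Google's enforcement code; it mirrors the documented rules so you can see which operations succeed and which fail. The policy values, key names, locations and the `enc(...)` stand-in for encryption are constructed for the illustration.

```python
"""Constructed model of how the two Cloud KMS organization policy constraints
gate key operations (an illustration, not Google's enforcement code)."""
from dataclasses import dataclass, field
from typing import Optional

RESOURCE_LOCATIONS = "constraints/gcp.resourceLocations"
ALLOWED_PROTECTION_LEVELS = "constraints/cloudkms.allowedProtectionLevels"

# Constructed policy: the allowed values per constraint, playing the role of
# spec.rules[].values.allowedValues in an organization policy.
EXAMPLE_POLICY = {
    RESOURCE_LOCATIONS: {"us-east1", "us-central1"},
    ALLOWED_PROTECTION_LEVELS: {"HSM"},
}


class PolicyViolation(Exception):
    """Raised when creating a new resource would break a constraint."""


@dataclass
class CryptoKey:
    name: str
    location: str
    protection_level: str
    versions: list = field(default_factory=lambda: [1])  # version 1 is primary at creation

    @property
    def primary(self) -> int:
        return self.versions[-1]


def check_new_resource(policy: dict, location: str,
                       protection_level: Optional[str] = None) -> None:
    """Both constraints apply only to resources being created: key rings, keys,
    key versions and import jobs. Key rings carry no protection level."""
    allowed_locations = policy.get(RESOURCE_LOCATIONS)
    if allowed_locations is not None and location not in allowed_locations:
        raise PolicyViolation(f"{RESOURCE_LOCATIONS}: {location!r} is not an allowed location")
    allowed_levels = policy.get(ALLOWED_PROTECTION_LEVELS)
    if (protection_level is not None and allowed_levels is not None
            and protection_level not in allowed_levels):
        raise PolicyViolation(
            f"{ALLOWED_PROTECTION_LEVELS}: {protection_level!r} is not an allowed protection level")


def create_key_ring(policy: dict, location: str) -> str:
    check_new_resource(policy, location)
    return f"keyRings/{location}"


def create_key(policy: dict, name: str, location: str, protection_level: str) -> CryptoKey:
    check_new_resource(policy, location, protection_level)
    return CryptoKey(name, location, protection_level)


def encrypt(key: CryptoKey, plaintext: str) -> str:
    """Using an existing key does not consult the constraints, so keys that
    predate the policy keep working (a stand-in for the real encrypt call)."""
    return f"enc({key.name}/cryptoKeyVersions/{key.primary}, {plaintext})"


def rotate(policy: dict, key: CryptoKey) -> int:
    """Rotation creates a new primary key version, which is a new resource and
    therefore must satisfy both constraints, even for a pre-existing key."""
    check_new_resource(policy, key.location, key.protection_level)
    key.versions.append(key.primary + 1)
    return key.primary


def attempt(fn, *args):
    """Return the operation's result, or the violation message if it was denied."""
    try:
        return fn(*args)
    except PolicyViolation as exc:
        return str(exc)


def demo() -> dict:
    # Created before the policy existed, so no constraints were in force.
    legacy = create_key({}, "legacy-key", "europe-west1", "SOFTWARE")
    compliant = create_key(EXAMPLE_POLICY, "payroll-key", "us-east1", "HSM")
    return {
        "legacy_encrypt": encrypt(legacy, "hello"),                     # still works
        "legacy_rotate": attempt(rotate, EXAMPLE_POLICY, legacy),        # denied: location
        "compliant_rotate": attempt(rotate, EXAMPLE_POLICY, compliant),  # new primary version 2
        "software_key": attempt(create_key, EXAMPLE_POLICY, "sw-key", "us-east1", "SOFTWARE"),
        "asia_key_ring": attempt(create_key_ring, EXAMPLE_POLICY, "asia-east1"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `legacy_rotate` entry is the operational caveat worth planning for: a constraint rolled out across an organization does not break existing ciphertext, but automated rotation of non-compliant keys starts failing, so inventory keys by location and protection level before enforcing either constraint.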
What's next
-----------

- Learn about [CMEK organization policies](/kms/docs/cmek-org-policy) and using organization policies to [control key destruction](/kms/docs/control-key-destruction).
- Learn about the [resource hierarchy](/resource-manager/docs/cloud-platform-resource-hierarchy#resource-hierarchy-detail) that applies to organization policies.
- See [Creating and managing organization policies](/resource-manager/docs/organization-policy/creating-managing-policies) for instructions on working with constraints and organization policies in the Google Cloud console.
- See [Using constraints](/resource-manager/docs/organization-policy/using-constraints) for instructions on working with constraints and organization policies in the gcloud CLI.
- See the Resource Manager API [reference documentation](/resource-manager/reference/rest) for relevant API methods, such as [`projects.setOrgPolicy`](/resource-manager/reference/rest/v1/projects/setOrgPolicy).

Last updated 2025-08-07 UTC.