Cloud de Confiance by S3NS enforces quotas on resource usage. For Cloud Key Management Service (Cloud KMS), quotas are enforced on the management and usage of resources such as keys, key versions, and locations. There are no quotas on the number of key rings, keys, key versions, or other Cloud KMS resources that you can have; only on their usage.
Effective February 16, 2026, Cloud KMS is changing the way quotas are tracked and enforced. This document provides information about how the quotas work before and after the change and helps you identify any steps you may need to take to prepare for the change.
Timeline
The following table provides an overview of the expected timeline for the changes to Cloud KMS quotas.
| Date | What is changing? |
|---|---|
| | Cloud KMS started allowing over-quota requests for hardware (Cloud HSM) keys as long as the Cloud KMS system is not overloaded. |
| | The old metrics are retired and can no longer be monitored. |
Summary of changes
The revised quota system is designed to simplify quota management for Cloud KMS users. The following table summarizes the key changes:
| | Before February 16, 2026 | After February 16, 2026 |
|---|---|---|
| Location scope | Mixed scope: Some metrics are measured globally, and others are measured by region. | Regional scope: All metrics are measured per region. Multiregion usage is counted against the quota for the specific region that serves the request. |
| Quota limits | Static limits: Default quota limits are applied to each project. You can request quota limit increases. | Dynamic limits: Quota limits are initially set based on your project-specific limits and usage prior to February 16, 2026. We recommend that you also opt in to the quota adjuster service, so that your limits are automatically adjusted based on your typical usage. |
| Enforcement | Hard enforcement: When a quota limit is exceeded, requests are denied, even if the system can serve the request. | Soft enforcement: When a quota limit is exceeded, read requests and most write requests and cryptographic operation requests are allowed if the system can serve the request. However, the following quota limits are hard-enforced: |
| Cloud HSM quotas | Many Cloud HSM quotas: Cloud KMS enforces separate quotas for Cloud HSM symmetric, asymmetric, and generateRandomBytes requests. | One Cloud HSM quota: Cloud KMS enforces a single quota for all Cloud HSM requests. However, different key sizes and operations consume different quantities of quota. |
| What is measured? | Track requests: Quotas count the number of operations performed, but don't help you understand how much processing resources you're consuming. | Track resource usage: Quotas count tokens instead of operations; the number of tokens per operation indicates the relative processing cost of each operation. For more information, see Tokens per operation on this page. |
| Time scale | Mixed time scales: Some quota metrics are reported per minute, but enforced per second. | Consistent time scales: All quota metrics are reported at the same time scale at which they are enforced. Most metrics are reported and enforced per minute. Cloud EKM usage is reported and enforced per second. |
| Project scope | Multiple projects: Some quotas are applied to the project that contains the CryptoKey and CryptoKeyVersion resources, and others are applied to the project making the request. | Single project: All quotas are applied to the project that contains the CryptoKey and CryptoKeyVersion resources. |
| CMEK and Cloud KMS quotas | Unrestricted software CMEK usage: Cloud KMS doesn't enforce quotas on software keys used in CMEK integrations. | Restrict only exceptional usage: CMEK usage counts against the Software usage limit, but with soft enforcement, usage that exceeds your limit is served if the system isn't over capacity. |
Cloud KMS quotas after February 16, 2026
The following table lists the metrics and quotas for Cloud KMS.
| Metric | Time scale / Default | Enforcement | Operations |
|---|---|---|---|
| Read usage cloudkms.googleapis.com/read_usage | Minute / 600 TPM | | cryptoKeys: get, getIamPolicy, list, testIamPermissions; ekmConnections: get, getIamPolicy, list, testIamPermissions, verifyConnectivity; importJobs: get, getIamPolicy, list, testIamPermissions |
| Write usage cloudkms.googleapis.com/write_usage | Minute / 100 TPM | | cryptoKeys: create, patch, setIamPolicy, updatePrimaryVersion; cryptoKeyVersions: create, destroy, import, patch, restore; ekmConnections: create, patch, setIamPolicy |
| Software usage cloudkms.googleapis.com/software_usage | Minute / 6,000,000 TPM | Soft | cryptoKeyVersions: asymmetricDecrypt, asymmetricSign, decapsulate, getPublicKey, macSign, macVerify, rawEncrypt, rawDecrypt |
| HSM usage cloudkms.googleapis.com/hsm_usage | Minute / 3,000,000 TPM | Soft | |
| External KMS usage cloudkms.googleapis.com/external_usage | Second / 10,000 TPS | Hard | |
Tokens per operation
The following table lists the number of quota tokens that are consumed by each operation for each Cloud KMS resource, key size, and operation. You can use this table to estimate how many tokens of quota a certain application can consume. Operations that are more processing intensive use more tokens of quota.
| Cloud KMS resource | Operation | Tokens per operation |
|---|---|---|
| All Cloud KMS resources | All read operations | Read usage: 1 |
| All software-backed and external Cloud KMS resources | All write operations | Write usage: 1 |
| Hardware-backed keys | Write operations other than create and import | Write usage: 1 |
| Hardware-backed symmetric and MAC keys | Create and import operations | Write usage: 1; HSM usage: 1,200 |
| Hardware-backed asymmetric keys | Create and import operations | Write usage: 1; HSM usage: 50,000 |
| Software-backed keys | All cryptographic operations | Software usage: 100 |
| External (Cloud EKM) keys | All cryptographic operations | External KMS usage: 100 |
| Hardware (Cloud HSM) keys | | HSM usage: 100 |
| Hardware (Cloud HSM) keys | generateRandomBytes | HSM usage: 1,000 |
| Hardware (Cloud HSM) keys | | HSM usage: 1,500 |
| Hardware (Cloud HSM) keys | | HSM usage: 3,500 |
| Hardware (Cloud HSM) keys | | HSM usage: 4,500 |
| Hardware (Cloud HSM) keys | | HSM usage: 7,000 |
| Hardware (Cloud HSM) keys | | HSM usage: 14,000 |
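The following estimator is an added example, not part of the original documentation. It applies the token costs and default limits from the tables above to a constructed workload; the operation labels, function names, and workload figures are assumptions made for illustration, and traffic is assumed to be spread evenly across each minute.

```python
# Token costs per operation, copied from the "Tokens per operation" table.
# The operation keys are hypothetical labels chosen for this example.
COSTS = {
    "read": {"read_usage": 1},
    "write": {"write_usage": 1},
    "hsm_symmetric_create": {"write_usage": 1, "hsm_usage": 1_200},
    "hsm_asymmetric_create": {"write_usage": 1, "hsm_usage": 50_000},
    "hsm_generate_random_bytes": {"hsm_usage": 1_000},
    "software_crypto": {"software_usage": 100},
    "external_crypto": {"external_usage": 100},
}

# metric -> (window in seconds, default limit, enforcement listed on the page).
# None means the page's table shows no enforcement mode for that metric.
LIMITS = {
    "read_usage": (60, 600, None),
    "write_usage": (60, 100, None),
    "software_usage": (60, 6_000_000, "soft"),
    "hsm_usage": (60, 3_000_000, "soft"),
    "external_usage": (1, 10_000, "hard"),
}

def estimate(ops_per_minute):
    """Return {metric: (tokens per window, limit, enforcement, over_limit)}."""
    per_minute = dict.fromkeys(LIMITS, 0)
    for op, rate in ops_per_minute.items():
        for metric, tokens in COSTS[op].items():
            per_minute[metric] += rate * tokens
    report = {}
    for metric, (window, limit, enforcement) in LIMITS.items():
        # Assumes traffic is spread evenly across the minute.
        used = per_minute[metric] * window / 60
        report[metric] = (used, limit, enforcement, used > limit)
    return report

def hard_denials(report):
    """Metrics where over-limit requests are denied regardless of capacity."""
    return [m for m, (_, _, enf, over) in report.items() if over and enf == "hard"]

# Constructed workload: operations per minute for one key project.
WORKLOAD = {
    "read": 120,
    "hsm_asymmetric_create": 70,
    "software_crypto": 50_000,
    "external_crypto": 9_000,
}

if __name__ == "__main__":
    for metric, row in estimate(WORKLOAD).items():
        print(metric, row)
    print("hard-enforced and over limit:", hard_denials(estimate(WORKLOAD)))
```

In this constructed workload, 70 asymmetric Cloud HSM key creations per minute exceed the default HSM usage limit on their own, while the Cloud EKM traffic exceeds a hard-enforced per-second limit even though its per-minute request count looks modest.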
Suggested actions to prepare for quota changes
| Use case | Suggested preparation |
|---|---|
| Ensure adequate quotas for existing projects | For existing projects, quota limits for the new metrics will be calculated automatically based on the project's actual usage. No action is required for existing projects. |
| Ensure adequate quotas for new projects | If you are planning to create a new project and expect high quota usage, opt in to automated quota adjustment using the quota adjuster service. Allow 1-2 weeks of gradual traffic increase to allow the systems to adjust to your usage, or proactively request the quota limits that you think you will need. |
| Update monitoring to use new quotas | Monitoring using existing quota metrics is available through August 31, 2026. We recommend setting up monitoring using the new metrics after they are available on February 16, 2026 but before August 31, 2026. |
| Opt in to quota adjuster | We recommend that you opt in to using the quota adjuster system to automatically adjust your Cloud KMS quotas based on your usage. Each project that contains Cloud KMS resources must be opted-in to quota adjuster separately. |
Cloud KMS quotas before February 16, 2026
Some quotas on these operations apply to the calling project, the Cloud de Confiance project that makes calls to the Cloud KMS service. Other quotas apply to the hosting project, the Cloud de Confiance project that contains the keys used for the operation.
Calling project quotas don't include usage generated by Cloud de Confiance services using Cloud KMS keys for customer-managed encryption key (CMEK) integration. For example, encryption and decryption requests coming directly from BigQuery, Bigtable, or Spanner don't contribute to Cryptographic requests quotas.
The Cloud de Confiance console lists the limit for each quota in queries per minute
(QPM), but hosting project quotas are enforced by the second. Quotas
enforced in queries per second (QPS) deny requests that exceed the QPS limit,
even if your per-minute usage is less than the listed QPM limit. If you exceed a
QPS limit, you receive a RESOURCE_EXHAUSTED error.
Quotas on the usage of Cloud KMS resources
The following table lists each quota applied to Cloud KMS resources. The table gives the name and limit of each quota, which project the quota applies to, and the operations that count against the quota.
Quota examples
The following sections include examples of each quota using the following example projects:
- KEY_PROJECT: A Cloud de Confiance project that contains Cloud KMS keys, including Multi-tenant Cloud HSM and Cloud EKM keys.
- SPANNER_PROJECT: A Cloud de Confiance project that contains a Spanner instance which uses the customer-managed encryption keys (CMEKs) that reside in KEY_PROJECT.
- SERVICE_PROJECT: A Cloud de Confiance project that contains a service account that you use to manage Cloud KMS resources that reside in KEY_PROJECT.
Read requests
The Read requests quota limits read requests from the
Cloud de Confiance project calling the Cloud KMS API. For
example, viewing a list of keys in KEY_PROJECT from KEY_PROJECT using
the Google Cloud CLI counts against the KEY_PROJECT
Read requests quota. If you use a service account in
SERVICE_PROJECT to view your list of keys, the read request counts
against the SERVICE_PROJECT Read requests quota.
Using the Cloud de Confiance console to view Cloud KMS resources doesn't contribute to the Read requests quota.
Write requests
The Write requests quota limits write requests from the
Cloud de Confiance project calling the Cloud KMS API. For
example, creating keys in KEY_PROJECT using the gcloud CLI counts
against the KEY_PROJECT Write requests quota. If you use a
service account in SERVICE_PROJECT to create keys, the write
request counts against the SERVICE_PROJECT Write requests quota.
Using the Cloud de Confiance console to create or manage Cloud KMS resources doesn't contribute to the Read requests quota.
Cryptographic requests
The Cryptographic requests quota limits cryptographic operations from the
Cloud de Confiance project calling the Cloud KMS API. For
example, encrypting data using API calls from a service account resource running
in SERVICE_PROJECT using keys from KEY_PROJECT counts against the
SERVICE_PROJECT Cryptographic requests quota.
Encryption and decryption of data in a Spanner resource in
SPANNER_PROJECT using CMEK integration doesn't count toward the
Cryptographic requests quota of SPANNER_PROJECT.
HSM symmetric cryptographic requests per region
The HSM symmetric cryptographic requests per
region quota limits cryptographic operations using
symmetric Cloud HSM keys on the Cloud de Confiance
project that contains those keys. For example, encrypting data in a
Spanner resource using symmetric HSM keys counts against the
KEY_PROJECT HSM symmetric cryptographic requests per
region quota.
HSM asymmetric cryptographic requests per region
The HSM asymmetric cryptographic requests per
region quota limits cryptographic operations using
asymmetric Cloud HSM keys on the Cloud de Confiance
project that contains those keys. For example, encrypting data in a
Spanner resource using asymmetric HSM keys counts against the
KEY_PROJECT HSM asymmetric cryptographic requests per
region quota.
HSM generate random requests per region
The HSM generate random requests per
region quota limits generate random bytes operations using
Cloud HSM in the Cloud de Confiance project specified in
the request message. For example, requests from any source to generate random
bytes in KEY_PROJECT count against the KEY_PROJECT
HSM generate random requests per
region quota.
External cryptographic requests per region
The External cryptographic requests per
region quota limits cryptographic operations using external
(Cloud EKM) keys on the Cloud de Confiance project that
contains those keys. For example, encrypting data in a Spanner resource
using EKM keys counts against the KEY_PROJECT External cryptographic requests per
region quota.
Quota error information
If you make a request after your quota is reached, your request results in a
RESOURCE_EXHAUSTED error. The HTTP status code is 429. For information on
how client libraries surface the RESOURCE_EXHAUSTED error, see Client library
mapping.
If you receive the RESOURCE_EXHAUSTED error, you might be sending too many
cryptographic operation requests per second. You can receive the
RESOURCE_EXHAUSTED error even if the Cloud de Confiance console shows that you are
within the queries per minute limit. This issue can happen because
Cloud KMS hosting project quotas are displayed per minute, but are
enforced on a per second scale. To learn more about monitoring metrics, see
Set up quota alerts and monitoring.
For details about troubleshooting Cloud KMS quota issues, see Troubleshoot quota issues.
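The per-minute display versus per-second enforcement described above can be checked against request timestamps. The following is an added example, not part of the original documentation: the log is constructed, the 600 QPM limit is a placeholder, and the per-second limit is assumed to be the QPM limit divided by 60.

```python
from collections import Counter
from datetime import datetime

def burst_report(timestamps, qpm_limit):
    """Compare per-minute totals with per-second peaks for one hosting project."""
    qps_limit = qpm_limit // 60  # assumption: per-second limit is the QPM limit / 60
    seconds = [datetime.fromisoformat(t).replace(microsecond=0) for t in timestamps]
    per_second = Counter(seconds)
    per_minute = Counter(s.replace(second=0) for s in seconds)
    hot = {s: n for s, n in per_second.items() if n > qps_limit}
    return {
        "minutes_over_qpm": [m for m, n in per_minute.items() if n > qpm_limit],
        "peak_per_minute": max(per_minute.values()),
        "seconds_over_qps": sorted(hot),
        # Requests beyond the per-second limit are the ones that would
        # receive RESOURCE_EXHAUSTED (HTTP 429).
        "requests_denied": sum(n - qps_limit for n in hot.values()),
    }

def constructed_log():
    """Constructed sample: 4 requests in most seconds, 34 in two burst seconds."""
    stamps = []
    for s in range(60):
        count = 34 if s in (5, 35) else 4
        stamps += [f"2026-01-15T12:00:{s:02d}.{i:03d}" for i in range(count)]
    return stamps

if __name__ == "__main__":
    print(burst_report(constructed_log(), qpm_limit=600))
```

The constructed minute totals 300 requests, half the placeholder per-minute limit, yet two burst seconds exceed the per-second limit, which is the pattern that produces RESOURCE_EXHAUSTED while the console still shows usage within quota.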
What's next
- Learn about using Cloud Monitoring with Cloud KMS.
- Learn how to monitor and adjust Cloud KMS quotas.