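Some or all of the information on this page might not apply to Trusted Cloud by S3NS.
Quotas
Trusted Cloud by S3NS enforces quotas on resource usage. For Cloud KMS, quotas are enforced on usage of resources such as keys, key rings, key versions, and locations. For details on how to manage or increase your quotas, see Monitor and adjust Cloud KMS quotas.
View Cloud KMS quotas
There's no quota on the number of KeyRing, CryptoKey, or CryptoKeyVersion resources, only on the number of operations.
Some quotas on these operations apply to the calling project, the Trusted Cloud project that makes calls to the Cloud KMS service. Other quotas apply to the hosting project, the Trusted Cloud project that contains the keys used for the operation.
Calling project quotas don't include usage generated by Trusted Cloud services using Cloud KMS keys for customer-managed encryption key (CMEK) integration. For example, encryption and decryption requests coming directly from BigQuery, Bigtable, or Spanner don't contribute to Cryptographic requests quotas.
The Trusted Cloud console lists the limit for each quota in queries per minute (QPM), but hosting project quotas are enforced by the second. Quotas enforced in queries per second (QPS) deny requests that exceed the QPS limit, even if your per-minute usage is less than the listed QPM limit. If you exceed a QPS limit, you receive a RESOURCE_EXHAUSTED error.
Quotas on the usage of Cloud KMS resources
The following table lists each quota applied to Cloud KMS resources. The table gives the name and limit of each quota, which project the quota applies to, and the operations that count against the quota. You can enter a keyword in the field to filter the table. For example, you can enter calling to see only quotas applied to the calling project, or encrypt to see only quotas related to encryption operations: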
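Quota examples
The following sections include examples of each quota using the following example projects:
- KEY_PROJECT - A Trusted Cloud project that contains Cloud KMS keys, including Cloud HSM and Cloud EKM keys.
- SPANNER_PROJECT - A Trusted Cloud project that contains a Spanner instance which uses the customer-managed encryption keys (CMEKs) that reside in KEY_PROJECT.
- SERVICE_PROJECT - A Trusted Cloud project that contains a service account that you use to manage Cloud KMS resources that reside in KEY_PROJECT.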
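Read requests
The Read requests quota limits read requests from the Trusted Cloud project calling the Cloud KMS API. For example, viewing a list of keys in KEY_PROJECT from KEY_PROJECT using Google Cloud CLI counts against the KEY_PROJECT Read requests quota. If you use a service account in SERVICE_PROJECT to view your list of keys, the read request counts against the SERVICE_PROJECT Read requests quota.
Using the Trusted Cloud console to view Cloud KMS resources doesn't contribute to the Read requests quota.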
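Write requests
The Write requests quota limits write requests from the Trusted Cloud project calling the Cloud KMS API. For example, creating keys in KEY_PROJECT using gcloud CLI counts against the KEY_PROJECT Write requests quota. If you use a service account in SERVICE_PROJECT to create keys, the write request counts against the SERVICE_PROJECT Write requests quota.
Using the Trusted Cloud console to create or manage Cloud KMS resources doesn't contribute to the Read requests quota.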
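Cryptographic requests
The Cryptographic requests quota limits cryptographic operations from the Trusted Cloud project calling the Cloud KMS API. For example, encrypting data using API calls from a service account resource running in SERVICE_PROJECT using keys from KEY_PROJECT counts against the SERVICE_PROJECT Cryptographic requests quota.
Encryption and decryption of data in a Spanner resource in SPANNER_PROJECT using CMEK integration doesn't count toward the Cryptographic requests quota of SPANNER_PROJECT.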
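HSM symmetric cryptographic requests per region
The HSM symmetric cryptographic requests per region quota limits cryptographic operations using symmetric Cloud HSM keys on the Trusted Cloud project that contains those keys. For example, encrypting data in a Spanner resource using symmetric HSM keys counts against the KEY_PROJECT HSM symmetric cryptographic requests per region quota.
HSM asymmetric cryptographic requests per region
The HSM asymmetric cryptographic requests per region quota limits cryptographic operations using asymmetric Cloud HSM keys on the Trusted Cloud project that contains those keys. For example, encrypting data in a Spanner resource using asymmetric HSM keys counts against the KEY_PROJECT HSM asymmetric cryptographic requests per region quota.
HSM generate random requests per region
The HSM generate random requests per region quota limits generate random bytes operations using Cloud HSM in the Trusted Cloud project specified in the request message. For example, requests from any source to generate random bytes in KEY_PROJECT count against the KEY_PROJECT HSM generate random requests per region quota.
External cryptographic requests per region
The External cryptographic requests per region quota limits cryptographic operations using external (Cloud EKM) keys on the Trusted Cloud project that contains those keys. For example, encrypting data in a Spanner resource using EKM keys counts against the KEY_PROJECT External cryptographic requests per region quota.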
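Quota error information
If you make a request after your quota is reached, your request results in a RESOURCE_EXHAUSTED error. The HTTP status code is 429. For information on how client libraries surface the RESOURCE_EXHAUSTED error, see Client library mapping.
If you receive the RESOURCE_EXHAUSTED error, you might be sending too many cryptographic operation requests per second. You can receive the RESOURCE_EXHAUSTED error even if the console shows that you are within the queries per minute limit. This issue can happen because Cloud KMS hosting project quotas are displayed per minute, but are enforced on a per second scale. To learn more about monitoring metrics, see Set up quota alerts and monitoring.
For details about troubleshooting Cloud KMS quota issues, see Troubleshoot quota issues.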
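The gap between the per-minute figure shown in the console and per-second enforcement, as an added example that is not part of the original page or of any Cloud KMS client library. It is a constructed simulation that assumes the enforced per-second limit is the listed QPM limit divided by 60, applied to fixed one-second windows; the 600 QPM limit, the function names, and the timestamps are hypothetical.

```python
# Added example: constructed simulation, not Cloud KMS or client-library code.
from collections import Counter

def qps_limit_for(qpm_limit):
    # Assumption: the enforced per-second limit is the listed QPM limit / 60.
    return max(1, qpm_limit // 60)

def over_limit_seconds(timestamps, qpm_limit):
    """Map each one-second window to the number of requests denied in it.

    Assumption: fixed one-second windows; the page does not describe the
    service's actual windowing.
    """
    limit = qps_limit_for(qpm_limit)
    per_second = Counter(int(t) for t in timestamps)
    return {s: n - limit for s, n in sorted(per_second.items()) if n > limit}

def summarize(timestamps, qpm_limit):
    """Compare the per-minute view (console) with per-second enforcement."""
    per_minute = Counter(int(t) // 60 for t in timestamps)
    peak_minute = max(per_minute.values(), default=0)
    denied = sum(over_limit_seconds(timestamps, qpm_limit).values())
    return {
        "peak_per_minute": peak_minute,
        "within_qpm": peak_minute <= qpm_limit,
        "denied": denied,  # requests that would get RESOURCE_EXHAUSTED (HTTP 429)
    }

def pace(n_requests, qpm_limit):
    """Send times (seconds from now) that keep every window within the QPS limit."""
    limit = qps_limit_for(qpm_limit)
    return [i / limit for i in range(n_requests)]

# Constructed input: 100 requests in the first second of a minute, against a
# hypothetical 600 QPM limit (not a real Cloud KMS quota value).
QPM = 600
burst = [i / 100 for i in range(100)]

if __name__ == "__main__":
    print("burst:", summarize(burst, QPM), over_limit_seconds(burst, QPM))
    print("paced:", summarize(pace(100, QPM), QPM))
```

Feeding request timestamps from your own client logs into `over_limit_seconds` shows which seconds carried the bursts behind a RESOURCE_EXHAUSTED error while the per-minute total stayed under the listed limit.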
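Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated (UTC): 2025-08-18.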