|
26 | 26 | package="google.cloud.kms.v1", |
27 | 27 | manifest={ |
28 | 28 | "ProtectionLevel", |
| 29 | + "AccessReason", |
29 | 30 | "KeyRing", |
30 | 31 | "CryptoKey", |
31 | 32 | "CryptoKeyVersionTemplate", |
|
34 | 35 | "PublicKey", |
35 | 36 | "ImportJob", |
36 | 37 | "ExternalProtectionLevelOptions", |
| 38 | + "KeyAccessJustificationsPolicy", |
37 | 39 | }, |
38 | 40 | ) |
39 | 41 |
|
@@ -66,6 +68,90 @@ class ProtectionLevel(proto.Enum): |
66 | 68 | EXTERNAL_VPC = 4 |
67 | 69 |
|
68 | 70 |
|
| 71 | +class AccessReason(proto.Enum): |
| 72 | + r"""Describes the reason for a data access. Please refer to |
| 73 | + https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes |
| 74 | + for the detailed semantic meaning of justification reason codes. |
| 75 | +
|
| 76 | + Values: |
| 77 | + REASON_UNSPECIFIED (0): |
| 78 | + Unspecified access reason. |
| 79 | + CUSTOMER_INITIATED_SUPPORT (1): |
| 80 | + Customer-initiated support. |
| 81 | + GOOGLE_INITIATED_SERVICE (2): |
| 82 | + Google-initiated access for system management |
| 83 | + and troubleshooting. |
| 84 | + THIRD_PARTY_DATA_REQUEST (3): |
| 85 | + Google-initiated access in response to a |
| 86 | + legal request or legal process. |
| 87 | + GOOGLE_INITIATED_REVIEW (4): |
| 88 | + Google-initiated access for security, fraud, |
| 89 | + abuse, or compliance purposes. |
| 90 | + CUSTOMER_INITIATED_ACCESS (5): |
| 91 | + Customer uses their account to perform any |
| 92 | + access to their own data which their IAM policy |
| 93 | + authorizes. |
| 94 | + GOOGLE_INITIATED_SYSTEM_OPERATION (6): |
| 95 | + Google systems access customer data to help |
| 96 | + optimize the structure of the data or quality |
| 97 | + for future uses by the customer. |
| 98 | + REASON_NOT_EXPECTED (7): |
| 99 | + No reason is expected for this key request. |
| 100 | + MODIFIED_CUSTOMER_INITIATED_ACCESS (8): |
| 101 | + Customer uses their account to perform any access to their |
| 102 | + own data which their IAM policy authorizes, and one of the |
| 103 | + following is true: |
| 104 | +
|
| 105 | + - A Google administrator has reset the root-access account |
| 106 | + associated with the user's organization within the past 7 |
| 107 | + days. |
| 108 | + - A Google-initiated emergency access operation has |
| 109 | + interacted with a resource in the same project or folder |
| 110 | + as the currently accessed resource within the past 7 |
| 111 | + days. |
| 112 | + MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION (9): |
| 113 | + Google systems access customer data to help optimize the |
| 114 | + structure of the data or quality for future uses by the |
| 115 | + customer, and one of the following is true: |
| 116 | +
|
| 117 | + - A Google administrator has reset the root-access account |
| 118 | + associated with the user's organization within the past 7 |
| 119 | + days. |
| 120 | + - A Google-initiated emergency access operation has |
| 121 | + interacted with a resource in the same project or folder |
| 122 | + as the currently accessed resource within the past 7 |
| 123 | + days. |
| 124 | + GOOGLE_RESPONSE_TO_PRODUCTION_ALERT (10): |
| 125 | + Google-initiated access to maintain system |
| 126 | + reliability. |
| 127 | + CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING (11): |
| 128 | + One of the following operations is being executed while |
| 129 | + simultaneously encountering an internal technical issue |
| 130 | + which prevented a more precise justification code from being |
| 131 | + generated: |
| 132 | +
|
| 133 | + - Your account has been used to perform any access to your |
| 134 | + own data which your IAM policy authorizes. |
| 135 | + - An automated Google system operates on encrypted customer |
| 136 | + data which your IAM policy authorizes. |
| 137 | + - Customer-initiated Google support access. |
| 138 | + - Google-initiated support access to protect system |
| 139 | + reliability. |
| 140 | + """ |
| 141 | + REASON_UNSPECIFIED = 0 |
| 142 | + CUSTOMER_INITIATED_SUPPORT = 1 |
| 143 | + GOOGLE_INITIATED_SERVICE = 2 |
| 144 | + THIRD_PARTY_DATA_REQUEST = 3 |
| 145 | + GOOGLE_INITIATED_REVIEW = 4 |
| 146 | + CUSTOMER_INITIATED_ACCESS = 5 |
| 147 | + GOOGLE_INITIATED_SYSTEM_OPERATION = 6 |
| 148 | + REASON_NOT_EXPECTED = 7 |
| 149 | + MODIFIED_CUSTOMER_INITIATED_ACCESS = 8 |
| 150 | + MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION = 9 |
| 151 | + GOOGLE_RESPONSE_TO_PRODUCTION_ALERT = 10 |
| 152 | + CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING = 11 |
| 153 | + |
| 154 | + |
69 | 155 | class KeyRing(proto.Message): |
70 | 156 | r"""A [KeyRing][google.cloud.kms.v1.KeyRing] is a toplevel logical |
71 | 157 | grouping of [CryptoKeys][google.cloud.kms.v1.CryptoKey]. |
@@ -208,6 +294,19 @@ class CryptoKey(proto.Message): |
208 | 294 | is non-exhaustive and may apply to additional |
209 | 295 | [ProtectionLevels][google.cloud.kms.v1.ProtectionLevel] in |
210 | 296 | the future. |
| 297 | + key_access_justifications_policy (google.cloud.kms_v1.types.KeyAccessJustificationsPolicy): |
| 298 | + Optional. The policy used for Key Access |
| 299 | + Justifications Policy Enforcement. If this field |
| 300 | + is present and this key is enrolled in Key |
| 301 | + Access Justifications Policy Enforcement, the |
| 302 | + policy will be evaluated in encrypt, decrypt, |
| 303 | + and sign operations, and the operation will fail |
| 304 | + if rejected by the policy. The policy is defined |
| 305 | + by specifying zero or more allowed justification |
| 306 | + codes. |
| 307 | + https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes |
| 308 | + By default, this field is absent, and all |
| 309 | + justification codes are allowed. |
211 | 310 | """ |
212 | 311 |
|
213 | 312 | class CryptoKeyPurpose(proto.Enum): |
@@ -313,6 +412,11 @@ class CryptoKeyPurpose(proto.Enum): |
313 | 412 | proto.STRING, |
314 | 413 | number=15, |
315 | 414 | ) |
| 415 | + key_access_justifications_policy: "KeyAccessJustificationsPolicy" = proto.Field( |
| 416 | + proto.MESSAGE, |
| 417 | + number=17, |
| 418 | + message="KeyAccessJustificationsPolicy", |
| 419 | + ) |
316 | 420 |
|
317 | 421 |
|
318 | 422 | class CryptoKeyVersionTemplate(proto.Message): |
@@ -1251,4 +1355,29 @@ class ExternalProtectionLevelOptions(proto.Message): |
1251 | 1355 | ) |
1252 | 1356 |
|
1253 | 1357 |
|
| 1358 | +class KeyAccessJustificationsPolicy(proto.Message): |
| 1359 | + r"""A |
| 1360 | + [KeyAccessJustificationsPolicy][google.cloud.kms.v1.KeyAccessJustificationsPolicy] |
| 1361 | + specifies zero or more allowed |
| 1362 | + [AccessReason][google.cloud.kms.v1.AccessReason] values for encrypt, |
| 1363 | + decrypt, and sign operations on a |
| 1364 | + [CryptoKey][google.cloud.kms.v1.CryptoKey]. |
| 1365 | +
|
| 1366 | + Attributes: |
| 1367 | + allowed_access_reasons (MutableSequence[google.cloud.kms_v1.types.AccessReason]): |
| 1368 | + The list of allowed reasons for access to a |
| 1369 | + [CryptoKey][google.cloud.kms.v1.CryptoKey]. Zero allowed |
| 1370 | + access reasons means all encrypt, decrypt, and sign |
| 1371 | + operations for the |
| 1372 | + [CryptoKey][google.cloud.kms.v1.CryptoKey] associated with |
| 1373 | + this policy will fail. |
| 1374 | + """ |
| 1375 | + |
| 1376 | + allowed_access_reasons: MutableSequence["AccessReason"] = proto.RepeatedField( |
| 1377 | + proto.ENUM, |
| 1378 | + number=1, |
| 1379 | + enum="AccessReason", |
| 1380 | + ) |
| 1381 | + |
| 1382 | + |
1254 | 1383 | __all__ = tuple(sorted(__protobuf__.manifest)) |
0 commit comments