Class EkmServiceClient (2.14.1) 

EkmServiceClient(*, credentials: Optional[google.auth.credentials.Credentials] = None, transport: Optional[Union[str, google.cloud.kms_v1.services.ekm_service.transports.base.EkmServiceTransport]] = None, client_options: Optional[Union[google.api_core.client_options.ClientOptions, dict]] = None, client_info: google.api_core.gapic_v1.client_info.ClientInfo = <google.api_core.gapic_v1.client_info.ClientInfo object>)

Google Cloud Key Management EKM Service

Manages external cryptographic keys and operations using those keys. Implements a REST model with the following objects:

  • EkmConnection

Properties

transport

Returns the transport used by the client instance.

Returns
Type Description
EkmServiceTransport The transport used by the client instance.

Methods

EkmServiceClient

EkmServiceClient(*, credentials: Optional[google.auth.credentials.Credentials] = None, transport: Optional[Union[str, google.cloud.kms_v1.services.ekm_service.transports.base.EkmServiceTransport]] = None, client_options: Optional[Union[google.api_core.client_options.ClientOptions, dict]] = None, client_info: google.api_core.gapic_v1.client_info.ClientInfo = <google.api_core.gapic_v1.client_info.ClientInfo object>)

Instantiates the ekm service client.

Parameters
Name Description
credentials Optional[google.auth.credentials.Credentials]

The authorization credentials to attach to requests. These credentials identify the application to the service; if none are specified, the client will attempt to ascertain the credentials from the environment.

transport Union[str, EkmServiceTransport]

The transport to use. If set to None, a transport is chosen automatically.

client_options Optional[Union[google.api_core.client_options.ClientOptions, dict]]

Custom options for the client. It won't take effect if a transport instance is provided. (1) The api_endpoint property can be used to override the default endpoint provided by the client. GOOGLE_API_USE_MTLS_ENDPOINT environment variable can also be used to override the endpoint: "always" (always use the default mTLS endpoint), "never" (always use the default regular endpoint) and "auto" (auto switch to the default mTLS endpoint if client certificate is present, this is the default value). However, the api_endpoint property takes precedence if provided. (2) If GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable is "true", then the client_cert_source property can be used to provide client certificate for mutual TLS transport. If not provided, the default SSL client certificate will be used if present. If GOOGLE_API_USE_CLIENT_CERTIFICATE is "false" or not set, no client certificate will be used.

client_info google.api_core.gapic_v1.client_info.ClientInfo

The client info used to send a user-agent string along with API requests. If None, then default info will be used. Generally, you only need to set this if you're developing your own client library.

Exceptions
Type Description
google.auth.exceptions.MutualTLSChannelError If mutual TLS transport creation failed for any reason.

__exit__

__exit__(type, value, traceback)

Releases underlying transport's resources.

common_billing_account_path

common_billing_account_path(billing_account: str)

Returns a fully-qualified billing_account string.

common_folder_path

common_folder_path(folder: str)

Returns a fully-qualified folder string.

common_location_path

common_location_path(project: str, location: str)

Returns a fully-qualified location string.

common_organization_path

common_organization_path(organization: str)

Returns a fully-qualified organization string.

common_project_path

common_project_path(project: str)

Returns a fully-qualified project string.

create_ekm_connection

create_ekm_connection(request: Optional[Union[google.cloud.kms_v1.types.ekm_service.CreateEkmConnectionRequest, dict]] = None, *, parent: Optional[str] = None, ekm_connection_id: Optional[str] = None, ekm_connection: Optional[google.cloud.kms_v1.types.ekm_service.EkmConnection] = None, retry: Union[google.api_core.retry.Retry, google.api_core.gapic_v1.method._MethodDefault] = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Union[float, object] = <_MethodDefault._DEFAULT_VALUE: <object object>>, metadata: Sequence[Tuple[str, str]] = ())

Creates a new xref_EkmConnection in a given Project and Location.

# This snippet has been automatically generated and should be regarded as a
# code template only.
# It will require modifications to work:
# - It may require correct/in-range values for request initialization.
# - It may require specifying regional endpoints when creating the service
# client as shown in:
# https://googleapis.dev/python/google-api-core/latest/client_options.html
from google.cloud import kms_v1
def sample_create_ekm_connection():
 # Create a client
 client = kms_v1.EkmServiceClient()
 # Initialize request argument(s)
 request = kms_v1.CreateEkmConnectionRequest(
 parent="parent_value",
 ekm_connection_id="ekm_connection_id_value",
 )
 # Make the request
 response = client.create_ekm_connection(request=request)
 # Handle the response
 print(response)
Parameters
Name Description
request Union[google.cloud.kms_v1.types.CreateEkmConnectionRequest, dict]

The request object. Request message for EkmService.CreateEkmConnection.

parent str

Required. The resource name of the location associated with the EkmConnection, in the format projects//locations/. This corresponds to the parent field on the request instance; if request is provided, this should not be set.

ekm_connection_id str

Required. It must be unique within a location and match the regular expression [a-zA-Z0-9_-]{1,63}. This corresponds to the ekm_connection_id field on the request instance; if request is provided, this should not be set.

ekm_connection google.cloud.kms_v1.types.EkmConnection

Required. An EkmConnection with initial field values. This corresponds to the ekm_connection field on the request instance; if request is provided, this should not be set.

retry google.api_core.retry.Retry

Designation of what errors, if any, should be retried.

timeout float

The timeout for this request.

metadata Sequence[Tuple[str, str]]

Strings which should be sent along with the request as metadata.

Returns
Type Description
google.cloud.kms_v1.types.EkmConnection An EkmConnection represents an individual EKM connection. It can be used for creating CryptoKeys and CryptoKeyVersions with a ProtectionLevel of EXTERNAL_VPC][CryptoKeyVersion.ProtectionLevel.EXTERNAL_VPC], as well as performing cryptographic operations using keys created within the EkmConnection.

ekm_connection_path

ekm_connection_path(project: str, location: str, ekm_connection: str)

Returns a fully-qualified ekm_connection string.

from_service_account_file

from_service_account_file(filename: str, *args, **kwargs)

Creates an instance of this client using the provided credentials file.

Parameter
Name Description
filename str

The path to the service account private key json file.

Returns
Type Description
EkmServiceClient The constructed client.

from_service_account_info

from_service_account_info(info: dict, *args, **kwargs)

Creates an instance of this client using the provided credentials info.

Parameter
Name Description
info dict

The service account private key info.

Returns
Type Description
EkmServiceClient The constructed client.

from_service_account_json

from_service_account_json(filename: str, *args, **kwargs)

Creates an instance of this client using the provided credentials file.

Parameter
Name Description
filename str

The path to the service account private key json file.

Returns
Type Description
EkmServiceClient The constructed client.

get_ekm_connection

get_ekm_connection(request: Optional[Union[google.cloud.kms_v1.types.ekm_service.GetEkmConnectionRequest, dict]] = None, *, name: Optional[str] = None, retry: Union[google.api_core.retry.Retry, google.api_core.gapic_v1.method._MethodDefault] = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Union[float, object] = <_MethodDefault._DEFAULT_VALUE: <object object>>, metadata: Sequence[Tuple[str, str]] = ())

Returns metadata for a given xref_EkmConnection.

# This snippet has been automatically generated and should be regarded as a
# code template only.
# It will require modifications to work:
# - It may require correct/in-range values for request initialization.
# - It may require specifying regional endpoints when creating the service
# client as shown in:
# https://googleapis.dev/python/google-api-core/latest/client_options.html
from google.cloud import kms_v1
def sample_get_ekm_connection():
 # Create a client
 client = kms_v1.EkmServiceClient()
 # Initialize request argument(s)
 request = kms_v1.GetEkmConnectionRequest(
 name="name_value",
 )
 # Make the request
 response = client.get_ekm_connection(request=request)
 # Handle the response
 print(response)
Parameters
Name Description
request Union[google.cloud.kms_v1.types.GetEkmConnectionRequest, dict]

The request object. Request message for EkmService.GetEkmConnection.

name str

Required. The name of the EkmConnection to get. This corresponds to the name field on the request instance; if request is provided, this should not be set.

retry google.api_core.retry.Retry

Designation of what errors, if any, should be retried.

timeout float

The timeout for this request.

metadata Sequence[Tuple[str, str]]

Strings which should be sent along with the request as metadata.

Returns
Type Description
google.cloud.kms_v1.types.EkmConnection An EkmConnection represents an individual EKM connection. It can be used for creating CryptoKeys and CryptoKeyVersions with a ProtectionLevel of EXTERNAL_VPC][CryptoKeyVersion.ProtectionLevel.EXTERNAL_VPC], as well as performing cryptographic operations using keys created within the EkmConnection.

get_iam_policy

get_iam_policy(request: Optional[google.iam.v1.iam_policy_pb2.GetIamPolicyRequest] = None, *, retry: Union[google.api_core.retry.Retry, google.api_core.gapic_v1.method._MethodDefault] = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Union[float, object] = <_MethodDefault._DEFAULT_VALUE: <object object>>, metadata: Sequence[Tuple[str, str]] = ())

Gets the IAM access control policy for a function.

Returns an empty policy if the function exists and does not have a policy set.

Parameters
Name Description
request .iam_policy_pb2.GetIamPolicyRequest

The request object. Request message for GetIamPolicy method.

retry google.api_core.retry.Retry

Designation of what errors, if any, should be retried.

timeout float

The timeout for this request.

metadata Sequence[Tuple[str, str]]

Strings which should be sent along with the request as metadata.

Returns
Type Description
.policy_pb2.Policy Defines an Identity and Access Management (IAM) policy. It is used to specify access control policies for Cloud Platform resources. A Policy is a collection of bindings. A binding binds one or more members to a single role. Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). A role is a named list of permissions (defined by IAM or configured by users). A binding can optionally specify a condition, which is a logic expression that further constrains the role binding based on attributes about the request and/or target resource. **JSON Example**:: { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": ["user:eve@example.com"], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020年10月01日t00:00:00.000z')",="" }="" }="" ]="" }="" **yaml="" example**="" ::="" bindings:="" -="" members:="" -="" user:mike@example.com="" -="" group:admins@example.com="" -="" domain:google.com="" -="" serviceaccount:my-project-id@appspot.gserviceaccount.com="" role:="" roles/resourcemanager.organizationadmin="" -="" members:="" -="" user:eve@example.com="" role:="" roles/resourcemanager.organizationviewer="" condition:="" title:="" expirable="" access="" description:="" does="" not="" grant="" access="" after="" sep="" 2020="" expression:="" request.time="">< timestamp('2020年10月01日t00:00:00.000z')="" for="" a="" description="" of="" iam="" and="" its="" features,="" see="" the="">IAM developer's guide __.

get_mtls_endpoint_and_cert_source

get_mtls_endpoint_and_cert_source(
 client_options: Optional[google.api_core.client_options.ClientOptions] = None,
)

Return the API endpoint and client cert source for mutual TLS.

The client cert source is determined in the following order: (1) if GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable is not "true", the client cert source is None. (2) if client_options.client_cert_source is provided, use the provided one; if the default client cert source exists, use the default one; otherwise the client cert source is None.

The API endpoint is determined in the following order: (1) if client_options.api_endpoint if provided, use the provided one. (2) if GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable is "always", use the default mTLS endpoint; if the environment variable is "never", use the default API endpoint; otherwise if client cert source exists, use the default mTLS endpoint, otherwise use the default API endpoint.

More details can be found at https://google.aip.dev/auth/4114.

Parameter
Name Description
client_options google.api_core.client_options.ClientOptions

Custom options for the client. Only the api_endpoint and client_cert_source properties may be used in this method.

Exceptions
Type Description
google.auth.exceptions.MutualTLSChannelError If any errors happen.
Returns
Type Description
Tuple[str, Callable[[], Tuple[bytes, bytes]]] returns the API endpoint and the client cert source to use.

list_ekm_connections

list_ekm_connections(request: Optional[Union[google.cloud.kms_v1.types.ekm_service.ListEkmConnectionsRequest, dict]] = None, *, parent: Optional[str] = None, retry: Union[google.api_core.retry.Retry, google.api_core.gapic_v1.method._MethodDefault] = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Union[float, object] = <_MethodDefault._DEFAULT_VALUE: <object object>>, metadata: Sequence[Tuple[str, str]] = ())

Lists xref_EkmConnections.

# This snippet has been automatically generated and should be regarded as a
# code template only.
# It will require modifications to work:
# - It may require correct/in-range values for request initialization.
# - It may require specifying regional endpoints when creating the service
# client as shown in:
# https://googleapis.dev/python/google-api-core/latest/client_options.html
from google.cloud import kms_v1
def sample_list_ekm_connections():
 # Create a client
 client = kms_v1.EkmServiceClient()
 # Initialize request argument(s)
 request = kms_v1.ListEkmConnectionsRequest(
 parent="parent_value",
 )
 # Make the request
 page_result = client.list_ekm_connections(request=request)
 # Handle the response
 for response in page_result:
 print(response)
Parameters
Name Description
request Union[google.cloud.kms_v1.types.ListEkmConnectionsRequest, dict]

The request object. Request message for EkmService.ListEkmConnections.

parent str

Required. The resource name of the location associated with the EkmConnections to list, in the format projects//locations/. This corresponds to the parent field on the request instance; if request is provided, this should not be set.

retry google.api_core.retry.Retry

Designation of what errors, if any, should be retried.

timeout float

The timeout for this request.

metadata Sequence[Tuple[str, str]]

Strings which should be sent along with the request as metadata.

Returns
Type Description
google.cloud.kms_v1.services.ekm_service.pagers.ListEkmConnectionsPager Response message for EkmService.ListEkmConnections. Iterating over this object will yield results and resolve additional pages automatically.

parse_common_billing_account_path

parse_common_billing_account_path(path: str)

Parse a billing_account path into its component segments.

parse_common_folder_path

parse_common_folder_path(path: str)

Parse a folder path into its component segments.

parse_common_location_path

parse_common_location_path(path: str)

Parse a location path into its component segments.

parse_common_organization_path

parse_common_organization_path(path: str)

Parse a organization path into its component segments.

parse_common_project_path

parse_common_project_path(path: str)

Parse a project path into its component segments.

parse_ekm_connection_path

parse_ekm_connection_path(path: str)

Parses a ekm_connection path into its component segments.

parse_service_path

parse_service_path(path: str)

Parses a service path into its component segments.

service_path

service_path(project: str, location: str, namespace: str, service: str)

Returns a fully-qualified service string.

set_iam_policy

set_iam_policy(request: Optional[google.iam.v1.iam_policy_pb2.SetIamPolicyRequest] = None, *, retry: Union[google.api_core.retry.Retry, google.api_core.gapic_v1.method._MethodDefault] = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Union[float, object] = <_MethodDefault._DEFAULT_VALUE: <object object>>, metadata: Sequence[Tuple[str, str]] = ())

Sets the IAM access control policy on the specified function.

Replaces any existing policy.

Parameters
Name Description
request .iam_policy_pb2.SetIamPolicyRequest

The request object. Request message for SetIamPolicy method.

retry google.api_core.retry.Retry

Designation of what errors, if any, should be retried.

timeout float

The timeout for this request.

metadata Sequence[Tuple[str, str]]

Strings which should be sent along with the request as metadata.

Returns
Type Description
.policy_pb2.Policy Defines an Identity and Access Management (IAM) policy. It is used to specify access control policies for Cloud Platform resources. A Policy is a collection of bindings. A binding binds one or more members to a single role. Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). A role is a named list of permissions (defined by IAM or configured by users). A binding can optionally specify a condition, which is a logic expression that further constrains the role binding based on attributes about the request and/or target resource. **JSON Example**:: { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": ["user:eve@example.com"], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020年10月01日t00:00:00.000z')",="" }="" }="" ]="" }="" **yaml="" example**="" ::="" bindings:="" -="" members:="" -="" user:mike@example.com="" -="" group:admins@example.com="" -="" domain:google.com="" -="" serviceaccount:my-project-id@appspot.gserviceaccount.com="" role:="" roles/resourcemanager.organizationadmin="" -="" members:="" -="" user:eve@example.com="" role:="" roles/resourcemanager.organizationviewer="" condition:="" title:="" expirable="" access="" description:="" does="" not="" grant="" access="" after="" sep="" 2020="" expression:="" request.time="">< timestamp('2020年10月01日t00:00:00.000z')="" for="" a="" description="" of="" iam="" and="" its="" features,="" see="" the="">IAM developer's guide __.

test_iam_permissions

test_iam_permissions(request: Optional[google.iam.v1.iam_policy_pb2.TestIamPermissionsRequest] = None, *, retry: Union[google.api_core.retry.Retry, google.api_core.gapic_v1.method._MethodDefault] = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Union[float, object] = <_MethodDefault._DEFAULT_VALUE: <object object>>, metadata: Sequence[Tuple[str, str]] = ())

Tests the specified IAM permissions against the IAM access control policy for a function.

If the function does not exist, this will return an empty set of permissions, not a NOT_FOUND error.

Parameters
Name Description
request .iam_policy_pb2.TestIamPermissionsRequest

The request object. Request message for TestIamPermissions method.

retry google.api_core.retry.Retry

Designation of what errors, if any, should be retried.

timeout float

The timeout for this request.

metadata Sequence[Tuple[str, str]]

Strings which should be sent along with the request as metadata.

Returns
Type Description
.iam_policy_pb2.TestIamPermissionsResponse Response message for TestIamPermissions method.

update_ekm_connection

update_ekm_connection(request: Optional[Union[google.cloud.kms_v1.types.ekm_service.UpdateEkmConnectionRequest, dict]] = None, *, ekm_connection: Optional[google.cloud.kms_v1.types.ekm_service.EkmConnection] = None, update_mask: Optional[google.protobuf.field_mask_pb2.FieldMask] = None, retry: Union[google.api_core.retry.Retry, google.api_core.gapic_v1.method._MethodDefault] = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Union[float, object] = <_MethodDefault._DEFAULT_VALUE: <object object>>, metadata: Sequence[Tuple[str, str]] = ())

Updates an xref_EkmConnection's metadata.

# This snippet has been automatically generated and should be regarded as a
# code template only.
# It will require modifications to work:
# - It may require correct/in-range values for request initialization.
# - It may require specifying regional endpoints when creating the service
# client as shown in:
# https://googleapis.dev/python/google-api-core/latest/client_options.html
from google.cloud import kms_v1
def sample_update_ekm_connection():
 # Create a client
 client = kms_v1.EkmServiceClient()
 # Initialize request argument(s)
 request = kms_v1.UpdateEkmConnectionRequest(
 )
 # Make the request
 response = client.update_ekm_connection(request=request)
 # Handle the response
 print(response)
Parameters
Name Description
request Union[google.cloud.kms_v1.types.UpdateEkmConnectionRequest, dict]

The request object. Request message for EkmService.UpdateEkmConnection.

ekm_connection google.cloud.kms_v1.types.EkmConnection

Required. EkmConnection with updated values. This corresponds to the ekm_connection field on the request instance; if request is provided, this should not be set.

update_mask google.protobuf.field_mask_pb2.FieldMask

Required. List of fields to be updated in this request. This corresponds to the update_mask field on the request instance; if request is provided, this should not be set.

retry google.api_core.retry.Retry

Designation of what errors, if any, should be retried.

timeout float

The timeout for this request.

metadata Sequence[Tuple[str, str]]

Strings which should be sent along with the request as metadata.

Returns
Type Description
google.cloud.kms_v1.types.EkmConnection An EkmConnection represents an individual EKM connection. It can be used for creating CryptoKeys and CryptoKeyVersions with a ProtectionLevel of EXTERNAL_VPC][CryptoKeyVersion.ProtectionLevel.EXTERNAL_VPC], as well as performing cryptographic operations using keys created within the EkmConnection.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025年10月30日 UTC.