Class: Google::Cloud::Kms::V1::EkmConnection

Inherits:
Object
  • Object
Extended by:
Protobuf::MessageExts::ClassMethods
Includes:
Protobuf::MessageExts
Defined in:
proto_docs/google/cloud/kms/v1/ekm_service.rb

Overview

An EkmConnection represents an individual EKM connection. It can be used for creating CryptoKeys and CryptoKeyVersions with a ProtectionLevel of EXTERNAL_VPC (CryptoKeyVersion.ProtectionLevel.EXTERNAL_VPC), as well as performing cryptographic operations using keys created within the EkmConnection.

Defined Under Namespace

Modules: KeyManagementMode Classes: ServiceResolver

Instance Attribute Summary collapse

Instance Attribute Details

#create_time::Google::Protobuf::Timestamp (readonly)

Returns Output only. The time at which the EkmConnection was created.

Returns:



# File 'proto_docs/google/cloud/kms/v1/ekm_service.rb', line 231

# An EkmConnection represents an individual EKM connection. The body shown here
# mixes in the protobuf message extensions and declares the nested
# ServiceResolver message class and the KeyManagementMode constants.
class EkmConnection
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # A {::Google::Cloud::Kms::V1::EkmConnection::ServiceResolver ServiceResolver}
  # represents an EKM replica that can be reached within an
  # {::Google::Cloud::Kms::V1::EkmConnection EkmConnection}.
  # @!attribute [rw] service_directory_service
  #   @return [::String]
  #     Required. The resource name of the Service Directory service pointing to
  #     an EKM replica, in the format
  #     `projects/*/locations/*/namespaces/*/services/*`.
  # @!attribute [rw] endpoint_filter
  #   @return [::String]
  #     Optional. The filter applied to the endpoints of the resolved service. If
  #     no filter is specified, all endpoints will be considered. An endpoint
  #     will be chosen arbitrarily from the filtered list for each request.
  #
  #     NOTE(review): with no filter, any endpoint registered under the Service
  #     Directory service can be selected, so each registered endpoint should
  #     be an intended EKM replica; confirm how registrations are controlled.
  #
  #     For endpoint filter syntax and examples, see
  #     https://cloud.google.com/service-directory/docs/reference/rpc/google.cloud.servicedirectory.v1#resolveservicerequest.
  # @!attribute [rw] hostname
  #   @return [::String]
  #     Required. The hostname of the EKM replica used at TLS and HTTP layers.
  # @!attribute [rw] server_certificates
  #   @return [::Array<::Google::Cloud::Kms::V1::Certificate>]
  #     Required. A list of leaf server certificates used to authenticate HTTPS
  #     connections to the EKM replica. Currently, a maximum of 10
  #     {::Google::Cloud::Kms::V1::Certificate Certificates} is supported.
  #
  #     NOTE(review): these are leaf certificates rather than CA certificates,
  #     so renewing the EKM replica's certificate presumably requires updating
  #     this list as well; confirm against the Cloud KMS documentation.
  class ServiceResolver
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # {::Google::Cloud::Kms::V1::EkmConnection::KeyManagementMode KeyManagementMode}
  # describes who can perform control plane cryptographic operations using this
  # {::Google::Cloud::Kms::V1::EkmConnection EkmConnection}.
  module KeyManagementMode
    # Not specified. The `key_management_mode` field documentation states that
    # an unset mode defaults to MANUAL.
    KEY_MANAGEMENT_MODE_UNSPECIFIED = 0

    # EKM-side key management operations on
    # {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} created with this
    # {::Google::Cloud::Kms::V1::EkmConnection EkmConnection} must be initiated from
    # the EKM directly and cannot be performed from Cloud KMS. This means that:
    # * When creating a
    #   {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} associated
    #   with this {::Google::Cloud::Kms::V1::EkmConnection EkmConnection}, the
    #   caller must supply the key path of pre-existing external key material
    #   that will be linked to the
    #   {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}.
    # * Destruction of external key material cannot be requested via the
    #   Cloud KMS API and must be performed directly in the EKM.
    # * Automatic rotation of key material is not supported.
    #
    # NOTE(review): because destruction must be performed in the EKM, removing
    # a key version on the Cloud KMS side presumably leaves the external key
    # material in place; confirm and plan key retirement in the EKM accordingly.
    MANUAL = 1

    # All {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} created with this
    # {::Google::Cloud::Kms::V1::EkmConnection EkmConnection} use EKM-side key
    # management operations initiated from Cloud KMS. This means that:
    # * When a {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}
    #   associated with this
    #   {::Google::Cloud::Kms::V1::EkmConnection EkmConnection} is created, the
    #   EKM automatically generates new key material and a new key path. The
    #   caller cannot supply the key path of pre-existing external key material.
    # * Destruction of external key material associated with this
    #   {::Google::Cloud::Kms::V1::EkmConnection EkmConnection} can be requested by
    #   calling [DestroyCryptoKeyVersion][EkmService.DestroyCryptoKeyVersion].
    # * Automatic rotation of key material is supported.
    #
    # The `crypto_space_path` field is documented as required when this mode
    # is used.
    CLOUD_KMS = 2
  end
end

#crypto_space_path::String

Returns Optional. Identifies the EKM Crypto Space that this EkmConnection maps to. Note: This field is required if KeyManagementMode is CLOUD_KMS.

Returns:



# File 'proto_docs/google/cloud/kms/v1/ekm_service.rb', line 231

# An EkmConnection represents an individual EKM connection. The body shown here
# mixes in the protobuf message extensions and declares the nested
# ServiceResolver message class and the KeyManagementMode constants.
class EkmConnection
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # A {::Google::Cloud::Kms::V1::EkmConnection::ServiceResolver ServiceResolver}
  # represents an EKM replica that can be reached within an
  # {::Google::Cloud::Kms::V1::EkmConnection EkmConnection}.
  # @!attribute [rw] service_directory_service
  #   @return [::String]
  #     Required. The resource name of the Service Directory service pointing to
  #     an EKM replica, in the format
  #     `projects/*/locations/*/namespaces/*/services/*`.
  # @!attribute [rw] endpoint_filter
  #   @return [::String]
  #     Optional. The filter applied to the endpoints of the resolved service. If
  #     no filter is specified, all endpoints will be considered. An endpoint
  #     will be chosen arbitrarily from the filtered list for each request.
  #
  #     NOTE(review): with no filter, any endpoint registered under the Service
  #     Directory service can be selected, so each registered endpoint should
  #     be an intended EKM replica; confirm how registrations are controlled.
  #
  #     For endpoint filter syntax and examples, see
  #     https://cloud.google.com/service-directory/docs/reference/rpc/google.cloud.servicedirectory.v1#resolveservicerequest.
  # @!attribute [rw] hostname
  #   @return [::String]
  #     Required. The hostname of the EKM replica used at TLS and HTTP layers.
  # @!attribute [rw] server_certificates
  #   @return [::Array<::Google::Cloud::Kms::V1::Certificate>]
  #     Required. A list of leaf server certificates used to authenticate HTTPS
  #     connections to the EKM replica. Currently, a maximum of 10
  #     {::Google::Cloud::Kms::V1::Certificate Certificates} is supported.
  #
  #     NOTE(review): these are leaf certificates rather than CA certificates,
  #     so renewing the EKM replica's certificate presumably requires updating
  #     this list as well; confirm against the Cloud KMS documentation.
  class ServiceResolver
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # {::Google::Cloud::Kms::V1::EkmConnection::KeyManagementMode KeyManagementMode}
  # describes who can perform control plane cryptographic operations using this
  # {::Google::Cloud::Kms::V1::EkmConnection EkmConnection}.
  module KeyManagementMode
    # Not specified. The `key_management_mode` field documentation states that
    # an unset mode defaults to MANUAL.
    KEY_MANAGEMENT_MODE_UNSPECIFIED = 0

    # EKM-side key management operations on
    # {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} created with this
    # {::Google::Cloud::Kms::V1::EkmConnection EkmConnection} must be initiated from
    # the EKM directly and cannot be performed from Cloud KMS. This means that:
    # * When creating a
    #   {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} associated
    #   with this {::Google::Cloud::Kms::V1::EkmConnection EkmConnection}, the
    #   caller must supply the key path of pre-existing external key material
    #   that will be linked to the
    #   {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}.
    # * Destruction of external key material cannot be requested via the
    #   Cloud KMS API and must be performed directly in the EKM.
    # * Automatic rotation of key material is not supported.
    #
    # NOTE(review): because destruction must be performed in the EKM, removing
    # a key version on the Cloud KMS side presumably leaves the external key
    # material in place; confirm and plan key retirement in the EKM accordingly.
    MANUAL = 1

    # All {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} created with this
    # {::Google::Cloud::Kms::V1::EkmConnection EkmConnection} use EKM-side key
    # management operations initiated from Cloud KMS. This means that:
    # * When a {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}
    #   associated with this
    #   {::Google::Cloud::Kms::V1::EkmConnection EkmConnection} is created, the
    #   EKM automatically generates new key material and a new key path. The
    #   caller cannot supply the key path of pre-existing external key material.
    # * Destruction of external key material associated with this
    #   {::Google::Cloud::Kms::V1::EkmConnection EkmConnection} can be requested by
    #   calling [DestroyCryptoKeyVersion][EkmService.DestroyCryptoKeyVersion].
    # * Automatic rotation of key material is supported.
    #
    # The `crypto_space_path` field is documented as required when this mode
    # is used.
    CLOUD_KMS = 2
  end
end

#etag::String

Returns Optional. Etag of the currently stored EkmConnection.

Returns:

  • (::String)

    Optional. Etag of the currently stored EkmConnection.



# File 'proto_docs/google/cloud/kms/v1/ekm_service.rb', line 231

# An EkmConnection represents an individual EKM connection. The body shown here
# mixes in the protobuf message extensions and declares the nested
# ServiceResolver message class and the KeyManagementMode constants.
class EkmConnection
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # A {::Google::Cloud::Kms::V1::EkmConnection::ServiceResolver ServiceResolver}
  # represents an EKM replica that can be reached within an
  # {::Google::Cloud::Kms::V1::EkmConnection EkmConnection}.
  # @!attribute [rw] service_directory_service
  #   @return [::String]
  #     Required. The resource name of the Service Directory service pointing to
  #     an EKM replica, in the format
  #     `projects/*/locations/*/namespaces/*/services/*`.
  # @!attribute [rw] endpoint_filter
  #   @return [::String]
  #     Optional. The filter applied to the endpoints of the resolved service. If
  #     no filter is specified, all endpoints will be considered. An endpoint
  #     will be chosen arbitrarily from the filtered list for each request.
  #
  #     NOTE(review): with no filter, any endpoint registered under the Service
  #     Directory service can be selected, so each registered endpoint should
  #     be an intended EKM replica; confirm how registrations are controlled.
  #
  #     For endpoint filter syntax and examples, see
  #     https://cloud.google.com/service-directory/docs/reference/rpc/google.cloud.servicedirectory.v1#resolveservicerequest.
  # @!attribute [rw] hostname
  #   @return [::String]
  #     Required. The hostname of the EKM replica used at TLS and HTTP layers.
  # @!attribute [rw] server_certificates
  #   @return [::Array<::Google::Cloud::Kms::V1::Certificate>]
  #     Required. A list of leaf server certificates used to authenticate HTTPS
  #     connections to the EKM replica. Currently, a maximum of 10
  #     {::Google::Cloud::Kms::V1::Certificate Certificates} is supported.
  #
  #     NOTE(review): these are leaf certificates rather than CA certificates,
  #     so renewing the EKM replica's certificate presumably requires updating
  #     this list as well; confirm against the Cloud KMS documentation.
  class ServiceResolver
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # {::Google::Cloud::Kms::V1::EkmConnection::KeyManagementMode KeyManagementMode}
  # describes who can perform control plane cryptographic operations using this
  # {::Google::Cloud::Kms::V1::EkmConnection EkmConnection}.
  module KeyManagementMode
    # Not specified. The `key_management_mode` field documentation states that
    # an unset mode defaults to MANUAL.
    KEY_MANAGEMENT_MODE_UNSPECIFIED = 0

    # EKM-side key management operations on
    # {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} created with this
    # {::Google::Cloud::Kms::V1::EkmConnection EkmConnection} must be initiated from
    # the EKM directly and cannot be performed from Cloud KMS. This means that:
    # * When creating a
    #   {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} associated
    #   with this {::Google::Cloud::Kms::V1::EkmConnection EkmConnection}, the
    #   caller must supply the key path of pre-existing external key material
    #   that will be linked to the
    #   {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}.
    # * Destruction of external key material cannot be requested via the
    #   Cloud KMS API and must be performed directly in the EKM.
    # * Automatic rotation of key material is not supported.
    #
    # NOTE(review): because destruction must be performed in the EKM, removing
    # a key version on the Cloud KMS side presumably leaves the external key
    # material in place; confirm and plan key retirement in the EKM accordingly.
    MANUAL = 1

    # All {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} created with this
    # {::Google::Cloud::Kms::V1::EkmConnection EkmConnection} use EKM-side key
    # management operations initiated from Cloud KMS. This means that:
    # * When a {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}
    #   associated with this
    #   {::Google::Cloud::Kms::V1::EkmConnection EkmConnection} is created, the
    #   EKM automatically generates new key material and a new key path. The
    #   caller cannot supply the key path of pre-existing external key material.
    # * Destruction of external key material associated with this
    #   {::Google::Cloud::Kms::V1::EkmConnection EkmConnection} can be requested by
    #   calling [DestroyCryptoKeyVersion][EkmService.DestroyCryptoKeyVersion].
    # * Automatic rotation of key material is supported.
    #
    # The `crypto_space_path` field is documented as required when this mode
    # is used.
    CLOUD_KMS = 2
  end
end

#key_management_mode::Google::Cloud::Kms::V1::EkmConnection::KeyManagementMode

Returns Optional. Describes who can perform control plane operations on the EKM. If unset, this defaults to MANUAL.

Returns:



# File 'proto_docs/google/cloud/kms/v1/ekm_service.rb', line 231

# An EkmConnection represents an individual EKM connection. The body shown here
# mixes in the protobuf message extensions and declares the nested
# ServiceResolver message class and the KeyManagementMode constants.
class EkmConnection
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # A {::Google::Cloud::Kms::V1::EkmConnection::ServiceResolver ServiceResolver}
  # represents an EKM replica that can be reached within an
  # {::Google::Cloud::Kms::V1::EkmConnection EkmConnection}.
  # @!attribute [rw] service_directory_service
  #   @return [::String]
  #     Required. The resource name of the Service Directory service pointing to
  #     an EKM replica, in the format
  #     `projects/*/locations/*/namespaces/*/services/*`.
  # @!attribute [rw] endpoint_filter
  #   @return [::String]
  #     Optional. The filter applied to the endpoints of the resolved service. If
  #     no filter is specified, all endpoints will be considered. An endpoint
  #     will be chosen arbitrarily from the filtered list for each request.
  #
  #     NOTE(review): with no filter, any endpoint registered under the Service
  #     Directory service can be selected, so each registered endpoint should
  #     be an intended EKM replica; confirm how registrations are controlled.
  #
  #     For endpoint filter syntax and examples, see
  #     https://cloud.google.com/service-directory/docs/reference/rpc/google.cloud.servicedirectory.v1#resolveservicerequest.
  # @!attribute [rw] hostname
  #   @return [::String]
  #     Required. The hostname of the EKM replica used at TLS and HTTP layers.
  # @!attribute [rw] server_certificates
  #   @return [::Array<::Google::Cloud::Kms::V1::Certificate>]
  #     Required. A list of leaf server certificates used to authenticate HTTPS
  #     connections to the EKM replica. Currently, a maximum of 10
  #     {::Google::Cloud::Kms::V1::Certificate Certificates} is supported.
  #
  #     NOTE(review): these are leaf certificates rather than CA certificates,
  #     so renewing the EKM replica's certificate presumably requires updating
  #     this list as well; confirm against the Cloud KMS documentation.
  class ServiceResolver
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # {::Google::Cloud::Kms::V1::EkmConnection::KeyManagementMode KeyManagementMode}
  # describes who can perform control plane cryptographic operations using this
  # {::Google::Cloud::Kms::V1::EkmConnection EkmConnection}.
  module KeyManagementMode
    # Not specified. The `key_management_mode` field documentation states that
    # an unset mode defaults to MANUAL.
    KEY_MANAGEMENT_MODE_UNSPECIFIED = 0

    # EKM-side key management operations on
    # {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} created with this
    # {::Google::Cloud::Kms::V1::EkmConnection EkmConnection} must be initiated from
    # the EKM directly and cannot be performed from Cloud KMS. This means that:
    # * When creating a
    #   {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} associated
    #   with this {::Google::Cloud::Kms::V1::EkmConnection EkmConnection}, the
    #   caller must supply the key path of pre-existing external key material
    #   that will be linked to the
    #   {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}.
    # * Destruction of external key material cannot be requested via the
    #   Cloud KMS API and must be performed directly in the EKM.
    # * Automatic rotation of key material is not supported.
    #
    # NOTE(review): because destruction must be performed in the EKM, removing
    # a key version on the Cloud KMS side presumably leaves the external key
    # material in place; confirm and plan key retirement in the EKM accordingly.
    MANUAL = 1

    # All {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} created with this
    # {::Google::Cloud::Kms::V1::EkmConnection EkmConnection} use EKM-side key
    # management operations initiated from Cloud KMS. This means that:
    # * When a {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}
    #   associated with this
    #   {::Google::Cloud::Kms::V1::EkmConnection EkmConnection} is created, the
    #   EKM automatically generates new key material and a new key path. The
    #   caller cannot supply the key path of pre-existing external key material.
    # * Destruction of external key material associated with this
    #   {::Google::Cloud::Kms::V1::EkmConnection EkmConnection} can be requested by
    #   calling [DestroyCryptoKeyVersion][EkmService.DestroyCryptoKeyVersion].
    # * Automatic rotation of key material is supported.
    #
    # The `crypto_space_path` field is documented as required when this mode
    # is used.
    CLOUD_KMS = 2
  end
end

#name::String (readonly)

Returns Output only. The resource name for the EkmConnection in the format projects/*/locations/*/ekmConnections/*.

Returns:

  • (::String)

    Output only. The resource name for the EkmConnection in the format projects/*/locations/*/ekmConnections/*.



# File 'proto_docs/google/cloud/kms/v1/ekm_service.rb', line 231

# An EkmConnection represents an individual EKM connection. The body shown here
# mixes in the protobuf message extensions and declares the nested
# ServiceResolver message class and the KeyManagementMode constants.
class EkmConnection
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # A {::Google::Cloud::Kms::V1::EkmConnection::ServiceResolver ServiceResolver}
  # represents an EKM replica that can be reached within an
  # {::Google::Cloud::Kms::V1::EkmConnection EkmConnection}.
  # @!attribute [rw] service_directory_service
  #   @return [::String]
  #     Required. The resource name of the Service Directory service pointing to
  #     an EKM replica, in the format
  #     `projects/*/locations/*/namespaces/*/services/*`.
  # @!attribute [rw] endpoint_filter
  #   @return [::String]
  #     Optional. The filter applied to the endpoints of the resolved service. If
  #     no filter is specified, all endpoints will be considered. An endpoint
  #     will be chosen arbitrarily from the filtered list for each request.
  #
  #     NOTE(review): with no filter, any endpoint registered under the Service
  #     Directory service can be selected, so each registered endpoint should
  #     be an intended EKM replica; confirm how registrations are controlled.
  #
  #     For endpoint filter syntax and examples, see
  #     https://cloud.google.com/service-directory/docs/reference/rpc/google.cloud.servicedirectory.v1#resolveservicerequest.
  # @!attribute [rw] hostname
  #   @return [::String]
  #     Required. The hostname of the EKM replica used at TLS and HTTP layers.
  # @!attribute [rw] server_certificates
  #   @return [::Array<::Google::Cloud::Kms::V1::Certificate>]
  #     Required. A list of leaf server certificates used to authenticate HTTPS
  #     connections to the EKM replica. Currently, a maximum of 10
  #     {::Google::Cloud::Kms::V1::Certificate Certificates} is supported.
  #
  #     NOTE(review): these are leaf certificates rather than CA certificates,
  #     so renewing the EKM replica's certificate presumably requires updating
  #     this list as well; confirm against the Cloud KMS documentation.
  class ServiceResolver
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # {::Google::Cloud::Kms::V1::EkmConnection::KeyManagementMode KeyManagementMode}
  # describes who can perform control plane cryptographic operations using this
  # {::Google::Cloud::Kms::V1::EkmConnection EkmConnection}.
  module KeyManagementMode
    # Not specified. The `key_management_mode` field documentation states that
    # an unset mode defaults to MANUAL.
    KEY_MANAGEMENT_MODE_UNSPECIFIED = 0

    # EKM-side key management operations on
    # {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} created with this
    # {::Google::Cloud::Kms::V1::EkmConnection EkmConnection} must be initiated from
    # the EKM directly and cannot be performed from Cloud KMS. This means that:
    # * When creating a
    #   {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} associated
    #   with this {::Google::Cloud::Kms::V1::EkmConnection EkmConnection}, the
    #   caller must supply the key path of pre-existing external key material
    #   that will be linked to the
    #   {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}.
    # * Destruction of external key material cannot be requested via the
    #   Cloud KMS API and must be performed directly in the EKM.
    # * Automatic rotation of key material is not supported.
    #
    # NOTE(review): because destruction must be performed in the EKM, removing
    # a key version on the Cloud KMS side presumably leaves the external key
    # material in place; confirm and plan key retirement in the EKM accordingly.
    MANUAL = 1

    # All {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} created with this
    # {::Google::Cloud::Kms::V1::EkmConnection EkmConnection} use EKM-side key
    # management operations initiated from Cloud KMS. This means that:
    # * When a {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}
    #   associated with this
    #   {::Google::Cloud::Kms::V1::EkmConnection EkmConnection} is created, the
    #   EKM automatically generates new key material and a new key path. The
    #   caller cannot supply the key path of pre-existing external key material.
    # * Destruction of external key material associated with this
    #   {::Google::Cloud::Kms::V1::EkmConnection EkmConnection} can be requested by
    #   calling [DestroyCryptoKeyVersion][EkmService.DestroyCryptoKeyVersion].
    # * Automatic rotation of key material is supported.
    #
    # The `crypto_space_path` field is documented as required when this mode
    # is used.
    CLOUD_KMS = 2
  end
end

#service_resolvers::Array<::Google::Cloud::Kms::V1::EkmConnection::ServiceResolver>

Returns Optional. A list of ServiceResolvers where the EKM can be reached. There should be one ServiceResolver per EKM replica. Currently, only a single ServiceResolver is supported.

Returns:



# File 'proto_docs/google/cloud/kms/v1/ekm_service.rb', line 231

# An EkmConnection represents an individual EKM connection. The body shown here
# mixes in the protobuf message extensions and declares the nested
# ServiceResolver message class and the KeyManagementMode constants.
class EkmConnection
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # A {::Google::Cloud::Kms::V1::EkmConnection::ServiceResolver ServiceResolver}
  # represents an EKM replica that can be reached within an
  # {::Google::Cloud::Kms::V1::EkmConnection EkmConnection}.
  # @!attribute [rw] service_directory_service
  #   @return [::String]
  #     Required. The resource name of the Service Directory service pointing to
  #     an EKM replica, in the format
  #     `projects/*/locations/*/namespaces/*/services/*`.
  # @!attribute [rw] endpoint_filter
  #   @return [::String]
  #     Optional. The filter applied to the endpoints of the resolved service. If
  #     no filter is specified, all endpoints will be considered. An endpoint
  #     will be chosen arbitrarily from the filtered list for each request.
  #
  #     NOTE(review): with no filter, any endpoint registered under the Service
  #     Directory service can be selected, so each registered endpoint should
  #     be an intended EKM replica; confirm how registrations are controlled.
  #
  #     For endpoint filter syntax and examples, see
  #     https://cloud.google.com/service-directory/docs/reference/rpc/google.cloud.servicedirectory.v1#resolveservicerequest.
  # @!attribute [rw] hostname
  #   @return [::String]
  #     Required. The hostname of the EKM replica used at TLS and HTTP layers.
  # @!attribute [rw] server_certificates
  #   @return [::Array<::Google::Cloud::Kms::V1::Certificate>]
  #     Required. A list of leaf server certificates used to authenticate HTTPS
  #     connections to the EKM replica. Currently, a maximum of 10
  #     {::Google::Cloud::Kms::V1::Certificate Certificates} is supported.
  #
  #     NOTE(review): these are leaf certificates rather than CA certificates,
  #     so renewing the EKM replica's certificate presumably requires updating
  #     this list as well; confirm against the Cloud KMS documentation.
  class ServiceResolver
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # {::Google::Cloud::Kms::V1::EkmConnection::KeyManagementMode KeyManagementMode}
  # describes who can perform control plane cryptographic operations using this
  # {::Google::Cloud::Kms::V1::EkmConnection EkmConnection}.
  module KeyManagementMode
    # Not specified. The `key_management_mode` field documentation states that
    # an unset mode defaults to MANUAL.
    KEY_MANAGEMENT_MODE_UNSPECIFIED = 0

    # EKM-side key management operations on
    # {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} created with this
    # {::Google::Cloud::Kms::V1::EkmConnection EkmConnection} must be initiated from
    # the EKM directly and cannot be performed from Cloud KMS. This means that:
    # * When creating a
    #   {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} associated
    #   with this {::Google::Cloud::Kms::V1::EkmConnection EkmConnection}, the
    #   caller must supply the key path of pre-existing external key material
    #   that will be linked to the
    #   {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}.
    # * Destruction of external key material cannot be requested via the
    #   Cloud KMS API and must be performed directly in the EKM.
    # * Automatic rotation of key material is not supported.
    #
    # NOTE(review): because destruction must be performed in the EKM, removing
    # a key version on the Cloud KMS side presumably leaves the external key
    # material in place; confirm and plan key retirement in the EKM accordingly.
    MANUAL = 1

    # All {::Google::Cloud::Kms::V1::CryptoKey CryptoKeys} created with this
    # {::Google::Cloud::Kms::V1::EkmConnection EkmConnection} use EKM-side key
    # management operations initiated from Cloud KMS. This means that:
    # * When a {::Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}
    #   associated with this
    #   {::Google::Cloud::Kms::V1::EkmConnection EkmConnection} is created, the
    #   EKM automatically generates new key material and a new key path. The
    #   caller cannot supply the key path of pre-existing external key material.
    # * Destruction of external key material associated with this
    #   {::Google::Cloud::Kms::V1::EkmConnection EkmConnection} can be requested by
    #   calling [DestroyCryptoKeyVersion][EkmService.DestroyCryptoKeyVersion].
    # * Automatic rotation of key material is supported.
    #
    # The `crypto_space_path` field is documented as required when this mode
    # is used.
    CLOUD_KMS = 2
  end
end