keyManagementMode property

String? keyManagementMode
getter/setter pair

Describes who can perform control plane operations on the EKM.

If unset, this defaults to MANUAL.

Optional. Possible string values are:

  • "KEY_MANAGEMENT_MODE_UNSPECIFIED" : Not specified.
  • "MANUAL" : EKM-side key management operations on CryptoKeys created with this EkmConnection must be initiated from the EKM directly and cannot be performed from Cloud KMS. This means that:
      • When creating a CryptoKeyVersion associated with this EkmConnection, the caller must supply the key path of pre-existing external key material that will be linked to the CryptoKeyVersion.
      • Destruction of external key material cannot be requested via the Cloud KMS API and must be performed directly in the EKM.
      • Automatic rotation of key material is not supported.
  • "CLOUD_KMS" : All CryptoKeys created with this EkmConnection use EKM-side key management operations initiated from Cloud KMS. This means that:
      • When a CryptoKeyVersion associated with this EkmConnection is created, the EKM automatically generates new key material and a new key path. The caller cannot supply the key path of pre-existing external key material.
      • Destruction of external key material associated with this EkmConnection can be requested by calling DestroyCryptoKeyVersion.
      • Automatic rotation of key material is supported.
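
The rules above can be checked before a change is applied. The following is an added example, not code from the googleapis package: a pre-flight check in plain Dart that resolves the effective mode (unset means MANUAL) and lists which of the documented constraints a planned change would break. `PlannedChange`, `effectiveMode` and `violations` are hypothetical names, the sample plan is constructed, and sending "KEY_MANAGEMENT_MODE_UNSPECIFIED" to manual review is an assumption, since the page does not say how that value is treated.

```dart
// Added example: only the mode strings come from the documentation above.
class PlannedChange {
  final String name;
  final bool createsVersion;
  final String? externalKeyPath; // key path of pre-existing EKM key material
  final bool destroysViaCloudKms; // the change calls DestroyCryptoKeyVersion
  final bool autoRotation;
  const PlannedChange(this.name, {this.createsVersion = false, this.externalKeyPath,
      this.destroysViaCloudKms = false, this.autoRotation = false});
}

// An unset keyManagementMode defaults to MANUAL.
String effectiveMode(String? mode) => mode ?? 'MANUAL';

// Returns one message per documented rule of the effective mode that is broken.
List<String> violations(String? mode, PlannedChange c) {
  final m = effectiveMode(mode);
  final out = <String>[];
  final hasPath = (c.externalKeyPath ?? '').isNotEmpty;
  switch (m) {
    case 'MANUAL':
      if (c.createsVersion && !hasPath)
        out.add('${c.name}: MANUAL requires the key path of existing key material');
      if (c.destroysViaCloudKms)
        out.add('${c.name}: MANUAL requires destruction to be done in the EKM');
      if (c.autoRotation)
        out.add('${c.name}: MANUAL does not support automatic rotation');
      break;
    case 'CLOUD_KMS':
      if (c.createsVersion && hasPath)
        out.add('${c.name}: CLOUD_KMS generates the key path; none may be supplied');
      break;
    default: // assumption: any other value goes to manual review
      out.add('${c.name}: mode "$m" is neither MANUAL nor CLOUD_KMS');
  }
  return out;
}

void main() {
  // Constructed sample plan, evaluated against an unset mode and CLOUD_KMS.
  const plan = [
    PlannedChange('new-version', createsVersion: true, externalKeyPath: 'v0/example'),
    PlannedChange('rotate-and-destroy', destroysViaCloudKms: true, autoRotation: true),
  ];
  for (final mode in <String?>[null, 'CLOUD_KMS']) {
    for (final c in plan) violations(mode, c).forEach(print);
  }
}
```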

Implementation

core.String? keyManagementMode;