feat(cloudkms): update the api

yoshi-automation · yoshi-automation · commit 223c4dc8fb47 · 2024-06-18T07:08:21.000Z
#### cloudkms:v1

The following keys were added:
- schemas.CryptoKey.properties.keyAccessJustificationsPolicy.$ref (Total Keys: 1)
- schemas.KeyAccessJustificationsPolicy (Total Keys: 4)

The following keys were changed:
- endpoints (Total Keys: 1)
diff --git a/docs/dyn/cloudkms_v1.projects.locations.keyRings.cryptoKeys.html b/docs/dyn/cloudkms_v1.projects.locations.keyRings.cryptoKeys.html
@@ -135,6 +135,11 @@ <h3>Method Details</h3>
   &quot;cryptoKeyBackend&quot;: &quot;A String&quot;, # Immutable. The resource name of the backend environment where the key material for all CryptoKeyVersions associated with this CryptoKey reside and where all related cryptographic operations are performed. Only applicable if CryptoKeyVersions have a ProtectionLevel of EXTERNAL_VPC, with the resource name in the format `projects/*/locations/*/ekmConnections/*`. Note, this list is non-exhaustive and may apply to additional ProtectionLevels in the future.
   &quot;destroyScheduledDuration&quot;: &quot;A String&quot;, # Immutable. The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
   &quot;importOnly&quot;: True or False, # Immutable. Whether this key may contain imported versions only.
+  &quot;keyAccessJustificationsPolicy&quot;: { # A KeyAccessJustificationsPolicy specifies zero or more allowed AccessReason values for Encrypt, Decrypt, and Sign requests on a CryptoKey. # Optional. The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in Encrypt, Decrypt, and Sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed.
+    &quot;allowedAccessReasons&quot;: [ # The list of allowed reasons for access to a CryptoKey. Zero allowed access reasons means all Encrypt, Decrypt, and Sign requests for the CryptoKey associated with this policy will fail.
+      &quot;A String&quot;,
+    ],
+  },
   &quot;labels&quot;: { # Labels with user-defined metadata. For more information, see [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys).
     &quot;a_key&quot;: &quot;A String&quot;,
   },
@@ -198,6 +203,11 @@ <h3>Method Details</h3>
   &quot;cryptoKeyBackend&quot;: &quot;A String&quot;, # Immutable. The resource name of the backend environment where the key material for all CryptoKeyVersions associated with this CryptoKey reside and where all related cryptographic operations are performed. Only applicable if CryptoKeyVersions have a ProtectionLevel of EXTERNAL_VPC, with the resource name in the format `projects/*/locations/*/ekmConnections/*`. Note, this list is non-exhaustive and may apply to additional ProtectionLevels in the future.
   &quot;destroyScheduledDuration&quot;: &quot;A String&quot;, # Immutable. The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
   &quot;importOnly&quot;: True or False, # Immutable. Whether this key may contain imported versions only.
+  &quot;keyAccessJustificationsPolicy&quot;: { # A KeyAccessJustificationsPolicy specifies zero or more allowed AccessReason values for Encrypt, Decrypt, and Sign requests on a CryptoKey. # Optional. The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in Encrypt, Decrypt, and Sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed.
+    &quot;allowedAccessReasons&quot;: [ # The list of allowed reasons for access to a CryptoKey. Zero allowed access reasons means all Encrypt, Decrypt, and Sign requests for the CryptoKey associated with this policy will fail.
+      &quot;A String&quot;,
+    ],
+  },
   &quot;labels&quot;: { # Labels with user-defined metadata. For more information, see [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys).
     &quot;a_key&quot;: &quot;A String&quot;,
   },
@@ -332,6 +342,11 @@ <h3>Method Details</h3>
   &quot;cryptoKeyBackend&quot;: &quot;A String&quot;, # Immutable. The resource name of the backend environment where the key material for all CryptoKeyVersions associated with this CryptoKey reside and where all related cryptographic operations are performed. Only applicable if CryptoKeyVersions have a ProtectionLevel of EXTERNAL_VPC, with the resource name in the format `projects/*/locations/*/ekmConnections/*`. Note, this list is non-exhaustive and may apply to additional ProtectionLevels in the future.
   &quot;destroyScheduledDuration&quot;: &quot;A String&quot;, # Immutable. The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
   &quot;importOnly&quot;: True or False, # Immutable. Whether this key may contain imported versions only.
+  &quot;keyAccessJustificationsPolicy&quot;: { # A KeyAccessJustificationsPolicy specifies zero or more allowed AccessReason values for Encrypt, Decrypt, and Sign requests on a CryptoKey. # Optional. The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in Encrypt, Decrypt, and Sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed.
+    &quot;allowedAccessReasons&quot;: [ # The list of allowed reasons for access to a CryptoKey. Zero allowed access reasons means all Encrypt, Decrypt, and Sign requests for the CryptoKey associated with this policy will fail.
+      &quot;A String&quot;,
+    ],
+  },
   &quot;labels&quot;: { # Labels with user-defined metadata. For more information, see [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys).
     &quot;a_key&quot;: &quot;A String&quot;,
   },
@@ -458,6 +473,11 @@ <h3>Method Details</h3>
       &quot;cryptoKeyBackend&quot;: &quot;A String&quot;, # Immutable. The resource name of the backend environment where the key material for all CryptoKeyVersions associated with this CryptoKey reside and where all related cryptographic operations are performed. Only applicable if CryptoKeyVersions have a ProtectionLevel of EXTERNAL_VPC, with the resource name in the format `projects/*/locations/*/ekmConnections/*`. Note, this list is non-exhaustive and may apply to additional ProtectionLevels in the future.
       &quot;destroyScheduledDuration&quot;: &quot;A String&quot;, # Immutable. The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
       &quot;importOnly&quot;: True or False, # Immutable. Whether this key may contain imported versions only.
+      &quot;keyAccessJustificationsPolicy&quot;: { # A KeyAccessJustificationsPolicy specifies zero or more allowed AccessReason values for Encrypt, Decrypt, and Sign requests on a CryptoKey. # Optional. The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in Encrypt, Decrypt, and Sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed.
+        &quot;allowedAccessReasons&quot;: [ # The list of allowed reasons for access to a CryptoKey. Zero allowed access reasons means all Encrypt, Decrypt, and Sign requests for the CryptoKey associated with this policy will fail.
+          &quot;A String&quot;,
+        ],
+      },
       &quot;labels&quot;: { # Labels with user-defined metadata. For more information, see [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys).
         &quot;a_key&quot;: &quot;A String&quot;,
       },
@@ -539,6 +559,11 @@ <h3>Method Details</h3>
   &quot;cryptoKeyBackend&quot;: &quot;A String&quot;, # Immutable. The resource name of the backend environment where the key material for all CryptoKeyVersions associated with this CryptoKey reside and where all related cryptographic operations are performed. Only applicable if CryptoKeyVersions have a ProtectionLevel of EXTERNAL_VPC, with the resource name in the format `projects/*/locations/*/ekmConnections/*`. Note, this list is non-exhaustive and may apply to additional ProtectionLevels in the future.
   &quot;destroyScheduledDuration&quot;: &quot;A String&quot;, # Immutable. The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
   &quot;importOnly&quot;: True or False, # Immutable. Whether this key may contain imported versions only.
+  &quot;keyAccessJustificationsPolicy&quot;: { # A KeyAccessJustificationsPolicy specifies zero or more allowed AccessReason values for Encrypt, Decrypt, and Sign requests on a CryptoKey. # Optional. The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in Encrypt, Decrypt, and Sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed.
+    &quot;allowedAccessReasons&quot;: [ # The list of allowed reasons for access to a CryptoKey. Zero allowed access reasons means all Encrypt, Decrypt, and Sign requests for the CryptoKey associated with this policy will fail.
+      &quot;A String&quot;,
+    ],
+  },
   &quot;labels&quot;: { # Labels with user-defined metadata. For more information, see [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys).
     &quot;a_key&quot;: &quot;A String&quot;,
   },
@@ -601,6 +626,11 @@ <h3>Method Details</h3>
   &quot;cryptoKeyBackend&quot;: &quot;A String&quot;, # Immutable. The resource name of the backend environment where the key material for all CryptoKeyVersions associated with this CryptoKey reside and where all related cryptographic operations are performed. Only applicable if CryptoKeyVersions have a ProtectionLevel of EXTERNAL_VPC, with the resource name in the format `projects/*/locations/*/ekmConnections/*`. Note, this list is non-exhaustive and may apply to additional ProtectionLevels in the future.
   &quot;destroyScheduledDuration&quot;: &quot;A String&quot;, # Immutable. The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
   &quot;importOnly&quot;: True or False, # Immutable. Whether this key may contain imported versions only.
+  &quot;keyAccessJustificationsPolicy&quot;: { # A KeyAccessJustificationsPolicy specifies zero or more allowed AccessReason values for Encrypt, Decrypt, and Sign requests on a CryptoKey. # Optional. The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in Encrypt, Decrypt, and Sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed.
+    &quot;allowedAccessReasons&quot;: [ # The list of allowed reasons for access to a CryptoKey. Zero allowed access reasons means all Encrypt, Decrypt, and Sign requests for the CryptoKey associated with this policy will fail.
+      &quot;A String&quot;,
+    ],
+  },
   &quot;labels&quot;: { # Labels with user-defined metadata. For more information, see [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys).
     &quot;a_key&quot;: &quot;A String&quot;,
   },
@@ -791,6 +821,11 @@ <h3>Method Details</h3>
   &quot;cryptoKeyBackend&quot;: &quot;A String&quot;, # Immutable. The resource name of the backend environment where the key material for all CryptoKeyVersions associated with this CryptoKey reside and where all related cryptographic operations are performed. Only applicable if CryptoKeyVersions have a ProtectionLevel of EXTERNAL_VPC, with the resource name in the format `projects/*/locations/*/ekmConnections/*`. Note, this list is non-exhaustive and may apply to additional ProtectionLevels in the future.
   &quot;destroyScheduledDuration&quot;: &quot;A String&quot;, # Immutable. The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
   &quot;importOnly&quot;: True or False, # Immutable. Whether this key may contain imported versions only.
+  &quot;keyAccessJustificationsPolicy&quot;: { # A KeyAccessJustificationsPolicy specifies zero or more allowed AccessReason values for Encrypt, Decrypt, and Sign requests on a CryptoKey. # Optional. The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in Encrypt, Decrypt, and Sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed.
+    &quot;allowedAccessReasons&quot;: [ # The list of allowed reasons for access to a CryptoKey. Zero allowed access reasons means all Encrypt, Decrypt, and Sign requests for the CryptoKey associated with this policy will fail.
+      &quot;A String&quot;,
+    ],
+  },
   &quot;labels&quot;: { # Labels with user-defined metadata. For more information, see [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys).
     &quot;a_key&quot;: &quot;A String&quot;,
   },
diff --git a/googleapiclient/discovery_cache/documents/cloudkms.v1.json b/googleapiclient/discovery_cache/documents/cloudkms.v1.json
@@ -33,6 +33,11 @@
 "description": "Regional Endpoint",
 "endpointUrl": "https://cloudkms.me-central2.rep.googleapis.com/",
 "location": "me-central2"
+},
+{
+"description": "Regional Endpoint",
+"endpointUrl": "https://cloudkms.us-east1.rep.googleapis.com/",
+"location": "us-east1"
 }
 ],
 "fullyEncodeReservedExpansion": true,
@@ -2056,7 +2061,7 @@
 }
 }
 },
-"revision": "20240523",
+"revision": "20240611",
 "rootUrl": "https://cloudkms.googleapis.com/",
 "schemas": {
 "AsymmetricDecryptRequest": {
@@ -2381,6 +2386,10 @@
 "description": "Immutable. Whether this key may contain imported versions only.",
 "type": "boolean"
 },
+"keyAccessJustificationsPolicy": {
+"$ref": "KeyAccessJustificationsPolicy",
+"description": "Optional. The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in Encrypt, Decrypt, and Sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed."
+},
 "labels": {
 "additionalProperties": {
 "type": "string"
@@ -3270,6 +3279,48 @@
 },
 "type": "object"
 },
+"KeyAccessJustificationsPolicy": {
+"description": "A KeyAccessJustificationsPolicy specifies zero or more allowed AccessReason values for Encrypt, Decrypt, and Sign requests on a CryptoKey.",
+"id": "KeyAccessJustificationsPolicy",
+"properties": {
+"allowedAccessReasons": {
+"description": "The list of allowed reasons for access to a CryptoKey. Zero allowed access reasons means all Encrypt, Decrypt, and Sign requests for the CryptoKey associated with this policy will fail.",
+"items": {
+"enum": [
+"REASON_UNSPECIFIED",
+"CUSTOMER_INITIATED_SUPPORT",
+"GOOGLE_INITIATED_SERVICE",
+"THIRD_PARTY_DATA_REQUEST",
+"GOOGLE_INITIATED_REVIEW",
+"CUSTOMER_INITIATED_ACCESS",
+"GOOGLE_INITIATED_SYSTEM_OPERATION",
+"REASON_NOT_EXPECTED",
+"MODIFIED_CUSTOMER_INITIATED_ACCESS",
+"MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION",
+"GOOGLE_RESPONSE_TO_PRODUCTION_ALERT",
+"CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING"
+],
+"enumDescriptions": [
+"Unspecified access reason.",
+"Customer-initiated support.",
+"Google-initiated access for system management and troubleshooting.",
+"Google-initiated access in response to a legal request or legal process.",
+"Google-initiated access for security, fraud, abuse, or compliance purposes.",
+"Customer uses their account to perform any access to their own data which their IAM policy authorizes.",
+"Google systems access customer data to help optimize the structure of the data or quality for future uses by the customer.",
+"No reason is expected for this key request.",
+"Customer uses their account to perform any access to their own data which their IAM policy authorizes, and one of the following is true: * A Google administrator has reset the root-access account associated with the user's organization within the past 7 days. * A Google-initiated emergency access operation has interacted with a resource in the same project or folder as the currently accessed resource within the past 7 days.",
+"Google systems access customer data to help optimize the structure of the data or quality for future uses by the customer, and one of the following is true: * A Google administrator has reset the root-access account associated with the user's organization within the past 7 days. * A Google-initiated emergency access operation has interacted with a resource in the same project or folder as the currently accessed resource within the past 7 days.",
+"Google-initiated access to maintain system reliability.",
+"One of the following operations is being executed while simultaneously encountering an internal technical issue which prevented a more precise justification code from being generated: * Your account has been used to perform any access to your own data which your IAM policy authorizes. * An automated Google system operates on encrypted customer data which your IAM policy authorizes. * Customer-initiated Google support access. * Google-initiated support access to protect system reliability."
+],
+"type": "string"
+},
+"type": "array"
+}
+},
+"type": "object"
+},
 "KeyHandle": {
 "description": "Resource-oriented representation of a request to Cloud KMS Autokey and the resulting provisioning of a CryptoKey.",
 "id": "KeyHandle",
