» google_kms_crypto_key

A CryptoKey represents a logical key that can be used for cryptographic operations.

To get more information about CryptoKey, see:

» Example Usage - Kms Crypto Key Basic

resource "google_kms_key_ring" "keyring" {
  name     = "keyring-example"
  location = "global"
}

resource "google_kms_crypto_key" "example-key" {
  name            = "crypto-key-example"
  key_ring        = google_kms_key_ring.keyring.id
  rotation_period = "100000s"

  # Refuse any plan that would destroy the key.
  lifecycle {
    prevent_destroy = true
  }
}

» Example Usage - Kms Crypto Key Asymmetric Sign

resource "google_kms_key_ring" "keyring" {
  name     = "keyring-example"
  location = "global"
}

resource "google_kms_crypto_key" "example-asymmetric-sign-key" {
  name     = "crypto-key-example"
  key_ring = google_kms_key_ring.keyring.id
  purpose  = "ASYMMETRIC_SIGN"

  # New key versions are created with this signing algorithm.
  version_template {
    algorithm = "EC_SIGN_P384_SHA384"
  }

  # Refuse any plan that would destroy the key.
  lifecycle {
    prevent_destroy = true
  }
}

» Argument Reference

The following arguments are supported:

  • name - (Required) The resource name for the CryptoKey.

  • key_ring - (Required) The KeyRing that this key belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.

  • labels - (Optional) Labels with user-defined metadata to apply to this resource.

  • purpose - (Optional) The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is ENCRYPT_DECRYPT. Possible values are ENCRYPT_DECRYPT, ASYMMETRIC_SIGN, and ASYMMETRIC_DECRYPT.

  • rotation_period - (Optional) Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (i.e., 86400).

  • version_template - (Optional) A template describing settings for new crypto key versions. Structure is documented below.

The version_template block supports:

  • algorithm - (Required) The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.

  • protection_level - (Optional) The protection level to use when creating a version based on this template. Default value is SOFTWARE. Possible values are SOFTWARE and HSM.
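An added example (not part of the provider documentation) that combines the arguments above: an HSM-protected symmetric key whose rotation_period is validated against the documented format before it reaches the API. The variable name, resource names, label values, the us-central1 location and the 90-day default are assumptions.

```hcl
# Reject malformed or too-short rotation periods at plan time.
variable "rotation_period" {
  type        = string
  default     = "7776000s" # 90 days (assumed default for this example)
  description = "Rotation period for the key, in seconds with a trailing 's'."

  validation {
    # Decimal number, up to 9 fractional digits, followed by the letter s.
    condition     = can(regex("^[0-9]+(\\.[0-9]{1,9})?s$", var.rotation_period))
    error_message = "The rotation_period must be a decimal number with up to 9 fractional digits followed by 's'."
  }

  validation {
    # try() returns false instead of failing when the value is not numeric.
    condition     = try(tonumber(trimsuffix(var.rotation_period, "s")) > 86400, false)
    error_message = "The rotation_period must be greater than one day (86400 seconds)."
  }
}

resource "google_kms_key_ring" "keyring" {
  name = "keyring-example"
  # A regional location is used here because Cloud HSM keys are not
  # offered in the "global" location.
  location = "us-central1"
}

resource "google_kms_crypto_key" "hsm-key" {
  name            = "crypto-key-hsm-example"
  key_ring        = google_kms_key_ring.keyring.id
  purpose         = "ENCRYPT_DECRYPT" # the default, stated explicitly
  rotation_period = var.rotation_period

  labels = {
    owner = "security-team" # constructed sample value
  }

  # Every version created by rotation inherits these settings.
  version_template {
    algorithm        = "GOOGLE_SYMMETRIC_ENCRYPTION"
    protection_level = "HSM"
  }

  # Refuse any plan that would destroy the key.
  lifecycle {
    prevent_destroy = true
  }
}
```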

» Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

  • id - An identifier for the resource with format {{key_ring}}/cryptoKeys/{{name}}.

  • self_link - The self link of the created CryptoKey. Its format is {{key_ring}}/cryptoKeys/{{name}}.

» Timeouts

This resource provides the following Timeouts configuration options:

  • create - Default is 4 minutes.
  • update - Default is 4 minutes.
  • delete - Default is 4 minutes.

» Import

CryptoKey can be imported using any of these accepted formats:

$ terraform import google_kms_crypto_key.default {{key_ring}}/cryptoKeys/{{name}}
$ terraform import google_kms_crypto_key.default {{key_ring}}/{{name}}

» User Project Overrides

This resource supports User Project Overrides.