GCP Cloud KMS Crypto Key Version
A CryptoKeyVersion represents an individual cryptographic key and its associated key material within a Cloud KMS CryptoKey. An ENABLED version can be used for cryptographic operations. Each CryptoKey can have multiple versions, allowing for key rotation. For security reasons, the raw cryptographic key material can never be viewed or exported - it can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS. For more information, refer to the official documentation.
Terraform Mappings:
google_kms_crypto_key_version.id
Supported Methods​
GET: Get GCP Cloud KMS Crypto Key Version by "location|keyRing|cryptoKey|version"LISTSEARCH: Search for GCP Cloud KMS Crypto Key Versions by "location|keyRing|cryptoKey" (returns all versions of the specified CryptoKey)
Possible Links​
gcp-cloud-kms-crypto-key​
A CryptoKeyVersion belongs to exactly one parent CryptoKey. The parent CryptoKey contains the version's configuration and purpose. Deleting the parent CryptoKey will delete all of its CryptoKeyVersions, but deleting a CryptoKeyVersion does not affect the parent key.
gcp-cloudkms-importjob​
If the key material was imported (rather than generated by KMS), the CryptoKeyVersion references the ImportJob that was used for the import operation. The ImportJob contains metadata about how the key material was imported. Deleting the ImportJob after a successful import does not affect the CryptoKeyVersion.
gcp-cloudkms-ekmconnection​
For CryptoKeyVersions with EXTERNAL_VPC protection level, the version links to an EKM (External Key Manager) connection that manages the external key material. This is used when keys are stored and operated on in an external key management system rather than within Google Cloud KMS.