feat(kms-inventory-v1): Support Key Access Justifications policy configuration (#26138)
gcf-owl-bot[bot] authored Jun 21, 2024
1 parent 88e4dfc commit a8be605
Showing 1 changed file with 94 additions and 0 deletions.
@@ -137,6 +137,16 @@ class KeyRing
# resource name in the format `projects/*/locations/*/ekmConnections/*`.
# Note, this list is non-exhaustive and may apply to additional
# {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevels} in the future.
# @!attribute [rw] key_access_justifications_policy
# @return [::Google::Cloud::Kms::V1::KeyAccessJustificationsPolicy]
# Optional. The policy used for Key Access Justifications Policy Enforcement.
# If this field is present and this key is enrolled in Key Access
# Justifications Policy Enforcement, the policy will be evaluated in encrypt,
# decrypt, and sign operations, and the operation will fail if rejected by
# the policy. The policy is defined by specifying zero or more allowed
# justification codes.
# https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes
# By default, this field is absent, and all justification codes are allowed.
class CryptoKey
include ::Google::Protobuf::MessageExts
extend ::Google::Protobuf::MessageExts::ClassMethods
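Review bot: The attribute doc for `key_access_justifications_policy` leaves undefined the two cases a policy author most needs to know. It says the policy is "defined by specifying zero or more allowed justification codes" and that when the field is absent "all justification codes are allowed", but it does not say what a present policy with zero codes does, so absent and empty read as equivalent here. It also says the policy is evaluated only if the key "is enrolled in Key Access Justifications Policy Enforcement", without saying whether setting a policy on a key that is not enrolled is ignored or rejected at write time. Suggest adding one sentence for each next to "By default, this field is absent, and all justification codes are allowed." Minor: the bare URL on its own line could use the `[text] (url)` link form already used in this file for the protection-levels reference.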
@@ -876,6 +886,23 @@ class ExternalProtectionLevelOptions
extend ::Google::Protobuf::MessageExts::ClassMethods
end

# A
# {::Google::Cloud::Kms::V1::KeyAccessJustificationsPolicy KeyAccessJustificationsPolicy}
# specifies zero or more allowed
# {::Google::Cloud::Kms::V1::AccessReason AccessReason} values for encrypt, decrypt,
# and sign operations on a {::Google::Cloud::Kms::V1::CryptoKey CryptoKey}.
# @!attribute [rw] allowed_access_reasons
# @return [::Array<::Google::Cloud::Kms::V1::AccessReason>]
# The list of allowed reasons for access to a
# {::Google::Cloud::Kms::V1::CryptoKey CryptoKey}. Zero allowed access reasons
# means all encrypt, decrypt, and sign operations for the
# {::Google::Cloud::Kms::V1::CryptoKey CryptoKey} associated with this policy will
# fail.
class KeyAccessJustificationsPolicy
include ::Google::Protobuf::MessageExts
extend ::Google::Protobuf::MessageExts::ClassMethods
end

# {::Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} specifies how
# cryptographic operations are performed. For more information, see [Protection
# levels] (https://cloud.google.com/kms/docs/algorithms#protection_levels).
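Review bot: The sentence "Zero allowed access reasons means all encrypt, decrypt, and sign operations for the CryptoKey associated with this policy will fail" documents fail-closed behavior that is the opposite of the allow-all default for an absent policy, and a reader of this class doc alone will not see that contrast. Suggest adding one line to the `allowed_access_reasons` doc, e.g. "Unlike an absent policy on the CryptoKey, which allows all reasons, an empty policy denies all operations." so the empty-list case is not mistaken for "no restriction". Style: the class doc opens with a lone "# A" followed by the link on the next line; reflowing "A KeyAccessJustificationsPolicy specifies ..." onto one line reads better in the generated YARD output.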
@@ -895,6 +922,73 @@ module ProtectionLevel
# Crypto operations are performed in an EKM-over-VPC backend.
EXTERNAL_VPC = 4
end

# Describes the reason for a data access. Please refer to
# https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes
# for the detailed semantic meaning of justification reason codes.
module AccessReason
# Unspecified access reason.
REASON_UNSPECIFIED = 0

# Customer-initiated support.
CUSTOMER_INITIATED_SUPPORT = 1

# Google-initiated access for system management and troubleshooting.
GOOGLE_INITIATED_SERVICE = 2

# Google-initiated access in response to a legal request or legal process.
THIRD_PARTY_DATA_REQUEST = 3

# Google-initiated access for security, fraud, abuse, or compliance purposes.
GOOGLE_INITIATED_REVIEW = 4

# Customer uses their account to perform any access to their own data which
# their IAM policy authorizes.
CUSTOMER_INITIATED_ACCESS = 5

# Google systems access customer data to help optimize the structure of the
# data or quality for future uses by the customer.
GOOGLE_INITIATED_SYSTEM_OPERATION = 6

# No reason is expected for this key request.
REASON_NOT_EXPECTED = 7

# Customer uses their account to perform any access to their own data which
# their IAM policy authorizes, and one of the following is true:
#
# * A Google administrator has reset the root-access account associated with
# the user's organization within the past 7 days.
# * A Google-initiated emergency access operation has interacted with a
# resource in the same project or folder as the currently accessed resource
# within the past 7 days.
MODIFIED_CUSTOMER_INITIATED_ACCESS = 8

# Google systems access customer data to help optimize the structure of the
# data or quality for future uses by the customer, and one of the following
# is true:
#
# * A Google administrator has reset the root-access account associated with
# the user's organization within the past 7 days.
# * A Google-initiated emergency access operation has interacted with a
# resource in the same project or folder as the currently accessed resource
# within the past 7 days.
MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION = 9

# Google-initiated access to maintain system reliability.
GOOGLE_RESPONSE_TO_PRODUCTION_ALERT = 10

# One of the following operations is being executed while simultaneously
# encountering an internal technical issue which prevented a more precise
# justification code from being generated:
#
# * Your account has been used to perform any access to your own data which
# your IAM policy authorizes.
# * An automated Google system operates on encrypted customer data which your
# IAM policy authorizes.
# * Customer-initiated Google support access.
# * Google-initiated support access to protect system reliability.
CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING = 11
end
end
end
end
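Review bot: The `AccessReason` docs do not tell a policy author how the fallback and "modified" codes interact with an allow-list. CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING = 11 is described as what is emitted when "an internal technical issue ... prevented a more precise justification code from being generated", so a policy that allows CUSTOMER_INITIATED_ACCESS = 5 but omits 11 will have the same customer-authorized operations rejected whenever that fallback occurs. Likewise MODIFIED_CUSTOMER_INITIATED_ACCESS = 8 and MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION = 9 are distinct codes from 5 and 6, so after a root-access reset or an emergency access operation within the past 7 days the same traffic carries a different code and a policy listing only 5 and 6 will start failing. Suggest a short note on `module AccessReason` stating this, and saying whether REASON_UNSPECIFIED = 0 is ever attached to a real request (and therefore whether allowing it has any effect).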