Console
    Start free

    Quotas

    Google Cloud enforces quotas on resource usage. For Cloud Key Management Service (Cloud KMS), quotas are enforced on management and usage of resources such as keys and key versions, and locations. There are no quotas on the number of key rings, keys, key versions, or other Cloud KMS resources that you can have; only on their usage.

    View Cloud KMS quotas

    Effective February 16, 2026, Cloud KMS is changing the way quotas are tracked and enforced. This document provides information about how the quotas work before and after the change and helps you identify any steps you may need to take to prepare for the change.

    Timeline

    The following table provides an overview of the expected timeline for the changes to Cloud KMS quotas.

    Date
    What is changing?
    October 28, 2024
    Cloud KMS started allowing over-quota requests for hardware (Cloud HSM) keys as long as the Cloud KMS system is not overloaded.
    February 16, 2026
    • Cloud KMS starts using the new metrics. The old metrics are still available for monitoring purposes, but are no longer used for quota enforcement.
    • You can opt in to using the quota adjuster system to automatically adjust your Cloud KMS based on your usage.
    August 31, 2026
    The old metrics are retired and can no longer be monitored.

    Summary of changes

    The revised quota system is designed to simplify quota management for Cloud KMS users. The following table summarizes the key changes:

    Before February 16, 2026
    After February 16, 2026
    Location scope
    Mixed scope: Some metrics are measured globally, and others are measured by region.
    Regional scope: All metrics are measured per region. Multiregion usage is counted against the quota for the specific region that serves the request.
    Quota limits
    Static limits: Default quota limits are applied to each project. You can request quota limit increases.
    Dynamic limits: Quota limits are initially set based on your project-specific limits and usage prior to February 16, 2026. We recommend that you also opt in to the quota adjuster service , so that your limits are automatically adjusted based on your typical usage.
    Enforcement
    Hard enforcement: When a quota limit is exceeded, requests are denied, even if the system can serve the request.

    Soft enforcement: When a quota limit is exceeded, read requests and most write requests and cryptographic operation requests are allowed if the system can serve the request. However, the following quota limits are hard-enforced:

    • Create and import requests for hardware (Cloud HSM) keys
    • All requests for external (Cloud EKM) keys
    Cloud HSM quotas
    Many Cloud HSM quotas: Cloud KMS enforces separate quotas for Cloud HSM symmetric, asymmetric, and generateRandomBytes requests.
    One Cloud HSM quota: Cloud KMS enforces a single quota for all Cloud HSM requests. However, different key sizes and operations consume different quantities of quota.
    What is measured?
    Track requests: Quotas count the number of operations performed, but don't help you understand how much processing resources you're consuming.
    Track resource usage: Quotas count tokens instead of operations; the number of tokens per operation indicates the relative processing cost of each operation. For more information, see Tokens per operation on this page.
    Time scale
    Mixed time scales: Some quota metrics are reported per minute, but enforced per second.
    Consistent time scales: All quota metrics are reported at the same time scale at which they are enforced. Most metrics are reported and enforced per minute. Cloud EKM usage is reported and enforced per second.
    Project scope
    Multiple projects: Some quotas are applied to the project that contains the CryptoKey and CryptoKeyVersion resources, and others are applied to the project making the request.
    Single project: All quotas are applied to the project that contains the CryptoKey and CryptoKeyVersion resources.
    CMEK and Cloud KMS quotas
    Unrestricted software CMEK usage: Cloud KMS doesn't enforce quotas on software keys used in CMEK integrations.
    Restrict only exceptional usage: CMEK usage counts against the Software usage limit, but with soft enforcement, usage that exceeds your limit is served if the system isn't over capacity.

    Cloud KMS quotas after February 16, 2026

    The following table lists the metrics and quotas for Cloud KMS.

    Metric
    Time scale
    Default
    Enforcement
    Operations
    Read usage
    cloudkms.googleapis.com​/read_usage
    Minute
    600 TPM
    • Software-backed keys: Soft
    • Hardware-backed keys: Soft
    • External keys: Hard

    cryptoKeys : get , getIamPolicy , list , testIamPermissions

    cryptoKeyVersions : get , list

    ekmConnections : get , getIamPolicy , list , testIamPermissions , verifyConnectivity

    importJobs : get , getIamPolicy , list , testIamPermissions

    keyRings : get , getIamPolicy , list , testIamPermissions

    locations : get , list

    Write usage
    cloudkms.googleapis.com​/write_usage
    Minute
    100 TPM
    • Software-backed keys: Soft
    • Hardware-backed keys: Soft
    • External keys: Hard

    cryptoKeys : create , patch , setIamPolicy , updatePrimaryVersion

    cryptoKeyVersions : create , destroy , import , patch , restore

    ekmConnections : create , patch , setIamPolicy

    importJobs : create , setIamPolicy

    keyRings : create , setIamPolicy

    Software usage
    cloudkms.googleapis.com​/software_usage
    Minute
    6,000,000 TPM
    Soft

    cryptoKeys : encrypt , decrypt

    cryptoKeyVersions : asymmetricDecrypt , asymmetricSign , decapsulate , getPublicKey , macSign , macVerify , rawEncrypt , rawDecrypt

    locations : generateRandomBytes

    HSM usage
    cloudkms.googleapis.com​/hsm_usage
    Minute
    3,000,000 TPM
    Soft
    External KMS usage
    cloudkms.googleapis.com​/external_usage
    Second
    10,000 TPS
    Hard

    Tokens per operation

    The following table lists the number of quota tokens that are consumed by each operation for each Cloud KMS resource, key size, and operation. You can use this table to estimate how many tokens of quota a certain application can consume. Operations that are more processing intensive use more tokens of quota.

    Cloud KMS resource
    Operation
    Tokens per operation
    All Cloud KMS resources
    All read operations
    Read usage: 1
    All software-backed and external Cloud KMS resources
    All write operations
    Write usage: 1
    Hardware-backed keys
    Write operations other than create and import
    Write usage: 1
    Hardware-backed symmetric and MAC keys
    Create and import operations
    Write usage: 1
    HSM usage: 1,200
    Hardware-backed asymmetric keys
    Create and import operations
    Write usage: 1
    HSM usage: 50,000
    Software-backed keys
    All cryptographic operations
    Software usage: 100
    External (Cloud EKM) keys
    All cryptographic operations
    External KMS usage: 100
    Hardware (Cloud HSM) keys
    • Symmetric encryption or decryption
    • MAC sign or verify
    • getPublicKey
    HSM usage: 100
    Hardware (Cloud HSM) keys
    generateRandomBytes
    HSM usage: 1,000
    Hardware (Cloud HSM) keys
    • Asymmetric sign with 2048-bit RSA keys
    • Asymmetric decrypt with 2048-bit keys
    HSM usage: 1,500
    Hardware (Cloud HSM) keys
    • Asymmetric sign with 3072-bit RSA keys
    • Asymmetric decrypt with 3072-bit keys
    HSM usage: 3,500
    Hardware (Cloud HSM) keys
    • Asymmetric sign with EC_SIGN_P224_SHA256 keys
    • Asymmetric sign with EC_SIGN_P256_SHA256 keys
    • Asymmetric sign with EC_SIGN_SECP256K1_SHA256 keys
    HSM usage: 4,500
    Hardware (Cloud HSM) keys
    • Asymmetric sign with EC_SIGN_P384_SHA384 keys
    • Asymmetric sign with EC_SIGN_P521_SHA512 keys
    HSM usage: 7,000
    Hardware (Cloud HSM) keys
    • Asymmetric decrypt with 4096-bit keys
    • Asymmetric sign with 4096-bit RSA keys
    HSM usage: 14,000

    Suggested actions to prepare for quota changes

    Use case Suggested preparation
    Ensure adequate quotas for existing projects For existing projects, quota limits for the new metrics will be calculated automatically based on the project's actual usage. No action is required for existing projects.
    Ensure adequate quotas for new projects If you are planning to create a new project and expect high quota usage, opt in to automated quota adjustment using the quota adjuster service . Allow 1-2 weeks of gradual traffic increase to allow the systems to adjust to your usage, or proactively request the quota limits that you think you will need.
    Update monitoring to use new quotas Monitoring using existing quota metrics is available through August 31, 2026. We recommend setting up monitoring using the new metrics after they are available on February 16, 2026 but before August 31, 2026.
    Opt in to quota adjuster We recommend that you opt in to using the quota adjuster system to automatically adjust your Cloud KMS quotas based on your usage. Each project that contains Cloud KMS resources must be opted-in to quota adjuster separately.

    Cloud KMS quotas before February 16, 2026

    Some quotas on these operations apply to the calling project , the Google Cloud project that makes calls to the Cloud KMS service. Other quotas apply to the hosting project , the Google Cloud project that contains the keys used for the operation.

    Calling project quotas don't include usage generated by Google Cloud services using Cloud KMS keys for customer-managed encryption key (CMEK) integration . For example, encryption and decryption requests coming directly from BigQuery, Bigtable, or Spanner don't contribute to Cryptographic requests quotas.

    The Google Cloud console lists the limit for each quota in queries per minute (QPM), but hosting project quotas are enforced by the second. Quotas enforced in queries per second (QPS) deny requests that exceed the QPS limit, even if your per-minute usage is less than the listed QPM limit. If you exceed a QPS limit, you receive a RESOURCE_EXHAUSTED error .

    Quotas on the usage of Cloud KMS resources

    The following table lists each quota applied to Cloud KMS resources. The table gives the name and limit of each quota, which project the quota applies to, and the operations that count against the quota. You can enter a keyword in the field to filter the table. For example, you can enter calling to see only the quotas applied to the calling project or encrypt to see only the quotas related to encryption operations:

    Quota Project Limit Resources and operations
    Read requests
    cloudkms.googleapis.com​/read_requests
    		Calling project 300 QPM

    cryptoKeys : get , getIamPolicy , list , testIamPermissions

    cryptoKeyVersions : get , list

    ekmConnections : get , getIamPolicy , list , testIamPermissions , verifyConnectivity

    importJobs : get , getIamPolicy , list , testIamPermissions

    keyRings : get , getIamPolicy , list , testIamPermissions

    locations : get , list

    Exempted: operations from Google Cloud console.
    Write requests
    cloudkms.googleapis.com​/write_requests
    		Calling project 60 QPM

    cryptoKeys : create , patch , setIamPolicy , updatePrimaryVersion

    cryptoKeyVersions : create , destroy , import , patch , restore

    ekmConnections : create , patch , setIamPolicy

    importJobs : create , setIamPolicy

    keyRings : create , setIamPolicy

    Exempted: operations from Google Cloud console.
    Cryptographic requests
    cloudkms.googleapis.com​/crypto_requests
    		Calling project 60,000 QPM

    cryptoKeys : encrypt , decrypt

    cryptoKeyVersions : asymmetricDecrypt , asymmetricSign , getPublicKey , macSign , macVerify , rawEncrypt , rawDecrypt

    locations : generateRandomBytes

    Exempted: operations from CMEK integrations.
    HSM symmetric cryptographic requests per region
    cloudkms.googleapis.com​/hsm_symmetric_requests
    		Hosting project 500 QPS

    cryptoKeys : encrypt , decrypt

    cryptoKeyVersions : asymmetricDecrypt , asymmetricSign , getPublicKey , macSign , macVerify , rawEncrypt , rawDecrypt

    Exempted: Single-tenant Cloud HSM keys.
    HSM asymmetric cryptographic requests per region
    cloudkms.googleapis.com​/hsm_asymmetric_requests
    		Hosting project 50 QPS

    cryptoKeys : encrypt , decrypt

    cryptoKeyVersions : asymmetricDecrypt , asymmetricSign , getPublicKey , macSign , macVerify

    Exempted: Single-tenant Cloud HSM keys.
    HSM generate random requests per region
    cloudkms.googleapis.com​/hsm_generate_random_requests
    		Hosting project 50 QPS

    locations : generateRandomBytes

    Exempted: Single-tenant Cloud HSM keys.
    External cryptographic requests per region
    cloudkms.googleapis.com​/external_kms_requests
    		Hosting project 100 QPS

    cryptoKeys : encrypt , decrypt

    cryptoKeyVersions : asymmetricDecrypt , asymmetricSign , getPublicKey , macSign , macVerify

    Quota examples

    The following sections include examples of each quota using the following example projects:

    • KEY_PROJECT - A Google Cloud project that contains Cloud KMS keys, including Multi-tenant Cloud HSM and Cloud EKM keys.

    • SPANNER_PROJECT - A Google Cloud project that contains a Spanner instance which uses the customer-managed encryption keys (CMEKs) that reside in KEY_PROJECT .

    • SERVICE_PROJECT - A Google Cloud project that contains a service account that you use to manage Cloud KMS resources that reside in KEY_PROJECT .

    Read requests

    The Read requestsquota limits read requests from the Google Cloud project calling the Cloud KMS API. For example, viewing a list of keys in KEY_PROJECT from KEY_PROJECT using Google Cloud CLI counts against the KEY_PROJECT Read requestsquota. If you use a service account in SERVICE_PROJECT to view your list of keys, the read request counts against the SERVICE_PROJECT Read requestsquota.

    Using the Google Cloud console to view Cloud KMS resources doesn't contribute to the Read requestsquota.

    Write requests

    The Write requestsquota limits write requests from the Google Cloud project calling the Cloud KMS API. For example, creating keys in KEY_PROJECT using gcloud CLI counts against the KEY_PROJECT Write requestsquota. If you use a service account in SERVICE_PROJECT to create keys, the write request counts against the SERVICE_PROJECT Write requestsquota.

    Using the Google Cloud console to create or manage Cloud KMS resources doesn't contribute to the Read requestsquota.

    Cryptographic requests

    The Cryptographic requestsquota limits cryptographic operations from the Google Cloud project calling the Cloud KMS API. For example, encrypting data using API calls from a service account resource running in SERVICE_PROJECT using keys from KEY_PROJECT counts against the SERVICE_PROJECT Cryptographic requestsquota.

    Encryption and decryption of data in a Spanner resource in SPANNER_PROJECT using CMEK integration doesn't count toward the Cryptographic requestsquota of SPANNER_PROJECT .

    HSM symmetric cryptographic requests per region

    The HSM symmetric cryptographic requests per regionquota limits cryptographic operations using symmetric Cloud HSM keys on the Google Cloud project that contains those keys. For example, encrypting data in a Spanner resource using symmetric HSM keys counts against the KEY_PROJECT HSM symmetric cryptographic requests per regionquota.

    HSM asymmetric cryptographic requests per region

    The HSM asymmetric cryptographic requests per regionquota limits cryptographic operations using asymmetric Cloud HSM keys on the Google Cloud project that contains those keys. For example, encrypting data in a Spanner resource using asymmetric HSM keys counts against the KEY_PROJECT HSM asymmetric cryptographic requests per regionquota.

    HSM generate random requests per region

    The HSM generate random requests per regionquota limits generate random bytes operations using Cloud HSM in the Google Cloud project specified in the request message. For example, requests from any source to generate random bytes in KEY_PROJECT counts against the KEY_PROJECT HSM generate random requests per regionquota.

    External cryptographic requests per region

    The External cryptographic requests per regionquota limits cryptographic operations using external ( Cloud EKM ) keys on the Google Cloud project that contains those keys. For example, encrypting data in a Spanner resource using EKM keys counts against the KEY_PROJECT External cryptographic requests per regionquota.

    Quota error information

    If you make a request after your quota is reached, your request results in a RESOURCE_EXHAUSTED error. The HTTP status code is 429 . For information on how client libraries surface the RESOURCE_EXHAUSTED error, see Client library mapping .

    If you receive the RESOURCE_EXHAUSTED error, you might be sending too many cryptographic operation requests per second. You can receive the RESOURCE_EXHAUSTED error even if the Google Cloud console shows that you are within the queries per minute limit. This issue can happen because Cloud KMS hosting project quotas are displayed per minute, but are enforced on a per second scale. To learn more about monitoring metrics, see Set up quota alerts and monitoring .

    For details about troubleshooting Cloud KMS quota issues, see Troubleshoot quota issues .

    What's next
    Create a Mobile Website
    View Site in Mobile | Classic
    Share by: