Stay organized with collectionsSave and categorize content based on your preferences.
The Key Management Service (KMS) API uses Kubernetes custom resources to manage
the lifecycle of the crypto keys.
To use the KMS API, use the GDC console. If
your application uses your own libraries to call the API, adopt the example
service endpoint in the following section, and the full API definitions to build
your requests:
TheMANAGEMENT_API_SERVER_ENDPOINTvariable is the
endpoint of the Management API server.
Using thekubectl proxycommand, access the URL in your browser to
obtain the discovery document for the KMS API. Thekubectl proxycommand opens
up a proxy on127.0.0.1:8001to the Kubernetes API server on your local
machine. After that command is running, access the documents at the
following URLs:
http://127.0.0.1:8001/apis/kms.gdc.goog/v1
http://127.0.0.1:8001/apis/kms.global.gdc.goog/v1
Example resources
The following are sample resources. The namespace is
a project namespace. View theCreate a keysection in theCreate and delete keyspage for more information on creating
keys.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eThe Key Management Service (KMS) API utilizes Kubernetes custom resources to manage the entire lifecycle of cryptographic keys.\u003c/p\u003e\n"],["\u003cp\u003eKMS APIs are available in both zonal and global deployment packages, with distinct API endpoints for each type, identifiable by the \u003ccode\u003ekms.gdc.goog\u003c/code\u003e and \u003ccode\u003ekms.global.gdc.goog\u003c/code\u003e domains respectively.\u003c/p\u003e\n"],["\u003cp\u003eTo access the KMS API, users can either leverage the GDC console or use their own libraries, directing API requests to the provided service endpoints.\u003c/p\u003e\n"],["\u003cp\u003eDiscovery documents for both zonal and global KMS APIs can be accessed locally via a \u003ccode\u003ekubectl proxy\u003c/code\u003e, opening a proxy on \u003ccode\u003e127.0.0.1:8001\u003c/code\u003e.\u003c/p\u003e\n"],["\u003cp\u003eThe content also includes several example resources, namely AEADKey, SigningKey, KeyImport, KeyExport, RotationJob, and MZAEADKey, illustrating different key types and operations within the KMS API framework.\u003c/p\u003e\n"]]],[],null,["# Key Management Service API overview\n\nThe Key Management Service (KMS) API uses Kubernetes custom resources to manage\nthe lifecycle of the crypto keys.\n\nTo use the KMS API, use the GDC console. If\nyour application uses your own libraries to call the API, adopt the example\nservice endpoint in the following section, and the full API definitions to build\nyour requests:\n\n- [kms.gdc.goog](/distributed-cloud/hosted/docs/latest/gdch/apis/service/kms/v1/kms-v1)\n- [kms.global.gdc.goog](/distributed-cloud/hosted/docs/latest/gdch/apis/service/kms/v1/global-kms-v1)\n\nService endpoint and discovery document\n---------------------------------------\n\nThe KMS APIs are provided in two packages depending on zonal deployment or\nglobal deployment.\n\nThe API endpoints for the zonal and global KMS APIs are the following,\nrespectively:\n\n- `https://`\u003cvar translate=\"no\"\u003eMANAGEMENT_API_SERVER_ENDPOINT\u003c/var\u003e`/apis/kms.gdc.goog/v1`\n- `https://`\u003cvar translate=\"no\"\u003eMANAGEMENT_API_SERVER_ENDPOINT\u003c/var\u003e`/apis/kms.global.gdc.goog/v1`\n\nThe \u003cvar translate=\"no\"\u003eMANAGEMENT_API_SERVER_ENDPOINT\u003c/var\u003e variable is the\nendpoint of the Management API server.\n\nUsing the `kubectl proxy` command, access the URL in your browser to\nobtain the discovery document for the KMS API. The `kubectl proxy` command opens\nup a proxy on `127.0.0.1:8001` to the Kubernetes API server on your local\nmachine. After that command is running, access the documents at the\nfollowing URLs:\n\n- `http://127.0.0.1:8001/apis/kms.gdc.goog/v1`\n- `http://127.0.0.1:8001/apis/kms.global.gdc.goog/v1`\n\nExample resources\n-----------------\n\nThe following are sample resources. The namespace is\na project namespace. View the\n[Create a key](/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/kms/create-delete-keys#create)\nsection in the *Create and delete keys* page for more information on creating\nkeys.\n\n### AEADKey resource\n\n apiVersion: \"kms.gdc.goog/v1\"\n kind: AEADKey\n metadata:\n name: my-test-key\n namespace: user-kms-project\n spec:\n algorithm: AES_256_GCM\n\n### SigningKey resource\n\n apiVersion: \"kms.gdc.goog/v1\"\n kind: SigningKey\n metadata:\n name: my-test-key\n namespace: user-kms-project\n spec:\n algorithm: EC_SIGN_P384_SHA384\n\n### KeyImport resource\n\n apiVersion: \"kms.gdc.goog/v1\"\n kind: KeyImport\n metadata:\n name: my-test-key-import\n namespace: user-kms-project\n spec:\n context:\n mechanism: ECDH_P521_AES256\n\n### KeyExport resource\n\n apiVersion: \"kms.gdc.goog/v1\"\n kind: KeyExport\n metadata:\n name: my-test-key-export\n namespace: user-kms-project\n spec:\n context:\n mechanism: ECDH_P521_AES256\n publicKey: pub_key_from_import\n keyToExport:\n kind: AEADKey\n name: key_name_to_export\n\n### RotationJob resource\n\n apiVersion: \"kms.gdc.goog/v1\"\n kind: RotationJob\n metadata:\n name: my-test-rotate-job\n spec:\n rootKeyResourceName: namespaces/kms-system/secrets/kms-key-ctm-root\n\n### MZAEADKey resource\n\n apiVersion: \"kms.global.gdc.goog/v1\"\n kind: MZAEADKey\n metadata:\n name: my-test-mz-key\n namespace: user-kms-project\n spec:\n algorithm: AES_256_GCM"]]
