Google Cloud Key Management Service

raw JSON →
3.12.0 verified Tue May 12 auth: no python install: verified quickstart: stale

The `google-cloud-kms` client library provides an interface for interacting with Google Cloud Key Management Service (KMS). KMS is a cloud-hosted key management service that allows you to manage cryptographic keys for your cloud services. It enables generation, usage, rotation, and destruction of various cryptographic keys (AES256, RSA, EC) and integrates with Cloud IAM and Cloud Audit Logging. The library is actively maintained with frequent releases, currently at version 3.12.0, supporting Python 3.9 and higher.

pip install google-cloud-kms

Common errors

error PERMISSION_DENIED: Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied on resource projects/<PROJECT>/locations/<LOCATION>/keyRings/<KEYRING>/cryptoKeys/<KEY>.
cause The service account (e.g., for Cloud Storage, BigQuery, or your application) or user account attempting the operation lacks the necessary IAM permission `roles/cloudkms.cryptoKeyEncrypterDecrypter` on the specified KMS key resource. This is particularly common for Google-managed service agents when using Customer-Managed Encryption Keys (CMEK).
fix
Grant the Cloud KMS CryptoKey Encrypter/Decrypter role to the appropriate service account or user on the KMS key, its containing keyring, or the project. For Google-managed service agents (e.g., service-PROJECT_NUMBER@gs-project-accounts.iam.gserviceaccount.com for Cloud Storage), ensure that specific service agent has the role.
error FAILED_PRECONDITION: Google Cloud KMS API has not been used in this project before, or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudkms.googleapis.com/overview?project=xxxx then retry.
cause The Cloud KMS API has not been explicitly enabled for the Google Cloud project you are using, or there is a temporary propagation delay after enabling it.
fix
Enable the Cloud KMS API for your project by navigating to the provided URL (e.g., https://console.developers.google.com/apis/library/cloudkms.googleapis.com) or by running gcloud services enable cloudkms.googleapis.com in your terminal, then wait a few minutes before retrying the operation.
error INVALID_ARGUMENT: Request field version_template.algorithm is required if purpose is not ENCRYPT_DECRYPT.
cause When creating a cryptographic key, if its purpose is not `ENCRYPT_DECRYPT` (e.g., it's intended for `ASYMMETRIC_SIGN` or `ASYMMETRIC_DECRYPT`), you must explicitly specify the `version_template.algorithm` field with a valid algorithm.
fix
Include the version_template.algorithm parameter in your key creation request with an appropriate algorithm that matches the key's purpose, such as RSA_SIGN_PKCS1_2048_SHA256 for signing keys.
error INVALID_ARGUMENT: The KMS key location must match the storage location. Received KMS key location: <KMS_LOCATION>, storage location: <STORAGE_LOCATION>
cause When using Customer-Managed Encryption Keys (CMEK) with certain Google Cloud services (like Cloud Logging or Cloud Storage), the geographic location (region) of the KMS key must match the location of the resource it is encrypting.
fix
Ensure that the Cloud KMS key is created and located in the exact same Google Cloud region as the resource (e.g., storage bucket, log bucket) that it is intended to protect. If locations do not match, create a new key in the correct region.

Warnings

breaking Starting with version 3.0.0 (released 2024-09-23), the default retry policy has been removed from all API calls. This affects both synchronous and asynchronous clients, meaning calls will no longer automatically retry on transient errors unless a custom retry policy is explicitly configured.
fix Review your application's error handling for KMS API calls. Implement custom retry logic using `google.api_core.retry` if automatic retries are needed for resilience against transient failures.
gotcha Cloud KMS has a plaintext size limit of 64 KiB (65,536 bytes) for direct encryption operations. Attempting to encrypt larger data directly will result in an error.
fix For data larger than 64 KiB, use envelope encryption. This involves generating a data encryption key (DEK) locally, encrypting your large data with the DEK, and then encrypting only the DEK with Cloud KMS. The DEK can then be stored alongside the encrypted data.
gotcha Incorrect IAM permissions are a frequent source of `Permission Denied` errors. Ensure the service account or user calling KMS has the necessary roles (e.g., `roles/cloudkms.viewer`, `roles/cloudkms.cryptoKeyEncrypterDecrypter`) on the specific key, key ring, or project, and that roles are applied to the correct resource type (e.g., KMS keys, not a GCS bucket when encrypting GCS objects with a CMEK).
fix Verify that the principal making the API call has the `Cloud KMS CryptoKey Encrypter/Decrypter` role (`roles/cloudkms.cryptoKeyEncrypterDecrypter`) on the specific cryptographic key being used. Use `gcloud iam roles describe roles/cloudkms.cryptoKeyEncrypterDecrypter` to see the contained permissions.
gotcha Resource names (key paths) must be precisely formatted using `projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING_ID/cryptoKeys/KEY_ID`. Mismatched IDs or incorrect segment ordering will result in `NOT_FOUND` or `INVALID_ARGUMENT` errors. The location can be global or a specific region.
fix Always construct resource names carefully, preferably using variables for the project, location, key ring, and key IDs, and ensure they match your existing Cloud KMS resources. Double-check the region for your key ring/key.
gotcha When manually importing key material, issues with key formatting or wrapping can lead to the imported key version having an `IMPORT_FAILED` status.
fix It is recommended to use automatic key wrapping if possible. If manual wrapping is necessary, carefully review the key formatting requirements and ensure the correct wrapping key from the import job is used.
breaking The client failed to initialize because Application Default Credentials (ADC) were not found. This occurs when the `GOOGLE_APPLICATION_CREDENTIALS` environment variable is not set, or when the application is not running in a Google Cloud environment (e.g., GCE, GKE, Cloud Run, Cloud Functions) with an associated service account.
fix Ensure that Application Default Credentials are configured correctly. If running locally, set the `GOOGLE_APPLICATION_CREDENTIALS` environment variable to the path of your service account key file, or run `gcloud auth application-default login`. If deploying to Google Cloud, ensure the service has an associated service account with appropriate roles.
gotcha The client failed to initialize due to missing or improperly configured Application Default Credentials (ADC). This error ('Your default credentials were not found') indicates the client could not locate any credentials to authenticate with Google Cloud services.
fix Ensure your environment is correctly set up for Application Default Credentials. This typically involves: 1. Setting the `GOOGLE_APPLICATION_CREDENTIALS` environment variable to the path of a service account key file. 2. Running your application in a Google Cloud environment (e.g., Compute Engine, Cloud Run, GKE) where an appropriate service account is attached to the resource. Refer to https://cloud.google.com/docs/authentication/external/set-up-adc for detailed setup instructions.

Install compatibility verified last tested: 2026-05-12

python os / libc status wheel install import disk
3.10 alpine (musl) - - 2.35s 71.7M
3.10 slim (glibc) - - 1.22s 69M
3.11 alpine (musl) - - 2.98s 76.9M
3.11 slim (glibc) - - 1.84s 75M
3.12 alpine (musl) - - 2.99s 68.3M
3.12 slim (glibc) - - 2.40s 66M
3.13 alpine (musl) - - 2.89s 67.8M
3.13 slim (glibc) - - 2.33s 66M
3.9 alpine (musl) - - 2.04s 71.9M
3.9 slim (glibc) - - 1.43s 70M

Imports

Quickstart stale last tested: 2026-04-23

This quickstart demonstrates how to initialize the `google-cloud-kms` client and perform a symmetric encryption and decryption operation. Ensure your GCP project ID, KMS key location, key ring ID, and key ID are set as environment variables or replaced. You also need to authenticate to Google Cloud, for example, by setting the `GOOGLE_APPLICATION_CREDENTIALS` environment variable to a service account key file path or by running in a GCP environment with appropriate permissions.

import os
from google.cloud import kms
import base64

project_id = os.environ.get('GCP_PROJECT_ID', 'your-project-id')
location_id = os.environ.get('KMS_KEY_LOCATION', 'global') # e.g., 'global', 'us-central1'
key_ring_id = os.environ.get('KMS_KEY_RING_ID', 'my-key-ring')
key_id = os.environ.get('KMS_KEY_ID', 'my-symmetric-key')

# Construct the key resource name
key_name = (
    f"projects/{project_id}/locations/{location_id}/keyRings/"
    f"{key_ring_id}/cryptoKeys/{key_id}"
)

# Initialize the KMS client
try:
    client = kms.KeyManagementServiceClient()
    print("KMS client initialized.")
except Exception as e:
    print(f"Error initializing KMS client: {e}")
    print("Ensure GOOGLE_APPLICATION_CREDENTIALS is set or running in a GCP environment.")
    exit(1)

# Data to encrypt
plaintext = b"This is a super secret message."

try:
    # Encrypt the plaintext
    encrypt_response = client.encrypt(request={'name': key_name, 'plaintext': plaintext})
    ciphertext = encrypt_response.ciphertext
    print(f"Plaintext encrypted. Ciphertext (base64): {base64.b64encode(ciphertext).decode('utf-8')}")

    # Decrypt the ciphertext
    decrypt_response = client.decrypt(request={'name': key_name, 'ciphertext': ciphertext})
    decrypted_text = decrypt_response.plaintext
    print(f"Ciphertext decrypted. Decrypted text: {decrypted_text.decode('utf-8')}")

    assert plaintext == decrypted_text
    print("Encryption and decryption successful!")

except Exception as e:
    print(f"An error occurred during KMS operation: {e}")
    print("Make sure the key exists, has appropriate IAM permissions, and billing is enabled.")
last verified Tue May 12
next check Fri Jun 26