google-cloud-platform google-cloud-iam google-cloud-kms

How do I check if key rotation is enabled for each key in every keyring in GCP using the cloud client library or clientapi?


Is there a way to get key rotation using the cloud client library or the googleapiclient instead of having to check it manually for each key ring and key? I want a script that will go through all the key rings and give me a list of keys that do not have rotation or versioning enabled. P.S. I searched a lot, but none of the API responses had key rotation.

Any help would be appreciated.


Solution

  • You have to go through all your Cloud KMS key rings and cryptoKeys. But on each of them, you can get the rotationPeriod. If the property is missing, the rotation period is not defined on the key.

    Here is an example with the discovery API:

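    from googleapiclient.discovery import build

    # Build a Cloud KMS client using Application Default Credentials
    service = build('cloudkms', 'v1')
    resp = service.projects().locations().keyRings().cryptoKeys().get(name="projects/<PROJECT ID>/locations/<LOCATION>/keyRings/<KEY RING>/cryptoKeys/<KEY NAME>").execute()
    # rotationPeriod is absent from the response when no rotation is configured
    print(resp.get('rotationPeriod', 'no rotation period set'))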
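
The full audit the question asks for, as an added example that is not part of the original answer: it walks every location, key ring and cryptoKey in a project with the same discovery API and collects the keys whose response has no rotationPeriod. The helper names `paginate` and `keys_without_rotation` and passing the project ID as the first command-line argument are assumptions of this sketch.

```python
def paginate(collection, items_key, **kwargs):
    """Yield every item from all pages of a discovery-API list() call."""
    request = collection.list(**kwargs)
    while request is not None:
        response = request.execute()
        # An empty page omits the items key entirely, so default to [].
        yield from response.get(items_key, [])
        # list_next() returns None once there is no nextPageToken.
        request = collection.list_next(request, response)


def keys_without_rotation(service, project_id):
    """Return (key name, purpose) for every cryptoKey lacking rotationPeriod.

    Only keys with purpose ENCRYPT_DECRYPT support automatic rotation in
    Cloud KMS; other purposes never carry rotationPeriod, so the purpose is
    returned to let the caller tell the two cases apart.
    """
    locations = service.projects().locations()
    key_rings = locations.keyRings()
    crypto_keys = key_rings.cryptoKeys()

    findings = []
    project = f"projects/{project_id}"
    for location in paginate(locations, "locations", name=project):
        for ring in paginate(key_rings, "keyRings", parent=location["name"]):
            for key in paginate(crypto_keys, "cryptoKeys", parent=ring["name"]):
                if "rotationPeriod" not in key:
                    findings.append((key["name"], key.get("purpose", "UNKNOWN")))
    return findings


if __name__ == "__main__":
    import sys
    from googleapiclient.discovery import build

    # Assumption: Application Default Credentials with permission to list
    # locations, key rings and cryptoKeys in the project given as argv[1].
    kms = build("cloudkms", "v1")
    for name, purpose in keys_without_rotation(kms, sys.argv[1]):
        print(f"{purpose}\t{name}")
```

Entries whose purpose is not ENCRYPT_DECRYPT cannot be given a rotation schedule and have to be rotated by creating new key versions manually.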