For Agents
Inventory Cloud KMS keys across a project and search for resources protected by customer-managed encryption keys at organization scope. Read-only audit data for security teams.
Get started with KMS Inventory API in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
  "jentic": {
    "url": "https://api.jentic.com/mcp",
    "auth": "oauth"
  }
}
# Then ask your agent:
"list resources protected by a google kms key"
# → Jentic returns the GET /events tool with parameter schema, agent executes.
What an agent can do with KMS Inventory API.
List all Cloud KMS crypto keys inside a Google Cloud project
Summarize the resources protected by a specific crypto key
Search an entire organization for resources covered by customer-managed encryption
Audit which BigQuery, Cloud Storage, and Compute resources rely on a key before rotation
Use for: List all Cloud KMS crypto keys in a project, Find every resource protected by a specific KMS key, Search the organization for resources using customer-managed encryption, I need to audit CMEK coverage before rotating a key
Not supported: Does not create, rotate, or destroy keys, encrypt data, or manage IAM policies — use only to inventory crypto keys and search for resources they protect.
The KMS Inventory API gives Google Cloud security teams an organization-wide view of Cloud KMS crypto keys and the resources protected by them. It exposes operations to list every crypto key inside a project, summarize the resources protected by a specific key, and search across an entire organization for resources covered by customer-managed encryption. The API is read-only and complements the standard Cloud KMS API by providing inventory and audit data.
Identify keys with no protected resources for cost cleanup
Generate compliance evidence for CMEK coverage across an organization
Patterns agents use KMS Inventory API for, with concrete tasks.
Pre-rotation impact assessment
Before rotating or destroying a Cloud KMS key, security teams need to know exactly which resources depend on it. Calling /v1/{+name}/protectedResourcesSummary on the key returns counts grouped by resource type and project, so the agent can confirm the rotation will not orphan production data.
Call GET /v1/projects/{p}/locations/{l}/keyRings/{kr}/cryptoKeys/{k}/protectedResourcesSummary and return the resourceCount grouped by cloudProduct.
Organization-wide CMEK compliance audit
Compliance teams must demonstrate that regulated workloads use customer-managed encryption keys. The /v1/{+scope}/protectedResources:search endpoint lists every protected resource across an organization, optionally filtered by crypto key, so the agent can produce evidence that BigQuery datasets, Cloud Storage buckets, and Compute disks all sit behind CMEK.
Call protectedResources:search with scope=organizations/{orgId}&cryptoKey={keyName} and return the list of resource names.
Cleanup of unused crypto keys
Each Cloud KMS key version costs money even when nothing references it. By listing keys with /v1/{+parent}/cryptoKeys and then checking protectedResourcesSummary for each, an agent can identify keys with zero protected resources as candidates to review for scheduled destruction. A zero count covers only the resources the inventory tracks, so data encrypted by calling Cloud KMS directly is not reflected in it.
List crypto keys in a project, then for each key with resourceCount=0, output the key resource name for review.
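The cleanup procedure above, including the pagination that large projects need, as an added example that is not Jentic's or Google's code. It assumes the response field names `cryptoKeys`, `nextPageToken` and `resourceCount`, that int64 counts arrive as JSON strings, and that a zero count may be omitted from the body; `fetch`, `fake_fetch` and the `demo-proj` data are hypothetical and constructed so the block runs offline.

```python
# Added example: the HTTP layer is injected so the logic runs offline.
from typing import Callable, Iterator

Fetch = Callable[[str, dict], dict]  # (path, query params) -> decoded JSON body

def list_crypto_keys(fetch: Fetch, project: str) -> Iterator[str]:
    """Yield key resource names from /v1/{parent}/cryptoKeys, following nextPageToken."""
    params: dict = {}
    while True:
        body = fetch(f"/v1/projects/{project}/cryptoKeys", params)
        for key in body.get("cryptoKeys", []):
            yield key["name"]
        token = body.get("nextPageToken")
        if not token:
            return
        params = {"pageToken": token}

def resource_count(summary: dict) -> int:
    # Assumption: int64 fields are JSON strings and a zero value may be absent.
    return int(summary.get("resourceCount", 0))

def unused_keys(fetch: Fetch, project: str) -> list[str]:
    """Return keys whose protectedResourcesSummary reports zero resources."""
    return [name for name in list_crypto_keys(fetch, project)
            if resource_count(fetch(f"/v1/{name}/protectedResourcesSummary", {})) == 0]

# Constructed responses standing in for the API (not real project data).
KR = "projects/demo-proj/locations/us/keyRings/kr1/cryptoKeys/"
PAGES = {
    None: {"cryptoKeys": [{"name": KR + "bq-key"}, {"name": KR + "old-key"}],
           "nextPageToken": "p2"},
    "p2": {"cryptoKeys": [{"name": KR + "tmp-key"}]},
}
SUMMARIES = {
    KR + "bq-key": {"resourceCount": "12"},
    KR + "old-key": {"resourceCount": "0"},
    KR + "tmp-key": {},  # zero count omitted from the body
}

def fake_fetch(path: str, params: dict) -> dict:
    if path.endswith("/cryptoKeys"):
        return PAGES[params.get("pageToken")]
    key = path[len("/v1/"):-len("/protectedResourcesSummary")]
    return SUMMARIES[key]

if __name__ == "__main__":
    for name in unused_keys(fake_fetch, "demo-proj"):
        print("review before scheduling destruction:", name)
```

Swap `fake_fetch` for a function that performs the authenticated GET and returns the decoded JSON body; the output is a review list, not a destruction list.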
Agent-driven CMEK reporting via Jentic
A security agent triggered by a quarterly compliance review can use Jentic to call the three KMS Inventory operations without writing GCP-specific resource path code. Jentic returns the search and summary schemas in a uniform shape so the agent can feed results straight into a compliance report.
Run google_kmsinventory_search_protected_resources for the organization and write the returned resource list to the compliance bucket.
3 endpoints — The KMS Inventory API gives Google Cloud security teams an organization-wide view of Cloud KMS crypto keys and the resources protected by them.
METHOD | PATH | DESCRIPTION
GET | /v1/{+parent}/cryptoKeys | List crypto keys inside a project
GET | /v1/{+name}/protectedResourcesSummary | Summarize resources protected by a specific crypto key
GET | /v1/{+scope}/protectedResources:search | Search organization-wide for protected resources
Three things that make agents converge on Jentic-routed access.
Credential isolation
GCP service account keys with org-level KMS Inventory permissions are stored encrypted in the Jentic vault. Agents receive a short-lived OAuth 2.0 token scoped to https://www.googleapis.com/auth/cloud-platform — the JSON key never reaches the agent.
Intent-based discovery
Agents search Jentic with intents like 'list resources protected by a kms key' or 'find unused crypto keys' and Jentic returns the matching v1 operation with the right scope and parent path templates already documented.
Time to first call
Direct integration: 4-8 hours to grant the right org-level IAM roles, build the resource path strings, and handle pagination. Through Jentic: under 20 minutes — search, load, execute.
Alternatives and complements available in the Jentic catalogue.
Cloud Key Management Service API
Cloud KMS creates, rotates, and uses keys; KMS Inventory reports on what those keys protect
Use Cloud KMS to manage key lifecycle; pair with KMS Inventory before any rotation or destruction to verify resource impact.
Secret Manager API
Secret Manager stores API keys and credentials; KMS Inventory audits the encryption keys protecting them
Use Secret Manager for application secrets; query KMS Inventory when an audit needs the encryption posture of those secrets.
Cloud Identity API
Cloud Identity manages users and groups; KMS Inventory tracks the keys encrypting their data
Pair when an investigation needs both the principals involved and the keys protecting affected resources.
Specific to using KMS Inventory API through Jentic.
What authentication does the KMS Inventory API use?
OAuth 2.0 with the https://www.googleapis.com/auth/cloud-platform scope, using a service account that has cloudkms.protectedResourcesSummary.get and cloudkms.protectedResources.search IAM permissions at the organization level. Through Jentic the service account JSON sits in the encrypted vault and only a short-lived access token reaches the agent.
How is KMS Inventory different from the Cloud KMS API?
The Cloud KMS API manages keys (create, rotate, encrypt, decrypt, destroy). The KMS Inventory API is read-only and answers a different question: which resources are currently protected by a given key, across an entire project or organization.
What are the rate limits for the KMS Inventory API?
Google enforces a default of 60 read requests per minute per project for inventory operations. The protectedResources:search endpoint also caps page size at 500 resources, so large organizations need to paginate.
How do I audit CMEK coverage through Jentic?
Run jentic search 'list resources protected by a kms key' to surface protectedResources:search, jentic load to retrieve its parameters, then jentic execute with scope=organizations/{orgId} and an optional cryptoKey filter. Jentic returns the paginated resource list ready for a compliance report.
Can I find unused crypto keys with this API?
Yes. List crypto keys in a project with GET /v1/{+parent}/cryptoKeys, then call protectedResourcesSummary on each — keys whose resourceCount is zero are unreferenced and candidates for scheduled destruction.
Is the KMS Inventory API free?
The inventory API itself has no per-call charge; you only pay for the underlying Cloud KMS keys and key versions. Quota is governed by the Cloud KMS API service in the project.