Key Management Service API, REST: SymmetricKey.Update

Written by

Updated at December 9, 2025

HTTP request
Path parameters
Body parameters
Response
UpdateSymmetricKeyMetadata
Status
SymmetricKey
SymmetricKeyVersion

Updates the specified symmetric KMS key.

HTTP request

PATCH https://kms.api.cloud.yandex.net/kms/v1/keys/{keyId}

Path parameters

Field

Description

keyId

string

Required field. ID of the symmetric KMS key to update.
To get the ID of a symmetric KMS key use a SymmetricKeyService.List request.

The maximum string length in characters is 50.

Body parameters

{
  "updateMask": "string",
  "name": "string",
  "description": "string",
  "status": "string",
  "labels": "object",
  "defaultAlgorithm": "string",
  "rotationPeriod": "string",
  "deletionProtection": "boolean"
}

Field	Description
updateMask	string (field-mask) Required field. A comma-separated names off ALL fields to be updated. Only the specified fields will be changed. The others will be left untouched. If the field is specified in `updateMask` and no value for that field was sent in the request, the field's value will be reset to the default. The default value for most fields is null or 0. If `updateMask` is not sent in the request, all fields' values will be updated. Fields specified in the request will be updated to provided values. The rest of the fields will be reset to the default.
name	string New name for the symmetric KMS key. The maximum string length in characters is 100.
description	string New description for the symmetric KMS key. The maximum string length in characters is 1024.
status	enum (Status) New status for the symmetric KMS key. Using the SymmetricKeyService.Update method you can only set ACTIVE or INACTIVE status. `CREATING`: The key is being created. `ACTIVE`: The key is active and can be used for encryption and decryption. Can be set to INACTIVE using the SymmetricKeyService.Update method. `INACTIVE`: The key is inactive and unusable. Can be set to ACTIVE using the SymmetricKeyService.Update method.
labels	object (map<string, string>) Custom labels for the symmetric KMS key as `key:value` pairs. Maximum 64 per key. No more than 64 per resource. The maximum string length in characters for each value is 63. Each value must match the regular expression `[-_0-9a-z]`. The maximum string length in characters for each key is 63. Each key must match the regular expression `[a-z][-_0-9a-z]`.
defaultAlgorithm	enum (SymmetricAlgorithm) Default encryption algorithm to be used with new versions of the symmetric KMS key. `AES_128`: AES algorithm with 128-bit keys. `AES_192`: AES algorithm with 192-bit keys. `AES_256`: AES algorithm with 256-bit keys. `AES_256_HSM`: AES algorithm with 256-bit keys hosted by HSM `GOST_R_3412_2015_K`: GOST R 34.12-2015 Kuznyechik algorithm
rotationPeriod	string (duration) Time period between automatic symmetric KMS key rotations.
deletionProtection	boolean Flag that inhibits deletion of the symmetric KMS key

Response

HTTP Code: 200 - OK

{
  "id": "string",
  "description": "string",
  "createdAt": "string",
  "createdBy": "string",
  "modifiedAt": "string",
  "done": "boolean",
  "metadata": {
    "keyId": "string"
  },
  // Includes only one of the fields `error`, `response`
  "error": {
    "code": "integer",
    "message": "string",
    "details": [
      "object"
    ]
  },
  "response": {
    "id": "string",
    "folderId": "string",
    "createdAt": "string",
    "name": "string",
    "description": "string",
    "labels": "object",
    "status": "string",
    "primaryVersion": {
      "id": "string",
      "keyId": "string",
      "status": "string",
      "algorithm": "string",
      "createdAt": "string",
      "primary": "boolean",
      "destroyAt": "string",
      "hostedByHsm": "boolean"
    },
    "defaultAlgorithm": "string",
    "rotatedAt": "string",
    "rotationPeriod": "string",
    "deletionProtection": "boolean"
  }
  // end of the list of possible fields
}

An Operation resource. For more information, see Operation.

Field	Description
id	string ID of the operation.
description	string Description of the operation. 0-256 characters long.
createdAt	string (date-time) Creation timestamp. String in RFC3339 text format. The range of possible values is from `0001-01-01T00:00:00Z` to `9999-12-31T23:59:59.999999999Z`, i.e. from 0 to 9 digits for fractions of a second. To work with values in this field, use the APIs described in the Protocol Buffers reference. In some languages, built-in datetime utilities do not support nanosecond precision (9 digits).
createdBy	string ID of the user or service account who initiated the operation.
modifiedAt	string (date-time) The time when the Operation resource was last modified. String in RFC3339 text format. The range of possible values is from `0001-01-01T00:00:00Z` to `9999-12-31T23:59:59.999999999Z`, i.e. from 0 to 9 digits for fractions of a second. To work with values in this field, use the APIs described in the Protocol Buffers reference. In some languages, built-in datetime utilities do not support nanosecond precision (9 digits).
done	boolean If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available.
metadata	UpdateSymmetricKeyMetadata Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
error	Status The error result of the operation in case of failure or cancellation. Includes only one of the fields `error`, `response`. The operation result. If `done == false` and there was no failure detected, neither `error` nor `response` is set. If `done == false` and there was a failure detected, `error` is set. If `done == true`, exactly one of `error` or `response` is set.
response	SymmetricKey The normal response of the operation in case of success. If the original method returns no data on success, such as Delete, the response is google.protobuf.Empty. If the original method is the standard Create/Update, the response should be the target resource of the operation. Any method that returns a long-running operation should document the response type, if any. Includes only one of the fields `error`, `response`. The operation result. If `done == false` and there was no failure detected, neither `error` nor `response` is set. If `done == false` and there was a failure detected, `error` is set. If `done == true`, exactly one of `error` or `response` is set.

UpdateSymmetricKeyMetadata

Field

Description

keyId

string

ID of the key being updated.

Status

The error result of the operation in case of failure or cancellation.

Field	Description
code	integer (int32) Error code. An enum value of google.rpc.Code.
message	string An error message.
details[]	object A list of messages that carry the error details.

SymmetricKey

A symmetric KMS key that may contain several versions of the cryptographic material.

Field	Description
id	string ID of the key.
folderId	string ID of the folder that the key belongs to.
createdAt	string (date-time) Time when the key was created. String in RFC3339 text format. The range of possible values is from `0001-01-01T00:00:00Z` to `9999-12-31T23:59:59.999999999Z`, i.e. from 0 to 9 digits for fractions of a second. To work with values in this field, use the APIs described in the Protocol Buffers reference. In some languages, built-in datetime utilities do not support nanosecond precision (9 digits).
name	string Name of the key.
description	string Description of the key.
labels	object (map<string, string>) Custom labels for the key as `key:value` pairs. Maximum 64 per key.
status	enum (Status) Current status of the key. `CREATING`: The key is being created. `ACTIVE`: The key is active and can be used for encryption and decryption. Can be set to INACTIVE using the SymmetricKeyService.Update method. `INACTIVE`: The key is inactive and unusable. Can be set to ACTIVE using the SymmetricKeyService.Update method.
primaryVersion	SymmetricKeyVersion Primary version of the key, used as the default for all encrypt/decrypt operations, when no version ID is specified.
defaultAlgorithm	enum (SymmetricAlgorithm) Default encryption algorithm to be used with new versions of the key. `AES_128`: AES algorithm with 128-bit keys. `AES_192`: AES algorithm with 192-bit keys. `AES_256`: AES algorithm with 256-bit keys. `AES_256_HSM`: AES algorithm with 256-bit keys hosted by HSM `GOST_R_3412_2015_K`: GOST R 34.12-2015 Kuznyechik algorithm
rotatedAt	string (date-time) Time of the last key rotation (time when the last version was created). Empty if the key does not have versions yet. String in RFC3339 text format. The range of possible values is from `0001-01-01T00:00:00Z` to `9999-12-31T23:59:59.999999999Z`, i.e. from 0 to 9 digits for fractions of a second. To work with values in this field, use the APIs described in the Protocol Buffers reference. In some languages, built-in datetime utilities do not support nanosecond precision (9 digits).
rotationPeriod	string (duration) Time period between automatic key rotations.
deletionProtection	boolean Flag that inhibits deletion of the key

SymmetricKeyVersion

Symmetric KMS key version: metadata about actual cryptographic data.

Field	Description
id	string ID of the key version.
keyId	string ID of the symmetric KMS key that the version belongs to.
status	enum (Status) Status of the key version. `ACTIVE`: The version is active and can be used for encryption and decryption. `SCHEDULED_FOR_DESTRUCTION`: The version is scheduled for destruction, the time when it will be destroyed is specified in the `SymmetricKeyVersion.destroyAt` field. `DESTROYED`: The version is destroyed and cannot be recovered.
algorithm	enum (SymmetricAlgorithm) Encryption algorithm that should be used when using the key version to encrypt plaintext. `AES_128`: AES algorithm with 128-bit keys. `AES_192`: AES algorithm with 192-bit keys. `AES_256`: AES algorithm with 256-bit keys. `AES_256_HSM`: AES algorithm with 256-bit keys hosted by HSM `GOST_R_3412_2015_K`: GOST R 34.12-2015 Kuznyechik algorithm
createdAt	string (date-time) Time when the key version was created. String in RFC3339 text format. The range of possible values is from `0001-01-01T00:00:00Z` to `9999-12-31T23:59:59.999999999Z`, i.e. from 0 to 9 digits for fractions of a second. To work with values in this field, use the APIs described in the Protocol Buffers reference. In some languages, built-in datetime utilities do not support nanosecond precision (9 digits).
primary	boolean Indication of a primary version, that is to be used by default for all cryptographic operations that don't have a key version explicitly specified.
destroyAt	string (date-time) Time when the key version is going to be destroyed. Empty unless the status is `SCHEDULED_FOR_DESTRUCTION`. String in RFC3339 text format. The range of possible values is from `0001-01-01T00:00:00Z` to `9999-12-31T23:59:59.999999999Z`, i.e. from 0 to 9 digits for fractions of a second. To work with values in this field, use the APIs described in the Protocol Buffers reference. In some languages, built-in datetime utilities do not support nanosecond precision (9 digits).
hostedByHsm	boolean Indication of the version that is hosted by HSM.

Key Management Service API, REST: SymmetricKey.Update

HTTP requestHTTP request

Path parametersPath parameters

Body parametersBody parameters

ResponseResponse

UpdateSymmetricKeyMetadataUpdateSymmetricKeyMetadata

StatusStatus

SymmetricKeySymmetricKey

SymmetricKeyVersionSymmetricKeyVersion

Was the article helpful?