Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Key Management Service API, REST: AsymmetricEncryptionKey.Update

Written by
Updated at October 3, 2025

Updates the specified asymmetric KMS key.

HTTP request

PATCH https://kms.api.cloud.yandex.net/kms/v1/asymmetricEncryptionKeys/{keyId}

Path parameters

Field

Description

keyId

string

Required field. ID of the asymmetric KMS key to update.
To get the ID of a asymmetric KMS key use a AsymmetricEncryptionKeyService.List request.

Body parameters

{
  "updateMask": "string",
  "name": "string",
  "description": "string",
  "status": "string",
  "labels": "object",
  "deletionProtection": "boolean"
}

Field

Description

updateMask

string (field-mask)

Required field. A comma-separated names off ALL fields to be updated.
Only the specified fields will be changed. The others will be left untouched.
If the field is specified in updateMask and no value for that field was sent in the request,
the field's value will be reset to the default. The default value for most fields is null or 0.

If updateMask is not sent in the request, all fields' values will be updated.
Fields specified in the request will be updated to provided values.
The rest of the fields will be reset to the default.

name

string

New name for the asymmetric KMS key.

description

string

New description for the asymmetric KMS key.

status

enum (Status)

New status for the asymmetric KMS key.
Using the AsymmetricEncryptionKeyService.Update method you can only set ACTIVE or INACTIVE status.

  • STATUS_UNSPECIFIED
  • CREATING: The key is being created.
  • ACTIVE: The key is active and can be used for encryption and decryption or signature and verification.
    Can be set to INACTIVE using the [AsymmetricKeyService.Update] method.
  • INACTIVE: The key is inactive and unusable.
    Can be set to ACTIVE using the [AsymmetricKeyService.Update] method.

labels

object (map<string, string>)

Custom labels for the asymmetric KMS key as key:value pairs. Maximum 64 per key.

deletionProtection

boolean

Flag that inhibits deletion of the asymmetric KMS key

Response

HTTP Code: 200 - OK

{
  "id": "string",
  "description": "string",
  "createdAt": "string",
  "createdBy": "string",
  "modifiedAt": "string",
  "done": "boolean",
  "metadata": {
    "keyId": "string"
  },
  // Includes only one of the fields `error`, `response`
  "error": {
    "code": "integer",
    "message": "string",
    "details": [
      "object"
    ]
  },
  "response": {
    "id": "string",
    "folderId": "string",
    "createdAt": "string",
    "name": "string",
    "description": "string",
    "labels": "object",
    "status": "string",
    "encryptionAlgorithm": "string",
    "deletionProtection": "boolean"
  }
  // end of the list of possible fields
}

An Operation resource. For more information, see Operation.

Field

Description

id

string

ID of the operation.

description

string

Description of the operation. 0-256 characters long.

createdAt

string (date-time)

Creation timestamp.

String in RFC3339 text format. The range of possible values is from
0001-01-01T00:00:00Z to 9999-12-31T23:59:59.999999999Z, i.e. from 0 to 9 digits for fractions of a second.

To work with values in this field, use the APIs described in the
Protocol Buffers reference.
In some languages, built-in datetime utilities do not support nanosecond precision (9 digits).

createdBy

string

ID of the user or service account who initiated the operation.

modifiedAt

string (date-time)

The time when the Operation resource was last modified.

String in RFC3339 text format. The range of possible values is from
0001-01-01T00:00:00Z to 9999-12-31T23:59:59.999999999Z, i.e. from 0 to 9 digits for fractions of a second.

To work with values in this field, use the APIs described in the
Protocol Buffers reference.
In some languages, built-in datetime utilities do not support nanosecond precision (9 digits).

done

boolean

If the value is false, it means the operation is still in progress.
If true, the operation is completed, and either error or response is available.

metadata

UpdateAsymmetricEncryptionKeyMetadata

Service-specific metadata associated with the operation.
It typically contains the ID of the target resource that the operation is performed on.
Any method that returns a long-running operation should document the metadata type, if any.

error

Status

The error result of the operation in case of failure or cancellation.

Includes only one of the fields error, response.

The operation result.
If done == false and there was no failure detected, neither error nor response is set.
If done == false and there was a failure detected, error is set.
If done == true, exactly one of error or response is set.

response

AsymmetricEncryptionKey

The normal response of the operation in case of success.
If the original method returns no data on success, such as Delete,
the response is google.protobuf.Empty.
If the original method is the standard Create/Update,
the response should be the target resource of the operation.
Any method that returns a long-running operation should document the response type, if any.

Includes only one of the fields error, response.

The operation result.
If done == false and there was no failure detected, neither error nor response is set.
If done == false and there was a failure detected, error is set.
If done == true, exactly one of error or response is set.

UpdateAsymmetricEncryptionKeyMetadata

Field

Description

keyId

string

ID of the key being updated.

Status

The error result of the operation in case of failure or cancellation.

Field

Description

code

integer (int32)

Error code. An enum value of google.rpc.Code.

message

string

An error message.

details[]

object

A list of messages that carry the error details.

AsymmetricEncryptionKey

An asymmetric KMS key that may contain several versions of the cryptographic material.

Field

Description

id

string

ID of the key.

folderId

string

ID of the folder that the key belongs to.

createdAt

string (date-time)

Time when the key was created.

String in RFC3339 text format. The range of possible values is from
0001-01-01T00:00:00Z to 9999-12-31T23:59:59.999999999Z, i.e. from 0 to 9 digits for fractions of a second.

To work with values in this field, use the APIs described in the
Protocol Buffers reference.
In some languages, built-in datetime utilities do not support nanosecond precision (9 digits).

name

string

Name of the key.

description

string

Description of the key.

labels

object (map<string, string>)

Custom labels for the key as key:value pairs. Maximum 64 per key.

status

enum (Status)

Current status of the key.

  • STATUS_UNSPECIFIED
  • CREATING: The key is being created.
  • ACTIVE: The key is active and can be used for encryption and decryption or signature and verification.
    Can be set to INACTIVE using the [AsymmetricKeyService.Update] method.
  • INACTIVE: The key is inactive and unusable.
    Can be set to ACTIVE using the [AsymmetricKeyService.Update] method.

encryptionAlgorithm

enum (AsymmetricEncryptionAlgorithm)

Asymmetric Encryption Algorithm ID.

  • ASYMMETRIC_ENCRYPTION_ALGORITHM_UNSPECIFIED
  • RSA_2048_ENC_OAEP_SHA_256: RSA-2048 encryption with OAEP padding and SHA-256
  • RSA_3072_ENC_OAEP_SHA_256: RSA-3072 encryption with OAEP padding and SHA-256
  • RSA_4096_ENC_OAEP_SHA_256: RSA-4096 encryption with OAEP padding and SHA-256

deletionProtection

boolean

Flag that inhibits deletion of the key
Previous
List
Next
Delete
© 2025 Direct Cursus Technology L.L.C.