From 86fc579ca453a427d2967debf537aeb54c8d27d9 Mon Sep 17 00:00:00 2001
From: Bu Sun Kim <8822365+busunkim96@users.noreply.github.com>
Date: Thu, 30 Jul 2020 13:35:29 -0700
Subject: [PATCH] feat!: migrate to microgenerator. (#16)

---
 packages/google-cloud-kms/.coveragerc         |   15 +-
 packages/google-cloud-kms/README.rst          |    6 +-
 packages/google-cloud-kms/UPGRADING.md        |  167 +
 packages/google-cloud-kms/docs/UPGRADING.md   |    1 +
 .../docs/_templates/layout.html               |    4 +-
 packages/google-cloud-kms/docs/conf.py        |   11 +-
 .../google-cloud-kms/docs/gapic/v1/api.rst    |    6 -
 .../google-cloud-kms/docs/gapic/v1/types.rst  |    5 -
 packages/google-cloud-kms/docs/index.rst      |   15 +-
 .../google-cloud-kms/docs/kms_v1/services.rst |    6 +
 .../google-cloud-kms/docs/kms_v1/types.rst    |    5 +
 packages/google-cloud-kms/google/cloud/kms.py |   25 -
 .../google/cloud/kms/__init__.py              |  112 +
 .../google/cloud/kms/py.typed                 |    2 +
 .../google/cloud/kms_v1/__init__.py           |  118 +-
 .../google/cloud/kms_v1/gapic/__init__.py     |    0
 .../google/cloud/kms_v1/gapic/enums.py        |  252 -
 .../gapic/key_management_service_client.py    | 2556 -------
 .../key_management_service_client_config.py   |  155 -
 .../cloud/kms_v1/gapic/transports/__init__.py |    0
 .../key_management_service_grpc_transport.py  |  502 --
 .../google/cloud/kms_v1/proto/__init__.py     |    0
 .../google/cloud/kms_v1/proto/resources.proto |    2 +-
 .../cloud/kms_v1/proto/resources_pb2.py       | 1997 -----
 .../cloud/kms_v1/proto/resources_pb2_grpc.py  |    2 -
 .../google/cloud/kms_v1/proto/service_pb2.py  | 3624 ---------
 .../cloud/kms_v1/proto/service_pb2_grpc.py    |  498 --
 .../google/cloud/kms_v1/py.typed              |    2 +
 .../{ => cloud/kms_v1/services}/__init__.py   |   14 +-
 .../key_management_service}/__init__.py       |   18 +-
 .../key_management_service/async_client.py    | 2761 +++++++
 .../services/key_management_service/client.py | 2675 +++++++
 .../services/key_management_service/pagers.py |  533 ++
 .../transports/__init__.py                    |   38 +
 .../key_management_service/transports/base.py |  705 ++
 .../key_management_service/transports/grpc.py | 1001 +++
 .../transports/grpc_asyncio.py                | 1024 +++
 .../google/cloud/kms_v1/types.py              |   47 -
 .../google/cloud/kms_v1/types/__init__.py     |  107 +
 .../google/cloud/kms_v1/types/resources.py    |  650 ++
 .../google/cloud/kms_v1/types/service.py      |  913 +++
 packages/google-cloud-kms/mypy.ini            |    3 +
 packages/google-cloud-kms/noxfile.py          |   26 +-
 .../samples/attestations/README.rst           |   29 +-
 .../samples/attestations/noxfile.py           |    3 +-
 .../snippets/create_key_asymmetric_decrypt.py |    6 +-
 .../snippets/create_key_asymmetric_sign.py    |    6 +-
 .../samples/snippets/create_key_hsm.py        |    8 +-
 .../samples/snippets/create_key_labels.py     |    6 +-
 .../samples/snippets/create_key_ring.py       |    4 +-
 .../snippets/create_key_rotation_schedule.py  |    6 +-
 .../create_key_symmetric_encrypt_decrypt.py   |    6 +-
 .../samples/snippets/create_key_version.py    |    2 +-
 .../samples/snippets/decrypt_asymmetric.py    |    2 +-
 .../samples/snippets/decrypt_symmetric.py     |    2 +-
 .../samples/snippets/destroy_key_version.py   |    2 +-
 .../samples/snippets/disable_key_version.py   |   12 +-
 .../samples/snippets/enable_key_version.py    |   12 +-
 .../samples/snippets/encrypt_asymmetric.py    |    2 +-
 .../samples/snippets/encrypt_symmetric.py     |    2 +-
 .../samples/snippets/get_key_labels.py        |    2 +-
 .../snippets/get_key_version_attestation.py   |    2 +-
 .../samples/snippets/get_public_key.py        |    2 +-
 .../samples/snippets/iam_add_member.py        |    9 +-
 .../samples/snippets/iam_get_policy.py        |    2 +-
 .../samples/snippets/iam_remove_member.py     |    8 +-
 .../samples/snippets/noxfile.py               |    3 +-
 .../samples/snippets/quickstart.py            |    4 +-
 .../samples/snippets/restore_key_version.py   |    2 +-
 .../samples/snippets/sign_asymmetric.py       |    2 +-
 .../samples/snippets/snippets_test.py         |  132 +-
 .../snippets/update_key_add_rotation.py       |   22 +-
 .../snippets/update_key_remove_labels.py      |   12 +-
 .../snippets/update_key_remove_rotation.py    |   10 +-
 .../snippets/update_key_set_primary.py        |    2 +-
 .../snippets/update_key_update_labels.py      |   14 +-
 .../samples/snippets/verify_asymmetric_ec.py  |    2 +-
 .../samples/snippets/verify_asymmetric_rsa.py |    2 +-
 .../scripts/fixup_kms_v1_keywords.py          |  204 +
 packages/google-cloud-kms/setup.py            |   24 +-
 packages/google-cloud-kms/synth.metadata      |   22 +-
 packages/google-cloud-kms/synth.py            |   78 +-
 packages/google-cloud-kms/tests/system.py     |   29 -
 .../tests/unit/gapic/kms_v1/__init__.py       |    1 +
 .../kms_v1/test_key_management_service.py     | 6815 +++++++++++++++++
 .../test_key_management_service_client_v1.py  | 1328 ----
 86 files changed, 18138 insertions(+), 11308 deletions(-)
 create mode 100644 packages/google-cloud-kms/UPGRADING.md
 create mode 120000 packages/google-cloud-kms/docs/UPGRADING.md
 delete mode 100644 packages/google-cloud-kms/docs/gapic/v1/api.rst
 delete mode 100644 packages/google-cloud-kms/docs/gapic/v1/types.rst
 create mode 100644 packages/google-cloud-kms/docs/kms_v1/services.rst
 create mode 100644 packages/google-cloud-kms/docs/kms_v1/types.rst
 delete mode 100644 packages/google-cloud-kms/google/cloud/kms.py
 create mode 100644 packages/google-cloud-kms/google/cloud/kms/__init__.py
 create mode 100644 packages/google-cloud-kms/google/cloud/kms/py.typed
 delete mode 100644 packages/google-cloud-kms/google/cloud/kms_v1/gapic/__init__.py
 delete mode 100644 packages/google-cloud-kms/google/cloud/kms_v1/gapic/enums.py
 delete mode 100644 packages/google-cloud-kms/google/cloud/kms_v1/gapic/key_management_service_client.py
 delete mode 100644 packages/google-cloud-kms/google/cloud/kms_v1/gapic/key_management_service_client_config.py
 delete mode 100644 packages/google-cloud-kms/google/cloud/kms_v1/gapic/transports/__init__.py
 delete mode 100644 packages/google-cloud-kms/google/cloud/kms_v1/gapic/transports/key_management_service_grpc_transport.py
 delete mode 100644 packages/google-cloud-kms/google/cloud/kms_v1/proto/__init__.py
 delete mode 100644 packages/google-cloud-kms/google/cloud/kms_v1/proto/resources_pb2.py
 delete mode 100644 packages/google-cloud-kms/google/cloud/kms_v1/proto/resources_pb2_grpc.py
 delete mode 100644 packages/google-cloud-kms/google/cloud/kms_v1/proto/service_pb2.py
 delete mode 100644 packages/google-cloud-kms/google/cloud/kms_v1/proto/service_pb2_grpc.py
 create mode 100644 packages/google-cloud-kms/google/cloud/kms_v1/py.typed
 rename packages/google-cloud-kms/google/{ => cloud/kms_v1/services}/__init__.py (71%)
 rename packages/google-cloud-kms/google/cloud/{ => kms_v1/services/key_management_service}/__init__.py (69%)
 create mode 100644 packages/google-cloud-kms/google/cloud/kms_v1/services/key_management_service/async_client.py
 create mode 100644 packages/google-cloud-kms/google/cloud/kms_v1/services/key_management_service/client.py
 create mode 100644 packages/google-cloud-kms/google/cloud/kms_v1/services/key_management_service/pagers.py
 create mode 100644 packages/google-cloud-kms/google/cloud/kms_v1/services/key_management_service/transports/__init__.py
 create mode 100644 packages/google-cloud-kms/google/cloud/kms_v1/services/key_management_service/transports/base.py
 create mode 100644 packages/google-cloud-kms/google/cloud/kms_v1/services/key_management_service/transports/grpc.py
 create mode 100644 packages/google-cloud-kms/google/cloud/kms_v1/services/key_management_service/transports/grpc_asyncio.py
 delete mode 100644 packages/google-cloud-kms/google/cloud/kms_v1/types.py
 create mode 100644 packages/google-cloud-kms/google/cloud/kms_v1/types/__init__.py
 create mode 100644 packages/google-cloud-kms/google/cloud/kms_v1/types/resources.py
 create mode 100644 packages/google-cloud-kms/google/cloud/kms_v1/types/service.py
 create mode 100644 packages/google-cloud-kms/mypy.ini
 create mode 100644 packages/google-cloud-kms/scripts/fixup_kms_v1_keywords.py
 delete mode 100644 packages/google-cloud-kms/tests/system.py
 create mode 100644 packages/google-cloud-kms/tests/unit/gapic/kms_v1/__init__.py
 create mode 100644 packages/google-cloud-kms/tests/unit/gapic/kms_v1/test_key_management_service.py
 delete mode 100644 packages/google-cloud-kms/tests/unit/gapic/v1/test_key_management_service_client_v1.py

diff --git a/packages/google-cloud-kms/.coveragerc b/packages/google-cloud-kms/.coveragerc
index dd39c8546c41..2257f8d2feb5 100644
--- a/packages/google-cloud-kms/.coveragerc
+++ b/packages/google-cloud-kms/.coveragerc
@@ -14,22 +14,21 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# Generated by synthtool. DO NOT EDIT!
 [run]
 branch = True
 
 [report]
 fail_under = 100
 show_missing = True
+omit =
+    google/cloud/kms/__init__.py
 exclude_lines =
     # Re-enable the standard pragma
     pragma: NO COVER
     # Ignore debug-only repr
     def __repr__
-    # Ignore abstract methods
-    raise NotImplementedError
-omit =
-  */gapic/*.py
-  */proto/*.py
-  */core/*.py
-  */site-packages/*.py
\ No newline at end of file
+    # Ignore pkg_resources exceptions.
+    # This is added at the module level as a safeguard for if someone
+    # generates the code and tries to run it without pip installing. This
+    # makes it virtually impossible to test properly.
+    except pkg_resources.DistributionNotFound
diff --git a/packages/google-cloud-kms/README.rst b/packages/google-cloud-kms/README.rst
index d1a48ae0fcab..691392770fdd 100644
--- a/packages/google-cloud-kms/README.rst
+++ b/packages/google-cloud-kms/README.rst
@@ -51,11 +51,13 @@ dependencies.
 
 Supported Python Versions
 ^^^^^^^^^^^^^^^^^^^^^^^^^
-Python >= 3.5
+Python >= 3.6
 
 Deprecated Python Versions
 ^^^^^^^^^^^^^^^^^^^^^^^^^^
-Python == 2.7. Python 2.7 support will be removed on January 1, 2020.
+Python == 2.7.
+
+The last version of this library compatible with Python 2.7 is google-cloud-kms==1.4.0.
 
 
 Mac/Linux
diff --git a/packages/google-cloud-kms/UPGRADING.md b/packages/google-cloud-kms/UPGRADING.md
new file mode 100644
index 000000000000..1d9fc5b780bc
--- /dev/null
+++ b/packages/google-cloud-kms/UPGRADING.md
@@ -0,0 +1,167 @@
+# 2.0.0 Migration Guide
+
+The 2.0 release of the `google-cloud-kms` client is a significant upgrade based on a [next-gen code generator](https://github.com/googleapis/gapic-generator-python), and includes substantial interface changes. Existing code written for earlier versions of this library will likely require updates to use this version. This document describes the changes that have been made, and what you need to do to update your usage.
+
+If you experience issues or have questions, please file an [issue](https://github.com/googleapis/python-kms/issues).
+
+## Supported Python Versions
+
+> **WARNING**: Breaking change
+
+The 2.0.0 release requires Python 3.6+.
+
+
+## Method Calls
+
+> **WARNING**: Breaking change
+
+Methods expect request objects. We provide a script that will convert most common use cases.
+
+* Install the library
+
+```py
+python3 -m pip install google-cloud-kms
+```
+
+* The script `fixup_kms_v1_keywords.py` is shipped with the library. It expects
+an input directory (with the code to convert) and an empty destination directory.
+
+```sh
+$ fixup_kms_v1_keywords.py --input-directory .samples/ --output-directory samples/
+```
+
+**Before:**
+```py
+ from google.cloud import kms
+
+client = kms.KeyManagementServiceClient()
+location_name = client.location_path(project_id, location_id)
+key_ring = {}
+
+created_key_ring = client.create_key_ring(location_name, id, key_ring)
+```
+
+
+**After:**
+```py
+from google.cloud import kms
+
+client = kms.KeyManagementServiceClient()
+location_name = f'projects/{project_id}/locations/{location_id}'
+key_ring = {}
+
+created_key_ring = client.create_key_ring(request={'parent': location_name, 'key_ring_id': id, 'key_ring': key_ring})
+```
+
+### More Details
+
+In `google-cloud-kms<2.0.0`, parameters required by the API were positional parameters and optional parameters were keyword parameters.
+
+**Before:**
+```py
+    def create_key_ring(
+        self,
+        parent,
+        key_ring_id,
+        key_ring,
+        retry=google.api_core.gapic_v1.method.DEFAULT,
+        timeout=google.api_core.gapic_v1.method.DEFAULT,
+        metadata=None,
+    ):
+```
+
+In the 2.0.0 release, all methods have a single positional parameter `request`. Method docstrings indicate whether a parameter is required or optional.
+
+Some methods have additional keyword only parameters. The available parameters depend on the `google.api.method_signature` annotation specified by the API producer.
+
+
+**After:**
+```py
+    def create_key_ring(
+        self,
+        request: service.CreateKeyRingRequest = None,
+        *,
+        parent: str = None,
+        key_ring_id: str = None,
+        key_ring: resources.KeyRing = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> resources.KeyRing:
+```
+
+> **NOTE:** The `request` parameter and flattened keyword parameters for the API are mutually exclusive.
+> Passing both will result in an error.
+
+
+Both of these calls are valid:
+
+```py
+response = client.create_key_ring(
+    request={
+        "parent": parent,
+        "key_ring_id": key_ring_id,
+        "key_ring": key_ring
+    }
+)
+```
+
+```py
+response = client.create_key_ring(
+    parent=parent,
+    key_ring_id=key_ring_id,
+    key_ring=key_ring
+)
+```
+
+This call is invalid because it mixes `request` with a keyword argument `key_ring`. Executing this code
+will result in an error.
+
+```py
+response = client.create_key_ring(
+    request={
+        "parent": parent,
+        "key_ring_id": key_ring_id,
+    },
+    key_ring=key_ring
+)
+```
+
+
+
+## Enums and Types
+
+
+> **WARNING**: Breaking change
+
+The submodules `enums` and `types` have been removed.
+
+**Before:**
+```py
+
+ from google.cloud import kms
+
+purpose = kms.enums.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN
+key_ring = kms.types.KeyRing()
+```
+
+
+**After:**
+```py
+from google.cloud import kms
+
+purpose = kms.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN
+key_ring = kms.KeyRing()
+```
+
+## Resource Path Helper Methods
+
+The resource path helper method `location_path` has been removed. Please construct
+this path manually.
+
+```py
+project = 'my-project'
+location = 'us-east1'
+
+location_path = f'projects/{project}/locations/{location}'
+```
diff --git a/packages/google-cloud-kms/docs/UPGRADING.md b/packages/google-cloud-kms/docs/UPGRADING.md
new file mode 120000
index 000000000000..01097c8c0fb8
--- /dev/null
+++ b/packages/google-cloud-kms/docs/UPGRADING.md
@@ -0,0 +1 @@
+../UPGRADING.md
\ No newline at end of file
diff --git a/packages/google-cloud-kms/docs/_templates/layout.html b/packages/google-cloud-kms/docs/_templates/layout.html
index 228529efe2d2..6316a537f72b 100644
--- a/packages/google-cloud-kms/docs/_templates/layout.html
+++ b/packages/google-cloud-kms/docs/_templates/layout.html
@@ -21,8 +21,8 @@
 
           <div class="body" role="main">
           	<div class="admonition" id="python2-eol"> 
-          	 On January 1, 2020 this library will no longer support Python 2 on the latest released version. 
-          	 Previously released library versions will continue to be available. For more information please
+          	 As of January 1, 2020 this library no longer supports Python 2 on the latest released version. 
+          	 Library versions released prior to that date will continue to be available. For more information please
           	 visit <a href="https://cloud.google.com/python/docs/python2-sunset/">Python 2 support on Google Cloud</a>.
           	</div>
             {% block body %} {% endblock %}
diff --git a/packages/google-cloud-kms/docs/conf.py b/packages/google-cloud-kms/docs/conf.py
index 098ce4688efe..b1a1e95dda47 100644
--- a/packages/google-cloud-kms/docs/conf.py
+++ b/packages/google-cloud-kms/docs/conf.py
@@ -38,21 +38,18 @@
     "sphinx.ext.napoleon",
     "sphinx.ext.todo",
     "sphinx.ext.viewcode",
+    "recommonmark",
 ]
 
 # autodoc/autosummary flags
 autoclass_content = "both"
-autodoc_default_flags = ["members"]
+autodoc_default_options = {"members": True}
 autosummary_generate = True
 
 
 # Add any paths that contain templates here, relative to this directory.
 templates_path = ["_templates"]
 
-# Allow markdown includes (so releases.md can include CHANGLEOG.md)
-# http://www.sphinx-doc.org/en/master/markdown.html
-source_parsers = {".md": "recommonmark.parser.CommonMarkParser"}
-
 # The suffix(es) of source filenames.
 # You can specify multiple suffix as a list of string:
 # source_suffix = ['.rst', '.md']
@@ -293,7 +290,7 @@
 # One entry per manual page. List of tuples
 # (source start file, name, description, authors, manual section).
 man_pages = [
-    (master_doc, "google-cloud-kms", u"google-cloud-kms Documentation", [author], 1)
+    (master_doc, "google-cloud-kms", u"google-cloud-kms Documentation", [author], 1,)
 ]
 
 # If true, show URL addresses after external links.
@@ -334,7 +331,7 @@
 intersphinx_mapping = {
     "python": ("http://python.readthedocs.org/en/latest/", None),
     "google-auth": ("https://google-auth.readthedocs.io/en/stable", None),
-    "google.api_core": ("https://googleapis.dev/python/google-api-core/latest/", None),
+    "google.api_core": ("https://googleapis.dev/python/google-api-core/latest/", None,),
     "grpc": ("https://grpc.io/grpc/python/", None),
 }
 
diff --git a/packages/google-cloud-kms/docs/gapic/v1/api.rst b/packages/google-cloud-kms/docs/gapic/v1/api.rst
deleted file mode 100644
index cb91e8588bd0..000000000000
--- a/packages/google-cloud-kms/docs/gapic/v1/api.rst
+++ /dev/null
@@ -1,6 +0,0 @@
-Client for Cloud Key Management Service (KMS) API
-=================================================
-
-.. automodule:: google.cloud.kms_v1
-    :members:
-    :inherited-members:
\ No newline at end of file
diff --git a/packages/google-cloud-kms/docs/gapic/v1/types.rst b/packages/google-cloud-kms/docs/gapic/v1/types.rst
deleted file mode 100644
index b04846228f17..000000000000
--- a/packages/google-cloud-kms/docs/gapic/v1/types.rst
+++ /dev/null
@@ -1,5 +0,0 @@
-Types for Cloud Key Management Service (KMS) API Client
-=======================================================
-
-.. automodule:: google.cloud.kms_v1.types
-    :members:
\ No newline at end of file
diff --git a/packages/google-cloud-kms/docs/index.rst b/packages/google-cloud-kms/docs/index.rst
index 9307e8ff6769..8fc633c2fe45 100644
--- a/packages/google-cloud-kms/docs/index.rst
+++ b/packages/google-cloud-kms/docs/index.rst
@@ -7,8 +7,19 @@ API Reference
 .. toctree::
    :maxdepth: 2
 
-   gapic/v1/api
-   gapic/v1/types
+   kms_v1/services
+   kms_v1/types
+
+
+Migration Guide
+---------------
+
+See the guide below for instructions on migrating to the 2.x release of this library.
+
+.. toctree::
+    :maxdepth: 2
+
+    UPGRADING
 
 
 Changelog
diff --git a/packages/google-cloud-kms/docs/kms_v1/services.rst b/packages/google-cloud-kms/docs/kms_v1/services.rst
new file mode 100644
index 000000000000..93db565f76a7
--- /dev/null
+++ b/packages/google-cloud-kms/docs/kms_v1/services.rst
@@ -0,0 +1,6 @@
+Services for Google Cloud Kms v1 API
+====================================
+
+.. automodule:: google.cloud.kms_v1.services.key_management_service
+    :members:
+    :inherited-members:
diff --git a/packages/google-cloud-kms/docs/kms_v1/types.rst b/packages/google-cloud-kms/docs/kms_v1/types.rst
new file mode 100644
index 000000000000..401cef20746d
--- /dev/null
+++ b/packages/google-cloud-kms/docs/kms_v1/types.rst
@@ -0,0 +1,5 @@
+Types for Google Cloud Kms v1 API
+=================================
+
+.. automodule:: google.cloud.kms_v1.types
+    :members:
diff --git a/packages/google-cloud-kms/google/cloud/kms.py b/packages/google-cloud-kms/google/cloud/kms.py
deleted file mode 100644
index 8aa4cdb0c7f8..000000000000
--- a/packages/google-cloud-kms/google/cloud/kms.py
+++ /dev/null
@@ -1,25 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-
-from __future__ import absolute_import
-
-from google.cloud.kms_v1 import KeyManagementServiceClient
-from google.cloud.kms_v1 import enums
-from google.cloud.kms_v1 import types
-
-
-__all__ = ("enums", "types", "KeyManagementServiceClient")
diff --git a/packages/google-cloud-kms/google/cloud/kms/__init__.py b/packages/google-cloud-kms/google/cloud/kms/__init__.py
new file mode 100644
index 000000000000..10e86d90aa7b
--- /dev/null
+++ b/packages/google-cloud-kms/google/cloud/kms/__init__.py
@@ -0,0 +1,112 @@
+# -*- coding: utf-8 -*-
+
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+from google.cloud.kms_v1.services.key_management_service.async_client import (
+    KeyManagementServiceAsyncClient,
+)
+from google.cloud.kms_v1.services.key_management_service.client import (
+    KeyManagementServiceClient,
+)
+from google.cloud.kms_v1.types.resources import CryptoKey
+from google.cloud.kms_v1.types.resources import CryptoKeyVersion
+from google.cloud.kms_v1.types.resources import CryptoKeyVersionTemplate
+from google.cloud.kms_v1.types.resources import ExternalProtectionLevelOptions
+from google.cloud.kms_v1.types.resources import ImportJob
+from google.cloud.kms_v1.types.resources import KeyOperationAttestation
+from google.cloud.kms_v1.types.resources import KeyRing
+from google.cloud.kms_v1.types.resources import ProtectionLevel
+from google.cloud.kms_v1.types.resources import PublicKey
+from google.cloud.kms_v1.types.service import AsymmetricDecryptRequest
+from google.cloud.kms_v1.types.service import AsymmetricDecryptResponse
+from google.cloud.kms_v1.types.service import AsymmetricSignRequest
+from google.cloud.kms_v1.types.service import AsymmetricSignResponse
+from google.cloud.kms_v1.types.service import CreateCryptoKeyRequest
+from google.cloud.kms_v1.types.service import CreateCryptoKeyVersionRequest
+from google.cloud.kms_v1.types.service import CreateImportJobRequest
+from google.cloud.kms_v1.types.service import CreateKeyRingRequest
+from google.cloud.kms_v1.types.service import DecryptRequest
+from google.cloud.kms_v1.types.service import DecryptResponse
+from google.cloud.kms_v1.types.service import DestroyCryptoKeyVersionRequest
+from google.cloud.kms_v1.types.service import Digest
+from google.cloud.kms_v1.types.service import EncryptRequest
+from google.cloud.kms_v1.types.service import EncryptResponse
+from google.cloud.kms_v1.types.service import GetCryptoKeyRequest
+from google.cloud.kms_v1.types.service import GetCryptoKeyVersionRequest
+from google.cloud.kms_v1.types.service import GetImportJobRequest
+from google.cloud.kms_v1.types.service import GetKeyRingRequest
+from google.cloud.kms_v1.types.service import GetPublicKeyRequest
+from google.cloud.kms_v1.types.service import ImportCryptoKeyVersionRequest
+from google.cloud.kms_v1.types.service import ListCryptoKeyVersionsRequest
+from google.cloud.kms_v1.types.service import ListCryptoKeyVersionsResponse
+from google.cloud.kms_v1.types.service import ListCryptoKeysRequest
+from google.cloud.kms_v1.types.service import ListCryptoKeysResponse
+from google.cloud.kms_v1.types.service import ListImportJobsRequest
+from google.cloud.kms_v1.types.service import ListImportJobsResponse
+from google.cloud.kms_v1.types.service import ListKeyRingsRequest
+from google.cloud.kms_v1.types.service import ListKeyRingsResponse
+from google.cloud.kms_v1.types.service import LocationMetadata
+from google.cloud.kms_v1.types.service import RestoreCryptoKeyVersionRequest
+from google.cloud.kms_v1.types.service import UpdateCryptoKeyPrimaryVersionRequest
+from google.cloud.kms_v1.types.service import UpdateCryptoKeyRequest
+from google.cloud.kms_v1.types.service import UpdateCryptoKeyVersionRequest
+
+__all__ = (
+    "AsymmetricDecryptRequest",
+    "AsymmetricDecryptResponse",
+    "AsymmetricSignRequest",
+    "AsymmetricSignResponse",
+    "CreateCryptoKeyRequest",
+    "CreateCryptoKeyVersionRequest",
+    "CreateImportJobRequest",
+    "CreateKeyRingRequest",
+    "CryptoKey",
+    "CryptoKeyVersion",
+    "CryptoKeyVersionTemplate",
+    "DecryptRequest",
+    "DecryptResponse",
+    "DestroyCryptoKeyVersionRequest",
+    "Digest",
+    "EncryptRequest",
+    "EncryptResponse",
+    "ExternalProtectionLevelOptions",
+    "GetCryptoKeyRequest",
+    "GetCryptoKeyVersionRequest",
+    "GetImportJobRequest",
+    "GetKeyRingRequest",
+    "GetPublicKeyRequest",
+    "ImportCryptoKeyVersionRequest",
+    "ImportJob",
+    "KeyManagementServiceAsyncClient",
+    "KeyManagementServiceClient",
+    "KeyOperationAttestation",
+    "KeyRing",
+    "ListCryptoKeyVersionsRequest",
+    "ListCryptoKeyVersionsResponse",
+    "ListCryptoKeysRequest",
+    "ListCryptoKeysResponse",
+    "ListImportJobsRequest",
+    "ListImportJobsResponse",
+    "ListKeyRingsRequest",
+    "ListKeyRingsResponse",
+    "LocationMetadata",
+    "ProtectionLevel",
+    "PublicKey",
+    "RestoreCryptoKeyVersionRequest",
+    "UpdateCryptoKeyPrimaryVersionRequest",
+    "UpdateCryptoKeyRequest",
+    "UpdateCryptoKeyVersionRequest",
+)
diff --git a/packages/google-cloud-kms/google/cloud/kms/py.typed b/packages/google-cloud-kms/google/cloud/kms/py.typed
new file mode 100644
index 000000000000..3720b5f23ae9
--- /dev/null
+++ b/packages/google-cloud-kms/google/cloud/kms/py.typed
@@ -0,0 +1,2 @@
+# Marker file for PEP 561.
+# The google-cloud-kms package uses inline types.
diff --git a/packages/google-cloud-kms/google/cloud/kms_v1/__init__.py b/packages/google-cloud-kms/google/cloud/kms_v1/__init__.py
index 73099d6d940f..a68d1c3bbb20 100644
--- a/packages/google-cloud-kms/google/cloud/kms_v1/__init__.py
+++ b/packages/google-cloud-kms/google/cloud/kms_v1/__init__.py
@@ -1,43 +1,107 @@
 # -*- coding: utf-8 -*-
-#
+
 # Copyright 2020 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
-#     https://www.apache.org/licenses/LICENSE-2.0
+#     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
+#
 
-
-from __future__ import absolute_import
-import sys
-import warnings
-
-from google.cloud.kms_v1 import types
-from google.cloud.kms_v1.gapic import enums
-from google.cloud.kms_v1.gapic import key_management_service_client
-
-
-if sys.version_info[:2] == (2, 7):
-    message = (
-        "A future version of this library will drop support for Python 2.7."
-        "More details about Python 2 support for Google Cloud Client Libraries"
-        "can be found at https://cloud.google.com/python/docs/python2-sunset/"
-    )
-    warnings.warn(message, DeprecationWarning)
-
-
-class KeyManagementServiceClient(
-    key_management_service_client.KeyManagementServiceClient
-):
-    __doc__ = key_management_service_client.KeyManagementServiceClient.__doc__
-    enums = enums
+from .services.key_management_service import KeyManagementServiceClient
+from .types.resources import CryptoKey
+from .types.resources import CryptoKeyVersion
+from .types.resources import CryptoKeyVersionTemplate
+from .types.resources import ExternalProtectionLevelOptions
+from .types.resources import ImportJob
+from .types.resources import KeyOperationAttestation
+from .types.resources import KeyRing
+from .types.resources import ProtectionLevel
+from .types.resources import PublicKey
+from .types.service import AsymmetricDecryptRequest
+from .types.service import AsymmetricDecryptResponse
+from .types.service import AsymmetricSignRequest
+from .types.service import AsymmetricSignResponse
+from .types.service import CreateCryptoKeyRequest
+from .types.service import CreateCryptoKeyVersionRequest
+from .types.service import CreateImportJobRequest
+from .types.service import CreateKeyRingRequest
+from .types.service import DecryptRequest
+from .types.service import DecryptResponse
+from .types.service import DestroyCryptoKeyVersionRequest
+from .types.service import Digest
+from .types.service import EncryptRequest
+from .types.service import EncryptResponse
+from .types.service import GetCryptoKeyRequest
+from .types.service import GetCryptoKeyVersionRequest
+from .types.service import GetImportJobRequest
+from .types.service import GetKeyRingRequest
+from .types.service import GetPublicKeyRequest
+from .types.service import ImportCryptoKeyVersionRequest
+from .types.service import ListCryptoKeyVersionsRequest
+from .types.service import ListCryptoKeyVersionsResponse
+from .types.service import ListCryptoKeysRequest
+from .types.service import ListCryptoKeysResponse
+from .types.service import ListImportJobsRequest
+from .types.service import ListImportJobsResponse
+from .types.service import ListKeyRingsRequest
+from .types.service import ListKeyRingsResponse
+from .types.service import LocationMetadata
+from .types.service import RestoreCryptoKeyVersionRequest
+from .types.service import UpdateCryptoKeyPrimaryVersionRequest
+from .types.service import UpdateCryptoKeyRequest
+from .types.service import UpdateCryptoKeyVersionRequest
 
 
-__all__ = ("enums", "types", "KeyManagementServiceClient")
+__all__ = (
+    "AsymmetricDecryptRequest",
+    "AsymmetricDecryptResponse",
+    "AsymmetricSignRequest",
+    "AsymmetricSignResponse",
+    "CreateCryptoKeyRequest",
+    "CreateCryptoKeyVersionRequest",
+    "CreateImportJobRequest",
+    "CreateKeyRingRequest",
+    "CryptoKey",
+    "CryptoKeyVersion",
+    "CryptoKeyVersionTemplate",
+    "DecryptRequest",
+    "DecryptResponse",
+    "DestroyCryptoKeyVersionRequest",
+    "Digest",
+    "EncryptRequest",
+    "EncryptResponse",
+    "ExternalProtectionLevelOptions",
+    "GetCryptoKeyRequest",
+    "GetCryptoKeyVersionRequest",
+    "GetImportJobRequest",
+    "GetKeyRingRequest",
+    "GetPublicKeyRequest",
+    "ImportCryptoKeyVersionRequest",
+    "ImportJob",
+    "KeyOperationAttestation",
+    "KeyRing",
+    "ListCryptoKeyVersionsRequest",
+    "ListCryptoKeyVersionsResponse",
+    "ListCryptoKeysRequest",
+    "ListCryptoKeysResponse",
+    "ListImportJobsRequest",
+    "ListImportJobsResponse",
+    "ListKeyRingsRequest",
+    "ListKeyRingsResponse",
+    "LocationMetadata",
+    "ProtectionLevel",
+    "PublicKey",
+    "RestoreCryptoKeyVersionRequest",
+    "UpdateCryptoKeyPrimaryVersionRequest",
+    "UpdateCryptoKeyRequest",
+    "UpdateCryptoKeyVersionRequest",
+    "KeyManagementServiceClient",
+)
diff --git a/packages/google-cloud-kms/google/cloud/kms_v1/gapic/__init__.py b/packages/google-cloud-kms/google/cloud/kms_v1/gapic/__init__.py
deleted file mode 100644
index e69de29bb2d1..000000000000
diff --git a/packages/google-cloud-kms/google/cloud/kms_v1/gapic/enums.py b/packages/google-cloud-kms/google/cloud/kms_v1/gapic/enums.py
deleted file mode 100644
index cf27deeba3ff..000000000000
--- a/packages/google-cloud-kms/google/cloud/kms_v1/gapic/enums.py
+++ /dev/null
@@ -1,252 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-"""Wrappers for protocol buffer enum types."""
-
-import enum
-
-
-class ProtectionLevel(enum.IntEnum):
-    """
-    ``ProtectionLevel`` specifies how cryptographic operations are
-    performed. For more information, see [Protection levels]
-    (https://cloud.google.com/kms/docs/algorithms#protection\_levels).
-
-    Attributes:
-      PROTECTION_LEVEL_UNSPECIFIED (int): Not specified.
-      SOFTWARE (int): Crypto operations are performed in software.
-      HSM (int): Crypto operations are performed in a Hardware Security Module.
-      EXTERNAL (int): Crypto operations are performed by an external key manager.
-    """
-
-    PROTECTION_LEVEL_UNSPECIFIED = 0
-    SOFTWARE = 1
-    HSM = 2
-    EXTERNAL = 3
-
-
-class CryptoKey(object):
-    class CryptoKeyPurpose(enum.IntEnum):
-        """
-        ``CryptoKeyPurpose`` describes the cryptographic capabilities of a
-        ``CryptoKey``. A given key can only be used for the operations allowed
-        by its purpose. For more information, see `Key
-        purposes <https://cloud.google.com/kms/docs/algorithms#key_purposes>`__.
-
-        Attributes:
-          CRYPTO_KEY_PURPOSE_UNSPECIFIED (int): Not specified.
-          ENCRYPT_DECRYPT (int): ``CryptoKeys`` with this purpose may be used with ``Encrypt`` and
-          ``Decrypt``.
-          ASYMMETRIC_SIGN (int): ``CryptoKeys`` with this purpose may be used with ``AsymmetricSign`` and
-          ``GetPublicKey``.
-          ASYMMETRIC_DECRYPT (int): ``CryptoKeys`` with this purpose may be used with ``AsymmetricDecrypt``
-          and ``GetPublicKey``.
-        """
-
-        CRYPTO_KEY_PURPOSE_UNSPECIFIED = 0
-        ENCRYPT_DECRYPT = 1
-        ASYMMETRIC_SIGN = 5
-        ASYMMETRIC_DECRYPT = 6
-
-
-class CryptoKeyVersion(object):
-    class CryptoKeyVersionAlgorithm(enum.IntEnum):
-        """
-        The algorithm of the ``CryptoKeyVersion``, indicating what parameters
-        must be used for each cryptographic operation.
-
-        The ``GOOGLE_SYMMETRIC_ENCRYPTION`` algorithm is usable with
-        ``CryptoKey.purpose`` ``ENCRYPT_DECRYPT``.
-
-        Algorithms beginning with "RSA\_SIGN\_" are usable with
-        ``CryptoKey.purpose`` ``ASYMMETRIC_SIGN``.
-
-        The fields in the name after "RSA\_SIGN\_" correspond to the following
-        parameters: padding algorithm, modulus bit length, and digest algorithm.
-
-        For PSS, the salt length used is equal to the length of digest
-        algorithm. For example, ``RSA_SIGN_PSS_2048_SHA256`` will use PSS with a
-        salt length of 256 bits or 32 bytes.
-
-        Algorithms beginning with "RSA\_DECRYPT\_" are usable with
-        ``CryptoKey.purpose`` ``ASYMMETRIC_DECRYPT``.
-
-        The fields in the name after "RSA\_DECRYPT\_" correspond to the
-        following parameters: padding algorithm, modulus bit length, and digest
-        algorithm.
-
-        Algorithms beginning with "EC\_SIGN\_" are usable with
-        ``CryptoKey.purpose`` ``ASYMMETRIC_SIGN``.
-
-        The fields in the name after "EC\_SIGN\_" correspond to the following
-        parameters: elliptic curve, digest algorithm.
-
-        For more information, see [Key purposes and algorithms]
-        (https://cloud.google.com/kms/docs/algorithms).
-
-        Attributes:
-          CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED (int): Not specified.
-          GOOGLE_SYMMETRIC_ENCRYPTION (int): Creates symmetric encryption keys.
-          RSA_SIGN_PSS_2048_SHA256 (int): RSASSA-PSS 2048 bit key with a SHA256 digest.
-          RSA_SIGN_PSS_3072_SHA256 (int): RSASSA-PSS 3072 bit key with a SHA256 digest.
-          RSA_SIGN_PSS_4096_SHA256 (int): RSASSA-PSS 4096 bit key with a SHA256 digest.
-          RSA_SIGN_PSS_4096_SHA512 (int): RSASSA-PSS 4096 bit key with a SHA512 digest.
-          RSA_SIGN_PKCS1_2048_SHA256 (int): RSASSA-PKCS1-v1\_5 with a 2048 bit key and a SHA256 digest.
-          RSA_SIGN_PKCS1_3072_SHA256 (int): RSASSA-PKCS1-v1\_5 with a 3072 bit key and a SHA256 digest.
-          RSA_SIGN_PKCS1_4096_SHA256 (int): RSASSA-PKCS1-v1\_5 with a 4096 bit key and a SHA256 digest.
-          RSA_SIGN_PKCS1_4096_SHA512 (int): RSASSA-PKCS1-v1\_5 with a 4096 bit key and a SHA512 digest.
-          RSA_DECRYPT_OAEP_2048_SHA256 (int): RSAES-OAEP 2048 bit key with a SHA256 digest.
-          RSA_DECRYPT_OAEP_3072_SHA256 (int): RSAES-OAEP 3072 bit key with a SHA256 digest.
-          RSA_DECRYPT_OAEP_4096_SHA256 (int): RSAES-OAEP 4096 bit key with a SHA256 digest.
-          RSA_DECRYPT_OAEP_4096_SHA512 (int): RSAES-OAEP 4096 bit key with a SHA512 digest.
-          EC_SIGN_P256_SHA256 (int): ECDSA on the NIST P-256 curve with a SHA256 digest.
-          EC_SIGN_P384_SHA384 (int): ECDSA on the NIST P-384 curve with a SHA384 digest.
-          EXTERNAL_SYMMETRIC_ENCRYPTION (int): Algorithm representing symmetric encryption by an external key manager.
-        """
-
-        CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED = 0
-        GOOGLE_SYMMETRIC_ENCRYPTION = 1
-        RSA_SIGN_PSS_2048_SHA256 = 2
-        RSA_SIGN_PSS_3072_SHA256 = 3
-        RSA_SIGN_PSS_4096_SHA256 = 4
-        RSA_SIGN_PSS_4096_SHA512 = 15
-        RSA_SIGN_PKCS1_2048_SHA256 = 5
-        RSA_SIGN_PKCS1_3072_SHA256 = 6
-        RSA_SIGN_PKCS1_4096_SHA256 = 7
-        RSA_SIGN_PKCS1_4096_SHA512 = 16
-        RSA_DECRYPT_OAEP_2048_SHA256 = 8
-        RSA_DECRYPT_OAEP_3072_SHA256 = 9
-        RSA_DECRYPT_OAEP_4096_SHA256 = 10
-        RSA_DECRYPT_OAEP_4096_SHA512 = 17
-        EC_SIGN_P256_SHA256 = 12
-        EC_SIGN_P384_SHA384 = 13
-        EXTERNAL_SYMMETRIC_ENCRYPTION = 18
-
-    class CryptoKeyVersionState(enum.IntEnum):
-        """
-        The state of a ``CryptoKeyVersion``, indicating if it can be used.
-
-        Attributes:
-          CRYPTO_KEY_VERSION_STATE_UNSPECIFIED (int): Not specified.
-          PENDING_GENERATION (int): This version is still being generated. It may not be used, enabled,
-          disabled, or destroyed yet. Cloud KMS will automatically mark this
-          version ``ENABLED`` as soon as the version is ready.
-          ENABLED (int): This version may be used for cryptographic operations.
-          DISABLED (int): This version may not be used, but the key material is still available,
-          and the version can be placed back into the ``ENABLED`` state.
-          DESTROYED (int): This version is destroyed, and the key material is no longer stored.
-          A version may not leave this state once entered.
-          DESTROY_SCHEDULED (int): This version is scheduled for destruction, and will be destroyed soon.
-          Call ``RestoreCryptoKeyVersion`` to put it back into the ``DISABLED``
-          state.
-          PENDING_IMPORT (int): This version is still being imported. It may not be used, enabled,
-          disabled, or destroyed yet. Cloud KMS will automatically mark this
-          version ``ENABLED`` as soon as the version is ready.
-          IMPORT_FAILED (int): This version was not imported successfully. It may not be used, enabled,
-          disabled, or destroyed. The submitted key material has been discarded.
-          Additional details can be found in
-          ``CryptoKeyVersion.import_failure_reason``.
-        """
-
-        CRYPTO_KEY_VERSION_STATE_UNSPECIFIED = 0
-        PENDING_GENERATION = 5
-        ENABLED = 1
-        DISABLED = 2
-        DESTROYED = 3
-        DESTROY_SCHEDULED = 4
-        PENDING_IMPORT = 6
-        IMPORT_FAILED = 7
-
-    class CryptoKeyVersionView(enum.IntEnum):
-        """
-        A view for ``CryptoKeyVersion``\ s. Controls the level of detail
-        returned for ``CryptoKeyVersions`` in
-        ``KeyManagementService.ListCryptoKeyVersions`` and
-        ``KeyManagementService.ListCryptoKeys``.
-
-        Attributes:
-          CRYPTO_KEY_VERSION_VIEW_UNSPECIFIED (int): Default view for each ``CryptoKeyVersion``. Does not include the
-          ``attestation`` field.
-          FULL (int): Provides all fields in each ``CryptoKeyVersion``, including the
-          ``attestation``.
-        """
-
-        CRYPTO_KEY_VERSION_VIEW_UNSPECIFIED = 0
-        FULL = 1
-
-
-class ImportJob(object):
-    class ImportJobState(enum.IntEnum):
-        """
-        The state of the ``ImportJob``, indicating if it can be used.
-
-        Attributes:
-          IMPORT_JOB_STATE_UNSPECIFIED (int): Not specified.
-          PENDING_GENERATION (int): The wrapping key for this job is still being generated. It may not be
-          used. Cloud KMS will automatically mark this job as ``ACTIVE`` as soon
-          as the wrapping key is generated.
-          ACTIVE (int): This job may be used in ``CreateCryptoKey`` and
-          ``CreateCryptoKeyVersion`` requests.
-          EXPIRED (int): This job can no longer be used and may not leave this state once entered.
-        """
-
-        IMPORT_JOB_STATE_UNSPECIFIED = 0
-        PENDING_GENERATION = 1
-        ACTIVE = 2
-        EXPIRED = 3
-
-    class ImportMethod(enum.IntEnum):
-        """
-        ``ImportMethod`` describes the key wrapping method chosen for this
-        ``ImportJob``.
-
-        Attributes:
-          IMPORT_METHOD_UNSPECIFIED (int): Not specified.
-          RSA_OAEP_3072_SHA1_AES_256 (int): This ImportMethod represents the CKM\_RSA\_AES\_KEY\_WRAP key wrapping
-          scheme defined in the PKCS #11 standard. In summary, this involves
-          wrapping the raw key with an ephemeral AES key, and wrapping the
-          ephemeral AES key with a 3072 bit RSA key. For more details, see `RSA
-          AES key wrap
-          mechanism <http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908>`__.
-          RSA_OAEP_4096_SHA1_AES_256 (int): This ImportMethod represents the CKM\_RSA\_AES\_KEY\_WRAP key wrapping
-          scheme defined in the PKCS #11 standard. In summary, this involves
-          wrapping the raw key with an ephemeral AES key, and wrapping the
-          ephemeral AES key with a 4096 bit RSA key. For more details, see `RSA
-          AES key wrap
-          mechanism <http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908>`__.
-        """
-
-        IMPORT_METHOD_UNSPECIFIED = 0
-        RSA_OAEP_3072_SHA1_AES_256 = 1
-        RSA_OAEP_4096_SHA1_AES_256 = 2
-
-
-class KeyOperationAttestation(object):
-    class AttestationFormat(enum.IntEnum):
-        """
-        Attestation formats provided by the HSM.
-
-        Attributes:
-          ATTESTATION_FORMAT_UNSPECIFIED (int): Not specified.
-          CAVIUM_V1_COMPRESSED (int): Cavium HSM attestation compressed with gzip. Note that this format is
-          defined by Cavium and subject to change at any time.
-          CAVIUM_V2_COMPRESSED (int): Cavium HSM attestation V2 compressed with gzip. This is a new format
-          introduced in Cavium's version 3.2-08.
-        """
-
-        ATTESTATION_FORMAT_UNSPECIFIED = 0
-        CAVIUM_V1_COMPRESSED = 3
-        CAVIUM_V2_COMPRESSED = 4
diff --git a/packages/google-cloud-kms/google/cloud/kms_v1/gapic/key_management_service_client.py b/packages/google-cloud-kms/google/cloud/kms_v1/gapic/key_management_service_client.py
deleted file mode 100644
index 1a5632cfbb1a..000000000000
--- a/packages/google-cloud-kms/google/cloud/kms_v1/gapic/key_management_service_client.py
+++ /dev/null
@@ -1,2556 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-"""Accesses the google.cloud.kms.v1 KeyManagementService API."""
-
-import functools
-import pkg_resources
-import warnings
-
-from google.oauth2 import service_account
-import google.api_core.client_options
-import google.api_core.gapic_v1.client_info
-import google.api_core.gapic_v1.config
-import google.api_core.gapic_v1.method
-import google.api_core.gapic_v1.routing_header
-import google.api_core.grpc_helpers
-import google.api_core.page_iterator
-import google.api_core.path_template
-import google.api_core.protobuf_helpers
-import grpc
-
-from google.cloud.kms_v1.gapic import enums
-from google.cloud.kms_v1.gapic import key_management_service_client_config
-from google.cloud.kms_v1.gapic.transports import key_management_service_grpc_transport
-from google.cloud.kms_v1.proto import resources_pb2
-from google.cloud.kms_v1.proto import service_pb2
-from google.cloud.kms_v1.proto import service_pb2_grpc
-from google.iam.v1 import iam_policy_pb2
-from google.iam.v1 import iam_policy_pb2_grpc
-from google.iam.v1 import options_pb2
-from google.iam.v1 import policy_pb2
-from google.protobuf import field_mask_pb2
-
-
-_GAPIC_LIBRARY_VERSION = pkg_resources.get_distribution("google-cloud-kms").version
-
-
-class KeyManagementServiceClient(object):
-    """
-    Google Cloud Key Management Service
-
-    Manages cryptographic keys and operations using those keys. Implements a
-    REST model with the following objects:
-
-    -  ``KeyRing``
-    -  ``CryptoKey``
-    -  ``CryptoKeyVersion``
-    -  ``ImportJob``
-
-    If you are using manual gRPC libraries, see `Using gRPC with Cloud
-    KMS <https://cloud.google.com/kms/docs/grpc>`__.
-    """
-
-    SERVICE_ADDRESS = "cloudkms.googleapis.com:443"
-    """The default address of the service."""
-
-    # The name of the interface for this client. This is the key used to
-    # find the method configuration in the client_config dictionary.
-    _INTERFACE_NAME = "google.cloud.kms.v1.KeyManagementService"
-
-    @classmethod
-    def from_service_account_file(cls, filename, *args, **kwargs):
-        """Creates an instance of this client using the provided credentials
-        file.
-
-        Args:
-            filename (str): The path to the service account private key json
-                file.
-            args: Additional arguments to pass to the constructor.
-            kwargs: Additional arguments to pass to the constructor.
-
-        Returns:
-            KeyManagementServiceClient: The constructed client.
-        """
-        credentials = service_account.Credentials.from_service_account_file(filename)
-        kwargs["credentials"] = credentials
-        return cls(*args, **kwargs)
-
-    from_service_account_json = from_service_account_file
-
-    @classmethod
-    def crypto_key_path(cls, project, location, key_ring, crypto_key):
-        """Return a fully-qualified crypto_key string."""
-        return google.api_core.path_template.expand(
-            "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}",
-            project=project,
-            location=location,
-            key_ring=key_ring,
-            crypto_key=crypto_key,
-        )
-
-    @classmethod
-    def crypto_key_path_path(cls, project, location, key_ring, crypto_key_path):
-        """Return a fully-qualified crypto_key_path string."""
-        return google.api_core.path_template.expand(
-            "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key_path=**}",
-            project=project,
-            location=location,
-            key_ring=key_ring,
-            crypto_key_path=crypto_key_path,
-        )
-
-    @classmethod
-    def crypto_key_version_path(
-        cls, project, location, key_ring, crypto_key, crypto_key_version
-    ):
-
-        """Return a fully-qualified crypto_key_version string."""
-        return google.api_core.path_template.expand(
-            "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}/cryptoKeyVersions/{crypto_key_version}",
-            project=project,
-            location=location,
-            key_ring=key_ring,
-            crypto_key=crypto_key,
-            crypto_key_version=crypto_key_version,
-        )
-
-    @classmethod
-    def import_job_path(cls, project, location, key_ring, import_job):
-        """Return a fully-qualified import_job string."""
-        return google.api_core.path_template.expand(
-            "projects/{project}/locations/{location}/keyRings/{key_ring}/importJobs/{import_job}",
-            project=project,
-            location=location,
-            key_ring=key_ring,
-            import_job=import_job,
-        )
-
-    @classmethod
-    def key_ring_path(cls, project, location, key_ring):
-        """Return a fully-qualified key_ring string."""
-        return google.api_core.path_template.expand(
-            "projects/{project}/locations/{location}/keyRings/{key_ring}",
-            project=project,
-            location=location,
-            key_ring=key_ring,
-        )
-
-    @classmethod
-    def location_path(cls, project, location):
-        """Return a fully-qualified location string."""
-        return google.api_core.path_template.expand(
-            "projects/{project}/locations/{location}",
-            project=project,
-            location=location,
-        )
-
-    def __init__(
-        self,
-        transport=None,
-        channel=None,
-        credentials=None,
-        client_config=None,
-        client_info=None,
-        client_options=None,
-    ):
-        """Constructor.
-
-        Args:
-            transport (Union[~.KeyManagementServiceGrpcTransport,
-                    Callable[[~.Credentials, type], ~.KeyManagementServiceGrpcTransport]): A transport
-                instance, responsible for actually making the API calls.
-                The default transport uses the gRPC protocol.
-                This argument may also be a callable which returns a
-                transport instance. Callables will be sent the credentials
-                as the first argument and the default transport class as
-                the second argument.
-            channel (grpc.Channel): DEPRECATED. A ``Channel`` instance
-                through which to make calls. This argument is mutually exclusive
-                with ``credentials``; providing both will raise an exception.
-            credentials (google.auth.credentials.Credentials): The
-                authorization credentials to attach to requests. These
-                credentials identify this application to the service. If none
-                are specified, the client will attempt to ascertain the
-                credentials from the environment.
-                This argument is mutually exclusive with providing a
-                transport instance to ``transport``; doing so will raise
-                an exception.
-            client_config (dict): DEPRECATED. A dictionary of call options for
-                each method. If not specified, the default configuration is used.
-            client_info (google.api_core.gapic_v1.client_info.ClientInfo):
-                The client info used to send a user-agent string along with
-                API requests. If ``None``, then default info will be used.
-                Generally, you only need to set this if you're developing
-                your own client library.
-            client_options (Union[dict, google.api_core.client_options.ClientOptions]):
-                Client options used to set user options on the client. API Endpoint
-                should be set through client_options.
-        """
-        # Raise deprecation warnings for things we want to go away.
-        if client_config is not None:
-            warnings.warn(
-                "The `client_config` argument is deprecated.",
-                PendingDeprecationWarning,
-                stacklevel=2,
-            )
-        else:
-            client_config = key_management_service_client_config.config
-
-        if channel:
-            warnings.warn(
-                "The `channel` argument is deprecated; use " "`transport` instead.",
-                PendingDeprecationWarning,
-                stacklevel=2,
-            )
-
-        api_endpoint = self.SERVICE_ADDRESS
-        if client_options:
-            if type(client_options) == dict:
-                client_options = google.api_core.client_options.from_dict(
-                    client_options
-                )
-            if client_options.api_endpoint:
-                api_endpoint = client_options.api_endpoint
-
-        # Instantiate the transport.
-        # The transport is responsible for handling serialization and
-        # deserialization and actually sending data to the service.
-        if transport:
-            if callable(transport):
-                self.transport = transport(
-                    credentials=credentials,
-                    default_class=key_management_service_grpc_transport.KeyManagementServiceGrpcTransport,
-                    address=api_endpoint,
-                )
-            else:
-                if credentials:
-                    raise ValueError(
-                        "Received both a transport instance and "
-                        "credentials; these are mutually exclusive."
-                    )
-                self.transport = transport
-        else:
-            self.transport = key_management_service_grpc_transport.KeyManagementServiceGrpcTransport(
-                address=api_endpoint, channel=channel, credentials=credentials
-            )
-
-        if client_info is None:
-            client_info = google.api_core.gapic_v1.client_info.ClientInfo(
-                gapic_version=_GAPIC_LIBRARY_VERSION
-            )
-        else:
-            client_info.gapic_version = _GAPIC_LIBRARY_VERSION
-        self._client_info = client_info
-
-        # Parse out the default settings for retry and timeout for each RPC
-        # from the client configuration.
-        # (Ordinarily, these are the defaults specified in the `*_config.py`
-        # file next to this one.)
-        self._method_configs = google.api_core.gapic_v1.config.parse_method_configs(
-            client_config["interfaces"][self._INTERFACE_NAME]
-        )
-
-        # Save a dictionary of cached API call functions.
-        # These are the actual callables which invoke the proper
-        # transport methods, wrapped with `wrap_method` to add retry,
-        # timeout, and the like.
-        self._inner_api_calls = {}
-
-    # Service calls
-    def list_key_rings(
-        self,
-        parent,
-        page_size=None,
-        filter_=None,
-        order_by=None,
-        retry=google.api_core.gapic_v1.method.DEFAULT,
-        timeout=google.api_core.gapic_v1.method.DEFAULT,
-        metadata=None,
-    ):
-        """
-        Lists ``KeyRings``.
-
-        Example:
-            >>> from google.cloud import kms_v1
-            >>>
-            >>> client = kms_v1.KeyManagementServiceClient()
-            >>>
-            >>> parent = client.location_path('[PROJECT]', '[LOCATION]')
-            >>>
-            >>> # Iterate over all results
-            >>> for element in client.list_key_rings(parent):
-            ...     # process element
-            ...     pass
-            >>>
-            >>>
-            >>> # Alternatively:
-            >>>
-            >>> # Iterate over results one page at a time
-            >>> for page in client.list_key_rings(parent).pages:
-            ...     for element in page:
-            ...         # process element
-            ...         pass
-
-        Args:
-            parent (str): Required. The resource name of the location associated with the
-                ``KeyRings``, in the format ``projects/*/locations/*``.
-            page_size (int): The maximum number of resources contained in the
-                underlying API response. If page streaming is performed per-
-                resource, this parameter does not affect the return value. If page
-                streaming is performed per-page, this determines the maximum number
-                of resources in a page.
-            filter_ (str): Optional. Only include resources that match the filter in the response.
-                For more information, see `Sorting and filtering list
-                results <https://cloud.google.com/kms/docs/sorting-and-filtering>`__.
-            order_by (str): Optional. Specify how the results should be sorted. If not specified,
-                the results will be sorted in the default order. For more information,
-                see `Sorting and filtering list
-                results <https://cloud.google.com/kms/docs/sorting-and-filtering>`__.
-            retry (Optional[google.api_core.retry.Retry]):  A retry object used
-                to retry requests. If ``None`` is specified, requests will
-                be retried using a default configuration.
-            timeout (Optional[float]): The amount of time, in seconds, to wait
-                for the request to complete. Note that if ``retry`` is
-                specified, the timeout applies to each individual attempt.
-            metadata (Optional[Sequence[Tuple[str, str]]]): Additional metadata
-                that is provided to the method.
-
-        Returns:
-            A :class:`~google.api_core.page_iterator.PageIterator` instance.
-            An iterable of :class:`~google.cloud.kms_v1.types.KeyRing` instances.
-            You can also iterate over the pages of the response
-            using its `pages` property.
-
-        Raises:
-            google.api_core.exceptions.GoogleAPICallError: If the request
-                    failed for any reason.
-            google.api_core.exceptions.RetryError: If the request failed due
-                    to a retryable error and retry attempts failed.
-            ValueError: If the parameters are invalid.
-        """
-        # Wrap the transport method to add retry and timeout logic.
-        if "list_key_rings" not in self._inner_api_calls:
-            self._inner_api_calls[
-                "list_key_rings"
-            ] = google.api_core.gapic_v1.method.wrap_method(
-                self.transport.list_key_rings,
-                default_retry=self._method_configs["ListKeyRings"].retry,
-                default_timeout=self._method_configs["ListKeyRings"].timeout,
-                client_info=self._client_info,
-            )
-
-        request = service_pb2.ListKeyRingsRequest(
-            parent=parent, page_size=page_size, filter=filter_, order_by=order_by
-        )
-        if metadata is None:
-            metadata = []
-        metadata = list(metadata)
-        try:
-            routing_header = [("parent", parent)]
-        except AttributeError:
-            pass
-        else:
-            routing_metadata = google.api_core.gapic_v1.routing_header.to_grpc_metadata(
-                routing_header
-            )
-            metadata.append(routing_metadata)
-
-        iterator = google.api_core.page_iterator.GRPCIterator(
-            client=None,
-            method=functools.partial(
-                self._inner_api_calls["list_key_rings"],
-                retry=retry,
-                timeout=timeout,
-                metadata=metadata,
-            ),
-            request=request,
-            items_field="key_rings",
-            request_token_field="page_token",
-            response_token_field="next_page_token",
-        )
-        return iterator
-
-    def list_import_jobs(
-        self,
-        parent,
-        page_size=None,
-        filter_=None,
-        order_by=None,
-        retry=google.api_core.gapic_v1.method.DEFAULT,
-        timeout=google.api_core.gapic_v1.method.DEFAULT,
-        metadata=None,
-    ):
-        """
-        Lists ``ImportJobs``.
-
-        Example:
-            >>> from google.cloud import kms_v1
-            >>>
-            >>> client = kms_v1.KeyManagementServiceClient()
-            >>>
-            >>> parent = client.key_ring_path('[PROJECT]', '[LOCATION]', '[KEY_RING]')
-            >>>
-            >>> # Iterate over all results
-            >>> for element in client.list_import_jobs(parent):
-            ...     # process element
-            ...     pass
-            >>>
-            >>>
-            >>> # Alternatively:
-            >>>
-            >>> # Iterate over results one page at a time
-            >>> for page in client.list_import_jobs(parent).pages:
-            ...     for element in page:
-            ...         # process element
-            ...         pass
-
-        Args:
-            parent (str): Required. The resource name of the ``KeyRing`` to list, in the format
-                ``projects/*/locations/*/keyRings/*``.
-            page_size (int): The maximum number of resources contained in the
-                underlying API response. If page streaming is performed per-
-                resource, this parameter does not affect the return value. If page
-                streaming is performed per-page, this determines the maximum number
-                of resources in a page.
-            filter_ (str): Optional. Only include resources that match the filter in the response.
-                For more information, see `Sorting and filtering list
-                results <https://cloud.google.com/kms/docs/sorting-and-filtering>`__.
-            order_by (str): Optional. Specify how the results should be sorted. If not specified,
-                the results will be sorted in the default order. For more information,
-                see `Sorting and filtering list
-                results <https://cloud.google.com/kms/docs/sorting-and-filtering>`__.
-            retry (Optional[google.api_core.retry.Retry]):  A retry object used
-                to retry requests. If ``None`` is specified, requests will
-                be retried using a default configuration.
-            timeout (Optional[float]): The amount of time, in seconds, to wait
-                for the request to complete. Note that if ``retry`` is
-                specified, the timeout applies to each individual attempt.
-            metadata (Optional[Sequence[Tuple[str, str]]]): Additional metadata
-                that is provided to the method.
-
-        Returns:
-            A :class:`~google.api_core.page_iterator.PageIterator` instance.
-            An iterable of :class:`~google.cloud.kms_v1.types.ImportJob` instances.
-            You can also iterate over the pages of the response
-            using its `pages` property.
-
-        Raises:
-            google.api_core.exceptions.GoogleAPICallError: If the request
-                    failed for any reason.
-            google.api_core.exceptions.RetryError: If the request failed due
-                    to a retryable error and retry attempts failed.
-            ValueError: If the parameters are invalid.
-        """
-        # Wrap the transport method to add retry and timeout logic.
-        if "list_import_jobs" not in self._inner_api_calls:
-            self._inner_api_calls[
-                "list_import_jobs"
-            ] = google.api_core.gapic_v1.method.wrap_method(
-                self.transport.list_import_jobs,
-                default_retry=self._method_configs["ListImportJobs"].retry,
-                default_timeout=self._method_configs["ListImportJobs"].timeout,
-                client_info=self._client_info,
-            )
-
-        request = service_pb2.ListImportJobsRequest(
-            parent=parent, page_size=page_size, filter=filter_, order_by=order_by
-        )
-        if metadata is None:
-            metadata = []
-        metadata = list(metadata)
-        try:
-            routing_header = [("parent", parent)]
-        except AttributeError:
-            pass
-        else:
-            routing_metadata = google.api_core.gapic_v1.routing_header.to_grpc_metadata(
-                routing_header
-            )
-            metadata.append(routing_metadata)
-
-        iterator = google.api_core.page_iterator.GRPCIterator(
-            client=None,
-            method=functools.partial(
-                self._inner_api_calls["list_import_jobs"],
-                retry=retry,
-                timeout=timeout,
-                metadata=metadata,
-            ),
-            request=request,
-            items_field="import_jobs",
-            request_token_field="page_token",
-            response_token_field="next_page_token",
-        )
-        return iterator
-
-    def list_crypto_keys(
-        self,
-        parent,
-        page_size=None,
-        version_view=None,
-        filter_=None,
-        order_by=None,
-        retry=google.api_core.gapic_v1.method.DEFAULT,
-        timeout=google.api_core.gapic_v1.method.DEFAULT,
-        metadata=None,
-    ):
-        """
-        Lists ``CryptoKeys``.
-
-        Example:
-            >>> from google.cloud import kms_v1
-            >>>
-            >>> client = kms_v1.KeyManagementServiceClient()
-            >>>
-            >>> parent = client.key_ring_path('[PROJECT]', '[LOCATION]', '[KEY_RING]')
-            >>>
-            >>> # Iterate over all results
-            >>> for element in client.list_crypto_keys(parent):
-            ...     # process element
-            ...     pass
-            >>>
-            >>>
-            >>> # Alternatively:
-            >>>
-            >>> # Iterate over results one page at a time
-            >>> for page in client.list_crypto_keys(parent).pages:
-            ...     for element in page:
-            ...         # process element
-            ...         pass
-
-        Args:
-            parent (str): Required. The resource name of the ``KeyRing`` to list, in the format
-                ``projects/*/locations/*/keyRings/*``.
-            page_size (int): The maximum number of resources contained in the
-                underlying API response. If page streaming is performed per-
-                resource, this parameter does not affect the return value. If page
-                streaming is performed per-page, this determines the maximum number
-                of resources in a page.
-            version_view (~google.cloud.kms_v1.types.CryptoKeyVersionView): The fields of the primary version to include in the response.
-            filter_ (str): Optional. Only include resources that match the filter in the response.
-                For more information, see `Sorting and filtering list
-                results <https://cloud.google.com/kms/docs/sorting-and-filtering>`__.
-            order_by (str): Optional. Specify how the results should be sorted. If not specified,
-                the results will be sorted in the default order. For more information,
-                see `Sorting and filtering list
-                results <https://cloud.google.com/kms/docs/sorting-and-filtering>`__.
-            retry (Optional[google.api_core.retry.Retry]):  A retry object used
-                to retry requests. If ``None`` is specified, requests will
-                be retried using a default configuration.
-            timeout (Optional[float]): The amount of time, in seconds, to wait
-                for the request to complete. Note that if ``retry`` is
-                specified, the timeout applies to each individual attempt.
-            metadata (Optional[Sequence[Tuple[str, str]]]): Additional metadata
-                that is provided to the method.
-
-        Returns:
-            A :class:`~google.api_core.page_iterator.PageIterator` instance.
-            An iterable of :class:`~google.cloud.kms_v1.types.CryptoKey` instances.
-            You can also iterate over the pages of the response
-            using its `pages` property.
-
-        Raises:
-            google.api_core.exceptions.GoogleAPICallError: If the request
-                    failed for any reason.
-            google.api_core.exceptions.RetryError: If the request failed due
-                    to a retryable error and retry attempts failed.
-            ValueError: If the parameters are invalid.
-        """
-        # Wrap the transport method to add retry and timeout logic.
-        if "list_crypto_keys" not in self._inner_api_calls:
-            self._inner_api_calls[
-                "list_crypto_keys"
-            ] = google.api_core.gapic_v1.method.wrap_method(
-                self.transport.list_crypto_keys,
-                default_retry=self._method_configs["ListCryptoKeys"].retry,
-                default_timeout=self._method_configs["ListCryptoKeys"].timeout,
-                client_info=self._client_info,
-            )
-
-        request = service_pb2.ListCryptoKeysRequest(
-            parent=parent,
-            page_size=page_size,
-            version_view=version_view,
-            filter=filter_,
-            order_by=order_by,
-        )
-        if metadata is None:
-            metadata = []
-        metadata = list(metadata)
-        try:
-            routing_header = [("parent", parent)]
-        except AttributeError:
-            pass
-        else:
-            routing_metadata = google.api_core.gapic_v1.routing_header.to_grpc_metadata(
-                routing_header
-            )
-            metadata.append(routing_metadata)
-
-        iterator = google.api_core.page_iterator.GRPCIterator(
-            client=None,
-            method=functools.partial(
-                self._inner_api_calls["list_crypto_keys"],
-                retry=retry,
-                timeout=timeout,
-                metadata=metadata,
-            ),
-            request=request,
-            items_field="crypto_keys",
-            request_token_field="page_token",
-            response_token_field="next_page_token",
-        )
-        return iterator
-
-    def list_crypto_key_versions(
-        self,
-        parent,
-        page_size=None,
-        view=None,
-        filter_=None,
-        order_by=None,
-        retry=google.api_core.gapic_v1.method.DEFAULT,
-        timeout=google.api_core.gapic_v1.method.DEFAULT,
-        metadata=None,
-    ):
-        """
-        Lists ``CryptoKeyVersions``.
-
-        Example:
-            >>> from google.cloud import kms_v1
-            >>>
-            >>> client = kms_v1.KeyManagementServiceClient()
-            >>>
-            >>> parent = client.crypto_key_path('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]')
-            >>>
-            >>> # Iterate over all results
-            >>> for element in client.list_crypto_key_versions(parent):
-            ...     # process element
-            ...     pass
-            >>>
-            >>>
-            >>> # Alternatively:
-            >>>
-            >>> # Iterate over results one page at a time
-            >>> for page in client.list_crypto_key_versions(parent).pages:
-            ...     for element in page:
-            ...         # process element
-            ...         pass
-
-        Args:
-            parent (str): Required. The resource name of the ``CryptoKey`` to list, in the format
-                ``projects/*/locations/*/keyRings/*/cryptoKeys/*``.
-            page_size (int): The maximum number of resources contained in the
-                underlying API response. If page streaming is performed per-
-                resource, this parameter does not affect the return value. If page
-                streaming is performed per-page, this determines the maximum number
-                of resources in a page.
-            view (~google.cloud.kms_v1.types.CryptoKeyVersionView): The fields to include in the response.
-            filter_ (str): Optional. Only include resources that match the filter in the response.
-                For more information, see `Sorting and filtering list
-                results <https://cloud.google.com/kms/docs/sorting-and-filtering>`__.
-            order_by (str): Optional. Specify how the results should be sorted. If not specified,
-                the results will be sorted in the default order. For more information,
-                see `Sorting and filtering list
-                results <https://cloud.google.com/kms/docs/sorting-and-filtering>`__.
-            retry (Optional[google.api_core.retry.Retry]):  A retry object used
-                to retry requests. If ``None`` is specified, requests will
-                be retried using a default configuration.
-            timeout (Optional[float]): The amount of time, in seconds, to wait
-                for the request to complete. Note that if ``retry`` is
-                specified, the timeout applies to each individual attempt.
-            metadata (Optional[Sequence[Tuple[str, str]]]): Additional metadata
-                that is provided to the method.
-
-        Returns:
-            A :class:`~google.api_core.page_iterator.PageIterator` instance.
-            An iterable of :class:`~google.cloud.kms_v1.types.CryptoKeyVersion` instances.
-            You can also iterate over the pages of the response
-            using its `pages` property.
-
-        Raises:
-            google.api_core.exceptions.GoogleAPICallError: If the request
-                    failed for any reason.
-            google.api_core.exceptions.RetryError: If the request failed due
-                    to a retryable error and retry attempts failed.
-            ValueError: If the parameters are invalid.
-        """
-        # Wrap the transport method to add retry and timeout logic.
-        if "list_crypto_key_versions" not in self._inner_api_calls:
-            self._inner_api_calls[
-                "list_crypto_key_versions"
-            ] = google.api_core.gapic_v1.method.wrap_method(
-                self.transport.list_crypto_key_versions,
-                default_retry=self._method_configs["ListCryptoKeyVersions"].retry,
-                default_timeout=self._method_configs["ListCryptoKeyVersions"].timeout,
-                client_info=self._client_info,
-            )
-
-        request = service_pb2.ListCryptoKeyVersionsRequest(
-            parent=parent,
-            page_size=page_size,
-            view=view,
-            filter=filter_,
-            order_by=order_by,
-        )
-        if metadata is None:
-            metadata = []
-        metadata = list(metadata)
-        try:
-            routing_header = [("parent", parent)]
-        except AttributeError:
-            pass
-        else:
-            routing_metadata = google.api_core.gapic_v1.routing_header.to_grpc_metadata(
-                routing_header
-            )
-            metadata.append(routing_metadata)
-
-        iterator = google.api_core.page_iterator.GRPCIterator(
-            client=None,
-            method=functools.partial(
-                self._inner_api_calls["list_crypto_key_versions"],
-                retry=retry,
-                timeout=timeout,
-                metadata=metadata,
-            ),
-            request=request,
-            items_field="crypto_key_versions",
-            request_token_field="page_token",
-            response_token_field="next_page_token",
-        )
-        return iterator
-
-    def get_key_ring(
-        self,
-        name,
-        retry=google.api_core.gapic_v1.method.DEFAULT,
-        timeout=google.api_core.gapic_v1.method.DEFAULT,
-        metadata=None,
-    ):
-        """
-        Returns metadata for a given ``KeyRing``.
-
-        Example:
-            >>> from google.cloud import kms_v1
-            >>>
-            >>> client = kms_v1.KeyManagementServiceClient()
-            >>>
-            >>> name = client.key_ring_path('[PROJECT]', '[LOCATION]', '[KEY_RING]')
-            >>>
-            >>> response = client.get_key_ring(name)
-
-        Args:
-            name (str): Required. The ``name`` of the ``KeyRing`` to get.
-            retry (Optional[google.api_core.retry.Retry]):  A retry object used
-                to retry requests. If ``None`` is specified, requests will
-                be retried using a default configuration.
-            timeout (Optional[float]): The amount of time, in seconds, to wait
-                for the request to complete. Note that if ``retry`` is
-                specified, the timeout applies to each individual attempt.
-            metadata (Optional[Sequence[Tuple[str, str]]]): Additional metadata
-                that is provided to the method.
-
-        Returns:
-            A :class:`~google.cloud.kms_v1.types.KeyRing` instance.
-
-        Raises:
-            google.api_core.exceptions.GoogleAPICallError: If the request
-                    failed for any reason.
-            google.api_core.exceptions.RetryError: If the request failed due
-                    to a retryable error and retry attempts failed.
-            ValueError: If the parameters are invalid.
-        """
-        # Wrap the transport method to add retry and timeout logic.
-        if "get_key_ring" not in self._inner_api_calls:
-            self._inner_api_calls[
-                "get_key_ring"
-            ] = google.api_core.gapic_v1.method.wrap_method(
-                self.transport.get_key_ring,
-                default_retry=self._method_configs["GetKeyRing"].retry,
-                default_timeout=self._method_configs["GetKeyRing"].timeout,
-                client_info=self._client_info,
-            )
-
-        request = service_pb2.GetKeyRingRequest(name=name)
-        if metadata is None:
-            metadata = []
-        metadata = list(metadata)
-        try:
-            routing_header = [("name", name)]
-        except AttributeError:
-            pass
-        else:
-            routing_metadata = google.api_core.gapic_v1.routing_header.to_grpc_metadata(
-                routing_header
-            )
-            metadata.append(routing_metadata)
-
-        return self._inner_api_calls["get_key_ring"](
-            request, retry=retry, timeout=timeout, metadata=metadata
-        )
-
-    def get_import_job(
-        self,
-        name,
-        retry=google.api_core.gapic_v1.method.DEFAULT,
-        timeout=google.api_core.gapic_v1.method.DEFAULT,
-        metadata=None,
-    ):
-        """
-        Returns metadata for a given ``ImportJob``.
-
-        Example:
-            >>> from google.cloud import kms_v1
-            >>>
-            >>> client = kms_v1.KeyManagementServiceClient()
-            >>>
-            >>> name = client.import_job_path('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[IMPORT_JOB]')
-            >>>
-            >>> response = client.get_import_job(name)
-
-        Args:
-            name (str): Required. The ``name`` of the ``ImportJob`` to get.
-            retry (Optional[google.api_core.retry.Retry]):  A retry object used
-                to retry requests. If ``None`` is specified, requests will
-                be retried using a default configuration.
-            timeout (Optional[float]): The amount of time, in seconds, to wait
-                for the request to complete. Note that if ``retry`` is
-                specified, the timeout applies to each individual attempt.
-            metadata (Optional[Sequence[Tuple[str, str]]]): Additional metadata
-                that is provided to the method.
-
-        Returns:
-            A :class:`~google.cloud.kms_v1.types.ImportJob` instance.
-
-        Raises:
-            google.api_core.exceptions.GoogleAPICallError: If the request
-                    failed for any reason.
-            google.api_core.exceptions.RetryError: If the request failed due
-                    to a retryable error and retry attempts failed.
-            ValueError: If the parameters are invalid.
-        """
-        # Wrap the transport method to add retry and timeout logic.
-        if "get_import_job" not in self._inner_api_calls:
-            self._inner_api_calls[
-                "get_import_job"
-            ] = google.api_core.gapic_v1.method.wrap_method(
-                self.transport.get_import_job,
-                default_retry=self._method_configs["GetImportJob"].retry,
-                default_timeout=self._method_configs["GetImportJob"].timeout,
-                client_info=self._client_info,
-            )
-
-        request = service_pb2.GetImportJobRequest(name=name)
-        if metadata is None:
-            metadata = []
-        metadata = list(metadata)
-        try:
-            routing_header = [("name", name)]
-        except AttributeError:
-            pass
-        else:
-            routing_metadata = google.api_core.gapic_v1.routing_header.to_grpc_metadata(
-                routing_header
-            )
-            metadata.append(routing_metadata)
-
-        return self._inner_api_calls["get_import_job"](
-            request, retry=retry, timeout=timeout, metadata=metadata
-        )
-
-    def get_crypto_key(
-        self,
-        name,
-        retry=google.api_core.gapic_v1.method.DEFAULT,
-        timeout=google.api_core.gapic_v1.method.DEFAULT,
-        metadata=None,
-    ):
-        """
-        Returns metadata for a given ``CryptoKey``, as well as its ``primary``
-        ``CryptoKeyVersion``.
-
-        Example:
-            >>> from google.cloud import kms_v1
-            >>>
-            >>> client = kms_v1.KeyManagementServiceClient()
-            >>>
-            >>> name = client.crypto_key_path('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]')
-            >>>
-            >>> response = client.get_crypto_key(name)
-
-        Args:
-            name (str): Required. The ``name`` of the ``CryptoKey`` to get.
-            retry (Optional[google.api_core.retry.Retry]):  A retry object used
-                to retry requests. If ``None`` is specified, requests will
-                be retried using a default configuration.
-            timeout (Optional[float]): The amount of time, in seconds, to wait
-                for the request to complete. Note that if ``retry`` is
-                specified, the timeout applies to each individual attempt.
-            metadata (Optional[Sequence[Tuple[str, str]]]): Additional metadata
-                that is provided to the method.
-
-        Returns:
-            A :class:`~google.cloud.kms_v1.types.CryptoKey` instance.
-
-        Raises:
-            google.api_core.exceptions.GoogleAPICallError: If the request
-                    failed for any reason.
-            google.api_core.exceptions.RetryError: If the request failed due
-                    to a retryable error and retry attempts failed.
-            ValueError: If the parameters are invalid.
-        """
-        # Wrap the transport method to add retry and timeout logic.
-        if "get_crypto_key" not in self._inner_api_calls:
-            self._inner_api_calls[
-                "get_crypto_key"
-            ] = google.api_core.gapic_v1.method.wrap_method(
-                self.transport.get_crypto_key,
-                default_retry=self._method_configs["GetCryptoKey"].retry,
-                default_timeout=self._method_configs["GetCryptoKey"].timeout,
-                client_info=self._client_info,
-            )
-
-        request = service_pb2.GetCryptoKeyRequest(name=name)
-        if metadata is None:
-            metadata = []
-        metadata = list(metadata)
-        try:
-            routing_header = [("name", name)]
-        except AttributeError:
-            pass
-        else:
-            routing_metadata = google.api_core.gapic_v1.routing_header.to_grpc_metadata(
-                routing_header
-            )
-            metadata.append(routing_metadata)
-
-        return self._inner_api_calls["get_crypto_key"](
-            request, retry=retry, timeout=timeout, metadata=metadata
-        )
-
-    def get_crypto_key_version(
-        self,
-        name,
-        retry=google.api_core.gapic_v1.method.DEFAULT,
-        timeout=google.api_core.gapic_v1.method.DEFAULT,
-        metadata=None,
-    ):
-        """
-        Returns metadata for a given ``CryptoKeyVersion``.
-
-        Example:
-            >>> from google.cloud import kms_v1
-            >>>
-            >>> client = kms_v1.KeyManagementServiceClient()
-            >>>
-            >>> name = client.crypto_key_version_path('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]', '[CRYPTO_KEY_VERSION]')
-            >>>
-            >>> response = client.get_crypto_key_version(name)
-
-        Args:
-            name (str): Required. The ``name`` of the ``CryptoKeyVersion`` to get.
-            retry (Optional[google.api_core.retry.Retry]):  A retry object used
-                to retry requests. If ``None`` is specified, requests will
-                be retried using a default configuration.
-            timeout (Optional[float]): The amount of time, in seconds, to wait
-                for the request to complete. Note that if ``retry`` is
-                specified, the timeout applies to each individual attempt.
-            metadata (Optional[Sequence[Tuple[str, str]]]): Additional metadata
-                that is provided to the method.
-
-        Returns:
-            A :class:`~google.cloud.kms_v1.types.CryptoKeyVersion` instance.
-
-        Raises:
-            google.api_core.exceptions.GoogleAPICallError: If the request
-                    failed for any reason.
-            google.api_core.exceptions.RetryError: If the request failed due
-                    to a retryable error and retry attempts failed.
-            ValueError: If the parameters are invalid.
-        """
-        # Wrap the transport method to add retry and timeout logic.
-        if "get_crypto_key_version" not in self._inner_api_calls:
-            self._inner_api_calls[
-                "get_crypto_key_version"
-            ] = google.api_core.gapic_v1.method.wrap_method(
-                self.transport.get_crypto_key_version,
-                default_retry=self._method_configs["GetCryptoKeyVersion"].retry,
-                default_timeout=self._method_configs["GetCryptoKeyVersion"].timeout,
-                client_info=self._client_info,
-            )
-
-        request = service_pb2.GetCryptoKeyVersionRequest(name=name)
-        if metadata is None:
-            metadata = []
-        metadata = list(metadata)
-        try:
-            routing_header = [("name", name)]
-        except AttributeError:
-            pass
-        else:
-            routing_metadata = google.api_core.gapic_v1.routing_header.to_grpc_metadata(
-                routing_header
-            )
-            metadata.append(routing_metadata)
-
-        return self._inner_api_calls["get_crypto_key_version"](
-            request, retry=retry, timeout=timeout, metadata=metadata
-        )
-
-    def create_key_ring(
-        self,
-        parent,
-        key_ring_id,
-        key_ring,
-        retry=google.api_core.gapic_v1.method.DEFAULT,
-        timeout=google.api_core.gapic_v1.method.DEFAULT,
-        metadata=None,
-    ):
-        """
-        Create a new ``KeyRing`` in a given Project and Location.
-
-        Example:
-            >>> from google.cloud import kms_v1
-            >>>
-            >>> client = kms_v1.KeyManagementServiceClient()
-            >>>
-            >>> parent = client.location_path('[PROJECT]', '[LOCATION]')
-            >>>
-            >>> # TODO: Initialize `key_ring_id`:
-            >>> key_ring_id = ''
-            >>>
-            >>> # TODO: Initialize `key_ring`:
-            >>> key_ring = {}
-            >>>
-            >>> response = client.create_key_ring(parent, key_ring_id, key_ring)
-
-        Args:
-            parent (str): Required. The resource name of the location associated with the
-                ``KeyRings``, in the format ``projects/*/locations/*``.
-            key_ring_id (str): Required. It must be unique within a location and match the regular
-                expression ``[a-zA-Z0-9_-]{1,63}``
-            key_ring (Union[dict, ~google.cloud.kms_v1.types.KeyRing]): Required. A ``KeyRing`` with initial field values.
-
-                If a dict is provided, it must be of the same form as the protobuf
-                message :class:`~google.cloud.kms_v1.types.KeyRing`
-            retry (Optional[google.api_core.retry.Retry]):  A retry object used
-                to retry requests. If ``None`` is specified, requests will
-                be retried using a default configuration.
-            timeout (Optional[float]): The amount of time, in seconds, to wait
-                for the request to complete. Note that if ``retry`` is
-                specified, the timeout applies to each individual attempt.
-            metadata (Optional[Sequence[Tuple[str, str]]]): Additional metadata
-                that is provided to the method.
-
-        Returns:
-            A :class:`~google.cloud.kms_v1.types.KeyRing` instance.
-
-        Raises:
-            google.api_core.exceptions.GoogleAPICallError: If the request
-                    failed for any reason.
-            google.api_core.exceptions.RetryError: If the request failed due
-                    to a retryable error and retry attempts failed.
-            ValueError: If the parameters are invalid.
-        """
-        # Wrap the transport method to add retry and timeout logic.
-        if "create_key_ring" not in self._inner_api_calls:
-            self._inner_api_calls[
-                "create_key_ring"
-            ] = google.api_core.gapic_v1.method.wrap_method(
-                self.transport.create_key_ring,
-                default_retry=self._method_configs["CreateKeyRing"].retry,
-                default_timeout=self._method_configs["CreateKeyRing"].timeout,
-                client_info=self._client_info,
-            )
-
-        request = service_pb2.CreateKeyRingRequest(
-            parent=parent, key_ring_id=key_ring_id, key_ring=key_ring
-        )
-        if metadata is None:
-            metadata = []
-        metadata = list(metadata)
-        try:
-            routing_header = [("parent", parent)]
-        except AttributeError:
-            pass
-        else:
-            routing_metadata = google.api_core.gapic_v1.routing_header.to_grpc_metadata(
-                routing_header
-            )
-            metadata.append(routing_metadata)
-
-        return self._inner_api_calls["create_key_ring"](
-            request, retry=retry, timeout=timeout, metadata=metadata
-        )
-
-    def create_import_job(
-        self,
-        parent,
-        import_job_id,
-        import_job,
-        retry=google.api_core.gapic_v1.method.DEFAULT,
-        timeout=google.api_core.gapic_v1.method.DEFAULT,
-        metadata=None,
-    ):
-        """
-        Create a new ``ImportJob`` within a ``KeyRing``.
-
-        ``ImportJob.import_method`` is required.
-
-        Example:
-            >>> from google.cloud import kms_v1
-            >>> from google.cloud.kms_v1 import enums
-            >>>
-            >>> client = kms_v1.KeyManagementServiceClient()
-            >>>
-            >>> parent = client.key_ring_path('[PROJECT]', '[LOCATION]', '[KEY_RING]')
-            >>> import_job_id = 'my-import-job'
-            >>> import_method = enums.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256
-            >>> protection_level = enums.ProtectionLevel.HSM
-            >>> import_job = {'import_method': import_method, 'protection_level': protection_level}
-            >>>
-            >>> response = client.create_import_job(parent, import_job_id, import_job)
-
-        Args:
-            parent (str): Required. The ``name`` of the ``KeyRing`` associated with the
-                ``ImportJobs``.
-            import_job_id (str): Required. It must be unique within a KeyRing and match the regular
-                expression ``[a-zA-Z0-9_-]{1,63}``
-            import_job (Union[dict, ~google.cloud.kms_v1.types.ImportJob]): Required. An ``ImportJob`` with initial field values.
-
-                If a dict is provided, it must be of the same form as the protobuf
-                message :class:`~google.cloud.kms_v1.types.ImportJob`
-            retry (Optional[google.api_core.retry.Retry]):  A retry object used
-                to retry requests. If ``None`` is specified, requests will
-                be retried using a default configuration.
-            timeout (Optional[float]): The amount of time, in seconds, to wait
-                for the request to complete. Note that if ``retry`` is
-                specified, the timeout applies to each individual attempt.
-            metadata (Optional[Sequence[Tuple[str, str]]]): Additional metadata
-                that is provided to the method.
-
-        Returns:
-            A :class:`~google.cloud.kms_v1.types.ImportJob` instance.
-
-        Raises:
-            google.api_core.exceptions.GoogleAPICallError: If the request
-                    failed for any reason.
-            google.api_core.exceptions.RetryError: If the request failed due
-                    to a retryable error and retry attempts failed.
-            ValueError: If the parameters are invalid.
-        """
-        # Wrap the transport method to add retry and timeout logic.
-        if "create_import_job" not in self._inner_api_calls:
-            self._inner_api_calls[
-                "create_import_job"
-            ] = google.api_core.gapic_v1.method.wrap_method(
-                self.transport.create_import_job,
-                default_retry=self._method_configs["CreateImportJob"].retry,
-                default_timeout=self._method_configs["CreateImportJob"].timeout,
-                client_info=self._client_info,
-            )
-
-        request = service_pb2.CreateImportJobRequest(
-            parent=parent, import_job_id=import_job_id, import_job=import_job
-        )
-        if metadata is None:
-            metadata = []
-        metadata = list(metadata)
-        try:
-            routing_header = [("parent", parent)]
-        except AttributeError:
-            pass
-        else:
-            routing_metadata = google.api_core.gapic_v1.routing_header.to_grpc_metadata(
-                routing_header
-            )
-            metadata.append(routing_metadata)
-
-        return self._inner_api_calls["create_import_job"](
-            request, retry=retry, timeout=timeout, metadata=metadata
-        )
-
-    def create_crypto_key(
-        self,
-        parent,
-        crypto_key_id,
-        crypto_key,
-        skip_initial_version_creation=None,
-        retry=google.api_core.gapic_v1.method.DEFAULT,
-        timeout=google.api_core.gapic_v1.method.DEFAULT,
-        metadata=None,
-    ):
-        """
-        Create a new ``CryptoKey`` within a ``KeyRing``.
-
-        ``CryptoKey.purpose`` and ``CryptoKey.version_template.algorithm`` are
-        required.
-
-        Example:
-            >>> from google.cloud import kms_v1
-            >>> from google.cloud.kms_v1 import enums
-            >>>
-            >>> client = kms_v1.KeyManagementServiceClient()
-            >>>
-            >>> parent = client.key_ring_path('[PROJECT]', '[LOCATION]', '[KEY_RING]')
-            >>> crypto_key_id = 'my-app-key'
-            >>> purpose = enums.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
-            >>> seconds = 2147483647
-            >>> next_rotation_time = {'seconds': seconds}
-            >>> seconds_2 = 604800
-            >>> rotation_period = {'seconds': seconds_2}
-            >>> crypto_key = {'purpose': purpose, 'next_rotation_time': next_rotation_time, 'rotation_period': rotation_period}
-            >>>
-            >>> response = client.create_crypto_key(parent, crypto_key_id, crypto_key)
-
-        Args:
-            parent (str): Required. The ``name`` of the KeyRing associated with the
-                ``CryptoKeys``.
-            crypto_key_id (str): Required. It must be unique within a KeyRing and match the regular
-                expression ``[a-zA-Z0-9_-]{1,63}``
-            crypto_key (Union[dict, ~google.cloud.kms_v1.types.CryptoKey]): Required. A ``CryptoKey`` with initial field values.
-
-                If a dict is provided, it must be of the same form as the protobuf
-                message :class:`~google.cloud.kms_v1.types.CryptoKey`
-            skip_initial_version_creation (bool): If set to true, the request will create a ``CryptoKey`` without any
-                ``CryptoKeyVersions``. You must manually call ``CreateCryptoKeyVersion``
-                or ``ImportCryptoKeyVersion`` before you can use this ``CryptoKey``.
-            retry (Optional[google.api_core.retry.Retry]):  A retry object used
-                to retry requests. If ``None`` is specified, requests will
-                be retried using a default configuration.
-            timeout (Optional[float]): The amount of time, in seconds, to wait
-                for the request to complete. Note that if ``retry`` is
-                specified, the timeout applies to each individual attempt.
-            metadata (Optional[Sequence[Tuple[str, str]]]): Additional metadata
-                that is provided to the method.
-
-        Returns:
-            A :class:`~google.cloud.kms_v1.types.CryptoKey` instance.
-
-        Raises:
-            google.api_core.exceptions.GoogleAPICallError: If the request
-                    failed for any reason.
-            google.api_core.exceptions.RetryError: If the request failed due
-                    to a retryable error and retry attempts failed.
-            ValueError: If the parameters are invalid.
-        """
-        # Wrap the transport method to add retry and timeout logic.
-        if "create_crypto_key" not in self._inner_api_calls:
-            self._inner_api_calls[
-                "create_crypto_key"
-            ] = google.api_core.gapic_v1.method.wrap_method(
-                self.transport.create_crypto_key,
-                default_retry=self._method_configs["CreateCryptoKey"].retry,
-                default_timeout=self._method_configs["CreateCryptoKey"].timeout,
-                client_info=self._client_info,
-            )
-
-        request = service_pb2.CreateCryptoKeyRequest(
-            parent=parent,
-            crypto_key_id=crypto_key_id,
-            crypto_key=crypto_key,
-            skip_initial_version_creation=skip_initial_version_creation,
-        )
-        if metadata is None:
-            metadata = []
-        metadata = list(metadata)
-        try:
-            routing_header = [("parent", parent)]
-        except AttributeError:
-            pass
-        else:
-            routing_metadata = google.api_core.gapic_v1.routing_header.to_grpc_metadata(
-                routing_header
-            )
-            metadata.append(routing_metadata)
-
-        return self._inner_api_calls["create_crypto_key"](
-            request, retry=retry, timeout=timeout, metadata=metadata
-        )
-
-    def create_crypto_key_version(
-        self,
-        parent,
-        crypto_key_version,
-        retry=google.api_core.gapic_v1.method.DEFAULT,
-        timeout=google.api_core.gapic_v1.method.DEFAULT,
-        metadata=None,
-    ):
-        """
-        Create a new ``CryptoKeyVersion`` in a ``CryptoKey``.
-
-        The server will assign the next sequential id. If unset, ``state`` will
-        be set to ``ENABLED``.
-
-        Example:
-            >>> from google.cloud import kms_v1
-            >>>
-            >>> client = kms_v1.KeyManagementServiceClient()
-            >>>
-            >>> parent = client.crypto_key_path('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]')
-            >>>
-            >>> # TODO: Initialize `crypto_key_version`:
-            >>> crypto_key_version = {}
-            >>>
-            >>> response = client.create_crypto_key_version(parent, crypto_key_version)
-
-        Args:
-            parent (str): Required. The ``name`` of the ``CryptoKey`` associated with the
-                ``CryptoKeyVersions``.
-            crypto_key_version (Union[dict, ~google.cloud.kms_v1.types.CryptoKeyVersion]): Required. A ``CryptoKeyVersion`` with initial field values.
-
-                If a dict is provided, it must be of the same form as the protobuf
-                message :class:`~google.cloud.kms_v1.types.CryptoKeyVersion`
-            retry (Optional[google.api_core.retry.Retry]):  A retry object used
-                to retry requests. If ``None`` is specified, requests will
-                be retried using a default configuration.
-            timeout (Optional[float]): The amount of time, in seconds, to wait
-                for the request to complete. Note that if ``retry`` is
-                specified, the timeout applies to each individual attempt.
-            metadata (Optional[Sequence[Tuple[str, str]]]): Additional metadata
-                that is provided to the method.
-
-        Returns:
-            A :class:`~google.cloud.kms_v1.types.CryptoKeyVersion` instance.
-
-        Raises:
-            google.api_core.exceptions.GoogleAPICallError: If the request
-                    failed for any reason.
-            google.api_core.exceptions.RetryError: If the request failed due
-                    to a retryable error and retry attempts failed.
-            ValueError: If the parameters are invalid.
-        """
-        # Wrap the transport method to add retry and timeout logic.
-        if "create_crypto_key_version" not in self._inner_api_calls:
-            self._inner_api_calls[
-                "create_crypto_key_version"
-            ] = google.api_core.gapic_v1.method.wrap_method(
-                self.transport.create_crypto_key_version,
-                default_retry=self._method_configs["CreateCryptoKeyVersion"].retry,
-                default_timeout=self._method_configs["CreateCryptoKeyVersion"].timeout,
-                client_info=self._client_info,
-            )
-
-        request = service_pb2.CreateCryptoKeyVersionRequest(
-            parent=parent, crypto_key_version=crypto_key_version
-        )
-        if metadata is None:
-            metadata = []
-        metadata = list(metadata)
-        try:
-            routing_header = [("parent", parent)]
-        except AttributeError:
-            pass
-        else:
-            routing_metadata = google.api_core.gapic_v1.routing_header.to_grpc_metadata(
-                routing_header
-            )
-            metadata.append(routing_metadata)
-
-        return self._inner_api_calls["create_crypto_key_version"](
-            request, retry=retry, timeout=timeout, metadata=metadata
-        )
-
-    def import_crypto_key_version(
-        self,
-        parent,
-        algorithm,
-        import_job,
-        rsa_aes_wrapped_key=None,
-        retry=google.api_core.gapic_v1.method.DEFAULT,
-        timeout=google.api_core.gapic_v1.method.DEFAULT,
-        metadata=None,
-    ):
-        """
-        Imports a new ``CryptoKeyVersion`` into an existing ``CryptoKey`` using
-        the wrapped key material provided in the request.
-
-        The version ID will be assigned the next sequential id within the
-        ``CryptoKey``.
-
-        Example:
-            >>> from google.cloud import kms_v1
-            >>> from google.cloud.kms_v1 import enums
-            >>>
-            >>> client = kms_v1.KeyManagementServiceClient()
-            >>>
-            >>> parent = client.crypto_key_path('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]')
-            >>>
-            >>> # TODO: Initialize `algorithm`:
-            >>> algorithm = enums.CryptoKeyVersion.CryptoKeyVersionAlgorithm.CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED
-            >>>
-            >>> # TODO: Initialize `import_job`:
-            >>> import_job = ''
-            >>>
-            >>> response = client.import_crypto_key_version(parent, algorithm, import_job)
-
-        Args:
-            parent (str): Required. The ``name`` of the ``CryptoKey`` to be imported into.
-            algorithm (~google.cloud.kms_v1.types.CryptoKeyVersionAlgorithm): Required. The ``algorithm`` of the key being imported. This does not
-                need to match the ``version_template`` of the ``CryptoKey`` this version
-                imports into.
-            import_job (str): Required. The ``name`` of the ``ImportJob`` that was used to wrap this
-                key material.
-            rsa_aes_wrapped_key (bytes): Wrapped key material produced with ``RSA_OAEP_3072_SHA1_AES_256`` or
-                ``RSA_OAEP_4096_SHA1_AES_256``.
-
-                This field contains the concatenation of two wrapped keys:
-
-                .. raw:: html
-
-                    <ol>
-                      <li>An ephemeral AES-256 wrapping key wrapped with the
-                          `public_key` using RSAES-OAEP with SHA-1,
-                          MGF1 with SHA-1, and an empty label.
-                      </li>
-                      <li>The key to be imported, wrapped with the ephemeral AES-256 key
-                          using AES-KWP (RFC 5649).
-                      </li>
-                    </ol>
-
-                If importing symmetric key material, it is expected that the unwrapped
-                key contains plain bytes. If importing asymmetric key material, it is
-                expected that the unwrapped key is in PKCS#8-encoded DER format (the
-                PrivateKeyInfo structure from RFC 5208).
-
-                This format is the same as the format produced by PKCS#11 mechanism
-                CKM\_RSA\_AES\_KEY\_WRAP.
-            retry (Optional[google.api_core.retry.Retry]):  A retry object used
-                to retry requests. If ``None`` is specified, requests will
-                be retried using a default configuration.
-            timeout (Optional[float]): The amount of time, in seconds, to wait
-                for the request to complete. Note that if ``retry`` is
-                specified, the timeout applies to each individual attempt.
-            metadata (Optional[Sequence[Tuple[str, str]]]): Additional metadata
-                that is provided to the method.
-
-        Returns:
-            A :class:`~google.cloud.kms_v1.types.CryptoKeyVersion` instance.
-
-        Raises:
-            google.api_core.exceptions.GoogleAPICallError: If the request
-                    failed for any reason.
-            google.api_core.exceptions.RetryError: If the request failed due
-                    to a retryable error and retry attempts failed.
-            ValueError: If the parameters are invalid.
-        """
-        # Wrap the transport method to add retry and timeout logic.
-        if "import_crypto_key_version" not in self._inner_api_calls:
-            self._inner_api_calls[
-                "import_crypto_key_version"
-            ] = google.api_core.gapic_v1.method.wrap_method(
-                self.transport.import_crypto_key_version,
-                default_retry=self._method_configs["ImportCryptoKeyVersion"].retry,
-                default_timeout=self._method_configs["ImportCryptoKeyVersion"].timeout,
-                client_info=self._client_info,
-            )
-
-        # Sanity check: We have some fields which are mutually exclusive;
-        # raise ValueError if more than one is sent.
-        google.api_core.protobuf_helpers.check_oneof(
-            rsa_aes_wrapped_key=rsa_aes_wrapped_key
-        )
-
-        request = service_pb2.ImportCryptoKeyVersionRequest(
-            parent=parent,
-            algorithm=algorithm,
-            import_job=import_job,
-            rsa_aes_wrapped_key=rsa_aes_wrapped_key,
-        )
-        if metadata is None:
-            metadata = []
-        metadata = list(metadata)
-        try:
-            routing_header = [("parent", parent)]
-        except AttributeError:
-            pass
-        else:
-            routing_metadata = google.api_core.gapic_v1.routing_header.to_grpc_metadata(
-                routing_header
-            )
-            metadata.append(routing_metadata)
-
-        return self._inner_api_calls["import_crypto_key_version"](
-            request, retry=retry, timeout=timeout, metadata=metadata
-        )
-
-    def update_crypto_key(
-        self,
-        crypto_key,
-        update_mask,
-        retry=google.api_core.gapic_v1.method.DEFAULT,
-        timeout=google.api_core.gapic_v1.method.DEFAULT,
-        metadata=None,
-    ):
-        """
-        Update a ``CryptoKey``.
-
-        Example:
-            >>> from google.cloud import kms_v1
-            >>>
-            >>> client = kms_v1.KeyManagementServiceClient()
-            >>>
-            >>> # TODO: Initialize `crypto_key`:
-            >>> crypto_key = {}
-            >>>
-            >>> # TODO: Initialize `update_mask`:
-            >>> update_mask = {}
-            >>>
-            >>> response = client.update_crypto_key(crypto_key, update_mask)
-
-        Args:
-            crypto_key (Union[dict, ~google.cloud.kms_v1.types.CryptoKey]): Required. ``CryptoKey`` with updated values.
-
-                If a dict is provided, it must be of the same form as the protobuf
-                message :class:`~google.cloud.kms_v1.types.CryptoKey`
-            update_mask (Union[dict, ~google.cloud.kms_v1.types.FieldMask]): Required. List of fields to be updated in this request.
-
-                If a dict is provided, it must be of the same form as the protobuf
-                message :class:`~google.cloud.kms_v1.types.FieldMask`
-            retry (Optional[google.api_core.retry.Retry]):  A retry object used
-                to retry requests. If ``None`` is specified, requests will
-                be retried using a default configuration.
-            timeout (Optional[float]): The amount of time, in seconds, to wait
-                for the request to complete. Note that if ``retry`` is
-                specified, the timeout applies to each individual attempt.
-            metadata (Optional[Sequence[Tuple[str, str]]]): Additional metadata
-                that is provided to the method.
-
-        Returns:
-            A :class:`~google.cloud.kms_v1.types.CryptoKey` instance.
-
-        Raises:
-            google.api_core.exceptions.GoogleAPICallError: If the request
-                    failed for any reason.
-            google.api_core.exceptions.RetryError: If the request failed due
-                    to a retryable error and retry attempts failed.
-            ValueError: If the parameters are invalid.
-        """
-        # Wrap the transport method to add retry and timeout logic.
-        if "update_crypto_key" not in self._inner_api_calls:
-            self._inner_api_calls[
-                "update_crypto_key"
-            ] = google.api_core.gapic_v1.method.wrap_method(
-                self.transport.update_crypto_key,
-                default_retry=self._method_configs["UpdateCryptoKey"].retry,
-                default_timeout=self._method_configs["UpdateCryptoKey"].timeout,
-                client_info=self._client_info,
-            )
-
-        request = service_pb2.UpdateCryptoKeyRequest(
-            crypto_key=crypto_key, update_mask=update_mask
-        )
-        if metadata is None:
-            metadata = []
-        metadata = list(metadata)
-        try:
-            routing_header = [("crypto_key.name", crypto_key.name)]
-        except AttributeError:
-            pass
-        else:
-            routing_metadata = google.api_core.gapic_v1.routing_header.to_grpc_metadata(
-                routing_header
-            )
-            metadata.append(routing_metadata)
-
-        return self._inner_api_calls["update_crypto_key"](
-            request, retry=retry, timeout=timeout, metadata=metadata
-        )
-
-    def update_crypto_key_version(
-        self,
-        crypto_key_version,
-        update_mask,
-        retry=google.api_core.gapic_v1.method.DEFAULT,
-        timeout=google.api_core.gapic_v1.method.DEFAULT,
-        metadata=None,
-    ):
-        """
-        Update a ``CryptoKeyVersion``'s metadata.
-
-        ``state`` may be changed between ``ENABLED`` and ``DISABLED`` using this
-        method. See ``DestroyCryptoKeyVersion`` and ``RestoreCryptoKeyVersion``
-        to move between other states.
-
-        Example:
-            >>> from google.cloud import kms_v1
-            >>>
-            >>> client = kms_v1.KeyManagementServiceClient()
-            >>>
-            >>> # TODO: Initialize `crypto_key_version`:
-            >>> crypto_key_version = {}
-            >>>
-            >>> # TODO: Initialize `update_mask`:
-            >>> update_mask = {}
-            >>>
-            >>> response = client.update_crypto_key_version(crypto_key_version, update_mask)
-
-        Args:
-            crypto_key_version (Union[dict, ~google.cloud.kms_v1.types.CryptoKeyVersion]): Required. ``CryptoKeyVersion`` with updated values.
-
-                If a dict is provided, it must be of the same form as the protobuf
-                message :class:`~google.cloud.kms_v1.types.CryptoKeyVersion`
-            update_mask (Union[dict, ~google.cloud.kms_v1.types.FieldMask]): Required. List of fields to be updated in this request.
-
-                If a dict is provided, it must be of the same form as the protobuf
-                message :class:`~google.cloud.kms_v1.types.FieldMask`
-            retry (Optional[google.api_core.retry.Retry]):  A retry object used
-                to retry requests. If ``None`` is specified, requests will
-                be retried using a default configuration.
-            timeout (Optional[float]): The amount of time, in seconds, to wait
-                for the request to complete. Note that if ``retry`` is
-                specified, the timeout applies to each individual attempt.
-            metadata (Optional[Sequence[Tuple[str, str]]]): Additional metadata
-                that is provided to the method.
-
-        Returns:
-            A :class:`~google.cloud.kms_v1.types.CryptoKeyVersion` instance.
-
-        Raises:
-            google.api_core.exceptions.GoogleAPICallError: If the request
-                    failed for any reason.
-            google.api_core.exceptions.RetryError: If the request failed due
-                    to a retryable error and retry attempts failed.
-            ValueError: If the parameters are invalid.
-        """
-        # Wrap the transport method to add retry and timeout logic.
-        if "update_crypto_key_version" not in self._inner_api_calls:
-            self._inner_api_calls[
-                "update_crypto_key_version"
-            ] = google.api_core.gapic_v1.method.wrap_method(
-                self.transport.update_crypto_key_version,
-                default_retry=self._method_configs["UpdateCryptoKeyVersion"].retry,
-                default_timeout=self._method_configs["UpdateCryptoKeyVersion"].timeout,
-                client_info=self._client_info,
-            )
-
-        request = service_pb2.UpdateCryptoKeyVersionRequest(
-            crypto_key_version=crypto_key_version, update_mask=update_mask
-        )
-        if metadata is None:
-            metadata = []
-        metadata = list(metadata)
-        try:
-            routing_header = [("crypto_key_version.name", crypto_key_version.name)]
-        except AttributeError:
-            pass
-        else:
-            routing_metadata = google.api_core.gapic_v1.routing_header.to_grpc_metadata(
-                routing_header
-            )
-            metadata.append(routing_metadata)
-
-        return self._inner_api_calls["update_crypto_key_version"](
-            request, retry=retry, timeout=timeout, metadata=metadata
-        )
-
-    def encrypt(
-        self,
-        name,
-        plaintext,
-        additional_authenticated_data=None,
-        retry=google.api_core.gapic_v1.method.DEFAULT,
-        timeout=google.api_core.gapic_v1.method.DEFAULT,
-        metadata=None,
-    ):
-        """
-        Encrypts data, so that it can only be recovered by a call to
-        ``Decrypt``. The ``CryptoKey.purpose`` must be ``ENCRYPT_DECRYPT``.
-
-        Example:
-            >>> from google.cloud import kms_v1
-            >>>
-            >>> client = kms_v1.KeyManagementServiceClient()
-            >>>
-            >>> # TODO: Initialize `name`:
-            >>> name = ''
-            >>>
-            >>> # TODO: Initialize `plaintext`:
-            >>> plaintext = b''
-            >>>
-            >>> response = client.encrypt(name, plaintext)
-
-        Args:
-            name (str): Required. The resource name of the ``CryptoKey`` or ``CryptoKeyVersion``
-                to use for encryption.
-
-                If a ``CryptoKey`` is specified, the server will use its
-                ``primary version``.
-            plaintext (bytes): Required. The data to encrypt. Must be no larger than 64KiB.
-
-                The maximum size depends on the key version's ``protection_level``. For
-                ``SOFTWARE`` keys, the plaintext must be no larger than 64KiB. For
-                ``HSM`` keys, the combined length of the plaintext and
-                additional\_authenticated\_data fields must be no larger than 8KiB.
-            additional_authenticated_data (bytes): Optional. Optional data that, if specified, must also be provided during
-                decryption through ``DecryptRequest.additional_authenticated_data``.
-
-                The maximum size depends on the key version's ``protection_level``. For
-                ``SOFTWARE`` keys, the AAD must be no larger than 64KiB. For ``HSM``
-                keys, the combined length of the plaintext and
-                additional\_authenticated\_data fields must be no larger than 8KiB.
-            retry (Optional[google.api_core.retry.Retry]):  A retry object used
-                to retry requests. If ``None`` is specified, requests will
-                be retried using a default configuration.
-            timeout (Optional[float]): The amount of time, in seconds, to wait
-                for the request to complete. Note that if ``retry`` is
-                specified, the timeout applies to each individual attempt.
-            metadata (Optional[Sequence[Tuple[str, str]]]): Additional metadata
-                that is provided to the method.
-
-        Returns:
-            A :class:`~google.cloud.kms_v1.types.EncryptResponse` instance.
-
-        Raises:
-            google.api_core.exceptions.GoogleAPICallError: If the request
-                    failed for any reason.
-            google.api_core.exceptions.RetryError: If the request failed due
-                    to a retryable error and retry attempts failed.
-            ValueError: If the parameters are invalid.
-        """
-        # Wrap the transport method to add retry and timeout logic.
-        if "encrypt" not in self._inner_api_calls:
-            self._inner_api_calls[
-                "encrypt"
-            ] = google.api_core.gapic_v1.method.wrap_method(
-                self.transport.encrypt,
-                default_retry=self._method_configs["Encrypt"].retry,
-                default_timeout=self._method_configs["Encrypt"].timeout,
-                client_info=self._client_info,
-            )
-
-        request = service_pb2.EncryptRequest(
-            name=name,
-            plaintext=plaintext,
-            additional_authenticated_data=additional_authenticated_data,
-        )
-        if metadata is None:
-            metadata = []
-        metadata = list(metadata)
-        try:
-            routing_header = [("name", name)]
-        except AttributeError:
-            pass
-        else:
-            routing_metadata = google.api_core.gapic_v1.routing_header.to_grpc_metadata(
-                routing_header
-            )
-            metadata.append(routing_metadata)
-
-        return self._inner_api_calls["encrypt"](
-            request, retry=retry, timeout=timeout, metadata=metadata
-        )
-
-    def decrypt(
-        self,
-        name,
-        ciphertext,
-        additional_authenticated_data=None,
-        retry=google.api_core.gapic_v1.method.DEFAULT,
-        timeout=google.api_core.gapic_v1.method.DEFAULT,
-        metadata=None,
-    ):
-        """
-        Decrypts data that was protected by ``Encrypt``. The
-        ``CryptoKey.purpose`` must be ``ENCRYPT_DECRYPT``.
-
-        Example:
-            >>> from google.cloud import kms_v1
-            >>>
-            >>> client = kms_v1.KeyManagementServiceClient()
-            >>>
-            >>> name = client.crypto_key_path('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]')
-            >>>
-            >>> # TODO: Initialize `ciphertext`:
-            >>> ciphertext = b''
-            >>>
-            >>> response = client.decrypt(name, ciphertext)
-
-        Args:
-            name (str): Required. The resource name of the ``CryptoKey`` to use for decryption.
-                The server will choose the appropriate version.
-            ciphertext (bytes): Required. The encrypted data originally returned in
-                ``EncryptResponse.ciphertext``.
-            additional_authenticated_data (bytes): Optional. Optional data that must match the data originally supplied in
-                ``EncryptRequest.additional_authenticated_data``.
-            retry (Optional[google.api_core.retry.Retry]):  A retry object used
-                to retry requests. If ``None`` is specified, requests will
-                be retried using a default configuration.
-            timeout (Optional[float]): The amount of time, in seconds, to wait
-                for the request to complete. Note that if ``retry`` is
-                specified, the timeout applies to each individual attempt.
-            metadata (Optional[Sequence[Tuple[str, str]]]): Additional metadata
-                that is provided to the method.
-
-        Returns:
-            A :class:`~google.cloud.kms_v1.types.DecryptResponse` instance.
-
-        Raises:
-            google.api_core.exceptions.GoogleAPICallError: If the request
-                    failed for any reason.
-            google.api_core.exceptions.RetryError: If the request failed due
-                    to a retryable error and retry attempts failed.
-            ValueError: If the parameters are invalid.
-        """
-        # Wrap the transport method to add retry and timeout logic.
-        if "decrypt" not in self._inner_api_calls:
-            self._inner_api_calls[
-                "decrypt"
-            ] = google.api_core.gapic_v1.method.wrap_method(
-                self.transport.decrypt,
-                default_retry=self._method_configs["Decrypt"].retry,
-                default_timeout=self._method_configs["Decrypt"].timeout,
-                client_info=self._client_info,
-            )
-
-        request = service_pb2.DecryptRequest(
-            name=name,
-            ciphertext=ciphertext,
-            additional_authenticated_data=additional_authenticated_data,
-        )
-        if metadata is None:
-            metadata = []
-        metadata = list(metadata)
-        try:
-            routing_header = [("name", name)]
-        except AttributeError:
-            pass
-        else:
-            routing_metadata = google.api_core.gapic_v1.routing_header.to_grpc_metadata(
-                routing_header
-            )
-            metadata.append(routing_metadata)
-
-        return self._inner_api_calls["decrypt"](
-            request, retry=retry, timeout=timeout, metadata=metadata
-        )
-
-    def update_crypto_key_primary_version(
-        self,
-        name,
-        crypto_key_version_id,
-        retry=google.api_core.gapic_v1.method.DEFAULT,
-        timeout=google.api_core.gapic_v1.method.DEFAULT,
-        metadata=None,
-    ):
-        """
-        Update the version of a ``CryptoKey`` that will be used in ``Encrypt``.
-
-        Returns an error if called on an asymmetric key.
-
-        Example:
-            >>> from google.cloud import kms_v1
-            >>>
-            >>> client = kms_v1.KeyManagementServiceClient()
-            >>>
-            >>> name = client.crypto_key_path('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]')
-            >>>
-            >>> # TODO: Initialize `crypto_key_version_id`:
-            >>> crypto_key_version_id = ''
-            >>>
-            >>> response = client.update_crypto_key_primary_version(name, crypto_key_version_id)
-
-        Args:
-            name (str): Required. The resource name of the ``CryptoKey`` to update.
-            crypto_key_version_id (str): Required. The id of the child ``CryptoKeyVersion`` to use as primary.
-            retry (Optional[google.api_core.retry.Retry]):  A retry object used
-                to retry requests. If ``None`` is specified, requests will
-                be retried using a default configuration.
-            timeout (Optional[float]): The amount of time, in seconds, to wait
-                for the request to complete. Note that if ``retry`` is
-                specified, the timeout applies to each individual attempt.
-            metadata (Optional[Sequence[Tuple[str, str]]]): Additional metadata
-                that is provided to the method.
-
-        Returns:
-            A :class:`~google.cloud.kms_v1.types.CryptoKey` instance.
-
-        Raises:
-            google.api_core.exceptions.GoogleAPICallError: If the request
-                    failed for any reason.
-            google.api_core.exceptions.RetryError: If the request failed due
-                    to a retryable error and retry attempts failed.
-            ValueError: If the parameters are invalid.
-        """
-        # Wrap the transport method to add retry and timeout logic.
-        if "update_crypto_key_primary_version" not in self._inner_api_calls:
-            self._inner_api_calls[
-                "update_crypto_key_primary_version"
-            ] = google.api_core.gapic_v1.method.wrap_method(
-                self.transport.update_crypto_key_primary_version,
-                default_retry=self._method_configs[
-                    "UpdateCryptoKeyPrimaryVersion"
-                ].retry,
-                default_timeout=self._method_configs[
-                    "UpdateCryptoKeyPrimaryVersion"
-                ].timeout,
-                client_info=self._client_info,
-            )
-
-        request = service_pb2.UpdateCryptoKeyPrimaryVersionRequest(
-            name=name, crypto_key_version_id=crypto_key_version_id
-        )
-        if metadata is None:
-            metadata = []
-        metadata = list(metadata)
-        try:
-            routing_header = [("name", name)]
-        except AttributeError:
-            pass
-        else:
-            routing_metadata = google.api_core.gapic_v1.routing_header.to_grpc_metadata(
-                routing_header
-            )
-            metadata.append(routing_metadata)
-
-        return self._inner_api_calls["update_crypto_key_primary_version"](
-            request, retry=retry, timeout=timeout, metadata=metadata
-        )
-
-    def destroy_crypto_key_version(
-        self,
-        name,
-        retry=google.api_core.gapic_v1.method.DEFAULT,
-        timeout=google.api_core.gapic_v1.method.DEFAULT,
-        metadata=None,
-    ):
-        """
-        Schedule a ``CryptoKeyVersion`` for destruction.
-
-        Upon calling this method, ``CryptoKeyVersion.state`` will be set to
-        ``DESTROY_SCHEDULED`` and ``destroy_time`` will be set to a time 24
-        hours in the future, at which point the ``state`` will be changed to
-        ``DESTROYED``, and the key material will be irrevocably destroyed.
-
-        Before the ``destroy_time`` is reached, ``RestoreCryptoKeyVersion`` may
-        be called to reverse the process.
-
-        Example:
-            >>> from google.cloud import kms_v1
-            >>>
-            >>> client = kms_v1.KeyManagementServiceClient()
-            >>>
-            >>> name = client.crypto_key_version_path('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]', '[CRYPTO_KEY_VERSION]')
-            >>>
-            >>> response = client.destroy_crypto_key_version(name)
-
-        Args:
-            name (str): Required. The resource name of the ``CryptoKeyVersion`` to destroy.
-            retry (Optional[google.api_core.retry.Retry]):  A retry object used
-                to retry requests. If ``None`` is specified, requests will
-                be retried using a default configuration.
-            timeout (Optional[float]): The amount of time, in seconds, to wait
-                for the request to complete. Note that if ``retry`` is
-                specified, the timeout applies to each individual attempt.
-            metadata (Optional[Sequence[Tuple[str, str]]]): Additional metadata
-                that is provided to the method.
-
-        Returns:
-            A :class:`~google.cloud.kms_v1.types.CryptoKeyVersion` instance.
-
-        Raises:
-            google.api_core.exceptions.GoogleAPICallError: If the request
-                    failed for any reason.
-            google.api_core.exceptions.RetryError: If the request failed due
-                    to a retryable error and retry attempts failed.
-            ValueError: If the parameters are invalid.
-        """
-        # Wrap the transport method to add retry and timeout logic.
-        if "destroy_crypto_key_version" not in self._inner_api_calls:
-            self._inner_api_calls[
-                "destroy_crypto_key_version"
-            ] = google.api_core.gapic_v1.method.wrap_method(
-                self.transport.destroy_crypto_key_version,
-                default_retry=self._method_configs["DestroyCryptoKeyVersion"].retry,
-                default_timeout=self._method_configs["DestroyCryptoKeyVersion"].timeout,
-                client_info=self._client_info,
-            )
-
-        request = service_pb2.DestroyCryptoKeyVersionRequest(name=name)
-        if metadata is None:
-            metadata = []
-        metadata = list(metadata)
-        try:
-            routing_header = [("name", name)]
-        except AttributeError:
-            pass
-        else:
-            routing_metadata = google.api_core.gapic_v1.routing_header.to_grpc_metadata(
-                routing_header
-            )
-            metadata.append(routing_metadata)
-
-        return self._inner_api_calls["destroy_crypto_key_version"](
-            request, retry=retry, timeout=timeout, metadata=metadata
-        )
-
-    def restore_crypto_key_version(
-        self,
-        name,
-        retry=google.api_core.gapic_v1.method.DEFAULT,
-        timeout=google.api_core.gapic_v1.method.DEFAULT,
-        metadata=None,
-    ):
-        """
-        Restore a ``CryptoKeyVersion`` in the ``DESTROY_SCHEDULED`` state.
-
-        Upon restoration of the CryptoKeyVersion, ``state`` will be set to
-        ``DISABLED``, and ``destroy_time`` will be cleared.
-
-        Example:
-            >>> from google.cloud import kms_v1
-            >>>
-            >>> client = kms_v1.KeyManagementServiceClient()
-            >>>
-            >>> name = client.crypto_key_version_path('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]', '[CRYPTO_KEY_VERSION]')
-            >>>
-            >>> response = client.restore_crypto_key_version(name)
-
-        Args:
-            name (str): Required. The resource name of the ``CryptoKeyVersion`` to restore.
-            retry (Optional[google.api_core.retry.Retry]):  A retry object used
-                to retry requests. If ``None`` is specified, requests will
-                be retried using a default configuration.
-            timeout (Optional[float]): The amount of time, in seconds, to wait
-                for the request to complete. Note that if ``retry`` is
-                specified, the timeout applies to each individual attempt.
-            metadata (Optional[Sequence[Tuple[str, str]]]): Additional metadata
-                that is provided to the method.
-
-        Returns:
-            A :class:`~google.cloud.kms_v1.types.CryptoKeyVersion` instance.
-
-        Raises:
-            google.api_core.exceptions.GoogleAPICallError: If the request
-                    failed for any reason.
-            google.api_core.exceptions.RetryError: If the request failed due
-                    to a retryable error and retry attempts failed.
-            ValueError: If the parameters are invalid.
-        """
-        # Wrap the transport method to add retry and timeout logic.
-        if "restore_crypto_key_version" not in self._inner_api_calls:
-            self._inner_api_calls[
-                "restore_crypto_key_version"
-            ] = google.api_core.gapic_v1.method.wrap_method(
-                self.transport.restore_crypto_key_version,
-                default_retry=self._method_configs["RestoreCryptoKeyVersion"].retry,
-                default_timeout=self._method_configs["RestoreCryptoKeyVersion"].timeout,
-                client_info=self._client_info,
-            )
-
-        request = service_pb2.RestoreCryptoKeyVersionRequest(name=name)
-        if metadata is None:
-            metadata = []
-        metadata = list(metadata)
-        try:
-            routing_header = [("name", name)]
-        except AttributeError:
-            pass
-        else:
-            routing_metadata = google.api_core.gapic_v1.routing_header.to_grpc_metadata(
-                routing_header
-            )
-            metadata.append(routing_metadata)
-
-        return self._inner_api_calls["restore_crypto_key_version"](
-            request, retry=retry, timeout=timeout, metadata=metadata
-        )
-
-    def get_public_key(
-        self,
-        name,
-        retry=google.api_core.gapic_v1.method.DEFAULT,
-        timeout=google.api_core.gapic_v1.method.DEFAULT,
-        metadata=None,
-    ):
-        """
-        Returns the public key for the given ``CryptoKeyVersion``. The
-        ``CryptoKey.purpose`` must be ``ASYMMETRIC_SIGN`` or
-        ``ASYMMETRIC_DECRYPT``.
-
-        Example:
-            >>> from google.cloud import kms_v1
-            >>>
-            >>> client = kms_v1.KeyManagementServiceClient()
-            >>>
-            >>> name = client.crypto_key_version_path('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]', '[CRYPTO_KEY_VERSION]')
-            >>>
-            >>> response = client.get_public_key(name)
-
-        Args:
-            name (str): Required. The ``name`` of the ``CryptoKeyVersion`` public key to get.
-            retry (Optional[google.api_core.retry.Retry]):  A retry object used
-                to retry requests. If ``None`` is specified, requests will
-                be retried using a default configuration.
-            timeout (Optional[float]): The amount of time, in seconds, to wait
-                for the request to complete. Note that if ``retry`` is
-                specified, the timeout applies to each individual attempt.
-            metadata (Optional[Sequence[Tuple[str, str]]]): Additional metadata
-                that is provided to the method.
-
-        Returns:
-            A :class:`~google.cloud.kms_v1.types.PublicKey` instance.
-
-        Raises:
-            google.api_core.exceptions.GoogleAPICallError: If the request
-                    failed for any reason.
-            google.api_core.exceptions.RetryError: If the request failed due
-                    to a retryable error and retry attempts failed.
-            ValueError: If the parameters are invalid.
-        """
-        # Wrap the transport method to add retry and timeout logic.
-        if "get_public_key" not in self._inner_api_calls:
-            self._inner_api_calls[
-                "get_public_key"
-            ] = google.api_core.gapic_v1.method.wrap_method(
-                self.transport.get_public_key,
-                default_retry=self._method_configs["GetPublicKey"].retry,
-                default_timeout=self._method_configs["GetPublicKey"].timeout,
-                client_info=self._client_info,
-            )
-
-        request = service_pb2.GetPublicKeyRequest(name=name)
-        if metadata is None:
-            metadata = []
-        metadata = list(metadata)
-        try:
-            routing_header = [("name", name)]
-        except AttributeError:
-            pass
-        else:
-            routing_metadata = google.api_core.gapic_v1.routing_header.to_grpc_metadata(
-                routing_header
-            )
-            metadata.append(routing_metadata)
-
-        return self._inner_api_calls["get_public_key"](
-            request, retry=retry, timeout=timeout, metadata=metadata
-        )
-
-    def asymmetric_decrypt(
-        self,
-        name,
-        ciphertext,
-        retry=google.api_core.gapic_v1.method.DEFAULT,
-        timeout=google.api_core.gapic_v1.method.DEFAULT,
-        metadata=None,
-    ):
-        """
-        Decrypts data that was encrypted with a public key retrieved from
-        ``GetPublicKey`` corresponding to a ``CryptoKeyVersion`` with
-        ``CryptoKey.purpose`` ASYMMETRIC\_DECRYPT.
-
-        Example:
-            >>> from google.cloud import kms_v1
-            >>>
-            >>> client = kms_v1.KeyManagementServiceClient()
-            >>>
-            >>> name = client.crypto_key_version_path('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]', '[CRYPTO_KEY_VERSION]')
-            >>>
-            >>> # TODO: Initialize `ciphertext`:
-            >>> ciphertext = b''
-            >>>
-            >>> response = client.asymmetric_decrypt(name, ciphertext)
-
-        Args:
-            name (str): Required. The resource name of the ``CryptoKeyVersion`` to use for
-                decryption.
-            ciphertext (bytes): Required. The data encrypted with the named ``CryptoKeyVersion``'s
-                public key using OAEP.
-            retry (Optional[google.api_core.retry.Retry]):  A retry object used
-                to retry requests. If ``None`` is specified, requests will
-                be retried using a default configuration.
-            timeout (Optional[float]): The amount of time, in seconds, to wait
-                for the request to complete. Note that if ``retry`` is
-                specified, the timeout applies to each individual attempt.
-            metadata (Optional[Sequence[Tuple[str, str]]]): Additional metadata
-                that is provided to the method.
-
-        Returns:
-            A :class:`~google.cloud.kms_v1.types.AsymmetricDecryptResponse` instance.
-
-        Raises:
-            google.api_core.exceptions.GoogleAPICallError: If the request
-                    failed for any reason.
-            google.api_core.exceptions.RetryError: If the request failed due
-                    to a retryable error and retry attempts failed.
-            ValueError: If the parameters are invalid.
-        """
-        # Wrap the transport method to add retry and timeout logic.
-        if "asymmetric_decrypt" not in self._inner_api_calls:
-            self._inner_api_calls[
-                "asymmetric_decrypt"
-            ] = google.api_core.gapic_v1.method.wrap_method(
-                self.transport.asymmetric_decrypt,
-                default_retry=self._method_configs["AsymmetricDecrypt"].retry,
-                default_timeout=self._method_configs["AsymmetricDecrypt"].timeout,
-                client_info=self._client_info,
-            )
-
-        request = service_pb2.AsymmetricDecryptRequest(name=name, ciphertext=ciphertext)
-        if metadata is None:
-            metadata = []
-        metadata = list(metadata)
-        try:
-            routing_header = [("name", name)]
-        except AttributeError:
-            pass
-        else:
-            routing_metadata = google.api_core.gapic_v1.routing_header.to_grpc_metadata(
-                routing_header
-            )
-            metadata.append(routing_metadata)
-
-        return self._inner_api_calls["asymmetric_decrypt"](
-            request, retry=retry, timeout=timeout, metadata=metadata
-        )
-
-    def asymmetric_sign(
-        self,
-        name,
-        digest,
-        retry=google.api_core.gapic_v1.method.DEFAULT,
-        timeout=google.api_core.gapic_v1.method.DEFAULT,
-        metadata=None,
-    ):
-        """
-        Signs data using a ``CryptoKeyVersion`` with ``CryptoKey.purpose``
-        ASYMMETRIC\_SIGN, producing a signature that can be verified with the
-        public key retrieved from ``GetPublicKey``.
-
-        Example:
-            >>> from google.cloud import kms_v1
-            >>>
-            >>> client = kms_v1.KeyManagementServiceClient()
-            >>>
-            >>> name = client.crypto_key_version_path('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]', '[CRYPTO_KEY_VERSION]')
-            >>>
-            >>> # TODO: Initialize `digest`:
-            >>> digest = {}
-            >>>
-            >>> response = client.asymmetric_sign(name, digest)
-
-        Args:
-            name (str): Required. The resource name of the ``CryptoKeyVersion`` to use for
-                signing.
-            digest (Union[dict, ~google.cloud.kms_v1.types.Digest]): Required. The digest of the data to sign. The digest must be produced
-                with the same digest algorithm as specified by the key version's
-                ``algorithm``.
-
-                If a dict is provided, it must be of the same form as the protobuf
-                message :class:`~google.cloud.kms_v1.types.Digest`
-            retry (Optional[google.api_core.retry.Retry]):  A retry object used
-                to retry requests. If ``None`` is specified, requests will
-                be retried using a default configuration.
-            timeout (Optional[float]): The amount of time, in seconds, to wait
-                for the request to complete. Note that if ``retry`` is
-                specified, the timeout applies to each individual attempt.
-            metadata (Optional[Sequence[Tuple[str, str]]]): Additional metadata
-                that is provided to the method.
-
-        Returns:
-            A :class:`~google.cloud.kms_v1.types.AsymmetricSignResponse` instance.
-
-        Raises:
-            google.api_core.exceptions.GoogleAPICallError: If the request
-                    failed for any reason.
-            google.api_core.exceptions.RetryError: If the request failed due
-                    to a retryable error and retry attempts failed.
-            ValueError: If the parameters are invalid.
-        """
-        # Wrap the transport method to add retry and timeout logic.
-        if "asymmetric_sign" not in self._inner_api_calls:
-            self._inner_api_calls[
-                "asymmetric_sign"
-            ] = google.api_core.gapic_v1.method.wrap_method(
-                self.transport.asymmetric_sign,
-                default_retry=self._method_configs["AsymmetricSign"].retry,
-                default_timeout=self._method_configs["AsymmetricSign"].timeout,
-                client_info=self._client_info,
-            )
-
-        request = service_pb2.AsymmetricSignRequest(name=name, digest=digest)
-        if metadata is None:
-            metadata = []
-        metadata = list(metadata)
-        try:
-            routing_header = [("name", name)]
-        except AttributeError:
-            pass
-        else:
-            routing_metadata = google.api_core.gapic_v1.routing_header.to_grpc_metadata(
-                routing_header
-            )
-            metadata.append(routing_metadata)
-
-        return self._inner_api_calls["asymmetric_sign"](
-            request, retry=retry, timeout=timeout, metadata=metadata
-        )
-
-    def set_iam_policy(
-        self,
-        resource,
-        policy,
-        retry=google.api_core.gapic_v1.method.DEFAULT,
-        timeout=google.api_core.gapic_v1.method.DEFAULT,
-        metadata=None,
-    ):
-        """
-        Sets the access control policy on the specified resource. Replaces
-        any existing policy.
-
-        Can return Public Errors: NOT_FOUND, INVALID_ARGUMENT and
-        PERMISSION_DENIED
-
-        Example:
-            >>> from google.cloud import kms_v1
-            >>>
-            >>> client = kms_v1.KeyManagementServiceClient()
-            >>>
-            >>> # TODO: Initialize `resource`:
-            >>> resource = ''
-            >>>
-            >>> # TODO: Initialize `policy`:
-            >>> policy = {}
-            >>>
-            >>> response = client.set_iam_policy(resource, policy)
-
-        Args:
-            resource (str): REQUIRED: The resource for which the policy is being specified.
-                See the operation documentation for the appropriate value for this field.
-            policy (Union[dict, ~google.cloud.kms_v1.types.Policy]): REQUIRED: The complete policy to be applied to the ``resource``. The
-                size of the policy is limited to a few 10s of KB. An empty policy is a
-                valid policy but certain Cloud Platform services (such as Projects)
-                might reject them.
-
-                If a dict is provided, it must be of the same form as the protobuf
-                message :class:`~google.cloud.kms_v1.types.Policy`
-            retry (Optional[google.api_core.retry.Retry]):  A retry object used
-                to retry requests. If ``None`` is specified, requests will
-                be retried using a default configuration.
-            timeout (Optional[float]): The amount of time, in seconds, to wait
-                for the request to complete. Note that if ``retry`` is
-                specified, the timeout applies to each individual attempt.
-            metadata (Optional[Sequence[Tuple[str, str]]]): Additional metadata
-                that is provided to the method.
-
-        Returns:
-            A :class:`~google.cloud.kms_v1.types.Policy` instance.
-
-        Raises:
-            google.api_core.exceptions.GoogleAPICallError: If the request
-                    failed for any reason.
-            google.api_core.exceptions.RetryError: If the request failed due
-                    to a retryable error and retry attempts failed.
-            ValueError: If the parameters are invalid.
-        """
-        # Wrap the transport method to add retry and timeout logic.
-        if "set_iam_policy" not in self._inner_api_calls:
-            self._inner_api_calls[
-                "set_iam_policy"
-            ] = google.api_core.gapic_v1.method.wrap_method(
-                self.transport.set_iam_policy,
-                default_retry=self._method_configs["SetIamPolicy"].retry,
-                default_timeout=self._method_configs["SetIamPolicy"].timeout,
-                client_info=self._client_info,
-            )
-
-        request = iam_policy_pb2.SetIamPolicyRequest(resource=resource, policy=policy)
-        if metadata is None:
-            metadata = []
-        metadata = list(metadata)
-        try:
-            routing_header = [("resource", resource)]
-        except AttributeError:
-            pass
-        else:
-            routing_metadata = google.api_core.gapic_v1.routing_header.to_grpc_metadata(
-                routing_header
-            )
-            metadata.append(routing_metadata)
-
-        return self._inner_api_calls["set_iam_policy"](
-            request, retry=retry, timeout=timeout, metadata=metadata
-        )
-
-    def get_iam_policy(
-        self,
-        resource,
-        options_=None,
-        retry=google.api_core.gapic_v1.method.DEFAULT,
-        timeout=google.api_core.gapic_v1.method.DEFAULT,
-        metadata=None,
-    ):
-        """
-        Gets the access control policy for a resource. Returns an empty policy
-        if the resource exists and does not have a policy set.
-
-        Example:
-            >>> from google.cloud import kms_v1
-            >>>
-            >>> client = kms_v1.KeyManagementServiceClient()
-            >>>
-            >>> # TODO: Initialize `resource`:
-            >>> resource = ''
-            >>>
-            >>> response = client.get_iam_policy(resource)
-
-        Args:
-            resource (str): REQUIRED: The resource for which the policy is being requested.
-                See the operation documentation for the appropriate value for this field.
-            options_ (Union[dict, ~google.cloud.kms_v1.types.GetPolicyOptions]): OPTIONAL: A ``GetPolicyOptions`` object for specifying options to
-                ``GetIamPolicy``. This field is only used by Cloud IAM.
-
-                If a dict is provided, it must be of the same form as the protobuf
-                message :class:`~google.cloud.kms_v1.types.GetPolicyOptions`
-            retry (Optional[google.api_core.retry.Retry]):  A retry object used
-                to retry requests. If ``None`` is specified, requests will
-                be retried using a default configuration.
-            timeout (Optional[float]): The amount of time, in seconds, to wait
-                for the request to complete. Note that if ``retry`` is
-                specified, the timeout applies to each individual attempt.
-            metadata (Optional[Sequence[Tuple[str, str]]]): Additional metadata
-                that is provided to the method.
-
-        Returns:
-            A :class:`~google.cloud.kms_v1.types.Policy` instance.
-
-        Raises:
-            google.api_core.exceptions.GoogleAPICallError: If the request
-                    failed for any reason.
-            google.api_core.exceptions.RetryError: If the request failed due
-                    to a retryable error and retry attempts failed.
-            ValueError: If the parameters are invalid.
-        """
-        # Wrap the transport method to add retry and timeout logic.
-        if "get_iam_policy" not in self._inner_api_calls:
-            self._inner_api_calls[
-                "get_iam_policy"
-            ] = google.api_core.gapic_v1.method.wrap_method(
-                self.transport.get_iam_policy,
-                default_retry=self._method_configs["GetIamPolicy"].retry,
-                default_timeout=self._method_configs["GetIamPolicy"].timeout,
-                client_info=self._client_info,
-            )
-
-        request = iam_policy_pb2.GetIamPolicyRequest(
-            resource=resource, options=options_
-        )
-        if metadata is None:
-            metadata = []
-        metadata = list(metadata)
-        try:
-            routing_header = [("resource", resource)]
-        except AttributeError:
-            pass
-        else:
-            routing_metadata = google.api_core.gapic_v1.routing_header.to_grpc_metadata(
-                routing_header
-            )
-            metadata.append(routing_metadata)
-
-        return self._inner_api_calls["get_iam_policy"](
-            request, retry=retry, timeout=timeout, metadata=metadata
-        )
-
-    def test_iam_permissions(
-        self,
-        resource,
-        permissions,
-        retry=google.api_core.gapic_v1.method.DEFAULT,
-        timeout=google.api_core.gapic_v1.method.DEFAULT,
-        metadata=None,
-    ):
-        """
-        Returns permissions that a caller has on the specified resource. If the
-        resource does not exist, this will return an empty set of
-        permissions, not a NOT_FOUND error.
-
-        Note: This operation is designed to be used for building
-        permission-aware UIs and command-line tools, not for authorization
-        checking. This operation may "fail open" without warning.
-
-        Example:
-            >>> from google.cloud import kms_v1
-            >>>
-            >>> client = kms_v1.KeyManagementServiceClient()
-            >>>
-            >>> # TODO: Initialize `resource`:
-            >>> resource = ''
-            >>>
-            >>> # TODO: Initialize `permissions`:
-            >>> permissions = []
-            >>>
-            >>> response = client.test_iam_permissions(resource, permissions)
-
-        Args:
-            resource (str): REQUIRED: The resource for which the policy detail is being requested.
-                See the operation documentation for the appropriate value for this field.
-            permissions (list[str]): The set of permissions to check for the ``resource``. Permissions with
-                wildcards (such as '*' or 'storage.*') are not allowed. For more
-                information see `IAM
-                Overview <https://cloud.google.com/iam/docs/overview#permissions>`__.
-            retry (Optional[google.api_core.retry.Retry]):  A retry object used
-                to retry requests. If ``None`` is specified, requests will
-                be retried using a default configuration.
-            timeout (Optional[float]): The amount of time, in seconds, to wait
-                for the request to complete. Note that if ``retry`` is
-                specified, the timeout applies to each individual attempt.
-            metadata (Optional[Sequence[Tuple[str, str]]]): Additional metadata
-                that is provided to the method.
-
-        Returns:
-            A :class:`~google.cloud.kms_v1.types.TestIamPermissionsResponse` instance.
-
-        Raises:
-            google.api_core.exceptions.GoogleAPICallError: If the request
-                    failed for any reason.
-            google.api_core.exceptions.RetryError: If the request failed due
-                    to a retryable error and retry attempts failed.
-            ValueError: If the parameters are invalid.
-        """
-        # Wrap the transport method to add retry and timeout logic.
-        if "test_iam_permissions" not in self._inner_api_calls:
-            self._inner_api_calls[
-                "test_iam_permissions"
-            ] = google.api_core.gapic_v1.method.wrap_method(
-                self.transport.test_iam_permissions,
-                default_retry=self._method_configs["TestIamPermissions"].retry,
-                default_timeout=self._method_configs["TestIamPermissions"].timeout,
-                client_info=self._client_info,
-            )
-
-        request = iam_policy_pb2.TestIamPermissionsRequest(
-            resource=resource, permissions=permissions
-        )
-        if metadata is None:
-            metadata = []
-        metadata = list(metadata)
-        try:
-            routing_header = [("resource", resource)]
-        except AttributeError:
-            pass
-        else:
-            routing_metadata = google.api_core.gapic_v1.routing_header.to_grpc_metadata(
-                routing_header
-            )
-            metadata.append(routing_metadata)
-
-        return self._inner_api_calls["test_iam_permissions"](
-            request, retry=retry, timeout=timeout, metadata=metadata
-        )
diff --git a/packages/google-cloud-kms/google/cloud/kms_v1/gapic/key_management_service_client_config.py b/packages/google-cloud-kms/google/cloud/kms_v1/gapic/key_management_service_client_config.py
deleted file mode 100644
index 0909a8a75eda..000000000000
--- a/packages/google-cloud-kms/google/cloud/kms_v1/gapic/key_management_service_client_config.py
+++ /dev/null
@@ -1,155 +0,0 @@
-config = {
-    "interfaces": {
-        "google.cloud.kms.v1.KeyManagementService": {
-            "retry_codes": {
-                "retryable": ["DEADLINE_EXCEEDED", "INTERNAL", "UNAVAILABLE"],
-                "idempotent": ["DEADLINE_EXCEEDED", "UNAVAILABLE"],
-                "non_idempotent": [],
-                "non_retryable": [],
-            },
-            "retry_params": {
-                "default": {
-                    "initial_retry_delay_millis": 100,
-                    "retry_delay_multiplier": 1.3,
-                    "max_retry_delay_millis": 60000,
-                    "initial_rpc_timeout_millis": 20000,
-                    "rpc_timeout_multiplier": 1.0,
-                    "max_rpc_timeout_millis": 20000,
-                    "total_timeout_millis": 600000,
-                }
-            },
-            "methods": {
-                "ListKeyRings": {
-                    "timeout_millis": 60000,
-                    "retry_codes_name": "retryable",
-                    "retry_params_name": "default",
-                },
-                "ListImportJobs": {
-                    "timeout_millis": 60000,
-                    "retry_codes_name": "retryable",
-                    "retry_params_name": "default",
-                },
-                "ListCryptoKeys": {
-                    "timeout_millis": 60000,
-                    "retry_codes_name": "retryable",
-                    "retry_params_name": "default",
-                },
-                "ListCryptoKeyVersions": {
-                    "timeout_millis": 60000,
-                    "retry_codes_name": "retryable",
-                    "retry_params_name": "default",
-                },
-                "GetKeyRing": {
-                    "timeout_millis": 60000,
-                    "retry_codes_name": "retryable",
-                    "retry_params_name": "default",
-                },
-                "GetImportJob": {
-                    "timeout_millis": 60000,
-                    "retry_codes_name": "retryable",
-                    "retry_params_name": "default",
-                },
-                "GetCryptoKey": {
-                    "timeout_millis": 60000,
-                    "retry_codes_name": "retryable",
-                    "retry_params_name": "default",
-                },
-                "GetCryptoKeyVersion": {
-                    "timeout_millis": 60000,
-                    "retry_codes_name": "retryable",
-                    "retry_params_name": "default",
-                },
-                "CreateKeyRing": {
-                    "timeout_millis": 60000,
-                    "retry_codes_name": "retryable",
-                    "retry_params_name": "default",
-                },
-                "CreateImportJob": {
-                    "timeout_millis": 60000,
-                    "retry_codes_name": "retryable",
-                    "retry_params_name": "default",
-                },
-                "CreateCryptoKey": {
-                    "timeout_millis": 60000,
-                    "retry_codes_name": "retryable",
-                    "retry_params_name": "default",
-                },
-                "CreateCryptoKeyVersion": {
-                    "timeout_millis": 60000,
-                    "retry_codes_name": "non_retryable",
-                    "retry_params_name": "default",
-                },
-                "ImportCryptoKeyVersion": {
-                    "timeout_millis": 60000,
-                    "retry_codes_name": "non_retryable",
-                    "retry_params_name": "default",
-                },
-                "UpdateCryptoKey": {
-                    "timeout_millis": 60000,
-                    "retry_codes_name": "retryable",
-                    "retry_params_name": "default",
-                },
-                "UpdateCryptoKeyVersion": {
-                    "timeout_millis": 60000,
-                    "retry_codes_name": "retryable",
-                    "retry_params_name": "default",
-                },
-                "Encrypt": {
-                    "timeout_millis": 60000,
-                    "retry_codes_name": "retryable",
-                    "retry_params_name": "default",
-                },
-                "Decrypt": {
-                    "timeout_millis": 60000,
-                    "retry_codes_name": "retryable",
-                    "retry_params_name": "default",
-                },
-                "UpdateCryptoKeyPrimaryVersion": {
-                    "timeout_millis": 60000,
-                    "retry_codes_name": "retryable",
-                    "retry_params_name": "default",
-                },
-                "DestroyCryptoKeyVersion": {
-                    "timeout_millis": 60000,
-                    "retry_codes_name": "retryable",
-                    "retry_params_name": "default",
-                },
-                "RestoreCryptoKeyVersion": {
-                    "timeout_millis": 60000,
-                    "retry_codes_name": "retryable",
-                    "retry_params_name": "default",
-                },
-                "GetPublicKey": {
-                    "timeout_millis": 60000,
-                    "retry_codes_name": "retryable",
-                    "retry_params_name": "default",
-                },
-                "AsymmetricDecrypt": {
-                    "timeout_millis": 60000,
-                    "retry_codes_name": "retryable",
-                    "retry_params_name": "default",
-                },
-                "AsymmetricSign": {
-                    "timeout_millis": 60000,
-                    "retry_codes_name": "retryable",
-                    "retry_params_name": "default",
-                },
-                "SetIamPolicy": {
-                    "timeout_millis": 60000,
-                    "retry_codes_name": "retryable",
-                    "retry_params_name": "default",
-                },
-                "GetIamPolicy": {
-                    "timeout_millis": 60000,
-                    "retry_codes_name": "retryable",
-                    "retry_params_name": "default",
-                },
-                "TestIamPermissions": {
-                    "timeout_millis": 60000,
-                    "retry_codes_name": "retryable",
-                    "retry_params_name": "default",
-                },
-            },
-        }
-    }
-}
diff --git a/packages/google-cloud-kms/google/cloud/kms_v1/gapic/transports/__init__.py b/packages/google-cloud-kms/google/cloud/kms_v1/gapic/transports/__init__.py
deleted file mode 100644
index e69de29bb2d1..000000000000
diff --git a/packages/google-cloud-kms/google/cloud/kms_v1/gapic/transports/key_management_service_grpc_transport.py b/packages/google-cloud-kms/google/cloud/kms_v1/gapic/transports/key_management_service_grpc_transport.py
deleted file mode 100644
index 4a03c3dcab5b..000000000000
--- a/packages/google-cloud-kms/google/cloud/kms_v1/gapic/transports/key_management_service_grpc_transport.py
+++ /dev/null
@@ -1,502 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-
-import google.api_core.grpc_helpers
-
-from google.cloud.kms_v1.proto import service_pb2_grpc
-from google.iam.v1 import iam_policy_pb2_grpc as iam_policy_pb2_grpc
-
-
-class KeyManagementServiceGrpcTransport(object):
-    """gRPC transport class providing stubs for
-    google.cloud.kms.v1 KeyManagementService API.
-
-    The transport provides access to the raw gRPC stubs,
-    which can be used to take advantage of advanced
-    features of gRPC.
-    """
-
-    # The scopes needed to make gRPC calls to all of the methods defined
-    # in this service.
-    _OAUTH_SCOPES = (
-        "https://www.googleapis.com/auth/cloud-platform",
-        "https://www.googleapis.com/auth/cloudkms",
-    )
-
-    def __init__(
-        self, channel=None, credentials=None, address="cloudkms.googleapis.com:443"
-    ):
-        """Instantiate the transport class.
-
-        Args:
-            channel (grpc.Channel): A ``Channel`` instance through
-                which to make calls. This argument is mutually exclusive
-                with ``credentials``; providing both will raise an exception.
-            credentials (google.auth.credentials.Credentials): The
-                authorization credentials to attach to requests. These
-                credentials identify this application to the service. If none
-                are specified, the client will attempt to ascertain the
-                credentials from the environment.
-            address (str): The address where the service is hosted.
-        """
-        # If both `channel` and `credentials` are specified, raise an
-        # exception (channels come with credentials baked in already).
-        if channel is not None and credentials is not None:
-            raise ValueError(
-                "The `channel` and `credentials` arguments are mutually " "exclusive."
-            )
-
-        # Create the channel.
-        if channel is None:
-            channel = self.create_channel(
-                address=address,
-                credentials=credentials,
-                options={
-                    "grpc.max_send_message_length": -1,
-                    "grpc.max_receive_message_length": -1,
-                }.items(),
-            )
-
-        self._channel = channel
-
-        # gRPC uses objects called "stubs" that are bound to the
-        # channel and provide a basic method for each RPC.
-        self._stubs = {
-            "key_management_service_stub": service_pb2_grpc.KeyManagementServiceStub(
-                channel
-            ),
-            "iam_policy_stub": iam_policy_pb2_grpc.IAMPolicyStub(channel),
-        }
-
-    @classmethod
-    def create_channel(
-        cls, address="cloudkms.googleapis.com:443", credentials=None, **kwargs
-    ):
-        """Create and return a gRPC channel object.
-
-        Args:
-            address (str): The host for the channel to use.
-            credentials (~.Credentials): The
-                authorization credentials to attach to requests. These
-                credentials identify this application to the service. If
-                none are specified, the client will attempt to ascertain
-                the credentials from the environment.
-            kwargs (dict): Keyword arguments, which are passed to the
-                channel creation.
-
-        Returns:
-            grpc.Channel: A gRPC channel object.
-        """
-        return google.api_core.grpc_helpers.create_channel(
-            address, credentials=credentials, scopes=cls._OAUTH_SCOPES, **kwargs
-        )
-
-    @property
-    def channel(self):
-        """The gRPC channel used by the transport.
-
-        Returns:
-            grpc.Channel: A gRPC channel object.
-        """
-        return self._channel
-
-    @property
-    def list_key_rings(self):
-        """Return the gRPC stub for :meth:`KeyManagementServiceClient.list_key_rings`.
-
-        Lists ``KeyRings``.
-
-        Returns:
-            Callable: A callable which accepts the appropriate
-                deserialized request object and returns a
-                deserialized response object.
-        """
-        return self._stubs["key_management_service_stub"].ListKeyRings
-
-    @property
-    def list_import_jobs(self):
-        """Return the gRPC stub for :meth:`KeyManagementServiceClient.list_import_jobs`.
-
-        Lists ``ImportJobs``.
-
-        Returns:
-            Callable: A callable which accepts the appropriate
-                deserialized request object and returns a
-                deserialized response object.
-        """
-        return self._stubs["key_management_service_stub"].ListImportJobs
-
-    @property
-    def list_crypto_keys(self):
-        """Return the gRPC stub for :meth:`KeyManagementServiceClient.list_crypto_keys`.
-
-        Lists ``CryptoKeys``.
-
-        Returns:
-            Callable: A callable which accepts the appropriate
-                deserialized request object and returns a
-                deserialized response object.
-        """
-        return self._stubs["key_management_service_stub"].ListCryptoKeys
-
-    @property
-    def list_crypto_key_versions(self):
-        """Return the gRPC stub for :meth:`KeyManagementServiceClient.list_crypto_key_versions`.
-
-        Lists ``CryptoKeyVersions``.
-
-        Returns:
-            Callable: A callable which accepts the appropriate
-                deserialized request object and returns a
-                deserialized response object.
-        """
-        return self._stubs["key_management_service_stub"].ListCryptoKeyVersions
-
-    @property
-    def get_key_ring(self):
-        """Return the gRPC stub for :meth:`KeyManagementServiceClient.get_key_ring`.
-
-        Returns metadata for a given ``KeyRing``.
-
-        Returns:
-            Callable: A callable which accepts the appropriate
-                deserialized request object and returns a
-                deserialized response object.
-        """
-        return self._stubs["key_management_service_stub"].GetKeyRing
-
-    @property
-    def get_import_job(self):
-        """Return the gRPC stub for :meth:`KeyManagementServiceClient.get_import_job`.
-
-        Returns metadata for a given ``ImportJob``.
-
-        Returns:
-            Callable: A callable which accepts the appropriate
-                deserialized request object and returns a
-                deserialized response object.
-        """
-        return self._stubs["key_management_service_stub"].GetImportJob
-
-    @property
-    def get_crypto_key(self):
-        """Return the gRPC stub for :meth:`KeyManagementServiceClient.get_crypto_key`.
-
-        Returns metadata for a given ``CryptoKey``, as well as its ``primary``
-        ``CryptoKeyVersion``.
-
-        Returns:
-            Callable: A callable which accepts the appropriate
-                deserialized request object and returns a
-                deserialized response object.
-        """
-        return self._stubs["key_management_service_stub"].GetCryptoKey
-
-    @property
-    def get_crypto_key_version(self):
-        """Return the gRPC stub for :meth:`KeyManagementServiceClient.get_crypto_key_version`.
-
-        Returns metadata for a given ``CryptoKeyVersion``.
-
-        Returns:
-            Callable: A callable which accepts the appropriate
-                deserialized request object and returns a
-                deserialized response object.
-        """
-        return self._stubs["key_management_service_stub"].GetCryptoKeyVersion
-
-    @property
-    def create_key_ring(self):
-        """Return the gRPC stub for :meth:`KeyManagementServiceClient.create_key_ring`.
-
-        Create a new ``KeyRing`` in a given Project and Location.
-
-        Returns:
-            Callable: A callable which accepts the appropriate
-                deserialized request object and returns a
-                deserialized response object.
-        """
-        return self._stubs["key_management_service_stub"].CreateKeyRing
-
-    @property
-    def create_import_job(self):
-        """Return the gRPC stub for :meth:`KeyManagementServiceClient.create_import_job`.
-
-        Create a new ``ImportJob`` within a ``KeyRing``.
-
-        ``ImportJob.import_method`` is required.
-
-        Returns:
-            Callable: A callable which accepts the appropriate
-                deserialized request object and returns a
-                deserialized response object.
-        """
-        return self._stubs["key_management_service_stub"].CreateImportJob
-
-    @property
-    def create_crypto_key(self):
-        """Return the gRPC stub for :meth:`KeyManagementServiceClient.create_crypto_key`.
-
-        Create a new ``CryptoKey`` within a ``KeyRing``.
-
-        ``CryptoKey.purpose`` and ``CryptoKey.version_template.algorithm`` are
-        required.
-
-        Returns:
-            Callable: A callable which accepts the appropriate
-                deserialized request object and returns a
-                deserialized response object.
-        """
-        return self._stubs["key_management_service_stub"].CreateCryptoKey
-
-    @property
-    def create_crypto_key_version(self):
-        """Return the gRPC stub for :meth:`KeyManagementServiceClient.create_crypto_key_version`.
-
-        Create a new ``CryptoKeyVersion`` in a ``CryptoKey``.
-
-        The server will assign the next sequential id. If unset, ``state`` will
-        be set to ``ENABLED``.
-
-        Returns:
-            Callable: A callable which accepts the appropriate
-                deserialized request object and returns a
-                deserialized response object.
-        """
-        return self._stubs["key_management_service_stub"].CreateCryptoKeyVersion
-
-    @property
-    def import_crypto_key_version(self):
-        """Return the gRPC stub for :meth:`KeyManagementServiceClient.import_crypto_key_version`.
-
-        Imports a new ``CryptoKeyVersion`` into an existing ``CryptoKey`` using
-        the wrapped key material provided in the request.
-
-        The version ID will be assigned the next sequential id within the
-        ``CryptoKey``.
-
-        Returns:
-            Callable: A callable which accepts the appropriate
-                deserialized request object and returns a
-                deserialized response object.
-        """
-        return self._stubs["key_management_service_stub"].ImportCryptoKeyVersion
-
-    @property
-    def update_crypto_key(self):
-        """Return the gRPC stub for :meth:`KeyManagementServiceClient.update_crypto_key`.
-
-        Update a ``CryptoKey``.
-
-        Returns:
-            Callable: A callable which accepts the appropriate
-                deserialized request object and returns a
-                deserialized response object.
-        """
-        return self._stubs["key_management_service_stub"].UpdateCryptoKey
-
-    @property
-    def update_crypto_key_version(self):
-        """Return the gRPC stub for :meth:`KeyManagementServiceClient.update_crypto_key_version`.
-
-        Update a ``CryptoKeyVersion``'s metadata.
-
-        ``state`` may be changed between ``ENABLED`` and ``DISABLED`` using this
-        method. See ``DestroyCryptoKeyVersion`` and ``RestoreCryptoKeyVersion``
-        to move between other states.
-
-        Returns:
-            Callable: A callable which accepts the appropriate
-                deserialized request object and returns a
-                deserialized response object.
-        """
-        return self._stubs["key_management_service_stub"].UpdateCryptoKeyVersion
-
-    @property
-    def encrypt(self):
-        """Return the gRPC stub for :meth:`KeyManagementServiceClient.encrypt`.
-
-        Encrypts data, so that it can only be recovered by a call to
-        ``Decrypt``. The ``CryptoKey.purpose`` must be ``ENCRYPT_DECRYPT``.
-
-        Returns:
-            Callable: A callable which accepts the appropriate
-                deserialized request object and returns a
-                deserialized response object.
-        """
-        return self._stubs["key_management_service_stub"].Encrypt
-
-    @property
-    def decrypt(self):
-        """Return the gRPC stub for :meth:`KeyManagementServiceClient.decrypt`.
-
-        Decrypts data that was protected by ``Encrypt``. The
-        ``CryptoKey.purpose`` must be ``ENCRYPT_DECRYPT``.
-
-        Returns:
-            Callable: A callable which accepts the appropriate
-                deserialized request object and returns a
-                deserialized response object.
-        """
-        return self._stubs["key_management_service_stub"].Decrypt
-
-    @property
-    def update_crypto_key_primary_version(self):
-        """Return the gRPC stub for :meth:`KeyManagementServiceClient.update_crypto_key_primary_version`.
-
-        Update the version of a ``CryptoKey`` that will be used in ``Encrypt``.
-
-        Returns an error if called on an asymmetric key.
-
-        Returns:
-            Callable: A callable which accepts the appropriate
-                deserialized request object and returns a
-                deserialized response object.
-        """
-        return self._stubs["key_management_service_stub"].UpdateCryptoKeyPrimaryVersion
-
-    @property
-    def destroy_crypto_key_version(self):
-        """Return the gRPC stub for :meth:`KeyManagementServiceClient.destroy_crypto_key_version`.
-
-        Schedule a ``CryptoKeyVersion`` for destruction.
-
-        Upon calling this method, ``CryptoKeyVersion.state`` will be set to
-        ``DESTROY_SCHEDULED`` and ``destroy_time`` will be set to a time 24
-        hours in the future, at which point the ``state`` will be changed to
-        ``DESTROYED``, and the key material will be irrevocably destroyed.
-
-        Before the ``destroy_time`` is reached, ``RestoreCryptoKeyVersion`` may
-        be called to reverse the process.
-
-        Returns:
-            Callable: A callable which accepts the appropriate
-                deserialized request object and returns a
-                deserialized response object.
-        """
-        return self._stubs["key_management_service_stub"].DestroyCryptoKeyVersion
-
-    @property
-    def restore_crypto_key_version(self):
-        """Return the gRPC stub for :meth:`KeyManagementServiceClient.restore_crypto_key_version`.
-
-        Restore a ``CryptoKeyVersion`` in the ``DESTROY_SCHEDULED`` state.
-
-        Upon restoration of the CryptoKeyVersion, ``state`` will be set to
-        ``DISABLED``, and ``destroy_time`` will be cleared.
-
-        Returns:
-            Callable: A callable which accepts the appropriate
-                deserialized request object and returns a
-                deserialized response object.
-        """
-        return self._stubs["key_management_service_stub"].RestoreCryptoKeyVersion
-
-    @property
-    def get_public_key(self):
-        """Return the gRPC stub for :meth:`KeyManagementServiceClient.get_public_key`.
-
-        Returns the public key for the given ``CryptoKeyVersion``. The
-        ``CryptoKey.purpose`` must be ``ASYMMETRIC_SIGN`` or
-        ``ASYMMETRIC_DECRYPT``.
-
-        Returns:
-            Callable: A callable which accepts the appropriate
-                deserialized request object and returns a
-                deserialized response object.
-        """
-        return self._stubs["key_management_service_stub"].GetPublicKey
-
-    @property
-    def asymmetric_decrypt(self):
-        """Return the gRPC stub for :meth:`KeyManagementServiceClient.asymmetric_decrypt`.
-
-        Decrypts data that was encrypted with a public key retrieved from
-        ``GetPublicKey`` corresponding to a ``CryptoKeyVersion`` with
-        ``CryptoKey.purpose`` ASYMMETRIC\_DECRYPT.
-
-        Returns:
-            Callable: A callable which accepts the appropriate
-                deserialized request object and returns a
-                deserialized response object.
-        """
-        return self._stubs["key_management_service_stub"].AsymmetricDecrypt
-
-    @property
-    def asymmetric_sign(self):
-        """Return the gRPC stub for :meth:`KeyManagementServiceClient.asymmetric_sign`.
-
-        Signs data using a ``CryptoKeyVersion`` with ``CryptoKey.purpose``
-        ASYMMETRIC\_SIGN, producing a signature that can be verified with the
-        public key retrieved from ``GetPublicKey``.
-
-        Returns:
-            Callable: A callable which accepts the appropriate
-                deserialized request object and returns a
-                deserialized response object.
-        """
-        return self._stubs["key_management_service_stub"].AsymmetricSign
-
-    @property
-    def set_iam_policy(self):
-        """Return the gRPC stub for :meth:`KeyManagementServiceClient.set_iam_policy`.
-
-        Sets the access control policy on the specified resource. Replaces
-        any existing policy.
-
-        Can return Public Errors: NOT_FOUND, INVALID_ARGUMENT and
-        PERMISSION_DENIED
-
-        Returns:
-            Callable: A callable which accepts the appropriate
-                deserialized request object and returns a
-                deserialized response object.
-        """
-        return self._stubs["iam_policy_stub"].SetIamPolicy
-
-    @property
-    def get_iam_policy(self):
-        """Return the gRPC stub for :meth:`KeyManagementServiceClient.get_iam_policy`.
-
-        Gets the access control policy for a resource. Returns an empty policy
-        if the resource exists and does not have a policy set.
-
-        Returns:
-            Callable: A callable which accepts the appropriate
-                deserialized request object and returns a
-                deserialized response object.
-        """
-        return self._stubs["iam_policy_stub"].GetIamPolicy
-
-    @property
-    def test_iam_permissions(self):
-        """Return the gRPC stub for :meth:`KeyManagementServiceClient.test_iam_permissions`.
-
-        Returns permissions that a caller has on the specified resource. If the
-        resource does not exist, this will return an empty set of
-        permissions, not a NOT_FOUND error.
-
-        Note: This operation is designed to be used for building
-        permission-aware UIs and command-line tools, not for authorization
-        checking. This operation may "fail open" without warning.
-
-        Returns:
-            Callable: A callable which accepts the appropriate
-                deserialized request object and returns a
-                deserialized response object.
-        """
-        return self._stubs["iam_policy_stub"].TestIamPermissions
diff --git a/packages/google-cloud-kms/google/cloud/kms_v1/proto/__init__.py b/packages/google-cloud-kms/google/cloud/kms_v1/proto/__init__.py
deleted file mode 100644
index e69de29bb2d1..000000000000
diff --git a/packages/google-cloud-kms/google/cloud/kms_v1/proto/resources.proto b/packages/google-cloud-kms/google/cloud/kms_v1/proto/resources.proto
index b2b7ab919fa1..e78b10cc27d3 100644
--- a/packages/google-cloud-kms/google/cloud/kms_v1/proto/resources.proto
+++ b/packages/google-cloud-kms/google/cloud/kms_v1/proto/resources.proto
@@ -138,7 +138,7 @@ message CryptoKey {
   CryptoKeyVersionTemplate version_template = 11;
 
   // Labels with user-defined metadata. For more information, see
-  // [Labeling Keys](/kms/docs/labeling-keys).
+  // [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys).
   map<string, string> labels = 10;
 }
 
diff --git a/packages/google-cloud-kms/google/cloud/kms_v1/proto/resources_pb2.py b/packages/google-cloud-kms/google/cloud/kms_v1/proto/resources_pb2.py
deleted file mode 100644
index c72c1b5e594b..000000000000
--- a/packages/google-cloud-kms/google/cloud/kms_v1/proto/resources_pb2.py
+++ /dev/null
@@ -1,1997 +0,0 @@
-# -*- coding: utf-8 -*-
-# Generated by the protocol buffer compiler.  DO NOT EDIT!
-# source: google/cloud/kms_v1/proto/resources.proto
-
-import sys
-
-_b = sys.version_info[0] < 3 and (lambda x: x) or (lambda x: x.encode("latin1"))
-from google.protobuf.internal import enum_type_wrapper
-from google.protobuf import descriptor as _descriptor
-from google.protobuf import message as _message
-from google.protobuf import reflection as _reflection
-from google.protobuf import symbol_database as _symbol_database
-
-# @@protoc_insertion_point(imports)
-
-_sym_db = _symbol_database.Default()
-
-
-from google.api import field_behavior_pb2 as google_dot_api_dot_field__behavior__pb2
-from google.api import resource_pb2 as google_dot_api_dot_resource__pb2
-from google.protobuf import duration_pb2 as google_dot_protobuf_dot_duration__pb2
-from google.protobuf import timestamp_pb2 as google_dot_protobuf_dot_timestamp__pb2
-from google.api import annotations_pb2 as google_dot_api_dot_annotations__pb2
-
-
-DESCRIPTOR = _descriptor.FileDescriptor(
-    name="google/cloud/kms_v1/proto/resources.proto",
-    package="google.cloud.kms.v1",
-    syntax="proto3",
-    serialized_options=_b(
-        "\n\027com.google.cloud.kms.v1B\021KmsResourcesProtoP\001Z6google.golang.org/genproto/googleapis/cloud/kms/v1;kms\370\001\001\252\002\023Google.Cloud.Kms.V1\312\002\023Google\\Cloud\\Kms\\V1"
-    ),
-    serialized_pb=_b(
-        '\n)google/cloud/kms_v1/proto/resources.proto\x12\x13google.cloud.kms.v1\x1a\x1fgoogle/api/field_behavior.proto\x1a\x19google/api/resource.proto\x1a\x1egoogle/protobuf/duration.proto\x1a\x1fgoogle/protobuf/timestamp.proto\x1a\x1cgoogle/api/annotations.proto"\xb5\x01\n\x07KeyRing\x12\x11\n\x04name\x18\x01 \x01(\tB\x03\xe0\x41\x03\x12\x34\n\x0b\x63reate_time\x18\x02 \x01(\x0b\x32\x1a.google.protobuf.TimestampB\x03\xe0\x41\x03:a\xea\x41^\n\x1f\x63loudkms.googleapis.com/KeyRing\x12;projects/{project}/locations/{location}/keyRings/{key_ring}"\x86\x06\n\tCryptoKey\x12\x11\n\x04name\x18\x01 \x01(\tB\x03\xe0\x41\x03\x12;\n\x07primary\x18\x02 \x01(\x0b\x32%.google.cloud.kms.v1.CryptoKeyVersionB\x03\xe0\x41\x03\x12\x45\n\x07purpose\x18\x03 \x01(\x0e\x32/.google.cloud.kms.v1.CryptoKey.CryptoKeyPurposeB\x03\xe0\x41\x05\x12\x34\n\x0b\x63reate_time\x18\x05 \x01(\x0b\x32\x1a.google.protobuf.TimestampB\x03\xe0\x41\x03\x12\x36\n\x12next_rotation_time\x18\x07 \x01(\x0b\x32\x1a.google.protobuf.Timestamp\x12\x34\n\x0frotation_period\x18\x08 \x01(\x0b\x32\x19.google.protobuf.DurationH\x00\x12G\n\x10version_template\x18\x0b \x01(\x0b\x32-.google.cloud.kms.v1.CryptoKeyVersionTemplate\x12:\n\x06labels\x18\n \x03(\x0b\x32*.google.cloud.kms.v1.CryptoKey.LabelsEntry\x1a-\n\x0bLabelsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01"x\n\x10\x43ryptoKeyPurpose\x12"\n\x1e\x43RYPTO_KEY_PURPOSE_UNSPECIFIED\x10\x00\x12\x13\n\x0f\x45NCRYPT_DECRYPT\x10\x01\x12\x13\n\x0f\x41SYMMETRIC_SIGN\x10\x05\x12\x16\n\x12\x41SYMMETRIC_DECRYPT\x10\x06:{\xea\x41x\n!cloudkms.googleapis.com/CryptoKey\x12Sprojects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}B\x13\n\x11rotation_schedule"\xb3\x01\n\x18\x43ryptoKeyVersionTemplate\x12>\n\x10protection_level\x18\x01 \x01(\x0e\x32$.google.cloud.kms.v1.ProtectionLevel\x12W\n\talgorithm\x18\x03 \x01(\x0e\x32?.google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithmB\x03\xe0\x41\x02"\xf1\x01\n\x17KeyOperationAttestation\x12S\n\x06\x66ormat\x18\x04 \x01(\x0e\x32>.google.cloud.kms.v1.KeyOperationAttestation.AttestationFormatB\x03\xe0\x41\x03\x12\x14\n\x07\x63ontent\x18\x05 \x01(\x0c\x42\x03\xe0\x41\x03"k\n\x11\x41ttestationFormat\x12"\n\x1e\x41TTESTATION_FORMAT_UNSPECIFIED\x10\x00\x12\x18\n\x14\x43\x41VIUM_V1_COMPRESSED\x10\x03\x12\x18\n\x14\x43\x41VIUM_V2_COMPRESSED\x10\x04"\x8a\x0e\n\x10\x43ryptoKeyVersion\x12\x11\n\x04name\x18\x01 \x01(\tB\x03\xe0\x41\x03\x12J\n\x05state\x18\x03 \x01(\x0e\x32;.google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState\x12\x43\n\x10protection_level\x18\x07 \x01(\x0e\x32$.google.cloud.kms.v1.ProtectionLevelB\x03\xe0\x41\x03\x12W\n\talgorithm\x18\n \x01(\x0e\x32?.google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithmB\x03\xe0\x41\x03\x12\x46\n\x0b\x61ttestation\x18\x08 \x01(\x0b\x32,.google.cloud.kms.v1.KeyOperationAttestationB\x03\xe0\x41\x03\x12\x34\n\x0b\x63reate_time\x18\x04 \x01(\x0b\x32\x1a.google.protobuf.TimestampB\x03\xe0\x41\x03\x12\x36\n\rgenerate_time\x18\x0b \x01(\x0b\x32\x1a.google.protobuf.TimestampB\x03\xe0\x41\x03\x12\x35\n\x0c\x64\x65stroy_time\x18\x05 \x01(\x0b\x32\x1a.google.protobuf.TimestampB\x03\xe0\x41\x03\x12;\n\x12\x64\x65stroy_event_time\x18\x06 \x01(\x0b\x32\x1a.google.protobuf.TimestampB\x03\xe0\x41\x03\x12\x17\n\nimport_job\x18\x0e \x01(\tB\x03\xe0\x41\x03\x12\x34\n\x0bimport_time\x18\x0f \x01(\x0b\x32\x1a.google.protobuf.TimestampB\x03\xe0\x41\x03\x12"\n\x15import_failure_reason\x18\x10 \x01(\tB\x03\xe0\x41\x03\x12^\n!external_protection_level_options\x18\x11 \x01(\x0b\x32\x33.google.cloud.kms.v1.ExternalProtectionLevelOptions"\xbf\x04\n\x19\x43ryptoKeyVersionAlgorithm\x12,\n(CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED\x10\x00\x12\x1f\n\x1bGOOGLE_SYMMETRIC_ENCRYPTION\x10\x01\x12\x1c\n\x18RSA_SIGN_PSS_2048_SHA256\x10\x02\x12\x1c\n\x18RSA_SIGN_PSS_3072_SHA256\x10\x03\x12\x1c\n\x18RSA_SIGN_PSS_4096_SHA256\x10\x04\x12\x1c\n\x18RSA_SIGN_PSS_4096_SHA512\x10\x0f\x12\x1e\n\x1aRSA_SIGN_PKCS1_2048_SHA256\x10\x05\x12\x1e\n\x1aRSA_SIGN_PKCS1_3072_SHA256\x10\x06\x12\x1e\n\x1aRSA_SIGN_PKCS1_4096_SHA256\x10\x07\x12\x1e\n\x1aRSA_SIGN_PKCS1_4096_SHA512\x10\x10\x12 \n\x1cRSA_DECRYPT_OAEP_2048_SHA256\x10\x08\x12 \n\x1cRSA_DECRYPT_OAEP_3072_SHA256\x10\t\x12 \n\x1cRSA_DECRYPT_OAEP_4096_SHA256\x10\n\x12 \n\x1cRSA_DECRYPT_OAEP_4096_SHA512\x10\x11\x12\x17\n\x13\x45\x43_SIGN_P256_SHA256\x10\x0c\x12\x17\n\x13\x45\x43_SIGN_P384_SHA384\x10\r\x12!\n\x1d\x45XTERNAL_SYMMETRIC_ENCRYPTION\x10\x12"\xc1\x01\n\x15\x43ryptoKeyVersionState\x12(\n$CRYPTO_KEY_VERSION_STATE_UNSPECIFIED\x10\x00\x12\x16\n\x12PENDING_GENERATION\x10\x05\x12\x0b\n\x07\x45NABLED\x10\x01\x12\x0c\n\x08\x44ISABLED\x10\x02\x12\r\n\tDESTROYED\x10\x03\x12\x15\n\x11\x44\x45STROY_SCHEDULED\x10\x04\x12\x12\n\x0ePENDING_IMPORT\x10\x06\x12\x11\n\rIMPORT_FAILED\x10\x07"I\n\x14\x43ryptoKeyVersionView\x12\'\n#CRYPTO_KEY_VERSION_VIEW_UNSPECIFIED\x10\x00\x12\x08\n\x04\x46ULL\x10\x01:\xaa\x01\xea\x41\xa6\x01\n(cloudkms.googleapis.com/CryptoKeyVersion\x12zprojects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}/cryptoKeyVersions/{crypto_key_version}"\x9d\x02\n\tPublicKey\x12\x0b\n\x03pem\x18\x01 \x01(\t\x12R\n\talgorithm\x18\x02 \x01(\x0e\x32?.google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm:\xae\x01\xea\x41\xaa\x01\n!cloudkms.googleapis.com/PublicKey\x12\x84\x01projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}/cryptoKeyVersions/{crypto_key_version}/publicKey"\xdb\x07\n\tImportJob\x12\x11\n\x04name\x18\x01 \x01(\tB\x03\xe0\x41\x03\x12J\n\rimport_method\x18\x02 \x01(\x0e\x32+.google.cloud.kms.v1.ImportJob.ImportMethodB\x06\xe0\x41\x02\xe0\x41\x05\x12\x46\n\x10protection_level\x18\t \x01(\x0e\x32$.google.cloud.kms.v1.ProtectionLevelB\x06\xe0\x41\x02\xe0\x41\x05\x12\x34\n\x0b\x63reate_time\x18\x03 \x01(\x0b\x32\x1a.google.protobuf.TimestampB\x03\xe0\x41\x03\x12\x36\n\rgenerate_time\x18\x04 \x01(\x0b\x32\x1a.google.protobuf.TimestampB\x03\xe0\x41\x03\x12\x34\n\x0b\x65xpire_time\x18\x05 \x01(\x0b\x32\x1a.google.protobuf.TimestampB\x03\xe0\x41\x03\x12:\n\x11\x65xpire_event_time\x18\n \x01(\x0b\x32\x1a.google.protobuf.TimestampB\x03\xe0\x41\x03\x12\x41\n\x05state\x18\x06 \x01(\x0e\x32-.google.cloud.kms.v1.ImportJob.ImportJobStateB\x03\xe0\x41\x03\x12I\n\npublic_key\x18\x07 \x01(\x0b\x32\x30.google.cloud.kms.v1.ImportJob.WrappingPublicKeyB\x03\xe0\x41\x03\x12\x46\n\x0b\x61ttestation\x18\x08 \x01(\x0b\x32,.google.cloud.kms.v1.KeyOperationAttestationB\x03\xe0\x41\x03\x1a \n\x11WrappingPublicKey\x12\x0b\n\x03pem\x18\x01 \x01(\t"m\n\x0cImportMethod\x12\x1d\n\x19IMPORT_METHOD_UNSPECIFIED\x10\x00\x12\x1e\n\x1aRSA_OAEP_3072_SHA1_AES_256\x10\x01\x12\x1e\n\x1aRSA_OAEP_4096_SHA1_AES_256\x10\x02"c\n\x0eImportJobState\x12 \n\x1cIMPORT_JOB_STATE_UNSPECIFIED\x10\x00\x12\x16\n\x12PENDING_GENERATION\x10\x01\x12\n\n\x06\x41\x43TIVE\x10\x02\x12\x0b\n\x07\x45XPIRED\x10\x03:{\xea\x41x\n!cloudkms.googleapis.com/ImportJob\x12Sprojects/{project}/locations/{location}/keyRings/{key_ring}/importJobs/{import_job}":\n\x1e\x45xternalProtectionLevelOptions\x12\x18\n\x10\x65xternal_key_uri\x18\x01 \x01(\t*X\n\x0fProtectionLevel\x12 \n\x1cPROTECTION_LEVEL_UNSPECIFIED\x10\x00\x12\x0c\n\x08SOFTWARE\x10\x01\x12\x07\n\x03HSM\x10\x02\x12\x0c\n\x08\x45XTERNAL\x10\x03\x42\x95\x01\n\x17\x63om.google.cloud.kms.v1B\x11KmsResourcesProtoP\x01Z6google.golang.org/genproto/googleapis/cloud/kms/v1;kms\xf8\x01\x01\xaa\x02\x13Google.Cloud.Kms.V1\xca\x02\x13Google\\Cloud\\Kms\\V1b\x06proto3'
-    ),
-    dependencies=[
-        google_dot_api_dot_field__behavior__pb2.DESCRIPTOR,
-        google_dot_api_dot_resource__pb2.DESCRIPTOR,
-        google_dot_protobuf_dot_duration__pb2.DESCRIPTOR,
-        google_dot_protobuf_dot_timestamp__pb2.DESCRIPTOR,
-        google_dot_api_dot_annotations__pb2.DESCRIPTOR,
-    ],
-)
-
-_PROTECTIONLEVEL = _descriptor.EnumDescriptor(
-    name="ProtectionLevel",
-    full_name="google.cloud.kms.v1.ProtectionLevel",
-    filename=None,
-    file=DESCRIPTOR,
-    values=[
-        _descriptor.EnumValueDescriptor(
-            name="PROTECTION_LEVEL_UNSPECIFIED",
-            index=0,
-            number=0,
-            serialized_options=None,
-            type=None,
-        ),
-        _descriptor.EnumValueDescriptor(
-            name="SOFTWARE", index=1, number=1, serialized_options=None, type=None
-        ),
-        _descriptor.EnumValueDescriptor(
-            name="HSM", index=2, number=2, serialized_options=None, type=None
-        ),
-        _descriptor.EnumValueDescriptor(
-            name="EXTERNAL", index=3, number=3, serialized_options=None, type=None
-        ),
-    ],
-    containing_type=None,
-    serialized_options=None,
-    serialized_start=4751,
-    serialized_end=4839,
-)
-_sym_db.RegisterEnumDescriptor(_PROTECTIONLEVEL)
-
-ProtectionLevel = enum_type_wrapper.EnumTypeWrapper(_PROTECTIONLEVEL)
-PROTECTION_LEVEL_UNSPECIFIED = 0
-SOFTWARE = 1
-HSM = 2
-EXTERNAL = 3
-
-
-_CRYPTOKEY_CRYPTOKEYPURPOSE = _descriptor.EnumDescriptor(
-    name="CryptoKeyPurpose",
-    full_name="google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose",
-    filename=None,
-    file=DESCRIPTOR,
-    values=[
-        _descriptor.EnumValueDescriptor(
-            name="CRYPTO_KEY_PURPOSE_UNSPECIFIED",
-            index=0,
-            number=0,
-            serialized_options=None,
-            type=None,
-        ),
-        _descriptor.EnumValueDescriptor(
-            name="ENCRYPT_DECRYPT",
-            index=1,
-            number=1,
-            serialized_options=None,
-            type=None,
-        ),
-        _descriptor.EnumValueDescriptor(
-            name="ASYMMETRIC_SIGN",
-            index=2,
-            number=5,
-            serialized_options=None,
-            type=None,
-        ),
-        _descriptor.EnumValueDescriptor(
-            name="ASYMMETRIC_DECRYPT",
-            index=3,
-            number=6,
-            serialized_options=None,
-            type=None,
-        ),
-    ],
-    containing_type=None,
-    serialized_options=None,
-    serialized_start=914,
-    serialized_end=1034,
-)
-_sym_db.RegisterEnumDescriptor(_CRYPTOKEY_CRYPTOKEYPURPOSE)
-
-_KEYOPERATIONATTESTATION_ATTESTATIONFORMAT = _descriptor.EnumDescriptor(
-    name="AttestationFormat",
-    full_name="google.cloud.kms.v1.KeyOperationAttestation.AttestationFormat",
-    filename=None,
-    file=DESCRIPTOR,
-    values=[
-        _descriptor.EnumValueDescriptor(
-            name="ATTESTATION_FORMAT_UNSPECIFIED",
-            index=0,
-            number=0,
-            serialized_options=None,
-            type=None,
-        ),
-        _descriptor.EnumValueDescriptor(
-            name="CAVIUM_V1_COMPRESSED",
-            index=1,
-            number=3,
-            serialized_options=None,
-            type=None,
-        ),
-        _descriptor.EnumValueDescriptor(
-            name="CAVIUM_V2_COMPRESSED",
-            index=2,
-            number=4,
-            serialized_options=None,
-            type=None,
-        ),
-    ],
-    containing_type=None,
-    serialized_options=None,
-    serialized_start=1499,
-    serialized_end=1606,
-)
-_sym_db.RegisterEnumDescriptor(_KEYOPERATIONATTESTATION_ATTESTATIONFORMAT)
-
-_CRYPTOKEYVERSION_CRYPTOKEYVERSIONALGORITHM = _descriptor.EnumDescriptor(
-    name="CryptoKeyVersionAlgorithm",
-    full_name="google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm",
-    filename=None,
-    file=DESCRIPTOR,
-    values=[
-        _descriptor.EnumValueDescriptor(
-            name="CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED",
-            index=0,
-            number=0,
-            serialized_options=None,
-            type=None,
-        ),
-        _descriptor.EnumValueDescriptor(
-            name="GOOGLE_SYMMETRIC_ENCRYPTION",
-            index=1,
-            number=1,
-            serialized_options=None,
-            type=None,
-        ),
-        _descriptor.EnumValueDescriptor(
-            name="RSA_SIGN_PSS_2048_SHA256",
-            index=2,
-            number=2,
-            serialized_options=None,
-            type=None,
-        ),
-        _descriptor.EnumValueDescriptor(
-            name="RSA_SIGN_PSS_3072_SHA256",
-            index=3,
-            number=3,
-            serialized_options=None,
-            type=None,
-        ),
-        _descriptor.EnumValueDescriptor(
-            name="RSA_SIGN_PSS_4096_SHA256",
-            index=4,
-            number=4,
-            serialized_options=None,
-            type=None,
-        ),
-        _descriptor.EnumValueDescriptor(
-            name="RSA_SIGN_PSS_4096_SHA512",
-            index=5,
-            number=15,
-            serialized_options=None,
-            type=None,
-        ),
-        _descriptor.EnumValueDescriptor(
-            name="RSA_SIGN_PKCS1_2048_SHA256",
-            index=6,
-            number=5,
-            serialized_options=None,
-            type=None,
-        ),
-        _descriptor.EnumValueDescriptor(
-            name="RSA_SIGN_PKCS1_3072_SHA256",
-            index=7,
-            number=6,
-            serialized_options=None,
-            type=None,
-        ),
-        _descriptor.EnumValueDescriptor(
-            name="RSA_SIGN_PKCS1_4096_SHA256",
-            index=8,
-            number=7,
-            serialized_options=None,
-            type=None,
-        ),
-        _descriptor.EnumValueDescriptor(
-            name="RSA_SIGN_PKCS1_4096_SHA512",
-            index=9,
-            number=16,
-            serialized_options=None,
-            type=None,
-        ),
-        _descriptor.EnumValueDescriptor(
-            name="RSA_DECRYPT_OAEP_2048_SHA256",
-            index=10,
-            number=8,
-            serialized_options=None,
-            type=None,
-        ),
-        _descriptor.EnumValueDescriptor(
-            name="RSA_DECRYPT_OAEP_3072_SHA256",
-            index=11,
-            number=9,
-            serialized_options=None,
-            type=None,
-        ),
-        _descriptor.EnumValueDescriptor(
-            name="RSA_DECRYPT_OAEP_4096_SHA256",
-            index=12,
-            number=10,
-            serialized_options=None,
-            type=None,
-        ),
-        _descriptor.EnumValueDescriptor(
-            name="RSA_DECRYPT_OAEP_4096_SHA512",
-            index=13,
-            number=17,
-            serialized_options=None,
-            type=None,
-        ),
-        _descriptor.EnumValueDescriptor(
-            name="EC_SIGN_P256_SHA256",
-            index=14,
-            number=12,
-            serialized_options=None,
-            type=None,
-        ),
-        _descriptor.EnumValueDescriptor(
-            name="EC_SIGN_P384_SHA384",
-            index=15,
-            number=13,
-            serialized_options=None,
-            type=None,
-        ),
-        _descriptor.EnumValueDescriptor(
-            name="EXTERNAL_SYMMETRIC_ENCRYPTION",
-            index=16,
-            number=18,
-            serialized_options=None,
-            type=None,
-        ),
-    ],
-    containing_type=None,
-    serialized_options=None,
-    serialized_start=2392,
-    serialized_end=2967,
-)
-_sym_db.RegisterEnumDescriptor(_CRYPTOKEYVERSION_CRYPTOKEYVERSIONALGORITHM)
-
-_CRYPTOKEYVERSION_CRYPTOKEYVERSIONSTATE = _descriptor.EnumDescriptor(
-    name="CryptoKeyVersionState",
-    full_name="google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState",
-    filename=None,
-    file=DESCRIPTOR,
-    values=[
-        _descriptor.EnumValueDescriptor(
-            name="CRYPTO_KEY_VERSION_STATE_UNSPECIFIED",
-            index=0,
-            number=0,
-            serialized_options=None,
-            type=None,
-        ),
-        _descriptor.EnumValueDescriptor(
-            name="PENDING_GENERATION",
-            index=1,
-            number=5,
-            serialized_options=None,
-            type=None,
-        ),
-        _descriptor.EnumValueDescriptor(
-            name="ENABLED", index=2, number=1, serialized_options=None, type=None
-        ),
-        _descriptor.EnumValueDescriptor(
-            name="DISABLED", index=3, number=2, serialized_options=None, type=None
-        ),
-        _descriptor.EnumValueDescriptor(
-            name="DESTROYED", index=4, number=3, serialized_options=None, type=None
-        ),
-        _descriptor.EnumValueDescriptor(
-            name="DESTROY_SCHEDULED",
-            index=5,
-            number=4,
-            serialized_options=None,
-            type=None,
-        ),
-        _descriptor.EnumValueDescriptor(
-            name="PENDING_IMPORT", index=6, number=6, serialized_options=None, type=None
-        ),
-        _descriptor.EnumValueDescriptor(
-            name="IMPORT_FAILED", index=7, number=7, serialized_options=None, type=None
-        ),
-    ],
-    containing_type=None,
-    serialized_options=None,
-    serialized_start=2970,
-    serialized_end=3163,
-)
-_sym_db.RegisterEnumDescriptor(_CRYPTOKEYVERSION_CRYPTOKEYVERSIONSTATE)
-
-_CRYPTOKEYVERSION_CRYPTOKEYVERSIONVIEW = _descriptor.EnumDescriptor(
-    name="CryptoKeyVersionView",
-    full_name="google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionView",
-    filename=None,
-    file=DESCRIPTOR,
-    values=[
-        _descriptor.EnumValueDescriptor(
-            name="CRYPTO_KEY_VERSION_VIEW_UNSPECIFIED",
-            index=0,
-            number=0,
-            serialized_options=None,
-            type=None,
-        ),
-        _descriptor.EnumValueDescriptor(
-            name="FULL", index=1, number=1, serialized_options=None, type=None
-        ),
-    ],
-    containing_type=None,
-    serialized_options=None,
-    serialized_start=3165,
-    serialized_end=3238,
-)
-_sym_db.RegisterEnumDescriptor(_CRYPTOKEYVERSION_CRYPTOKEYVERSIONVIEW)
-
-_IMPORTJOB_IMPORTMETHOD = _descriptor.EnumDescriptor(
-    name="ImportMethod",
-    full_name="google.cloud.kms.v1.ImportJob.ImportMethod",
-    filename=None,
-    file=DESCRIPTOR,
-    values=[
-        _descriptor.EnumValueDescriptor(
-            name="IMPORT_METHOD_UNSPECIFIED",
-            index=0,
-            number=0,
-            serialized_options=None,
-            type=None,
-        ),
-        _descriptor.EnumValueDescriptor(
-            name="RSA_OAEP_3072_SHA1_AES_256",
-            index=1,
-            number=1,
-            serialized_options=None,
-            type=None,
-        ),
-        _descriptor.EnumValueDescriptor(
-            name="RSA_OAEP_4096_SHA1_AES_256",
-            index=2,
-            number=2,
-            serialized_options=None,
-            type=None,
-        ),
-    ],
-    containing_type=None,
-    serialized_options=None,
-    serialized_start=4354,
-    serialized_end=4463,
-)
-_sym_db.RegisterEnumDescriptor(_IMPORTJOB_IMPORTMETHOD)
-
-_IMPORTJOB_IMPORTJOBSTATE = _descriptor.EnumDescriptor(
-    name="ImportJobState",
-    full_name="google.cloud.kms.v1.ImportJob.ImportJobState",
-    filename=None,
-    file=DESCRIPTOR,
-    values=[
-        _descriptor.EnumValueDescriptor(
-            name="IMPORT_JOB_STATE_UNSPECIFIED",
-            index=0,
-            number=0,
-            serialized_options=None,
-            type=None,
-        ),
-        _descriptor.EnumValueDescriptor(
-            name="PENDING_GENERATION",
-            index=1,
-            number=1,
-            serialized_options=None,
-            type=None,
-        ),
-        _descriptor.EnumValueDescriptor(
-            name="ACTIVE", index=2, number=2, serialized_options=None, type=None
-        ),
-        _descriptor.EnumValueDescriptor(
-            name="EXPIRED", index=3, number=3, serialized_options=None, type=None
-        ),
-    ],
-    containing_type=None,
-    serialized_options=None,
-    serialized_start=4465,
-    serialized_end=4564,
-)
-_sym_db.RegisterEnumDescriptor(_IMPORTJOB_IMPORTJOBSTATE)
-
-
-_KEYRING = _descriptor.Descriptor(
-    name="KeyRing",
-    full_name="google.cloud.kms.v1.KeyRing",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="name",
-            full_name="google.cloud.kms.v1.KeyRing.name",
-            index=0,
-            number=1,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\003"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="create_time",
-            full_name="google.cloud.kms.v1.KeyRing.create_time",
-            index=1,
-            number=2,
-            type=11,
-            cpp_type=10,
-            label=1,
-            has_default_value=False,
-            default_value=None,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\003"),
-            file=DESCRIPTOR,
-        ),
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=_b(
-        "\352A^\n\037cloudkms.googleapis.com/KeyRing\022;projects/{project}/locations/{location}/keyRings/{key_ring}"
-    ),
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=222,
-    serialized_end=403,
-)
-
-
-_CRYPTOKEY_LABELSENTRY = _descriptor.Descriptor(
-    name="LabelsEntry",
-    full_name="google.cloud.kms.v1.CryptoKey.LabelsEntry",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="key",
-            full_name="google.cloud.kms.v1.CryptoKey.LabelsEntry.key",
-            index=0,
-            number=1,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="value",
-            full_name="google.cloud.kms.v1.CryptoKey.LabelsEntry.value",
-            index=1,
-            number=2,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        ),
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=_b("8\001"),
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=867,
-    serialized_end=912,
-)
-
-_CRYPTOKEY = _descriptor.Descriptor(
-    name="CryptoKey",
-    full_name="google.cloud.kms.v1.CryptoKey",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="name",
-            full_name="google.cloud.kms.v1.CryptoKey.name",
-            index=0,
-            number=1,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\003"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="primary",
-            full_name="google.cloud.kms.v1.CryptoKey.primary",
-            index=1,
-            number=2,
-            type=11,
-            cpp_type=10,
-            label=1,
-            has_default_value=False,
-            default_value=None,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\003"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="purpose",
-            full_name="google.cloud.kms.v1.CryptoKey.purpose",
-            index=2,
-            number=3,
-            type=14,
-            cpp_type=8,
-            label=1,
-            has_default_value=False,
-            default_value=0,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\005"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="create_time",
-            full_name="google.cloud.kms.v1.CryptoKey.create_time",
-            index=3,
-            number=5,
-            type=11,
-            cpp_type=10,
-            label=1,
-            has_default_value=False,
-            default_value=None,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\003"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="next_rotation_time",
-            full_name="google.cloud.kms.v1.CryptoKey.next_rotation_time",
-            index=4,
-            number=7,
-            type=11,
-            cpp_type=10,
-            label=1,
-            has_default_value=False,
-            default_value=None,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="rotation_period",
-            full_name="google.cloud.kms.v1.CryptoKey.rotation_period",
-            index=5,
-            number=8,
-            type=11,
-            cpp_type=10,
-            label=1,
-            has_default_value=False,
-            default_value=None,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="version_template",
-            full_name="google.cloud.kms.v1.CryptoKey.version_template",
-            index=6,
-            number=11,
-            type=11,
-            cpp_type=10,
-            label=1,
-            has_default_value=False,
-            default_value=None,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="labels",
-            full_name="google.cloud.kms.v1.CryptoKey.labels",
-            index=7,
-            number=10,
-            type=11,
-            cpp_type=10,
-            label=3,
-            has_default_value=False,
-            default_value=[],
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        ),
-    ],
-    extensions=[],
-    nested_types=[_CRYPTOKEY_LABELSENTRY],
-    enum_types=[_CRYPTOKEY_CRYPTOKEYPURPOSE],
-    serialized_options=_b(
-        "\352Ax\n!cloudkms.googleapis.com/CryptoKey\022Sprojects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}"
-    ),
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[
-        _descriptor.OneofDescriptor(
-            name="rotation_schedule",
-            full_name="google.cloud.kms.v1.CryptoKey.rotation_schedule",
-            index=0,
-            containing_type=None,
-            fields=[],
-        )
-    ],
-    serialized_start=406,
-    serialized_end=1180,
-)
-
-
-_CRYPTOKEYVERSIONTEMPLATE = _descriptor.Descriptor(
-    name="CryptoKeyVersionTemplate",
-    full_name="google.cloud.kms.v1.CryptoKeyVersionTemplate",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="protection_level",
-            full_name="google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level",
-            index=0,
-            number=1,
-            type=14,
-            cpp_type=8,
-            label=1,
-            has_default_value=False,
-            default_value=0,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="algorithm",
-            full_name="google.cloud.kms.v1.CryptoKeyVersionTemplate.algorithm",
-            index=1,
-            number=3,
-            type=14,
-            cpp_type=8,
-            label=1,
-            has_default_value=False,
-            default_value=0,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\002"),
-            file=DESCRIPTOR,
-        ),
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=None,
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=1183,
-    serialized_end=1362,
-)
-
-
-_KEYOPERATIONATTESTATION = _descriptor.Descriptor(
-    name="KeyOperationAttestation",
-    full_name="google.cloud.kms.v1.KeyOperationAttestation",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="format",
-            full_name="google.cloud.kms.v1.KeyOperationAttestation.format",
-            index=0,
-            number=4,
-            type=14,
-            cpp_type=8,
-            label=1,
-            has_default_value=False,
-            default_value=0,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\003"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="content",
-            full_name="google.cloud.kms.v1.KeyOperationAttestation.content",
-            index=1,
-            number=5,
-            type=12,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b(""),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\003"),
-            file=DESCRIPTOR,
-        ),
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[_KEYOPERATIONATTESTATION_ATTESTATIONFORMAT],
-    serialized_options=None,
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=1365,
-    serialized_end=1606,
-)
-
-
-_CRYPTOKEYVERSION = _descriptor.Descriptor(
-    name="CryptoKeyVersion",
-    full_name="google.cloud.kms.v1.CryptoKeyVersion",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="name",
-            full_name="google.cloud.kms.v1.CryptoKeyVersion.name",
-            index=0,
-            number=1,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\003"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="state",
-            full_name="google.cloud.kms.v1.CryptoKeyVersion.state",
-            index=1,
-            number=3,
-            type=14,
-            cpp_type=8,
-            label=1,
-            has_default_value=False,
-            default_value=0,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="protection_level",
-            full_name="google.cloud.kms.v1.CryptoKeyVersion.protection_level",
-            index=2,
-            number=7,
-            type=14,
-            cpp_type=8,
-            label=1,
-            has_default_value=False,
-            default_value=0,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\003"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="algorithm",
-            full_name="google.cloud.kms.v1.CryptoKeyVersion.algorithm",
-            index=3,
-            number=10,
-            type=14,
-            cpp_type=8,
-            label=1,
-            has_default_value=False,
-            default_value=0,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\003"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="attestation",
-            full_name="google.cloud.kms.v1.CryptoKeyVersion.attestation",
-            index=4,
-            number=8,
-            type=11,
-            cpp_type=10,
-            label=1,
-            has_default_value=False,
-            default_value=None,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\003"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="create_time",
-            full_name="google.cloud.kms.v1.CryptoKeyVersion.create_time",
-            index=5,
-            number=4,
-            type=11,
-            cpp_type=10,
-            label=1,
-            has_default_value=False,
-            default_value=None,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\003"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="generate_time",
-            full_name="google.cloud.kms.v1.CryptoKeyVersion.generate_time",
-            index=6,
-            number=11,
-            type=11,
-            cpp_type=10,
-            label=1,
-            has_default_value=False,
-            default_value=None,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\003"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="destroy_time",
-            full_name="google.cloud.kms.v1.CryptoKeyVersion.destroy_time",
-            index=7,
-            number=5,
-            type=11,
-            cpp_type=10,
-            label=1,
-            has_default_value=False,
-            default_value=None,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\003"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="destroy_event_time",
-            full_name="google.cloud.kms.v1.CryptoKeyVersion.destroy_event_time",
-            index=8,
-            number=6,
-            type=11,
-            cpp_type=10,
-            label=1,
-            has_default_value=False,
-            default_value=None,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\003"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="import_job",
-            full_name="google.cloud.kms.v1.CryptoKeyVersion.import_job",
-            index=9,
-            number=14,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\003"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="import_time",
-            full_name="google.cloud.kms.v1.CryptoKeyVersion.import_time",
-            index=10,
-            number=15,
-            type=11,
-            cpp_type=10,
-            label=1,
-            has_default_value=False,
-            default_value=None,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\003"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="import_failure_reason",
-            full_name="google.cloud.kms.v1.CryptoKeyVersion.import_failure_reason",
-            index=11,
-            number=16,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\003"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="external_protection_level_options",
-            full_name="google.cloud.kms.v1.CryptoKeyVersion.external_protection_level_options",
-            index=12,
-            number=17,
-            type=11,
-            cpp_type=10,
-            label=1,
-            has_default_value=False,
-            default_value=None,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        ),
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[
-        _CRYPTOKEYVERSION_CRYPTOKEYVERSIONALGORITHM,
-        _CRYPTOKEYVERSION_CRYPTOKEYVERSIONSTATE,
-        _CRYPTOKEYVERSION_CRYPTOKEYVERSIONVIEW,
-    ],
-    serialized_options=_b(
-        "\352A\246\001\n(cloudkms.googleapis.com/CryptoKeyVersion\022zprojects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}/cryptoKeyVersions/{crypto_key_version}"
-    ),
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=1609,
-    serialized_end=3411,
-)
-
-
-_PUBLICKEY = _descriptor.Descriptor(
-    name="PublicKey",
-    full_name="google.cloud.kms.v1.PublicKey",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="pem",
-            full_name="google.cloud.kms.v1.PublicKey.pem",
-            index=0,
-            number=1,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="algorithm",
-            full_name="google.cloud.kms.v1.PublicKey.algorithm",
-            index=1,
-            number=2,
-            type=14,
-            cpp_type=8,
-            label=1,
-            has_default_value=False,
-            default_value=0,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        ),
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=_b(
-        "\352A\252\001\n!cloudkms.googleapis.com/PublicKey\022\204\001projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}/cryptoKeyVersions/{crypto_key_version}/publicKey"
-    ),
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=3414,
-    serialized_end=3699,
-)
-
-
-_IMPORTJOB_WRAPPINGPUBLICKEY = _descriptor.Descriptor(
-    name="WrappingPublicKey",
-    full_name="google.cloud.kms.v1.ImportJob.WrappingPublicKey",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="pem",
-            full_name="google.cloud.kms.v1.ImportJob.WrappingPublicKey.pem",
-            index=0,
-            number=1,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        )
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=None,
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=4320,
-    serialized_end=4352,
-)
-
-_IMPORTJOB = _descriptor.Descriptor(
-    name="ImportJob",
-    full_name="google.cloud.kms.v1.ImportJob",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="name",
-            full_name="google.cloud.kms.v1.ImportJob.name",
-            index=0,
-            number=1,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\003"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="import_method",
-            full_name="google.cloud.kms.v1.ImportJob.import_method",
-            index=1,
-            number=2,
-            type=14,
-            cpp_type=8,
-            label=1,
-            has_default_value=False,
-            default_value=0,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\002\340A\005"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="protection_level",
-            full_name="google.cloud.kms.v1.ImportJob.protection_level",
-            index=2,
-            number=9,
-            type=14,
-            cpp_type=8,
-            label=1,
-            has_default_value=False,
-            default_value=0,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\002\340A\005"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="create_time",
-            full_name="google.cloud.kms.v1.ImportJob.create_time",
-            index=3,
-            number=3,
-            type=11,
-            cpp_type=10,
-            label=1,
-            has_default_value=False,
-            default_value=None,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\003"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="generate_time",
-            full_name="google.cloud.kms.v1.ImportJob.generate_time",
-            index=4,
-            number=4,
-            type=11,
-            cpp_type=10,
-            label=1,
-            has_default_value=False,
-            default_value=None,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\003"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="expire_time",
-            full_name="google.cloud.kms.v1.ImportJob.expire_time",
-            index=5,
-            number=5,
-            type=11,
-            cpp_type=10,
-            label=1,
-            has_default_value=False,
-            default_value=None,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\003"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="expire_event_time",
-            full_name="google.cloud.kms.v1.ImportJob.expire_event_time",
-            index=6,
-            number=10,
-            type=11,
-            cpp_type=10,
-            label=1,
-            has_default_value=False,
-            default_value=None,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\003"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="state",
-            full_name="google.cloud.kms.v1.ImportJob.state",
-            index=7,
-            number=6,
-            type=14,
-            cpp_type=8,
-            label=1,
-            has_default_value=False,
-            default_value=0,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\003"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="public_key",
-            full_name="google.cloud.kms.v1.ImportJob.public_key",
-            index=8,
-            number=7,
-            type=11,
-            cpp_type=10,
-            label=1,
-            has_default_value=False,
-            default_value=None,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\003"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="attestation",
-            full_name="google.cloud.kms.v1.ImportJob.attestation",
-            index=9,
-            number=8,
-            type=11,
-            cpp_type=10,
-            label=1,
-            has_default_value=False,
-            default_value=None,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\003"),
-            file=DESCRIPTOR,
-        ),
-    ],
-    extensions=[],
-    nested_types=[_IMPORTJOB_WRAPPINGPUBLICKEY],
-    enum_types=[_IMPORTJOB_IMPORTMETHOD, _IMPORTJOB_IMPORTJOBSTATE],
-    serialized_options=_b(
-        "\352Ax\n!cloudkms.googleapis.com/ImportJob\022Sprojects/{project}/locations/{location}/keyRings/{key_ring}/importJobs/{import_job}"
-    ),
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=3702,
-    serialized_end=4689,
-)
-
-
-_EXTERNALPROTECTIONLEVELOPTIONS = _descriptor.Descriptor(
-    name="ExternalProtectionLevelOptions",
-    full_name="google.cloud.kms.v1.ExternalProtectionLevelOptions",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="external_key_uri",
-            full_name="google.cloud.kms.v1.ExternalProtectionLevelOptions.external_key_uri",
-            index=0,
-            number=1,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        )
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=None,
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=4691,
-    serialized_end=4749,
-)
-
-_KEYRING.fields_by_name[
-    "create_time"
-].message_type = google_dot_protobuf_dot_timestamp__pb2._TIMESTAMP
-_CRYPTOKEY_LABELSENTRY.containing_type = _CRYPTOKEY
-_CRYPTOKEY.fields_by_name["primary"].message_type = _CRYPTOKEYVERSION
-_CRYPTOKEY.fields_by_name["purpose"].enum_type = _CRYPTOKEY_CRYPTOKEYPURPOSE
-_CRYPTOKEY.fields_by_name[
-    "create_time"
-].message_type = google_dot_protobuf_dot_timestamp__pb2._TIMESTAMP
-_CRYPTOKEY.fields_by_name[
-    "next_rotation_time"
-].message_type = google_dot_protobuf_dot_timestamp__pb2._TIMESTAMP
-_CRYPTOKEY.fields_by_name[
-    "rotation_period"
-].message_type = google_dot_protobuf_dot_duration__pb2._DURATION
-_CRYPTOKEY.fields_by_name["version_template"].message_type = _CRYPTOKEYVERSIONTEMPLATE
-_CRYPTOKEY.fields_by_name["labels"].message_type = _CRYPTOKEY_LABELSENTRY
-_CRYPTOKEY_CRYPTOKEYPURPOSE.containing_type = _CRYPTOKEY
-_CRYPTOKEY.oneofs_by_name["rotation_schedule"].fields.append(
-    _CRYPTOKEY.fields_by_name["rotation_period"]
-)
-_CRYPTOKEY.fields_by_name[
-    "rotation_period"
-].containing_oneof = _CRYPTOKEY.oneofs_by_name["rotation_schedule"]
-_CRYPTOKEYVERSIONTEMPLATE.fields_by_name[
-    "protection_level"
-].enum_type = _PROTECTIONLEVEL
-_CRYPTOKEYVERSIONTEMPLATE.fields_by_name[
-    "algorithm"
-].enum_type = _CRYPTOKEYVERSION_CRYPTOKEYVERSIONALGORITHM
-_KEYOPERATIONATTESTATION.fields_by_name[
-    "format"
-].enum_type = _KEYOPERATIONATTESTATION_ATTESTATIONFORMAT
-_KEYOPERATIONATTESTATION_ATTESTATIONFORMAT.containing_type = _KEYOPERATIONATTESTATION
-_CRYPTOKEYVERSION.fields_by_name[
-    "state"
-].enum_type = _CRYPTOKEYVERSION_CRYPTOKEYVERSIONSTATE
-_CRYPTOKEYVERSION.fields_by_name["protection_level"].enum_type = _PROTECTIONLEVEL
-_CRYPTOKEYVERSION.fields_by_name[
-    "algorithm"
-].enum_type = _CRYPTOKEYVERSION_CRYPTOKEYVERSIONALGORITHM
-_CRYPTOKEYVERSION.fields_by_name["attestation"].message_type = _KEYOPERATIONATTESTATION
-_CRYPTOKEYVERSION.fields_by_name[
-    "create_time"
-].message_type = google_dot_protobuf_dot_timestamp__pb2._TIMESTAMP
-_CRYPTOKEYVERSION.fields_by_name[
-    "generate_time"
-].message_type = google_dot_protobuf_dot_timestamp__pb2._TIMESTAMP
-_CRYPTOKEYVERSION.fields_by_name[
-    "destroy_time"
-].message_type = google_dot_protobuf_dot_timestamp__pb2._TIMESTAMP
-_CRYPTOKEYVERSION.fields_by_name[
-    "destroy_event_time"
-].message_type = google_dot_protobuf_dot_timestamp__pb2._TIMESTAMP
-_CRYPTOKEYVERSION.fields_by_name[
-    "import_time"
-].message_type = google_dot_protobuf_dot_timestamp__pb2._TIMESTAMP
-_CRYPTOKEYVERSION.fields_by_name[
-    "external_protection_level_options"
-].message_type = _EXTERNALPROTECTIONLEVELOPTIONS
-_CRYPTOKEYVERSION_CRYPTOKEYVERSIONALGORITHM.containing_type = _CRYPTOKEYVERSION
-_CRYPTOKEYVERSION_CRYPTOKEYVERSIONSTATE.containing_type = _CRYPTOKEYVERSION
-_CRYPTOKEYVERSION_CRYPTOKEYVERSIONVIEW.containing_type = _CRYPTOKEYVERSION
-_PUBLICKEY.fields_by_name[
-    "algorithm"
-].enum_type = _CRYPTOKEYVERSION_CRYPTOKEYVERSIONALGORITHM
-_IMPORTJOB_WRAPPINGPUBLICKEY.containing_type = _IMPORTJOB
-_IMPORTJOB.fields_by_name["import_method"].enum_type = _IMPORTJOB_IMPORTMETHOD
-_IMPORTJOB.fields_by_name["protection_level"].enum_type = _PROTECTIONLEVEL
-_IMPORTJOB.fields_by_name[
-    "create_time"
-].message_type = google_dot_protobuf_dot_timestamp__pb2._TIMESTAMP
-_IMPORTJOB.fields_by_name[
-    "generate_time"
-].message_type = google_dot_protobuf_dot_timestamp__pb2._TIMESTAMP
-_IMPORTJOB.fields_by_name[
-    "expire_time"
-].message_type = google_dot_protobuf_dot_timestamp__pb2._TIMESTAMP
-_IMPORTJOB.fields_by_name[
-    "expire_event_time"
-].message_type = google_dot_protobuf_dot_timestamp__pb2._TIMESTAMP
-_IMPORTJOB.fields_by_name["state"].enum_type = _IMPORTJOB_IMPORTJOBSTATE
-_IMPORTJOB.fields_by_name["public_key"].message_type = _IMPORTJOB_WRAPPINGPUBLICKEY
-_IMPORTJOB.fields_by_name["attestation"].message_type = _KEYOPERATIONATTESTATION
-_IMPORTJOB_IMPORTMETHOD.containing_type = _IMPORTJOB
-_IMPORTJOB_IMPORTJOBSTATE.containing_type = _IMPORTJOB
-DESCRIPTOR.message_types_by_name["KeyRing"] = _KEYRING
-DESCRIPTOR.message_types_by_name["CryptoKey"] = _CRYPTOKEY
-DESCRIPTOR.message_types_by_name["CryptoKeyVersionTemplate"] = _CRYPTOKEYVERSIONTEMPLATE
-DESCRIPTOR.message_types_by_name["KeyOperationAttestation"] = _KEYOPERATIONATTESTATION
-DESCRIPTOR.message_types_by_name["CryptoKeyVersion"] = _CRYPTOKEYVERSION
-DESCRIPTOR.message_types_by_name["PublicKey"] = _PUBLICKEY
-DESCRIPTOR.message_types_by_name["ImportJob"] = _IMPORTJOB
-DESCRIPTOR.message_types_by_name[
-    "ExternalProtectionLevelOptions"
-] = _EXTERNALPROTECTIONLEVELOPTIONS
-DESCRIPTOR.enum_types_by_name["ProtectionLevel"] = _PROTECTIONLEVEL
-_sym_db.RegisterFileDescriptor(DESCRIPTOR)
-
-KeyRing = _reflection.GeneratedProtocolMessageType(
-    "KeyRing",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_KEYRING,
-        __module__="google.cloud.kms_v1.proto.resources_pb2",
-        __doc__="""A [KeyRing][google.cloud.kms.v1.KeyRing] is a toplevel logical
-  grouping of [CryptoKeys][google.cloud.kms.v1.CryptoKey].
-  Attributes:
-      name:
-          Output only. The resource name for the
-          [KeyRing][google.cloud.kms.v1.KeyRing] in the format
-          ``projects/*/locations/*/keyRings/*``.
-      create_time:
-          Output only. The time at which this
-          [KeyRing][google.cloud.kms.v1.KeyRing] was created.
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.KeyRing)
-    ),
-)
-_sym_db.RegisterMessage(KeyRing)
-
-CryptoKey = _reflection.GeneratedProtocolMessageType(
-    "CryptoKey",
-    (_message.Message,),
-    dict(
-        LabelsEntry=_reflection.GeneratedProtocolMessageType(
-            "LabelsEntry",
-            (_message.Message,),
-            dict(
-                DESCRIPTOR=_CRYPTOKEY_LABELSENTRY,
-                __module__="google.cloud.kms_v1.proto.resources_pb2"
-                # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.CryptoKey.LabelsEntry)
-            ),
-        ),
-        DESCRIPTOR=_CRYPTOKEY,
-        __module__="google.cloud.kms_v1.proto.resources_pb2",
-        __doc__="""A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key
-  that can be used for cryptographic operations.  A
-  [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up of one or more
-  [versions][google.cloud.kms.v1.CryptoKeyVersion], which represent the
-  actual key material used in cryptographic operations.
-  Attributes:
-      name:
-          Output only. The resource name for this
-          [CryptoKey][google.cloud.kms.v1.CryptoKey] in the format
-          ``projects/*/locations/*/keyRings/*/cryptoKeys/*``.
-      primary:
-          Output only. A copy of the "primary"
-          [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that
-          will be used by
-          [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]
-          when this [CryptoKey][google.cloud.kms.v1.CryptoKey] is given
-          in [EncryptRequest.name][google.cloud.kms.v1.EncryptRequest.na
-          me].  The [CryptoKey][google.cloud.kms.v1.CryptoKey]'s primary
-          version can be updated via [UpdateCryptoKeyPrimaryVersion][goo
-          gle.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVe
-          rsion].  Keys with
-          [purpose][google.cloud.kms.v1.CryptoKey.purpose] [ENCRYPT\_DEC
-          RYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT\_
-          DECRYPT] may have a primary. For other keys, this field will
-          be omitted.
-      purpose:
-          Immutable. The immutable purpose of this
-          [CryptoKey][google.cloud.kms.v1.CryptoKey].
-      create_time:
-          Output only. The time at which this
-          [CryptoKey][google.cloud.kms.v1.CryptoKey] was created.
-      next_rotation_time:
-          At [next\_rotation\_time][google.cloud.kms.v1.CryptoKey.next\_
-          rotation\_time], the Key Management Service will
-          automatically:  1. Create a new version of this
-          [CryptoKey][google.cloud.kms.v1.CryptoKey]. 2. Mark the new
-          version as primary.  Key rotations performed manually via [Cre
-          ateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.
-          CreateCryptoKeyVersion] and [UpdateCryptoKeyPrimaryVersion][go
-          ogle.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryV
-          ersion] do not affect [next\_rotation\_time][google.cloud.kms.
-          v1.CryptoKey.next\_rotation\_time].  Keys with
-          [purpose][google.cloud.kms.v1.CryptoKey.purpose] [ENCRYPT\_DEC
-          RYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT\_
-          DECRYPT] support automatic rotation. For other keys, this
-          field must be omitted.
-      rotation_schedule:
-          Controls the rate of automatic rotation.
-      rotation_period:
-          [next\_rotation\_time][google.cloud.kms.v1.CryptoKey.next\_rot
-          ation\_time] will be advanced by this period when the service
-          automatically rotates a key. Must be at least 24 hours and at
-          most 876,000 hours.  If [rotation\_period][google.cloud.kms.v1
-          .CryptoKey.rotation\_period] is set, [next\_rotation\_time][go
-          ogle.cloud.kms.v1.CryptoKey.next\_rotation\_time] must also be
-          set.  Keys with
-          [purpose][google.cloud.kms.v1.CryptoKey.purpose] [ENCRYPT\_DEC
-          RYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT\_
-          DECRYPT] support automatic rotation. For other keys, this
-          field must be omitted.
-      version_template:
-          A template describing settings for new
-          [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
-          instances. The properties of new
-          [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
-          instances created by either [CreateCryptoKeyVersion][google.cl
-          oud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] or
-          auto-rotation are controlled by this template.
-      labels:
-          Labels with user-defined metadata. For more information, see
-          `Labeling Keys </kms/docs/labeling-keys>`__.
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.CryptoKey)
-    ),
-)
-_sym_db.RegisterMessage(CryptoKey)
-_sym_db.RegisterMessage(CryptoKey.LabelsEntry)
-
-CryptoKeyVersionTemplate = _reflection.GeneratedProtocolMessageType(
-    "CryptoKeyVersionTemplate",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_CRYPTOKEYVERSIONTEMPLATE,
-        __module__="google.cloud.kms_v1.proto.resources_pb2",
-        __doc__="""A [CryptoKeyVersionTemplate][google.cloud.kms.v1.CryptoKeyVersionTempl
-  ate] specifies the properties to use when creating a new
-  [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], either
-  manually with [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManageme
-  ntService.CreateCryptoKeyVersion] or automatically as a result of
-  auto-rotation.
-  Attributes:
-      protection_level:
-          [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] to use
-          when creating a
-          [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] based
-          on this template. Immutable. Defaults to
-          [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE].
-      algorithm:
-          Required. [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.Cry
-          ptoKeyVersionAlgorithm] to use when creating a
-          [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] based
-          on this template.  For backwards compatibility,
-          GOOGLE\_SYMMETRIC\_ENCRYPTION is implied if both this field is
-          omitted and
-          [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] is 
-          [ENCRYPT\_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurp
-          ose.ENCRYPT\_DECRYPT].
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.CryptoKeyVersionTemplate)
-    ),
-)
-_sym_db.RegisterMessage(CryptoKeyVersionTemplate)
-
-KeyOperationAttestation = _reflection.GeneratedProtocolMessageType(
-    "KeyOperationAttestation",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_KEYOPERATIONATTESTATION,
-        __module__="google.cloud.kms_v1.proto.resources_pb2",
-        __doc__="""Contains an HSM-generated attestation about a key operation. For more
-  information, see [Verifying attestations]
-  (https://cloud.google.com/kms/docs/attest-key).
-  Attributes:
-      format:
-          Output only. The format of the attestation data.
-      content:
-          Output only. The attestation data provided by the HSM when the
-          key operation was performed.
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.KeyOperationAttestation)
-    ),
-)
-_sym_db.RegisterMessage(KeyOperationAttestation)
-
-CryptoKeyVersion = _reflection.GeneratedProtocolMessageType(
-    "CryptoKeyVersion",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_CRYPTOKEYVERSION,
-        __module__="google.cloud.kms_v1.proto.resources_pb2",
-        __doc__="""A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents
-  an individual cryptographic key, and the associated key material.  An 
-  [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.E
-  NABLED] version can be used for cryptographic operations.  For
-  security reasons, the raw cryptographic key material represented by a
-  [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be
-  viewed or exported. It can only be used to encrypt, decrypt, or sign
-  data when an authorized user or application invokes Cloud KMS.
-  Attributes:
-      name:
-          Output only. The resource name for this
-          [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in
-          the format ``projects/*/locations/*/keyRings/*/cryptoKeys/*/cr
-          yptoKeyVersions/*``.
-      state:
-          The current state of the
-          [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
-      protection_level:
-          Output only. The
-          [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel]
-          describing how crypto operations are performed with this
-          [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
-      algorithm:
-          Output only. The [CryptoKeyVersionAlgorithm][google.cloud.kms.
-          v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] that this
-          [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
-          supports.
-      attestation:
-          Output only. Statement that was generated and signed by the
-          HSM at key creation time. Use this statement to verify
-          attributes of the key as stored on the HSM, independently of
-          Google. Only provided for key versions with [protection\_level
-          ][google.cloud.kms.v1.CryptoKeyVersion.protection\_level]
-          [HSM][google.cloud.kms.v1.ProtectionLevel.HSM].
-      create_time:
-          Output only. The time at which this
-          [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] was
-          created.
-      generate_time:
-          Output only. The time this
-          [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key
-          material was generated.
-      destroy_time:
-          Output only. The time this
-          [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key
-          material is scheduled for destruction. Only present if
-          [state][google.cloud.kms.v1.CryptoKeyVersion.state] is [DESTRO
-          Y\_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVe
-          rsionState.DESTROY\_SCHEDULED].
-      destroy_event_time:
-          Output only. The time this CryptoKeyVersion's key material was
-          destroyed. Only present if
-          [state][google.cloud.kms.v1.CryptoKeyVersion.state] is [DESTRO
-          YED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionStat
-          e.DESTROYED].
-      import_job:
-          Output only. The name of the
-          [ImportJob][google.cloud.kms.v1.ImportJob] used to import this
-          [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Only
-          present if the underlying key material was imported.
-      import_time:
-          Output only. The time at which this
-          [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key
-          material was imported.
-      import_failure_reason:
-          Output only. The root cause of an import failure. Only present
-          if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is [IMP
-          ORT\_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVer
-          sionState.IMPORT\_FAILED].
-      external_protection_level_options:
-          ExternalProtectionLevelOptions stores a group of additional
-          fields for configuring a
-          [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that
-          are specific to the
-          [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL]
-          protection level.
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.CryptoKeyVersion)
-    ),
-)
-_sym_db.RegisterMessage(CryptoKeyVersion)
-
-PublicKey = _reflection.GeneratedProtocolMessageType(
-    "PublicKey",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_PUBLICKEY,
-        __module__="google.cloud.kms_v1.proto.resources_pb2",
-        __doc__="""The public key for a given
-  [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Obtained via
-  [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
-  Attributes:
-      pem:
-          The public key, encoded in PEM format. For more information,
-          see the `RFC 7468 <https://tools.ietf.org/html/rfc7468>`__
-          sections for `General Considerations
-          <https://tools.ietf.org/html/rfc7468#section-2>`__ and
-          [Textual Encoding of Subject Public Key Info]
-          (https://tools.ietf.org/html/rfc7468#section-13).
-      algorithm:
-          The [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKey
-          VersionAlgorithm] associated with this key.
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.PublicKey)
-    ),
-)
-_sym_db.RegisterMessage(PublicKey)
-
-ImportJob = _reflection.GeneratedProtocolMessageType(
-    "ImportJob",
-    (_message.Message,),
-    dict(
-        WrappingPublicKey=_reflection.GeneratedProtocolMessageType(
-            "WrappingPublicKey",
-            (_message.Message,),
-            dict(
-                DESCRIPTOR=_IMPORTJOB_WRAPPINGPUBLICKEY,
-                __module__="google.cloud.kms_v1.proto.resources_pb2",
-                __doc__="""The public key component of the wrapping key. For details of the type
-    of key this public key corresponds to, see the
-    [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod].
-    Attributes:
-        pem:
-            The public key, encoded in PEM format. For more information,
-            see the `RFC 7468 <https://tools.ietf.org/html/rfc7468>`__
-            sections for `General Considerations
-            <https://tools.ietf.org/html/rfc7468#section-2>`__ and
-            [Textual Encoding of Subject Public Key Info]
-            (https://tools.ietf.org/html/rfc7468#section-13).
-    """,
-                # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.ImportJob.WrappingPublicKey)
-            ),
-        ),
-        DESCRIPTOR=_IMPORTJOB,
-        __module__="google.cloud.kms_v1.proto.resources_pb2",
-        __doc__="""An [ImportJob][google.cloud.kms.v1.ImportJob] can be used to create
-  [CryptoKeys][google.cloud.kms.v1.CryptoKey] and
-  [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] using pre-
-  existing key material, generated outside of Cloud KMS.  When an
-  [ImportJob][google.cloud.kms.v1.ImportJob] is created, Cloud KMS will
-  generate a "wrapping key", which is a public/private key pair. You use
-  the wrapping key to encrypt (also known as wrap) the pre-existing key
-  material to protect it during the import process. The nature of the
-  wrapping key depends on the choice of
-  [import\_method][google.cloud.kms.v1.ImportJob.import\_method]. When
-  the wrapping key generation is complete, the
-  [state][google.cloud.kms.v1.ImportJob.state] will be set to
-  [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE] and the
-  [public\_key][google.cloud.kms.v1.ImportJob.public\_key] can be
-  fetched. The fetched public key can then be used to wrap your pre-
-  existing key material.  Once the key material is wrapped, it can be
-  imported into a new
-  [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in an
-  existing [CryptoKey][google.cloud.kms.v1.CryptoKey] by calling [Import
-  CryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCrypt
-  oKeyVersion]. Multiple
-  [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] can be
-  imported with a single [ImportJob][google.cloud.kms.v1.ImportJob].
-  Cloud KMS uses the private key portion of the wrapping key to unwrap
-  the key material. Only Cloud KMS has access to the private key.  An
-  [ImportJob][google.cloud.kms.v1.ImportJob] expires 3 days after it is
-  created. Once expired, Cloud KMS will no longer be able to import or
-  unwrap any key material that was wrapped with the
-  [ImportJob][google.cloud.kms.v1.ImportJob]'s public key.  For more
-  information, see `Importing a key
-  <https://cloud.google.com/kms/docs/importing-a-key>`__.
-  Attributes:
-      name:
-          Output only. The resource name for this
-          [ImportJob][google.cloud.kms.v1.ImportJob] in the format
-          ``projects/*/locations/*/keyRings/*/importJobs/*``.
-      import_method:
-          Required. Immutable. The wrapping method to be used for
-          incoming key material.
-      protection_level:
-          Required. Immutable. The protection level of the
-          [ImportJob][google.cloud.kms.v1.ImportJob]. This must match
-          the [protection\_level][google.cloud.kms.v1.CryptoKeyVersionTe
-          mplate.protection\_level] of the [version\_template][google.cl
-          oud.kms.v1.CryptoKey.version\_template] on the
-          [CryptoKey][google.cloud.kms.v1.CryptoKey] you attempt to
-          import into.
-      create_time:
-          Output only. The time at which this
-          [ImportJob][google.cloud.kms.v1.ImportJob] was created.
-      generate_time:
-          Output only. The time this
-          [ImportJob][google.cloud.kms.v1.ImportJob]'s key material was
-          generated.
-      expire_time:
-          Output only. The time at which this
-          [ImportJob][google.cloud.kms.v1.ImportJob] is scheduled for
-          expiration and can no longer be used to import key material.
-      expire_event_time:
-          Output only. The time this
-          [ImportJob][google.cloud.kms.v1.ImportJob] expired. Only
-          present if [state][google.cloud.kms.v1.ImportJob.state] is [EX
-          PIRED][google.cloud.kms.v1.ImportJob.ImportJobState.EXPIRED].
-      state:
-          Output only. The current state of the
-          [ImportJob][google.cloud.kms.v1.ImportJob], indicating if it
-          can be used.
-      public_key:
-          Output only. The public key with which to wrap key material
-          prior to import. Only returned if
-          [state][google.cloud.kms.v1.ImportJob.state] is
-          [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE].
-      attestation:
-          Output only. Statement that was generated and signed by the
-          key creator (for example, an HSM) at key creation time. Use
-          this statement to verify attributes of the key as stored on
-          the HSM, independently of Google. Only present if the chosen
-          [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod] is
-          one with a protection level of
-          [HSM][google.cloud.kms.v1.ProtectionLevel.HSM].
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.ImportJob)
-    ),
-)
-_sym_db.RegisterMessage(ImportJob)
-_sym_db.RegisterMessage(ImportJob.WrappingPublicKey)
-
-ExternalProtectionLevelOptions = _reflection.GeneratedProtocolMessageType(
-    "ExternalProtectionLevelOptions",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_EXTERNALPROTECTIONLEVELOPTIONS,
-        __module__="google.cloud.kms_v1.proto.resources_pb2",
-        __doc__="""ExternalProtectionLevelOptions stores a group of additional fields for
-  configuring a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
-  that are specific to the
-  [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] protection
-  level.
-  Attributes:
-      external_key_uri:
-          The URI for an external resource that this
-          [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
-          represents.
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.ExternalProtectionLevelOptions)
-    ),
-)
-_sym_db.RegisterMessage(ExternalProtectionLevelOptions)
-
-
-DESCRIPTOR._options = None
-_KEYRING.fields_by_name["name"]._options = None
-_KEYRING.fields_by_name["create_time"]._options = None
-_KEYRING._options = None
-_CRYPTOKEY_LABELSENTRY._options = None
-_CRYPTOKEY.fields_by_name["name"]._options = None
-_CRYPTOKEY.fields_by_name["primary"]._options = None
-_CRYPTOKEY.fields_by_name["purpose"]._options = None
-_CRYPTOKEY.fields_by_name["create_time"]._options = None
-_CRYPTOKEY._options = None
-_CRYPTOKEYVERSIONTEMPLATE.fields_by_name["algorithm"]._options = None
-_KEYOPERATIONATTESTATION.fields_by_name["format"]._options = None
-_KEYOPERATIONATTESTATION.fields_by_name["content"]._options = None
-_CRYPTOKEYVERSION.fields_by_name["name"]._options = None
-_CRYPTOKEYVERSION.fields_by_name["protection_level"]._options = None
-_CRYPTOKEYVERSION.fields_by_name["algorithm"]._options = None
-_CRYPTOKEYVERSION.fields_by_name["attestation"]._options = None
-_CRYPTOKEYVERSION.fields_by_name["create_time"]._options = None
-_CRYPTOKEYVERSION.fields_by_name["generate_time"]._options = None
-_CRYPTOKEYVERSION.fields_by_name["destroy_time"]._options = None
-_CRYPTOKEYVERSION.fields_by_name["destroy_event_time"]._options = None
-_CRYPTOKEYVERSION.fields_by_name["import_job"]._options = None
-_CRYPTOKEYVERSION.fields_by_name["import_time"]._options = None
-_CRYPTOKEYVERSION.fields_by_name["import_failure_reason"]._options = None
-_CRYPTOKEYVERSION._options = None
-_PUBLICKEY._options = None
-_IMPORTJOB.fields_by_name["name"]._options = None
-_IMPORTJOB.fields_by_name["import_method"]._options = None
-_IMPORTJOB.fields_by_name["protection_level"]._options = None
-_IMPORTJOB.fields_by_name["create_time"]._options = None
-_IMPORTJOB.fields_by_name["generate_time"]._options = None
-_IMPORTJOB.fields_by_name["expire_time"]._options = None
-_IMPORTJOB.fields_by_name["expire_event_time"]._options = None
-_IMPORTJOB.fields_by_name["state"]._options = None
-_IMPORTJOB.fields_by_name["public_key"]._options = None
-_IMPORTJOB.fields_by_name["attestation"]._options = None
-_IMPORTJOB._options = None
-# @@protoc_insertion_point(module_scope)
diff --git a/packages/google-cloud-kms/google/cloud/kms_v1/proto/resources_pb2_grpc.py b/packages/google-cloud-kms/google/cloud/kms_v1/proto/resources_pb2_grpc.py
deleted file mode 100644
index 07cb78fe03a9..000000000000
--- a/packages/google-cloud-kms/google/cloud/kms_v1/proto/resources_pb2_grpc.py
+++ /dev/null
@@ -1,2 +0,0 @@
-# Generated by the gRPC Python protocol compiler plugin. DO NOT EDIT!
-import grpc
diff --git a/packages/google-cloud-kms/google/cloud/kms_v1/proto/service_pb2.py b/packages/google-cloud-kms/google/cloud/kms_v1/proto/service_pb2.py
deleted file mode 100644
index 0ae5724a142a..000000000000
--- a/packages/google-cloud-kms/google/cloud/kms_v1/proto/service_pb2.py
+++ /dev/null
@@ -1,3624 +0,0 @@
-# -*- coding: utf-8 -*-
-# Generated by the protocol buffer compiler.  DO NOT EDIT!
-# source: google/cloud/kms_v1/proto/service.proto
-
-import sys
-
-_b = sys.version_info[0] < 3 and (lambda x: x) or (lambda x: x.encode("latin1"))
-from google.protobuf import descriptor as _descriptor
-from google.protobuf import message as _message
-from google.protobuf import reflection as _reflection
-from google.protobuf import symbol_database as _symbol_database
-
-# @@protoc_insertion_point(imports)
-
-_sym_db = _symbol_database.Default()
-
-
-from google.api import annotations_pb2 as google_dot_api_dot_annotations__pb2
-from google.api import client_pb2 as google_dot_api_dot_client__pb2
-from google.api import field_behavior_pb2 as google_dot_api_dot_field__behavior__pb2
-from google.api import resource_pb2 as google_dot_api_dot_resource__pb2
-from google.cloud.kms_v1.proto import (
-    resources_pb2 as google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2,
-)
-from google.protobuf import field_mask_pb2 as google_dot_protobuf_dot_field__mask__pb2
-
-
-DESCRIPTOR = _descriptor.FileDescriptor(
-    name="google/cloud/kms_v1/proto/service.proto",
-    package="google.cloud.kms.v1",
-    syntax="proto3",
-    serialized_options=_b(
-        "\n\027com.google.cloud.kms.v1B\010KmsProtoP\001Z6google.golang.org/genproto/googleapis/cloud/kms/v1;kms\370\001\001\252\002\023Google.Cloud.Kms.V1\312\002\023Google\\Cloud\\Kms\\V1"
-    ),
-    serialized_pb=_b(
-        '\n\'google/cloud/kms_v1/proto/service.proto\x12\x13google.cloud.kms.v1\x1a\x1cgoogle/api/annotations.proto\x1a\x17google/api/client.proto\x1a\x1fgoogle/api/field_behavior.proto\x1a\x19google/api/resource.proto\x1a)google/cloud/kms_v1/proto/resources.proto\x1a google/protobuf/field_mask.proto"\xad\x01\n\x13ListKeyRingsRequest\x12\x39\n\x06parent\x18\x01 \x01(\tB)\xe0\x41\x02\xfa\x41#\n!locations.googleapis.com/Location\x12\x16\n\tpage_size\x18\x02 \x01(\x05\x42\x03\xe0\x41\x01\x12\x17\n\npage_token\x18\x03 \x01(\tB\x03\xe0\x41\x01\x12\x13\n\x06\x66ilter\x18\x04 \x01(\tB\x03\xe0\x41\x01\x12\x15\n\x08order_by\x18\x05 \x01(\tB\x03\xe0\x41\x01"\xff\x01\n\x15ListCryptoKeysRequest\x12\x37\n\x06parent\x18\x01 \x01(\tB\'\xe0\x41\x02\xfa\x41!\n\x1f\x63loudkms.googleapis.com/KeyRing\x12\x16\n\tpage_size\x18\x02 \x01(\x05\x42\x03\xe0\x41\x01\x12\x17\n\npage_token\x18\x03 \x01(\tB\x03\xe0\x41\x01\x12P\n\x0cversion_view\x18\x04 \x01(\x0e\x32:.google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionView\x12\x13\n\x06\x66ilter\x18\x05 \x01(\tB\x03\xe0\x41\x01\x12\x15\n\x08order_by\x18\x06 \x01(\tB\x03\xe0\x41\x01"\x80\x02\n\x1cListCryptoKeyVersionsRequest\x12\x39\n\x06parent\x18\x01 \x01(\tB)\xe0\x41\x02\xfa\x41#\n!cloudkms.googleapis.com/CryptoKey\x12\x16\n\tpage_size\x18\x02 \x01(\x05\x42\x03\xe0\x41\x01\x12\x17\n\npage_token\x18\x03 \x01(\tB\x03\xe0\x41\x01\x12H\n\x04view\x18\x04 \x01(\x0e\x32:.google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionView\x12\x13\n\x06\x66ilter\x18\x05 \x01(\tB\x03\xe0\x41\x01\x12\x15\n\x08order_by\x18\x06 \x01(\tB\x03\xe0\x41\x01"\xad\x01\n\x15ListImportJobsRequest\x12\x37\n\x06parent\x18\x01 \x01(\tB\'\xe0\x41\x02\xfa\x41!\n\x1f\x63loudkms.googleapis.com/KeyRing\x12\x16\n\tpage_size\x18\x02 \x01(\x05\x42\x03\xe0\x41\x01\x12\x17\n\npage_token\x18\x03 \x01(\tB\x03\xe0\x41\x01\x12\x13\n\x06\x66ilter\x18\x04 \x01(\tB\x03\xe0\x41\x01\x12\x15\n\x08order_by\x18\x05 \x01(\tB\x03\xe0\x41\x01"t\n\x14ListKeyRingsResponse\x12/\n\tkey_rings\x18\x01 \x03(\x0b\x32\x1c.google.cloud.kms.v1.KeyRing\x12\x17\n\x0fnext_page_token\x18\x02 \x01(\t\x12\x12\n\ntotal_size\x18\x03 \x01(\x05"z\n\x16ListCryptoKeysResponse\x12\x33\n\x0b\x63rypto_keys\x18\x01 \x03(\x0b\x32\x1e.google.cloud.kms.v1.CryptoKey\x12\x17\n\x0fnext_page_token\x18\x02 \x01(\t\x12\x12\n\ntotal_size\x18\x03 \x01(\x05"\x90\x01\n\x1dListCryptoKeyVersionsResponse\x12\x42\n\x13\x63rypto_key_versions\x18\x01 \x03(\x0b\x32%.google.cloud.kms.v1.CryptoKeyVersion\x12\x17\n\x0fnext_page_token\x18\x02 \x01(\t\x12\x12\n\ntotal_size\x18\x03 \x01(\x05"z\n\x16ListImportJobsResponse\x12\x33\n\x0bimport_jobs\x18\x01 \x03(\x0b\x32\x1e.google.cloud.kms.v1.ImportJob\x12\x17\n\x0fnext_page_token\x18\x02 \x01(\t\x12\x12\n\ntotal_size\x18\x03 \x01(\x05"J\n\x11GetKeyRingRequest\x12\x35\n\x04name\x18\x01 \x01(\tB\'\xe0\x41\x02\xfa\x41!\n\x1f\x63loudkms.googleapis.com/KeyRing"N\n\x13GetCryptoKeyRequest\x12\x37\n\x04name\x18\x01 \x01(\tB)\xe0\x41\x02\xfa\x41#\n!cloudkms.googleapis.com/CryptoKey"\\\n\x1aGetCryptoKeyVersionRequest\x12>\n\x04name\x18\x01 \x01(\tB0\xe0\x41\x02\xfa\x41*\n(cloudkms.googleapis.com/CryptoKeyVersion"U\n\x13GetPublicKeyRequest\x12>\n\x04name\x18\x01 \x01(\tB0\xe0\x41\x02\xfa\x41*\n(cloudkms.googleapis.com/CryptoKeyVersion"N\n\x13GetImportJobRequest\x12\x37\n\x04name\x18\x01 \x01(\tB)\xe0\x41\x02\xfa\x41#\n!cloudkms.googleapis.com/ImportJob"\xa0\x01\n\x14\x43reateKeyRingRequest\x12\x39\n\x06parent\x18\x01 \x01(\tB)\xe0\x41\x02\xfa\x41#\n!locations.googleapis.com/Location\x12\x18\n\x0bkey_ring_id\x18\x02 \x01(\tB\x03\xe0\x41\x02\x12\x33\n\x08key_ring\x18\x03 \x01(\x0b\x32\x1c.google.cloud.kms.v1.KeyRingB\x03\xe0\x41\x02"\xcd\x01\n\x16\x43reateCryptoKeyRequest\x12\x37\n\x06parent\x18\x01 \x01(\tB\'\xe0\x41\x02\xfa\x41!\n\x1f\x63loudkms.googleapis.com/KeyRing\x12\x1a\n\rcrypto_key_id\x18\x02 \x01(\tB\x03\xe0\x41\x02\x12\x37\n\ncrypto_key\x18\x03 \x01(\x0b\x32\x1e.google.cloud.kms.v1.CryptoKeyB\x03\xe0\x41\x02\x12%\n\x1dskip_initial_version_creation\x18\x05 \x01(\x08"\xa2\x01\n\x1d\x43reateCryptoKeyVersionRequest\x12\x39\n\x06parent\x18\x01 \x01(\tB)\xe0\x41\x02\xfa\x41#\n!cloudkms.googleapis.com/CryptoKey\x12\x46\n\x12\x63rypto_key_version\x18\x02 \x01(\x0b\x32%.google.cloud.kms.v1.CryptoKeyVersionB\x03\xe0\x41\x02"\x83\x02\n\x1dImportCryptoKeyVersionRequest\x12\x39\n\x06parent\x18\x01 \x01(\tB)\xe0\x41\x02\xfa\x41#\n!cloudkms.googleapis.com/CryptoKey\x12W\n\talgorithm\x18\x02 \x01(\x0e\x32?.google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithmB\x03\xe0\x41\x02\x12\x17\n\nimport_job\x18\x04 \x01(\tB\x03\xe0\x41\x02\x12\x1d\n\x13rsa_aes_wrapped_key\x18\x05 \x01(\x0cH\x00\x42\x16\n\x14wrapped_key_material"\xa6\x01\n\x16\x43reateImportJobRequest\x12\x37\n\x06parent\x18\x01 \x01(\tB\'\xe0\x41\x02\xfa\x41!\n\x1f\x63loudkms.googleapis.com/KeyRing\x12\x1a\n\rimport_job_id\x18\x02 \x01(\tB\x03\xe0\x41\x02\x12\x37\n\nimport_job\x18\x03 \x01(\x0b\x32\x1e.google.cloud.kms.v1.ImportJobB\x03\xe0\x41\x02"\x87\x01\n\x16UpdateCryptoKeyRequest\x12\x37\n\ncrypto_key\x18\x01 \x01(\x0b\x32\x1e.google.cloud.kms.v1.CryptoKeyB\x03\xe0\x41\x02\x12\x34\n\x0bupdate_mask\x18\x02 \x01(\x0b\x32\x1a.google.protobuf.FieldMaskB\x03\xe0\x41\x02"\x9d\x01\n\x1dUpdateCryptoKeyVersionRequest\x12\x46\n\x12\x63rypto_key_version\x18\x01 \x01(\x0b\x32%.google.cloud.kms.v1.CryptoKeyVersionB\x03\xe0\x41\x02\x12\x34\n\x0bupdate_mask\x18\x02 \x01(\x0b\x32\x1a.google.protobuf.FieldMaskB\x03\xe0\x41\x02"m\n\x0e\x45ncryptRequest\x12\x17\n\x04name\x18\x01 \x01(\tB\t\xe0\x41\x02\xfa\x41\x03\n\x01*\x12\x16\n\tplaintext\x18\x02 \x01(\x0c\x42\x03\xe0\x41\x02\x12*\n\x1d\x61\x64\x64itional_authenticated_data\x18\x03 \x01(\x0c\x42\x03\xe0\x41\x01"\x8e\x01\n\x0e\x44\x65\x63ryptRequest\x12\x37\n\x04name\x18\x01 \x01(\tB)\xe0\x41\x02\xfa\x41#\n!cloudkms.googleapis.com/CryptoKey\x12\x17\n\nciphertext\x18\x02 \x01(\x0c\x42\x03\xe0\x41\x02\x12*\n\x1d\x61\x64\x64itional_authenticated_data\x18\x03 \x01(\x0c\x42\x03\xe0\x41\x01"\x89\x01\n\x15\x41symmetricSignRequest\x12>\n\x04name\x18\x01 \x01(\tB0\xe0\x41\x02\xfa\x41*\n(cloudkms.googleapis.com/CryptoKeyVersion\x12\x30\n\x06\x64igest\x18\x03 \x01(\x0b\x32\x1b.google.cloud.kms.v1.DigestB\x03\xe0\x41\x02"s\n\x18\x41symmetricDecryptRequest\x12>\n\x04name\x18\x01 \x01(\tB0\xe0\x41\x02\xfa\x41*\n(cloudkms.googleapis.com/CryptoKeyVersion\x12\x17\n\nciphertext\x18\x03 \x01(\x0c\x42\x03\xe0\x41\x02"$\n\x0f\x44\x65\x63ryptResponse\x12\x11\n\tplaintext\x18\x01 \x01(\x0c"3\n\x0f\x45ncryptResponse\x12\x0c\n\x04name\x18\x01 \x01(\t\x12\x12\n\nciphertext\x18\x02 \x01(\x0c"+\n\x16\x41symmetricSignResponse\x12\x11\n\tsignature\x18\x01 \x01(\x0c".\n\x19\x41symmetricDecryptResponse\x12\x11\n\tplaintext\x18\x01 \x01(\x0c"\x83\x01\n$UpdateCryptoKeyPrimaryVersionRequest\x12\x37\n\x04name\x18\x01 \x01(\tB)\xe0\x41\x02\xfa\x41#\n!cloudkms.googleapis.com/CryptoKey\x12"\n\x15\x63rypto_key_version_id\x18\x02 \x01(\tB\x03\xe0\x41\x02"`\n\x1e\x44\x65stroyCryptoKeyVersionRequest\x12>\n\x04name\x18\x01 \x01(\tB0\xe0\x41\x02\xfa\x41*\n(cloudkms.googleapis.com/CryptoKeyVersion"`\n\x1eRestoreCryptoKeyVersionRequest\x12>\n\x04name\x18\x01 \x01(\tB0\xe0\x41\x02\xfa\x41*\n(cloudkms.googleapis.com/CryptoKeyVersion"H\n\x06\x44igest\x12\x10\n\x06sha256\x18\x01 \x01(\x0cH\x00\x12\x10\n\x06sha384\x18\x02 \x01(\x0cH\x00\x12\x10\n\x06sha512\x18\x03 \x01(\x0cH\x00\x42\x08\n\x06\x64igest"@\n\x10LocationMetadata\x12\x15\n\rhsm_available\x18\x01 \x01(\x08\x12\x15\n\rekm_available\x18\x02 \x01(\x08\x32\x86&\n\x14KeyManagementService\x12\xa2\x01\n\x0cListKeyRings\x12(.google.cloud.kms.v1.ListKeyRingsRequest\x1a).google.cloud.kms.v1.ListKeyRingsResponse"=\x82\xd3\xe4\x93\x02.\x12,/v1/{parent=projects/*/locations/*}/keyRings\xda\x41\x06parent\x12\xb5\x01\n\x0eListCryptoKeys\x12*.google.cloud.kms.v1.ListCryptoKeysRequest\x1a+.google.cloud.kms.v1.ListCryptoKeysResponse"J\x82\xd3\xe4\x93\x02;\x12\x39/v1/{parent=projects/*/locations/*/keyRings/*}/cryptoKeys\xda\x41\x06parent\x12\xde\x01\n\x15ListCryptoKeyVersions\x12\x31.google.cloud.kms.v1.ListCryptoKeyVersionsRequest\x1a\x32.google.cloud.kms.v1.ListCryptoKeyVersionsResponse"^\x82\xd3\xe4\x93\x02O\x12M/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions\xda\x41\x06parent\x12\xb5\x01\n\x0eListImportJobs\x12*.google.cloud.kms.v1.ListImportJobsRequest\x1a+.google.cloud.kms.v1.ListImportJobsResponse"J\x82\xd3\xe4\x93\x02;\x12\x39/v1/{parent=projects/*/locations/*/keyRings/*}/importJobs\xda\x41\x06parent\x12\x8f\x01\n\nGetKeyRing\x12&.google.cloud.kms.v1.GetKeyRingRequest\x1a\x1c.google.cloud.kms.v1.KeyRing";\x82\xd3\xe4\x93\x02.\x12,/v1/{name=projects/*/locations/*/keyRings/*}\xda\x41\x04name\x12\xa2\x01\n\x0cGetCryptoKey\x12(.google.cloud.kms.v1.GetCryptoKeyRequest\x1a\x1e.google.cloud.kms.v1.CryptoKey"H\x82\xd3\xe4\x93\x02;\x12\x39/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}\xda\x41\x04name\x12\xcb\x01\n\x13GetCryptoKeyVersion\x12/.google.cloud.kms.v1.GetCryptoKeyVersionRequest\x1a%.google.cloud.kms.v1.CryptoKeyVersion"\\\x82\xd3\xe4\x93\x02O\x12M/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}\xda\x41\x04name\x12\xc0\x01\n\x0cGetPublicKey\x12(.google.cloud.kms.v1.GetPublicKeyRequest\x1a\x1e.google.cloud.kms.v1.PublicKey"f\x82\xd3\xe4\x93\x02Y\x12W/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}/publicKey\xda\x41\x04name\x12\xa2\x01\n\x0cGetImportJob\x12(.google.cloud.kms.v1.GetImportJobRequest\x1a\x1e.google.cloud.kms.v1.ImportJob"H\x82\xd3\xe4\x93\x02;\x12\x39/v1/{name=projects/*/locations/*/keyRings/*/importJobs/*}\xda\x41\x04name\x12\xb6\x01\n\rCreateKeyRing\x12).google.cloud.kms.v1.CreateKeyRingRequest\x1a\x1c.google.cloud.kms.v1.KeyRing"\\\x82\xd3\xe4\x93\x02\x38",/v1/{parent=projects/*/locations/*}/keyRings:\x08key_ring\xda\x41\x1bparent,key_ring_id,key_ring\x12\xcf\x01\n\x0f\x43reateCryptoKey\x12+.google.cloud.kms.v1.CreateCryptoKeyRequest\x1a\x1e.google.cloud.kms.v1.CryptoKey"o\x82\xd3\xe4\x93\x02G"9/v1/{parent=projects/*/locations/*/keyRings/*}/cryptoKeys:\ncrypto_key\xda\x41\x1fparent,crypto_key_id,crypto_key\x12\xfb\x01\n\x16\x43reateCryptoKeyVersion\x12\x32.google.cloud.kms.v1.CreateCryptoKeyVersionRequest\x1a%.google.cloud.kms.v1.CryptoKeyVersion"\x85\x01\x82\xd3\xe4\x93\x02\x63"M/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions:\x12\x63rypto_key_version\xda\x41\x19parent,crypto_key_version\x12\xd4\x01\n\x16ImportCryptoKeyVersion\x12\x32.google.cloud.kms.v1.ImportCryptoKeyVersionRequest\x1a%.google.cloud.kms.v1.CryptoKeyVersion"_\x82\xd3\xe4\x93\x02Y"T/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions:import:\x01*\x12\xcf\x01\n\x0f\x43reateImportJob\x12+.google.cloud.kms.v1.CreateImportJobRequest\x1a\x1e.google.cloud.kms.v1.ImportJob"o\x82\xd3\xe4\x93\x02G"9/v1/{parent=projects/*/locations/*/keyRings/*}/importJobs:\nimport_job\xda\x41\x1fparent,import_job_id,import_job\x12\xd1\x01\n\x0fUpdateCryptoKey\x12+.google.cloud.kms.v1.UpdateCryptoKeyRequest\x1a\x1e.google.cloud.kms.v1.CryptoKey"q\x82\xd3\xe4\x93\x02R2D/v1/{crypto_key.name=projects/*/locations/*/keyRings/*/cryptoKeys/*}:\ncrypto_key\xda\x41\x16\x63rypto_key,update_mask\x12\x93\x02\n\x16UpdateCryptoKeyVersion\x12\x32.google.cloud.kms.v1.UpdateCryptoKeyVersionRequest\x1a%.google.cloud.kms.v1.CryptoKeyVersion"\x9d\x01\x82\xd3\xe4\x93\x02v2`/v1/{crypto_key_version.name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:\x12\x63rypto_key_version\xda\x41\x1e\x63rypto_key_version,update_mask\x12\xb4\x01\n\x07\x45ncrypt\x12#.google.cloud.kms.v1.EncryptRequest\x1a$.google.cloud.kms.v1.EncryptResponse"^\x82\xd3\xe4\x93\x02G"B/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/**}:encrypt:\x01*\xda\x41\x0ename,plaintext\x12\xb4\x01\n\x07\x44\x65\x63rypt\x12#.google.cloud.kms.v1.DecryptRequest\x1a$.google.cloud.kms.v1.DecryptResponse"^\x82\xd3\xe4\x93\x02\x46"A/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}:decrypt:\x01*\xda\x41\x0fname,ciphertext\x12\xe0\x01\n\x0e\x41symmetricSign\x12*.google.cloud.kms.v1.AsymmetricSignRequest\x1a+.google.cloud.kms.v1.AsymmetricSignResponse"u\x82\xd3\xe4\x93\x02\x61"\\/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:asymmetricSign:\x01*\xda\x41\x0bname,digest\x12\xf0\x01\n\x11\x41symmetricDecrypt\x12-.google.cloud.kms.v1.AsymmetricDecryptRequest\x1a..google.cloud.kms.v1.AsymmetricDecryptResponse"|\x82\xd3\xe4\x93\x02\x64"_/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:asymmetricDecrypt:\x01*\xda\x41\x0fname,ciphertext\x12\xf2\x01\n\x1dUpdateCryptoKeyPrimaryVersion\x12\x39.google.cloud.kms.v1.UpdateCryptoKeyPrimaryVersionRequest\x1a\x1e.google.cloud.kms.v1.CryptoKey"v\x82\xd3\xe4\x93\x02S"N/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}:updatePrimaryVersion:\x01*\xda\x41\x1aname,crypto_key_version_id\x12\xde\x01\n\x17\x44\x65stroyCryptoKeyVersion\x12\x33.google.cloud.kms.v1.DestroyCryptoKeyVersionRequest\x1a%.google.cloud.kms.v1.CryptoKeyVersion"g\x82\xd3\xe4\x93\x02Z"U/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:destroy:\x01*\xda\x41\x04name\x12\xde\x01\n\x17RestoreCryptoKeyVersion\x12\x33.google.cloud.kms.v1.RestoreCryptoKeyVersionRequest\x1a%.google.cloud.kms.v1.CryptoKeyVersion"g\x82\xd3\xe4\x93\x02Z"U/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:restore:\x01*\xda\x41\x04name\x1at\xca\x41\x17\x63loudkms.googleapis.com\xd2\x41Whttps://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/cloudkmsB\x8c\x01\n\x17\x63om.google.cloud.kms.v1B\x08KmsProtoP\x01Z6google.golang.org/genproto/googleapis/cloud/kms/v1;kms\xf8\x01\x01\xaa\x02\x13Google.Cloud.Kms.V1\xca\x02\x13Google\\Cloud\\Kms\\V1b\x06proto3'
-    ),
-    dependencies=[
-        google_dot_api_dot_annotations__pb2.DESCRIPTOR,
-        google_dot_api_dot_client__pb2.DESCRIPTOR,
-        google_dot_api_dot_field__behavior__pb2.DESCRIPTOR,
-        google_dot_api_dot_resource__pb2.DESCRIPTOR,
-        google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2.DESCRIPTOR,
-        google_dot_protobuf_dot_field__mask__pb2.DESCRIPTOR,
-    ],
-)
-
-
-_LISTKEYRINGSREQUEST = _descriptor.Descriptor(
-    name="ListKeyRingsRequest",
-    full_name="google.cloud.kms.v1.ListKeyRingsRequest",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="parent",
-            full_name="google.cloud.kms.v1.ListKeyRingsRequest.parent",
-            index=0,
-            number=1,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b(
-                "\340A\002\372A#\n!locations.googleapis.com/Location"
-            ),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="page_size",
-            full_name="google.cloud.kms.v1.ListKeyRingsRequest.page_size",
-            index=1,
-            number=2,
-            type=5,
-            cpp_type=1,
-            label=1,
-            has_default_value=False,
-            default_value=0,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\001"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="page_token",
-            full_name="google.cloud.kms.v1.ListKeyRingsRequest.page_token",
-            index=2,
-            number=3,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\001"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="filter",
-            full_name="google.cloud.kms.v1.ListKeyRingsRequest.filter",
-            index=3,
-            number=4,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\001"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="order_by",
-            full_name="google.cloud.kms.v1.ListKeyRingsRequest.order_by",
-            index=4,
-            number=5,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\001"),
-            file=DESCRIPTOR,
-        ),
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=None,
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=257,
-    serialized_end=430,
-)
-
-
-_LISTCRYPTOKEYSREQUEST = _descriptor.Descriptor(
-    name="ListCryptoKeysRequest",
-    full_name="google.cloud.kms.v1.ListCryptoKeysRequest",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="parent",
-            full_name="google.cloud.kms.v1.ListCryptoKeysRequest.parent",
-            index=0,
-            number=1,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b(
-                "\340A\002\372A!\n\037cloudkms.googleapis.com/KeyRing"
-            ),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="page_size",
-            full_name="google.cloud.kms.v1.ListCryptoKeysRequest.page_size",
-            index=1,
-            number=2,
-            type=5,
-            cpp_type=1,
-            label=1,
-            has_default_value=False,
-            default_value=0,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\001"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="page_token",
-            full_name="google.cloud.kms.v1.ListCryptoKeysRequest.page_token",
-            index=2,
-            number=3,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\001"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="version_view",
-            full_name="google.cloud.kms.v1.ListCryptoKeysRequest.version_view",
-            index=3,
-            number=4,
-            type=14,
-            cpp_type=8,
-            label=1,
-            has_default_value=False,
-            default_value=0,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="filter",
-            full_name="google.cloud.kms.v1.ListCryptoKeysRequest.filter",
-            index=4,
-            number=5,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\001"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="order_by",
-            full_name="google.cloud.kms.v1.ListCryptoKeysRequest.order_by",
-            index=5,
-            number=6,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\001"),
-            file=DESCRIPTOR,
-        ),
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=None,
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=433,
-    serialized_end=688,
-)
-
-
-_LISTCRYPTOKEYVERSIONSREQUEST = _descriptor.Descriptor(
-    name="ListCryptoKeyVersionsRequest",
-    full_name="google.cloud.kms.v1.ListCryptoKeyVersionsRequest",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="parent",
-            full_name="google.cloud.kms.v1.ListCryptoKeyVersionsRequest.parent",
-            index=0,
-            number=1,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b(
-                "\340A\002\372A#\n!cloudkms.googleapis.com/CryptoKey"
-            ),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="page_size",
-            full_name="google.cloud.kms.v1.ListCryptoKeyVersionsRequest.page_size",
-            index=1,
-            number=2,
-            type=5,
-            cpp_type=1,
-            label=1,
-            has_default_value=False,
-            default_value=0,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\001"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="page_token",
-            full_name="google.cloud.kms.v1.ListCryptoKeyVersionsRequest.page_token",
-            index=2,
-            number=3,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\001"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="view",
-            full_name="google.cloud.kms.v1.ListCryptoKeyVersionsRequest.view",
-            index=3,
-            number=4,
-            type=14,
-            cpp_type=8,
-            label=1,
-            has_default_value=False,
-            default_value=0,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="filter",
-            full_name="google.cloud.kms.v1.ListCryptoKeyVersionsRequest.filter",
-            index=4,
-            number=5,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\001"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="order_by",
-            full_name="google.cloud.kms.v1.ListCryptoKeyVersionsRequest.order_by",
-            index=5,
-            number=6,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\001"),
-            file=DESCRIPTOR,
-        ),
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=None,
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=691,
-    serialized_end=947,
-)
-
-
-_LISTIMPORTJOBSREQUEST = _descriptor.Descriptor(
-    name="ListImportJobsRequest",
-    full_name="google.cloud.kms.v1.ListImportJobsRequest",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="parent",
-            full_name="google.cloud.kms.v1.ListImportJobsRequest.parent",
-            index=0,
-            number=1,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b(
-                "\340A\002\372A!\n\037cloudkms.googleapis.com/KeyRing"
-            ),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="page_size",
-            full_name="google.cloud.kms.v1.ListImportJobsRequest.page_size",
-            index=1,
-            number=2,
-            type=5,
-            cpp_type=1,
-            label=1,
-            has_default_value=False,
-            default_value=0,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\001"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="page_token",
-            full_name="google.cloud.kms.v1.ListImportJobsRequest.page_token",
-            index=2,
-            number=3,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\001"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="filter",
-            full_name="google.cloud.kms.v1.ListImportJobsRequest.filter",
-            index=3,
-            number=4,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\001"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="order_by",
-            full_name="google.cloud.kms.v1.ListImportJobsRequest.order_by",
-            index=4,
-            number=5,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\001"),
-            file=DESCRIPTOR,
-        ),
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=None,
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=950,
-    serialized_end=1123,
-)
-
-
-_LISTKEYRINGSRESPONSE = _descriptor.Descriptor(
-    name="ListKeyRingsResponse",
-    full_name="google.cloud.kms.v1.ListKeyRingsResponse",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="key_rings",
-            full_name="google.cloud.kms.v1.ListKeyRingsResponse.key_rings",
-            index=0,
-            number=1,
-            type=11,
-            cpp_type=10,
-            label=3,
-            has_default_value=False,
-            default_value=[],
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="next_page_token",
-            full_name="google.cloud.kms.v1.ListKeyRingsResponse.next_page_token",
-            index=1,
-            number=2,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="total_size",
-            full_name="google.cloud.kms.v1.ListKeyRingsResponse.total_size",
-            index=2,
-            number=3,
-            type=5,
-            cpp_type=1,
-            label=1,
-            has_default_value=False,
-            default_value=0,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        ),
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=None,
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=1125,
-    serialized_end=1241,
-)
-
-
-_LISTCRYPTOKEYSRESPONSE = _descriptor.Descriptor(
-    name="ListCryptoKeysResponse",
-    full_name="google.cloud.kms.v1.ListCryptoKeysResponse",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="crypto_keys",
-            full_name="google.cloud.kms.v1.ListCryptoKeysResponse.crypto_keys",
-            index=0,
-            number=1,
-            type=11,
-            cpp_type=10,
-            label=3,
-            has_default_value=False,
-            default_value=[],
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="next_page_token",
-            full_name="google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token",
-            index=1,
-            number=2,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="total_size",
-            full_name="google.cloud.kms.v1.ListCryptoKeysResponse.total_size",
-            index=2,
-            number=3,
-            type=5,
-            cpp_type=1,
-            label=1,
-            has_default_value=False,
-            default_value=0,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        ),
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=None,
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=1243,
-    serialized_end=1365,
-)
-
-
-_LISTCRYPTOKEYVERSIONSRESPONSE = _descriptor.Descriptor(
-    name="ListCryptoKeyVersionsResponse",
-    full_name="google.cloud.kms.v1.ListCryptoKeyVersionsResponse",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="crypto_key_versions",
-            full_name="google.cloud.kms.v1.ListCryptoKeyVersionsResponse.crypto_key_versions",
-            index=0,
-            number=1,
-            type=11,
-            cpp_type=10,
-            label=3,
-            has_default_value=False,
-            default_value=[],
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="next_page_token",
-            full_name="google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token",
-            index=1,
-            number=2,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="total_size",
-            full_name="google.cloud.kms.v1.ListCryptoKeyVersionsResponse.total_size",
-            index=2,
-            number=3,
-            type=5,
-            cpp_type=1,
-            label=1,
-            has_default_value=False,
-            default_value=0,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        ),
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=None,
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=1368,
-    serialized_end=1512,
-)
-
-
-_LISTIMPORTJOBSRESPONSE = _descriptor.Descriptor(
-    name="ListImportJobsResponse",
-    full_name="google.cloud.kms.v1.ListImportJobsResponse",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="import_jobs",
-            full_name="google.cloud.kms.v1.ListImportJobsResponse.import_jobs",
-            index=0,
-            number=1,
-            type=11,
-            cpp_type=10,
-            label=3,
-            has_default_value=False,
-            default_value=[],
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="next_page_token",
-            full_name="google.cloud.kms.v1.ListImportJobsResponse.next_page_token",
-            index=1,
-            number=2,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="total_size",
-            full_name="google.cloud.kms.v1.ListImportJobsResponse.total_size",
-            index=2,
-            number=3,
-            type=5,
-            cpp_type=1,
-            label=1,
-            has_default_value=False,
-            default_value=0,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        ),
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=None,
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=1514,
-    serialized_end=1636,
-)
-
-
-_GETKEYRINGREQUEST = _descriptor.Descriptor(
-    name="GetKeyRingRequest",
-    full_name="google.cloud.kms.v1.GetKeyRingRequest",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="name",
-            full_name="google.cloud.kms.v1.GetKeyRingRequest.name",
-            index=0,
-            number=1,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b(
-                "\340A\002\372A!\n\037cloudkms.googleapis.com/KeyRing"
-            ),
-            file=DESCRIPTOR,
-        )
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=None,
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=1638,
-    serialized_end=1712,
-)
-
-
-_GETCRYPTOKEYREQUEST = _descriptor.Descriptor(
-    name="GetCryptoKeyRequest",
-    full_name="google.cloud.kms.v1.GetCryptoKeyRequest",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="name",
-            full_name="google.cloud.kms.v1.GetCryptoKeyRequest.name",
-            index=0,
-            number=1,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b(
-                "\340A\002\372A#\n!cloudkms.googleapis.com/CryptoKey"
-            ),
-            file=DESCRIPTOR,
-        )
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=None,
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=1714,
-    serialized_end=1792,
-)
-
-
-_GETCRYPTOKEYVERSIONREQUEST = _descriptor.Descriptor(
-    name="GetCryptoKeyVersionRequest",
-    full_name="google.cloud.kms.v1.GetCryptoKeyVersionRequest",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="name",
-            full_name="google.cloud.kms.v1.GetCryptoKeyVersionRequest.name",
-            index=0,
-            number=1,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b(
-                "\340A\002\372A*\n(cloudkms.googleapis.com/CryptoKeyVersion"
-            ),
-            file=DESCRIPTOR,
-        )
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=None,
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=1794,
-    serialized_end=1886,
-)
-
-
-_GETPUBLICKEYREQUEST = _descriptor.Descriptor(
-    name="GetPublicKeyRequest",
-    full_name="google.cloud.kms.v1.GetPublicKeyRequest",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="name",
-            full_name="google.cloud.kms.v1.GetPublicKeyRequest.name",
-            index=0,
-            number=1,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b(
-                "\340A\002\372A*\n(cloudkms.googleapis.com/CryptoKeyVersion"
-            ),
-            file=DESCRIPTOR,
-        )
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=None,
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=1888,
-    serialized_end=1973,
-)
-
-
-_GETIMPORTJOBREQUEST = _descriptor.Descriptor(
-    name="GetImportJobRequest",
-    full_name="google.cloud.kms.v1.GetImportJobRequest",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="name",
-            full_name="google.cloud.kms.v1.GetImportJobRequest.name",
-            index=0,
-            number=1,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b(
-                "\340A\002\372A#\n!cloudkms.googleapis.com/ImportJob"
-            ),
-            file=DESCRIPTOR,
-        )
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=None,
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=1975,
-    serialized_end=2053,
-)
-
-
-_CREATEKEYRINGREQUEST = _descriptor.Descriptor(
-    name="CreateKeyRingRequest",
-    full_name="google.cloud.kms.v1.CreateKeyRingRequest",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="parent",
-            full_name="google.cloud.kms.v1.CreateKeyRingRequest.parent",
-            index=0,
-            number=1,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b(
-                "\340A\002\372A#\n!locations.googleapis.com/Location"
-            ),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="key_ring_id",
-            full_name="google.cloud.kms.v1.CreateKeyRingRequest.key_ring_id",
-            index=1,
-            number=2,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\002"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="key_ring",
-            full_name="google.cloud.kms.v1.CreateKeyRingRequest.key_ring",
-            index=2,
-            number=3,
-            type=11,
-            cpp_type=10,
-            label=1,
-            has_default_value=False,
-            default_value=None,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\002"),
-            file=DESCRIPTOR,
-        ),
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=None,
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=2056,
-    serialized_end=2216,
-)
-
-
-_CREATECRYPTOKEYREQUEST = _descriptor.Descriptor(
-    name="CreateCryptoKeyRequest",
-    full_name="google.cloud.kms.v1.CreateCryptoKeyRequest",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="parent",
-            full_name="google.cloud.kms.v1.CreateCryptoKeyRequest.parent",
-            index=0,
-            number=1,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b(
-                "\340A\002\372A!\n\037cloudkms.googleapis.com/KeyRing"
-            ),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="crypto_key_id",
-            full_name="google.cloud.kms.v1.CreateCryptoKeyRequest.crypto_key_id",
-            index=1,
-            number=2,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\002"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="crypto_key",
-            full_name="google.cloud.kms.v1.CreateCryptoKeyRequest.crypto_key",
-            index=2,
-            number=3,
-            type=11,
-            cpp_type=10,
-            label=1,
-            has_default_value=False,
-            default_value=None,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\002"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="skip_initial_version_creation",
-            full_name="google.cloud.kms.v1.CreateCryptoKeyRequest.skip_initial_version_creation",
-            index=3,
-            number=5,
-            type=8,
-            cpp_type=7,
-            label=1,
-            has_default_value=False,
-            default_value=False,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        ),
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=None,
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=2219,
-    serialized_end=2424,
-)
-
-
-_CREATECRYPTOKEYVERSIONREQUEST = _descriptor.Descriptor(
-    name="CreateCryptoKeyVersionRequest",
-    full_name="google.cloud.kms.v1.CreateCryptoKeyVersionRequest",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="parent",
-            full_name="google.cloud.kms.v1.CreateCryptoKeyVersionRequest.parent",
-            index=0,
-            number=1,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b(
-                "\340A\002\372A#\n!cloudkms.googleapis.com/CryptoKey"
-            ),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="crypto_key_version",
-            full_name="google.cloud.kms.v1.CreateCryptoKeyVersionRequest.crypto_key_version",
-            index=1,
-            number=2,
-            type=11,
-            cpp_type=10,
-            label=1,
-            has_default_value=False,
-            default_value=None,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\002"),
-            file=DESCRIPTOR,
-        ),
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=None,
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=2427,
-    serialized_end=2589,
-)
-
-
-_IMPORTCRYPTOKEYVERSIONREQUEST = _descriptor.Descriptor(
-    name="ImportCryptoKeyVersionRequest",
-    full_name="google.cloud.kms.v1.ImportCryptoKeyVersionRequest",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="parent",
-            full_name="google.cloud.kms.v1.ImportCryptoKeyVersionRequest.parent",
-            index=0,
-            number=1,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b(
-                "\340A\002\372A#\n!cloudkms.googleapis.com/CryptoKey"
-            ),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="algorithm",
-            full_name="google.cloud.kms.v1.ImportCryptoKeyVersionRequest.algorithm",
-            index=1,
-            number=2,
-            type=14,
-            cpp_type=8,
-            label=1,
-            has_default_value=False,
-            default_value=0,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\002"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="import_job",
-            full_name="google.cloud.kms.v1.ImportCryptoKeyVersionRequest.import_job",
-            index=2,
-            number=4,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\002"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="rsa_aes_wrapped_key",
-            full_name="google.cloud.kms.v1.ImportCryptoKeyVersionRequest.rsa_aes_wrapped_key",
-            index=3,
-            number=5,
-            type=12,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b(""),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        ),
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=None,
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[
-        _descriptor.OneofDescriptor(
-            name="wrapped_key_material",
-            full_name="google.cloud.kms.v1.ImportCryptoKeyVersionRequest.wrapped_key_material",
-            index=0,
-            containing_type=None,
-            fields=[],
-        )
-    ],
-    serialized_start=2592,
-    serialized_end=2851,
-)
-
-
-_CREATEIMPORTJOBREQUEST = _descriptor.Descriptor(
-    name="CreateImportJobRequest",
-    full_name="google.cloud.kms.v1.CreateImportJobRequest",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="parent",
-            full_name="google.cloud.kms.v1.CreateImportJobRequest.parent",
-            index=0,
-            number=1,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b(
-                "\340A\002\372A!\n\037cloudkms.googleapis.com/KeyRing"
-            ),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="import_job_id",
-            full_name="google.cloud.kms.v1.CreateImportJobRequest.import_job_id",
-            index=1,
-            number=2,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\002"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="import_job",
-            full_name="google.cloud.kms.v1.CreateImportJobRequest.import_job",
-            index=2,
-            number=3,
-            type=11,
-            cpp_type=10,
-            label=1,
-            has_default_value=False,
-            default_value=None,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\002"),
-            file=DESCRIPTOR,
-        ),
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=None,
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=2854,
-    serialized_end=3020,
-)
-
-
-_UPDATECRYPTOKEYREQUEST = _descriptor.Descriptor(
-    name="UpdateCryptoKeyRequest",
-    full_name="google.cloud.kms.v1.UpdateCryptoKeyRequest",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="crypto_key",
-            full_name="google.cloud.kms.v1.UpdateCryptoKeyRequest.crypto_key",
-            index=0,
-            number=1,
-            type=11,
-            cpp_type=10,
-            label=1,
-            has_default_value=False,
-            default_value=None,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\002"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="update_mask",
-            full_name="google.cloud.kms.v1.UpdateCryptoKeyRequest.update_mask",
-            index=1,
-            number=2,
-            type=11,
-            cpp_type=10,
-            label=1,
-            has_default_value=False,
-            default_value=None,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\002"),
-            file=DESCRIPTOR,
-        ),
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=None,
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=3023,
-    serialized_end=3158,
-)
-
-
-_UPDATECRYPTOKEYVERSIONREQUEST = _descriptor.Descriptor(
-    name="UpdateCryptoKeyVersionRequest",
-    full_name="google.cloud.kms.v1.UpdateCryptoKeyVersionRequest",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="crypto_key_version",
-            full_name="google.cloud.kms.v1.UpdateCryptoKeyVersionRequest.crypto_key_version",
-            index=0,
-            number=1,
-            type=11,
-            cpp_type=10,
-            label=1,
-            has_default_value=False,
-            default_value=None,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\002"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="update_mask",
-            full_name="google.cloud.kms.v1.UpdateCryptoKeyVersionRequest.update_mask",
-            index=1,
-            number=2,
-            type=11,
-            cpp_type=10,
-            label=1,
-            has_default_value=False,
-            default_value=None,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\002"),
-            file=DESCRIPTOR,
-        ),
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=None,
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=3161,
-    serialized_end=3318,
-)
-
-
-_ENCRYPTREQUEST = _descriptor.Descriptor(
-    name="EncryptRequest",
-    full_name="google.cloud.kms.v1.EncryptRequest",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="name",
-            full_name="google.cloud.kms.v1.EncryptRequest.name",
-            index=0,
-            number=1,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\002\372A\003\n\001*"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="plaintext",
-            full_name="google.cloud.kms.v1.EncryptRequest.plaintext",
-            index=1,
-            number=2,
-            type=12,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b(""),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\002"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="additional_authenticated_data",
-            full_name="google.cloud.kms.v1.EncryptRequest.additional_authenticated_data",
-            index=2,
-            number=3,
-            type=12,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b(""),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\001"),
-            file=DESCRIPTOR,
-        ),
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=None,
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=3320,
-    serialized_end=3429,
-)
-
-
-_DECRYPTREQUEST = _descriptor.Descriptor(
-    name="DecryptRequest",
-    full_name="google.cloud.kms.v1.DecryptRequest",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="name",
-            full_name="google.cloud.kms.v1.DecryptRequest.name",
-            index=0,
-            number=1,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b(
-                "\340A\002\372A#\n!cloudkms.googleapis.com/CryptoKey"
-            ),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="ciphertext",
-            full_name="google.cloud.kms.v1.DecryptRequest.ciphertext",
-            index=1,
-            number=2,
-            type=12,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b(""),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\002"),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="additional_authenticated_data",
-            full_name="google.cloud.kms.v1.DecryptRequest.additional_authenticated_data",
-            index=2,
-            number=3,
-            type=12,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b(""),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\001"),
-            file=DESCRIPTOR,
-        ),
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=None,
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=3432,
-    serialized_end=3574,
-)
-
-
-_ASYMMETRICSIGNREQUEST = _descriptor.Descriptor(
-    name="AsymmetricSignRequest",
-    full_name="google.cloud.kms.v1.AsymmetricSignRequest",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="name",
-            full_name="google.cloud.kms.v1.AsymmetricSignRequest.name",
-            index=0,
-            number=1,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b(
-                "\340A\002\372A*\n(cloudkms.googleapis.com/CryptoKeyVersion"
-            ),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="digest",
-            full_name="google.cloud.kms.v1.AsymmetricSignRequest.digest",
-            index=1,
-            number=3,
-            type=11,
-            cpp_type=10,
-            label=1,
-            has_default_value=False,
-            default_value=None,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\002"),
-            file=DESCRIPTOR,
-        ),
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=None,
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=3577,
-    serialized_end=3714,
-)
-
-
-_ASYMMETRICDECRYPTREQUEST = _descriptor.Descriptor(
-    name="AsymmetricDecryptRequest",
-    full_name="google.cloud.kms.v1.AsymmetricDecryptRequest",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="name",
-            full_name="google.cloud.kms.v1.AsymmetricDecryptRequest.name",
-            index=0,
-            number=1,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b(
-                "\340A\002\372A*\n(cloudkms.googleapis.com/CryptoKeyVersion"
-            ),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="ciphertext",
-            full_name="google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext",
-            index=1,
-            number=3,
-            type=12,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b(""),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\002"),
-            file=DESCRIPTOR,
-        ),
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=None,
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=3716,
-    serialized_end=3831,
-)
-
-
-_DECRYPTRESPONSE = _descriptor.Descriptor(
-    name="DecryptResponse",
-    full_name="google.cloud.kms.v1.DecryptResponse",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="plaintext",
-            full_name="google.cloud.kms.v1.DecryptResponse.plaintext",
-            index=0,
-            number=1,
-            type=12,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b(""),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        )
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=None,
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=3833,
-    serialized_end=3869,
-)
-
-
-_ENCRYPTRESPONSE = _descriptor.Descriptor(
-    name="EncryptResponse",
-    full_name="google.cloud.kms.v1.EncryptResponse",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="name",
-            full_name="google.cloud.kms.v1.EncryptResponse.name",
-            index=0,
-            number=1,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="ciphertext",
-            full_name="google.cloud.kms.v1.EncryptResponse.ciphertext",
-            index=1,
-            number=2,
-            type=12,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b(""),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        ),
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=None,
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=3871,
-    serialized_end=3922,
-)
-
-
-_ASYMMETRICSIGNRESPONSE = _descriptor.Descriptor(
-    name="AsymmetricSignResponse",
-    full_name="google.cloud.kms.v1.AsymmetricSignResponse",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="signature",
-            full_name="google.cloud.kms.v1.AsymmetricSignResponse.signature",
-            index=0,
-            number=1,
-            type=12,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b(""),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        )
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=None,
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=3924,
-    serialized_end=3967,
-)
-
-
-_ASYMMETRICDECRYPTRESPONSE = _descriptor.Descriptor(
-    name="AsymmetricDecryptResponse",
-    full_name="google.cloud.kms.v1.AsymmetricDecryptResponse",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="plaintext",
-            full_name="google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext",
-            index=0,
-            number=1,
-            type=12,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b(""),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        )
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=None,
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=3969,
-    serialized_end=4015,
-)
-
-
-_UPDATECRYPTOKEYPRIMARYVERSIONREQUEST = _descriptor.Descriptor(
-    name="UpdateCryptoKeyPrimaryVersionRequest",
-    full_name="google.cloud.kms.v1.UpdateCryptoKeyPrimaryVersionRequest",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="name",
-            full_name="google.cloud.kms.v1.UpdateCryptoKeyPrimaryVersionRequest.name",
-            index=0,
-            number=1,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b(
-                "\340A\002\372A#\n!cloudkms.googleapis.com/CryptoKey"
-            ),
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="crypto_key_version_id",
-            full_name="google.cloud.kms.v1.UpdateCryptoKeyPrimaryVersionRequest.crypto_key_version_id",
-            index=1,
-            number=2,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b("\340A\002"),
-            file=DESCRIPTOR,
-        ),
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=None,
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=4018,
-    serialized_end=4149,
-)
-
-
-_DESTROYCRYPTOKEYVERSIONREQUEST = _descriptor.Descriptor(
-    name="DestroyCryptoKeyVersionRequest",
-    full_name="google.cloud.kms.v1.DestroyCryptoKeyVersionRequest",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="name",
-            full_name="google.cloud.kms.v1.DestroyCryptoKeyVersionRequest.name",
-            index=0,
-            number=1,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b(
-                "\340A\002\372A*\n(cloudkms.googleapis.com/CryptoKeyVersion"
-            ),
-            file=DESCRIPTOR,
-        )
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=None,
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=4151,
-    serialized_end=4247,
-)
-
-
-_RESTORECRYPTOKEYVERSIONREQUEST = _descriptor.Descriptor(
-    name="RestoreCryptoKeyVersionRequest",
-    full_name="google.cloud.kms.v1.RestoreCryptoKeyVersionRequest",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="name",
-            full_name="google.cloud.kms.v1.RestoreCryptoKeyVersionRequest.name",
-            index=0,
-            number=1,
-            type=9,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b("").decode("utf-8"),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=_b(
-                "\340A\002\372A*\n(cloudkms.googleapis.com/CryptoKeyVersion"
-            ),
-            file=DESCRIPTOR,
-        )
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=None,
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=4249,
-    serialized_end=4345,
-)
-
-
-_DIGEST = _descriptor.Descriptor(
-    name="Digest",
-    full_name="google.cloud.kms.v1.Digest",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="sha256",
-            full_name="google.cloud.kms.v1.Digest.sha256",
-            index=0,
-            number=1,
-            type=12,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b(""),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="sha384",
-            full_name="google.cloud.kms.v1.Digest.sha384",
-            index=1,
-            number=2,
-            type=12,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b(""),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="sha512",
-            full_name="google.cloud.kms.v1.Digest.sha512",
-            index=2,
-            number=3,
-            type=12,
-            cpp_type=9,
-            label=1,
-            has_default_value=False,
-            default_value=_b(""),
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        ),
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=None,
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[
-        _descriptor.OneofDescriptor(
-            name="digest",
-            full_name="google.cloud.kms.v1.Digest.digest",
-            index=0,
-            containing_type=None,
-            fields=[],
-        )
-    ],
-    serialized_start=4347,
-    serialized_end=4419,
-)
-
-
-_LOCATIONMETADATA = _descriptor.Descriptor(
-    name="LocationMetadata",
-    full_name="google.cloud.kms.v1.LocationMetadata",
-    filename=None,
-    file=DESCRIPTOR,
-    containing_type=None,
-    fields=[
-        _descriptor.FieldDescriptor(
-            name="hsm_available",
-            full_name="google.cloud.kms.v1.LocationMetadata.hsm_available",
-            index=0,
-            number=1,
-            type=8,
-            cpp_type=7,
-            label=1,
-            has_default_value=False,
-            default_value=False,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        ),
-        _descriptor.FieldDescriptor(
-            name="ekm_available",
-            full_name="google.cloud.kms.v1.LocationMetadata.ekm_available",
-            index=1,
-            number=2,
-            type=8,
-            cpp_type=7,
-            label=1,
-            has_default_value=False,
-            default_value=False,
-            message_type=None,
-            enum_type=None,
-            containing_type=None,
-            is_extension=False,
-            extension_scope=None,
-            serialized_options=None,
-            file=DESCRIPTOR,
-        ),
-    ],
-    extensions=[],
-    nested_types=[],
-    enum_types=[],
-    serialized_options=None,
-    is_extendable=False,
-    syntax="proto3",
-    extension_ranges=[],
-    oneofs=[],
-    serialized_start=4421,
-    serialized_end=4485,
-)
-
-_LISTCRYPTOKEYSREQUEST.fields_by_name[
-    "version_view"
-].enum_type = (
-    google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2._CRYPTOKEYVERSION_CRYPTOKEYVERSIONVIEW
-)
-_LISTCRYPTOKEYVERSIONSREQUEST.fields_by_name[
-    "view"
-].enum_type = (
-    google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2._CRYPTOKEYVERSION_CRYPTOKEYVERSIONVIEW
-)
-_LISTKEYRINGSRESPONSE.fields_by_name[
-    "key_rings"
-].message_type = google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2._KEYRING
-_LISTCRYPTOKEYSRESPONSE.fields_by_name[
-    "crypto_keys"
-].message_type = google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2._CRYPTOKEY
-_LISTCRYPTOKEYVERSIONSRESPONSE.fields_by_name[
-    "crypto_key_versions"
-].message_type = (
-    google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2._CRYPTOKEYVERSION
-)
-_LISTIMPORTJOBSRESPONSE.fields_by_name[
-    "import_jobs"
-].message_type = google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2._IMPORTJOB
-_CREATEKEYRINGREQUEST.fields_by_name[
-    "key_ring"
-].message_type = google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2._KEYRING
-_CREATECRYPTOKEYREQUEST.fields_by_name[
-    "crypto_key"
-].message_type = google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2._CRYPTOKEY
-_CREATECRYPTOKEYVERSIONREQUEST.fields_by_name[
-    "crypto_key_version"
-].message_type = (
-    google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2._CRYPTOKEYVERSION
-)
-_IMPORTCRYPTOKEYVERSIONREQUEST.fields_by_name[
-    "algorithm"
-].enum_type = (
-    google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2._CRYPTOKEYVERSION_CRYPTOKEYVERSIONALGORITHM
-)
-_IMPORTCRYPTOKEYVERSIONREQUEST.oneofs_by_name["wrapped_key_material"].fields.append(
-    _IMPORTCRYPTOKEYVERSIONREQUEST.fields_by_name["rsa_aes_wrapped_key"]
-)
-_IMPORTCRYPTOKEYVERSIONREQUEST.fields_by_name[
-    "rsa_aes_wrapped_key"
-].containing_oneof = _IMPORTCRYPTOKEYVERSIONREQUEST.oneofs_by_name[
-    "wrapped_key_material"
-]
-_CREATEIMPORTJOBREQUEST.fields_by_name[
-    "import_job"
-].message_type = google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2._IMPORTJOB
-_UPDATECRYPTOKEYREQUEST.fields_by_name[
-    "crypto_key"
-].message_type = google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2._CRYPTOKEY
-_UPDATECRYPTOKEYREQUEST.fields_by_name[
-    "update_mask"
-].message_type = google_dot_protobuf_dot_field__mask__pb2._FIELDMASK
-_UPDATECRYPTOKEYVERSIONREQUEST.fields_by_name[
-    "crypto_key_version"
-].message_type = (
-    google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2._CRYPTOKEYVERSION
-)
-_UPDATECRYPTOKEYVERSIONREQUEST.fields_by_name[
-    "update_mask"
-].message_type = google_dot_protobuf_dot_field__mask__pb2._FIELDMASK
-_ASYMMETRICSIGNREQUEST.fields_by_name["digest"].message_type = _DIGEST
-_DIGEST.oneofs_by_name["digest"].fields.append(_DIGEST.fields_by_name["sha256"])
-_DIGEST.fields_by_name["sha256"].containing_oneof = _DIGEST.oneofs_by_name["digest"]
-_DIGEST.oneofs_by_name["digest"].fields.append(_DIGEST.fields_by_name["sha384"])
-_DIGEST.fields_by_name["sha384"].containing_oneof = _DIGEST.oneofs_by_name["digest"]
-_DIGEST.oneofs_by_name["digest"].fields.append(_DIGEST.fields_by_name["sha512"])
-_DIGEST.fields_by_name["sha512"].containing_oneof = _DIGEST.oneofs_by_name["digest"]
-DESCRIPTOR.message_types_by_name["ListKeyRingsRequest"] = _LISTKEYRINGSREQUEST
-DESCRIPTOR.message_types_by_name["ListCryptoKeysRequest"] = _LISTCRYPTOKEYSREQUEST
-DESCRIPTOR.message_types_by_name[
-    "ListCryptoKeyVersionsRequest"
-] = _LISTCRYPTOKEYVERSIONSREQUEST
-DESCRIPTOR.message_types_by_name["ListImportJobsRequest"] = _LISTIMPORTJOBSREQUEST
-DESCRIPTOR.message_types_by_name["ListKeyRingsResponse"] = _LISTKEYRINGSRESPONSE
-DESCRIPTOR.message_types_by_name["ListCryptoKeysResponse"] = _LISTCRYPTOKEYSRESPONSE
-DESCRIPTOR.message_types_by_name[
-    "ListCryptoKeyVersionsResponse"
-] = _LISTCRYPTOKEYVERSIONSRESPONSE
-DESCRIPTOR.message_types_by_name["ListImportJobsResponse"] = _LISTIMPORTJOBSRESPONSE
-DESCRIPTOR.message_types_by_name["GetKeyRingRequest"] = _GETKEYRINGREQUEST
-DESCRIPTOR.message_types_by_name["GetCryptoKeyRequest"] = _GETCRYPTOKEYREQUEST
-DESCRIPTOR.message_types_by_name[
-    "GetCryptoKeyVersionRequest"
-] = _GETCRYPTOKEYVERSIONREQUEST
-DESCRIPTOR.message_types_by_name["GetPublicKeyRequest"] = _GETPUBLICKEYREQUEST
-DESCRIPTOR.message_types_by_name["GetImportJobRequest"] = _GETIMPORTJOBREQUEST
-DESCRIPTOR.message_types_by_name["CreateKeyRingRequest"] = _CREATEKEYRINGREQUEST
-DESCRIPTOR.message_types_by_name["CreateCryptoKeyRequest"] = _CREATECRYPTOKEYREQUEST
-DESCRIPTOR.message_types_by_name[
-    "CreateCryptoKeyVersionRequest"
-] = _CREATECRYPTOKEYVERSIONREQUEST
-DESCRIPTOR.message_types_by_name[
-    "ImportCryptoKeyVersionRequest"
-] = _IMPORTCRYPTOKEYVERSIONREQUEST
-DESCRIPTOR.message_types_by_name["CreateImportJobRequest"] = _CREATEIMPORTJOBREQUEST
-DESCRIPTOR.message_types_by_name["UpdateCryptoKeyRequest"] = _UPDATECRYPTOKEYREQUEST
-DESCRIPTOR.message_types_by_name[
-    "UpdateCryptoKeyVersionRequest"
-] = _UPDATECRYPTOKEYVERSIONREQUEST
-DESCRIPTOR.message_types_by_name["EncryptRequest"] = _ENCRYPTREQUEST
-DESCRIPTOR.message_types_by_name["DecryptRequest"] = _DECRYPTREQUEST
-DESCRIPTOR.message_types_by_name["AsymmetricSignRequest"] = _ASYMMETRICSIGNREQUEST
-DESCRIPTOR.message_types_by_name["AsymmetricDecryptRequest"] = _ASYMMETRICDECRYPTREQUEST
-DESCRIPTOR.message_types_by_name["DecryptResponse"] = _DECRYPTRESPONSE
-DESCRIPTOR.message_types_by_name["EncryptResponse"] = _ENCRYPTRESPONSE
-DESCRIPTOR.message_types_by_name["AsymmetricSignResponse"] = _ASYMMETRICSIGNRESPONSE
-DESCRIPTOR.message_types_by_name[
-    "AsymmetricDecryptResponse"
-] = _ASYMMETRICDECRYPTRESPONSE
-DESCRIPTOR.message_types_by_name[
-    "UpdateCryptoKeyPrimaryVersionRequest"
-] = _UPDATECRYPTOKEYPRIMARYVERSIONREQUEST
-DESCRIPTOR.message_types_by_name[
-    "DestroyCryptoKeyVersionRequest"
-] = _DESTROYCRYPTOKEYVERSIONREQUEST
-DESCRIPTOR.message_types_by_name[
-    "RestoreCryptoKeyVersionRequest"
-] = _RESTORECRYPTOKEYVERSIONREQUEST
-DESCRIPTOR.message_types_by_name["Digest"] = _DIGEST
-DESCRIPTOR.message_types_by_name["LocationMetadata"] = _LOCATIONMETADATA
-_sym_db.RegisterFileDescriptor(DESCRIPTOR)
-
-ListKeyRingsRequest = _reflection.GeneratedProtocolMessageType(
-    "ListKeyRingsRequest",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_LISTKEYRINGSREQUEST,
-        __module__="google.cloud.kms_v1.proto.service_pb2",
-        __doc__="""Request message for [KeyManagementService.ListKeyRings][google.cloud.k
-  ms.v1.KeyManagementService.ListKeyRings].
-  Attributes:
-      parent:
-          Required. The resource name of the location associated with
-          the [KeyRings][google.cloud.kms.v1.KeyRing], in the format
-          ``projects/*/locations/*``.
-      page_size:
-          Optional. Optional limit on the number of
-          [KeyRings][google.cloud.kms.v1.KeyRing] to include in the
-          response. Further [KeyRings][google.cloud.kms.v1.KeyRing] can
-          subsequently be obtained by including the [ListKeyRingsRespons
-          e.next\_page\_token][google.cloud.kms.v1.ListKeyRingsResponse.
-          next\_page\_token] in a subsequent request. If unspecified,
-          the server will pick an appropriate default.
-      page_token:
-          Optional. Optional pagination token, returned earlier via [Lis
-          tKeyRingsResponse.next\_page\_token][google.cloud.kms.v1.ListK
-          eyRingsResponse.next\_page\_token].
-      filter:
-          Optional. Only include resources that match the filter in the
-          response. For more information, see `Sorting and filtering
-          list results <https://cloud.google.com/kms/docs/sorting-and-
-          filtering>`__.
-      order_by:
-          Optional. Specify how the results should be sorted. If not
-          specified, the results will be sorted in the default order.
-          For more information, see `Sorting and filtering list results
-          <https://cloud.google.com/kms/docs/sorting-and-filtering>`__.
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.ListKeyRingsRequest)
-    ),
-)
-_sym_db.RegisterMessage(ListKeyRingsRequest)
-
-ListCryptoKeysRequest = _reflection.GeneratedProtocolMessageType(
-    "ListCryptoKeysRequest",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_LISTCRYPTOKEYSREQUEST,
-        __module__="google.cloud.kms_v1.proto.service_pb2",
-        __doc__="""Request message for [KeyManagementService.ListCryptoKeys][google.cloud
-  .kms.v1.KeyManagementService.ListCryptoKeys].
-  Attributes:
-      parent:
-          Required. The resource name of the
-          [KeyRing][google.cloud.kms.v1.KeyRing] to list, in the format
-          ``projects/*/locations/*/keyRings/*``.
-      page_size:
-          Optional. Optional limit on the number of
-          [CryptoKeys][google.cloud.kms.v1.CryptoKey] to include in the
-          response. Further [CryptoKeys][google.cloud.kms.v1.CryptoKey]
-          can subsequently be obtained by including the [ListCryptoKeysR
-          esponse.next\_page\_token][google.cloud.kms.v1.ListCryptoKeysR
-          esponse.next\_page\_token] in a subsequent request. If
-          unspecified, the server will pick an appropriate default.
-      page_token:
-          Optional. Optional pagination token, returned earlier via [Lis
-          tCryptoKeysResponse.next\_page\_token][google.cloud.kms.v1.Lis
-          tCryptoKeysResponse.next\_page\_token].
-      version_view:
-          The fields of the primary version to include in the response.
-      filter:
-          Optional. Only include resources that match the filter in the
-          response. For more information, see `Sorting and filtering
-          list results <https://cloud.google.com/kms/docs/sorting-and-
-          filtering>`__.
-      order_by:
-          Optional. Specify how the results should be sorted. If not
-          specified, the results will be sorted in the default order.
-          For more information, see `Sorting and filtering list results
-          <https://cloud.google.com/kms/docs/sorting-and-filtering>`__.
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.ListCryptoKeysRequest)
-    ),
-)
-_sym_db.RegisterMessage(ListCryptoKeysRequest)
-
-ListCryptoKeyVersionsRequest = _reflection.GeneratedProtocolMessageType(
-    "ListCryptoKeyVersionsRequest",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_LISTCRYPTOKEYVERSIONSREQUEST,
-        __module__="google.cloud.kms_v1.proto.service_pb2",
-        __doc__="""Request message for [KeyManagementService.ListCryptoKeyVersions][googl
-  e.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
-  Attributes:
-      parent:
-          Required. The resource name of the
-          [CryptoKey][google.cloud.kms.v1.CryptoKey] to list, in the
-          format ``projects/*/locations/*/keyRings/*/cryptoKeys/*``.
-      page_size:
-          Optional. Optional limit on the number of
-          [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] to
-          include in the response. Further
-          [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] can
-          subsequently be obtained by including the [ListCryptoKeyVersio
-          nsResponse.next\_page\_token][google.cloud.kms.v1.ListCryptoKe
-          yVersionsResponse.next\_page\_token] in a subsequent request.
-          If unspecified, the server will pick an appropriate default.
-      page_token:
-          Optional. Optional pagination token, returned earlier via [Lis
-          tCryptoKeyVersionsResponse.next\_page\_token][google.cloud.kms
-          .v1.ListCryptoKeyVersionsResponse.next\_page\_token].
-      view:
-          The fields to include in the response.
-      filter:
-          Optional. Only include resources that match the filter in the
-          response. For more information, see `Sorting and filtering
-          list results <https://cloud.google.com/kms/docs/sorting-and-
-          filtering>`__.
-      order_by:
-          Optional. Specify how the results should be sorted. If not
-          specified, the results will be sorted in the default order.
-          For more information, see `Sorting and filtering list results
-          <https://cloud.google.com/kms/docs/sorting-and-filtering>`__.
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.ListCryptoKeyVersionsRequest)
-    ),
-)
-_sym_db.RegisterMessage(ListCryptoKeyVersionsRequest)
-
-ListImportJobsRequest = _reflection.GeneratedProtocolMessageType(
-    "ListImportJobsRequest",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_LISTIMPORTJOBSREQUEST,
-        __module__="google.cloud.kms_v1.proto.service_pb2",
-        __doc__="""Request message for [KeyManagementService.ListImportJobs][google.cloud
-  .kms.v1.KeyManagementService.ListImportJobs].
-  Attributes:
-      parent:
-          Required. The resource name of the
-          [KeyRing][google.cloud.kms.v1.KeyRing] to list, in the format
-          ``projects/*/locations/*/keyRings/*``.
-      page_size:
-          Optional. Optional limit on the number of
-          [ImportJobs][google.cloud.kms.v1.ImportJob] to include in the
-          response. Further [ImportJobs][google.cloud.kms.v1.ImportJob]
-          can subsequently be obtained by including the [ListImportJobsR
-          esponse.next\_page\_token][google.cloud.kms.v1.ListImportJobsR
-          esponse.next\_page\_token] in a subsequent request. If
-          unspecified, the server will pick an appropriate default.
-      page_token:
-          Optional. Optional pagination token, returned earlier via [Lis
-          tImportJobsResponse.next\_page\_token][google.cloud.kms.v1.Lis
-          tImportJobsResponse.next\_page\_token].
-      filter:
-          Optional. Only include resources that match the filter in the
-          response. For more information, see `Sorting and filtering
-          list results <https://cloud.google.com/kms/docs/sorting-and-
-          filtering>`__.
-      order_by:
-          Optional. Specify how the results should be sorted. If not
-          specified, the results will be sorted in the default order.
-          For more information, see `Sorting and filtering list results
-          <https://cloud.google.com/kms/docs/sorting-and-filtering>`__.
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.ListImportJobsRequest)
-    ),
-)
-_sym_db.RegisterMessage(ListImportJobsRequest)
-
-ListKeyRingsResponse = _reflection.GeneratedProtocolMessageType(
-    "ListKeyRingsResponse",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_LISTKEYRINGSRESPONSE,
-        __module__="google.cloud.kms_v1.proto.service_pb2",
-        __doc__="""Response message for [KeyManagementService.ListKeyRings][google.cloud.
-  kms.v1.KeyManagementService.ListKeyRings].
-  Attributes:
-      key_rings:
-          The list of [KeyRings][google.cloud.kms.v1.KeyRing].
-      next_page_token:
-          A token to retrieve next page of results. Pass this value in [
-          ListKeyRingsRequest.page\_token][google.cloud.kms.v1.ListKeyRi
-          ngsRequest.page\_token] to retrieve the next page of results.
-      total_size:
-          The total number of [KeyRings][google.cloud.kms.v1.KeyRing]
-          that matched the query.
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.ListKeyRingsResponse)
-    ),
-)
-_sym_db.RegisterMessage(ListKeyRingsResponse)
-
-ListCryptoKeysResponse = _reflection.GeneratedProtocolMessageType(
-    "ListCryptoKeysResponse",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_LISTCRYPTOKEYSRESPONSE,
-        __module__="google.cloud.kms_v1.proto.service_pb2",
-        __doc__="""Response message for [KeyManagementService.ListCryptoKeys][google.clou
-  d.kms.v1.KeyManagementService.ListCryptoKeys].
-  Attributes:
-      crypto_keys:
-          The list of [CryptoKeys][google.cloud.kms.v1.CryptoKey].
-      next_page_token:
-          A token to retrieve next page of results. Pass this value in [
-          ListCryptoKeysRequest.page\_token][google.cloud.kms.v1.ListCry
-          ptoKeysRequest.page\_token] to retrieve the next page of
-          results.
-      total_size:
-          The total number of
-          [CryptoKeys][google.cloud.kms.v1.CryptoKey] that matched the
-          query.
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.ListCryptoKeysResponse)
-    ),
-)
-_sym_db.RegisterMessage(ListCryptoKeysResponse)
-
-ListCryptoKeyVersionsResponse = _reflection.GeneratedProtocolMessageType(
-    "ListCryptoKeyVersionsResponse",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_LISTCRYPTOKEYVERSIONSRESPONSE,
-        __module__="google.cloud.kms_v1.proto.service_pb2",
-        __doc__="""Response message for [KeyManagementService.ListCryptoKeyVersions][goog
-  le.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
-  Attributes:
-      crypto_key_versions:
-          The list of
-          [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
-      next_page_token:
-          A token to retrieve next page of results. Pass this value in [
-          ListCryptoKeyVersionsRequest.page\_token][google.cloud.kms.v1.
-          ListCryptoKeyVersionsRequest.page\_token] to retrieve the next
-          page of results.
-      total_size:
-          The total number of
-          [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] that
-          matched the query.
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.ListCryptoKeyVersionsResponse)
-    ),
-)
-_sym_db.RegisterMessage(ListCryptoKeyVersionsResponse)
-
-ListImportJobsResponse = _reflection.GeneratedProtocolMessageType(
-    "ListImportJobsResponse",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_LISTIMPORTJOBSRESPONSE,
-        __module__="google.cloud.kms_v1.proto.service_pb2",
-        __doc__="""Response message for [KeyManagementService.ListImportJobs][google.clou
-  d.kms.v1.KeyManagementService.ListImportJobs].
-  Attributes:
-      import_jobs:
-          The list of [ImportJobs][google.cloud.kms.v1.ImportJob].
-      next_page_token:
-          A token to retrieve next page of results. Pass this value in [
-          ListImportJobsRequest.page\_token][google.cloud.kms.v1.ListImp
-          ortJobsRequest.page\_token] to retrieve the next page of
-          results.
-      total_size:
-          The total number of
-          [ImportJobs][google.cloud.kms.v1.ImportJob] that matched the
-          query.
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.ListImportJobsResponse)
-    ),
-)
-_sym_db.RegisterMessage(ListImportJobsResponse)
-
-GetKeyRingRequest = _reflection.GeneratedProtocolMessageType(
-    "GetKeyRingRequest",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_GETKEYRINGREQUEST,
-        __module__="google.cloud.kms_v1.proto.service_pb2",
-        __doc__="""Request message for [KeyManagementService.GetKeyRing][google.cloud.kms
-  .v1.KeyManagementService.GetKeyRing].
-  Attributes:
-      name:
-          Required. The [name][google.cloud.kms.v1.KeyRing.name] of the
-          [KeyRing][google.cloud.kms.v1.KeyRing] to get.
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.GetKeyRingRequest)
-    ),
-)
-_sym_db.RegisterMessage(GetKeyRingRequest)
-
-GetCryptoKeyRequest = _reflection.GeneratedProtocolMessageType(
-    "GetCryptoKeyRequest",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_GETCRYPTOKEYREQUEST,
-        __module__="google.cloud.kms_v1.proto.service_pb2",
-        __doc__="""Request message for [KeyManagementService.GetCryptoKey][google.cloud.k
-  ms.v1.KeyManagementService.GetCryptoKey].
-  Attributes:
-      name:
-          Required. The [name][google.cloud.kms.v1.CryptoKey.name] of
-          the [CryptoKey][google.cloud.kms.v1.CryptoKey] to get.
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.GetCryptoKeyRequest)
-    ),
-)
-_sym_db.RegisterMessage(GetCryptoKeyRequest)
-
-GetCryptoKeyVersionRequest = _reflection.GeneratedProtocolMessageType(
-    "GetCryptoKeyVersionRequest",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_GETCRYPTOKEYVERSIONREQUEST,
-        __module__="google.cloud.kms_v1.proto.service_pb2",
-        __doc__="""Request message for [KeyManagementService.GetCryptoKeyVersion][google.
-  cloud.kms.v1.KeyManagementService.GetCryptoKeyVersion].
-  Attributes:
-      name:
-          Required. The
-          [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
-          [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to
-          get.
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.GetCryptoKeyVersionRequest)
-    ),
-)
-_sym_db.RegisterMessage(GetCryptoKeyVersionRequest)
-
-GetPublicKeyRequest = _reflection.GeneratedProtocolMessageType(
-    "GetPublicKeyRequest",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_GETPUBLICKEYREQUEST,
-        __module__="google.cloud.kms_v1.proto.service_pb2",
-        __doc__="""Request message for [KeyManagementService.GetPublicKey][google.cloud.k
-  ms.v1.KeyManagementService.GetPublicKey].
-  Attributes:
-      name:
-          Required. The
-          [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
-          [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
-          public key to get.
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.GetPublicKeyRequest)
-    ),
-)
-_sym_db.RegisterMessage(GetPublicKeyRequest)
-
-GetImportJobRequest = _reflection.GeneratedProtocolMessageType(
-    "GetImportJobRequest",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_GETIMPORTJOBREQUEST,
-        __module__="google.cloud.kms_v1.proto.service_pb2",
-        __doc__="""Request message for [KeyManagementService.GetImportJob][google.cloud.k
-  ms.v1.KeyManagementService.GetImportJob].
-  Attributes:
-      name:
-          Required. The [name][google.cloud.kms.v1.ImportJob.name] of
-          the [ImportJob][google.cloud.kms.v1.ImportJob] to get.
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.GetImportJobRequest)
-    ),
-)
-_sym_db.RegisterMessage(GetImportJobRequest)
-
-CreateKeyRingRequest = _reflection.GeneratedProtocolMessageType(
-    "CreateKeyRingRequest",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_CREATEKEYRINGREQUEST,
-        __module__="google.cloud.kms_v1.proto.service_pb2",
-        __doc__="""Request message for [KeyManagementService.CreateKeyRing][google.cloud.
-  kms.v1.KeyManagementService.CreateKeyRing].
-  Attributes:
-      parent:
-          Required. The resource name of the location associated with
-          the [KeyRings][google.cloud.kms.v1.KeyRing], in the format
-          ``projects/*/locations/*``.
-      key_ring_id:
-          Required. It must be unique within a location and match the
-          regular expression ``[a-zA-Z0-9_-]{1,63}``
-      key_ring:
-          Required. A [KeyRing][google.cloud.kms.v1.KeyRing] with
-          initial field values.
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.CreateKeyRingRequest)
-    ),
-)
-_sym_db.RegisterMessage(CreateKeyRingRequest)
-
-CreateCryptoKeyRequest = _reflection.GeneratedProtocolMessageType(
-    "CreateCryptoKeyRequest",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_CREATECRYPTOKEYREQUEST,
-        __module__="google.cloud.kms_v1.proto.service_pb2",
-        __doc__="""Request message for [KeyManagementService.CreateCryptoKey][google.clou
-  d.kms.v1.KeyManagementService.CreateCryptoKey].
-  Attributes:
-      parent:
-          Required. The [name][google.cloud.kms.v1.KeyRing.name] of the
-          KeyRing associated with the
-          [CryptoKeys][google.cloud.kms.v1.CryptoKey].
-      crypto_key_id:
-          Required. It must be unique within a KeyRing and match the
-          regular expression ``[a-zA-Z0-9_-]{1,63}``
-      crypto_key:
-          Required. A [CryptoKey][google.cloud.kms.v1.CryptoKey] with
-          initial field values.
-      skip_initial_version_creation:
-          If set to true, the request will create a
-          [CryptoKey][google.cloud.kms.v1.CryptoKey] without any
-          [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]. You
-          must manually call [CreateCryptoKeyVersion][google.cloud.kms.v
-          1.KeyManagementService.CreateCryptoKeyVersion] or [ImportCrypt
-          oKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCr
-          yptoKeyVersion] before you can use this
-          [CryptoKey][google.cloud.kms.v1.CryptoKey].
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.CreateCryptoKeyRequest)
-    ),
-)
-_sym_db.RegisterMessage(CreateCryptoKeyRequest)
-
-CreateCryptoKeyVersionRequest = _reflection.GeneratedProtocolMessageType(
-    "CreateCryptoKeyVersionRequest",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_CREATECRYPTOKEYVERSIONREQUEST,
-        __module__="google.cloud.kms_v1.proto.service_pb2",
-        __doc__="""Request message for [KeyManagementService.CreateCryptoKeyVersion][goog
-  le.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion].
-  Attributes:
-      parent:
-          Required. The [name][google.cloud.kms.v1.CryptoKey.name] of
-          the [CryptoKey][google.cloud.kms.v1.CryptoKey] associated with
-          the [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
-      crypto_key_version:
-          Required. A
-          [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
-          initial field values.
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.CreateCryptoKeyVersionRequest)
-    ),
-)
-_sym_db.RegisterMessage(CreateCryptoKeyVersionRequest)
-
-ImportCryptoKeyVersionRequest = _reflection.GeneratedProtocolMessageType(
-    "ImportCryptoKeyVersionRequest",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_IMPORTCRYPTOKEYVERSIONREQUEST,
-        __module__="google.cloud.kms_v1.proto.service_pb2",
-        __doc__="""Request message for [KeyManagementService.ImportCryptoKeyVersion][goog
-  le.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].
-  Attributes:
-      parent:
-          Required. The [name][google.cloud.kms.v1.CryptoKey.name] of
-          the [CryptoKey][google.cloud.kms.v1.CryptoKey] to be imported
-          into.
-      algorithm:
-          Required. The [algorithm][google.cloud.kms.v1.CryptoKeyVersion
-          .CryptoKeyVersionAlgorithm] of the key being imported. This
-          does not need to match the [version\_template][google.cloud.km
-          s.v1.CryptoKey.version\_template] of the
-          [CryptoKey][google.cloud.kms.v1.CryptoKey] this version
-          imports into.
-      import_job:
-          Required. The [name][google.cloud.kms.v1.ImportJob.name] of
-          the [ImportJob][google.cloud.kms.v1.ImportJob] that was used
-          to wrap this key material.
-      wrapped_key_material:
-          Required. The incoming wrapped key material that is to be
-          imported.
-      rsa_aes_wrapped_key:
-          Wrapped key material produced with [RSA\_OAEP\_3072\_SHA1\_AES
-          \_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA\_OAEP\_3
-          072\_SHA1\_AES\_256] or [RSA\_OAEP\_4096\_SHA1\_AES\_256][goog
-          le.cloud.kms.v1.ImportJob.ImportMethod.RSA\_OAEP\_4096\_SHA1\_
-          AES\_256].  This field contains the concatenation of two
-          wrapped keys:  .. raw:: html     <ol>  .. raw:: html     <li>
-          An ephemeral AES-256 wrapping key wrapped with the
-          [public\_key][google.cloud.kms.v1.ImportJob.public\_key] using
-          RSAES-OAEP with SHA-1, MGF1 with SHA-1, and an empty label.
-          .. raw:: html     </li>  .. raw:: html     <li>  The key to be
-          imported, wrapped with the ephemeral AES-256 key using AES-KWP
-          (RFC 5649).  .. raw:: html     </li>  .. raw:: html     </ol>
-          If importing symmetric key material, it is expected that the
-          unwrapped key contains plain bytes. If importing asymmetric
-          key material, it is expected that the unwrapped key is in
-          PKCS#8-encoded DER format (the PrivateKeyInfo structure from
-          RFC 5208).  This format is the same as the format produced by
-          PKCS#11 mechanism CKM\_RSA\_AES\_KEY\_WRAP.
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.ImportCryptoKeyVersionRequest)
-    ),
-)
-_sym_db.RegisterMessage(ImportCryptoKeyVersionRequest)
-
-CreateImportJobRequest = _reflection.GeneratedProtocolMessageType(
-    "CreateImportJobRequest",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_CREATEIMPORTJOBREQUEST,
-        __module__="google.cloud.kms_v1.proto.service_pb2",
-        __doc__="""Request message for [KeyManagementService.CreateImportJob][google.clou
-  d.kms.v1.KeyManagementService.CreateImportJob].
-  Attributes:
-      parent:
-          Required. The [name][google.cloud.kms.v1.KeyRing.name] of the
-          [KeyRing][google.cloud.kms.v1.KeyRing] associated with the
-          [ImportJobs][google.cloud.kms.v1.ImportJob].
-      import_job_id:
-          Required. It must be unique within a KeyRing and match the
-          regular expression ``[a-zA-Z0-9_-]{1,63}``
-      import_job:
-          Required. An [ImportJob][google.cloud.kms.v1.ImportJob] with
-          initial field values.
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.CreateImportJobRequest)
-    ),
-)
-_sym_db.RegisterMessage(CreateImportJobRequest)
-
-UpdateCryptoKeyRequest = _reflection.GeneratedProtocolMessageType(
-    "UpdateCryptoKeyRequest",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_UPDATECRYPTOKEYREQUEST,
-        __module__="google.cloud.kms_v1.proto.service_pb2",
-        __doc__="""Request message for [KeyManagementService.UpdateCryptoKey][google.clou
-  d.kms.v1.KeyManagementService.UpdateCryptoKey].
-  Attributes:
-      crypto_key:
-          Required. [CryptoKey][google.cloud.kms.v1.CryptoKey] with
-          updated values.
-      update_mask:
-          Required. List of fields to be updated in this request.
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.UpdateCryptoKeyRequest)
-    ),
-)
-_sym_db.RegisterMessage(UpdateCryptoKeyRequest)
-
-UpdateCryptoKeyVersionRequest = _reflection.GeneratedProtocolMessageType(
-    "UpdateCryptoKeyVersionRequest",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_UPDATECRYPTOKEYVERSIONREQUEST,
-        __module__="google.cloud.kms_v1.proto.service_pb2",
-        __doc__="""Request message for [KeyManagementService.UpdateCryptoKeyVersion][goog
-  le.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyVersion].
-  Attributes:
-      crypto_key_version:
-          Required.
-          [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
-          updated values.
-      update_mask:
-          Required. List of fields to be updated in this request.
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.UpdateCryptoKeyVersionRequest)
-    ),
-)
-_sym_db.RegisterMessage(UpdateCryptoKeyVersionRequest)
-
-EncryptRequest = _reflection.GeneratedProtocolMessageType(
-    "EncryptRequest",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_ENCRYPTREQUEST,
-        __module__="google.cloud.kms_v1.proto.service_pb2",
-        __doc__="""Request message for [KeyManagementService.Encrypt][google.cloud.kms.v1
-  .KeyManagementService.Encrypt].
-  Attributes:
-      name:
-          Required. The resource name of the
-          [CryptoKey][google.cloud.kms.v1.CryptoKey] or
-          [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to
-          use for encryption.  If a
-          [CryptoKey][google.cloud.kms.v1.CryptoKey] is specified, the
-          server will use its [primary
-          version][google.cloud.kms.v1.CryptoKey.primary].
-      plaintext:
-          Required. The data to encrypt. Must be no larger than 64KiB.
-          The maximum size depends on the key version's [protection\_lev
-          el][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection\_l
-          evel]. For
-          [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys,
-          the plaintext must be no larger than 64KiB. For
-          [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the
-          combined length of the plaintext and
-          additional\_authenticated\_data fields must be no larger than
-          8KiB.
-      additional_authenticated_data:
-          Optional. Optional data that, if specified, must also be
-          provided during decryption through [DecryptRequest.additional\
-          _authenticated\_data][google.cloud.kms.v1.DecryptRequest.addit
-          ional\_authenticated\_data].  The maximum size depends on the
-          key version's [protection\_level][google.cloud.kms.v1.CryptoKe
-          yVersionTemplate.protection\_level]. For
-          [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys,
-          the AAD must be no larger than 64KiB. For
-          [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the
-          combined length of the plaintext and
-          additional\_authenticated\_data fields must be no larger than
-          8KiB.
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.EncryptRequest)
-    ),
-)
-_sym_db.RegisterMessage(EncryptRequest)
-
-DecryptRequest = _reflection.GeneratedProtocolMessageType(
-    "DecryptRequest",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_DECRYPTREQUEST,
-        __module__="google.cloud.kms_v1.proto.service_pb2",
-        __doc__="""Request message for [KeyManagementService.Decrypt][google.cloud.kms.v1
-  .KeyManagementService.Decrypt].
-  Attributes:
-      name:
-          Required. The resource name of the
-          [CryptoKey][google.cloud.kms.v1.CryptoKey] to use for
-          decryption. The server will choose the appropriate version.
-      ciphertext:
-          Required. The encrypted data originally returned in [EncryptRe
-          sponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphert
-          ext].
-      additional_authenticated_data:
-          Optional. Optional data that must match the data originally
-          supplied in [EncryptRequest.additional\_authenticated\_data][g
-          oogle.cloud.kms.v1.EncryptRequest.additional\_authenticated\_d
-          ata].
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.DecryptRequest)
-    ),
-)
-_sym_db.RegisterMessage(DecryptRequest)
-
-AsymmetricSignRequest = _reflection.GeneratedProtocolMessageType(
-    "AsymmetricSignRequest",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_ASYMMETRICSIGNREQUEST,
-        __module__="google.cloud.kms_v1.proto.service_pb2",
-        __doc__="""Request message for [KeyManagementService.AsymmetricSign][google.cloud
-  .kms.v1.KeyManagementService.AsymmetricSign].
-  Attributes:
-      name:
-          Required. The resource name of the
-          [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to
-          use for signing.
-      digest:
-          Required. The digest of the data to sign. The digest must be
-          produced with the same digest algorithm as specified by the
-          key version's
-          [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm].
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.AsymmetricSignRequest)
-    ),
-)
-_sym_db.RegisterMessage(AsymmetricSignRequest)
-
-AsymmetricDecryptRequest = _reflection.GeneratedProtocolMessageType(
-    "AsymmetricDecryptRequest",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_ASYMMETRICDECRYPTREQUEST,
-        __module__="google.cloud.kms_v1.proto.service_pb2",
-        __doc__="""Request message for [KeyManagementService.AsymmetricDecrypt][google.cl
-  oud.kms.v1.KeyManagementService.AsymmetricDecrypt].
-  Attributes:
-      name:
-          Required. The resource name of the
-          [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to
-          use for decryption.
-      ciphertext:
-          Required. The data encrypted with the named
-          [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s
-          public key using OAEP.
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.AsymmetricDecryptRequest)
-    ),
-)
-_sym_db.RegisterMessage(AsymmetricDecryptRequest)
-
-DecryptResponse = _reflection.GeneratedProtocolMessageType(
-    "DecryptResponse",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_DECRYPTRESPONSE,
-        __module__="google.cloud.kms_v1.proto.service_pb2",
-        __doc__="""Response message for [KeyManagementService.Decrypt][google.cloud.kms.v
-  1.KeyManagementService.Decrypt].
-  Attributes:
-      plaintext:
-          The decrypted data originally supplied in [EncryptRequest.plai
-          ntext][google.cloud.kms.v1.EncryptRequest.plaintext].
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.DecryptResponse)
-    ),
-)
-_sym_db.RegisterMessage(DecryptResponse)
-
-EncryptResponse = _reflection.GeneratedProtocolMessageType(
-    "EncryptResponse",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_ENCRYPTRESPONSE,
-        __module__="google.cloud.kms_v1.proto.service_pb2",
-        __doc__="""Response message for [KeyManagementService.Encrypt][google.cloud.kms.v
-  1.KeyManagementService.Encrypt].
-  Attributes:
-      name:
-          The resource name of the
-          [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used
-          in encryption. Check this field to verify that the intended
-          resource was used for encryption.
-      ciphertext:
-          The encrypted data.
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.EncryptResponse)
-    ),
-)
-_sym_db.RegisterMessage(EncryptResponse)
-
-AsymmetricSignResponse = _reflection.GeneratedProtocolMessageType(
-    "AsymmetricSignResponse",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_ASYMMETRICSIGNRESPONSE,
-        __module__="google.cloud.kms_v1.proto.service_pb2",
-        __doc__="""Response message for [KeyManagementService.AsymmetricSign][google.clou
-  d.kms.v1.KeyManagementService.AsymmetricSign].
-  Attributes:
-      signature:
-          The created signature.
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.AsymmetricSignResponse)
-    ),
-)
-_sym_db.RegisterMessage(AsymmetricSignResponse)
-
-AsymmetricDecryptResponse = _reflection.GeneratedProtocolMessageType(
-    "AsymmetricDecryptResponse",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_ASYMMETRICDECRYPTRESPONSE,
-        __module__="google.cloud.kms_v1.proto.service_pb2",
-        __doc__="""Response message for [KeyManagementService.AsymmetricDecrypt][google.c
-  loud.kms.v1.KeyManagementService.AsymmetricDecrypt].
-  Attributes:
-      plaintext:
-          The decrypted data originally encrypted with the matching
-          public key.
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.AsymmetricDecryptResponse)
-    ),
-)
-_sym_db.RegisterMessage(AsymmetricDecryptResponse)
-
-UpdateCryptoKeyPrimaryVersionRequest = _reflection.GeneratedProtocolMessageType(
-    "UpdateCryptoKeyPrimaryVersionRequest",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_UPDATECRYPTOKEYPRIMARYVERSIONREQUEST,
-        __module__="google.cloud.kms_v1.proto.service_pb2",
-        __doc__="""Request message for [KeyManagementService.UpdateCryptoKeyPrimaryVersio
-  n][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVers
-  ion].
-  Attributes:
-      name:
-          Required. The resource name of the
-          [CryptoKey][google.cloud.kms.v1.CryptoKey] to update.
-      crypto_key_version_id:
-          Required. The id of the child
-          [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to
-          use as primary.
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.UpdateCryptoKeyPrimaryVersionRequest)
-    ),
-)
-_sym_db.RegisterMessage(UpdateCryptoKeyPrimaryVersionRequest)
-
-DestroyCryptoKeyVersionRequest = _reflection.GeneratedProtocolMessageType(
-    "DestroyCryptoKeyVersionRequest",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_DESTROYCRYPTOKEYVERSIONREQUEST,
-        __module__="google.cloud.kms_v1.proto.service_pb2",
-        __doc__="""Request message for [KeyManagementService.DestroyCryptoKeyVersion][goo
-  gle.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion].
-  Attributes:
-      name:
-          Required. The resource name of the
-          [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to
-          destroy.
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.DestroyCryptoKeyVersionRequest)
-    ),
-)
-_sym_db.RegisterMessage(DestroyCryptoKeyVersionRequest)
-
-RestoreCryptoKeyVersionRequest = _reflection.GeneratedProtocolMessageType(
-    "RestoreCryptoKeyVersionRequest",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_RESTORECRYPTOKEYVERSIONREQUEST,
-        __module__="google.cloud.kms_v1.proto.service_pb2",
-        __doc__="""Request message for [KeyManagementService.RestoreCryptoKeyVersion][goo
-  gle.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion].
-  Attributes:
-      name:
-          Required. The resource name of the
-          [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to
-          restore.
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.RestoreCryptoKeyVersionRequest)
-    ),
-)
-_sym_db.RegisterMessage(RestoreCryptoKeyVersionRequest)
-
-Digest = _reflection.GeneratedProtocolMessageType(
-    "Digest",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_DIGEST,
-        __module__="google.cloud.kms_v1.proto.service_pb2",
-        __doc__="""A [Digest][google.cloud.kms.v1.Digest] holds a cryptographic message
-  digest.
-  Attributes:
-      digest:
-          Required. The message digest.
-      sha256:
-          A message digest produced with the SHA-256 algorithm.
-      sha384:
-          A message digest produced with the SHA-384 algorithm.
-      sha512:
-          A message digest produced with the SHA-512 algorithm.
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.Digest)
-    ),
-)
-_sym_db.RegisterMessage(Digest)
-
-LocationMetadata = _reflection.GeneratedProtocolMessageType(
-    "LocationMetadata",
-    (_message.Message,),
-    dict(
-        DESCRIPTOR=_LOCATIONMETADATA,
-        __module__="google.cloud.kms_v1.proto.service_pb2",
-        __doc__="""Cloud KMS metadata for the given
-  [google.cloud.location.Location][google.cloud.location.Location].
-  Attributes:
-      hsm_available:
-          Indicates whether [CryptoKeys][google.cloud.kms.v1.CryptoKey]
-          with [protection\_level][google.cloud.kms.v1.CryptoKeyVersionT
-          emplate.protection\_level]
-          [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] can be created
-          in this location.
-      ekm_available:
-          Indicates whether [CryptoKeys][google.cloud.kms.v1.CryptoKey]
-          with [protection\_level][google.cloud.kms.v1.CryptoKeyVersionT
-          emplate.protection\_level]
-          [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] can
-          be created in this location.
-  """,
-        # @@protoc_insertion_point(class_scope:google.cloud.kms.v1.LocationMetadata)
-    ),
-)
-_sym_db.RegisterMessage(LocationMetadata)
-
-
-DESCRIPTOR._options = None
-_LISTKEYRINGSREQUEST.fields_by_name["parent"]._options = None
-_LISTKEYRINGSREQUEST.fields_by_name["page_size"]._options = None
-_LISTKEYRINGSREQUEST.fields_by_name["page_token"]._options = None
-_LISTKEYRINGSREQUEST.fields_by_name["filter"]._options = None
-_LISTKEYRINGSREQUEST.fields_by_name["order_by"]._options = None
-_LISTCRYPTOKEYSREQUEST.fields_by_name["parent"]._options = None
-_LISTCRYPTOKEYSREQUEST.fields_by_name["page_size"]._options = None
-_LISTCRYPTOKEYSREQUEST.fields_by_name["page_token"]._options = None
-_LISTCRYPTOKEYSREQUEST.fields_by_name["filter"]._options = None
-_LISTCRYPTOKEYSREQUEST.fields_by_name["order_by"]._options = None
-_LISTCRYPTOKEYVERSIONSREQUEST.fields_by_name["parent"]._options = None
-_LISTCRYPTOKEYVERSIONSREQUEST.fields_by_name["page_size"]._options = None
-_LISTCRYPTOKEYVERSIONSREQUEST.fields_by_name["page_token"]._options = None
-_LISTCRYPTOKEYVERSIONSREQUEST.fields_by_name["filter"]._options = None
-_LISTCRYPTOKEYVERSIONSREQUEST.fields_by_name["order_by"]._options = None
-_LISTIMPORTJOBSREQUEST.fields_by_name["parent"]._options = None
-_LISTIMPORTJOBSREQUEST.fields_by_name["page_size"]._options = None
-_LISTIMPORTJOBSREQUEST.fields_by_name["page_token"]._options = None
-_LISTIMPORTJOBSREQUEST.fields_by_name["filter"]._options = None
-_LISTIMPORTJOBSREQUEST.fields_by_name["order_by"]._options = None
-_GETKEYRINGREQUEST.fields_by_name["name"]._options = None
-_GETCRYPTOKEYREQUEST.fields_by_name["name"]._options = None
-_GETCRYPTOKEYVERSIONREQUEST.fields_by_name["name"]._options = None
-_GETPUBLICKEYREQUEST.fields_by_name["name"]._options = None
-_GETIMPORTJOBREQUEST.fields_by_name["name"]._options = None
-_CREATEKEYRINGREQUEST.fields_by_name["parent"]._options = None
-_CREATEKEYRINGREQUEST.fields_by_name["key_ring_id"]._options = None
-_CREATEKEYRINGREQUEST.fields_by_name["key_ring"]._options = None
-_CREATECRYPTOKEYREQUEST.fields_by_name["parent"]._options = None
-_CREATECRYPTOKEYREQUEST.fields_by_name["crypto_key_id"]._options = None
-_CREATECRYPTOKEYREQUEST.fields_by_name["crypto_key"]._options = None
-_CREATECRYPTOKEYVERSIONREQUEST.fields_by_name["parent"]._options = None
-_CREATECRYPTOKEYVERSIONREQUEST.fields_by_name["crypto_key_version"]._options = None
-_IMPORTCRYPTOKEYVERSIONREQUEST.fields_by_name["parent"]._options = None
-_IMPORTCRYPTOKEYVERSIONREQUEST.fields_by_name["algorithm"]._options = None
-_IMPORTCRYPTOKEYVERSIONREQUEST.fields_by_name["import_job"]._options = None
-_CREATEIMPORTJOBREQUEST.fields_by_name["parent"]._options = None
-_CREATEIMPORTJOBREQUEST.fields_by_name["import_job_id"]._options = None
-_CREATEIMPORTJOBREQUEST.fields_by_name["import_job"]._options = None
-_UPDATECRYPTOKEYREQUEST.fields_by_name["crypto_key"]._options = None
-_UPDATECRYPTOKEYREQUEST.fields_by_name["update_mask"]._options = None
-_UPDATECRYPTOKEYVERSIONREQUEST.fields_by_name["crypto_key_version"]._options = None
-_UPDATECRYPTOKEYVERSIONREQUEST.fields_by_name["update_mask"]._options = None
-_ENCRYPTREQUEST.fields_by_name["name"]._options = None
-_ENCRYPTREQUEST.fields_by_name["plaintext"]._options = None
-_ENCRYPTREQUEST.fields_by_name["additional_authenticated_data"]._options = None
-_DECRYPTREQUEST.fields_by_name["name"]._options = None
-_DECRYPTREQUEST.fields_by_name["ciphertext"]._options = None
-_DECRYPTREQUEST.fields_by_name["additional_authenticated_data"]._options = None
-_ASYMMETRICSIGNREQUEST.fields_by_name["name"]._options = None
-_ASYMMETRICSIGNREQUEST.fields_by_name["digest"]._options = None
-_ASYMMETRICDECRYPTREQUEST.fields_by_name["name"]._options = None
-_ASYMMETRICDECRYPTREQUEST.fields_by_name["ciphertext"]._options = None
-_UPDATECRYPTOKEYPRIMARYVERSIONREQUEST.fields_by_name["name"]._options = None
-_UPDATECRYPTOKEYPRIMARYVERSIONREQUEST.fields_by_name[
-    "crypto_key_version_id"
-]._options = None
-_DESTROYCRYPTOKEYVERSIONREQUEST.fields_by_name["name"]._options = None
-_RESTORECRYPTOKEYVERSIONREQUEST.fields_by_name["name"]._options = None
-
-_KEYMANAGEMENTSERVICE = _descriptor.ServiceDescriptor(
-    name="KeyManagementService",
-    full_name="google.cloud.kms.v1.KeyManagementService",
-    file=DESCRIPTOR,
-    index=0,
-    serialized_options=_b(
-        "\312A\027cloudkms.googleapis.com\322AWhttps://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/cloudkms"
-    ),
-    serialized_start=4488,
-    serialized_end=9358,
-    methods=[
-        _descriptor.MethodDescriptor(
-            name="ListKeyRings",
-            full_name="google.cloud.kms.v1.KeyManagementService.ListKeyRings",
-            index=0,
-            containing_service=None,
-            input_type=_LISTKEYRINGSREQUEST,
-            output_type=_LISTKEYRINGSRESPONSE,
-            serialized_options=_b(
-                "\202\323\344\223\002.\022,/v1/{parent=projects/*/locations/*}/keyRings\332A\006parent"
-            ),
-        ),
-        _descriptor.MethodDescriptor(
-            name="ListCryptoKeys",
-            full_name="google.cloud.kms.v1.KeyManagementService.ListCryptoKeys",
-            index=1,
-            containing_service=None,
-            input_type=_LISTCRYPTOKEYSREQUEST,
-            output_type=_LISTCRYPTOKEYSRESPONSE,
-            serialized_options=_b(
-                "\202\323\344\223\002;\0229/v1/{parent=projects/*/locations/*/keyRings/*}/cryptoKeys\332A\006parent"
-            ),
-        ),
-        _descriptor.MethodDescriptor(
-            name="ListCryptoKeyVersions",
-            full_name="google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions",
-            index=2,
-            containing_service=None,
-            input_type=_LISTCRYPTOKEYVERSIONSREQUEST,
-            output_type=_LISTCRYPTOKEYVERSIONSRESPONSE,
-            serialized_options=_b(
-                "\202\323\344\223\002O\022M/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions\332A\006parent"
-            ),
-        ),
-        _descriptor.MethodDescriptor(
-            name="ListImportJobs",
-            full_name="google.cloud.kms.v1.KeyManagementService.ListImportJobs",
-            index=3,
-            containing_service=None,
-            input_type=_LISTIMPORTJOBSREQUEST,
-            output_type=_LISTIMPORTJOBSRESPONSE,
-            serialized_options=_b(
-                "\202\323\344\223\002;\0229/v1/{parent=projects/*/locations/*/keyRings/*}/importJobs\332A\006parent"
-            ),
-        ),
-        _descriptor.MethodDescriptor(
-            name="GetKeyRing",
-            full_name="google.cloud.kms.v1.KeyManagementService.GetKeyRing",
-            index=4,
-            containing_service=None,
-            input_type=_GETKEYRINGREQUEST,
-            output_type=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2._KEYRING,
-            serialized_options=_b(
-                "\202\323\344\223\002.\022,/v1/{name=projects/*/locations/*/keyRings/*}\332A\004name"
-            ),
-        ),
-        _descriptor.MethodDescriptor(
-            name="GetCryptoKey",
-            full_name="google.cloud.kms.v1.KeyManagementService.GetCryptoKey",
-            index=5,
-            containing_service=None,
-            input_type=_GETCRYPTOKEYREQUEST,
-            output_type=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2._CRYPTOKEY,
-            serialized_options=_b(
-                "\202\323\344\223\002;\0229/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}\332A\004name"
-            ),
-        ),
-        _descriptor.MethodDescriptor(
-            name="GetCryptoKeyVersion",
-            full_name="google.cloud.kms.v1.KeyManagementService.GetCryptoKeyVersion",
-            index=6,
-            containing_service=None,
-            input_type=_GETCRYPTOKEYVERSIONREQUEST,
-            output_type=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2._CRYPTOKEYVERSION,
-            serialized_options=_b(
-                "\202\323\344\223\002O\022M/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}\332A\004name"
-            ),
-        ),
-        _descriptor.MethodDescriptor(
-            name="GetPublicKey",
-            full_name="google.cloud.kms.v1.KeyManagementService.GetPublicKey",
-            index=7,
-            containing_service=None,
-            input_type=_GETPUBLICKEYREQUEST,
-            output_type=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2._PUBLICKEY,
-            serialized_options=_b(
-                "\202\323\344\223\002Y\022W/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}/publicKey\332A\004name"
-            ),
-        ),
-        _descriptor.MethodDescriptor(
-            name="GetImportJob",
-            full_name="google.cloud.kms.v1.KeyManagementService.GetImportJob",
-            index=8,
-            containing_service=None,
-            input_type=_GETIMPORTJOBREQUEST,
-            output_type=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2._IMPORTJOB,
-            serialized_options=_b(
-                "\202\323\344\223\002;\0229/v1/{name=projects/*/locations/*/keyRings/*/importJobs/*}\332A\004name"
-            ),
-        ),
-        _descriptor.MethodDescriptor(
-            name="CreateKeyRing",
-            full_name="google.cloud.kms.v1.KeyManagementService.CreateKeyRing",
-            index=9,
-            containing_service=None,
-            input_type=_CREATEKEYRINGREQUEST,
-            output_type=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2._KEYRING,
-            serialized_options=_b(
-                '\202\323\344\223\0028",/v1/{parent=projects/*/locations/*}/keyRings:\010key_ring\332A\033parent,key_ring_id,key_ring'
-            ),
-        ),
-        _descriptor.MethodDescriptor(
-            name="CreateCryptoKey",
-            full_name="google.cloud.kms.v1.KeyManagementService.CreateCryptoKey",
-            index=10,
-            containing_service=None,
-            input_type=_CREATECRYPTOKEYREQUEST,
-            output_type=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2._CRYPTOKEY,
-            serialized_options=_b(
-                '\202\323\344\223\002G"9/v1/{parent=projects/*/locations/*/keyRings/*}/cryptoKeys:\ncrypto_key\332A\037parent,crypto_key_id,crypto_key'
-            ),
-        ),
-        _descriptor.MethodDescriptor(
-            name="CreateCryptoKeyVersion",
-            full_name="google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion",
-            index=11,
-            containing_service=None,
-            input_type=_CREATECRYPTOKEYVERSIONREQUEST,
-            output_type=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2._CRYPTOKEYVERSION,
-            serialized_options=_b(
-                '\202\323\344\223\002c"M/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions:\022crypto_key_version\332A\031parent,crypto_key_version'
-            ),
-        ),
-        _descriptor.MethodDescriptor(
-            name="ImportCryptoKeyVersion",
-            full_name="google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion",
-            index=12,
-            containing_service=None,
-            input_type=_IMPORTCRYPTOKEYVERSIONREQUEST,
-            output_type=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2._CRYPTOKEYVERSION,
-            serialized_options=_b(
-                '\202\323\344\223\002Y"T/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions:import:\001*'
-            ),
-        ),
-        _descriptor.MethodDescriptor(
-            name="CreateImportJob",
-            full_name="google.cloud.kms.v1.KeyManagementService.CreateImportJob",
-            index=13,
-            containing_service=None,
-            input_type=_CREATEIMPORTJOBREQUEST,
-            output_type=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2._IMPORTJOB,
-            serialized_options=_b(
-                '\202\323\344\223\002G"9/v1/{parent=projects/*/locations/*/keyRings/*}/importJobs:\nimport_job\332A\037parent,import_job_id,import_job'
-            ),
-        ),
-        _descriptor.MethodDescriptor(
-            name="UpdateCryptoKey",
-            full_name="google.cloud.kms.v1.KeyManagementService.UpdateCryptoKey",
-            index=14,
-            containing_service=None,
-            input_type=_UPDATECRYPTOKEYREQUEST,
-            output_type=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2._CRYPTOKEY,
-            serialized_options=_b(
-                "\202\323\344\223\002R2D/v1/{crypto_key.name=projects/*/locations/*/keyRings/*/cryptoKeys/*}:\ncrypto_key\332A\026crypto_key,update_mask"
-            ),
-        ),
-        _descriptor.MethodDescriptor(
-            name="UpdateCryptoKeyVersion",
-            full_name="google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyVersion",
-            index=15,
-            containing_service=None,
-            input_type=_UPDATECRYPTOKEYVERSIONREQUEST,
-            output_type=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2._CRYPTOKEYVERSION,
-            serialized_options=_b(
-                "\202\323\344\223\002v2`/v1/{crypto_key_version.name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:\022crypto_key_version\332A\036crypto_key_version,update_mask"
-            ),
-        ),
-        _descriptor.MethodDescriptor(
-            name="Encrypt",
-            full_name="google.cloud.kms.v1.KeyManagementService.Encrypt",
-            index=16,
-            containing_service=None,
-            input_type=_ENCRYPTREQUEST,
-            output_type=_ENCRYPTRESPONSE,
-            serialized_options=_b(
-                '\202\323\344\223\002G"B/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/**}:encrypt:\001*\332A\016name,plaintext'
-            ),
-        ),
-        _descriptor.MethodDescriptor(
-            name="Decrypt",
-            full_name="google.cloud.kms.v1.KeyManagementService.Decrypt",
-            index=17,
-            containing_service=None,
-            input_type=_DECRYPTREQUEST,
-            output_type=_DECRYPTRESPONSE,
-            serialized_options=_b(
-                '\202\323\344\223\002F"A/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}:decrypt:\001*\332A\017name,ciphertext'
-            ),
-        ),
-        _descriptor.MethodDescriptor(
-            name="AsymmetricSign",
-            full_name="google.cloud.kms.v1.KeyManagementService.AsymmetricSign",
-            index=18,
-            containing_service=None,
-            input_type=_ASYMMETRICSIGNREQUEST,
-            output_type=_ASYMMETRICSIGNRESPONSE,
-            serialized_options=_b(
-                '\202\323\344\223\002a"\\/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:asymmetricSign:\001*\332A\013name,digest'
-            ),
-        ),
-        _descriptor.MethodDescriptor(
-            name="AsymmetricDecrypt",
-            full_name="google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt",
-            index=19,
-            containing_service=None,
-            input_type=_ASYMMETRICDECRYPTREQUEST,
-            output_type=_ASYMMETRICDECRYPTRESPONSE,
-            serialized_options=_b(
-                '\202\323\344\223\002d"_/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:asymmetricDecrypt:\001*\332A\017name,ciphertext'
-            ),
-        ),
-        _descriptor.MethodDescriptor(
-            name="UpdateCryptoKeyPrimaryVersion",
-            full_name="google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion",
-            index=20,
-            containing_service=None,
-            input_type=_UPDATECRYPTOKEYPRIMARYVERSIONREQUEST,
-            output_type=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2._CRYPTOKEY,
-            serialized_options=_b(
-                '\202\323\344\223\002S"N/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}:updatePrimaryVersion:\001*\332A\032name,crypto_key_version_id'
-            ),
-        ),
-        _descriptor.MethodDescriptor(
-            name="DestroyCryptoKeyVersion",
-            full_name="google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion",
-            index=21,
-            containing_service=None,
-            input_type=_DESTROYCRYPTOKEYVERSIONREQUEST,
-            output_type=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2._CRYPTOKEYVERSION,
-            serialized_options=_b(
-                '\202\323\344\223\002Z"U/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:destroy:\001*\332A\004name'
-            ),
-        ),
-        _descriptor.MethodDescriptor(
-            name="RestoreCryptoKeyVersion",
-            full_name="google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion",
-            index=22,
-            containing_service=None,
-            input_type=_RESTORECRYPTOKEYVERSIONREQUEST,
-            output_type=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2._CRYPTOKEYVERSION,
-            serialized_options=_b(
-                '\202\323\344\223\002Z"U/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:restore:\001*\332A\004name'
-            ),
-        ),
-    ],
-)
-_sym_db.RegisterServiceDescriptor(_KEYMANAGEMENTSERVICE)
-
-DESCRIPTOR.services_by_name["KeyManagementService"] = _KEYMANAGEMENTSERVICE
-
-# @@protoc_insertion_point(module_scope)
diff --git a/packages/google-cloud-kms/google/cloud/kms_v1/proto/service_pb2_grpc.py b/packages/google-cloud-kms/google/cloud/kms_v1/proto/service_pb2_grpc.py
deleted file mode 100644
index 2e701424fb97..000000000000
--- a/packages/google-cloud-kms/google/cloud/kms_v1/proto/service_pb2_grpc.py
+++ /dev/null
@@ -1,498 +0,0 @@
-# Generated by the gRPC Python protocol compiler plugin. DO NOT EDIT!
-import grpc
-
-from google.cloud.kms_v1.proto import (
-    resources_pb2 as google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2,
-)
-from google.cloud.kms_v1.proto import (
-    service_pb2 as google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2,
-)
-
-
-class KeyManagementServiceStub(object):
-    """Google Cloud Key Management Service
-
-  Manages cryptographic keys and operations using those keys. Implements a REST
-  model with the following objects:
-
-  * [KeyRing][google.cloud.kms.v1.KeyRing]
-  * [CryptoKey][google.cloud.kms.v1.CryptoKey]
-  * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
-  * [ImportJob][google.cloud.kms.v1.ImportJob]
-
-  If you are using manual gRPC libraries, see
-  [Using gRPC with Cloud KMS](https://cloud.google.com/kms/docs/grpc).
-  """
-
-    def __init__(self, channel):
-        """Constructor.
-
-    Args:
-      channel: A grpc.Channel.
-    """
-        self.ListKeyRings = channel.unary_unary(
-            "/google.cloud.kms.v1.KeyManagementService/ListKeyRings",
-            request_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.ListKeyRingsRequest.SerializeToString,
-            response_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.ListKeyRingsResponse.FromString,
-        )
-        self.ListCryptoKeys = channel.unary_unary(
-            "/google.cloud.kms.v1.KeyManagementService/ListCryptoKeys",
-            request_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.ListCryptoKeysRequest.SerializeToString,
-            response_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.ListCryptoKeysResponse.FromString,
-        )
-        self.ListCryptoKeyVersions = channel.unary_unary(
-            "/google.cloud.kms.v1.KeyManagementService/ListCryptoKeyVersions",
-            request_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.ListCryptoKeyVersionsRequest.SerializeToString,
-            response_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.ListCryptoKeyVersionsResponse.FromString,
-        )
-        self.ListImportJobs = channel.unary_unary(
-            "/google.cloud.kms.v1.KeyManagementService/ListImportJobs",
-            request_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.ListImportJobsRequest.SerializeToString,
-            response_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.ListImportJobsResponse.FromString,
-        )
-        self.GetKeyRing = channel.unary_unary(
-            "/google.cloud.kms.v1.KeyManagementService/GetKeyRing",
-            request_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.GetKeyRingRequest.SerializeToString,
-            response_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2.KeyRing.FromString,
-        )
-        self.GetCryptoKey = channel.unary_unary(
-            "/google.cloud.kms.v1.KeyManagementService/GetCryptoKey",
-            request_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.GetCryptoKeyRequest.SerializeToString,
-            response_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2.CryptoKey.FromString,
-        )
-        self.GetCryptoKeyVersion = channel.unary_unary(
-            "/google.cloud.kms.v1.KeyManagementService/GetCryptoKeyVersion",
-            request_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.GetCryptoKeyVersionRequest.SerializeToString,
-            response_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2.CryptoKeyVersion.FromString,
-        )
-        self.GetPublicKey = channel.unary_unary(
-            "/google.cloud.kms.v1.KeyManagementService/GetPublicKey",
-            request_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.GetPublicKeyRequest.SerializeToString,
-            response_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2.PublicKey.FromString,
-        )
-        self.GetImportJob = channel.unary_unary(
-            "/google.cloud.kms.v1.KeyManagementService/GetImportJob",
-            request_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.GetImportJobRequest.SerializeToString,
-            response_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2.ImportJob.FromString,
-        )
-        self.CreateKeyRing = channel.unary_unary(
-            "/google.cloud.kms.v1.KeyManagementService/CreateKeyRing",
-            request_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.CreateKeyRingRequest.SerializeToString,
-            response_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2.KeyRing.FromString,
-        )
-        self.CreateCryptoKey = channel.unary_unary(
-            "/google.cloud.kms.v1.KeyManagementService/CreateCryptoKey",
-            request_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.CreateCryptoKeyRequest.SerializeToString,
-            response_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2.CryptoKey.FromString,
-        )
-        self.CreateCryptoKeyVersion = channel.unary_unary(
-            "/google.cloud.kms.v1.KeyManagementService/CreateCryptoKeyVersion",
-            request_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.CreateCryptoKeyVersionRequest.SerializeToString,
-            response_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2.CryptoKeyVersion.FromString,
-        )
-        self.ImportCryptoKeyVersion = channel.unary_unary(
-            "/google.cloud.kms.v1.KeyManagementService/ImportCryptoKeyVersion",
-            request_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.ImportCryptoKeyVersionRequest.SerializeToString,
-            response_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2.CryptoKeyVersion.FromString,
-        )
-        self.CreateImportJob = channel.unary_unary(
-            "/google.cloud.kms.v1.KeyManagementService/CreateImportJob",
-            request_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.CreateImportJobRequest.SerializeToString,
-            response_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2.ImportJob.FromString,
-        )
-        self.UpdateCryptoKey = channel.unary_unary(
-            "/google.cloud.kms.v1.KeyManagementService/UpdateCryptoKey",
-            request_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.UpdateCryptoKeyRequest.SerializeToString,
-            response_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2.CryptoKey.FromString,
-        )
-        self.UpdateCryptoKeyVersion = channel.unary_unary(
-            "/google.cloud.kms.v1.KeyManagementService/UpdateCryptoKeyVersion",
-            request_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.UpdateCryptoKeyVersionRequest.SerializeToString,
-            response_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2.CryptoKeyVersion.FromString,
-        )
-        self.Encrypt = channel.unary_unary(
-            "/google.cloud.kms.v1.KeyManagementService/Encrypt",
-            request_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.EncryptRequest.SerializeToString,
-            response_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.EncryptResponse.FromString,
-        )
-        self.Decrypt = channel.unary_unary(
-            "/google.cloud.kms.v1.KeyManagementService/Decrypt",
-            request_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.DecryptRequest.SerializeToString,
-            response_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.DecryptResponse.FromString,
-        )
-        self.AsymmetricSign = channel.unary_unary(
-            "/google.cloud.kms.v1.KeyManagementService/AsymmetricSign",
-            request_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.AsymmetricSignRequest.SerializeToString,
-            response_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.AsymmetricSignResponse.FromString,
-        )
-        self.AsymmetricDecrypt = channel.unary_unary(
-            "/google.cloud.kms.v1.KeyManagementService/AsymmetricDecrypt",
-            request_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.AsymmetricDecryptRequest.SerializeToString,
-            response_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.AsymmetricDecryptResponse.FromString,
-        )
-        self.UpdateCryptoKeyPrimaryVersion = channel.unary_unary(
-            "/google.cloud.kms.v1.KeyManagementService/UpdateCryptoKeyPrimaryVersion",
-            request_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.UpdateCryptoKeyPrimaryVersionRequest.SerializeToString,
-            response_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2.CryptoKey.FromString,
-        )
-        self.DestroyCryptoKeyVersion = channel.unary_unary(
-            "/google.cloud.kms.v1.KeyManagementService/DestroyCryptoKeyVersion",
-            request_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.DestroyCryptoKeyVersionRequest.SerializeToString,
-            response_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2.CryptoKeyVersion.FromString,
-        )
-        self.RestoreCryptoKeyVersion = channel.unary_unary(
-            "/google.cloud.kms.v1.KeyManagementService/RestoreCryptoKeyVersion",
-            request_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.RestoreCryptoKeyVersionRequest.SerializeToString,
-            response_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2.CryptoKeyVersion.FromString,
-        )
-
-
-class KeyManagementServiceServicer(object):
-    """Google Cloud Key Management Service
-
-  Manages cryptographic keys and operations using those keys. Implements a REST
-  model with the following objects:
-
-  * [KeyRing][google.cloud.kms.v1.KeyRing]
-  * [CryptoKey][google.cloud.kms.v1.CryptoKey]
-  * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
-  * [ImportJob][google.cloud.kms.v1.ImportJob]
-
-  If you are using manual gRPC libraries, see
-  [Using gRPC with Cloud KMS](https://cloud.google.com/kms/docs/grpc).
-  """
-
-    def ListKeyRings(self, request, context):
-        """Lists [KeyRings][google.cloud.kms.v1.KeyRing].
-    """
-        context.set_code(grpc.StatusCode.UNIMPLEMENTED)
-        context.set_details("Method not implemented!")
-        raise NotImplementedError("Method not implemented!")
-
-    def ListCryptoKeys(self, request, context):
-        """Lists [CryptoKeys][google.cloud.kms.v1.CryptoKey].
-    """
-        context.set_code(grpc.StatusCode.UNIMPLEMENTED)
-        context.set_details("Method not implemented!")
-        raise NotImplementedError("Method not implemented!")
-
-    def ListCryptoKeyVersions(self, request, context):
-        """Lists [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
-    """
-        context.set_code(grpc.StatusCode.UNIMPLEMENTED)
-        context.set_details("Method not implemented!")
-        raise NotImplementedError("Method not implemented!")
-
-    def ListImportJobs(self, request, context):
-        """Lists [ImportJobs][google.cloud.kms.v1.ImportJob].
-    """
-        context.set_code(grpc.StatusCode.UNIMPLEMENTED)
-        context.set_details("Method not implemented!")
-        raise NotImplementedError("Method not implemented!")
-
-    def GetKeyRing(self, request, context):
-        """Returns metadata for a given [KeyRing][google.cloud.kms.v1.KeyRing].
-    """
-        context.set_code(grpc.StatusCode.UNIMPLEMENTED)
-        context.set_details("Method not implemented!")
-        raise NotImplementedError("Method not implemented!")
-
-    def GetCryptoKey(self, request, context):
-        """Returns metadata for a given [CryptoKey][google.cloud.kms.v1.CryptoKey], as well as its
-    [primary][google.cloud.kms.v1.CryptoKey.primary] [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
-    """
-        context.set_code(grpc.StatusCode.UNIMPLEMENTED)
-        context.set_details("Method not implemented!")
-        raise NotImplementedError("Method not implemented!")
-
-    def GetCryptoKeyVersion(self, request, context):
-        """Returns metadata for a given [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
-    """
-        context.set_code(grpc.StatusCode.UNIMPLEMENTED)
-        context.set_details("Method not implemented!")
-        raise NotImplementedError("Method not implemented!")
-
-    def GetPublicKey(self, request, context):
-        """Returns the public key for the given [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. The
-    [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be
-    [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN] or
-    [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT].
-    """
-        context.set_code(grpc.StatusCode.UNIMPLEMENTED)
-        context.set_details("Method not implemented!")
-        raise NotImplementedError("Method not implemented!")
-
-    def GetImportJob(self, request, context):
-        """Returns metadata for a given [ImportJob][google.cloud.kms.v1.ImportJob].
-    """
-        context.set_code(grpc.StatusCode.UNIMPLEMENTED)
-        context.set_details("Method not implemented!")
-        raise NotImplementedError("Method not implemented!")
-
-    def CreateKeyRing(self, request, context):
-        """Create a new [KeyRing][google.cloud.kms.v1.KeyRing] in a given Project and Location.
-    """
-        context.set_code(grpc.StatusCode.UNIMPLEMENTED)
-        context.set_details("Method not implemented!")
-        raise NotImplementedError("Method not implemented!")
-
-    def CreateCryptoKey(self, request, context):
-        """Create a new [CryptoKey][google.cloud.kms.v1.CryptoKey] within a [KeyRing][google.cloud.kms.v1.KeyRing].
-
-    [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] and
-    [CryptoKey.version_template.algorithm][google.cloud.kms.v1.CryptoKeyVersionTemplate.algorithm]
-    are required.
-    """
-        context.set_code(grpc.StatusCode.UNIMPLEMENTED)
-        context.set_details("Method not implemented!")
-        raise NotImplementedError("Method not implemented!")
-
-    def CreateCryptoKeyVersion(self, request, context):
-        """Create a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in a [CryptoKey][google.cloud.kms.v1.CryptoKey].
-
-    The server will assign the next sequential id. If unset,
-    [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to
-    [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED].
-    """
-        context.set_code(grpc.StatusCode.UNIMPLEMENTED)
-        context.set_details("Method not implemented!")
-        raise NotImplementedError("Method not implemented!")
-
-    def ImportCryptoKeyVersion(self, request, context):
-        """Imports a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] into an existing [CryptoKey][google.cloud.kms.v1.CryptoKey] using the
-    wrapped key material provided in the request.
-
-    The version ID will be assigned the next sequential id within the
-    [CryptoKey][google.cloud.kms.v1.CryptoKey].
-    """
-        context.set_code(grpc.StatusCode.UNIMPLEMENTED)
-        context.set_details("Method not implemented!")
-        raise NotImplementedError("Method not implemented!")
-
-    def CreateImportJob(self, request, context):
-        """Create a new [ImportJob][google.cloud.kms.v1.ImportJob] within a [KeyRing][google.cloud.kms.v1.KeyRing].
-
-    [ImportJob.import_method][google.cloud.kms.v1.ImportJob.import_method] is required.
-    """
-        context.set_code(grpc.StatusCode.UNIMPLEMENTED)
-        context.set_details("Method not implemented!")
-        raise NotImplementedError("Method not implemented!")
-
-    def UpdateCryptoKey(self, request, context):
-        """Update a [CryptoKey][google.cloud.kms.v1.CryptoKey].
-    """
-        context.set_code(grpc.StatusCode.UNIMPLEMENTED)
-        context.set_details("Method not implemented!")
-        raise NotImplementedError("Method not implemented!")
-
-    def UpdateCryptoKeyVersion(self, request, context):
-        """Update a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s metadata.
-
-    [state][google.cloud.kms.v1.CryptoKeyVersion.state] may be changed between
-    [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] and
-    [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED] using this
-    method. See [DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion] and [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion] to
-    move between other states.
-    """
-        context.set_code(grpc.StatusCode.UNIMPLEMENTED)
-        context.set_details("Method not implemented!")
-        raise NotImplementedError("Method not implemented!")
-
-    def Encrypt(self, request, context):
-        """Encrypts data, so that it can only be recovered by a call to [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
-    The [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be
-    [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
-    """
-        context.set_code(grpc.StatusCode.UNIMPLEMENTED)
-        context.set_details("Method not implemented!")
-        raise NotImplementedError("Method not implemented!")
-
-    def Decrypt(self, request, context):
-        """Decrypts data that was protected by [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. The [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
-    must be [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
-    """
-        context.set_code(grpc.StatusCode.UNIMPLEMENTED)
-        context.set_details("Method not implemented!")
-        raise NotImplementedError("Method not implemented!")
-
-    def AsymmetricSign(self, request, context):
-        """Signs data using a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
-    ASYMMETRIC_SIGN, producing a signature that can be verified with the public
-    key retrieved from [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
-    """
-        context.set_code(grpc.StatusCode.UNIMPLEMENTED)
-        context.set_details("Method not implemented!")
-        raise NotImplementedError("Method not implemented!")
-
-    def AsymmetricDecrypt(self, request, context):
-        """Decrypts data that was encrypted with a public key retrieved from
-    [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey] corresponding to a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
-    [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] ASYMMETRIC_DECRYPT.
-    """
-        context.set_code(grpc.StatusCode.UNIMPLEMENTED)
-        context.set_details("Method not implemented!")
-        raise NotImplementedError("Method not implemented!")
-
-    def UpdateCryptoKeyPrimaryVersion(self, request, context):
-        """Update the version of a [CryptoKey][google.cloud.kms.v1.CryptoKey] that will be used in [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
-
-    Returns an error if called on an asymmetric key.
-    """
-        context.set_code(grpc.StatusCode.UNIMPLEMENTED)
-        context.set_details("Method not implemented!")
-        raise NotImplementedError("Method not implemented!")
-
-    def DestroyCryptoKeyVersion(self, request, context):
-        """Schedule a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] for destruction.
-
-    Upon calling this method, [CryptoKeyVersion.state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to
-    [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED]
-    and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] will be set to a time 24
-    hours in the future, at which point the [state][google.cloud.kms.v1.CryptoKeyVersion.state]
-    will be changed to
-    [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED], and the key
-    material will be irrevocably destroyed.
-
-    Before the [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] is reached,
-    [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion] may be called to reverse the process.
-    """
-        context.set_code(grpc.StatusCode.UNIMPLEMENTED)
-        context.set_details("Method not implemented!")
-        raise NotImplementedError("Method not implemented!")
-
-    def RestoreCryptoKeyVersion(self, request, context):
-        """Restore a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the
-    [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED]
-    state.
-
-    Upon restoration of the CryptoKeyVersion, [state][google.cloud.kms.v1.CryptoKeyVersion.state]
-    will be set to [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED],
-    and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] will be cleared.
-    """
-        context.set_code(grpc.StatusCode.UNIMPLEMENTED)
-        context.set_details("Method not implemented!")
-        raise NotImplementedError("Method not implemented!")
-
-
-def add_KeyManagementServiceServicer_to_server(servicer, server):
-    rpc_method_handlers = {
-        "ListKeyRings": grpc.unary_unary_rpc_method_handler(
-            servicer.ListKeyRings,
-            request_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.ListKeyRingsRequest.FromString,
-            response_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.ListKeyRingsResponse.SerializeToString,
-        ),
-        "ListCryptoKeys": grpc.unary_unary_rpc_method_handler(
-            servicer.ListCryptoKeys,
-            request_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.ListCryptoKeysRequest.FromString,
-            response_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.ListCryptoKeysResponse.SerializeToString,
-        ),
-        "ListCryptoKeyVersions": grpc.unary_unary_rpc_method_handler(
-            servicer.ListCryptoKeyVersions,
-            request_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.ListCryptoKeyVersionsRequest.FromString,
-            response_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.ListCryptoKeyVersionsResponse.SerializeToString,
-        ),
-        "ListImportJobs": grpc.unary_unary_rpc_method_handler(
-            servicer.ListImportJobs,
-            request_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.ListImportJobsRequest.FromString,
-            response_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.ListImportJobsResponse.SerializeToString,
-        ),
-        "GetKeyRing": grpc.unary_unary_rpc_method_handler(
-            servicer.GetKeyRing,
-            request_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.GetKeyRingRequest.FromString,
-            response_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2.KeyRing.SerializeToString,
-        ),
-        "GetCryptoKey": grpc.unary_unary_rpc_method_handler(
-            servicer.GetCryptoKey,
-            request_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.GetCryptoKeyRequest.FromString,
-            response_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2.CryptoKey.SerializeToString,
-        ),
-        "GetCryptoKeyVersion": grpc.unary_unary_rpc_method_handler(
-            servicer.GetCryptoKeyVersion,
-            request_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.GetCryptoKeyVersionRequest.FromString,
-            response_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2.CryptoKeyVersion.SerializeToString,
-        ),
-        "GetPublicKey": grpc.unary_unary_rpc_method_handler(
-            servicer.GetPublicKey,
-            request_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.GetPublicKeyRequest.FromString,
-            response_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2.PublicKey.SerializeToString,
-        ),
-        "GetImportJob": grpc.unary_unary_rpc_method_handler(
-            servicer.GetImportJob,
-            request_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.GetImportJobRequest.FromString,
-            response_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2.ImportJob.SerializeToString,
-        ),
-        "CreateKeyRing": grpc.unary_unary_rpc_method_handler(
-            servicer.CreateKeyRing,
-            request_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.CreateKeyRingRequest.FromString,
-            response_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2.KeyRing.SerializeToString,
-        ),
-        "CreateCryptoKey": grpc.unary_unary_rpc_method_handler(
-            servicer.CreateCryptoKey,
-            request_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.CreateCryptoKeyRequest.FromString,
-            response_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2.CryptoKey.SerializeToString,
-        ),
-        "CreateCryptoKeyVersion": grpc.unary_unary_rpc_method_handler(
-            servicer.CreateCryptoKeyVersion,
-            request_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.CreateCryptoKeyVersionRequest.FromString,
-            response_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2.CryptoKeyVersion.SerializeToString,
-        ),
-        "ImportCryptoKeyVersion": grpc.unary_unary_rpc_method_handler(
-            servicer.ImportCryptoKeyVersion,
-            request_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.ImportCryptoKeyVersionRequest.FromString,
-            response_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2.CryptoKeyVersion.SerializeToString,
-        ),
-        "CreateImportJob": grpc.unary_unary_rpc_method_handler(
-            servicer.CreateImportJob,
-            request_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.CreateImportJobRequest.FromString,
-            response_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2.ImportJob.SerializeToString,
-        ),
-        "UpdateCryptoKey": grpc.unary_unary_rpc_method_handler(
-            servicer.UpdateCryptoKey,
-            request_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.UpdateCryptoKeyRequest.FromString,
-            response_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2.CryptoKey.SerializeToString,
-        ),
-        "UpdateCryptoKeyVersion": grpc.unary_unary_rpc_method_handler(
-            servicer.UpdateCryptoKeyVersion,
-            request_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.UpdateCryptoKeyVersionRequest.FromString,
-            response_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2.CryptoKeyVersion.SerializeToString,
-        ),
-        "Encrypt": grpc.unary_unary_rpc_method_handler(
-            servicer.Encrypt,
-            request_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.EncryptRequest.FromString,
-            response_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.EncryptResponse.SerializeToString,
-        ),
-        "Decrypt": grpc.unary_unary_rpc_method_handler(
-            servicer.Decrypt,
-            request_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.DecryptRequest.FromString,
-            response_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.DecryptResponse.SerializeToString,
-        ),
-        "AsymmetricSign": grpc.unary_unary_rpc_method_handler(
-            servicer.AsymmetricSign,
-            request_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.AsymmetricSignRequest.FromString,
-            response_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.AsymmetricSignResponse.SerializeToString,
-        ),
-        "AsymmetricDecrypt": grpc.unary_unary_rpc_method_handler(
-            servicer.AsymmetricDecrypt,
-            request_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.AsymmetricDecryptRequest.FromString,
-            response_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.AsymmetricDecryptResponse.SerializeToString,
-        ),
-        "UpdateCryptoKeyPrimaryVersion": grpc.unary_unary_rpc_method_handler(
-            servicer.UpdateCryptoKeyPrimaryVersion,
-            request_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.UpdateCryptoKeyPrimaryVersionRequest.FromString,
-            response_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2.CryptoKey.SerializeToString,
-        ),
-        "DestroyCryptoKeyVersion": grpc.unary_unary_rpc_method_handler(
-            servicer.DestroyCryptoKeyVersion,
-            request_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.DestroyCryptoKeyVersionRequest.FromString,
-            response_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2.CryptoKeyVersion.SerializeToString,
-        ),
-        "RestoreCryptoKeyVersion": grpc.unary_unary_rpc_method_handler(
-            servicer.RestoreCryptoKeyVersion,
-            request_deserializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_service__pb2.RestoreCryptoKeyVersionRequest.FromString,
-            response_serializer=google_dot_cloud_dot_kms__v1_dot_proto_dot_resources__pb2.CryptoKeyVersion.SerializeToString,
-        ),
-    }
-    generic_handler = grpc.method_handlers_generic_handler(
-        "google.cloud.kms.v1.KeyManagementService", rpc_method_handlers
-    )
-    server.add_generic_rpc_handlers((generic_handler,))
diff --git a/packages/google-cloud-kms/google/cloud/kms_v1/py.typed b/packages/google-cloud-kms/google/cloud/kms_v1/py.typed
new file mode 100644
index 000000000000..3720b5f23ae9
--- /dev/null
+++ b/packages/google-cloud-kms/google/cloud/kms_v1/py.typed
@@ -0,0 +1,2 @@
+# Marker file for PEP 561.
+# The google-cloud-kms package uses inline types.
diff --git a/packages/google-cloud-kms/google/__init__.py b/packages/google-cloud-kms/google/cloud/kms_v1/services/__init__.py
similarity index 71%
rename from packages/google-cloud-kms/google/__init__.py
rename to packages/google-cloud-kms/google/cloud/kms_v1/services/__init__.py
index 9a1b64a6d586..42ffdf2bc43d 100644
--- a/packages/google-cloud-kms/google/__init__.py
+++ b/packages/google-cloud-kms/google/cloud/kms_v1/services/__init__.py
@@ -1,24 +1,16 @@
 # -*- coding: utf-8 -*-
-#
+
 # Copyright 2020 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
-#     https://www.apache.org/licenses/LICENSE-2.0
+#     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
-try:
-    import pkg_resources
-
-    pkg_resources.declare_namespace(__name__)
-except ImportError:
-    import pkgutil
-
-    __path__ = pkgutil.extend_path(__path__, __name__)
+#
diff --git a/packages/google-cloud-kms/google/cloud/__init__.py b/packages/google-cloud-kms/google/cloud/kms_v1/services/key_management_service/__init__.py
similarity index 69%
rename from packages/google-cloud-kms/google/cloud/__init__.py
rename to packages/google-cloud-kms/google/cloud/kms_v1/services/key_management_service/__init__.py
index 9a1b64a6d586..7fce2cde7e30 100644
--- a/packages/google-cloud-kms/google/cloud/__init__.py
+++ b/packages/google-cloud-kms/google/cloud/kms_v1/services/key_management_service/__init__.py
@@ -1,24 +1,24 @@
 # -*- coding: utf-8 -*-
-#
+
 # Copyright 2020 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
-#     https://www.apache.org/licenses/LICENSE-2.0
+#     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
+#
 
-try:
-    import pkg_resources
-
-    pkg_resources.declare_namespace(__name__)
-except ImportError:
-    import pkgutil
+from .client import KeyManagementServiceClient
+from .async_client import KeyManagementServiceAsyncClient
 
-    __path__ = pkgutil.extend_path(__path__, __name__)
+__all__ = (
+    "KeyManagementServiceClient",
+    "KeyManagementServiceAsyncClient",
+)
diff --git a/packages/google-cloud-kms/google/cloud/kms_v1/services/key_management_service/async_client.py b/packages/google-cloud-kms/google/cloud/kms_v1/services/key_management_service/async_client.py
new file mode 100644
index 000000000000..02826dbb0ee7
--- /dev/null
+++ b/packages/google-cloud-kms/google/cloud/kms_v1/services/key_management_service/async_client.py
@@ -0,0 +1,2761 @@
+# -*- coding: utf-8 -*-
+
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+from collections import OrderedDict
+import functools
+import re
+from typing import Dict, Sequence, Tuple, Type, Union
+import pkg_resources
+
+import google.api_core.client_options as ClientOptions  # type: ignore
+from google.api_core import exceptions  # type: ignore
+from google.api_core import gapic_v1  # type: ignore
+from google.api_core import retry as retries  # type: ignore
+from google.auth import credentials  # type: ignore
+from google.oauth2 import service_account  # type: ignore
+
+from google.cloud.kms_v1.services.key_management_service import pagers
+from google.cloud.kms_v1.types import resources
+from google.cloud.kms_v1.types import service
+from google.iam.v1 import iam_policy_pb2 as iam_policy  # type: ignore
+from google.iam.v1 import policy_pb2 as policy  # type: ignore
+from google.protobuf import duration_pb2 as duration  # type: ignore
+from google.protobuf import field_mask_pb2 as field_mask  # type: ignore
+from google.protobuf import timestamp_pb2 as timestamp  # type: ignore
+
+from .transports.base import KeyManagementServiceTransport
+from .transports.grpc_asyncio import KeyManagementServiceGrpcAsyncIOTransport
+from .client import KeyManagementServiceClient
+
+
+class KeyManagementServiceAsyncClient:
+    """Google Cloud Key Management Service
+
+    Manages cryptographic keys and operations using those keys.
+    Implements a REST model with the following objects:
+
+    -  [KeyRing][google.cloud.kms.v1.KeyRing]
+    -  [CryptoKey][google.cloud.kms.v1.CryptoKey]
+    -  [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+    -  [ImportJob][google.cloud.kms.v1.ImportJob]
+
+    If you are using manual gRPC libraries, see `Using gRPC with Cloud
+    KMS <https://cloud.google.com/kms/docs/grpc>`__.
+    """
+
+    _client: KeyManagementServiceClient
+
+    DEFAULT_ENDPOINT = KeyManagementServiceClient.DEFAULT_ENDPOINT
+    DEFAULT_MTLS_ENDPOINT = KeyManagementServiceClient.DEFAULT_MTLS_ENDPOINT
+
+    crypto_key_version_path = staticmethod(
+        KeyManagementServiceClient.crypto_key_version_path
+    )
+
+    key_ring_path = staticmethod(KeyManagementServiceClient.key_ring_path)
+
+    crypto_key_path = staticmethod(KeyManagementServiceClient.crypto_key_path)
+
+    import_job_path = staticmethod(KeyManagementServiceClient.import_job_path)
+
+    from_service_account_file = KeyManagementServiceClient.from_service_account_file
+    from_service_account_json = from_service_account_file
+
+    get_transport_class = functools.partial(
+        type(KeyManagementServiceClient).get_transport_class,
+        type(KeyManagementServiceClient),
+    )
+
+    def __init__(
+        self,
+        *,
+        credentials: credentials.Credentials = None,
+        transport: Union[str, KeyManagementServiceTransport] = "grpc_asyncio",
+        client_options: ClientOptions = None,
+    ) -> None:
+        """Instantiate the key management service client.
+
+
+        Args:
+            credentials (Optional[google.auth.credentials.Credentials]): The
+                authorization credentials to attach to requests. These
+                credentials identify the application to the service; if none
+                are specified, the client will attempt to ascertain the
+                credentials from the environment.
+            transport (Union[str, ~.KeyManagementServiceTransport]): The
+                transport to use. If set to None, a transport is chosen
+                automatically.
+            client_options (ClientOptions): Custom options for the client. It
+                won't take effect if a ``transport`` instance is provided.
+                (1) The ``api_endpoint`` property can be used to override the
+                default endpoint provided by the client. GOOGLE_API_USE_MTLS
+                environment variable can also be used to override the endpoint:
+                "always" (always use the default mTLS endpoint), "never" (always
+                use the default regular endpoint, this is the default value for
+                the environment variable) and "auto" (auto switch to the default
+                mTLS endpoint if client SSL credentials is present). However,
+                the ``api_endpoint`` property takes precedence if provided.
+                (2) The ``client_cert_source`` property is used to provide client
+                SSL credentials for mutual TLS transport. If not provided, the
+                default SSL credentials will be used if present.
+
+        Raises:
+            google.auth.exceptions.MutualTlsChannelError: If mutual TLS transport
+                creation failed for any reason.
+        """
+
+        self._client = KeyManagementServiceClient(
+            credentials=credentials, transport=transport, client_options=client_options,
+        )
+
+    async def list_key_rings(
+        self,
+        request: service.ListKeyRingsRequest = None,
+        *,
+        parent: str = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> pagers.ListKeyRingsAsyncPager:
+        r"""Lists [KeyRings][google.cloud.kms.v1.KeyRing].
+
+
+        Args:
+            request (:class:`~.service.ListKeyRingsRequest`):
+                The request object. Request message for
+                [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].
+            parent (:class:`str`):
+                Required. The resource name of the location associated
+                with the [KeyRings][google.cloud.kms.v1.KeyRing], in the
+                format ``projects/*/locations/*``.
+                This corresponds to the ``parent`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.pagers.ListKeyRingsAsyncPager:
+                Response message for
+                [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].
+
+                Iterating over this object will yield results and
+                resolve additional pages automatically.
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([parent]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.ListKeyRingsRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if parent is not None:
+            request.parent = parent
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = gapic_v1.method_async.wrap_method(
+            self._client._transport.list_key_rings,
+            default_retry=retries.Retry(
+                initial=0.1,
+                maximum=60.0,
+                multiplier=1.3,
+                predicate=retries.if_exception_type(
+                    exceptions.InternalServerError,
+                    exceptions.ServiceUnavailable,
+                    exceptions.DeadlineExceeded,
+                ),
+            ),
+            default_timeout=60.0,
+            client_info=_client_info,
+        )
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)),
+        )
+
+        # Send the request.
+        response = await rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # This method is paged; wrap the response in a pager, which provides
+        # an `__aiter__` convenience method.
+        response = pagers.ListKeyRingsAsyncPager(
+            method=rpc, request=request, response=response, metadata=metadata,
+        )
+
+        # Done; return the response.
+        return response
+
+    async def list_crypto_keys(
+        self,
+        request: service.ListCryptoKeysRequest = None,
+        *,
+        parent: str = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> pagers.ListCryptoKeysAsyncPager:
+        r"""Lists [CryptoKeys][google.cloud.kms.v1.CryptoKey].
+
+
+        Args:
+            request (:class:`~.service.ListCryptoKeysRequest`):
+                The request object. Request message for
+                [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
+            parent (:class:`str`):
+                Required. The resource name of the
+                [KeyRing][google.cloud.kms.v1.KeyRing] to list, in the
+                format ``projects/*/locations/*/keyRings/*``.
+                This corresponds to the ``parent`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.pagers.ListCryptoKeysAsyncPager:
+                Response message for
+                [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
+
+                Iterating over this object will yield results and
+                resolve additional pages automatically.
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([parent]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.ListCryptoKeysRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if parent is not None:
+            request.parent = parent
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = gapic_v1.method_async.wrap_method(
+            self._client._transport.list_crypto_keys,
+            default_retry=retries.Retry(
+                initial=0.1,
+                maximum=60.0,
+                multiplier=1.3,
+                predicate=retries.if_exception_type(
+                    exceptions.InternalServerError,
+                    exceptions.ServiceUnavailable,
+                    exceptions.DeadlineExceeded,
+                ),
+            ),
+            default_timeout=60.0,
+            client_info=_client_info,
+        )
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)),
+        )
+
+        # Send the request.
+        response = await rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # This method is paged; wrap the response in a pager, which provides
+        # an `__aiter__` convenience method.
+        response = pagers.ListCryptoKeysAsyncPager(
+            method=rpc, request=request, response=response, metadata=metadata,
+        )
+
+        # Done; return the response.
+        return response
+
+    async def list_crypto_key_versions(
+        self,
+        request: service.ListCryptoKeyVersionsRequest = None,
+        *,
+        parent: str = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> pagers.ListCryptoKeyVersionsAsyncPager:
+        r"""Lists [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
+
+
+        Args:
+            request (:class:`~.service.ListCryptoKeyVersionsRequest`):
+                The request object. Request message for
+                [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
+            parent (:class:`str`):
+                Required. The resource name of the
+                [CryptoKey][google.cloud.kms.v1.CryptoKey] to list, in
+                the format
+                ``projects/*/locations/*/keyRings/*/cryptoKeys/*``.
+                This corresponds to the ``parent`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.pagers.ListCryptoKeyVersionsAsyncPager:
+                Response message for
+                [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
+
+                Iterating over this object will yield results and
+                resolve additional pages automatically.
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([parent]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.ListCryptoKeyVersionsRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if parent is not None:
+            request.parent = parent
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = gapic_v1.method_async.wrap_method(
+            self._client._transport.list_crypto_key_versions,
+            default_retry=retries.Retry(
+                initial=0.1,
+                maximum=60.0,
+                multiplier=1.3,
+                predicate=retries.if_exception_type(
+                    exceptions.InternalServerError,
+                    exceptions.ServiceUnavailable,
+                    exceptions.DeadlineExceeded,
+                ),
+            ),
+            default_timeout=60.0,
+            client_info=_client_info,
+        )
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)),
+        )
+
+        # Send the request.
+        response = await rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # This method is paged; wrap the response in a pager, which provides
+        # an `__aiter__` convenience method.
+        response = pagers.ListCryptoKeyVersionsAsyncPager(
+            method=rpc, request=request, response=response, metadata=metadata,
+        )
+
+        # Done; return the response.
+        return response
+
+    async def list_import_jobs(
+        self,
+        request: service.ListImportJobsRequest = None,
+        *,
+        parent: str = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> pagers.ListImportJobsAsyncPager:
+        r"""Lists [ImportJobs][google.cloud.kms.v1.ImportJob].
+
+
+        Args:
+            request (:class:`~.service.ListImportJobsRequest`):
+                The request object. Request message for
+                [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].
+            parent (:class:`str`):
+                Required. The resource name of the
+                [KeyRing][google.cloud.kms.v1.KeyRing] to list, in the
+                format ``projects/*/locations/*/keyRings/*``.
+                This corresponds to the ``parent`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.pagers.ListImportJobsAsyncPager:
+                Response message for
+                [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].
+
+                Iterating over this object will yield results and
+                resolve additional pages automatically.
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([parent]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.ListImportJobsRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if parent is not None:
+            request.parent = parent
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = gapic_v1.method_async.wrap_method(
+            self._client._transport.list_import_jobs,
+            default_retry=retries.Retry(
+                initial=0.1,
+                maximum=60.0,
+                multiplier=1.3,
+                predicate=retries.if_exception_type(
+                    exceptions.InternalServerError,
+                    exceptions.ServiceUnavailable,
+                    exceptions.DeadlineExceeded,
+                ),
+            ),
+            default_timeout=60.0,
+            client_info=_client_info,
+        )
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)),
+        )
+
+        # Send the request.
+        response = await rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # This method is paged; wrap the response in a pager, which provides
+        # an `__aiter__` convenience method.
+        response = pagers.ListImportJobsAsyncPager(
+            method=rpc, request=request, response=response, metadata=metadata,
+        )
+
+        # Done; return the response.
+        return response
+
+    async def get_key_ring(
+        self,
+        request: service.GetKeyRingRequest = None,
+        *,
+        name: str = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> resources.KeyRing:
+        r"""Returns metadata for a given
+        [KeyRing][google.cloud.kms.v1.KeyRing].
+
+
+        Args:
+            request (:class:`~.service.GetKeyRingRequest`):
+                The request object. Request message for
+                [KeyManagementService.GetKeyRing][google.cloud.kms.v1.KeyManagementService.GetKeyRing].
+            name (:class:`str`):
+                Required. The [name][google.cloud.kms.v1.KeyRing.name]
+                of the [KeyRing][google.cloud.kms.v1.KeyRing] to get.
+                This corresponds to the ``name`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.resources.KeyRing:
+                A [KeyRing][google.cloud.kms.v1.KeyRing] is a toplevel
+                logical grouping of
+                [CryptoKeys][google.cloud.kms.v1.CryptoKey].
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([name]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.GetKeyRingRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if name is not None:
+            request.name = name
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = gapic_v1.method_async.wrap_method(
+            self._client._transport.get_key_ring,
+            default_retry=retries.Retry(
+                initial=0.1,
+                maximum=60.0,
+                multiplier=1.3,
+                predicate=retries.if_exception_type(
+                    exceptions.InternalServerError,
+                    exceptions.ServiceUnavailable,
+                    exceptions.DeadlineExceeded,
+                ),
+            ),
+            default_timeout=60.0,
+            client_info=_client_info,
+        )
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
+        )
+
+        # Send the request.
+        response = await rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    async def get_crypto_key(
+        self,
+        request: service.GetCryptoKeyRequest = None,
+        *,
+        name: str = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> resources.CryptoKey:
+        r"""Returns metadata for a given
+        [CryptoKey][google.cloud.kms.v1.CryptoKey], as well as its
+        [primary][google.cloud.kms.v1.CryptoKey.primary]
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
+
+
+        Args:
+            request (:class:`~.service.GetCryptoKeyRequest`):
+                The request object. Request message for
+                [KeyManagementService.GetCryptoKey][google.cloud.kms.v1.KeyManagementService.GetCryptoKey].
+            name (:class:`str`):
+                Required. The [name][google.cloud.kms.v1.CryptoKey.name]
+                of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to
+                get.
+                This corresponds to the ``name`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.resources.CryptoKey:
+                A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents
+                a logical key that can be used for cryptographic
+                operations.
+
+                A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up
+                of one or more
+                [versions][google.cloud.kms.v1.CryptoKeyVersion], which
+                represent the actual key material used in cryptographic
+                operations.
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([name]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.GetCryptoKeyRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if name is not None:
+            request.name = name
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = gapic_v1.method_async.wrap_method(
+            self._client._transport.get_crypto_key,
+            default_retry=retries.Retry(
+                initial=0.1,
+                maximum=60.0,
+                multiplier=1.3,
+                predicate=retries.if_exception_type(
+                    exceptions.InternalServerError,
+                    exceptions.ServiceUnavailable,
+                    exceptions.DeadlineExceeded,
+                ),
+            ),
+            default_timeout=60.0,
+            client_info=_client_info,
+        )
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
+        )
+
+        # Send the request.
+        response = await rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    async def get_crypto_key_version(
+        self,
+        request: service.GetCryptoKeyVersionRequest = None,
+        *,
+        name: str = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> resources.CryptoKeyVersion:
+        r"""Returns metadata for a given
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
+
+
+        Args:
+            request (:class:`~.service.GetCryptoKeyVersionRequest`):
+                The request object. Request message for
+                [KeyManagementService.GetCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.GetCryptoKeyVersion].
+            name (:class:`str`):
+                Required. The
+                [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                to get.
+                This corresponds to the ``name`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.resources.CryptoKeyVersion:
+                A
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                represents an individual cryptographic key, and the
+                associated key material.
+
+                An
+                [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
+                version can be used for cryptographic operations.
+
+                For security reasons, the raw cryptographic key material
+                represented by a
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                can never be viewed or exported. It can only be used to
+                encrypt, decrypt, or sign data when an authorized user
+                or application invokes Cloud KMS.
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([name]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.GetCryptoKeyVersionRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if name is not None:
+            request.name = name
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = gapic_v1.method_async.wrap_method(
+            self._client._transport.get_crypto_key_version,
+            default_retry=retries.Retry(
+                initial=0.1,
+                maximum=60.0,
+                multiplier=1.3,
+                predicate=retries.if_exception_type(
+                    exceptions.InternalServerError,
+                    exceptions.ServiceUnavailable,
+                    exceptions.DeadlineExceeded,
+                ),
+            ),
+            default_timeout=60.0,
+            client_info=_client_info,
+        )
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
+        )
+
+        # Send the request.
+        response = await rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    async def get_public_key(
+        self,
+        request: service.GetPublicKeyRequest = None,
+        *,
+        name: str = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> resources.PublicKey:
+        r"""Returns the public key for the given
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. The
+        [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must
+        be
+        [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN]
+        or
+        [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT].
+
+
+        Args:
+            request (:class:`~.service.GetPublicKeyRequest`):
+                The request object. Request message for
+                [KeyManagementService.GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
+            name (:class:`str`):
+                Required. The
+                [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                public key to get.
+                This corresponds to the ``name`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.resources.PublicKey:
+                The public key for a given
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
+                Obtained via
+                [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([name]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.GetPublicKeyRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if name is not None:
+            request.name = name
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = gapic_v1.method_async.wrap_method(
+            self._client._transport.get_public_key,
+            default_retry=retries.Retry(
+                initial=0.1,
+                maximum=60.0,
+                multiplier=1.3,
+                predicate=retries.if_exception_type(
+                    exceptions.InternalServerError,
+                    exceptions.ServiceUnavailable,
+                    exceptions.DeadlineExceeded,
+                ),
+            ),
+            default_timeout=60.0,
+            client_info=_client_info,
+        )
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
+        )
+
+        # Send the request.
+        response = await rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    async def get_import_job(
+        self,
+        request: service.GetImportJobRequest = None,
+        *,
+        name: str = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> resources.ImportJob:
+        r"""Returns metadata for a given
+        [ImportJob][google.cloud.kms.v1.ImportJob].
+
+
+        Args:
+            request (:class:`~.service.GetImportJobRequest`):
+                The request object. Request message for
+                [KeyManagementService.GetImportJob][google.cloud.kms.v1.KeyManagementService.GetImportJob].
+            name (:class:`str`):
+                Required. The [name][google.cloud.kms.v1.ImportJob.name]
+                of the [ImportJob][google.cloud.kms.v1.ImportJob] to
+                get.
+                This corresponds to the ``name`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.resources.ImportJob:
+                An [ImportJob][google.cloud.kms.v1.ImportJob] can be
+                used to create
+                [CryptoKeys][google.cloud.kms.v1.CryptoKey] and
+                [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]
+                using pre-existing key material, generated outside of
+                Cloud KMS.
+
+                When an [ImportJob][google.cloud.kms.v1.ImportJob] is
+                created, Cloud KMS will generate a "wrapping key", which
+                is a public/private key pair. You use the wrapping key
+                to encrypt (also known as wrap) the pre-existing key
+                material to protect it during the import process. The
+                nature of the wrapping key depends on the choice of
+                [import_method][google.cloud.kms.v1.ImportJob.import_method].
+                When the wrapping key generation is complete, the
+                [state][google.cloud.kms.v1.ImportJob.state] will be set
+                to
+                [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE]
+                and the
+                [public_key][google.cloud.kms.v1.ImportJob.public_key]
+                can be fetched. The fetched public key can then be used
+                to wrap your pre-existing key material.
+
+                Once the key material is wrapped, it can be imported
+                into a new
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                in an existing
+                [CryptoKey][google.cloud.kms.v1.CryptoKey] by calling
+                [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].
+                Multiple
+                [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]
+                can be imported with a single
+                [ImportJob][google.cloud.kms.v1.ImportJob]. Cloud KMS
+                uses the private key portion of the wrapping key to
+                unwrap the key material. Only Cloud KMS has access to
+                the private key.
+
+                An [ImportJob][google.cloud.kms.v1.ImportJob] expires 3
+                days after it is created. Once expired, Cloud KMS will
+                no longer be able to import or unwrap any key material
+                that was wrapped with the
+                [ImportJob][google.cloud.kms.v1.ImportJob]'s public key.
+
+                For more information, see `Importing a
+                key <https://cloud.google.com/kms/docs/importing-a-key>`__.
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([name]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.GetImportJobRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if name is not None:
+            request.name = name
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = gapic_v1.method_async.wrap_method(
+            self._client._transport.get_import_job,
+            default_retry=retries.Retry(
+                initial=0.1,
+                maximum=60.0,
+                multiplier=1.3,
+                predicate=retries.if_exception_type(
+                    exceptions.InternalServerError,
+                    exceptions.ServiceUnavailable,
+                    exceptions.DeadlineExceeded,
+                ),
+            ),
+            default_timeout=60.0,
+            client_info=_client_info,
+        )
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
+        )
+
+        # Send the request.
+        response = await rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    async def create_key_ring(
+        self,
+        request: service.CreateKeyRingRequest = None,
+        *,
+        parent: str = None,
+        key_ring_id: str = None,
+        key_ring: resources.KeyRing = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> resources.KeyRing:
+        r"""Create a new [KeyRing][google.cloud.kms.v1.KeyRing] in a given
+        Project and Location.
+
+
+        Args:
+            request (:class:`~.service.CreateKeyRingRequest`):
+                The request object. Request message for
+                [KeyManagementService.CreateKeyRing][google.cloud.kms.v1.KeyManagementService.CreateKeyRing].
+            parent (:class:`str`):
+                Required. The resource name of the location associated
+                with the [KeyRings][google.cloud.kms.v1.KeyRing], in the
+                format ``projects/*/locations/*``.
+                This corresponds to the ``parent`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+            key_ring_id (:class:`str`):
+                Required. It must be unique within a location and match
+                the regular expression ``[a-zA-Z0-9_-]{1,63}``
+                This corresponds to the ``key_ring_id`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+            key_ring (:class:`~.resources.KeyRing`):
+                Required. A [KeyRing][google.cloud.kms.v1.KeyRing] with
+                initial field values.
+                This corresponds to the ``key_ring`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.resources.KeyRing:
+                A [KeyRing][google.cloud.kms.v1.KeyRing] is a toplevel
+                logical grouping of
+                [CryptoKeys][google.cloud.kms.v1.CryptoKey].
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([parent, key_ring_id, key_ring]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.CreateKeyRingRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if parent is not None:
+            request.parent = parent
+        if key_ring_id is not None:
+            request.key_ring_id = key_ring_id
+        if key_ring is not None:
+            request.key_ring = key_ring
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = gapic_v1.method_async.wrap_method(
+            self._client._transport.create_key_ring,
+            default_retry=retries.Retry(
+                initial=0.1,
+                maximum=60.0,
+                multiplier=1.3,
+                predicate=retries.if_exception_type(
+                    exceptions.InternalServerError,
+                    exceptions.ServiceUnavailable,
+                    exceptions.DeadlineExceeded,
+                ),
+            ),
+            default_timeout=60.0,
+            client_info=_client_info,
+        )
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)),
+        )
+
+        # Send the request.
+        response = await rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    async def create_crypto_key(
+        self,
+        request: service.CreateCryptoKeyRequest = None,
+        *,
+        parent: str = None,
+        crypto_key_id: str = None,
+        crypto_key: resources.CryptoKey = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> resources.CryptoKey:
+        r"""Create a new [CryptoKey][google.cloud.kms.v1.CryptoKey] within a
+        [KeyRing][google.cloud.kms.v1.KeyRing].
+
+        [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] and
+        [CryptoKey.version_template.algorithm][google.cloud.kms.v1.CryptoKeyVersionTemplate.algorithm]
+        are required.
+
+
+        Args:
+            request (:class:`~.service.CreateCryptoKeyRequest`):
+                The request object. Request message for
+                [KeyManagementService.CreateCryptoKey][google.cloud.kms.v1.KeyManagementService.CreateCryptoKey].
+            parent (:class:`str`):
+                Required. The [name][google.cloud.kms.v1.KeyRing.name]
+                of the KeyRing associated with the
+                [CryptoKeys][google.cloud.kms.v1.CryptoKey].
+                This corresponds to the ``parent`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+            crypto_key_id (:class:`str`):
+                Required. It must be unique within a KeyRing and match
+                the regular expression ``[a-zA-Z0-9_-]{1,63}``
+                This corresponds to the ``crypto_key_id`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+            crypto_key (:class:`~.resources.CryptoKey`):
+                Required. A [CryptoKey][google.cloud.kms.v1.CryptoKey]
+                with initial field values.
+                This corresponds to the ``crypto_key`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.resources.CryptoKey:
+                A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents
+                a logical key that can be used for cryptographic
+                operations.
+
+                A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up
+                of one or more
+                [versions][google.cloud.kms.v1.CryptoKeyVersion], which
+                represent the actual key material used in cryptographic
+                operations.
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([parent, crypto_key_id, crypto_key]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.CreateCryptoKeyRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if parent is not None:
+            request.parent = parent
+        if crypto_key_id is not None:
+            request.crypto_key_id = crypto_key_id
+        if crypto_key is not None:
+            request.crypto_key = crypto_key
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = gapic_v1.method_async.wrap_method(
+            self._client._transport.create_crypto_key,
+            default_retry=retries.Retry(
+                initial=0.1,
+                maximum=60.0,
+                multiplier=1.3,
+                predicate=retries.if_exception_type(
+                    exceptions.InternalServerError,
+                    exceptions.ServiceUnavailable,
+                    exceptions.DeadlineExceeded,
+                ),
+            ),
+            default_timeout=60.0,
+            client_info=_client_info,
+        )
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)),
+        )
+
+        # Send the request.
+        response = await rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    async def create_crypto_key_version(
+        self,
+        request: service.CreateCryptoKeyVersionRequest = None,
+        *,
+        parent: str = None,
+        crypto_key_version: resources.CryptoKeyVersion = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> resources.CryptoKeyVersion:
+        r"""Create a new
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in a
+        [CryptoKey][google.cloud.kms.v1.CryptoKey].
+
+        The server will assign the next sequential id. If unset,
+        [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set
+        to
+        [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED].
+
+
+        Args:
+            request (:class:`~.service.CreateCryptoKeyVersionRequest`):
+                The request object. Request message for
+                [KeyManagementService.CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion].
+            parent (:class:`str`):
+                Required. The [name][google.cloud.kms.v1.CryptoKey.name]
+                of the [CryptoKey][google.cloud.kms.v1.CryptoKey]
+                associated with the
+                [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
+                This corresponds to the ``parent`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+            crypto_key_version (:class:`~.resources.CryptoKeyVersion`):
+                Required. A
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                with initial field values.
+                This corresponds to the ``crypto_key_version`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.resources.CryptoKeyVersion:
+                A
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                represents an individual cryptographic key, and the
+                associated key material.
+
+                An
+                [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
+                version can be used for cryptographic operations.
+
+                For security reasons, the raw cryptographic key material
+                represented by a
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                can never be viewed or exported. It can only be used to
+                encrypt, decrypt, or sign data when an authorized user
+                or application invokes Cloud KMS.
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([parent, crypto_key_version]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.CreateCryptoKeyVersionRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if parent is not None:
+            request.parent = parent
+        if crypto_key_version is not None:
+            request.crypto_key_version = crypto_key_version
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = gapic_v1.method_async.wrap_method(
+            self._client._transport.create_crypto_key_version,
+            default_timeout=60.0,
+            client_info=_client_info,
+        )
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)),
+        )
+
+        # Send the request.
+        response = await rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    async def import_crypto_key_version(
+        self,
+        request: service.ImportCryptoKeyVersionRequest = None,
+        *,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> resources.CryptoKeyVersion:
+        r"""Imports a new
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] into an
+        existing [CryptoKey][google.cloud.kms.v1.CryptoKey] using the
+        wrapped key material provided in the request.
+
+        The version ID will be assigned the next sequential id within
+        the [CryptoKey][google.cloud.kms.v1.CryptoKey].
+
+
+        Args:
+            request (:class:`~.service.ImportCryptoKeyVersionRequest`):
+                The request object. Request message for
+                [KeyManagementService.ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.resources.CryptoKeyVersion:
+                A
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                represents an individual cryptographic key, and the
+                associated key material.
+
+                An
+                [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
+                version can be used for cryptographic operations.
+
+                For security reasons, the raw cryptographic key material
+                represented by a
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                can never be viewed or exported. It can only be used to
+                encrypt, decrypt, or sign data when an authorized user
+                or application invokes Cloud KMS.
+
+        """
+        # Create or coerce a protobuf request object.
+
+        request = service.ImportCryptoKeyVersionRequest(request)
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = gapic_v1.method_async.wrap_method(
+            self._client._transport.import_crypto_key_version,
+            default_timeout=60.0,
+            client_info=_client_info,
+        )
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)),
+        )
+
+        # Send the request.
+        response = await rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    async def create_import_job(
+        self,
+        request: service.CreateImportJobRequest = None,
+        *,
+        parent: str = None,
+        import_job_id: str = None,
+        import_job: resources.ImportJob = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> resources.ImportJob:
+        r"""Create a new [ImportJob][google.cloud.kms.v1.ImportJob] within a
+        [KeyRing][google.cloud.kms.v1.KeyRing].
+
+        [ImportJob.import_method][google.cloud.kms.v1.ImportJob.import_method]
+        is required.
+
+
+        Args:
+            request (:class:`~.service.CreateImportJobRequest`):
+                The request object. Request message for
+                [KeyManagementService.CreateImportJob][google.cloud.kms.v1.KeyManagementService.CreateImportJob].
+            parent (:class:`str`):
+                Required. The [name][google.cloud.kms.v1.KeyRing.name]
+                of the [KeyRing][google.cloud.kms.v1.KeyRing] associated
+                with the [ImportJobs][google.cloud.kms.v1.ImportJob].
+                This corresponds to the ``parent`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+            import_job_id (:class:`str`):
+                Required. It must be unique within a KeyRing and match
+                the regular expression ``[a-zA-Z0-9_-]{1,63}``
+                This corresponds to the ``import_job_id`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+            import_job (:class:`~.resources.ImportJob`):
+                Required. An [ImportJob][google.cloud.kms.v1.ImportJob]
+                with initial field values.
+                This corresponds to the ``import_job`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.resources.ImportJob:
+                An [ImportJob][google.cloud.kms.v1.ImportJob] can be
+                used to create
+                [CryptoKeys][google.cloud.kms.v1.CryptoKey] and
+                [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]
+                using pre-existing key material, generated outside of
+                Cloud KMS.
+
+                When an [ImportJob][google.cloud.kms.v1.ImportJob] is
+                created, Cloud KMS will generate a "wrapping key", which
+                is a public/private key pair. You use the wrapping key
+                to encrypt (also known as wrap) the pre-existing key
+                material to protect it during the import process. The
+                nature of the wrapping key depends on the choice of
+                [import_method][google.cloud.kms.v1.ImportJob.import_method].
+                When the wrapping key generation is complete, the
+                [state][google.cloud.kms.v1.ImportJob.state] will be set
+                to
+                [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE]
+                and the
+                [public_key][google.cloud.kms.v1.ImportJob.public_key]
+                can be fetched. The fetched public key can then be used
+                to wrap your pre-existing key material.
+
+                Once the key material is wrapped, it can be imported
+                into a new
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                in an existing
+                [CryptoKey][google.cloud.kms.v1.CryptoKey] by calling
+                [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].
+                Multiple
+                [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]
+                can be imported with a single
+                [ImportJob][google.cloud.kms.v1.ImportJob]. Cloud KMS
+                uses the private key portion of the wrapping key to
+                unwrap the key material. Only Cloud KMS has access to
+                the private key.
+
+                An [ImportJob][google.cloud.kms.v1.ImportJob] expires 3
+                days after it is created. Once expired, Cloud KMS will
+                no longer be able to import or unwrap any key material
+                that was wrapped with the
+                [ImportJob][google.cloud.kms.v1.ImportJob]'s public key.
+
+                For more information, see `Importing a
+                key <https://cloud.google.com/kms/docs/importing-a-key>`__.
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([parent, import_job_id, import_job]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.CreateImportJobRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if parent is not None:
+            request.parent = parent
+        if import_job_id is not None:
+            request.import_job_id = import_job_id
+        if import_job is not None:
+            request.import_job = import_job
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = gapic_v1.method_async.wrap_method(
+            self._client._transport.create_import_job,
+            default_retry=retries.Retry(
+                initial=0.1,
+                maximum=60.0,
+                multiplier=1.3,
+                predicate=retries.if_exception_type(
+                    exceptions.InternalServerError,
+                    exceptions.ServiceUnavailable,
+                    exceptions.DeadlineExceeded,
+                ),
+            ),
+            default_timeout=60.0,
+            client_info=_client_info,
+        )
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)),
+        )
+
+        # Send the request.
+        response = await rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    async def update_crypto_key(
+        self,
+        request: service.UpdateCryptoKeyRequest = None,
+        *,
+        crypto_key: resources.CryptoKey = None,
+        update_mask: field_mask.FieldMask = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> resources.CryptoKey:
+        r"""Update a [CryptoKey][google.cloud.kms.v1.CryptoKey].
+
+
+        Args:
+            request (:class:`~.service.UpdateCryptoKeyRequest`):
+                The request object. Request message for
+                [KeyManagementService.UpdateCryptoKey][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKey].
+            crypto_key (:class:`~.resources.CryptoKey`):
+                Required. [CryptoKey][google.cloud.kms.v1.CryptoKey]
+                with updated values.
+                This corresponds to the ``crypto_key`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+            update_mask (:class:`~.field_mask.FieldMask`):
+                Required. List of fields to be
+                updated in this request.
+                This corresponds to the ``update_mask`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.resources.CryptoKey:
+                A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents
+                a logical key that can be used for cryptographic
+                operations.
+
+                A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up
+                of one or more
+                [versions][google.cloud.kms.v1.CryptoKeyVersion], which
+                represent the actual key material used in cryptographic
+                operations.
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([crypto_key, update_mask]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.UpdateCryptoKeyRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if crypto_key is not None:
+            request.crypto_key = crypto_key
+        if update_mask is not None:
+            request.update_mask = update_mask
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = gapic_v1.method_async.wrap_method(
+            self._client._transport.update_crypto_key,
+            default_retry=retries.Retry(
+                initial=0.1,
+                maximum=60.0,
+                multiplier=1.3,
+                predicate=retries.if_exception_type(
+                    exceptions.InternalServerError,
+                    exceptions.ServiceUnavailable,
+                    exceptions.DeadlineExceeded,
+                ),
+            ),
+            default_timeout=60.0,
+            client_info=_client_info,
+        )
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata(
+                (("crypto_key.name", request.crypto_key.name),)
+            ),
+        )
+
+        # Send the request.
+        response = await rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    async def update_crypto_key_version(
+        self,
+        request: service.UpdateCryptoKeyVersionRequest = None,
+        *,
+        crypto_key_version: resources.CryptoKeyVersion = None,
+        update_mask: field_mask.FieldMask = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> resources.CryptoKeyVersion:
+        r"""Update a
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s
+        metadata.
+
+        [state][google.cloud.kms.v1.CryptoKeyVersion.state] may be
+        changed between
+        [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
+        and
+        [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED]
+        using this method. See
+        [DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion]
+        and
+        [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]
+        to move between other states.
+
+
+        Args:
+            request (:class:`~.service.UpdateCryptoKeyVersionRequest`):
+                The request object. Request message for
+                [KeyManagementService.UpdateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyVersion].
+            crypto_key_version (:class:`~.resources.CryptoKeyVersion`):
+                Required.
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                with updated values.
+                This corresponds to the ``crypto_key_version`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+            update_mask (:class:`~.field_mask.FieldMask`):
+                Required. List of fields to be
+                updated in this request.
+                This corresponds to the ``update_mask`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.resources.CryptoKeyVersion:
+                A
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                represents an individual cryptographic key, and the
+                associated key material.
+
+                An
+                [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
+                version can be used for cryptographic operations.
+
+                For security reasons, the raw cryptographic key material
+                represented by a
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                can never be viewed or exported. It can only be used to
+                encrypt, decrypt, or sign data when an authorized user
+                or application invokes Cloud KMS.
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([crypto_key_version, update_mask]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.UpdateCryptoKeyVersionRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if crypto_key_version is not None:
+            request.crypto_key_version = crypto_key_version
+        if update_mask is not None:
+            request.update_mask = update_mask
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = gapic_v1.method_async.wrap_method(
+            self._client._transport.update_crypto_key_version,
+            default_retry=retries.Retry(
+                initial=0.1,
+                maximum=60.0,
+                multiplier=1.3,
+                predicate=retries.if_exception_type(
+                    exceptions.InternalServerError,
+                    exceptions.ServiceUnavailable,
+                    exceptions.DeadlineExceeded,
+                ),
+            ),
+            default_timeout=60.0,
+            client_info=_client_info,
+        )
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata(
+                (("crypto_key_version.name", request.crypto_key_version.name),)
+            ),
+        )
+
+        # Send the request.
+        response = await rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    async def encrypt(
+        self,
+        request: service.EncryptRequest = None,
+        *,
+        name: str = None,
+        plaintext: bytes = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> service.EncryptResponse:
+        r"""Encrypts data, so that it can only be recovered by a call to
+        [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt]. The
+        [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must
+        be
+        [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
+
+
+        Args:
+            request (:class:`~.service.EncryptRequest`):
+                The request object. Request message for
+                [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
+            name (:class:`str`):
+                Required. The resource name of the
+                [CryptoKey][google.cloud.kms.v1.CryptoKey] or
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                to use for encryption.
+
+                If a [CryptoKey][google.cloud.kms.v1.CryptoKey] is
+                specified, the server will use its [primary
+                version][google.cloud.kms.v1.CryptoKey.primary].
+                This corresponds to the ``name`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+            plaintext (:class:`bytes`):
+                Required. The data to encrypt. Must be no larger than
+                64KiB.
+
+                The maximum size depends on the key version's
+                [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level].
+                For
+                [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE]
+                keys, the plaintext must be no larger than 64KiB. For
+                [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the
+                combined length of the plaintext and
+                additional_authenticated_data fields must be no larger
+                than 8KiB.
+                This corresponds to the ``plaintext`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.service.EncryptResponse:
+                Response message for
+                [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([name, plaintext]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.EncryptRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if name is not None:
+            request.name = name
+        if plaintext is not None:
+            request.plaintext = plaintext
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = gapic_v1.method_async.wrap_method(
+            self._client._transport.encrypt,
+            default_retry=retries.Retry(
+                initial=0.1,
+                maximum=60.0,
+                multiplier=1.3,
+                predicate=retries.if_exception_type(
+                    exceptions.InternalServerError,
+                    exceptions.ServiceUnavailable,
+                    exceptions.DeadlineExceeded,
+                ),
+            ),
+            default_timeout=60.0,
+            client_info=_client_info,
+        )
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
+        )
+
+        # Send the request.
+        response = await rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    async def decrypt(
+        self,
+        request: service.DecryptRequest = None,
+        *,
+        name: str = None,
+        ciphertext: bytes = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> service.DecryptResponse:
+        r"""Decrypts data that was protected by
+        [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. The
+        [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must
+        be
+        [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
+
+
+        Args:
+            request (:class:`~.service.DecryptRequest`):
+                The request object. Request message for
+                [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
+            name (:class:`str`):
+                Required. The resource name of the
+                [CryptoKey][google.cloud.kms.v1.CryptoKey] to use for
+                decryption. The server will choose the appropriate
+                version.
+                This corresponds to the ``name`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+            ciphertext (:class:`bytes`):
+                Required. The encrypted data originally returned in
+                [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext].
+                This corresponds to the ``ciphertext`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.service.DecryptResponse:
+                Response message for
+                [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([name, ciphertext]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.DecryptRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if name is not None:
+            request.name = name
+        if ciphertext is not None:
+            request.ciphertext = ciphertext
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = gapic_v1.method_async.wrap_method(
+            self._client._transport.decrypt,
+            default_retry=retries.Retry(
+                initial=0.1,
+                maximum=60.0,
+                multiplier=1.3,
+                predicate=retries.if_exception_type(
+                    exceptions.InternalServerError,
+                    exceptions.ServiceUnavailable,
+                    exceptions.DeadlineExceeded,
+                ),
+            ),
+            default_timeout=60.0,
+            client_info=_client_info,
+        )
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
+        )
+
+        # Send the request.
+        response = await rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    async def asymmetric_sign(
+        self,
+        request: service.AsymmetricSignRequest = None,
+        *,
+        name: str = None,
+        digest: service.Digest = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> service.AsymmetricSignResponse:
+        r"""Signs data using a
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
+        [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
+        ASYMMETRIC_SIGN, producing a signature that can be verified with
+        the public key retrieved from
+        [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
+
+
+        Args:
+            request (:class:`~.service.AsymmetricSignRequest`):
+                The request object. Request message for
+                [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].
+            name (:class:`str`):
+                Required. The resource name of the
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                to use for signing.
+                This corresponds to the ``name`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+            digest (:class:`~.service.Digest`):
+                Required. The digest of the data to sign. The digest
+                must be produced with the same digest algorithm as
+                specified by the key version's
+                [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm].
+                This corresponds to the ``digest`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.service.AsymmetricSignResponse:
+                Response message for
+                [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([name, digest]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.AsymmetricSignRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if name is not None:
+            request.name = name
+        if digest is not None:
+            request.digest = digest
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = gapic_v1.method_async.wrap_method(
+            self._client._transport.asymmetric_sign,
+            default_retry=retries.Retry(
+                initial=0.1,
+                maximum=60.0,
+                multiplier=1.3,
+                predicate=retries.if_exception_type(
+                    exceptions.InternalServerError,
+                    exceptions.ServiceUnavailable,
+                    exceptions.DeadlineExceeded,
+                ),
+            ),
+            default_timeout=60.0,
+            client_info=_client_info,
+        )
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
+        )
+
+        # Send the request.
+        response = await rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    async def asymmetric_decrypt(
+        self,
+        request: service.AsymmetricDecryptRequest = None,
+        *,
+        name: str = None,
+        ciphertext: bytes = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> service.AsymmetricDecryptResponse:
+        r"""Decrypts data that was encrypted with a public key retrieved
+        from
+        [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey]
+        corresponding to a
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
+        [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
+        ASYMMETRIC_DECRYPT.
+
+
+        Args:
+            request (:class:`~.service.AsymmetricDecryptRequest`):
+                The request object. Request message for
+                [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].
+            name (:class:`str`):
+                Required. The resource name of the
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                to use for decryption.
+                This corresponds to the ``name`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+            ciphertext (:class:`bytes`):
+                Required. The data encrypted with the named
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s
+                public key using OAEP.
+                This corresponds to the ``ciphertext`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.service.AsymmetricDecryptResponse:
+                Response message for
+                [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([name, ciphertext]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.AsymmetricDecryptRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if name is not None:
+            request.name = name
+        if ciphertext is not None:
+            request.ciphertext = ciphertext
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = gapic_v1.method_async.wrap_method(
+            self._client._transport.asymmetric_decrypt,
+            default_retry=retries.Retry(
+                initial=0.1,
+                maximum=60.0,
+                multiplier=1.3,
+                predicate=retries.if_exception_type(
+                    exceptions.InternalServerError,
+                    exceptions.ServiceUnavailable,
+                    exceptions.DeadlineExceeded,
+                ),
+            ),
+            default_timeout=60.0,
+            client_info=_client_info,
+        )
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
+        )
+
+        # Send the request.
+        response = await rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    async def update_crypto_key_primary_version(
+        self,
+        request: service.UpdateCryptoKeyPrimaryVersionRequest = None,
+        *,
+        name: str = None,
+        crypto_key_version_id: str = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> resources.CryptoKey:
+        r"""Update the version of a
+        [CryptoKey][google.cloud.kms.v1.CryptoKey] that will be used in
+        [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
+
+        Returns an error if called on an asymmetric key.
+
+
+        Args:
+            request (:class:`~.service.UpdateCryptoKeyPrimaryVersionRequest`):
+                The request object. Request message for
+                [KeyManagementService.UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion].
+            name (:class:`str`):
+                Required. The resource name of the
+                [CryptoKey][google.cloud.kms.v1.CryptoKey] to update.
+                This corresponds to the ``name`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+            crypto_key_version_id (:class:`str`):
+                Required. The id of the child
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                to use as primary.
+                This corresponds to the ``crypto_key_version_id`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.resources.CryptoKey:
+                A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents
+                a logical key that can be used for cryptographic
+                operations.
+
+                A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up
+                of one or more
+                [versions][google.cloud.kms.v1.CryptoKeyVersion], which
+                represent the actual key material used in cryptographic
+                operations.
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([name, crypto_key_version_id]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.UpdateCryptoKeyPrimaryVersionRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if name is not None:
+            request.name = name
+        if crypto_key_version_id is not None:
+            request.crypto_key_version_id = crypto_key_version_id
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = gapic_v1.method_async.wrap_method(
+            self._client._transport.update_crypto_key_primary_version,
+            default_retry=retries.Retry(
+                initial=0.1,
+                maximum=60.0,
+                multiplier=1.3,
+                predicate=retries.if_exception_type(
+                    exceptions.InternalServerError,
+                    exceptions.ServiceUnavailable,
+                    exceptions.DeadlineExceeded,
+                ),
+            ),
+            default_timeout=60.0,
+            client_info=_client_info,
+        )
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
+        )
+
+        # Send the request.
+        response = await rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    async def destroy_crypto_key_version(
+        self,
+        request: service.DestroyCryptoKeyVersionRequest = None,
+        *,
+        name: str = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> resources.CryptoKeyVersion:
+        r"""Schedule a
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] for
+        destruction.
+
+        Upon calling this method,
+        [CryptoKeyVersion.state][google.cloud.kms.v1.CryptoKeyVersion.state]
+        will be set to
+        [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED]
+        and
+        [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time]
+        will be set to a time 24 hours in the future, at which point the
+        [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be
+        changed to
+        [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED],
+        and the key material will be irrevocably destroyed.
+
+        Before the
+        [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time]
+        is reached,
+        [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]
+        may be called to reverse the process.
+
+
+        Args:
+            request (:class:`~.service.DestroyCryptoKeyVersionRequest`):
+                The request object. Request message for
+                [KeyManagementService.DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion].
+            name (:class:`str`):
+                Required. The resource name of the
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                to destroy.
+                This corresponds to the ``name`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.resources.CryptoKeyVersion:
+                A
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                represents an individual cryptographic key, and the
+                associated key material.
+
+                An
+                [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
+                version can be used for cryptographic operations.
+
+                For security reasons, the raw cryptographic key material
+                represented by a
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                can never be viewed or exported. It can only be used to
+                encrypt, decrypt, or sign data when an authorized user
+                or application invokes Cloud KMS.
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([name]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.DestroyCryptoKeyVersionRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if name is not None:
+            request.name = name
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = gapic_v1.method_async.wrap_method(
+            self._client._transport.destroy_crypto_key_version,
+            default_retry=retries.Retry(
+                initial=0.1,
+                maximum=60.0,
+                multiplier=1.3,
+                predicate=retries.if_exception_type(
+                    exceptions.InternalServerError,
+                    exceptions.ServiceUnavailable,
+                    exceptions.DeadlineExceeded,
+                ),
+            ),
+            default_timeout=60.0,
+            client_info=_client_info,
+        )
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
+        )
+
+        # Send the request.
+        response = await rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    async def restore_crypto_key_version(
+        self,
+        request: service.RestoreCryptoKeyVersionRequest = None,
+        *,
+        name: str = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> resources.CryptoKeyVersion:
+        r"""Restore a
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the
+        [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED]
+        state.
+
+        Upon restoration of the CryptoKeyVersion,
+        [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set
+        to
+        [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED],
+        and
+        [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time]
+        will be cleared.
+
+
+        Args:
+            request (:class:`~.service.RestoreCryptoKeyVersionRequest`):
+                The request object. Request message for
+                [KeyManagementService.RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion].
+            name (:class:`str`):
+                Required. The resource name of the
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                to restore.
+                This corresponds to the ``name`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.resources.CryptoKeyVersion:
+                A
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                represents an individual cryptographic key, and the
+                associated key material.
+
+                An
+                [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
+                version can be used for cryptographic operations.
+
+                For security reasons, the raw cryptographic key material
+                represented by a
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                can never be viewed or exported. It can only be used to
+                encrypt, decrypt, or sign data when an authorized user
+                or application invokes Cloud KMS.
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([name]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.RestoreCryptoKeyVersionRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if name is not None:
+            request.name = name
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = gapic_v1.method_async.wrap_method(
+            self._client._transport.restore_crypto_key_version,
+            default_retry=retries.Retry(
+                initial=0.1,
+                maximum=60.0,
+                multiplier=1.3,
+                predicate=retries.if_exception_type(
+                    exceptions.InternalServerError,
+                    exceptions.ServiceUnavailable,
+                    exceptions.DeadlineExceeded,
+                ),
+            ),
+            default_timeout=60.0,
+            client_info=_client_info,
+        )
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
+        )
+
+        # Send the request.
+        response = await rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    async def set_iam_policy(
+        self,
+        request: iam_policy.SetIamPolicyRequest = None,
+        *,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> policy.Policy:
+        r"""Sets the IAM access control policy on the specified
+        function. Replaces any existing policy.
+
+        Args:
+            request (:class:`~.iam_policy.SetIamPolicyRequest`):
+                The request object. Request message for `SetIamPolicy`
+                method.
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+        Returns:
+            ~.policy.Policy:
+                Defines an Identity and Access Management (IAM) policy.
+                It is used to specify access control policies for Cloud
+                Platform resources.
+                A ``Policy`` is a collection of ``bindings``. A
+                ``binding`` binds one or more ``members`` to a single
+                ``role``. Members can be user accounts, service
+                accounts, Google groups, and domains (such as G Suite).
+                A ``role`` is a named list of permissions (defined by
+                IAM or configured by users). A ``binding`` can
+                optionally specify a ``condition``, which is a logic
+                expression that further constrains the role binding
+                based on attributes about the request and/or target
+                resource.
+
+                **JSON Example**::
+
+                    {
+                      "bindings": [
+                        {
+                          "role": "roles/resourcemanager.organizationAdmin",
+                          "members": [
+                            "user:mike@example.com",
+                            "group:admins@example.com",
+                            "domain:google.com",
+                            "serviceAccount:my-project-id@appspot.gserviceaccount.com"
+                          ]
+                        },
+                        {
+                          "role": "roles/resourcemanager.organizationViewer",
+                          "members": ["user:eve@example.com"],
+                          "condition": {
+                            "title": "expirable access",
+                            "description": "Does not grant access after Sep 2020",
+                            "expression": "request.time <
+                            timestamp('2020-10-01T00:00:00.000Z')",
+                          }
+                        }
+                      ]
+                    }
+
+                **YAML Example**::
+
+                    bindings:
+                    - members:
+                      - user:mike@example.com
+                      - group:admins@example.com
+                      - domain:google.com
+                      - serviceAccount:my-project-id@appspot.gserviceaccount.com
+                      role: roles/resourcemanager.organizationAdmin
+                    - members:
+                      - user:eve@example.com
+                      role: roles/resourcemanager.organizationViewer
+                      condition:
+                        title: expirable access
+                        description: Does not grant access after Sep 2020
+                        expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
+
+                For a description of IAM and its features, see the `IAM
+                developer's
+                guide <https://cloud.google.com/iam/docs>`__.
+        """
+        # Create or coerce a protobuf request object.
+
+        # The request isn't a proto-plus wrapped type,
+        # so it must be constructed via keyword expansion.
+        if isinstance(request, dict):
+            request = iam_policy.SetIamPolicyRequest(**request)
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = gapic_v1.method_async.wrap_method(
+            self._client._transport.set_iam_policy,
+            default_timeout=None,
+            client_info=_client_info,
+        )
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("resource", request.resource),)),
+        )
+
+        # Send the request.
+        response = await rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    async def get_iam_policy(
+        self,
+        request: iam_policy.GetIamPolicyRequest = None,
+        *,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> policy.Policy:
+        r"""Gets the IAM access control policy for a function.
+        Returns an empty policy if the function exists and does
+        not have a policy set.
+
+        Args:
+            request (:class:`~.iam_policy.GetIamPolicyRequest`):
+                The request object. Request message for `GetIamPolicy`
+                method.
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+        Returns:
+            ~.policy.Policy:
+                Defines an Identity and Access Management (IAM) policy.
+                It is used to specify access control policies for Cloud
+                Platform resources.
+                A ``Policy`` is a collection of ``bindings``. A
+                ``binding`` binds one or more ``members`` to a single
+                ``role``. Members can be user accounts, service
+                accounts, Google groups, and domains (such as G Suite).
+                A ``role`` is a named list of permissions (defined by
+                IAM or configured by users). A ``binding`` can
+                optionally specify a ``condition``, which is a logic
+                expression that further constrains the role binding
+                based on attributes about the request and/or target
+                resource.
+
+                **JSON Example**::
+
+                    {
+                      "bindings": [
+                        {
+                          "role": "roles/resourcemanager.organizationAdmin",
+                          "members": [
+                            "user:mike@example.com",
+                            "group:admins@example.com",
+                            "domain:google.com",
+                            "serviceAccount:my-project-id@appspot.gserviceaccount.com"
+                          ]
+                        },
+                        {
+                          "role": "roles/resourcemanager.organizationViewer",
+                          "members": ["user:eve@example.com"],
+                          "condition": {
+                            "title": "expirable access",
+                            "description": "Does not grant access after Sep 2020",
+                            "expression": "request.time <
+                            timestamp('2020-10-01T00:00:00.000Z')",
+                          }
+                        }
+                      ]
+                    }
+
+                **YAML Example**::
+
+                    bindings:
+                    - members:
+                      - user:mike@example.com
+                      - group:admins@example.com
+                      - domain:google.com
+                      - serviceAccount:my-project-id@appspot.gserviceaccount.com
+                      role: roles/resourcemanager.organizationAdmin
+                    - members:
+                      - user:eve@example.com
+                      role: roles/resourcemanager.organizationViewer
+                      condition:
+                        title: expirable access
+                        description: Does not grant access after Sep 2020
+                        expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
+
+                For a description of IAM and its features, see the `IAM
+                developer's
+                guide <https://cloud.google.com/iam/docs>`__.
+        """
+        # Create or coerce a protobuf request object.
+
+        # The request isn't a proto-plus wrapped type,
+        # so it must be constructed via keyword expansion.
+        if isinstance(request, dict):
+            request = iam_policy.GetIamPolicyRequest(**request)
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = gapic_v1.method_async.wrap_method(
+            self._client._transport.get_iam_policy,
+            default_timeout=None,
+            client_info=_client_info,
+        )
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("resource", request.resource),)),
+        )
+
+        # Send the request.
+        response = await rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    async def test_iam_permissions(
+        self,
+        request: iam_policy.TestIamPermissionsRequest = None,
+        *,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> iam_policy.TestIamPermissionsResponse:
+        r"""Tests the specified permissions against the IAM access control
+        policy for a function. If the function does not exist, this will
+        return an empty set of permissions, not a NOT_FOUND error.
+
+        Args:
+            request (:class:`~.iam_policy.TestIamPermissionsRequest`):
+                The request object. Request message for
+                `TestIamPermissions` method.
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+        Returns:
+            ~.iam_policy.TestIamPermissionsResponse:
+                Response message for ``TestIamPermissions`` method.
+        """
+        # Create or coerce a protobuf request object.
+
+        # The request isn't a proto-plus wrapped type,
+        # so it must be constructed via keyword expansion.
+        if isinstance(request, dict):
+            request = iam_policy.TestIamPermissionsRequest(**request)
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = gapic_v1.method_async.wrap_method(
+            self._client._transport.test_iam_permissions,
+            default_timeout=None,
+            client_info=_client_info,
+        )
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("resource", request.resource),)),
+        )
+
+        # Send the request.
+        response = await rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+
+try:
+    _client_info = gapic_v1.client_info.ClientInfo(
+        gapic_version=pkg_resources.get_distribution("google-cloud-kms",).version,
+    )
+except pkg_resources.DistributionNotFound:
+    _client_info = gapic_v1.client_info.ClientInfo()
+
+
+__all__ = ("KeyManagementServiceAsyncClient",)
diff --git a/packages/google-cloud-kms/google/cloud/kms_v1/services/key_management_service/client.py b/packages/google-cloud-kms/google/cloud/kms_v1/services/key_management_service/client.py
new file mode 100644
index 000000000000..f346143ea223
--- /dev/null
+++ b/packages/google-cloud-kms/google/cloud/kms_v1/services/key_management_service/client.py
@@ -0,0 +1,2675 @@
+# -*- coding: utf-8 -*-
+
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+from collections import OrderedDict
+import os
+import re
+from typing import Callable, Dict, Sequence, Tuple, Type, Union
+import pkg_resources
+
+import google.api_core.client_options as ClientOptions  # type: ignore
+from google.api_core import exceptions  # type: ignore
+from google.api_core import gapic_v1  # type: ignore
+from google.api_core import retry as retries  # type: ignore
+from google.auth import credentials  # type: ignore
+from google.auth.transport import mtls  # type: ignore
+from google.auth.exceptions import MutualTLSChannelError  # type: ignore
+from google.oauth2 import service_account  # type: ignore
+
+from google.cloud.kms_v1.services.key_management_service import pagers
+from google.cloud.kms_v1.types import resources
+from google.cloud.kms_v1.types import service
+from google.iam.v1 import iam_policy_pb2 as iam_policy  # type: ignore
+from google.iam.v1 import policy_pb2 as policy  # type: ignore
+from google.protobuf import duration_pb2 as duration  # type: ignore
+from google.protobuf import field_mask_pb2 as field_mask  # type: ignore
+from google.protobuf import timestamp_pb2 as timestamp  # type: ignore
+
+from .transports.base import KeyManagementServiceTransport
+from .transports.grpc import KeyManagementServiceGrpcTransport
+from .transports.grpc_asyncio import KeyManagementServiceGrpcAsyncIOTransport
+
+
+class KeyManagementServiceClientMeta(type):
+    """Metaclass for the KeyManagementService client.
+
+    This provides class-level methods for building and retrieving
+    support objects (e.g. transport) without polluting the client instance
+    objects.
+    """
+
+    _transport_registry = (
+        OrderedDict()
+    )  # type: Dict[str, Type[KeyManagementServiceTransport]]
+    _transport_registry["grpc"] = KeyManagementServiceGrpcTransport
+    _transport_registry["grpc_asyncio"] = KeyManagementServiceGrpcAsyncIOTransport
+
+    def get_transport_class(
+        cls, label: str = None,
+    ) -> Type[KeyManagementServiceTransport]:
+        """Return an appropriate transport class.
+
+
+        Args:
+            label: The name of the desired transport. If none is
+                provided, then the first transport in the registry is used.
+
+        Returns:
+            The transport class to use.
+        """
+        # If a specific transport is requested, return that one.
+        if label:
+            return cls._transport_registry[label]
+
+        # No transport is requested; return the default (that is, the first one
+        # in the dictionary).
+        return next(iter(cls._transport_registry.values()))
+
+
+class KeyManagementServiceClient(metaclass=KeyManagementServiceClientMeta):
+    """Google Cloud Key Management Service
+
+    Manages cryptographic keys and operations using those keys.
+    Implements a REST model with the following objects:
+
+    -  [KeyRing][google.cloud.kms.v1.KeyRing]
+    -  [CryptoKey][google.cloud.kms.v1.CryptoKey]
+    -  [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+    -  [ImportJob][google.cloud.kms.v1.ImportJob]
+
+    If you are using manual gRPC libraries, see `Using gRPC with Cloud
+    KMS <https://cloud.google.com/kms/docs/grpc>`__.
+    """
+
+    @staticmethod
+    def _get_default_mtls_endpoint(api_endpoint):
+        """Convert api endpoint to mTLS endpoint.
+        Convert "*.sandbox.googleapis.com" and "*.googleapis.com" to
+        "*.mtls.sandbox.googleapis.com" and "*.mtls.googleapis.com" respectively.
+
+        Args:
+            api_endpoint (Optional[str]): the api endpoint to convert.
+        Returns:
+            str: converted mTLS api endpoint.
+        """
+        if not api_endpoint:
+            return api_endpoint
+
+        mtls_endpoint_re = re.compile(
+            r"(?P<name>[^.]+)(?P<mtls>\.mtls)?(?P<sandbox>\.sandbox)?(?P<googledomain>\.googleapis\.com)?"
+        )
+
+        m = mtls_endpoint_re.match(api_endpoint)
+        name, mtls, sandbox, googledomain = m.groups()
+        if mtls or not googledomain:
+            return api_endpoint
+
+        if sandbox:
+            return api_endpoint.replace(
+                "sandbox.googleapis.com", "mtls.sandbox.googleapis.com"
+            )
+
+        return api_endpoint.replace(".googleapis.com", ".mtls.googleapis.com")
+
+    DEFAULT_ENDPOINT = "cloudkms.googleapis.com"
+    DEFAULT_MTLS_ENDPOINT = _get_default_mtls_endpoint.__func__(  # type: ignore
+        DEFAULT_ENDPOINT
+    )
+
+    @classmethod
+    def from_service_account_file(cls, filename: str, *args, **kwargs):
+        """Creates an instance of this client using the provided credentials
+        file.
+
+
+        Args:
+            filename (str): The path to the service account private key json
+                file.
+            args: Additional arguments to pass to the constructor.
+            kwargs: Additional arguments to pass to the constructor.
+
+        Returns:
+            {@api.name}: The constructed client.
+        """
+        credentials = service_account.Credentials.from_service_account_file(filename)
+        kwargs["credentials"] = credentials
+        return cls(*args, **kwargs)
+
+    from_service_account_json = from_service_account_file
+
+    @staticmethod
+    def crypto_key_path(
+        project: str, location: str, key_ring: str, crypto_key: str,
+    ) -> str:
+        """Return a fully-qualified crypto_key string."""
+        return "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}".format(
+            project=project,
+            location=location,
+            key_ring=key_ring,
+            crypto_key=crypto_key,
+        )
+
+    @staticmethod
+    def parse_crypto_key_path(path: str) -> Dict[str, str]:
+        """Parse a crypto_key path into its component segments."""
+        m = re.match(
+            r"^projects/(?P<project>.+?)/locations/(?P<location>.+?)/keyRings/(?P<key_ring>.+?)/cryptoKeys/(?P<crypto_key>.+?)$",
+            path,
+        )
+        return m.groupdict() if m else {}
+
+    @staticmethod
+    def crypto_key_version_path(
+        project: str,
+        location: str,
+        key_ring: str,
+        crypto_key: str,
+        crypto_key_version: str,
+    ) -> str:
+        """Return a fully-qualified crypto_key_version string."""
+        return "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}/cryptoKeyVersions/{crypto_key_version}".format(
+            project=project,
+            location=location,
+            key_ring=key_ring,
+            crypto_key=crypto_key,
+            crypto_key_version=crypto_key_version,
+        )
+
+    @staticmethod
+    def parse_crypto_key_version_path(path: str) -> Dict[str, str]:
+        """Parse a crypto_key_version path into its component segments."""
+        m = re.match(
+            r"^projects/(?P<project>.+?)/locations/(?P<location>.+?)/keyRings/(?P<key_ring>.+?)/cryptoKeys/(?P<crypto_key>.+?)/cryptoKeyVersions/(?P<crypto_key_version>.+?)$",
+            path,
+        )
+        return m.groupdict() if m else {}
+
+    @staticmethod
+    def import_job_path(
+        project: str, location: str, key_ring: str, import_job: str,
+    ) -> str:
+        """Return a fully-qualified import_job string."""
+        return "projects/{project}/locations/{location}/keyRings/{key_ring}/importJobs/{import_job}".format(
+            project=project,
+            location=location,
+            key_ring=key_ring,
+            import_job=import_job,
+        )
+
+    @staticmethod
+    def parse_import_job_path(path: str) -> Dict[str, str]:
+        """Parse a import_job path into its component segments."""
+        m = re.match(
+            r"^projects/(?P<project>.+?)/locations/(?P<location>.+?)/keyRings/(?P<key_ring>.+?)/importJobs/(?P<import_job>.+?)$",
+            path,
+        )
+        return m.groupdict() if m else {}
+
+    @staticmethod
+    def key_ring_path(project: str, location: str, key_ring: str,) -> str:
+        """Return a fully-qualified key_ring string."""
+        return "projects/{project}/locations/{location}/keyRings/{key_ring}".format(
+            project=project, location=location, key_ring=key_ring,
+        )
+
+    @staticmethod
+    def parse_key_ring_path(path: str) -> Dict[str, str]:
+        """Parse a key_ring path into its component segments."""
+        m = re.match(
+            r"^projects/(?P<project>.+?)/locations/(?P<location>.+?)/keyRings/(?P<key_ring>.+?)$",
+            path,
+        )
+        return m.groupdict() if m else {}
+
+    def __init__(
+        self,
+        *,
+        credentials: credentials.Credentials = None,
+        transport: Union[str, KeyManagementServiceTransport] = None,
+        client_options: ClientOptions = None,
+    ) -> None:
+        """Instantiate the key management service client.
+
+
+        Args:
+            credentials (Optional[google.auth.credentials.Credentials]): The
+                authorization credentials to attach to requests. These
+                credentials identify the application to the service; if none
+                are specified, the client will attempt to ascertain the
+                credentials from the environment.
+            transport (Union[str, ~.KeyManagementServiceTransport]): The
+                transport to use. If set to None, a transport is chosen
+                automatically.
+            client_options (ClientOptions): Custom options for the client. It
+                won't take effect if a ``transport`` instance is provided.
+                (1) The ``api_endpoint`` property can be used to override the
+                default endpoint provided by the client. GOOGLE_API_USE_MTLS
+                environment variable can also be used to override the endpoint:
+                "always" (always use the default mTLS endpoint), "never" (always
+                use the default regular endpoint, this is the default value for
+                the environment variable) and "auto" (auto switch to the default
+                mTLS endpoint if client SSL credentials is present). However,
+                the ``api_endpoint`` property takes precedence if provided.
+                (2) The ``client_cert_source`` property is used to provide client
+                SSL credentials for mutual TLS transport. If not provided, the
+                default SSL credentials will be used if present.
+
+        Raises:
+            google.auth.exceptions.MutualTLSChannelError: If mutual TLS transport
+                creation failed for any reason.
+        """
+        if isinstance(client_options, dict):
+            client_options = ClientOptions.from_dict(client_options)
+        if client_options is None:
+            client_options = ClientOptions.ClientOptions()
+
+        if client_options.api_endpoint is None:
+            use_mtls_env = os.getenv("GOOGLE_API_USE_MTLS", "never")
+            if use_mtls_env == "never":
+                client_options.api_endpoint = self.DEFAULT_ENDPOINT
+            elif use_mtls_env == "always":
+                client_options.api_endpoint = self.DEFAULT_MTLS_ENDPOINT
+            elif use_mtls_env == "auto":
+                has_client_cert_source = (
+                    client_options.client_cert_source is not None
+                    or mtls.has_default_client_cert_source()
+                )
+                client_options.api_endpoint = (
+                    self.DEFAULT_MTLS_ENDPOINT
+                    if has_client_cert_source
+                    else self.DEFAULT_ENDPOINT
+                )
+            else:
+                raise MutualTLSChannelError(
+                    "Unsupported GOOGLE_API_USE_MTLS value. Accepted values: never, auto, always"
+                )
+
+        # Save or instantiate the transport.
+        # Ordinarily, we provide the transport, but allowing a custom transport
+        # instance provides an extensibility point for unusual situations.
+        if isinstance(transport, KeyManagementServiceTransport):
+            # transport is a KeyManagementServiceTransport instance.
+            if credentials or client_options.credentials_file:
+                raise ValueError(
+                    "When providing a transport instance, "
+                    "provide its credentials directly."
+                )
+            if client_options.scopes:
+                raise ValueError(
+                    "When providing a transport instance, "
+                    "provide its scopes directly."
+                )
+            self._transport = transport
+        else:
+            Transport = type(self).get_transport_class(transport)
+            self._transport = Transport(
+                credentials=credentials,
+                credentials_file=client_options.credentials_file,
+                host=client_options.api_endpoint,
+                scopes=client_options.scopes,
+                api_mtls_endpoint=client_options.api_endpoint,
+                client_cert_source=client_options.client_cert_source,
+                quota_project_id=client_options.quota_project_id,
+            )
+
+    def list_key_rings(
+        self,
+        request: service.ListKeyRingsRequest = None,
+        *,
+        parent: str = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> pagers.ListKeyRingsPager:
+        r"""Lists [KeyRings][google.cloud.kms.v1.KeyRing].
+
+
+        Args:
+            request (:class:`~.service.ListKeyRingsRequest`):
+                The request object. Request message for
+                [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].
+            parent (:class:`str`):
+                Required. The resource name of the location associated
+                with the [KeyRings][google.cloud.kms.v1.KeyRing], in the
+                format ``projects/*/locations/*``.
+                This corresponds to the ``parent`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.pagers.ListKeyRingsPager:
+                Response message for
+                [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].
+
+                Iterating over this object will yield results and
+                resolve additional pages automatically.
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([parent]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.ListKeyRingsRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if parent is not None:
+            request.parent = parent
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = self._transport._wrapped_methods[self._transport.list_key_rings]
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)),
+        )
+
+        # Send the request.
+        response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # This method is paged; wrap the response in a pager, which provides
+        # an `__iter__` convenience method.
+        response = pagers.ListKeyRingsPager(
+            method=rpc, request=request, response=response, metadata=metadata,
+        )
+
+        # Done; return the response.
+        return response
+
+    def list_crypto_keys(
+        self,
+        request: service.ListCryptoKeysRequest = None,
+        *,
+        parent: str = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> pagers.ListCryptoKeysPager:
+        r"""Lists [CryptoKeys][google.cloud.kms.v1.CryptoKey].
+
+
+        Args:
+            request (:class:`~.service.ListCryptoKeysRequest`):
+                The request object. Request message for
+                [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
+            parent (:class:`str`):
+                Required. The resource name of the
+                [KeyRing][google.cloud.kms.v1.KeyRing] to list, in the
+                format ``projects/*/locations/*/keyRings/*``.
+                This corresponds to the ``parent`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.pagers.ListCryptoKeysPager:
+                Response message for
+                [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
+
+                Iterating over this object will yield results and
+                resolve additional pages automatically.
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([parent]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.ListCryptoKeysRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if parent is not None:
+            request.parent = parent
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = self._transport._wrapped_methods[self._transport.list_crypto_keys]
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)),
+        )
+
+        # Send the request.
+        response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # This method is paged; wrap the response in a pager, which provides
+        # an `__iter__` convenience method.
+        response = pagers.ListCryptoKeysPager(
+            method=rpc, request=request, response=response, metadata=metadata,
+        )
+
+        # Done; return the response.
+        return response
+
+    def list_crypto_key_versions(
+        self,
+        request: service.ListCryptoKeyVersionsRequest = None,
+        *,
+        parent: str = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> pagers.ListCryptoKeyVersionsPager:
+        r"""Lists [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
+
+
+        Args:
+            request (:class:`~.service.ListCryptoKeyVersionsRequest`):
+                The request object. Request message for
+                [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
+            parent (:class:`str`):
+                Required. The resource name of the
+                [CryptoKey][google.cloud.kms.v1.CryptoKey] to list, in
+                the format
+                ``projects/*/locations/*/keyRings/*/cryptoKeys/*``.
+                This corresponds to the ``parent`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.pagers.ListCryptoKeyVersionsPager:
+                Response message for
+                [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
+
+                Iterating over this object will yield results and
+                resolve additional pages automatically.
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([parent]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.ListCryptoKeyVersionsRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if parent is not None:
+            request.parent = parent
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = self._transport._wrapped_methods[self._transport.list_crypto_key_versions]
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)),
+        )
+
+        # Send the request.
+        response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # This method is paged; wrap the response in a pager, which provides
+        # an `__iter__` convenience method.
+        response = pagers.ListCryptoKeyVersionsPager(
+            method=rpc, request=request, response=response, metadata=metadata,
+        )
+
+        # Done; return the response.
+        return response
+
+    def list_import_jobs(
+        self,
+        request: service.ListImportJobsRequest = None,
+        *,
+        parent: str = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> pagers.ListImportJobsPager:
+        r"""Lists [ImportJobs][google.cloud.kms.v1.ImportJob].
+
+
+        Args:
+            request (:class:`~.service.ListImportJobsRequest`):
+                The request object. Request message for
+                [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].
+            parent (:class:`str`):
+                Required. The resource name of the
+                [KeyRing][google.cloud.kms.v1.KeyRing] to list, in the
+                format ``projects/*/locations/*/keyRings/*``.
+                This corresponds to the ``parent`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.pagers.ListImportJobsPager:
+                Response message for
+                [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].
+
+                Iterating over this object will yield results and
+                resolve additional pages automatically.
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([parent]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.ListImportJobsRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if parent is not None:
+            request.parent = parent
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = self._transport._wrapped_methods[self._transport.list_import_jobs]
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)),
+        )
+
+        # Send the request.
+        response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # This method is paged; wrap the response in a pager, which provides
+        # an `__iter__` convenience method.
+        response = pagers.ListImportJobsPager(
+            method=rpc, request=request, response=response, metadata=metadata,
+        )
+
+        # Done; return the response.
+        return response
+
+    def get_key_ring(
+        self,
+        request: service.GetKeyRingRequest = None,
+        *,
+        name: str = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> resources.KeyRing:
+        r"""Returns metadata for a given
+        [KeyRing][google.cloud.kms.v1.KeyRing].
+
+
+        Args:
+            request (:class:`~.service.GetKeyRingRequest`):
+                The request object. Request message for
+                [KeyManagementService.GetKeyRing][google.cloud.kms.v1.KeyManagementService.GetKeyRing].
+            name (:class:`str`):
+                Required. The [name][google.cloud.kms.v1.KeyRing.name]
+                of the [KeyRing][google.cloud.kms.v1.KeyRing] to get.
+                This corresponds to the ``name`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.resources.KeyRing:
+                A [KeyRing][google.cloud.kms.v1.KeyRing] is a toplevel
+                logical grouping of
+                [CryptoKeys][google.cloud.kms.v1.CryptoKey].
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([name]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.GetKeyRingRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if name is not None:
+            request.name = name
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = self._transport._wrapped_methods[self._transport.get_key_ring]
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
+        )
+
+        # Send the request.
+        response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    def get_crypto_key(
+        self,
+        request: service.GetCryptoKeyRequest = None,
+        *,
+        name: str = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> resources.CryptoKey:
+        r"""Returns metadata for a given
+        [CryptoKey][google.cloud.kms.v1.CryptoKey], as well as its
+        [primary][google.cloud.kms.v1.CryptoKey.primary]
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
+
+
+        Args:
+            request (:class:`~.service.GetCryptoKeyRequest`):
+                The request object. Request message for
+                [KeyManagementService.GetCryptoKey][google.cloud.kms.v1.KeyManagementService.GetCryptoKey].
+            name (:class:`str`):
+                Required. The [name][google.cloud.kms.v1.CryptoKey.name]
+                of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to
+                get.
+                This corresponds to the ``name`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.resources.CryptoKey:
+                A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents
+                a logical key that can be used for cryptographic
+                operations.
+
+                A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up
+                of one or more
+                [versions][google.cloud.kms.v1.CryptoKeyVersion], which
+                represent the actual key material used in cryptographic
+                operations.
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([name]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.GetCryptoKeyRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if name is not None:
+            request.name = name
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = self._transport._wrapped_methods[self._transport.get_crypto_key]
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
+        )
+
+        # Send the request.
+        response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    def get_crypto_key_version(
+        self,
+        request: service.GetCryptoKeyVersionRequest = None,
+        *,
+        name: str = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> resources.CryptoKeyVersion:
+        r"""Returns metadata for a given
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
+
+
+        Args:
+            request (:class:`~.service.GetCryptoKeyVersionRequest`):
+                The request object. Request message for
+                [KeyManagementService.GetCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.GetCryptoKeyVersion].
+            name (:class:`str`):
+                Required. The
+                [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                to get.
+                This corresponds to the ``name`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.resources.CryptoKeyVersion:
+                A
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                represents an individual cryptographic key, and the
+                associated key material.
+
+                An
+                [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
+                version can be used for cryptographic operations.
+
+                For security reasons, the raw cryptographic key material
+                represented by a
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                can never be viewed or exported. It can only be used to
+                encrypt, decrypt, or sign data when an authorized user
+                or application invokes Cloud KMS.
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([name]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.GetCryptoKeyVersionRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if name is not None:
+            request.name = name
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = self._transport._wrapped_methods[self._transport.get_crypto_key_version]
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
+        )
+
+        # Send the request.
+        response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    def get_public_key(
+        self,
+        request: service.GetPublicKeyRequest = None,
+        *,
+        name: str = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> resources.PublicKey:
+        r"""Returns the public key for the given
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. The
+        [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must
+        be
+        [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN]
+        or
+        [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT].
+
+
+        Args:
+            request (:class:`~.service.GetPublicKeyRequest`):
+                The request object. Request message for
+                [KeyManagementService.GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
+            name (:class:`str`):
+                Required. The
+                [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                public key to get.
+                This corresponds to the ``name`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.resources.PublicKey:
+                The public key for a given
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
+                Obtained via
+                [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([name]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.GetPublicKeyRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if name is not None:
+            request.name = name
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = self._transport._wrapped_methods[self._transport.get_public_key]
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
+        )
+
+        # Send the request.
+        response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    def get_import_job(
+        self,
+        request: service.GetImportJobRequest = None,
+        *,
+        name: str = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> resources.ImportJob:
+        r"""Returns metadata for a given
+        [ImportJob][google.cloud.kms.v1.ImportJob].
+
+
+        Args:
+            request (:class:`~.service.GetImportJobRequest`):
+                The request object. Request message for
+                [KeyManagementService.GetImportJob][google.cloud.kms.v1.KeyManagementService.GetImportJob].
+            name (:class:`str`):
+                Required. The [name][google.cloud.kms.v1.ImportJob.name]
+                of the [ImportJob][google.cloud.kms.v1.ImportJob] to
+                get.
+                This corresponds to the ``name`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.resources.ImportJob:
+                An [ImportJob][google.cloud.kms.v1.ImportJob] can be
+                used to create
+                [CryptoKeys][google.cloud.kms.v1.CryptoKey] and
+                [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]
+                using pre-existing key material, generated outside of
+                Cloud KMS.
+
+                When an [ImportJob][google.cloud.kms.v1.ImportJob] is
+                created, Cloud KMS will generate a "wrapping key", which
+                is a public/private key pair. You use the wrapping key
+                to encrypt (also known as wrap) the pre-existing key
+                material to protect it during the import process. The
+                nature of the wrapping key depends on the choice of
+                [import_method][google.cloud.kms.v1.ImportJob.import_method].
+                When the wrapping key generation is complete, the
+                [state][google.cloud.kms.v1.ImportJob.state] will be set
+                to
+                [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE]
+                and the
+                [public_key][google.cloud.kms.v1.ImportJob.public_key]
+                can be fetched. The fetched public key can then be used
+                to wrap your pre-existing key material.
+
+                Once the key material is wrapped, it can be imported
+                into a new
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                in an existing
+                [CryptoKey][google.cloud.kms.v1.CryptoKey] by calling
+                [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].
+                Multiple
+                [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]
+                can be imported with a single
+                [ImportJob][google.cloud.kms.v1.ImportJob]. Cloud KMS
+                uses the private key portion of the wrapping key to
+                unwrap the key material. Only Cloud KMS has access to
+                the private key.
+
+                An [ImportJob][google.cloud.kms.v1.ImportJob] expires 3
+                days after it is created. Once expired, Cloud KMS will
+                no longer be able to import or unwrap any key material
+                that was wrapped with the
+                [ImportJob][google.cloud.kms.v1.ImportJob]'s public key.
+
+                For more information, see `Importing a
+                key <https://cloud.google.com/kms/docs/importing-a-key>`__.
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([name]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.GetImportJobRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if name is not None:
+            request.name = name
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = self._transport._wrapped_methods[self._transport.get_import_job]
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
+        )
+
+        # Send the request.
+        response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    def create_key_ring(
+        self,
+        request: service.CreateKeyRingRequest = None,
+        *,
+        parent: str = None,
+        key_ring_id: str = None,
+        key_ring: resources.KeyRing = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> resources.KeyRing:
+        r"""Create a new [KeyRing][google.cloud.kms.v1.KeyRing] in a given
+        Project and Location.
+
+
+        Args:
+            request (:class:`~.service.CreateKeyRingRequest`):
+                The request object. Request message for
+                [KeyManagementService.CreateKeyRing][google.cloud.kms.v1.KeyManagementService.CreateKeyRing].
+            parent (:class:`str`):
+                Required. The resource name of the location associated
+                with the [KeyRings][google.cloud.kms.v1.KeyRing], in the
+                format ``projects/*/locations/*``.
+                This corresponds to the ``parent`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+            key_ring_id (:class:`str`):
+                Required. It must be unique within a location and match
+                the regular expression ``[a-zA-Z0-9_-]{1,63}``
+                This corresponds to the ``key_ring_id`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+            key_ring (:class:`~.resources.KeyRing`):
+                Required. A [KeyRing][google.cloud.kms.v1.KeyRing] with
+                initial field values.
+                This corresponds to the ``key_ring`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.resources.KeyRing:
+                A [KeyRing][google.cloud.kms.v1.KeyRing] is a toplevel
+                logical grouping of
+                [CryptoKeys][google.cloud.kms.v1.CryptoKey].
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([parent, key_ring_id, key_ring]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.CreateKeyRingRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if parent is not None:
+            request.parent = parent
+        if key_ring_id is not None:
+            request.key_ring_id = key_ring_id
+        if key_ring is not None:
+            request.key_ring = key_ring
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = self._transport._wrapped_methods[self._transport.create_key_ring]
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)),
+        )
+
+        # Send the request.
+        response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    def create_crypto_key(
+        self,
+        request: service.CreateCryptoKeyRequest = None,
+        *,
+        parent: str = None,
+        crypto_key_id: str = None,
+        crypto_key: resources.CryptoKey = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> resources.CryptoKey:
+        r"""Create a new [CryptoKey][google.cloud.kms.v1.CryptoKey] within a
+        [KeyRing][google.cloud.kms.v1.KeyRing].
+
+        [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] and
+        [CryptoKey.version_template.algorithm][google.cloud.kms.v1.CryptoKeyVersionTemplate.algorithm]
+        are required.
+
+
+        Args:
+            request (:class:`~.service.CreateCryptoKeyRequest`):
+                The request object. Request message for
+                [KeyManagementService.CreateCryptoKey][google.cloud.kms.v1.KeyManagementService.CreateCryptoKey].
+            parent (:class:`str`):
+                Required. The [name][google.cloud.kms.v1.KeyRing.name]
+                of the KeyRing associated with the
+                [CryptoKeys][google.cloud.kms.v1.CryptoKey].
+                This corresponds to the ``parent`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+            crypto_key_id (:class:`str`):
+                Required. It must be unique within a KeyRing and match
+                the regular expression ``[a-zA-Z0-9_-]{1,63}``
+                This corresponds to the ``crypto_key_id`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+            crypto_key (:class:`~.resources.CryptoKey`):
+                Required. A [CryptoKey][google.cloud.kms.v1.CryptoKey]
+                with initial field values.
+                This corresponds to the ``crypto_key`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.resources.CryptoKey:
+                A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents
+                a logical key that can be used for cryptographic
+                operations.
+
+                A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up
+                of one or more
+                [versions][google.cloud.kms.v1.CryptoKeyVersion], which
+                represent the actual key material used in cryptographic
+                operations.
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([parent, crypto_key_id, crypto_key]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.CreateCryptoKeyRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if parent is not None:
+            request.parent = parent
+        if crypto_key_id is not None:
+            request.crypto_key_id = crypto_key_id
+        if crypto_key is not None:
+            request.crypto_key = crypto_key
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = self._transport._wrapped_methods[self._transport.create_crypto_key]
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)),
+        )
+
+        # Send the request.
+        response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    def create_crypto_key_version(
+        self,
+        request: service.CreateCryptoKeyVersionRequest = None,
+        *,
+        parent: str = None,
+        crypto_key_version: resources.CryptoKeyVersion = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> resources.CryptoKeyVersion:
+        r"""Create a new
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in a
+        [CryptoKey][google.cloud.kms.v1.CryptoKey].
+
+        The server will assign the next sequential id. If unset,
+        [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set
+        to
+        [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED].
+
+
+        Args:
+            request (:class:`~.service.CreateCryptoKeyVersionRequest`):
+                The request object. Request message for
+                [KeyManagementService.CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion].
+            parent (:class:`str`):
+                Required. The [name][google.cloud.kms.v1.CryptoKey.name]
+                of the [CryptoKey][google.cloud.kms.v1.CryptoKey]
+                associated with the
+                [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
+                This corresponds to the ``parent`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+            crypto_key_version (:class:`~.resources.CryptoKeyVersion`):
+                Required. A
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                with initial field values.
+                This corresponds to the ``crypto_key_version`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.resources.CryptoKeyVersion:
+                A
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                represents an individual cryptographic key, and the
+                associated key material.
+
+                An
+                [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
+                version can be used for cryptographic operations.
+
+                For security reasons, the raw cryptographic key material
+                represented by a
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                can never be viewed or exported. It can only be used to
+                encrypt, decrypt, or sign data when an authorized user
+                or application invokes Cloud KMS.
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([parent, crypto_key_version]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.CreateCryptoKeyVersionRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if parent is not None:
+            request.parent = parent
+        if crypto_key_version is not None:
+            request.crypto_key_version = crypto_key_version
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = self._transport._wrapped_methods[
+            self._transport.create_crypto_key_version
+        ]
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)),
+        )
+
+        # Send the request.
+        response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    def import_crypto_key_version(
+        self,
+        request: service.ImportCryptoKeyVersionRequest = None,
+        *,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> resources.CryptoKeyVersion:
+        r"""Imports a new
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] into an
+        existing [CryptoKey][google.cloud.kms.v1.CryptoKey] using the
+        wrapped key material provided in the request.
+
+        The version ID will be assigned the next sequential id within
+        the [CryptoKey][google.cloud.kms.v1.CryptoKey].
+
+
+        Args:
+            request (:class:`~.service.ImportCryptoKeyVersionRequest`):
+                The request object. Request message for
+                [KeyManagementService.ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.resources.CryptoKeyVersion:
+                A
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                represents an individual cryptographic key, and the
+                associated key material.
+
+                An
+                [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
+                version can be used for cryptographic operations.
+
+                For security reasons, the raw cryptographic key material
+                represented by a
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                can never be viewed or exported. It can only be used to
+                encrypt, decrypt, or sign data when an authorized user
+                or application invokes Cloud KMS.
+
+        """
+        # Create or coerce a protobuf request object.
+
+        request = service.ImportCryptoKeyVersionRequest(request)
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = self._transport._wrapped_methods[
+            self._transport.import_crypto_key_version
+        ]
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)),
+        )
+
+        # Send the request.
+        response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    def create_import_job(
+        self,
+        request: service.CreateImportJobRequest = None,
+        *,
+        parent: str = None,
+        import_job_id: str = None,
+        import_job: resources.ImportJob = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> resources.ImportJob:
+        r"""Create a new [ImportJob][google.cloud.kms.v1.ImportJob] within a
+        [KeyRing][google.cloud.kms.v1.KeyRing].
+
+        [ImportJob.import_method][google.cloud.kms.v1.ImportJob.import_method]
+        is required.
+
+
+        Args:
+            request (:class:`~.service.CreateImportJobRequest`):
+                The request object. Request message for
+                [KeyManagementService.CreateImportJob][google.cloud.kms.v1.KeyManagementService.CreateImportJob].
+            parent (:class:`str`):
+                Required. The [name][google.cloud.kms.v1.KeyRing.name]
+                of the [KeyRing][google.cloud.kms.v1.KeyRing] associated
+                with the [ImportJobs][google.cloud.kms.v1.ImportJob].
+                This corresponds to the ``parent`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+            import_job_id (:class:`str`):
+                Required. It must be unique within a KeyRing and match
+                the regular expression ``[a-zA-Z0-9_-]{1,63}``
+                This corresponds to the ``import_job_id`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+            import_job (:class:`~.resources.ImportJob`):
+                Required. An [ImportJob][google.cloud.kms.v1.ImportJob]
+                with initial field values.
+                This corresponds to the ``import_job`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.resources.ImportJob:
+                An [ImportJob][google.cloud.kms.v1.ImportJob] can be
+                used to create
+                [CryptoKeys][google.cloud.kms.v1.CryptoKey] and
+                [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]
+                using pre-existing key material, generated outside of
+                Cloud KMS.
+
+                When an [ImportJob][google.cloud.kms.v1.ImportJob] is
+                created, Cloud KMS will generate a "wrapping key", which
+                is a public/private key pair. You use the wrapping key
+                to encrypt (also known as wrap) the pre-existing key
+                material to protect it during the import process. The
+                nature of the wrapping key depends on the choice of
+                [import_method][google.cloud.kms.v1.ImportJob.import_method].
+                When the wrapping key generation is complete, the
+                [state][google.cloud.kms.v1.ImportJob.state] will be set
+                to
+                [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE]
+                and the
+                [public_key][google.cloud.kms.v1.ImportJob.public_key]
+                can be fetched. The fetched public key can then be used
+                to wrap your pre-existing key material.
+
+                Once the key material is wrapped, it can be imported
+                into a new
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                in an existing
+                [CryptoKey][google.cloud.kms.v1.CryptoKey] by calling
+                [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].
+                Multiple
+                [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]
+                can be imported with a single
+                [ImportJob][google.cloud.kms.v1.ImportJob]. Cloud KMS
+                uses the private key portion of the wrapping key to
+                unwrap the key material. Only Cloud KMS has access to
+                the private key.
+
+                An [ImportJob][google.cloud.kms.v1.ImportJob] expires 3
+                days after it is created. Once expired, Cloud KMS will
+                no longer be able to import or unwrap any key material
+                that was wrapped with the
+                [ImportJob][google.cloud.kms.v1.ImportJob]'s public key.
+
+                For more information, see `Importing a
+                key <https://cloud.google.com/kms/docs/importing-a-key>`__.
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([parent, import_job_id, import_job]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.CreateImportJobRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if parent is not None:
+            request.parent = parent
+        if import_job_id is not None:
+            request.import_job_id = import_job_id
+        if import_job is not None:
+            request.import_job = import_job
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = self._transport._wrapped_methods[self._transport.create_import_job]
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)),
+        )
+
+        # Send the request.
+        response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    def update_crypto_key(
+        self,
+        request: service.UpdateCryptoKeyRequest = None,
+        *,
+        crypto_key: resources.CryptoKey = None,
+        update_mask: field_mask.FieldMask = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> resources.CryptoKey:
+        r"""Update a [CryptoKey][google.cloud.kms.v1.CryptoKey].
+
+
+        Args:
+            request (:class:`~.service.UpdateCryptoKeyRequest`):
+                The request object. Request message for
+                [KeyManagementService.UpdateCryptoKey][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKey].
+            crypto_key (:class:`~.resources.CryptoKey`):
+                Required. [CryptoKey][google.cloud.kms.v1.CryptoKey]
+                with updated values.
+                This corresponds to the ``crypto_key`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+            update_mask (:class:`~.field_mask.FieldMask`):
+                Required. List of fields to be
+                updated in this request.
+                This corresponds to the ``update_mask`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.resources.CryptoKey:
+                A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents
+                a logical key that can be used for cryptographic
+                operations.
+
+                A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up
+                of one or more
+                [versions][google.cloud.kms.v1.CryptoKeyVersion], which
+                represent the actual key material used in cryptographic
+                operations.
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([crypto_key, update_mask]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.UpdateCryptoKeyRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if crypto_key is not None:
+            request.crypto_key = crypto_key
+        if update_mask is not None:
+            request.update_mask = update_mask
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = self._transport._wrapped_methods[self._transport.update_crypto_key]
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata(
+                (("crypto_key.name", request.crypto_key.name),)
+            ),
+        )
+
+        # Send the request.
+        response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    def update_crypto_key_version(
+        self,
+        request: service.UpdateCryptoKeyVersionRequest = None,
+        *,
+        crypto_key_version: resources.CryptoKeyVersion = None,
+        update_mask: field_mask.FieldMask = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> resources.CryptoKeyVersion:
+        r"""Update a
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s
+        metadata.
+
+        [state][google.cloud.kms.v1.CryptoKeyVersion.state] may be
+        changed between
+        [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
+        and
+        [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED]
+        using this method. See
+        [DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion]
+        and
+        [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]
+        to move between other states.
+
+
+        Args:
+            request (:class:`~.service.UpdateCryptoKeyVersionRequest`):
+                The request object. Request message for
+                [KeyManagementService.UpdateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyVersion].
+            crypto_key_version (:class:`~.resources.CryptoKeyVersion`):
+                Required.
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                with updated values.
+                This corresponds to the ``crypto_key_version`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+            update_mask (:class:`~.field_mask.FieldMask`):
+                Required. List of fields to be
+                updated in this request.
+                This corresponds to the ``update_mask`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.resources.CryptoKeyVersion:
+                A
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                represents an individual cryptographic key, and the
+                associated key material.
+
+                An
+                [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
+                version can be used for cryptographic operations.
+
+                For security reasons, the raw cryptographic key material
+                represented by a
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                can never be viewed or exported. It can only be used to
+                encrypt, decrypt, or sign data when an authorized user
+                or application invokes Cloud KMS.
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([crypto_key_version, update_mask]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.UpdateCryptoKeyVersionRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if crypto_key_version is not None:
+            request.crypto_key_version = crypto_key_version
+        if update_mask is not None:
+            request.update_mask = update_mask
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = self._transport._wrapped_methods[
+            self._transport.update_crypto_key_version
+        ]
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata(
+                (("crypto_key_version.name", request.crypto_key_version.name),)
+            ),
+        )
+
+        # Send the request.
+        response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    def encrypt(
+        self,
+        request: service.EncryptRequest = None,
+        *,
+        name: str = None,
+        plaintext: bytes = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> service.EncryptResponse:
+        r"""Encrypts data, so that it can only be recovered by a call to
+        [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt]. The
+        [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must
+        be
+        [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
+
+
+        Args:
+            request (:class:`~.service.EncryptRequest`):
+                The request object. Request message for
+                [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
+            name (:class:`str`):
+                Required. The resource name of the
+                [CryptoKey][google.cloud.kms.v1.CryptoKey] or
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                to use for encryption.
+
+                If a [CryptoKey][google.cloud.kms.v1.CryptoKey] is
+                specified, the server will use its [primary
+                version][google.cloud.kms.v1.CryptoKey.primary].
+                This corresponds to the ``name`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+            plaintext (:class:`bytes`):
+                Required. The data to encrypt. Must be no larger than
+                64KiB.
+
+                The maximum size depends on the key version's
+                [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level].
+                For
+                [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE]
+                keys, the plaintext must be no larger than 64KiB. For
+                [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the
+                combined length of the plaintext and
+                additional_authenticated_data fields must be no larger
+                than 8KiB.
+                This corresponds to the ``plaintext`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.service.EncryptResponse:
+                Response message for
+                [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([name, plaintext]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.EncryptRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if name is not None:
+            request.name = name
+        if plaintext is not None:
+            request.plaintext = plaintext
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = self._transport._wrapped_methods[self._transport.encrypt]
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
+        )
+
+        # Send the request.
+        response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    def decrypt(
+        self,
+        request: service.DecryptRequest = None,
+        *,
+        name: str = None,
+        ciphertext: bytes = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> service.DecryptResponse:
+        r"""Decrypts data that was protected by
+        [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. The
+        [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must
+        be
+        [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
+
+
+        Args:
+            request (:class:`~.service.DecryptRequest`):
+                The request object. Request message for
+                [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
+            name (:class:`str`):
+                Required. The resource name of the
+                [CryptoKey][google.cloud.kms.v1.CryptoKey] to use for
+                decryption. The server will choose the appropriate
+                version.
+                This corresponds to the ``name`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+            ciphertext (:class:`bytes`):
+                Required. The encrypted data originally returned in
+                [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext].
+                This corresponds to the ``ciphertext`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.service.DecryptResponse:
+                Response message for
+                [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([name, ciphertext]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.DecryptRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if name is not None:
+            request.name = name
+        if ciphertext is not None:
+            request.ciphertext = ciphertext
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = self._transport._wrapped_methods[self._transport.decrypt]
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
+        )
+
+        # Send the request.
+        response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    def asymmetric_sign(
+        self,
+        request: service.AsymmetricSignRequest = None,
+        *,
+        name: str = None,
+        digest: service.Digest = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> service.AsymmetricSignResponse:
+        r"""Signs data using a
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
+        [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
+        ASYMMETRIC_SIGN, producing a signature that can be verified with
+        the public key retrieved from
+        [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
+
+
+        Args:
+            request (:class:`~.service.AsymmetricSignRequest`):
+                The request object. Request message for
+                [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].
+            name (:class:`str`):
+                Required. The resource name of the
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                to use for signing.
+                This corresponds to the ``name`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+            digest (:class:`~.service.Digest`):
+                Required. The digest of the data to sign. The digest
+                must be produced with the same digest algorithm as
+                specified by the key version's
+                [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm].
+                This corresponds to the ``digest`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.service.AsymmetricSignResponse:
+                Response message for
+                [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([name, digest]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.AsymmetricSignRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if name is not None:
+            request.name = name
+        if digest is not None:
+            request.digest = digest
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = self._transport._wrapped_methods[self._transport.asymmetric_sign]
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
+        )
+
+        # Send the request.
+        response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    def asymmetric_decrypt(
+        self,
+        request: service.AsymmetricDecryptRequest = None,
+        *,
+        name: str = None,
+        ciphertext: bytes = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> service.AsymmetricDecryptResponse:
+        r"""Decrypts data that was encrypted with a public key retrieved
+        from
+        [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey]
+        corresponding to a
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
+        [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
+        ASYMMETRIC_DECRYPT.
+
+
+        Args:
+            request (:class:`~.service.AsymmetricDecryptRequest`):
+                The request object. Request message for
+                [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].
+            name (:class:`str`):
+                Required. The resource name of the
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                to use for decryption.
+                This corresponds to the ``name`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+            ciphertext (:class:`bytes`):
+                Required. The data encrypted with the named
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s
+                public key using OAEP.
+                This corresponds to the ``ciphertext`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.service.AsymmetricDecryptResponse:
+                Response message for
+                [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([name, ciphertext]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.AsymmetricDecryptRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if name is not None:
+            request.name = name
+        if ciphertext is not None:
+            request.ciphertext = ciphertext
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = self._transport._wrapped_methods[self._transport.asymmetric_decrypt]
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
+        )
+
+        # Send the request.
+        response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    def update_crypto_key_primary_version(
+        self,
+        request: service.UpdateCryptoKeyPrimaryVersionRequest = None,
+        *,
+        name: str = None,
+        crypto_key_version_id: str = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> resources.CryptoKey:
+        r"""Update the version of a
+        [CryptoKey][google.cloud.kms.v1.CryptoKey] that will be used in
+        [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
+
+        Returns an error if called on an asymmetric key.
+
+
+        Args:
+            request (:class:`~.service.UpdateCryptoKeyPrimaryVersionRequest`):
+                The request object. Request message for
+                [KeyManagementService.UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion].
+            name (:class:`str`):
+                Required. The resource name of the
+                [CryptoKey][google.cloud.kms.v1.CryptoKey] to update.
+                This corresponds to the ``name`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+            crypto_key_version_id (:class:`str`):
+                Required. The id of the child
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                to use as primary.
+                This corresponds to the ``crypto_key_version_id`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.resources.CryptoKey:
+                A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents
+                a logical key that can be used for cryptographic
+                operations.
+
+                A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up
+                of one or more
+                [versions][google.cloud.kms.v1.CryptoKeyVersion], which
+                represent the actual key material used in cryptographic
+                operations.
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([name, crypto_key_version_id]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.UpdateCryptoKeyPrimaryVersionRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if name is not None:
+            request.name = name
+        if crypto_key_version_id is not None:
+            request.crypto_key_version_id = crypto_key_version_id
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = self._transport._wrapped_methods[
+            self._transport.update_crypto_key_primary_version
+        ]
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
+        )
+
+        # Send the request.
+        response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    def destroy_crypto_key_version(
+        self,
+        request: service.DestroyCryptoKeyVersionRequest = None,
+        *,
+        name: str = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> resources.CryptoKeyVersion:
+        r"""Schedule a
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] for
+        destruction.
+
+        Upon calling this method,
+        [CryptoKeyVersion.state][google.cloud.kms.v1.CryptoKeyVersion.state]
+        will be set to
+        [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED]
+        and
+        [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time]
+        will be set to a time 24 hours in the future, at which point the
+        [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be
+        changed to
+        [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED],
+        and the key material will be irrevocably destroyed.
+
+        Before the
+        [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time]
+        is reached,
+        [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]
+        may be called to reverse the process.
+
+
+        Args:
+            request (:class:`~.service.DestroyCryptoKeyVersionRequest`):
+                The request object. Request message for
+                [KeyManagementService.DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion].
+            name (:class:`str`):
+                Required. The resource name of the
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                to destroy.
+                This corresponds to the ``name`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.resources.CryptoKeyVersion:
+                A
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                represents an individual cryptographic key, and the
+                associated key material.
+
+                An
+                [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
+                version can be used for cryptographic operations.
+
+                For security reasons, the raw cryptographic key material
+                represented by a
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                can never be viewed or exported. It can only be used to
+                encrypt, decrypt, or sign data when an authorized user
+                or application invokes Cloud KMS.
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([name]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.DestroyCryptoKeyVersionRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if name is not None:
+            request.name = name
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = self._transport._wrapped_methods[
+            self._transport.destroy_crypto_key_version
+        ]
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
+        )
+
+        # Send the request.
+        response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    def restore_crypto_key_version(
+        self,
+        request: service.RestoreCryptoKeyVersionRequest = None,
+        *,
+        name: str = None,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> resources.CryptoKeyVersion:
+        r"""Restore a
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the
+        [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED]
+        state.
+
+        Upon restoration of the CryptoKeyVersion,
+        [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set
+        to
+        [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED],
+        and
+        [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time]
+        will be cleared.
+
+
+        Args:
+            request (:class:`~.service.RestoreCryptoKeyVersionRequest`):
+                The request object. Request message for
+                [KeyManagementService.RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion].
+            name (:class:`str`):
+                Required. The resource name of the
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                to restore.
+                This corresponds to the ``name`` field
+                on the ``request`` instance; if ``request`` is provided, this
+                should not be set.
+
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+
+        Returns:
+            ~.resources.CryptoKeyVersion:
+                A
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                represents an individual cryptographic key, and the
+                associated key material.
+
+                An
+                [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
+                version can be used for cryptographic operations.
+
+                For security reasons, the raw cryptographic key material
+                represented by a
+                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+                can never be viewed or exported. It can only be used to
+                encrypt, decrypt, or sign data when an authorized user
+                or application invokes Cloud KMS.
+
+        """
+        # Create or coerce a protobuf request object.
+        # Sanity check: If we got a request object, we should *not* have
+        # gotten any keyword arguments that map to the request.
+        if request is not None and any([name]):
+            raise ValueError(
+                "If the `request` argument is set, then none of "
+                "the individual field arguments should be set."
+            )
+
+        request = service.RestoreCryptoKeyVersionRequest(request)
+
+        # If we have keyword arguments corresponding to fields on the
+        # request, apply these.
+
+        if name is not None:
+            request.name = name
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = self._transport._wrapped_methods[
+            self._transport.restore_crypto_key_version
+        ]
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
+        )
+
+        # Send the request.
+        response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    def set_iam_policy(
+        self,
+        request: iam_policy.SetIamPolicyRequest = None,
+        *,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> policy.Policy:
+        r"""Sets the IAM access control policy on the specified
+        function. Replaces any existing policy.
+
+        Args:
+            request (:class:`~.iam_policy.SetIamPolicyRequest`):
+                The request object. Request message for `SetIamPolicy`
+                method.
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+        Returns:
+            ~.policy.Policy:
+                Defines an Identity and Access Management (IAM) policy.
+                It is used to specify access control policies for Cloud
+                Platform resources.
+                A ``Policy`` is a collection of ``bindings``. A
+                ``binding`` binds one or more ``members`` to a single
+                ``role``. Members can be user accounts, service
+                accounts, Google groups, and domains (such as G Suite).
+                A ``role`` is a named list of permissions (defined by
+                IAM or configured by users). A ``binding`` can
+                optionally specify a ``condition``, which is a logic
+                expression that further constrains the role binding
+                based on attributes about the request and/or target
+                resource.
+
+                **JSON Example**::
+
+                    {
+                      "bindings": [
+                        {
+                          "role": "roles/resourcemanager.organizationAdmin",
+                          "members": [
+                            "user:mike@example.com",
+                            "group:admins@example.com",
+                            "domain:google.com",
+                            "serviceAccount:my-project-id@appspot.gserviceaccount.com"
+                          ]
+                        },
+                        {
+                          "role": "roles/resourcemanager.organizationViewer",
+                          "members": ["user:eve@example.com"],
+                          "condition": {
+                            "title": "expirable access",
+                            "description": "Does not grant access after Sep 2020",
+                            "expression": "request.time <
+                            timestamp('2020-10-01T00:00:00.000Z')",
+                          }
+                        }
+                      ]
+                    }
+
+                **YAML Example**::
+
+                    bindings:
+                    - members:
+                      - user:mike@example.com
+                      - group:admins@example.com
+                      - domain:google.com
+                      - serviceAccount:my-project-id@appspot.gserviceaccount.com
+                      role: roles/resourcemanager.organizationAdmin
+                    - members:
+                      - user:eve@example.com
+                      role: roles/resourcemanager.organizationViewer
+                      condition:
+                        title: expirable access
+                        description: Does not grant access after Sep 2020
+                        expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
+
+                For a description of IAM and its features, see the `IAM
+                developer's
+                guide <https://cloud.google.com/iam/docs>`__.
+        """
+        # Create or coerce a protobuf request object.
+
+        # The request isn't a proto-plus wrapped type,
+        # so it must be constructed via keyword expansion.
+        if isinstance(request, dict):
+            request = iam_policy.SetIamPolicyRequest(**request)
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = gapic_v1.method.wrap_method(
+            self._transport.set_iam_policy,
+            default_timeout=None,
+            client_info=_client_info,
+        )
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("resource", request.resource),)),
+        )
+
+        # Send the request.
+        response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    def get_iam_policy(
+        self,
+        request: iam_policy.GetIamPolicyRequest = None,
+        *,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> policy.Policy:
+        r"""Gets the IAM access control policy for a function.
+        Returns an empty policy if the function exists and does
+        not have a policy set.
+
+        Args:
+            request (:class:`~.iam_policy.GetIamPolicyRequest`):
+                The request object. Request message for `GetIamPolicy`
+                method.
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+        Returns:
+            ~.policy.Policy:
+                Defines an Identity and Access Management (IAM) policy.
+                It is used to specify access control policies for Cloud
+                Platform resources.
+                A ``Policy`` is a collection of ``bindings``. A
+                ``binding`` binds one or more ``members`` to a single
+                ``role``. Members can be user accounts, service
+                accounts, Google groups, and domains (such as G Suite).
+                A ``role`` is a named list of permissions (defined by
+                IAM or configured by users). A ``binding`` can
+                optionally specify a ``condition``, which is a logic
+                expression that further constrains the role binding
+                based on attributes about the request and/or target
+                resource.
+
+                **JSON Example**::
+
+                    {
+                      "bindings": [
+                        {
+                          "role": "roles/resourcemanager.organizationAdmin",
+                          "members": [
+                            "user:mike@example.com",
+                            "group:admins@example.com",
+                            "domain:google.com",
+                            "serviceAccount:my-project-id@appspot.gserviceaccount.com"
+                          ]
+                        },
+                        {
+                          "role": "roles/resourcemanager.organizationViewer",
+                          "members": ["user:eve@example.com"],
+                          "condition": {
+                            "title": "expirable access",
+                            "description": "Does not grant access after Sep 2020",
+                            "expression": "request.time <
+                            timestamp('2020-10-01T00:00:00.000Z')",
+                          }
+                        }
+                      ]
+                    }
+
+                **YAML Example**::
+
+                    bindings:
+                    - members:
+                      - user:mike@example.com
+                      - group:admins@example.com
+                      - domain:google.com
+                      - serviceAccount:my-project-id@appspot.gserviceaccount.com
+                      role: roles/resourcemanager.organizationAdmin
+                    - members:
+                      - user:eve@example.com
+                      role: roles/resourcemanager.organizationViewer
+                      condition:
+                        title: expirable access
+                        description: Does not grant access after Sep 2020
+                        expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
+
+                For a description of IAM and its features, see the `IAM
+                developer's
+                guide <https://cloud.google.com/iam/docs>`__.
+        """
+        # Create or coerce a protobuf request object.
+
+        # The request isn't a proto-plus wrapped type,
+        # so it must be constructed via keyword expansion.
+        if isinstance(request, dict):
+            request = iam_policy.GetIamPolicyRequest(**request)
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = gapic_v1.method.wrap_method(
+            self._transport.get_iam_policy,
+            default_timeout=None,
+            client_info=_client_info,
+        )
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("resource", request.resource),)),
+        )
+
+        # Send the request.
+        response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+    def test_iam_permissions(
+        self,
+        request: iam_policy.TestIamPermissionsRequest = None,
+        *,
+        retry: retries.Retry = gapic_v1.method.DEFAULT,
+        timeout: float = None,
+        metadata: Sequence[Tuple[str, str]] = (),
+    ) -> iam_policy.TestIamPermissionsResponse:
+        r"""Tests the specified permissions against the IAM access control
+        policy for a function. If the function does not exist, this will
+        return an empty set of permissions, not a NOT_FOUND error.
+
+        Args:
+            request (:class:`~.iam_policy.TestIamPermissionsRequest`):
+                The request object. Request message for
+                `TestIamPermissions` method.
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+        Returns:
+            ~.iam_policy.TestIamPermissionsResponse:
+                Response message for ``TestIamPermissions`` method.
+        """
+        # Create or coerce a protobuf request object.
+
+        # The request isn't a proto-plus wrapped type,
+        # so it must be constructed via keyword expansion.
+        if isinstance(request, dict):
+            request = iam_policy.TestIamPermissionsRequest(**request)
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = gapic_v1.method.wrap_method(
+            self._transport.test_iam_permissions,
+            default_timeout=None,
+            client_info=_client_info,
+        )
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("resource", request.resource),)),
+        )
+
+        # Send the request.
+        response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
+
+        # Done; return the response.
+        return response
+
+
+try:
+    _client_info = gapic_v1.client_info.ClientInfo(
+        gapic_version=pkg_resources.get_distribution("google-cloud-kms",).version,
+    )
+except pkg_resources.DistributionNotFound:
+    _client_info = gapic_v1.client_info.ClientInfo()
+
+
+__all__ = ("KeyManagementServiceClient",)
diff --git a/packages/google-cloud-kms/google/cloud/kms_v1/services/key_management_service/pagers.py b/packages/google-cloud-kms/google/cloud/kms_v1/services/key_management_service/pagers.py
new file mode 100644
index 000000000000..c888e2e97172
--- /dev/null
+++ b/packages/google-cloud-kms/google/cloud/kms_v1/services/key_management_service/pagers.py
@@ -0,0 +1,533 @@
+# -*- coding: utf-8 -*-
+
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+from typing import Any, AsyncIterable, Awaitable, Callable, Iterable, Sequence, Tuple
+
+from google.cloud.kms_v1.types import resources
+from google.cloud.kms_v1.types import service
+
+
+class ListKeyRingsPager:
+    """A pager for iterating through ``list_key_rings`` requests.
+
+    This class thinly wraps an initial
+    :class:`~.service.ListKeyRingsResponse` object, and
+    provides an ``__iter__`` method to iterate through its
+    ``key_rings`` field.
+
+    If there are more pages, the ``__iter__`` method will make additional
+    ``ListKeyRings`` requests and continue to iterate
+    through the ``key_rings`` field on the
+    corresponding responses.
+
+    All the usual :class:`~.service.ListKeyRingsResponse`
+    attributes are available on the pager. If multiple requests are made, only
+    the most recent response is retained, and thus used for attribute lookup.
+    """
+
+    def __init__(
+        self,
+        method: Callable[..., service.ListKeyRingsResponse],
+        request: service.ListKeyRingsRequest,
+        response: service.ListKeyRingsResponse,
+        *,
+        metadata: Sequence[Tuple[str, str]] = ()
+    ):
+        """Instantiate the pager.
+
+        Args:
+            method (Callable): The method that was originally called, and
+                which instantiated this pager.
+            request (:class:`~.service.ListKeyRingsRequest`):
+                The initial request object.
+            response (:class:`~.service.ListKeyRingsResponse`):
+                The initial response object.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+        """
+        self._method = method
+        self._request = service.ListKeyRingsRequest(request)
+        self._response = response
+        self._metadata = metadata
+
+    def __getattr__(self, name: str) -> Any:
+        return getattr(self._response, name)
+
+    @property
+    def pages(self) -> Iterable[service.ListKeyRingsResponse]:
+        yield self._response
+        while self._response.next_page_token:
+            self._request.page_token = self._response.next_page_token
+            self._response = self._method(self._request, metadata=self._metadata)
+            yield self._response
+
+    def __iter__(self) -> Iterable[resources.KeyRing]:
+        for page in self.pages:
+            yield from page.key_rings
+
+    def __repr__(self) -> str:
+        return "{0}<{1!r}>".format(self.__class__.__name__, self._response)
+
+
+class ListKeyRingsAsyncPager:
+    """A pager for iterating through ``list_key_rings`` requests.
+
+    This class thinly wraps an initial
+    :class:`~.service.ListKeyRingsResponse` object, and
+    provides an ``__aiter__`` method to iterate through its
+    ``key_rings`` field.
+
+    If there are more pages, the ``__aiter__`` method will make additional
+    ``ListKeyRings`` requests and continue to iterate
+    through the ``key_rings`` field on the
+    corresponding responses.
+
+    All the usual :class:`~.service.ListKeyRingsResponse`
+    attributes are available on the pager. If multiple requests are made, only
+    the most recent response is retained, and thus used for attribute lookup.
+    """
+
+    def __init__(
+        self,
+        method: Callable[..., Awaitable[service.ListKeyRingsResponse]],
+        request: service.ListKeyRingsRequest,
+        response: service.ListKeyRingsResponse,
+        *,
+        metadata: Sequence[Tuple[str, str]] = ()
+    ):
+        """Instantiate the pager.
+
+        Args:
+            method (Callable): The method that was originally called, and
+                which instantiated this pager.
+            request (:class:`~.service.ListKeyRingsRequest`):
+                The initial request object.
+            response (:class:`~.service.ListKeyRingsResponse`):
+                The initial response object.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+        """
+        self._method = method
+        self._request = service.ListKeyRingsRequest(request)
+        self._response = response
+        self._metadata = metadata
+
+    def __getattr__(self, name: str) -> Any:
+        return getattr(self._response, name)
+
+    @property
+    async def pages(self) -> AsyncIterable[service.ListKeyRingsResponse]:
+        yield self._response
+        while self._response.next_page_token:
+            self._request.page_token = self._response.next_page_token
+            self._response = await self._method(self._request, metadata=self._metadata)
+            yield self._response
+
+    def __aiter__(self) -> AsyncIterable[resources.KeyRing]:
+        async def async_generator():
+            async for page in self.pages:
+                for response in page.key_rings:
+                    yield response
+
+        return async_generator()
+
+    def __repr__(self) -> str:
+        return "{0}<{1!r}>".format(self.__class__.__name__, self._response)
+
+
+class ListCryptoKeysPager:
+    """A pager for iterating through ``list_crypto_keys`` requests.
+
+    This class thinly wraps an initial
+    :class:`~.service.ListCryptoKeysResponse` object, and
+    provides an ``__iter__`` method to iterate through its
+    ``crypto_keys`` field.
+
+    If there are more pages, the ``__iter__`` method will make additional
+    ``ListCryptoKeys`` requests and continue to iterate
+    through the ``crypto_keys`` field on the
+    corresponding responses.
+
+    All the usual :class:`~.service.ListCryptoKeysResponse`
+    attributes are available on the pager. If multiple requests are made, only
+    the most recent response is retained, and thus used for attribute lookup.
+    """
+
+    def __init__(
+        self,
+        method: Callable[..., service.ListCryptoKeysResponse],
+        request: service.ListCryptoKeysRequest,
+        response: service.ListCryptoKeysResponse,
+        *,
+        metadata: Sequence[Tuple[str, str]] = ()
+    ):
+        """Instantiate the pager.
+
+        Args:
+            method (Callable): The method that was originally called, and
+                which instantiated this pager.
+            request (:class:`~.service.ListCryptoKeysRequest`):
+                The initial request object.
+            response (:class:`~.service.ListCryptoKeysResponse`):
+                The initial response object.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+        """
+        self._method = method
+        self._request = service.ListCryptoKeysRequest(request)
+        self._response = response
+        self._metadata = metadata
+
+    def __getattr__(self, name: str) -> Any:
+        return getattr(self._response, name)
+
+    @property
+    def pages(self) -> Iterable[service.ListCryptoKeysResponse]:
+        yield self._response
+        while self._response.next_page_token:
+            self._request.page_token = self._response.next_page_token
+            self._response = self._method(self._request, metadata=self._metadata)
+            yield self._response
+
+    def __iter__(self) -> Iterable[resources.CryptoKey]:
+        for page in self.pages:
+            yield from page.crypto_keys
+
+    def __repr__(self) -> str:
+        return "{0}<{1!r}>".format(self.__class__.__name__, self._response)
+
+
+class ListCryptoKeysAsyncPager:
+    """A pager for iterating through ``list_crypto_keys`` requests.
+
+    This class thinly wraps an initial
+    :class:`~.service.ListCryptoKeysResponse` object, and
+    provides an ``__aiter__`` method to iterate through its
+    ``crypto_keys`` field.
+
+    If there are more pages, the ``__aiter__`` method will make additional
+    ``ListCryptoKeys`` requests and continue to iterate
+    through the ``crypto_keys`` field on the
+    corresponding responses.
+
+    All the usual :class:`~.service.ListCryptoKeysResponse`
+    attributes are available on the pager. If multiple requests are made, only
+    the most recent response is retained, and thus used for attribute lookup.
+    """
+
+    def __init__(
+        self,
+        method: Callable[..., Awaitable[service.ListCryptoKeysResponse]],
+        request: service.ListCryptoKeysRequest,
+        response: service.ListCryptoKeysResponse,
+        *,
+        metadata: Sequence[Tuple[str, str]] = ()
+    ):
+        """Instantiate the pager.
+
+        Args:
+            method (Callable): The method that was originally called, and
+                which instantiated this pager.
+            request (:class:`~.service.ListCryptoKeysRequest`):
+                The initial request object.
+            response (:class:`~.service.ListCryptoKeysResponse`):
+                The initial response object.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+        """
+        self._method = method
+        self._request = service.ListCryptoKeysRequest(request)
+        self._response = response
+        self._metadata = metadata
+
+    def __getattr__(self, name: str) -> Any:
+        return getattr(self._response, name)
+
+    @property
+    async def pages(self) -> AsyncIterable[service.ListCryptoKeysResponse]:
+        yield self._response
+        while self._response.next_page_token:
+            self._request.page_token = self._response.next_page_token
+            self._response = await self._method(self._request, metadata=self._metadata)
+            yield self._response
+
+    def __aiter__(self) -> AsyncIterable[resources.CryptoKey]:
+        async def async_generator():
+            async for page in self.pages:
+                for response in page.crypto_keys:
+                    yield response
+
+        return async_generator()
+
+    def __repr__(self) -> str:
+        return "{0}<{1!r}>".format(self.__class__.__name__, self._response)
+
+
+class ListCryptoKeyVersionsPager:
+    """A pager for iterating through ``list_crypto_key_versions`` requests.
+
+    This class thinly wraps an initial
+    :class:`~.service.ListCryptoKeyVersionsResponse` object, and
+    provides an ``__iter__`` method to iterate through its
+    ``crypto_key_versions`` field.
+
+    If there are more pages, the ``__iter__`` method will make additional
+    ``ListCryptoKeyVersions`` requests and continue to iterate
+    through the ``crypto_key_versions`` field on the
+    corresponding responses.
+
+    All the usual :class:`~.service.ListCryptoKeyVersionsResponse`
+    attributes are available on the pager. If multiple requests are made, only
+    the most recent response is retained, and thus used for attribute lookup.
+    """
+
+    def __init__(
+        self,
+        method: Callable[..., service.ListCryptoKeyVersionsResponse],
+        request: service.ListCryptoKeyVersionsRequest,
+        response: service.ListCryptoKeyVersionsResponse,
+        *,
+        metadata: Sequence[Tuple[str, str]] = ()
+    ):
+        """Instantiate the pager.
+
+        Args:
+            method (Callable): The method that was originally called, and
+                which instantiated this pager.
+            request (:class:`~.service.ListCryptoKeyVersionsRequest`):
+                The initial request object.
+            response (:class:`~.service.ListCryptoKeyVersionsResponse`):
+                The initial response object.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+        """
+        self._method = method
+        self._request = service.ListCryptoKeyVersionsRequest(request)
+        self._response = response
+        self._metadata = metadata
+
+    def __getattr__(self, name: str) -> Any:
+        return getattr(self._response, name)
+
+    @property
+    def pages(self) -> Iterable[service.ListCryptoKeyVersionsResponse]:
+        yield self._response
+        while self._response.next_page_token:
+            self._request.page_token = self._response.next_page_token
+            self._response = self._method(self._request, metadata=self._metadata)
+            yield self._response
+
+    def __iter__(self) -> Iterable[resources.CryptoKeyVersion]:
+        for page in self.pages:
+            yield from page.crypto_key_versions
+
+    def __repr__(self) -> str:
+        return "{0}<{1!r}>".format(self.__class__.__name__, self._response)
+
+
+class ListCryptoKeyVersionsAsyncPager:
+    """A pager for iterating through ``list_crypto_key_versions`` requests.
+
+    This class thinly wraps an initial
+    :class:`~.service.ListCryptoKeyVersionsResponse` object, and
+    provides an ``__aiter__`` method to iterate through its
+    ``crypto_key_versions`` field.
+
+    If there are more pages, the ``__aiter__`` method will make additional
+    ``ListCryptoKeyVersions`` requests and continue to iterate
+    through the ``crypto_key_versions`` field on the
+    corresponding responses.
+
+    All the usual :class:`~.service.ListCryptoKeyVersionsResponse`
+    attributes are available on the pager. If multiple requests are made, only
+    the most recent response is retained, and thus used for attribute lookup.
+    """
+
+    def __init__(
+        self,
+        method: Callable[..., Awaitable[service.ListCryptoKeyVersionsResponse]],
+        request: service.ListCryptoKeyVersionsRequest,
+        response: service.ListCryptoKeyVersionsResponse,
+        *,
+        metadata: Sequence[Tuple[str, str]] = ()
+    ):
+        """Instantiate the pager.
+
+        Args:
+            method (Callable): The method that was originally called, and
+                which instantiated this pager.
+            request (:class:`~.service.ListCryptoKeyVersionsRequest`):
+                The initial request object.
+            response (:class:`~.service.ListCryptoKeyVersionsResponse`):
+                The initial response object.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+        """
+        self._method = method
+        self._request = service.ListCryptoKeyVersionsRequest(request)
+        self._response = response
+        self._metadata = metadata
+
+    def __getattr__(self, name: str) -> Any:
+        return getattr(self._response, name)
+
+    @property
+    async def pages(self) -> AsyncIterable[service.ListCryptoKeyVersionsResponse]:
+        yield self._response
+        while self._response.next_page_token:
+            self._request.page_token = self._response.next_page_token
+            self._response = await self._method(self._request, metadata=self._metadata)
+            yield self._response
+
+    def __aiter__(self) -> AsyncIterable[resources.CryptoKeyVersion]:
+        async def async_generator():
+            async for page in self.pages:
+                for response in page.crypto_key_versions:
+                    yield response
+
+        return async_generator()
+
+    def __repr__(self) -> str:
+        return "{0}<{1!r}>".format(self.__class__.__name__, self._response)
+
+
+class ListImportJobsPager:
+    """A pager for iterating through ``list_import_jobs`` requests.
+
+    This class thinly wraps an initial
+    :class:`~.service.ListImportJobsResponse` object, and
+    provides an ``__iter__`` method to iterate through its
+    ``import_jobs`` field.
+
+    If there are more pages, the ``__iter__`` method will make additional
+    ``ListImportJobs`` requests and continue to iterate
+    through the ``import_jobs`` field on the
+    corresponding responses.
+
+    All the usual :class:`~.service.ListImportJobsResponse`
+    attributes are available on the pager. If multiple requests are made, only
+    the most recent response is retained, and thus used for attribute lookup.
+    """
+
+    def __init__(
+        self,
+        method: Callable[..., service.ListImportJobsResponse],
+        request: service.ListImportJobsRequest,
+        response: service.ListImportJobsResponse,
+        *,
+        metadata: Sequence[Tuple[str, str]] = ()
+    ):
+        """Instantiate the pager.
+
+        Args:
+            method (Callable): The method that was originally called, and
+                which instantiated this pager.
+            request (:class:`~.service.ListImportJobsRequest`):
+                The initial request object.
+            response (:class:`~.service.ListImportJobsResponse`):
+                The initial response object.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+        """
+        self._method = method
+        self._request = service.ListImportJobsRequest(request)
+        self._response = response
+        self._metadata = metadata
+
+    def __getattr__(self, name: str) -> Any:
+        return getattr(self._response, name)
+
+    @property
+    def pages(self) -> Iterable[service.ListImportJobsResponse]:
+        yield self._response
+        while self._response.next_page_token:
+            self._request.page_token = self._response.next_page_token
+            self._response = self._method(self._request, metadata=self._metadata)
+            yield self._response
+
+    def __iter__(self) -> Iterable[resources.ImportJob]:
+        for page in self.pages:
+            yield from page.import_jobs
+
+    def __repr__(self) -> str:
+        return "{0}<{1!r}>".format(self.__class__.__name__, self._response)
+
+
+class ListImportJobsAsyncPager:
+    """A pager for iterating through ``list_import_jobs`` requests.
+
+    This class thinly wraps an initial
+    :class:`~.service.ListImportJobsResponse` object, and
+    provides an ``__aiter__`` method to iterate through its
+    ``import_jobs`` field.
+
+    If there are more pages, the ``__aiter__`` method will make additional
+    ``ListImportJobs`` requests and continue to iterate
+    through the ``import_jobs`` field on the
+    corresponding responses.
+
+    All the usual :class:`~.service.ListImportJobsResponse`
+    attributes are available on the pager. If multiple requests are made, only
+    the most recent response is retained, and thus used for attribute lookup.
+    """
+
+    def __init__(
+        self,
+        method: Callable[..., Awaitable[service.ListImportJobsResponse]],
+        request: service.ListImportJobsRequest,
+        response: service.ListImportJobsResponse,
+        *,
+        metadata: Sequence[Tuple[str, str]] = ()
+    ):
+        """Instantiate the pager.
+
+        Args:
+            method (Callable): The method that was originally called, and
+                which instantiated this pager.
+            request (:class:`~.service.ListImportJobsRequest`):
+                The initial request object.
+            response (:class:`~.service.ListImportJobsResponse`):
+                The initial response object.
+            metadata (Sequence[Tuple[str, str]]): Strings which should be
+                sent along with the request as metadata.
+        """
+        self._method = method
+        self._request = service.ListImportJobsRequest(request)
+        self._response = response
+        self._metadata = metadata
+
+    def __getattr__(self, name: str) -> Any:
+        return getattr(self._response, name)
+
+    @property
+    async def pages(self) -> AsyncIterable[service.ListImportJobsResponse]:
+        yield self._response
+        while self._response.next_page_token:
+            self._request.page_token = self._response.next_page_token
+            self._response = await self._method(self._request, metadata=self._metadata)
+            yield self._response
+
+    def __aiter__(self) -> AsyncIterable[resources.ImportJob]:
+        async def async_generator():
+            async for page in self.pages:
+                for response in page.import_jobs:
+                    yield response
+
+        return async_generator()
+
+    def __repr__(self) -> str:
+        return "{0}<{1!r}>".format(self.__class__.__name__, self._response)
diff --git a/packages/google-cloud-kms/google/cloud/kms_v1/services/key_management_service/transports/__init__.py b/packages/google-cloud-kms/google/cloud/kms_v1/services/key_management_service/transports/__init__.py
new file mode 100644
index 000000000000..7b89668a74aa
--- /dev/null
+++ b/packages/google-cloud-kms/google/cloud/kms_v1/services/key_management_service/transports/__init__.py
@@ -0,0 +1,38 @@
+# -*- coding: utf-8 -*-
+
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+from collections import OrderedDict
+from typing import Dict, Type
+
+from .base import KeyManagementServiceTransport
+from .grpc import KeyManagementServiceGrpcTransport
+from .grpc_asyncio import KeyManagementServiceGrpcAsyncIOTransport
+
+
+# Compile a registry of transports.
+_transport_registry = (
+    OrderedDict()
+)  # type: Dict[str, Type[KeyManagementServiceTransport]]
+_transport_registry["grpc"] = KeyManagementServiceGrpcTransport
+_transport_registry["grpc_asyncio"] = KeyManagementServiceGrpcAsyncIOTransport
+
+
+__all__ = (
+    "KeyManagementServiceTransport",
+    "KeyManagementServiceGrpcTransport",
+    "KeyManagementServiceGrpcAsyncIOTransport",
+)
diff --git a/packages/google-cloud-kms/google/cloud/kms_v1/services/key_management_service/transports/base.py b/packages/google-cloud-kms/google/cloud/kms_v1/services/key_management_service/transports/base.py
new file mode 100644
index 000000000000..23572f840845
--- /dev/null
+++ b/packages/google-cloud-kms/google/cloud/kms_v1/services/key_management_service/transports/base.py
@@ -0,0 +1,705 @@
+# -*- coding: utf-8 -*-
+
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+import abc
+import typing
+import pkg_resources
+
+from google import auth
+from google.api_core import exceptions  # type: ignore
+from google.api_core import gapic_v1  # type: ignore
+from google.api_core import retry as retries  # type: ignore
+from google.auth import credentials  # type: ignore
+
+from google.cloud.kms_v1.types import resources
+from google.cloud.kms_v1.types import service
+from google.iam.v1 import iam_policy_pb2 as iam_policy  # type: ignore
+from google.iam.v1 import policy_pb2 as policy  # type: ignore
+
+
+try:
+    _client_info = gapic_v1.client_info.ClientInfo(
+        gapic_version=pkg_resources.get_distribution("google-cloud-kms",).version,
+    )
+except pkg_resources.DistributionNotFound:
+    _client_info = gapic_v1.client_info.ClientInfo()
+
+
+class KeyManagementServiceTransport(abc.ABC):
+    """Abstract transport class for KeyManagementService."""
+
+    AUTH_SCOPES = (
+        "https://www.googleapis.com/auth/cloud-platform",
+        "https://www.googleapis.com/auth/cloudkms",
+    )
+
+    def __init__(
+        self,
+        *,
+        host: str = "cloudkms.googleapis.com",
+        credentials: credentials.Credentials = None,
+        credentials_file: typing.Optional[str] = None,
+        scopes: typing.Optional[typing.Sequence[str]] = AUTH_SCOPES,
+        quota_project_id: typing.Optional[str] = None,
+        **kwargs,
+    ) -> None:
+        """Instantiate the transport.
+
+        Args:
+            host (Optional[str]): The hostname to connect to.
+            credentials (Optional[google.auth.credentials.Credentials]): The
+                authorization credentials to attach to requests. These
+                credentials identify the application to the service; if none
+                are specified, the client will attempt to ascertain the
+                credentials from the environment.
+            credentials_file (Optional[str]): A file with credentials that can
+                be loaded with :func:`google.auth.load_credentials_from_file`.
+                This argument is mutually exclusive with credentials.
+            scope (Optional[Sequence[str]]): A list of scopes.
+            quota_project_id (Optional[str]): An optional project to use for billing
+                and quota.
+        """
+        # Save the hostname. Default to port 443 (HTTPS) if none is specified.
+        if ":" not in host:
+            host += ":443"
+        self._host = host
+
+        # If no credentials are provided, then determine the appropriate
+        # defaults.
+        if credentials and credentials_file:
+            raise exceptions.DuplicateCredentialArgs(
+                "'credentials_file' and 'credentials' are mutually exclusive"
+            )
+
+        if credentials_file is not None:
+            credentials, _ = auth.load_credentials_from_file(
+                credentials_file, scopes=scopes, quota_project_id=quota_project_id
+            )
+
+        elif credentials is None:
+            credentials, _ = auth.default(
+                scopes=scopes, quota_project_id=quota_project_id
+            )
+
+        # Save the credentials.
+        self._credentials = credentials
+
+        # Lifted into its own function so it can be stubbed out during tests.
+        self._prep_wrapped_messages()
+
+    def _prep_wrapped_messages(self):
+        # Precompute the wrapped methods.
+        self._wrapped_methods = {
+            self.list_key_rings: gapic_v1.method.wrap_method(
+                self.list_key_rings,
+                default_retry=retries.Retry(
+                    initial=0.1,
+                    maximum=60.0,
+                    multiplier=1.3,
+                    predicate=retries.if_exception_type(
+                        exceptions.InternalServerError,
+                        exceptions.ServiceUnavailable,
+                        exceptions.DeadlineExceeded,
+                    ),
+                ),
+                default_timeout=60.0,
+                client_info=_client_info,
+            ),
+            self.list_crypto_keys: gapic_v1.method.wrap_method(
+                self.list_crypto_keys,
+                default_retry=retries.Retry(
+                    initial=0.1,
+                    maximum=60.0,
+                    multiplier=1.3,
+                    predicate=retries.if_exception_type(
+                        exceptions.InternalServerError,
+                        exceptions.ServiceUnavailable,
+                        exceptions.DeadlineExceeded,
+                    ),
+                ),
+                default_timeout=60.0,
+                client_info=_client_info,
+            ),
+            self.list_crypto_key_versions: gapic_v1.method.wrap_method(
+                self.list_crypto_key_versions,
+                default_retry=retries.Retry(
+                    initial=0.1,
+                    maximum=60.0,
+                    multiplier=1.3,
+                    predicate=retries.if_exception_type(
+                        exceptions.InternalServerError,
+                        exceptions.ServiceUnavailable,
+                        exceptions.DeadlineExceeded,
+                    ),
+                ),
+                default_timeout=60.0,
+                client_info=_client_info,
+            ),
+            self.list_import_jobs: gapic_v1.method.wrap_method(
+                self.list_import_jobs,
+                default_retry=retries.Retry(
+                    initial=0.1,
+                    maximum=60.0,
+                    multiplier=1.3,
+                    predicate=retries.if_exception_type(
+                        exceptions.InternalServerError,
+                        exceptions.ServiceUnavailable,
+                        exceptions.DeadlineExceeded,
+                    ),
+                ),
+                default_timeout=60.0,
+                client_info=_client_info,
+            ),
+            self.get_key_ring: gapic_v1.method.wrap_method(
+                self.get_key_ring,
+                default_retry=retries.Retry(
+                    initial=0.1,
+                    maximum=60.0,
+                    multiplier=1.3,
+                    predicate=retries.if_exception_type(
+                        exceptions.InternalServerError,
+                        exceptions.ServiceUnavailable,
+                        exceptions.DeadlineExceeded,
+                    ),
+                ),
+                default_timeout=60.0,
+                client_info=_client_info,
+            ),
+            self.get_crypto_key: gapic_v1.method.wrap_method(
+                self.get_crypto_key,
+                default_retry=retries.Retry(
+                    initial=0.1,
+                    maximum=60.0,
+                    multiplier=1.3,
+                    predicate=retries.if_exception_type(
+                        exceptions.InternalServerError,
+                        exceptions.ServiceUnavailable,
+                        exceptions.DeadlineExceeded,
+                    ),
+                ),
+                default_timeout=60.0,
+                client_info=_client_info,
+            ),
+            self.get_crypto_key_version: gapic_v1.method.wrap_method(
+                self.get_crypto_key_version,
+                default_retry=retries.Retry(
+                    initial=0.1,
+                    maximum=60.0,
+                    multiplier=1.3,
+                    predicate=retries.if_exception_type(
+                        exceptions.InternalServerError,
+                        exceptions.ServiceUnavailable,
+                        exceptions.DeadlineExceeded,
+                    ),
+                ),
+                default_timeout=60.0,
+                client_info=_client_info,
+            ),
+            self.get_public_key: gapic_v1.method.wrap_method(
+                self.get_public_key,
+                default_retry=retries.Retry(
+                    initial=0.1,
+                    maximum=60.0,
+                    multiplier=1.3,
+                    predicate=retries.if_exception_type(
+                        exceptions.InternalServerError,
+                        exceptions.ServiceUnavailable,
+                        exceptions.DeadlineExceeded,
+                    ),
+                ),
+                default_timeout=60.0,
+                client_info=_client_info,
+            ),
+            self.get_import_job: gapic_v1.method.wrap_method(
+                self.get_import_job,
+                default_retry=retries.Retry(
+                    initial=0.1,
+                    maximum=60.0,
+                    multiplier=1.3,
+                    predicate=retries.if_exception_type(
+                        exceptions.InternalServerError,
+                        exceptions.ServiceUnavailable,
+                        exceptions.DeadlineExceeded,
+                    ),
+                ),
+                default_timeout=60.0,
+                client_info=_client_info,
+            ),
+            self.create_key_ring: gapic_v1.method.wrap_method(
+                self.create_key_ring,
+                default_retry=retries.Retry(
+                    initial=0.1,
+                    maximum=60.0,
+                    multiplier=1.3,
+                    predicate=retries.if_exception_type(
+                        exceptions.InternalServerError,
+                        exceptions.ServiceUnavailable,
+                        exceptions.DeadlineExceeded,
+                    ),
+                ),
+                default_timeout=60.0,
+                client_info=_client_info,
+            ),
+            self.create_crypto_key: gapic_v1.method.wrap_method(
+                self.create_crypto_key,
+                default_retry=retries.Retry(
+                    initial=0.1,
+                    maximum=60.0,
+                    multiplier=1.3,
+                    predicate=retries.if_exception_type(
+                        exceptions.InternalServerError,
+                        exceptions.ServiceUnavailable,
+                        exceptions.DeadlineExceeded,
+                    ),
+                ),
+                default_timeout=60.0,
+                client_info=_client_info,
+            ),
+            self.create_crypto_key_version: gapic_v1.method.wrap_method(
+                self.create_crypto_key_version,
+                default_timeout=60.0,
+                client_info=_client_info,
+            ),
+            self.import_crypto_key_version: gapic_v1.method.wrap_method(
+                self.import_crypto_key_version,
+                default_timeout=60.0,
+                client_info=_client_info,
+            ),
+            self.create_import_job: gapic_v1.method.wrap_method(
+                self.create_import_job,
+                default_retry=retries.Retry(
+                    initial=0.1,
+                    maximum=60.0,
+                    multiplier=1.3,
+                    predicate=retries.if_exception_type(
+                        exceptions.InternalServerError,
+                        exceptions.ServiceUnavailable,
+                        exceptions.DeadlineExceeded,
+                    ),
+                ),
+                default_timeout=60.0,
+                client_info=_client_info,
+            ),
+            self.update_crypto_key: gapic_v1.method.wrap_method(
+                self.update_crypto_key,
+                default_retry=retries.Retry(
+                    initial=0.1,
+                    maximum=60.0,
+                    multiplier=1.3,
+                    predicate=retries.if_exception_type(
+                        exceptions.InternalServerError,
+                        exceptions.ServiceUnavailable,
+                        exceptions.DeadlineExceeded,
+                    ),
+                ),
+                default_timeout=60.0,
+                client_info=_client_info,
+            ),
+            self.update_crypto_key_version: gapic_v1.method.wrap_method(
+                self.update_crypto_key_version,
+                default_retry=retries.Retry(
+                    initial=0.1,
+                    maximum=60.0,
+                    multiplier=1.3,
+                    predicate=retries.if_exception_type(
+                        exceptions.InternalServerError,
+                        exceptions.ServiceUnavailable,
+                        exceptions.DeadlineExceeded,
+                    ),
+                ),
+                default_timeout=60.0,
+                client_info=_client_info,
+            ),
+            self.encrypt: gapic_v1.method.wrap_method(
+                self.encrypt,
+                default_retry=retries.Retry(
+                    initial=0.1,
+                    maximum=60.0,
+                    multiplier=1.3,
+                    predicate=retries.if_exception_type(
+                        exceptions.InternalServerError,
+                        exceptions.ServiceUnavailable,
+                        exceptions.DeadlineExceeded,
+                    ),
+                ),
+                default_timeout=60.0,
+                client_info=_client_info,
+            ),
+            self.decrypt: gapic_v1.method.wrap_method(
+                self.decrypt,
+                default_retry=retries.Retry(
+                    initial=0.1,
+                    maximum=60.0,
+                    multiplier=1.3,
+                    predicate=retries.if_exception_type(
+                        exceptions.InternalServerError,
+                        exceptions.ServiceUnavailable,
+                        exceptions.DeadlineExceeded,
+                    ),
+                ),
+                default_timeout=60.0,
+                client_info=_client_info,
+            ),
+            self.asymmetric_sign: gapic_v1.method.wrap_method(
+                self.asymmetric_sign,
+                default_retry=retries.Retry(
+                    initial=0.1,
+                    maximum=60.0,
+                    multiplier=1.3,
+                    predicate=retries.if_exception_type(
+                        exceptions.InternalServerError,
+                        exceptions.ServiceUnavailable,
+                        exceptions.DeadlineExceeded,
+                    ),
+                ),
+                default_timeout=60.0,
+                client_info=_client_info,
+            ),
+            self.asymmetric_decrypt: gapic_v1.method.wrap_method(
+                self.asymmetric_decrypt,
+                default_retry=retries.Retry(
+                    initial=0.1,
+                    maximum=60.0,
+                    multiplier=1.3,
+                    predicate=retries.if_exception_type(
+                        exceptions.InternalServerError,
+                        exceptions.ServiceUnavailable,
+                        exceptions.DeadlineExceeded,
+                    ),
+                ),
+                default_timeout=60.0,
+                client_info=_client_info,
+            ),
+            self.update_crypto_key_primary_version: gapic_v1.method.wrap_method(
+                self.update_crypto_key_primary_version,
+                default_retry=retries.Retry(
+                    initial=0.1,
+                    maximum=60.0,
+                    multiplier=1.3,
+                    predicate=retries.if_exception_type(
+                        exceptions.InternalServerError,
+                        exceptions.ServiceUnavailable,
+                        exceptions.DeadlineExceeded,
+                    ),
+                ),
+                default_timeout=60.0,
+                client_info=_client_info,
+            ),
+            self.destroy_crypto_key_version: gapic_v1.method.wrap_method(
+                self.destroy_crypto_key_version,
+                default_retry=retries.Retry(
+                    initial=0.1,
+                    maximum=60.0,
+                    multiplier=1.3,
+                    predicate=retries.if_exception_type(
+                        exceptions.InternalServerError,
+                        exceptions.ServiceUnavailable,
+                        exceptions.DeadlineExceeded,
+                    ),
+                ),
+                default_timeout=60.0,
+                client_info=_client_info,
+            ),
+            self.restore_crypto_key_version: gapic_v1.method.wrap_method(
+                self.restore_crypto_key_version,
+                default_retry=retries.Retry(
+                    initial=0.1,
+                    maximum=60.0,
+                    multiplier=1.3,
+                    predicate=retries.if_exception_type(
+                        exceptions.InternalServerError,
+                        exceptions.ServiceUnavailable,
+                        exceptions.DeadlineExceeded,
+                    ),
+                ),
+                default_timeout=60.0,
+                client_info=_client_info,
+            ),
+        }
+
+    @property
+    def list_key_rings(
+        self,
+    ) -> typing.Callable[
+        [service.ListKeyRingsRequest],
+        typing.Union[
+            service.ListKeyRingsResponse, typing.Awaitable[service.ListKeyRingsResponse]
+        ],
+    ]:
+        raise NotImplementedError()
+
+    @property
+    def list_crypto_keys(
+        self,
+    ) -> typing.Callable[
+        [service.ListCryptoKeysRequest],
+        typing.Union[
+            service.ListCryptoKeysResponse,
+            typing.Awaitable[service.ListCryptoKeysResponse],
+        ],
+    ]:
+        raise NotImplementedError()
+
+    @property
+    def list_crypto_key_versions(
+        self,
+    ) -> typing.Callable[
+        [service.ListCryptoKeyVersionsRequest],
+        typing.Union[
+            service.ListCryptoKeyVersionsResponse,
+            typing.Awaitable[service.ListCryptoKeyVersionsResponse],
+        ],
+    ]:
+        raise NotImplementedError()
+
+    @property
+    def list_import_jobs(
+        self,
+    ) -> typing.Callable[
+        [service.ListImportJobsRequest],
+        typing.Union[
+            service.ListImportJobsResponse,
+            typing.Awaitable[service.ListImportJobsResponse],
+        ],
+    ]:
+        raise NotImplementedError()
+
+    @property
+    def get_key_ring(
+        self,
+    ) -> typing.Callable[
+        [service.GetKeyRingRequest],
+        typing.Union[resources.KeyRing, typing.Awaitable[resources.KeyRing]],
+    ]:
+        raise NotImplementedError()
+
+    @property
+    def get_crypto_key(
+        self,
+    ) -> typing.Callable[
+        [service.GetCryptoKeyRequest],
+        typing.Union[resources.CryptoKey, typing.Awaitable[resources.CryptoKey]],
+    ]:
+        raise NotImplementedError()
+
+    @property
+    def get_crypto_key_version(
+        self,
+    ) -> typing.Callable[
+        [service.GetCryptoKeyVersionRequest],
+        typing.Union[
+            resources.CryptoKeyVersion, typing.Awaitable[resources.CryptoKeyVersion]
+        ],
+    ]:
+        raise NotImplementedError()
+
+    @property
+    def get_public_key(
+        self,
+    ) -> typing.Callable[
+        [service.GetPublicKeyRequest],
+        typing.Union[resources.PublicKey, typing.Awaitable[resources.PublicKey]],
+    ]:
+        raise NotImplementedError()
+
+    @property
+    def get_import_job(
+        self,
+    ) -> typing.Callable[
+        [service.GetImportJobRequest],
+        typing.Union[resources.ImportJob, typing.Awaitable[resources.ImportJob]],
+    ]:
+        raise NotImplementedError()
+
+    @property
+    def create_key_ring(
+        self,
+    ) -> typing.Callable[
+        [service.CreateKeyRingRequest],
+        typing.Union[resources.KeyRing, typing.Awaitable[resources.KeyRing]],
+    ]:
+        raise NotImplementedError()
+
+    @property
+    def create_crypto_key(
+        self,
+    ) -> typing.Callable[
+        [service.CreateCryptoKeyRequest],
+        typing.Union[resources.CryptoKey, typing.Awaitable[resources.CryptoKey]],
+    ]:
+        raise NotImplementedError()
+
+    @property
+    def create_crypto_key_version(
+        self,
+    ) -> typing.Callable[
+        [service.CreateCryptoKeyVersionRequest],
+        typing.Union[
+            resources.CryptoKeyVersion, typing.Awaitable[resources.CryptoKeyVersion]
+        ],
+    ]:
+        raise NotImplementedError()
+
+    @property
+    def import_crypto_key_version(
+        self,
+    ) -> typing.Callable[
+        [service.ImportCryptoKeyVersionRequest],
+        typing.Union[
+            resources.CryptoKeyVersion, typing.Awaitable[resources.CryptoKeyVersion]
+        ],
+    ]:
+        raise NotImplementedError()
+
+    @property
+    def create_import_job(
+        self,
+    ) -> typing.Callable[
+        [service.CreateImportJobRequest],
+        typing.Union[resources.ImportJob, typing.Awaitable[resources.ImportJob]],
+    ]:
+        raise NotImplementedError()
+
+    @property
+    def update_crypto_key(
+        self,
+    ) -> typing.Callable[
+        [service.UpdateCryptoKeyRequest],
+        typing.Union[resources.CryptoKey, typing.Awaitable[resources.CryptoKey]],
+    ]:
+        raise NotImplementedError()
+
+    @property
+    def update_crypto_key_version(
+        self,
+    ) -> typing.Callable[
+        [service.UpdateCryptoKeyVersionRequest],
+        typing.Union[
+            resources.CryptoKeyVersion, typing.Awaitable[resources.CryptoKeyVersion]
+        ],
+    ]:
+        raise NotImplementedError()
+
+    @property
+    def encrypt(
+        self,
+    ) -> typing.Callable[
+        [service.EncryptRequest],
+        typing.Union[
+            service.EncryptResponse, typing.Awaitable[service.EncryptResponse]
+        ],
+    ]:
+        raise NotImplementedError()
+
+    @property
+    def decrypt(
+        self,
+    ) -> typing.Callable[
+        [service.DecryptRequest],
+        typing.Union[
+            service.DecryptResponse, typing.Awaitable[service.DecryptResponse]
+        ],
+    ]:
+        raise NotImplementedError()
+
+    @property
+    def asymmetric_sign(
+        self,
+    ) -> typing.Callable[
+        [service.AsymmetricSignRequest],
+        typing.Union[
+            service.AsymmetricSignResponse,
+            typing.Awaitable[service.AsymmetricSignResponse],
+        ],
+    ]:
+        raise NotImplementedError()
+
+    @property
+    def asymmetric_decrypt(
+        self,
+    ) -> typing.Callable[
+        [service.AsymmetricDecryptRequest],
+        typing.Union[
+            service.AsymmetricDecryptResponse,
+            typing.Awaitable[service.AsymmetricDecryptResponse],
+        ],
+    ]:
+        raise NotImplementedError()
+
+    @property
+    def update_crypto_key_primary_version(
+        self,
+    ) -> typing.Callable[
+        [service.UpdateCryptoKeyPrimaryVersionRequest],
+        typing.Union[resources.CryptoKey, typing.Awaitable[resources.CryptoKey]],
+    ]:
+        raise NotImplementedError()
+
+    @property
+    def destroy_crypto_key_version(
+        self,
+    ) -> typing.Callable[
+        [service.DestroyCryptoKeyVersionRequest],
+        typing.Union[
+            resources.CryptoKeyVersion, typing.Awaitable[resources.CryptoKeyVersion]
+        ],
+    ]:
+        raise NotImplementedError()
+
+    @property
+    def restore_crypto_key_version(
+        self,
+    ) -> typing.Callable[
+        [service.RestoreCryptoKeyVersionRequest],
+        typing.Union[
+            resources.CryptoKeyVersion, typing.Awaitable[resources.CryptoKeyVersion]
+        ],
+    ]:
+        raise NotImplementedError()
+
+    @property
+    def set_iam_policy(
+        self,
+    ) -> typing.Callable[
+        [iam_policy.SetIamPolicyRequest],
+        typing.Union[policy.Policy, typing.Awaitable[policy.Policy]],
+    ]:
+        raise NotImplementedError()
+
+    @property
+    def get_iam_policy(
+        self,
+    ) -> typing.Callable[
+        [iam_policy.GetIamPolicyRequest],
+        typing.Union[policy.Policy, typing.Awaitable[policy.Policy]],
+    ]:
+        raise NotImplementedError()
+
+    @property
+    def test_iam_permissions(
+        self,
+    ) -> typing.Callable[
+        [iam_policy.TestIamPermissionsRequest],
+        typing.Union[
+            iam_policy.TestIamPermissionsResponse,
+            typing.Awaitable[iam_policy.TestIamPermissionsResponse],
+        ],
+    ]:
+        raise NotImplementedError()
+
+
+__all__ = ("KeyManagementServiceTransport",)
diff --git a/packages/google-cloud-kms/google/cloud/kms_v1/services/key_management_service/transports/grpc.py b/packages/google-cloud-kms/google/cloud/kms_v1/services/key_management_service/transports/grpc.py
new file mode 100644
index 000000000000..f914eb776ae3
--- /dev/null
+++ b/packages/google-cloud-kms/google/cloud/kms_v1/services/key_management_service/transports/grpc.py
@@ -0,0 +1,1001 @@
+# -*- coding: utf-8 -*-
+
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+from typing import Callable, Dict, Optional, Sequence, Tuple
+
+from google.api_core import grpc_helpers  # type: ignore
+from google import auth  # type: ignore
+from google.auth import credentials  # type: ignore
+from google.auth.transport.grpc import SslCredentials  # type: ignore
+
+
+import grpc  # type: ignore
+
+from google.cloud.kms_v1.types import resources
+from google.cloud.kms_v1.types import service
+from google.iam.v1 import iam_policy_pb2 as iam_policy  # type: ignore
+from google.iam.v1 import policy_pb2 as policy  # type: ignore
+
+from .base import KeyManagementServiceTransport
+
+
+class KeyManagementServiceGrpcTransport(KeyManagementServiceTransport):
+    """gRPC backend transport for KeyManagementService.
+
+    Google Cloud Key Management Service
+
+    Manages cryptographic keys and operations using those keys.
+    Implements a REST model with the following objects:
+
+    -  [KeyRing][google.cloud.kms.v1.KeyRing]
+    -  [CryptoKey][google.cloud.kms.v1.CryptoKey]
+    -  [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+    -  [ImportJob][google.cloud.kms.v1.ImportJob]
+
+    If you are using manual gRPC libraries, see `Using gRPC with Cloud
+    KMS <https://cloud.google.com/kms/docs/grpc>`__.
+
+    This class defines the same methods as the primary client, so the
+    primary client can load the underlying transport implementation
+    and call it.
+
+    It sends protocol buffers over the wire using gRPC (which is built on
+    top of HTTP/2); the ``grpcio`` package must be installed.
+    """
+
+    _stubs: Dict[str, Callable]
+
+    def __init__(
+        self,
+        *,
+        host: str = "cloudkms.googleapis.com",
+        credentials: credentials.Credentials = None,
+        credentials_file: str = None,
+        scopes: Sequence[str] = None,
+        channel: grpc.Channel = None,
+        api_mtls_endpoint: str = None,
+        client_cert_source: Callable[[], Tuple[bytes, bytes]] = None,
+        quota_project_id: Optional[str] = None
+    ) -> None:
+        """Instantiate the transport.
+
+        Args:
+            host (Optional[str]): The hostname to connect to.
+            credentials (Optional[google.auth.credentials.Credentials]): The
+                authorization credentials to attach to requests. These
+                credentials identify the application to the service; if none
+                are specified, the client will attempt to ascertain the
+                credentials from the environment.
+                This argument is ignored if ``channel`` is provided.
+            credentials_file (Optional[str]): A file with credentials that can
+                be loaded with :func:`google.auth.load_credentials_from_file`.
+                This argument is ignored if ``channel`` is provided.
+            scopes (Optional(Sequence[str])): A list of scopes. This argument is
+                ignored if ``channel`` is provided.
+            channel (Optional[grpc.Channel]): A ``Channel`` instance through
+                which to make calls.
+            api_mtls_endpoint (Optional[str]): The mutual TLS endpoint. If
+                provided, it overrides the ``host`` argument and tries to create
+                a mutual TLS channel with client SSL credentials from
+                ``client_cert_source`` or applicatin default SSL credentials.
+            client_cert_source (Optional[Callable[[], Tuple[bytes, bytes]]]): A
+                callback to provide client SSL certificate bytes and private key
+                bytes, both in PEM format. It is ignored if ``api_mtls_endpoint``
+                is None.
+            quota_project_id (Optional[str]): An optional project to use for billing
+                and quota.
+
+        Raises:
+          google.auth.exceptions.MutualTLSChannelError: If mutual TLS transport
+              creation failed for any reason.
+          google.api_core.exceptions.DuplicateCredentialArgs: If both ``credentials``
+              and ``credentials_file`` are passed.
+        """
+        if channel:
+            # Sanity check: Ensure that channel and credentials are not both
+            # provided.
+            credentials = False
+
+            # If a channel was explicitly provided, set it.
+            self._grpc_channel = channel
+        elif api_mtls_endpoint:
+            host = (
+                api_mtls_endpoint
+                if ":" in api_mtls_endpoint
+                else api_mtls_endpoint + ":443"
+            )
+
+            if credentials is None:
+                credentials, _ = auth.default(
+                    scopes=self.AUTH_SCOPES, quota_project_id=quota_project_id
+                )
+
+            # Create SSL credentials with client_cert_source or application
+            # default SSL credentials.
+            if client_cert_source:
+                cert, key = client_cert_source()
+                ssl_credentials = grpc.ssl_channel_credentials(
+                    certificate_chain=cert, private_key=key
+                )
+            else:
+                ssl_credentials = SslCredentials().ssl_credentials
+
+            # create a new channel. The provided one is ignored.
+            self._grpc_channel = type(self).create_channel(
+                host,
+                credentials=credentials,
+                credentials_file=credentials_file,
+                ssl_credentials=ssl_credentials,
+                scopes=scopes or self.AUTH_SCOPES,
+                quota_project_id=quota_project_id,
+            )
+
+        self._stubs = {}  # type: Dict[str, Callable]
+
+        # Run the base constructor.
+        super().__init__(
+            host=host,
+            credentials=credentials,
+            credentials_file=credentials_file,
+            scopes=scopes or self.AUTH_SCOPES,
+            quota_project_id=quota_project_id,
+        )
+
+    @classmethod
+    def create_channel(
+        cls,
+        host: str = "cloudkms.googleapis.com",
+        credentials: credentials.Credentials = None,
+        credentials_file: str = None,
+        scopes: Optional[Sequence[str]] = None,
+        quota_project_id: Optional[str] = None,
+        **kwargs
+    ) -> grpc.Channel:
+        """Create and return a gRPC channel object.
+        Args:
+            address (Optionsl[str]): The host for the channel to use.
+            credentials (Optional[~.Credentials]): The
+                authorization credentials to attach to requests. These
+                credentials identify this application to the service. If
+                none are specified, the client will attempt to ascertain
+                the credentials from the environment.
+            credentials_file (Optional[str]): A file with credentials that can
+                be loaded with :func:`google.auth.load_credentials_from_file`.
+                This argument is mutually exclusive with credentials.
+            scopes (Optional[Sequence[str]]): A optional list of scopes needed for this
+                service. These are only used when credentials are not specified and
+                are passed to :func:`google.auth.default`.
+            quota_project_id (Optional[str]): An optional project to use for billing
+                and quota.
+            kwargs (Optional[dict]): Keyword arguments, which are passed to the
+                channel creation.
+        Returns:
+            grpc.Channel: A gRPC channel object.
+
+        Raises:
+            google.api_core.exceptions.DuplicateCredentialArgs: If both ``credentials``
+              and ``credentials_file`` are passed.
+        """
+        scopes = scopes or cls.AUTH_SCOPES
+        return grpc_helpers.create_channel(
+            host,
+            credentials=credentials,
+            credentials_file=credentials_file,
+            scopes=scopes,
+            quota_project_id=quota_project_id,
+            **kwargs
+        )
+
+    @property
+    def grpc_channel(self) -> grpc.Channel:
+        """Create the channel designed to connect to this service.
+
+        This property caches on the instance; repeated calls return
+        the same channel.
+        """
+        # Sanity check: Only create a new channel if we do not already
+        # have one.
+        if not hasattr(self, "_grpc_channel"):
+            self._grpc_channel = self.create_channel(
+                self._host, credentials=self._credentials,
+            )
+
+        # Return the channel from cache.
+        return self._grpc_channel
+
+    @property
+    def list_key_rings(
+        self,
+    ) -> Callable[[service.ListKeyRingsRequest], service.ListKeyRingsResponse]:
+        r"""Return a callable for the list key rings method over gRPC.
+
+        Lists [KeyRings][google.cloud.kms.v1.KeyRing].
+
+        Returns:
+            Callable[[~.ListKeyRingsRequest],
+                    ~.ListKeyRingsResponse]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "list_key_rings" not in self._stubs:
+            self._stubs["list_key_rings"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/ListKeyRings",
+                request_serializer=service.ListKeyRingsRequest.serialize,
+                response_deserializer=service.ListKeyRingsResponse.deserialize,
+            )
+        return self._stubs["list_key_rings"]
+
+    @property
+    def list_crypto_keys(
+        self,
+    ) -> Callable[[service.ListCryptoKeysRequest], service.ListCryptoKeysResponse]:
+        r"""Return a callable for the list crypto keys method over gRPC.
+
+        Lists [CryptoKeys][google.cloud.kms.v1.CryptoKey].
+
+        Returns:
+            Callable[[~.ListCryptoKeysRequest],
+                    ~.ListCryptoKeysResponse]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "list_crypto_keys" not in self._stubs:
+            self._stubs["list_crypto_keys"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/ListCryptoKeys",
+                request_serializer=service.ListCryptoKeysRequest.serialize,
+                response_deserializer=service.ListCryptoKeysResponse.deserialize,
+            )
+        return self._stubs["list_crypto_keys"]
+
+    @property
+    def list_crypto_key_versions(
+        self,
+    ) -> Callable[
+        [service.ListCryptoKeyVersionsRequest], service.ListCryptoKeyVersionsResponse
+    ]:
+        r"""Return a callable for the list crypto key versions method over gRPC.
+
+        Lists [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
+
+        Returns:
+            Callable[[~.ListCryptoKeyVersionsRequest],
+                    ~.ListCryptoKeyVersionsResponse]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "list_crypto_key_versions" not in self._stubs:
+            self._stubs["list_crypto_key_versions"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/ListCryptoKeyVersions",
+                request_serializer=service.ListCryptoKeyVersionsRequest.serialize,
+                response_deserializer=service.ListCryptoKeyVersionsResponse.deserialize,
+            )
+        return self._stubs["list_crypto_key_versions"]
+
+    @property
+    def list_import_jobs(
+        self,
+    ) -> Callable[[service.ListImportJobsRequest], service.ListImportJobsResponse]:
+        r"""Return a callable for the list import jobs method over gRPC.
+
+        Lists [ImportJobs][google.cloud.kms.v1.ImportJob].
+
+        Returns:
+            Callable[[~.ListImportJobsRequest],
+                    ~.ListImportJobsResponse]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "list_import_jobs" not in self._stubs:
+            self._stubs["list_import_jobs"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/ListImportJobs",
+                request_serializer=service.ListImportJobsRequest.serialize,
+                response_deserializer=service.ListImportJobsResponse.deserialize,
+            )
+        return self._stubs["list_import_jobs"]
+
+    @property
+    def get_key_ring(self) -> Callable[[service.GetKeyRingRequest], resources.KeyRing]:
+        r"""Return a callable for the get key ring method over gRPC.
+
+        Returns metadata for a given
+        [KeyRing][google.cloud.kms.v1.KeyRing].
+
+        Returns:
+            Callable[[~.GetKeyRingRequest],
+                    ~.KeyRing]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "get_key_ring" not in self._stubs:
+            self._stubs["get_key_ring"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/GetKeyRing",
+                request_serializer=service.GetKeyRingRequest.serialize,
+                response_deserializer=resources.KeyRing.deserialize,
+            )
+        return self._stubs["get_key_ring"]
+
+    @property
+    def get_crypto_key(
+        self,
+    ) -> Callable[[service.GetCryptoKeyRequest], resources.CryptoKey]:
+        r"""Return a callable for the get crypto key method over gRPC.
+
+        Returns metadata for a given
+        [CryptoKey][google.cloud.kms.v1.CryptoKey], as well as its
+        [primary][google.cloud.kms.v1.CryptoKey.primary]
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
+
+        Returns:
+            Callable[[~.GetCryptoKeyRequest],
+                    ~.CryptoKey]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "get_crypto_key" not in self._stubs:
+            self._stubs["get_crypto_key"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/GetCryptoKey",
+                request_serializer=service.GetCryptoKeyRequest.serialize,
+                response_deserializer=resources.CryptoKey.deserialize,
+            )
+        return self._stubs["get_crypto_key"]
+
+    @property
+    def get_crypto_key_version(
+        self,
+    ) -> Callable[[service.GetCryptoKeyVersionRequest], resources.CryptoKeyVersion]:
+        r"""Return a callable for the get crypto key version method over gRPC.
+
+        Returns metadata for a given
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
+
+        Returns:
+            Callable[[~.GetCryptoKeyVersionRequest],
+                    ~.CryptoKeyVersion]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "get_crypto_key_version" not in self._stubs:
+            self._stubs["get_crypto_key_version"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/GetCryptoKeyVersion",
+                request_serializer=service.GetCryptoKeyVersionRequest.serialize,
+                response_deserializer=resources.CryptoKeyVersion.deserialize,
+            )
+        return self._stubs["get_crypto_key_version"]
+
+    @property
+    def get_public_key(
+        self,
+    ) -> Callable[[service.GetPublicKeyRequest], resources.PublicKey]:
+        r"""Return a callable for the get public key method over gRPC.
+
+        Returns the public key for the given
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. The
+        [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must
+        be
+        [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN]
+        or
+        [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT].
+
+        Returns:
+            Callable[[~.GetPublicKeyRequest],
+                    ~.PublicKey]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "get_public_key" not in self._stubs:
+            self._stubs["get_public_key"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/GetPublicKey",
+                request_serializer=service.GetPublicKeyRequest.serialize,
+                response_deserializer=resources.PublicKey.deserialize,
+            )
+        return self._stubs["get_public_key"]
+
+    @property
+    def get_import_job(
+        self,
+    ) -> Callable[[service.GetImportJobRequest], resources.ImportJob]:
+        r"""Return a callable for the get import job method over gRPC.
+
+        Returns metadata for a given
+        [ImportJob][google.cloud.kms.v1.ImportJob].
+
+        Returns:
+            Callable[[~.GetImportJobRequest],
+                    ~.ImportJob]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "get_import_job" not in self._stubs:
+            self._stubs["get_import_job"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/GetImportJob",
+                request_serializer=service.GetImportJobRequest.serialize,
+                response_deserializer=resources.ImportJob.deserialize,
+            )
+        return self._stubs["get_import_job"]
+
+    @property
+    def create_key_ring(
+        self,
+    ) -> Callable[[service.CreateKeyRingRequest], resources.KeyRing]:
+        r"""Return a callable for the create key ring method over gRPC.
+
+        Create a new [KeyRing][google.cloud.kms.v1.KeyRing] in a given
+        Project and Location.
+
+        Returns:
+            Callable[[~.CreateKeyRingRequest],
+                    ~.KeyRing]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "create_key_ring" not in self._stubs:
+            self._stubs["create_key_ring"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/CreateKeyRing",
+                request_serializer=service.CreateKeyRingRequest.serialize,
+                response_deserializer=resources.KeyRing.deserialize,
+            )
+        return self._stubs["create_key_ring"]
+
+    @property
+    def create_crypto_key(
+        self,
+    ) -> Callable[[service.CreateCryptoKeyRequest], resources.CryptoKey]:
+        r"""Return a callable for the create crypto key method over gRPC.
+
+        Create a new [CryptoKey][google.cloud.kms.v1.CryptoKey] within a
+        [KeyRing][google.cloud.kms.v1.KeyRing].
+
+        [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] and
+        [CryptoKey.version_template.algorithm][google.cloud.kms.v1.CryptoKeyVersionTemplate.algorithm]
+        are required.
+
+        Returns:
+            Callable[[~.CreateCryptoKeyRequest],
+                    ~.CryptoKey]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "create_crypto_key" not in self._stubs:
+            self._stubs["create_crypto_key"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/CreateCryptoKey",
+                request_serializer=service.CreateCryptoKeyRequest.serialize,
+                response_deserializer=resources.CryptoKey.deserialize,
+            )
+        return self._stubs["create_crypto_key"]
+
+    @property
+    def create_crypto_key_version(
+        self,
+    ) -> Callable[[service.CreateCryptoKeyVersionRequest], resources.CryptoKeyVersion]:
+        r"""Return a callable for the create crypto key version method over gRPC.
+
+        Create a new
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in a
+        [CryptoKey][google.cloud.kms.v1.CryptoKey].
+
+        The server will assign the next sequential id. If unset,
+        [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set
+        to
+        [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED].
+
+        Returns:
+            Callable[[~.CreateCryptoKeyVersionRequest],
+                    ~.CryptoKeyVersion]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "create_crypto_key_version" not in self._stubs:
+            self._stubs["create_crypto_key_version"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/CreateCryptoKeyVersion",
+                request_serializer=service.CreateCryptoKeyVersionRequest.serialize,
+                response_deserializer=resources.CryptoKeyVersion.deserialize,
+            )
+        return self._stubs["create_crypto_key_version"]
+
+    @property
+    def import_crypto_key_version(
+        self,
+    ) -> Callable[[service.ImportCryptoKeyVersionRequest], resources.CryptoKeyVersion]:
+        r"""Return a callable for the import crypto key version method over gRPC.
+
+        Imports a new
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] into an
+        existing [CryptoKey][google.cloud.kms.v1.CryptoKey] using the
+        wrapped key material provided in the request.
+
+        The version ID will be assigned the next sequential id within
+        the [CryptoKey][google.cloud.kms.v1.CryptoKey].
+
+        Returns:
+            Callable[[~.ImportCryptoKeyVersionRequest],
+                    ~.CryptoKeyVersion]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "import_crypto_key_version" not in self._stubs:
+            self._stubs["import_crypto_key_version"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/ImportCryptoKeyVersion",
+                request_serializer=service.ImportCryptoKeyVersionRequest.serialize,
+                response_deserializer=resources.CryptoKeyVersion.deserialize,
+            )
+        return self._stubs["import_crypto_key_version"]
+
+    @property
+    def create_import_job(
+        self,
+    ) -> Callable[[service.CreateImportJobRequest], resources.ImportJob]:
+        r"""Return a callable for the create import job method over gRPC.
+
+        Create a new [ImportJob][google.cloud.kms.v1.ImportJob] within a
+        [KeyRing][google.cloud.kms.v1.KeyRing].
+
+        [ImportJob.import_method][google.cloud.kms.v1.ImportJob.import_method]
+        is required.
+
+        Returns:
+            Callable[[~.CreateImportJobRequest],
+                    ~.ImportJob]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "create_import_job" not in self._stubs:
+            self._stubs["create_import_job"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/CreateImportJob",
+                request_serializer=service.CreateImportJobRequest.serialize,
+                response_deserializer=resources.ImportJob.deserialize,
+            )
+        return self._stubs["create_import_job"]
+
+    @property
+    def update_crypto_key(
+        self,
+    ) -> Callable[[service.UpdateCryptoKeyRequest], resources.CryptoKey]:
+        r"""Return a callable for the update crypto key method over gRPC.
+
+        Update a [CryptoKey][google.cloud.kms.v1.CryptoKey].
+
+        Returns:
+            Callable[[~.UpdateCryptoKeyRequest],
+                    ~.CryptoKey]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "update_crypto_key" not in self._stubs:
+            self._stubs["update_crypto_key"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/UpdateCryptoKey",
+                request_serializer=service.UpdateCryptoKeyRequest.serialize,
+                response_deserializer=resources.CryptoKey.deserialize,
+            )
+        return self._stubs["update_crypto_key"]
+
+    @property
+    def update_crypto_key_version(
+        self,
+    ) -> Callable[[service.UpdateCryptoKeyVersionRequest], resources.CryptoKeyVersion]:
+        r"""Return a callable for the update crypto key version method over gRPC.
+
+        Update a
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s
+        metadata.
+
+        [state][google.cloud.kms.v1.CryptoKeyVersion.state] may be
+        changed between
+        [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
+        and
+        [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED]
+        using this method. See
+        [DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion]
+        and
+        [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]
+        to move between other states.
+
+        Returns:
+            Callable[[~.UpdateCryptoKeyVersionRequest],
+                    ~.CryptoKeyVersion]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "update_crypto_key_version" not in self._stubs:
+            self._stubs["update_crypto_key_version"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/UpdateCryptoKeyVersion",
+                request_serializer=service.UpdateCryptoKeyVersionRequest.serialize,
+                response_deserializer=resources.CryptoKeyVersion.deserialize,
+            )
+        return self._stubs["update_crypto_key_version"]
+
+    @property
+    def encrypt(self) -> Callable[[service.EncryptRequest], service.EncryptResponse]:
+        r"""Return a callable for the encrypt method over gRPC.
+
+        Encrypts data, so that it can only be recovered by a call to
+        [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt]. The
+        [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must
+        be
+        [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
+
+        Returns:
+            Callable[[~.EncryptRequest],
+                    ~.EncryptResponse]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "encrypt" not in self._stubs:
+            self._stubs["encrypt"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/Encrypt",
+                request_serializer=service.EncryptRequest.serialize,
+                response_deserializer=service.EncryptResponse.deserialize,
+            )
+        return self._stubs["encrypt"]
+
+    @property
+    def decrypt(self) -> Callable[[service.DecryptRequest], service.DecryptResponse]:
+        r"""Return a callable for the decrypt method over gRPC.
+
+        Decrypts data that was protected by
+        [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. The
+        [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must
+        be
+        [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
+
+        Returns:
+            Callable[[~.DecryptRequest],
+                    ~.DecryptResponse]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "decrypt" not in self._stubs:
+            self._stubs["decrypt"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/Decrypt",
+                request_serializer=service.DecryptRequest.serialize,
+                response_deserializer=service.DecryptResponse.deserialize,
+            )
+        return self._stubs["decrypt"]
+
+    @property
+    def asymmetric_sign(
+        self,
+    ) -> Callable[[service.AsymmetricSignRequest], service.AsymmetricSignResponse]:
+        r"""Return a callable for the asymmetric sign method over gRPC.
+
+        Signs data using a
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
+        [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
+        ASYMMETRIC_SIGN, producing a signature that can be verified with
+        the public key retrieved from
+        [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
+
+        Returns:
+            Callable[[~.AsymmetricSignRequest],
+                    ~.AsymmetricSignResponse]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "asymmetric_sign" not in self._stubs:
+            self._stubs["asymmetric_sign"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/AsymmetricSign",
+                request_serializer=service.AsymmetricSignRequest.serialize,
+                response_deserializer=service.AsymmetricSignResponse.deserialize,
+            )
+        return self._stubs["asymmetric_sign"]
+
+    @property
+    def asymmetric_decrypt(
+        self,
+    ) -> Callable[
+        [service.AsymmetricDecryptRequest], service.AsymmetricDecryptResponse
+    ]:
+        r"""Return a callable for the asymmetric decrypt method over gRPC.
+
+        Decrypts data that was encrypted with a public key retrieved
+        from
+        [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey]
+        corresponding to a
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
+        [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
+        ASYMMETRIC_DECRYPT.
+
+        Returns:
+            Callable[[~.AsymmetricDecryptRequest],
+                    ~.AsymmetricDecryptResponse]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "asymmetric_decrypt" not in self._stubs:
+            self._stubs["asymmetric_decrypt"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/AsymmetricDecrypt",
+                request_serializer=service.AsymmetricDecryptRequest.serialize,
+                response_deserializer=service.AsymmetricDecryptResponse.deserialize,
+            )
+        return self._stubs["asymmetric_decrypt"]
+
+    @property
+    def update_crypto_key_primary_version(
+        self,
+    ) -> Callable[[service.UpdateCryptoKeyPrimaryVersionRequest], resources.CryptoKey]:
+        r"""Return a callable for the update crypto key primary
+        version method over gRPC.
+
+        Update the version of a
+        [CryptoKey][google.cloud.kms.v1.CryptoKey] that will be used in
+        [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
+
+        Returns an error if called on an asymmetric key.
+
+        Returns:
+            Callable[[~.UpdateCryptoKeyPrimaryVersionRequest],
+                    ~.CryptoKey]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "update_crypto_key_primary_version" not in self._stubs:
+            self._stubs[
+                "update_crypto_key_primary_version"
+            ] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/UpdateCryptoKeyPrimaryVersion",
+                request_serializer=service.UpdateCryptoKeyPrimaryVersionRequest.serialize,
+                response_deserializer=resources.CryptoKey.deserialize,
+            )
+        return self._stubs["update_crypto_key_primary_version"]
+
+    @property
+    def destroy_crypto_key_version(
+        self,
+    ) -> Callable[[service.DestroyCryptoKeyVersionRequest], resources.CryptoKeyVersion]:
+        r"""Return a callable for the destroy crypto key version method over gRPC.
+
+        Schedule a
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] for
+        destruction.
+
+        Upon calling this method,
+        [CryptoKeyVersion.state][google.cloud.kms.v1.CryptoKeyVersion.state]
+        will be set to
+        [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED]
+        and
+        [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time]
+        will be set to a time 24 hours in the future, at which point the
+        [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be
+        changed to
+        [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED],
+        and the key material will be irrevocably destroyed.
+
+        Before the
+        [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time]
+        is reached,
+        [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]
+        may be called to reverse the process.
+
+        Returns:
+            Callable[[~.DestroyCryptoKeyVersionRequest],
+                    ~.CryptoKeyVersion]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "destroy_crypto_key_version" not in self._stubs:
+            self._stubs["destroy_crypto_key_version"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/DestroyCryptoKeyVersion",
+                request_serializer=service.DestroyCryptoKeyVersionRequest.serialize,
+                response_deserializer=resources.CryptoKeyVersion.deserialize,
+            )
+        return self._stubs["destroy_crypto_key_version"]
+
+    @property
+    def restore_crypto_key_version(
+        self,
+    ) -> Callable[[service.RestoreCryptoKeyVersionRequest], resources.CryptoKeyVersion]:
+        r"""Return a callable for the restore crypto key version method over gRPC.
+
+        Restore a
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the
+        [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED]
+        state.
+
+        Upon restoration of the CryptoKeyVersion,
+        [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set
+        to
+        [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED],
+        and
+        [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time]
+        will be cleared.
+
+        Returns:
+            Callable[[~.RestoreCryptoKeyVersionRequest],
+                    ~.CryptoKeyVersion]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "restore_crypto_key_version" not in self._stubs:
+            self._stubs["restore_crypto_key_version"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/RestoreCryptoKeyVersion",
+                request_serializer=service.RestoreCryptoKeyVersionRequest.serialize,
+                response_deserializer=resources.CryptoKeyVersion.deserialize,
+            )
+        return self._stubs["restore_crypto_key_version"]
+
+    @property
+    def set_iam_policy(
+        self,
+    ) -> Callable[[iam_policy.SetIamPolicyRequest], policy.Policy]:
+        r"""Return a callable for the set iam policy method over gRPC.
+        Sets the IAM access control policy on the specified
+        function. Replaces any existing policy.
+        Returns:
+            Callable[[~.SetIamPolicyRequest],
+                    ~.Policy]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "set_iam_policy" not in self._stubs:
+            self._stubs["set_iam_policy"] = self.grpc_channel.unary_unary(
+                "/google.iam.v1.IAMPolicy/SetIamPolicy",
+                request_serializer=iam_policy.SetIamPolicyRequest.SerializeToString,
+                response_deserializer=policy.Policy.FromString,
+            )
+        return self._stubs["set_iam_policy"]
+
+    @property
+    def get_iam_policy(
+        self,
+    ) -> Callable[[iam_policy.GetIamPolicyRequest], policy.Policy]:
+        r"""Return a callable for the get iam policy method over gRPC.
+        Gets the IAM access control policy for a function.
+        Returns an empty policy if the function exists and does
+        not have a policy set.
+        Returns:
+            Callable[[~.GetIamPolicyRequest],
+                    ~.Policy]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "get_iam_policy" not in self._stubs:
+            self._stubs["get_iam_policy"] = self.grpc_channel.unary_unary(
+                "/google.iam.v1.IAMPolicy/GetIamPolicy",
+                request_serializer=iam_policy.GetIamPolicyRequest.SerializeToString,
+                response_deserializer=policy.Policy.FromString,
+            )
+        return self._stubs["get_iam_policy"]
+
+    @property
+    def test_iam_permissions(
+        self,
+    ) -> Callable[
+        [iam_policy.TestIamPermissionsRequest], iam_policy.TestIamPermissionsResponse
+    ]:
+        r"""Return a callable for the test iam permissions method over gRPC.
+        Tests the specified permissions against the IAM access control
+        policy for a function. If the function does not exist, this will
+        return an empty set of permissions, not a NOT_FOUND error.
+        Returns:
+            Callable[[~.TestIamPermissionsRequest],
+                    ~.TestIamPermissionsResponse]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "test_iam_permissions" not in self._stubs:
+            self._stubs["test_iam_permissions"] = self.grpc_channel.unary_unary(
+                "/google.iam.v1.IAMPolicy/TestIamPermissions",
+                request_serializer=iam_policy.TestIamPermissionsRequest.SerializeToString,
+                response_deserializer=iam_policy.TestIamPermissionsResponse.FromString,
+            )
+        return self._stubs["test_iam_permissions"]
+
+
+__all__ = ("KeyManagementServiceGrpcTransport",)
diff --git a/packages/google-cloud-kms/google/cloud/kms_v1/services/key_management_service/transports/grpc_asyncio.py b/packages/google-cloud-kms/google/cloud/kms_v1/services/key_management_service/transports/grpc_asyncio.py
new file mode 100644
index 000000000000..05fb9b49ec84
--- /dev/null
+++ b/packages/google-cloud-kms/google/cloud/kms_v1/services/key_management_service/transports/grpc_asyncio.py
@@ -0,0 +1,1024 @@
+# -*- coding: utf-8 -*-
+
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+from typing import Awaitable, Callable, Dict, Optional, Sequence, Tuple
+
+from google.api_core import grpc_helpers_async  # type: ignore
+from google.auth import credentials  # type: ignore
+from google.auth.transport.grpc import SslCredentials  # type: ignore
+
+import grpc  # type: ignore
+from grpc.experimental import aio  # type: ignore
+
+from google.cloud.kms_v1.types import resources
+from google.cloud.kms_v1.types import service
+from google.iam.v1 import iam_policy_pb2 as iam_policy  # type: ignore
+from google.iam.v1 import policy_pb2 as policy  # type: ignore
+
+from .base import KeyManagementServiceTransport
+from .grpc import KeyManagementServiceGrpcTransport
+
+
+class KeyManagementServiceGrpcAsyncIOTransport(KeyManagementServiceTransport):
+    """gRPC AsyncIO backend transport for KeyManagementService.
+
+    Google Cloud Key Management Service
+
+    Manages cryptographic keys and operations using those keys.
+    Implements a REST model with the following objects:
+
+    -  [KeyRing][google.cloud.kms.v1.KeyRing]
+    -  [CryptoKey][google.cloud.kms.v1.CryptoKey]
+    -  [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+    -  [ImportJob][google.cloud.kms.v1.ImportJob]
+
+    If you are using manual gRPC libraries, see `Using gRPC with Cloud
+    KMS <https://cloud.google.com/kms/docs/grpc>`__.
+
+    This class defines the same methods as the primary client, so the
+    primary client can load the underlying transport implementation
+    and call it.
+
+    It sends protocol buffers over the wire using gRPC (which is built on
+    top of HTTP/2); the ``grpcio`` package must be installed.
+    """
+
+    _grpc_channel: aio.Channel
+    _stubs: Dict[str, Callable] = {}
+
+    @classmethod
+    def create_channel(
+        cls,
+        host: str = "cloudkms.googleapis.com",
+        credentials: credentials.Credentials = None,
+        credentials_file: Optional[str] = None,
+        scopes: Optional[Sequence[str]] = None,
+        quota_project_id: Optional[str] = None,
+        **kwargs,
+    ) -> aio.Channel:
+        """Create and return a gRPC AsyncIO channel object.
+        Args:
+            address (Optional[str]): The host for the channel to use.
+            credentials (Optional[~.Credentials]): The
+                authorization credentials to attach to requests. These
+                credentials identify this application to the service. If
+                none are specified, the client will attempt to ascertain
+                the credentials from the environment.
+            credentials_file (Optional[str]): A file with credentials that can
+                be loaded with :func:`google.auth.load_credentials_from_file`.
+                This argument is ignored if ``channel`` is provided.
+            scopes (Optional[Sequence[str]]): A optional list of scopes needed for this
+                service. These are only used when credentials are not specified and
+                are passed to :func:`google.auth.default`.
+            quota_project_id (Optional[str]): An optional project to use for billing
+                and quota.
+            kwargs (Optional[dict]): Keyword arguments, which are passed to the
+                channel creation.
+        Returns:
+            aio.Channel: A gRPC AsyncIO channel object.
+        """
+        scopes = scopes or cls.AUTH_SCOPES
+        return grpc_helpers_async.create_channel(
+            host,
+            credentials=credentials,
+            credentials_file=credentials_file,
+            scopes=scopes,
+            quota_project_id=quota_project_id,
+            **kwargs,
+        )
+
+    def __init__(
+        self,
+        *,
+        host: str = "cloudkms.googleapis.com",
+        credentials: credentials.Credentials = None,
+        credentials_file: Optional[str] = None,
+        scopes: Optional[Sequence[str]] = None,
+        channel: aio.Channel = None,
+        api_mtls_endpoint: str = None,
+        client_cert_source: Callable[[], Tuple[bytes, bytes]] = None,
+        quota_project_id=None,
+    ) -> None:
+        """Instantiate the transport.
+
+        Args:
+            host (Optional[str]): The hostname to connect to.
+            credentials (Optional[google.auth.credentials.Credentials]): The
+                authorization credentials to attach to requests. These
+                credentials identify the application to the service; if none
+                are specified, the client will attempt to ascertain the
+                credentials from the environment.
+                This argument is ignored if ``channel`` is provided.
+            credentials_file (Optional[str]): A file with credentials that can
+                be loaded with :func:`google.auth.load_credentials_from_file`.
+                This argument is ignored if ``channel`` is provided.
+            scopes (Optional[Sequence[str]]): A optional list of scopes needed for this
+                service. These are only used when credentials are not specified and
+                are passed to :func:`google.auth.default`.
+            channel (Optional[aio.Channel]): A ``Channel`` instance through
+                which to make calls.
+            api_mtls_endpoint (Optional[str]): The mutual TLS endpoint. If
+                provided, it overrides the ``host`` argument and tries to create
+                a mutual TLS channel with client SSL credentials from
+                ``client_cert_source`` or applicatin default SSL credentials.
+            client_cert_source (Optional[Callable[[], Tuple[bytes, bytes]]]): A
+                callback to provide client SSL certificate bytes and private key
+                bytes, both in PEM format. It is ignored if ``api_mtls_endpoint``
+                is None.
+            quota_project_id (Optional[str]): An optional project to use for billing
+                and quota.
+
+        Raises:
+            google.auth.exceptions.MutualTlsChannelError: If mutual TLS transport
+              creation failed for any reason.
+          google.api_core.exceptions.DuplicateCredentialArgs: If both ``credentials``
+              and ``credentials_file`` are passed.
+        """
+        if channel:
+            # Sanity check: Ensure that channel and credentials are not both
+            # provided.
+            credentials = False
+
+            # If a channel was explicitly provided, set it.
+            self._grpc_channel = channel
+        elif api_mtls_endpoint:
+            host = (
+                api_mtls_endpoint
+                if ":" in api_mtls_endpoint
+                else api_mtls_endpoint + ":443"
+            )
+
+            # Create SSL credentials with client_cert_source or application
+            # default SSL credentials.
+            if client_cert_source:
+                cert, key = client_cert_source()
+                ssl_credentials = grpc.ssl_channel_credentials(
+                    certificate_chain=cert, private_key=key
+                )
+            else:
+                ssl_credentials = SslCredentials().ssl_credentials
+
+            # create a new channel. The provided one is ignored.
+            self._grpc_channel = type(self).create_channel(
+                host,
+                credentials=credentials,
+                credentials_file=credentials_file,
+                ssl_credentials=ssl_credentials,
+                scopes=scopes or self.AUTH_SCOPES,
+                quota_project_id=quota_project_id,
+            )
+
+        # Run the base constructor.
+        super().__init__(
+            host=host,
+            credentials=credentials,
+            credentials_file=credentials_file,
+            scopes=scopes or self.AUTH_SCOPES,
+            quota_project_id=quota_project_id,
+        )
+
+        self._stubs = {}
+
+    @property
+    def grpc_channel(self) -> aio.Channel:
+        """Create the channel designed to connect to this service.
+
+        This property caches on the instance; repeated calls return
+        the same channel.
+        """
+        # Sanity check: Only create a new channel if we do not already
+        # have one.
+        if not hasattr(self, "_grpc_channel"):
+            self._grpc_channel = self.create_channel(
+                self._host, credentials=self._credentials,
+            )
+
+        # Return the channel from cache.
+        return self._grpc_channel
+
+    @property
+    def list_key_rings(
+        self,
+    ) -> Callable[
+        [service.ListKeyRingsRequest], Awaitable[service.ListKeyRingsResponse]
+    ]:
+        r"""Return a callable for the list key rings method over gRPC.
+
+        Lists [KeyRings][google.cloud.kms.v1.KeyRing].
+
+        Returns:
+            Callable[[~.ListKeyRingsRequest],
+                    Awaitable[~.ListKeyRingsResponse]]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "list_key_rings" not in self._stubs:
+            self._stubs["list_key_rings"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/ListKeyRings",
+                request_serializer=service.ListKeyRingsRequest.serialize,
+                response_deserializer=service.ListKeyRingsResponse.deserialize,
+            )
+        return self._stubs["list_key_rings"]
+
+    @property
+    def list_crypto_keys(
+        self,
+    ) -> Callable[
+        [service.ListCryptoKeysRequest], Awaitable[service.ListCryptoKeysResponse]
+    ]:
+        r"""Return a callable for the list crypto keys method over gRPC.
+
+        Lists [CryptoKeys][google.cloud.kms.v1.CryptoKey].
+
+        Returns:
+            Callable[[~.ListCryptoKeysRequest],
+                    Awaitable[~.ListCryptoKeysResponse]]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "list_crypto_keys" not in self._stubs:
+            self._stubs["list_crypto_keys"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/ListCryptoKeys",
+                request_serializer=service.ListCryptoKeysRequest.serialize,
+                response_deserializer=service.ListCryptoKeysResponse.deserialize,
+            )
+        return self._stubs["list_crypto_keys"]
+
+    @property
+    def list_crypto_key_versions(
+        self,
+    ) -> Callable[
+        [service.ListCryptoKeyVersionsRequest],
+        Awaitable[service.ListCryptoKeyVersionsResponse],
+    ]:
+        r"""Return a callable for the list crypto key versions method over gRPC.
+
+        Lists [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
+
+        Returns:
+            Callable[[~.ListCryptoKeyVersionsRequest],
+                    Awaitable[~.ListCryptoKeyVersionsResponse]]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "list_crypto_key_versions" not in self._stubs:
+            self._stubs["list_crypto_key_versions"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/ListCryptoKeyVersions",
+                request_serializer=service.ListCryptoKeyVersionsRequest.serialize,
+                response_deserializer=service.ListCryptoKeyVersionsResponse.deserialize,
+            )
+        return self._stubs["list_crypto_key_versions"]
+
+    @property
+    def list_import_jobs(
+        self,
+    ) -> Callable[
+        [service.ListImportJobsRequest], Awaitable[service.ListImportJobsResponse]
+    ]:
+        r"""Return a callable for the list import jobs method over gRPC.
+
+        Lists [ImportJobs][google.cloud.kms.v1.ImportJob].
+
+        Returns:
+            Callable[[~.ListImportJobsRequest],
+                    Awaitable[~.ListImportJobsResponse]]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "list_import_jobs" not in self._stubs:
+            self._stubs["list_import_jobs"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/ListImportJobs",
+                request_serializer=service.ListImportJobsRequest.serialize,
+                response_deserializer=service.ListImportJobsResponse.deserialize,
+            )
+        return self._stubs["list_import_jobs"]
+
+    @property
+    def get_key_ring(
+        self,
+    ) -> Callable[[service.GetKeyRingRequest], Awaitable[resources.KeyRing]]:
+        r"""Return a callable for the get key ring method over gRPC.
+
+        Returns metadata for a given
+        [KeyRing][google.cloud.kms.v1.KeyRing].
+
+        Returns:
+            Callable[[~.GetKeyRingRequest],
+                    Awaitable[~.KeyRing]]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "get_key_ring" not in self._stubs:
+            self._stubs["get_key_ring"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/GetKeyRing",
+                request_serializer=service.GetKeyRingRequest.serialize,
+                response_deserializer=resources.KeyRing.deserialize,
+            )
+        return self._stubs["get_key_ring"]
+
+    @property
+    def get_crypto_key(
+        self,
+    ) -> Callable[[service.GetCryptoKeyRequest], Awaitable[resources.CryptoKey]]:
+        r"""Return a callable for the get crypto key method over gRPC.
+
+        Returns metadata for a given
+        [CryptoKey][google.cloud.kms.v1.CryptoKey], as well as its
+        [primary][google.cloud.kms.v1.CryptoKey.primary]
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
+
+        Returns:
+            Callable[[~.GetCryptoKeyRequest],
+                    Awaitable[~.CryptoKey]]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "get_crypto_key" not in self._stubs:
+            self._stubs["get_crypto_key"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/GetCryptoKey",
+                request_serializer=service.GetCryptoKeyRequest.serialize,
+                response_deserializer=resources.CryptoKey.deserialize,
+            )
+        return self._stubs["get_crypto_key"]
+
+    @property
+    def get_crypto_key_version(
+        self,
+    ) -> Callable[
+        [service.GetCryptoKeyVersionRequest], Awaitable[resources.CryptoKeyVersion]
+    ]:
+        r"""Return a callable for the get crypto key version method over gRPC.
+
+        Returns metadata for a given
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
+
+        Returns:
+            Callable[[~.GetCryptoKeyVersionRequest],
+                    Awaitable[~.CryptoKeyVersion]]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "get_crypto_key_version" not in self._stubs:
+            self._stubs["get_crypto_key_version"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/GetCryptoKeyVersion",
+                request_serializer=service.GetCryptoKeyVersionRequest.serialize,
+                response_deserializer=resources.CryptoKeyVersion.deserialize,
+            )
+        return self._stubs["get_crypto_key_version"]
+
+    @property
+    def get_public_key(
+        self,
+    ) -> Callable[[service.GetPublicKeyRequest], Awaitable[resources.PublicKey]]:
+        r"""Return a callable for the get public key method over gRPC.
+
+        Returns the public key for the given
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. The
+        [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must
+        be
+        [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN]
+        or
+        [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT].
+
+        Returns:
+            Callable[[~.GetPublicKeyRequest],
+                    Awaitable[~.PublicKey]]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "get_public_key" not in self._stubs:
+            self._stubs["get_public_key"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/GetPublicKey",
+                request_serializer=service.GetPublicKeyRequest.serialize,
+                response_deserializer=resources.PublicKey.deserialize,
+            )
+        return self._stubs["get_public_key"]
+
+    @property
+    def get_import_job(
+        self,
+    ) -> Callable[[service.GetImportJobRequest], Awaitable[resources.ImportJob]]:
+        r"""Return a callable for the get import job method over gRPC.
+
+        Returns metadata for a given
+        [ImportJob][google.cloud.kms.v1.ImportJob].
+
+        Returns:
+            Callable[[~.GetImportJobRequest],
+                    Awaitable[~.ImportJob]]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "get_import_job" not in self._stubs:
+            self._stubs["get_import_job"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/GetImportJob",
+                request_serializer=service.GetImportJobRequest.serialize,
+                response_deserializer=resources.ImportJob.deserialize,
+            )
+        return self._stubs["get_import_job"]
+
+    @property
+    def create_key_ring(
+        self,
+    ) -> Callable[[service.CreateKeyRingRequest], Awaitable[resources.KeyRing]]:
+        r"""Return a callable for the create key ring method over gRPC.
+
+        Create a new [KeyRing][google.cloud.kms.v1.KeyRing] in a given
+        Project and Location.
+
+        Returns:
+            Callable[[~.CreateKeyRingRequest],
+                    Awaitable[~.KeyRing]]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "create_key_ring" not in self._stubs:
+            self._stubs["create_key_ring"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/CreateKeyRing",
+                request_serializer=service.CreateKeyRingRequest.serialize,
+                response_deserializer=resources.KeyRing.deserialize,
+            )
+        return self._stubs["create_key_ring"]
+
+    @property
+    def create_crypto_key(
+        self,
+    ) -> Callable[[service.CreateCryptoKeyRequest], Awaitable[resources.CryptoKey]]:
+        r"""Return a callable for the create crypto key method over gRPC.
+
+        Create a new [CryptoKey][google.cloud.kms.v1.CryptoKey] within a
+        [KeyRing][google.cloud.kms.v1.KeyRing].
+
+        [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] and
+        [CryptoKey.version_template.algorithm][google.cloud.kms.v1.CryptoKeyVersionTemplate.algorithm]
+        are required.
+
+        Returns:
+            Callable[[~.CreateCryptoKeyRequest],
+                    Awaitable[~.CryptoKey]]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "create_crypto_key" not in self._stubs:
+            self._stubs["create_crypto_key"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/CreateCryptoKey",
+                request_serializer=service.CreateCryptoKeyRequest.serialize,
+                response_deserializer=resources.CryptoKey.deserialize,
+            )
+        return self._stubs["create_crypto_key"]
+
+    @property
+    def create_crypto_key_version(
+        self,
+    ) -> Callable[
+        [service.CreateCryptoKeyVersionRequest], Awaitable[resources.CryptoKeyVersion]
+    ]:
+        r"""Return a callable for the create crypto key version method over gRPC.
+
+        Create a new
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in a
+        [CryptoKey][google.cloud.kms.v1.CryptoKey].
+
+        The server will assign the next sequential id. If unset,
+        [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set
+        to
+        [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED].
+
+        Returns:
+            Callable[[~.CreateCryptoKeyVersionRequest],
+                    Awaitable[~.CryptoKeyVersion]]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "create_crypto_key_version" not in self._stubs:
+            self._stubs["create_crypto_key_version"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/CreateCryptoKeyVersion",
+                request_serializer=service.CreateCryptoKeyVersionRequest.serialize,
+                response_deserializer=resources.CryptoKeyVersion.deserialize,
+            )
+        return self._stubs["create_crypto_key_version"]
+
+    @property
+    def import_crypto_key_version(
+        self,
+    ) -> Callable[
+        [service.ImportCryptoKeyVersionRequest], Awaitable[resources.CryptoKeyVersion]
+    ]:
+        r"""Return a callable for the import crypto key version method over gRPC.
+
+        Imports a new
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] into an
+        existing [CryptoKey][google.cloud.kms.v1.CryptoKey] using the
+        wrapped key material provided in the request.
+
+        The version ID will be assigned the next sequential id within
+        the [CryptoKey][google.cloud.kms.v1.CryptoKey].
+
+        Returns:
+            Callable[[~.ImportCryptoKeyVersionRequest],
+                    Awaitable[~.CryptoKeyVersion]]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "import_crypto_key_version" not in self._stubs:
+            self._stubs["import_crypto_key_version"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/ImportCryptoKeyVersion",
+                request_serializer=service.ImportCryptoKeyVersionRequest.serialize,
+                response_deserializer=resources.CryptoKeyVersion.deserialize,
+            )
+        return self._stubs["import_crypto_key_version"]
+
+    @property
+    def create_import_job(
+        self,
+    ) -> Callable[[service.CreateImportJobRequest], Awaitable[resources.ImportJob]]:
+        r"""Return a callable for the create import job method over gRPC.
+
+        Create a new [ImportJob][google.cloud.kms.v1.ImportJob] within a
+        [KeyRing][google.cloud.kms.v1.KeyRing].
+
+        [ImportJob.import_method][google.cloud.kms.v1.ImportJob.import_method]
+        is required.
+
+        Returns:
+            Callable[[~.CreateImportJobRequest],
+                    Awaitable[~.ImportJob]]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "create_import_job" not in self._stubs:
+            self._stubs["create_import_job"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/CreateImportJob",
+                request_serializer=service.CreateImportJobRequest.serialize,
+                response_deserializer=resources.ImportJob.deserialize,
+            )
+        return self._stubs["create_import_job"]
+
+    @property
+    def update_crypto_key(
+        self,
+    ) -> Callable[[service.UpdateCryptoKeyRequest], Awaitable[resources.CryptoKey]]:
+        r"""Return a callable for the update crypto key method over gRPC.
+
+        Update a [CryptoKey][google.cloud.kms.v1.CryptoKey].
+
+        Returns:
+            Callable[[~.UpdateCryptoKeyRequest],
+                    Awaitable[~.CryptoKey]]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "update_crypto_key" not in self._stubs:
+            self._stubs["update_crypto_key"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/UpdateCryptoKey",
+                request_serializer=service.UpdateCryptoKeyRequest.serialize,
+                response_deserializer=resources.CryptoKey.deserialize,
+            )
+        return self._stubs["update_crypto_key"]
+
+    @property
+    def update_crypto_key_version(
+        self,
+    ) -> Callable[
+        [service.UpdateCryptoKeyVersionRequest], Awaitable[resources.CryptoKeyVersion]
+    ]:
+        r"""Return a callable for the update crypto key version method over gRPC.
+
+        Update a
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s
+        metadata.
+
+        [state][google.cloud.kms.v1.CryptoKeyVersion.state] may be
+        changed between
+        [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
+        and
+        [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED]
+        using this method. See
+        [DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion]
+        and
+        [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]
+        to move between other states.
+
+        Returns:
+            Callable[[~.UpdateCryptoKeyVersionRequest],
+                    Awaitable[~.CryptoKeyVersion]]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "update_crypto_key_version" not in self._stubs:
+            self._stubs["update_crypto_key_version"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/UpdateCryptoKeyVersion",
+                request_serializer=service.UpdateCryptoKeyVersionRequest.serialize,
+                response_deserializer=resources.CryptoKeyVersion.deserialize,
+            )
+        return self._stubs["update_crypto_key_version"]
+
+    @property
+    def encrypt(
+        self,
+    ) -> Callable[[service.EncryptRequest], Awaitable[service.EncryptResponse]]:
+        r"""Return a callable for the encrypt method over gRPC.
+
+        Encrypts data, so that it can only be recovered by a call to
+        [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt]. The
+        [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must
+        be
+        [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
+
+        Returns:
+            Callable[[~.EncryptRequest],
+                    Awaitable[~.EncryptResponse]]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "encrypt" not in self._stubs:
+            self._stubs["encrypt"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/Encrypt",
+                request_serializer=service.EncryptRequest.serialize,
+                response_deserializer=service.EncryptResponse.deserialize,
+            )
+        return self._stubs["encrypt"]
+
+    @property
+    def decrypt(
+        self,
+    ) -> Callable[[service.DecryptRequest], Awaitable[service.DecryptResponse]]:
+        r"""Return a callable for the decrypt method over gRPC.
+
+        Decrypts data that was protected by
+        [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. The
+        [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must
+        be
+        [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
+
+        Returns:
+            Callable[[~.DecryptRequest],
+                    Awaitable[~.DecryptResponse]]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "decrypt" not in self._stubs:
+            self._stubs["decrypt"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/Decrypt",
+                request_serializer=service.DecryptRequest.serialize,
+                response_deserializer=service.DecryptResponse.deserialize,
+            )
+        return self._stubs["decrypt"]
+
+    @property
+    def asymmetric_sign(
+        self,
+    ) -> Callable[
+        [service.AsymmetricSignRequest], Awaitable[service.AsymmetricSignResponse]
+    ]:
+        r"""Return a callable for the asymmetric sign method over gRPC.
+
+        Signs data using a
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
+        [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
+        ASYMMETRIC_SIGN, producing a signature that can be verified with
+        the public key retrieved from
+        [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
+
+        Returns:
+            Callable[[~.AsymmetricSignRequest],
+                    Awaitable[~.AsymmetricSignResponse]]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "asymmetric_sign" not in self._stubs:
+            self._stubs["asymmetric_sign"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/AsymmetricSign",
+                request_serializer=service.AsymmetricSignRequest.serialize,
+                response_deserializer=service.AsymmetricSignResponse.deserialize,
+            )
+        return self._stubs["asymmetric_sign"]
+
+    @property
+    def asymmetric_decrypt(
+        self,
+    ) -> Callable[
+        [service.AsymmetricDecryptRequest], Awaitable[service.AsymmetricDecryptResponse]
+    ]:
+        r"""Return a callable for the asymmetric decrypt method over gRPC.
+
+        Decrypts data that was encrypted with a public key retrieved
+        from
+        [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey]
+        corresponding to a
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
+        [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
+        ASYMMETRIC_DECRYPT.
+
+        Returns:
+            Callable[[~.AsymmetricDecryptRequest],
+                    Awaitable[~.AsymmetricDecryptResponse]]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "asymmetric_decrypt" not in self._stubs:
+            self._stubs["asymmetric_decrypt"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/AsymmetricDecrypt",
+                request_serializer=service.AsymmetricDecryptRequest.serialize,
+                response_deserializer=service.AsymmetricDecryptResponse.deserialize,
+            )
+        return self._stubs["asymmetric_decrypt"]
+
+    @property
+    def update_crypto_key_primary_version(
+        self,
+    ) -> Callable[
+        [service.UpdateCryptoKeyPrimaryVersionRequest], Awaitable[resources.CryptoKey]
+    ]:
+        r"""Return a callable for the update crypto key primary
+        version method over gRPC.
+
+        Update the version of a
+        [CryptoKey][google.cloud.kms.v1.CryptoKey] that will be used in
+        [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
+
+        Returns an error if called on an asymmetric key.
+
+        Returns:
+            Callable[[~.UpdateCryptoKeyPrimaryVersionRequest],
+                    Awaitable[~.CryptoKey]]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "update_crypto_key_primary_version" not in self._stubs:
+            self._stubs[
+                "update_crypto_key_primary_version"
+            ] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/UpdateCryptoKeyPrimaryVersion",
+                request_serializer=service.UpdateCryptoKeyPrimaryVersionRequest.serialize,
+                response_deserializer=resources.CryptoKey.deserialize,
+            )
+        return self._stubs["update_crypto_key_primary_version"]
+
+    @property
+    def destroy_crypto_key_version(
+        self,
+    ) -> Callable[
+        [service.DestroyCryptoKeyVersionRequest], Awaitable[resources.CryptoKeyVersion]
+    ]:
+        r"""Return a callable for the destroy crypto key version method over gRPC.
+
+        Schedule a
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] for
+        destruction.
+
+        Upon calling this method,
+        [CryptoKeyVersion.state][google.cloud.kms.v1.CryptoKeyVersion.state]
+        will be set to
+        [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED]
+        and
+        [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time]
+        will be set to a time 24 hours in the future, at which point the
+        [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be
+        changed to
+        [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED],
+        and the key material will be irrevocably destroyed.
+
+        Before the
+        [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time]
+        is reached,
+        [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]
+        may be called to reverse the process.
+
+        Returns:
+            Callable[[~.DestroyCryptoKeyVersionRequest],
+                    Awaitable[~.CryptoKeyVersion]]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "destroy_crypto_key_version" not in self._stubs:
+            self._stubs["destroy_crypto_key_version"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/DestroyCryptoKeyVersion",
+                request_serializer=service.DestroyCryptoKeyVersionRequest.serialize,
+                response_deserializer=resources.CryptoKeyVersion.deserialize,
+            )
+        return self._stubs["destroy_crypto_key_version"]
+
+    @property
+    def restore_crypto_key_version(
+        self,
+    ) -> Callable[
+        [service.RestoreCryptoKeyVersionRequest], Awaitable[resources.CryptoKeyVersion]
+    ]:
+        r"""Return a callable for the restore crypto key version method over gRPC.
+
+        Restore a
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the
+        [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED]
+        state.
+
+        Upon restoration of the CryptoKeyVersion,
+        [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set
+        to
+        [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED],
+        and
+        [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time]
+        will be cleared.
+
+        Returns:
+            Callable[[~.RestoreCryptoKeyVersionRequest],
+                    Awaitable[~.CryptoKeyVersion]]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "restore_crypto_key_version" not in self._stubs:
+            self._stubs["restore_crypto_key_version"] = self.grpc_channel.unary_unary(
+                "/google.cloud.kms.v1.KeyManagementService/RestoreCryptoKeyVersion",
+                request_serializer=service.RestoreCryptoKeyVersionRequest.serialize,
+                response_deserializer=resources.CryptoKeyVersion.deserialize,
+            )
+        return self._stubs["restore_crypto_key_version"]
+
+    @property
+    def set_iam_policy(
+        self,
+    ) -> Callable[[iam_policy.SetIamPolicyRequest], Awaitable[policy.Policy]]:
+        r"""Return a callable for the set iam policy method over gRPC.
+        Sets the IAM access control policy on the specified
+        function. Replaces any existing policy.
+        Returns:
+            Callable[[~.SetIamPolicyRequest],
+                    Awaitable[~.Policy]]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "set_iam_policy" not in self._stubs:
+            self._stubs["set_iam_policy"] = self.grpc_channel.unary_unary(
+                "/google.iam.v1.IAMPolicy/SetIamPolicy",
+                request_serializer=iam_policy.SetIamPolicyRequest.SerializeToString,
+                response_deserializer=policy.Policy.FromString,
+            )
+        return self._stubs["set_iam_policy"]
+
+    @property
+    def get_iam_policy(
+        self,
+    ) -> Callable[[iam_policy.GetIamPolicyRequest], Awaitable[policy.Policy]]:
+        r"""Return a callable for the get iam policy method over gRPC.
+        Gets the IAM access control policy for a function.
+        Returns an empty policy if the function exists and does
+        not have a policy set.
+        Returns:
+            Callable[[~.GetIamPolicyRequest],
+                    Awaitable[~.Policy]]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "get_iam_policy" not in self._stubs:
+            self._stubs["get_iam_policy"] = self.grpc_channel.unary_unary(
+                "/google.iam.v1.IAMPolicy/GetIamPolicy",
+                request_serializer=iam_policy.GetIamPolicyRequest.SerializeToString,
+                response_deserializer=policy.Policy.FromString,
+            )
+        return self._stubs["get_iam_policy"]
+
+    @property
+    def test_iam_permissions(
+        self,
+    ) -> Callable[
+        [iam_policy.TestIamPermissionsRequest],
+        Awaitable[iam_policy.TestIamPermissionsResponse],
+    ]:
+        r"""Return a callable for the test iam permissions method over gRPC.
+        Tests the specified permissions against the IAM access control
+        policy for a function. If the function does not exist, this will
+        return an empty set of permissions, not a NOT_FOUND error.
+        Returns:
+            Callable[[~.TestIamPermissionsRequest],
+                    Awaitable[~.TestIamPermissionsResponse]]:
+                A function that, when called, will call the underlying RPC
+                on the server.
+        """
+        # Generate a "stub function" on-the-fly which will actually make
+        # the request.
+        # gRPC handles serialization and deserialization, so we just need
+        # to pass in the functions for each.
+        if "test_iam_permissions" not in self._stubs:
+            self._stubs["test_iam_permissions"] = self.grpc_channel.unary_unary(
+                "/google.iam.v1.IAMPolicy/TestIamPermissions",
+                request_serializer=iam_policy.TestIamPermissionsRequest.SerializeToString,
+                response_deserializer=iam_policy.TestIamPermissionsResponse.FromString,
+            )
+        return self._stubs["test_iam_permissions"]
+
+
+__all__ = ("KeyManagementServiceGrpcAsyncIOTransport",)
diff --git a/packages/google-cloud-kms/google/cloud/kms_v1/types.py b/packages/google-cloud-kms/google/cloud/kms_v1/types.py
deleted file mode 100644
index b7e62883111e..000000000000
--- a/packages/google-cloud-kms/google/cloud/kms_v1/types.py
+++ /dev/null
@@ -1,47 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-
-from __future__ import absolute_import
-import sys
-
-from google.api_core.protobuf_helpers import get_messages
-
-from google.cloud.kms_v1.proto import resources_pb2
-from google.cloud.kms_v1.proto import service_pb2
-from google.protobuf import duration_pb2
-from google.protobuf import field_mask_pb2
-from google.protobuf import timestamp_pb2
-
-
-_shared_modules = [duration_pb2, field_mask_pb2, timestamp_pb2]
-
-_local_modules = [resources_pb2, service_pb2]
-
-names = []
-
-for module in _shared_modules:  # pragma: NO COVER
-    for name, message in get_messages(module).items():
-        setattr(sys.modules[__name__], name, message)
-        names.append(name)
-for module in _local_modules:
-    for name, message in get_messages(module).items():
-        message.__module__ = "google.cloud.kms_v1.types"
-        setattr(sys.modules[__name__], name, message)
-        names.append(name)
-
-
-__all__ = tuple(sorted(names))
diff --git a/packages/google-cloud-kms/google/cloud/kms_v1/types/__init__.py b/packages/google-cloud-kms/google/cloud/kms_v1/types/__init__.py
new file mode 100644
index 000000000000..5ef2bd36f2dd
--- /dev/null
+++ b/packages/google-cloud-kms/google/cloud/kms_v1/types/__init__.py
@@ -0,0 +1,107 @@
+# -*- coding: utf-8 -*-
+
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+from .resources import (
+    KeyRing,
+    CryptoKey,
+    CryptoKeyVersionTemplate,
+    KeyOperationAttestation,
+    CryptoKeyVersion,
+    PublicKey,
+    ImportJob,
+    ExternalProtectionLevelOptions,
+)
+from .service import (
+    ListKeyRingsRequest,
+    ListCryptoKeysRequest,
+    ListCryptoKeyVersionsRequest,
+    ListImportJobsRequest,
+    ListKeyRingsResponse,
+    ListCryptoKeysResponse,
+    ListCryptoKeyVersionsResponse,
+    ListImportJobsResponse,
+    GetKeyRingRequest,
+    GetCryptoKeyRequest,
+    GetCryptoKeyVersionRequest,
+    GetPublicKeyRequest,
+    GetImportJobRequest,
+    CreateKeyRingRequest,
+    CreateCryptoKeyRequest,
+    CreateCryptoKeyVersionRequest,
+    ImportCryptoKeyVersionRequest,
+    CreateImportJobRequest,
+    UpdateCryptoKeyRequest,
+    UpdateCryptoKeyVersionRequest,
+    EncryptRequest,
+    DecryptRequest,
+    AsymmetricSignRequest,
+    AsymmetricDecryptRequest,
+    DecryptResponse,
+    EncryptResponse,
+    AsymmetricSignResponse,
+    AsymmetricDecryptResponse,
+    UpdateCryptoKeyPrimaryVersionRequest,
+    DestroyCryptoKeyVersionRequest,
+    RestoreCryptoKeyVersionRequest,
+    Digest,
+    LocationMetadata,
+)
+
+
+__all__ = (
+    "KeyRing",
+    "CryptoKey",
+    "CryptoKeyVersionTemplate",
+    "KeyOperationAttestation",
+    "CryptoKeyVersion",
+    "PublicKey",
+    "ImportJob",
+    "ExternalProtectionLevelOptions",
+    "ListKeyRingsRequest",
+    "ListCryptoKeysRequest",
+    "ListCryptoKeyVersionsRequest",
+    "ListImportJobsRequest",
+    "ListKeyRingsResponse",
+    "ListCryptoKeysResponse",
+    "ListCryptoKeyVersionsResponse",
+    "ListImportJobsResponse",
+    "GetKeyRingRequest",
+    "GetCryptoKeyRequest",
+    "GetCryptoKeyVersionRequest",
+    "GetPublicKeyRequest",
+    "GetImportJobRequest",
+    "CreateKeyRingRequest",
+    "CreateCryptoKeyRequest",
+    "CreateCryptoKeyVersionRequest",
+    "ImportCryptoKeyVersionRequest",
+    "CreateImportJobRequest",
+    "UpdateCryptoKeyRequest",
+    "UpdateCryptoKeyVersionRequest",
+    "EncryptRequest",
+    "DecryptRequest",
+    "AsymmetricSignRequest",
+    "AsymmetricDecryptRequest",
+    "DecryptResponse",
+    "EncryptResponse",
+    "AsymmetricSignResponse",
+    "AsymmetricDecryptResponse",
+    "UpdateCryptoKeyPrimaryVersionRequest",
+    "DestroyCryptoKeyVersionRequest",
+    "RestoreCryptoKeyVersionRequest",
+    "Digest",
+    "LocationMetadata",
+)
diff --git a/packages/google-cloud-kms/google/cloud/kms_v1/types/resources.py b/packages/google-cloud-kms/google/cloud/kms_v1/types/resources.py
new file mode 100644
index 000000000000..29a22293c350
--- /dev/null
+++ b/packages/google-cloud-kms/google/cloud/kms_v1/types/resources.py
@@ -0,0 +1,650 @@
+# -*- coding: utf-8 -*-
+
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+import proto  # type: ignore
+
+
+from google.protobuf import duration_pb2 as duration  # type: ignore
+from google.protobuf import timestamp_pb2 as timestamp  # type: ignore
+
+
+__protobuf__ = proto.module(
+    package="google.cloud.kms.v1",
+    manifest={
+        "ProtectionLevel",
+        "KeyRing",
+        "CryptoKey",
+        "CryptoKeyVersionTemplate",
+        "KeyOperationAttestation",
+        "CryptoKeyVersion",
+        "PublicKey",
+        "ImportJob",
+        "ExternalProtectionLevelOptions",
+    },
+)
+
+
+class ProtectionLevel(proto.Enum):
+    r"""[ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] specifies how
+    cryptographic operations are performed. For more information, see
+    [Protection levels]
+    (https://cloud.google.com/kms/docs/algorithms#protection_levels).
+    """
+    PROTECTION_LEVEL_UNSPECIFIED = 0
+    SOFTWARE = 1
+    HSM = 2
+    EXTERNAL = 3
+
+
+class KeyRing(proto.Message):
+    r"""A [KeyRing][google.cloud.kms.v1.KeyRing] is a toplevel logical
+    grouping of [CryptoKeys][google.cloud.kms.v1.CryptoKey].
+
+    Attributes:
+        name (str):
+            Output only. The resource name for the
+            [KeyRing][google.cloud.kms.v1.KeyRing] in the format
+            ``projects/*/locations/*/keyRings/*``.
+        create_time (~.timestamp.Timestamp):
+            Output only. The time at which this
+            [KeyRing][google.cloud.kms.v1.KeyRing] was created.
+    """
+
+    name = proto.Field(proto.STRING, number=1)
+
+    create_time = proto.Field(proto.MESSAGE, number=2, message=timestamp.Timestamp,)
+
+
+class CryptoKey(proto.Message):
+    r"""A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical
+    key that can be used for cryptographic operations.
+
+    A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up of one or
+    more [versions][google.cloud.kms.v1.CryptoKeyVersion], which
+    represent the actual key material used in cryptographic operations.
+
+    Attributes:
+        name (str):
+            Output only. The resource name for this
+            [CryptoKey][google.cloud.kms.v1.CryptoKey] in the format
+            ``projects/*/locations/*/keyRings/*/cryptoKeys/*``.
+        primary (~.resources.CryptoKeyVersion):
+            Output only. A copy of the "primary"
+            [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+            that will be used by
+            [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]
+            when this [CryptoKey][google.cloud.kms.v1.CryptoKey] is
+            given in
+            [EncryptRequest.name][google.cloud.kms.v1.EncryptRequest.name].
+
+            The [CryptoKey][google.cloud.kms.v1.CryptoKey]'s primary
+            version can be updated via
+            [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion].
+
+            Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose]
+            [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]
+            may have a primary. For other keys, this field will be
+            omitted.
+        purpose (~.resources.CryptoKey.CryptoKeyPurpose):
+            Immutable. The immutable purpose of this
+            [CryptoKey][google.cloud.kms.v1.CryptoKey].
+        create_time (~.timestamp.Timestamp):
+            Output only. The time at which this
+            [CryptoKey][google.cloud.kms.v1.CryptoKey] was created.
+        next_rotation_time (~.timestamp.Timestamp):
+            At
+            [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time],
+            the Key Management Service will automatically:
+
+            1. Create a new version of this
+               [CryptoKey][google.cloud.kms.v1.CryptoKey].
+            2. Mark the new version as primary.
+
+            Key rotations performed manually via
+            [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
+            and
+            [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion]
+            do not affect
+            [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time].
+
+            Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose]
+            [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]
+            support automatic rotation. For other keys, this field must
+            be omitted.
+        rotation_period (~.duration.Duration):
+            [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time]
+            will be advanced by this period when the service
+            automatically rotates a key. Must be at least 24 hours and
+            at most 876,000 hours.
+
+            If
+            [rotation_period][google.cloud.kms.v1.CryptoKey.rotation_period]
+            is set,
+            [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time]
+            must also be set.
+
+            Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose]
+            [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]
+            support automatic rotation. For other keys, this field must
+            be omitted.
+        version_template (~.resources.CryptoKeyVersionTemplate):
+            A template describing settings for new
+            [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+            instances. The properties of new
+            [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+            instances created by either
+            [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
+            or auto-rotation are controlled by this template.
+        labels (Sequence[~.resources.CryptoKey.LabelsEntry]):
+            Labels with user-defined metadata. For more information, see
+            `Labeling
+            Keys <https://cloud.google.com/kms/docs/labeling-keys>`__.
+    """
+
+    class CryptoKeyPurpose(proto.Enum):
+        r"""[CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose]
+        describes the cryptographic capabilities of a
+        [CryptoKey][google.cloud.kms.v1.CryptoKey]. A given key can only be
+        used for the operations allowed by its purpose. For more
+        information, see `Key
+        purposes <https://cloud.google.com/kms/docs/algorithms#key_purposes>`__.
+        """
+        CRYPTO_KEY_PURPOSE_UNSPECIFIED = 0
+        ENCRYPT_DECRYPT = 1
+        ASYMMETRIC_SIGN = 5
+        ASYMMETRIC_DECRYPT = 6
+
+    name = proto.Field(proto.STRING, number=1)
+
+    primary = proto.Field(proto.MESSAGE, number=2, message="CryptoKeyVersion",)
+
+    purpose = proto.Field(proto.ENUM, number=3, enum=CryptoKeyPurpose,)
+
+    create_time = proto.Field(proto.MESSAGE, number=5, message=timestamp.Timestamp,)
+
+    next_rotation_time = proto.Field(
+        proto.MESSAGE, number=7, message=timestamp.Timestamp,
+    )
+
+    rotation_period = proto.Field(
+        proto.MESSAGE, number=8, oneof="rotation_schedule", message=duration.Duration,
+    )
+
+    version_template = proto.Field(
+        proto.MESSAGE, number=11, message="CryptoKeyVersionTemplate",
+    )
+
+    labels = proto.MapField(proto.STRING, proto.STRING, number=10)
+
+
+class CryptoKeyVersionTemplate(proto.Message):
+    r"""A
+    [CryptoKeyVersionTemplate][google.cloud.kms.v1.CryptoKeyVersionTemplate]
+    specifies the properties to use when creating a new
+    [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], either
+    manually with
+    [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
+    or automatically as a result of auto-rotation.
+
+    Attributes:
+        protection_level (~.resources.ProtectionLevel):
+            [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] to
+            use when creating a
+            [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+            based on this template. Immutable. Defaults to
+            [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE].
+        algorithm (~.resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm):
+            Required.
+            [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
+            to use when creating a
+            [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+            based on this template.
+
+            For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is
+            implied if both this field is omitted and
+            [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
+            is
+            [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
+    """
+
+    protection_level = proto.Field(proto.ENUM, number=1, enum="ProtectionLevel",)
+
+    algorithm = proto.Field(
+        proto.ENUM, number=3, enum="CryptoKeyVersion.CryptoKeyVersionAlgorithm",
+    )
+
+
+class KeyOperationAttestation(proto.Message):
+    r"""Contains an HSM-generated attestation about a key operation. For
+    more information, see [Verifying attestations]
+    (https://cloud.google.com/kms/docs/attest-key).
+
+    Attributes:
+        format (~.resources.KeyOperationAttestation.AttestationFormat):
+            Output only. The format of the attestation
+            data.
+        content (bytes):
+            Output only. The attestation data provided by
+            the HSM when the key operation was performed.
+    """
+
+    class AttestationFormat(proto.Enum):
+        r"""Attestation formats provided by the HSM."""
+        ATTESTATION_FORMAT_UNSPECIFIED = 0
+        CAVIUM_V1_COMPRESSED = 3
+        CAVIUM_V2_COMPRESSED = 4
+
+    format = proto.Field(proto.ENUM, number=4, enum=AttestationFormat,)
+
+    content = proto.Field(proto.BYTES, number=5)
+
+
+class CryptoKeyVersion(proto.Message):
+    r"""A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+    represents an individual cryptographic key, and the associated key
+    material.
+
+    An
+    [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
+    version can be used for cryptographic operations.
+
+    For security reasons, the raw cryptographic key material represented
+    by a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can
+    never be viewed or exported. It can only be used to encrypt,
+    decrypt, or sign data when an authorized user or application invokes
+    Cloud KMS.
+
+    Attributes:
+        name (str):
+            Output only. The resource name for this
+            [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in
+            the format
+            ``projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*``.
+        state (~.resources.CryptoKeyVersion.CryptoKeyVersionState):
+            The current state of the
+            [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
+        protection_level (~.resources.ProtectionLevel):
+            Output only. The
+            [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel]
+            describing how crypto operations are performed with this
+            [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
+        algorithm (~.resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm):
+            Output only. The
+            [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
+            that this
+            [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+            supports.
+        attestation (~.resources.KeyOperationAttestation):
+            Output only. Statement that was generated and signed by the
+            HSM at key creation time. Use this statement to verify
+            attributes of the key as stored on the HSM, independently of
+            Google. Only provided for key versions with
+            [protection_level][google.cloud.kms.v1.CryptoKeyVersion.protection_level]
+            [HSM][google.cloud.kms.v1.ProtectionLevel.HSM].
+        create_time (~.timestamp.Timestamp):
+            Output only. The time at which this
+            [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] was
+            created.
+        generate_time (~.timestamp.Timestamp):
+            Output only. The time this
+            [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s
+            key material was generated.
+        destroy_time (~.timestamp.Timestamp):
+            Output only. The time this
+            [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s
+            key material is scheduled for destruction. Only present if
+            [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
+            [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED].
+        destroy_event_time (~.timestamp.Timestamp):
+            Output only. The time this CryptoKeyVersion's key material
+            was destroyed. Only present if
+            [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
+            [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED].
+        import_job (str):
+            Output only. The name of the
+            [ImportJob][google.cloud.kms.v1.ImportJob] used to import
+            this
+            [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
+            Only present if the underlying key material was imported.
+        import_time (~.timestamp.Timestamp):
+            Output only. The time at which this
+            [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s
+            key material was imported.
+        import_failure_reason (str):
+            Output only. The root cause of an import failure. Only
+            present if
+            [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
+            [IMPORT_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.IMPORT_FAILED].
+        external_protection_level_options (~.resources.ExternalProtectionLevelOptions):
+            ExternalProtectionLevelOptions stores a group of additional
+            fields for configuring a
+            [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+            that are specific to the
+            [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL]
+            protection level.
+    """
+
+    class CryptoKeyVersionAlgorithm(proto.Enum):
+        r"""The algorithm of the
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], indicating
+        what parameters must be used for each cryptographic operation.
+
+        The
+        [GOOGLE_SYMMETRIC_ENCRYPTION][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION]
+        algorithm is usable with
+        [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
+        [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
+
+        Algorithms beginning with "RSA_SIGN\_" are usable with
+        [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
+        [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN].
+
+        The fields in the name after "RSA_SIGN\_" correspond to the following
+        parameters: padding algorithm, modulus bit length, and digest
+        algorithm.
+
+        For PSS, the salt length used is equal to the length of digest
+        algorithm. For example,
+        [RSA_SIGN_PSS_2048_SHA256][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256]
+        will use PSS with a salt length of 256 bits or 32 bytes.
+
+        Algorithms beginning with "RSA_DECRYPT\_" are usable with
+        [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
+        [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT].
+
+        The fields in the name after "RSA_DECRYPT\_" correspond to the
+        following parameters: padding algorithm, modulus bit length, and
+        digest algorithm.
+
+        Algorithms beginning with "EC_SIGN\_" are usable with
+        [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
+        [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN].
+
+        The fields in the name after "EC_SIGN\_" correspond to the following
+        parameters: elliptic curve, digest algorithm.
+
+        For more information, see [Key purposes and algorithms]
+        (https://cloud.google.com/kms/docs/algorithms).
+        """
+        CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED = 0
+        GOOGLE_SYMMETRIC_ENCRYPTION = 1
+        RSA_SIGN_PSS_2048_SHA256 = 2
+        RSA_SIGN_PSS_3072_SHA256 = 3
+        RSA_SIGN_PSS_4096_SHA256 = 4
+        RSA_SIGN_PSS_4096_SHA512 = 15
+        RSA_SIGN_PKCS1_2048_SHA256 = 5
+        RSA_SIGN_PKCS1_3072_SHA256 = 6
+        RSA_SIGN_PKCS1_4096_SHA256 = 7
+        RSA_SIGN_PKCS1_4096_SHA512 = 16
+        RSA_DECRYPT_OAEP_2048_SHA256 = 8
+        RSA_DECRYPT_OAEP_3072_SHA256 = 9
+        RSA_DECRYPT_OAEP_4096_SHA256 = 10
+        RSA_DECRYPT_OAEP_4096_SHA512 = 17
+        EC_SIGN_P256_SHA256 = 12
+        EC_SIGN_P384_SHA384 = 13
+        EXTERNAL_SYMMETRIC_ENCRYPTION = 18
+
+    class CryptoKeyVersionState(proto.Enum):
+        r"""The state of a
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], indicating
+        if it can be used.
+        """
+        CRYPTO_KEY_VERSION_STATE_UNSPECIFIED = 0
+        PENDING_GENERATION = 5
+        ENABLED = 1
+        DISABLED = 2
+        DESTROYED = 3
+        DESTROY_SCHEDULED = 4
+        PENDING_IMPORT = 6
+        IMPORT_FAILED = 7
+
+    class CryptoKeyVersionView(proto.Enum):
+        r"""A view for
+        [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]s. Controls
+        the level of detail returned for
+        [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] in
+        [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions]
+        and
+        [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
+        """
+        CRYPTO_KEY_VERSION_VIEW_UNSPECIFIED = 0
+        FULL = 1
+
+    name = proto.Field(proto.STRING, number=1)
+
+    state = proto.Field(proto.ENUM, number=3, enum=CryptoKeyVersionState,)
+
+    protection_level = proto.Field(proto.ENUM, number=7, enum="ProtectionLevel",)
+
+    algorithm = proto.Field(proto.ENUM, number=10, enum=CryptoKeyVersionAlgorithm,)
+
+    attestation = proto.Field(proto.MESSAGE, number=8, message=KeyOperationAttestation,)
+
+    create_time = proto.Field(proto.MESSAGE, number=4, message=timestamp.Timestamp,)
+
+    generate_time = proto.Field(proto.MESSAGE, number=11, message=timestamp.Timestamp,)
+
+    destroy_time = proto.Field(proto.MESSAGE, number=5, message=timestamp.Timestamp,)
+
+    destroy_event_time = proto.Field(
+        proto.MESSAGE, number=6, message=timestamp.Timestamp,
+    )
+
+    import_job = proto.Field(proto.STRING, number=14)
+
+    import_time = proto.Field(proto.MESSAGE, number=15, message=timestamp.Timestamp,)
+
+    import_failure_reason = proto.Field(proto.STRING, number=16)
+
+    external_protection_level_options = proto.Field(
+        proto.MESSAGE, number=17, message="ExternalProtectionLevelOptions",
+    )
+
+
+class PublicKey(proto.Message):
+    r"""The public key for a given
+    [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Obtained
+    via
+    [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
+
+    Attributes:
+        pem (str):
+            The public key, encoded in PEM format. For more information,
+            see the `RFC 7468 <https://tools.ietf.org/html/rfc7468>`__
+            sections for `General
+            Considerations <https://tools.ietf.org/html/rfc7468#section-2>`__
+            and [Textual Encoding of Subject Public Key Info]
+            (https://tools.ietf.org/html/rfc7468#section-13).
+        algorithm (~.resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm):
+            The
+            [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
+            associated with this key.
+    """
+
+    pem = proto.Field(proto.STRING, number=1)
+
+    algorithm = proto.Field(
+        proto.ENUM, number=2, enum=CryptoKeyVersion.CryptoKeyVersionAlgorithm,
+    )
+
+
+class ImportJob(proto.Message):
+    r"""An [ImportJob][google.cloud.kms.v1.ImportJob] can be used to create
+    [CryptoKeys][google.cloud.kms.v1.CryptoKey] and
+    [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] using
+    pre-existing key material, generated outside of Cloud KMS.
+
+    When an [ImportJob][google.cloud.kms.v1.ImportJob] is created, Cloud
+    KMS will generate a "wrapping key", which is a public/private key
+    pair. You use the wrapping key to encrypt (also known as wrap) the
+    pre-existing key material to protect it during the import process.
+    The nature of the wrapping key depends on the choice of
+    [import_method][google.cloud.kms.v1.ImportJob.import_method]. When
+    the wrapping key generation is complete, the
+    [state][google.cloud.kms.v1.ImportJob.state] will be set to
+    [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE] and
+    the [public_key][google.cloud.kms.v1.ImportJob.public_key] can be
+    fetched. The fetched public key can then be used to wrap your
+    pre-existing key material.
+
+    Once the key material is wrapped, it can be imported into a new
+    [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in an
+    existing [CryptoKey][google.cloud.kms.v1.CryptoKey] by calling
+    [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].
+    Multiple [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]
+    can be imported with a single
+    [ImportJob][google.cloud.kms.v1.ImportJob]. Cloud KMS uses the
+    private key portion of the wrapping key to unwrap the key material.
+    Only Cloud KMS has access to the private key.
+
+    An [ImportJob][google.cloud.kms.v1.ImportJob] expires 3 days after
+    it is created. Once expired, Cloud KMS will no longer be able to
+    import or unwrap any key material that was wrapped with the
+    [ImportJob][google.cloud.kms.v1.ImportJob]'s public key.
+
+    For more information, see `Importing a
+    key <https://cloud.google.com/kms/docs/importing-a-key>`__.
+
+    Attributes:
+        name (str):
+            Output only. The resource name for this
+            [ImportJob][google.cloud.kms.v1.ImportJob] in the format
+            ``projects/*/locations/*/keyRings/*/importJobs/*``.
+        import_method (~.resources.ImportJob.ImportMethod):
+            Required. Immutable. The wrapping method to
+            be used for incoming key material.
+        protection_level (~.resources.ProtectionLevel):
+            Required. Immutable. The protection level of the
+            [ImportJob][google.cloud.kms.v1.ImportJob]. This must match
+            the
+            [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]
+            of the
+            [version_template][google.cloud.kms.v1.CryptoKey.version_template]
+            on the [CryptoKey][google.cloud.kms.v1.CryptoKey] you
+            attempt to import into.
+        create_time (~.timestamp.Timestamp):
+            Output only. The time at which this
+            [ImportJob][google.cloud.kms.v1.ImportJob] was created.
+        generate_time (~.timestamp.Timestamp):
+            Output only. The time this
+            [ImportJob][google.cloud.kms.v1.ImportJob]'s key material
+            was generated.
+        expire_time (~.timestamp.Timestamp):
+            Output only. The time at which this
+            [ImportJob][google.cloud.kms.v1.ImportJob] is scheduled for
+            expiration and can no longer be used to import key material.
+        expire_event_time (~.timestamp.Timestamp):
+            Output only. The time this
+            [ImportJob][google.cloud.kms.v1.ImportJob] expired. Only
+            present if [state][google.cloud.kms.v1.ImportJob.state] is
+            [EXPIRED][google.cloud.kms.v1.ImportJob.ImportJobState.EXPIRED].
+        state (~.resources.ImportJob.ImportJobState):
+            Output only. The current state of the
+            [ImportJob][google.cloud.kms.v1.ImportJob], indicating if it
+            can be used.
+        public_key (~.resources.ImportJob.WrappingPublicKey):
+            Output only. The public key with which to wrap key material
+            prior to import. Only returned if
+            [state][google.cloud.kms.v1.ImportJob.state] is
+            [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE].
+        attestation (~.resources.KeyOperationAttestation):
+            Output only. Statement that was generated and signed by the
+            key creator (for example, an HSM) at key creation time. Use
+            this statement to verify attributes of the key as stored on
+            the HSM, independently of Google. Only present if the chosen
+            [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod]
+            is one with a protection level of
+            [HSM][google.cloud.kms.v1.ProtectionLevel.HSM].
+    """
+
+    class ImportMethod(proto.Enum):
+        r"""[ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod] describes
+        the key wrapping method chosen for this
+        [ImportJob][google.cloud.kms.v1.ImportJob].
+        """
+        IMPORT_METHOD_UNSPECIFIED = 0
+        RSA_OAEP_3072_SHA1_AES_256 = 1
+        RSA_OAEP_4096_SHA1_AES_256 = 2
+
+    class ImportJobState(proto.Enum):
+        r"""The state of the [ImportJob][google.cloud.kms.v1.ImportJob],
+        indicating if it can be used.
+        """
+        IMPORT_JOB_STATE_UNSPECIFIED = 0
+        PENDING_GENERATION = 1
+        ACTIVE = 2
+        EXPIRED = 3
+
+    class WrappingPublicKey(proto.Message):
+        r"""The public key component of the wrapping key. For details of the
+        type of key this public key corresponds to, see the
+        [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod].
+
+        Attributes:
+            pem (str):
+                The public key, encoded in PEM format. For more information,
+                see the `RFC 7468 <https://tools.ietf.org/html/rfc7468>`__
+                sections for `General
+                Considerations <https://tools.ietf.org/html/rfc7468#section-2>`__
+                and [Textual Encoding of Subject Public Key Info]
+                (https://tools.ietf.org/html/rfc7468#section-13).
+        """
+
+        pem = proto.Field(proto.STRING, number=1)
+
+    name = proto.Field(proto.STRING, number=1)
+
+    import_method = proto.Field(proto.ENUM, number=2, enum=ImportMethod,)
+
+    protection_level = proto.Field(proto.ENUM, number=9, enum="ProtectionLevel",)
+
+    create_time = proto.Field(proto.MESSAGE, number=3, message=timestamp.Timestamp,)
+
+    generate_time = proto.Field(proto.MESSAGE, number=4, message=timestamp.Timestamp,)
+
+    expire_time = proto.Field(proto.MESSAGE, number=5, message=timestamp.Timestamp,)
+
+    expire_event_time = proto.Field(
+        proto.MESSAGE, number=10, message=timestamp.Timestamp,
+    )
+
+    state = proto.Field(proto.ENUM, number=6, enum=ImportJobState,)
+
+    public_key = proto.Field(proto.MESSAGE, number=7, message=WrappingPublicKey,)
+
+    attestation = proto.Field(proto.MESSAGE, number=8, message=KeyOperationAttestation,)
+
+
+class ExternalProtectionLevelOptions(proto.Message):
+    r"""ExternalProtectionLevelOptions stores a group of additional fields
+    for configuring a
+    [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that are
+    specific to the
+    [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] protection
+    level.
+
+    Attributes:
+        external_key_uri (str):
+            The URI for an external resource that this
+            [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+            represents.
+    """
+
+    external_key_uri = proto.Field(proto.STRING, number=1)
+
+
+__all__ = tuple(sorted(__protobuf__.manifest))
diff --git a/packages/google-cloud-kms/google/cloud/kms_v1/types/service.py b/packages/google-cloud-kms/google/cloud/kms_v1/types/service.py
new file mode 100644
index 000000000000..bebb6e8fe37d
--- /dev/null
+++ b/packages/google-cloud-kms/google/cloud/kms_v1/types/service.py
@@ -0,0 +1,913 @@
+# -*- coding: utf-8 -*-
+
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+import proto  # type: ignore
+
+
+from google.cloud.kms_v1.types import resources
+from google.protobuf import field_mask_pb2 as field_mask  # type: ignore
+
+
+__protobuf__ = proto.module(
+    package="google.cloud.kms.v1",
+    manifest={
+        "ListKeyRingsRequest",
+        "ListCryptoKeysRequest",
+        "ListCryptoKeyVersionsRequest",
+        "ListImportJobsRequest",
+        "ListKeyRingsResponse",
+        "ListCryptoKeysResponse",
+        "ListCryptoKeyVersionsResponse",
+        "ListImportJobsResponse",
+        "GetKeyRingRequest",
+        "GetCryptoKeyRequest",
+        "GetCryptoKeyVersionRequest",
+        "GetPublicKeyRequest",
+        "GetImportJobRequest",
+        "CreateKeyRingRequest",
+        "CreateCryptoKeyRequest",
+        "CreateCryptoKeyVersionRequest",
+        "ImportCryptoKeyVersionRequest",
+        "CreateImportJobRequest",
+        "UpdateCryptoKeyRequest",
+        "UpdateCryptoKeyVersionRequest",
+        "EncryptRequest",
+        "DecryptRequest",
+        "AsymmetricSignRequest",
+        "AsymmetricDecryptRequest",
+        "DecryptResponse",
+        "EncryptResponse",
+        "AsymmetricSignResponse",
+        "AsymmetricDecryptResponse",
+        "UpdateCryptoKeyPrimaryVersionRequest",
+        "DestroyCryptoKeyVersionRequest",
+        "RestoreCryptoKeyVersionRequest",
+        "Digest",
+        "LocationMetadata",
+    },
+)
+
+
+class ListKeyRingsRequest(proto.Message):
+    r"""Request message for
+    [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].
+
+    Attributes:
+        parent (str):
+            Required. The resource name of the location associated with
+            the [KeyRings][google.cloud.kms.v1.KeyRing], in the format
+            ``projects/*/locations/*``.
+        page_size (int):
+            Optional. Optional limit on the number of
+            [KeyRings][google.cloud.kms.v1.KeyRing] to include in the
+            response. Further [KeyRings][google.cloud.kms.v1.KeyRing]
+            can subsequently be obtained by including the
+            [ListKeyRingsResponse.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse.next_page_token]
+            in a subsequent request. If unspecified, the server will
+            pick an appropriate default.
+        page_token (str):
+            Optional. Optional pagination token, returned earlier via
+            [ListKeyRingsResponse.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse.next_page_token].
+        filter (str):
+            Optional. Only include resources that match the filter in
+            the response. For more information, see `Sorting and
+            filtering list
+            results <https://cloud.google.com/kms/docs/sorting-and-filtering>`__.
+        order_by (str):
+            Optional. Specify how the results should be sorted. If not
+            specified, the results will be sorted in the default order.
+            For more information, see `Sorting and filtering list
+            results <https://cloud.google.com/kms/docs/sorting-and-filtering>`__.
+    """
+
+    parent = proto.Field(proto.STRING, number=1)
+
+    page_size = proto.Field(proto.INT32, number=2)
+
+    page_token = proto.Field(proto.STRING, number=3)
+
+    filter = proto.Field(proto.STRING, number=4)
+
+    order_by = proto.Field(proto.STRING, number=5)
+
+
+class ListCryptoKeysRequest(proto.Message):
+    r"""Request message for
+    [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
+
+    Attributes:
+        parent (str):
+            Required. The resource name of the
+            [KeyRing][google.cloud.kms.v1.KeyRing] to list, in the
+            format ``projects/*/locations/*/keyRings/*``.
+        page_size (int):
+            Optional. Optional limit on the number of
+            [CryptoKeys][google.cloud.kms.v1.CryptoKey] to include in
+            the response. Further
+            [CryptoKeys][google.cloud.kms.v1.CryptoKey] can subsequently
+            be obtained by including the
+            [ListCryptoKeysResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token]
+            in a subsequent request. If unspecified, the server will
+            pick an appropriate default.
+        page_token (str):
+            Optional. Optional pagination token, returned earlier via
+            [ListCryptoKeysResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token].
+        version_view (~.resources.CryptoKeyVersion.CryptoKeyVersionView):
+            The fields of the primary version to include
+            in the response.
+        filter (str):
+            Optional. Only include resources that match the filter in
+            the response. For more information, see `Sorting and
+            filtering list
+            results <https://cloud.google.com/kms/docs/sorting-and-filtering>`__.
+        order_by (str):
+            Optional. Specify how the results should be sorted. If not
+            specified, the results will be sorted in the default order.
+            For more information, see `Sorting and filtering list
+            results <https://cloud.google.com/kms/docs/sorting-and-filtering>`__.
+    """
+
+    parent = proto.Field(proto.STRING, number=1)
+
+    page_size = proto.Field(proto.INT32, number=2)
+
+    page_token = proto.Field(proto.STRING, number=3)
+
+    version_view = proto.Field(
+        proto.ENUM, number=4, enum=resources.CryptoKeyVersion.CryptoKeyVersionView,
+    )
+
+    filter = proto.Field(proto.STRING, number=5)
+
+    order_by = proto.Field(proto.STRING, number=6)
+
+
+class ListCryptoKeyVersionsRequest(proto.Message):
+    r"""Request message for
+    [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
+
+    Attributes:
+        parent (str):
+            Required. The resource name of the
+            [CryptoKey][google.cloud.kms.v1.CryptoKey] to list, in the
+            format ``projects/*/locations/*/keyRings/*/cryptoKeys/*``.
+        page_size (int):
+            Optional. Optional limit on the number of
+            [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] to
+            include in the response. Further
+            [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]
+            can subsequently be obtained by including the
+            [ListCryptoKeyVersionsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token]
+            in a subsequent request. If unspecified, the server will
+            pick an appropriate default.
+        page_token (str):
+            Optional. Optional pagination token, returned earlier via
+            [ListCryptoKeyVersionsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token].
+        view (~.resources.CryptoKeyVersion.CryptoKeyVersionView):
+            The fields to include in the response.
+        filter (str):
+            Optional. Only include resources that match the filter in
+            the response. For more information, see `Sorting and
+            filtering list
+            results <https://cloud.google.com/kms/docs/sorting-and-filtering>`__.
+        order_by (str):
+            Optional. Specify how the results should be sorted. If not
+            specified, the results will be sorted in the default order.
+            For more information, see `Sorting and filtering list
+            results <https://cloud.google.com/kms/docs/sorting-and-filtering>`__.
+    """
+
+    parent = proto.Field(proto.STRING, number=1)
+
+    page_size = proto.Field(proto.INT32, number=2)
+
+    page_token = proto.Field(proto.STRING, number=3)
+
+    view = proto.Field(
+        proto.ENUM, number=4, enum=resources.CryptoKeyVersion.CryptoKeyVersionView,
+    )
+
+    filter = proto.Field(proto.STRING, number=5)
+
+    order_by = proto.Field(proto.STRING, number=6)
+
+
+class ListImportJobsRequest(proto.Message):
+    r"""Request message for
+    [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].
+
+    Attributes:
+        parent (str):
+            Required. The resource name of the
+            [KeyRing][google.cloud.kms.v1.KeyRing] to list, in the
+            format ``projects/*/locations/*/keyRings/*``.
+        page_size (int):
+            Optional. Optional limit on the number of
+            [ImportJobs][google.cloud.kms.v1.ImportJob] to include in
+            the response. Further
+            [ImportJobs][google.cloud.kms.v1.ImportJob] can subsequently
+            be obtained by including the
+            [ListImportJobsResponse.next_page_token][google.cloud.kms.v1.ListImportJobsResponse.next_page_token]
+            in a subsequent request. If unspecified, the server will
+            pick an appropriate default.
+        page_token (str):
+            Optional. Optional pagination token, returned earlier via
+            [ListImportJobsResponse.next_page_token][google.cloud.kms.v1.ListImportJobsResponse.next_page_token].
+        filter (str):
+            Optional. Only include resources that match the filter in
+            the response. For more information, see `Sorting and
+            filtering list
+            results <https://cloud.google.com/kms/docs/sorting-and-filtering>`__.
+        order_by (str):
+            Optional. Specify how the results should be sorted. If not
+            specified, the results will be sorted in the default order.
+            For more information, see `Sorting and filtering list
+            results <https://cloud.google.com/kms/docs/sorting-and-filtering>`__.
+    """
+
+    parent = proto.Field(proto.STRING, number=1)
+
+    page_size = proto.Field(proto.INT32, number=2)
+
+    page_token = proto.Field(proto.STRING, number=3)
+
+    filter = proto.Field(proto.STRING, number=4)
+
+    order_by = proto.Field(proto.STRING, number=5)
+
+
+class ListKeyRingsResponse(proto.Message):
+    r"""Response message for
+    [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].
+
+    Attributes:
+        key_rings (Sequence[~.resources.KeyRing]):
+            The list of [KeyRings][google.cloud.kms.v1.KeyRing].
+        next_page_token (str):
+            A token to retrieve next page of results. Pass this value in
+            [ListKeyRingsRequest.page_token][google.cloud.kms.v1.ListKeyRingsRequest.page_token]
+            to retrieve the next page of results.
+        total_size (int):
+            The total number of [KeyRings][google.cloud.kms.v1.KeyRing]
+            that matched the query.
+    """
+
+    @property
+    def raw_page(self):
+        return self
+
+    key_rings = proto.RepeatedField(proto.MESSAGE, number=1, message=resources.KeyRing,)
+
+    next_page_token = proto.Field(proto.STRING, number=2)
+
+    total_size = proto.Field(proto.INT32, number=3)
+
+
+class ListCryptoKeysResponse(proto.Message):
+    r"""Response message for
+    [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
+
+    Attributes:
+        crypto_keys (Sequence[~.resources.CryptoKey]):
+            The list of [CryptoKeys][google.cloud.kms.v1.CryptoKey].
+        next_page_token (str):
+            A token to retrieve next page of results. Pass this value in
+            [ListCryptoKeysRequest.page_token][google.cloud.kms.v1.ListCryptoKeysRequest.page_token]
+            to retrieve the next page of results.
+        total_size (int):
+            The total number of
+            [CryptoKeys][google.cloud.kms.v1.CryptoKey] that matched the
+            query.
+    """
+
+    @property
+    def raw_page(self):
+        return self
+
+    crypto_keys = proto.RepeatedField(
+        proto.MESSAGE, number=1, message=resources.CryptoKey,
+    )
+
+    next_page_token = proto.Field(proto.STRING, number=2)
+
+    total_size = proto.Field(proto.INT32, number=3)
+
+
+class ListCryptoKeyVersionsResponse(proto.Message):
+    r"""Response message for
+    [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
+
+    Attributes:
+        crypto_key_versions (Sequence[~.resources.CryptoKeyVersion]):
+            The list of
+            [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
+        next_page_token (str):
+            A token to retrieve next page of results. Pass this value in
+            [ListCryptoKeyVersionsRequest.page_token][google.cloud.kms.v1.ListCryptoKeyVersionsRequest.page_token]
+            to retrieve the next page of results.
+        total_size (int):
+            The total number of
+            [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]
+            that matched the query.
+    """
+
+    @property
+    def raw_page(self):
+        return self
+
+    crypto_key_versions = proto.RepeatedField(
+        proto.MESSAGE, number=1, message=resources.CryptoKeyVersion,
+    )
+
+    next_page_token = proto.Field(proto.STRING, number=2)
+
+    total_size = proto.Field(proto.INT32, number=3)
+
+
+class ListImportJobsResponse(proto.Message):
+    r"""Response message for
+    [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].
+
+    Attributes:
+        import_jobs (Sequence[~.resources.ImportJob]):
+            The list of [ImportJobs][google.cloud.kms.v1.ImportJob].
+        next_page_token (str):
+            A token to retrieve next page of results. Pass this value in
+            [ListImportJobsRequest.page_token][google.cloud.kms.v1.ListImportJobsRequest.page_token]
+            to retrieve the next page of results.
+        total_size (int):
+            The total number of
+            [ImportJobs][google.cloud.kms.v1.ImportJob] that matched the
+            query.
+    """
+
+    @property
+    def raw_page(self):
+        return self
+
+    import_jobs = proto.RepeatedField(
+        proto.MESSAGE, number=1, message=resources.ImportJob,
+    )
+
+    next_page_token = proto.Field(proto.STRING, number=2)
+
+    total_size = proto.Field(proto.INT32, number=3)
+
+
+class GetKeyRingRequest(proto.Message):
+    r"""Request message for
+    [KeyManagementService.GetKeyRing][google.cloud.kms.v1.KeyManagementService.GetKeyRing].
+
+    Attributes:
+        name (str):
+            Required. The [name][google.cloud.kms.v1.KeyRing.name] of
+            the [KeyRing][google.cloud.kms.v1.KeyRing] to get.
+    """
+
+    name = proto.Field(proto.STRING, number=1)
+
+
+class GetCryptoKeyRequest(proto.Message):
+    r"""Request message for
+    [KeyManagementService.GetCryptoKey][google.cloud.kms.v1.KeyManagementService.GetCryptoKey].
+
+    Attributes:
+        name (str):
+            Required. The [name][google.cloud.kms.v1.CryptoKey.name] of
+            the [CryptoKey][google.cloud.kms.v1.CryptoKey] to get.
+    """
+
+    name = proto.Field(proto.STRING, number=1)
+
+
+class GetCryptoKeyVersionRequest(proto.Message):
+    r"""Request message for
+    [KeyManagementService.GetCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.GetCryptoKeyVersion].
+
+    Attributes:
+        name (str):
+            Required. The
+            [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
+            [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to
+            get.
+    """
+
+    name = proto.Field(proto.STRING, number=1)
+
+
+class GetPublicKeyRequest(proto.Message):
+    r"""Request message for
+    [KeyManagementService.GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
+
+    Attributes:
+        name (str):
+            Required. The
+            [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
+            [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+            public key to get.
+    """
+
+    name = proto.Field(proto.STRING, number=1)
+
+
+class GetImportJobRequest(proto.Message):
+    r"""Request message for
+    [KeyManagementService.GetImportJob][google.cloud.kms.v1.KeyManagementService.GetImportJob].
+
+    Attributes:
+        name (str):
+            Required. The [name][google.cloud.kms.v1.ImportJob.name] of
+            the [ImportJob][google.cloud.kms.v1.ImportJob] to get.
+    """
+
+    name = proto.Field(proto.STRING, number=1)
+
+
+class CreateKeyRingRequest(proto.Message):
+    r"""Request message for
+    [KeyManagementService.CreateKeyRing][google.cloud.kms.v1.KeyManagementService.CreateKeyRing].
+
+    Attributes:
+        parent (str):
+            Required. The resource name of the location associated with
+            the [KeyRings][google.cloud.kms.v1.KeyRing], in the format
+            ``projects/*/locations/*``.
+        key_ring_id (str):
+            Required. It must be unique within a location and match the
+            regular expression ``[a-zA-Z0-9_-]{1,63}``
+        key_ring (~.resources.KeyRing):
+            Required. A [KeyRing][google.cloud.kms.v1.KeyRing] with
+            initial field values.
+    """
+
+    parent = proto.Field(proto.STRING, number=1)
+
+    key_ring_id = proto.Field(proto.STRING, number=2)
+
+    key_ring = proto.Field(proto.MESSAGE, number=3, message=resources.KeyRing,)
+
+
+class CreateCryptoKeyRequest(proto.Message):
+    r"""Request message for
+    [KeyManagementService.CreateCryptoKey][google.cloud.kms.v1.KeyManagementService.CreateCryptoKey].
+
+    Attributes:
+        parent (str):
+            Required. The [name][google.cloud.kms.v1.KeyRing.name] of
+            the KeyRing associated with the
+            [CryptoKeys][google.cloud.kms.v1.CryptoKey].
+        crypto_key_id (str):
+            Required. It must be unique within a KeyRing and match the
+            regular expression ``[a-zA-Z0-9_-]{1,63}``
+        crypto_key (~.resources.CryptoKey):
+            Required. A [CryptoKey][google.cloud.kms.v1.CryptoKey] with
+            initial field values.
+        skip_initial_version_creation (bool):
+            If set to true, the request will create a
+            [CryptoKey][google.cloud.kms.v1.CryptoKey] without any
+            [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
+            You must manually call
+            [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
+            or
+            [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion]
+            before you can use this
+            [CryptoKey][google.cloud.kms.v1.CryptoKey].
+    """
+
+    parent = proto.Field(proto.STRING, number=1)
+
+    crypto_key_id = proto.Field(proto.STRING, number=2)
+
+    crypto_key = proto.Field(proto.MESSAGE, number=3, message=resources.CryptoKey,)
+
+    skip_initial_version_creation = proto.Field(proto.BOOL, number=5)
+
+
+class CreateCryptoKeyVersionRequest(proto.Message):
+    r"""Request message for
+    [KeyManagementService.CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion].
+
+    Attributes:
+        parent (str):
+            Required. The [name][google.cloud.kms.v1.CryptoKey.name] of
+            the [CryptoKey][google.cloud.kms.v1.CryptoKey] associated
+            with the
+            [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
+        crypto_key_version (~.resources.CryptoKeyVersion):
+            Required. A
+            [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+            with initial field values.
+    """
+
+    parent = proto.Field(proto.STRING, number=1)
+
+    crypto_key_version = proto.Field(
+        proto.MESSAGE, number=2, message=resources.CryptoKeyVersion,
+    )
+
+
+class ImportCryptoKeyVersionRequest(proto.Message):
+    r"""Request message for
+    [KeyManagementService.ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].
+
+    Attributes:
+        parent (str):
+            Required. The [name][google.cloud.kms.v1.CryptoKey.name] of
+            the [CryptoKey][google.cloud.kms.v1.CryptoKey] to be
+            imported into.
+        algorithm (~.resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm):
+            Required. The
+            [algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
+            of the key being imported. This does not need to match the
+            [version_template][google.cloud.kms.v1.CryptoKey.version_template]
+            of the [CryptoKey][google.cloud.kms.v1.CryptoKey] this
+            version imports into.
+        import_job (str):
+            Required. The [name][google.cloud.kms.v1.ImportJob.name] of
+            the [ImportJob][google.cloud.kms.v1.ImportJob] that was used
+            to wrap this key material.
+        rsa_aes_wrapped_key (bytes):
+            Wrapped key material produced with
+            [RSA_OAEP_3072_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256]
+            or
+            [RSA_OAEP_4096_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA1_AES_256].
+
+            This field contains the concatenation of two wrapped keys:
+
+            .. raw:: html
+
+                <ol>
+                  <li>An ephemeral AES-256 wrapping key wrapped with the
+                      [public_key][google.cloud.kms.v1.ImportJob.public_key] using RSAES-OAEP with SHA-1,
+                      MGF1 with SHA-1, and an empty label.
+                  </li>
+                  <li>The key to be imported, wrapped with the ephemeral AES-256 key
+                      using AES-KWP (RFC 5649).
+                  </li>
+                </ol>
+
+            If importing symmetric key material, it is expected that the
+            unwrapped key contains plain bytes. If importing asymmetric
+            key material, it is expected that the unwrapped key is in
+            PKCS#8-encoded DER format (the PrivateKeyInfo structure from
+            RFC 5208).
+
+            This format is the same as the format produced by PKCS#11
+            mechanism CKM_RSA_AES_KEY_WRAP.
+    """
+
+    parent = proto.Field(proto.STRING, number=1)
+
+    algorithm = proto.Field(
+        proto.ENUM, number=2, enum=resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm,
+    )
+
+    import_job = proto.Field(proto.STRING, number=4)
+
+    rsa_aes_wrapped_key = proto.Field(
+        proto.BYTES, number=5, oneof="wrapped_key_material"
+    )
+
+
+class CreateImportJobRequest(proto.Message):
+    r"""Request message for
+    [KeyManagementService.CreateImportJob][google.cloud.kms.v1.KeyManagementService.CreateImportJob].
+
+    Attributes:
+        parent (str):
+            Required. The [name][google.cloud.kms.v1.KeyRing.name] of
+            the [KeyRing][google.cloud.kms.v1.KeyRing] associated with
+            the [ImportJobs][google.cloud.kms.v1.ImportJob].
+        import_job_id (str):
+            Required. It must be unique within a KeyRing and match the
+            regular expression ``[a-zA-Z0-9_-]{1,63}``
+        import_job (~.resources.ImportJob):
+            Required. An [ImportJob][google.cloud.kms.v1.ImportJob] with
+            initial field values.
+    """
+
+    parent = proto.Field(proto.STRING, number=1)
+
+    import_job_id = proto.Field(proto.STRING, number=2)
+
+    import_job = proto.Field(proto.MESSAGE, number=3, message=resources.ImportJob,)
+
+
+class UpdateCryptoKeyRequest(proto.Message):
+    r"""Request message for
+    [KeyManagementService.UpdateCryptoKey][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKey].
+
+    Attributes:
+        crypto_key (~.resources.CryptoKey):
+            Required. [CryptoKey][google.cloud.kms.v1.CryptoKey] with
+            updated values.
+        update_mask (~.field_mask.FieldMask):
+            Required. List of fields to be updated in
+            this request.
+    """
+
+    crypto_key = proto.Field(proto.MESSAGE, number=1, message=resources.CryptoKey,)
+
+    update_mask = proto.Field(proto.MESSAGE, number=2, message=field_mask.FieldMask,)
+
+
+class UpdateCryptoKeyVersionRequest(proto.Message):
+    r"""Request message for
+    [KeyManagementService.UpdateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyVersion].
+
+    Attributes:
+        crypto_key_version (~.resources.CryptoKeyVersion):
+            Required.
+            [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+            with updated values.
+        update_mask (~.field_mask.FieldMask):
+            Required. List of fields to be updated in
+            this request.
+    """
+
+    crypto_key_version = proto.Field(
+        proto.MESSAGE, number=1, message=resources.CryptoKeyVersion,
+    )
+
+    update_mask = proto.Field(proto.MESSAGE, number=2, message=field_mask.FieldMask,)
+
+
+class EncryptRequest(proto.Message):
+    r"""Request message for
+    [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
+
+    Attributes:
+        name (str):
+            Required. The resource name of the
+            [CryptoKey][google.cloud.kms.v1.CryptoKey] or
+            [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to
+            use for encryption.
+
+            If a [CryptoKey][google.cloud.kms.v1.CryptoKey] is
+            specified, the server will use its [primary
+            version][google.cloud.kms.v1.CryptoKey.primary].
+        plaintext (bytes):
+            Required. The data to encrypt. Must be no larger than 64KiB.
+
+            The maximum size depends on the key version's
+            [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level].
+            For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE]
+            keys, the plaintext must be no larger than 64KiB. For
+            [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the
+            combined length of the plaintext and
+            additional_authenticated_data fields must be no larger than
+            8KiB.
+        additional_authenticated_data (bytes):
+            Optional. Optional data that, if specified, must also be
+            provided during decryption through
+            [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data].
+
+            The maximum size depends on the key version's
+            [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level].
+            For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE]
+            keys, the AAD must be no larger than 64KiB. For
+            [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the
+            combined length of the plaintext and
+            additional_authenticated_data fields must be no larger than
+            8KiB.
+    """
+
+    name = proto.Field(proto.STRING, number=1)
+
+    plaintext = proto.Field(proto.BYTES, number=2)
+
+    additional_authenticated_data = proto.Field(proto.BYTES, number=3)
+
+
+class DecryptRequest(proto.Message):
+    r"""Request message for
+    [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
+
+    Attributes:
+        name (str):
+            Required. The resource name of the
+            [CryptoKey][google.cloud.kms.v1.CryptoKey] to use for
+            decryption. The server will choose the appropriate version.
+        ciphertext (bytes):
+            Required. The encrypted data originally returned in
+            [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext].
+        additional_authenticated_data (bytes):
+            Optional. Optional data that must match the data originally
+            supplied in
+            [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data].
+    """
+
+    name = proto.Field(proto.STRING, number=1)
+
+    ciphertext = proto.Field(proto.BYTES, number=2)
+
+    additional_authenticated_data = proto.Field(proto.BYTES, number=3)
+
+
+class AsymmetricSignRequest(proto.Message):
+    r"""Request message for
+    [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].
+
+    Attributes:
+        name (str):
+            Required. The resource name of the
+            [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to
+            use for signing.
+        digest (~.service.Digest):
+            Required. The digest of the data to sign. The digest must be
+            produced with the same digest algorithm as specified by the
+            key version's
+            [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm].
+    """
+
+    name = proto.Field(proto.STRING, number=1)
+
+    digest = proto.Field(proto.MESSAGE, number=3, message="Digest",)
+
+
+class AsymmetricDecryptRequest(proto.Message):
+    r"""Request message for
+    [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].
+
+    Attributes:
+        name (str):
+            Required. The resource name of the
+            [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to
+            use for decryption.
+        ciphertext (bytes):
+            Required. The data encrypted with the named
+            [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s
+            public key using OAEP.
+    """
+
+    name = proto.Field(proto.STRING, number=1)
+
+    ciphertext = proto.Field(proto.BYTES, number=3)
+
+
+class DecryptResponse(proto.Message):
+    r"""Response message for
+    [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
+
+    Attributes:
+        plaintext (bytes):
+            The decrypted data originally supplied in
+            [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext].
+    """
+
+    plaintext = proto.Field(proto.BYTES, number=1)
+
+
+class EncryptResponse(proto.Message):
+    r"""Response message for
+    [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
+
+    Attributes:
+        name (str):
+            The resource name of the
+            [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+            used in encryption. Check this field to verify that the
+            intended resource was used for encryption.
+        ciphertext (bytes):
+            The encrypted data.
+    """
+
+    name = proto.Field(proto.STRING, number=1)
+
+    ciphertext = proto.Field(proto.BYTES, number=2)
+
+
+class AsymmetricSignResponse(proto.Message):
+    r"""Response message for
+    [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].
+
+    Attributes:
+        signature (bytes):
+            The created signature.
+    """
+
+    signature = proto.Field(proto.BYTES, number=1)
+
+
+class AsymmetricDecryptResponse(proto.Message):
+    r"""Response message for
+    [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].
+
+    Attributes:
+        plaintext (bytes):
+            The decrypted data originally encrypted with
+            the matching public key.
+    """
+
+    plaintext = proto.Field(proto.BYTES, number=1)
+
+
+class UpdateCryptoKeyPrimaryVersionRequest(proto.Message):
+    r"""Request message for
+    [KeyManagementService.UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion].
+
+    Attributes:
+        name (str):
+            Required. The resource name of the
+            [CryptoKey][google.cloud.kms.v1.CryptoKey] to update.
+        crypto_key_version_id (str):
+            Required. The id of the child
+            [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to
+            use as primary.
+    """
+
+    name = proto.Field(proto.STRING, number=1)
+
+    crypto_key_version_id = proto.Field(proto.STRING, number=2)
+
+
+class DestroyCryptoKeyVersionRequest(proto.Message):
+    r"""Request message for
+    [KeyManagementService.DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion].
+
+    Attributes:
+        name (str):
+            Required. The resource name of the
+            [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to
+            destroy.
+    """
+
+    name = proto.Field(proto.STRING, number=1)
+
+
+class RestoreCryptoKeyVersionRequest(proto.Message):
+    r"""Request message for
+    [KeyManagementService.RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion].
+
+    Attributes:
+        name (str):
+            Required. The resource name of the
+            [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to
+            restore.
+    """
+
+    name = proto.Field(proto.STRING, number=1)
+
+
+class Digest(proto.Message):
+    r"""A [Digest][google.cloud.kms.v1.Digest] holds a cryptographic message
+    digest.
+
+    Attributes:
+        sha256 (bytes):
+            A message digest produced with the SHA-256
+            algorithm.
+        sha384 (bytes):
+            A message digest produced with the SHA-384
+            algorithm.
+        sha512 (bytes):
+            A message digest produced with the SHA-512
+            algorithm.
+    """
+
+    sha256 = proto.Field(proto.BYTES, number=1, oneof="digest")
+
+    sha384 = proto.Field(proto.BYTES, number=2, oneof="digest")
+
+    sha512 = proto.Field(proto.BYTES, number=3, oneof="digest")
+
+
+class LocationMetadata(proto.Message):
+    r"""Cloud KMS metadata for the given
+    [google.cloud.location.Location][google.cloud.location.Location].
+
+    Attributes:
+        hsm_available (bool):
+            Indicates whether
+            [CryptoKeys][google.cloud.kms.v1.CryptoKey] with
+            [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]
+            [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] can be
+            created in this location.
+        ekm_available (bool):
+            Indicates whether
+            [CryptoKeys][google.cloud.kms.v1.CryptoKey] with
+            [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]
+            [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] can
+            be created in this location.
+    """
+
+    hsm_available = proto.Field(proto.BOOL, number=1)
+
+    ekm_available = proto.Field(proto.BOOL, number=2)
+
+
+__all__ = tuple(sorted(__protobuf__.manifest))
diff --git a/packages/google-cloud-kms/mypy.ini b/packages/google-cloud-kms/mypy.ini
new file mode 100644
index 000000000000..4505b485436b
--- /dev/null
+++ b/packages/google-cloud-kms/mypy.ini
@@ -0,0 +1,3 @@
+[mypy]
+python_version = 3.6
+namespace_packages = True
diff --git a/packages/google-cloud-kms/noxfile.py b/packages/google-cloud-kms/noxfile.py
index 552de1b0eed1..eef3316508cc 100644
--- a/packages/google-cloud-kms/noxfile.py
+++ b/packages/google-cloud-kms/noxfile.py
@@ -23,12 +23,12 @@
 import nox
 
 
-BLACK_VERSION = "black==19.3b0"
+BLACK_VERSION = "black==19.10b0"
 BLACK_PATHS = ["docs", "google", "tests", "noxfile.py", "setup.py"]
 
-DEFAULT_PYTHON_VERSION = "3.7"
-SYSTEM_TEST_PYTHON_VERSIONS = ["2.7", "3.7"]
-UNIT_TEST_PYTHON_VERSIONS = ["2.7", "3.5", "3.6", "3.7", "3.8"]
+DEFAULT_PYTHON_VERSION = "3.8"
+SYSTEM_TEST_PYTHON_VERSIONS = ["3.8"]
+UNIT_TEST_PYTHON_VERSIONS = ["3.6", "3.7", "3.8"]
 
 
 @nox.session(python=DEFAULT_PYTHON_VERSION)
@@ -39,7 +39,9 @@ def lint(session):
     serious code quality issues.
     """
     session.install("flake8", BLACK_VERSION)
-    session.run("black", "--check", *BLACK_PATHS)
+    session.run(
+        "black", "--check", *BLACK_PATHS,
+    )
     session.run("flake8", "google", "tests")
 
 
@@ -54,7 +56,9 @@ def blacken(session):
     check the state of the `gcp_ubuntu_config` we use for that Kokoro run.
     """
     session.install(BLACK_VERSION)
-    session.run("black", *BLACK_PATHS)
+    session.run(
+        "black", *BLACK_PATHS,
+    )
 
 
 @nox.session(python=DEFAULT_PYTHON_VERSION)
@@ -66,6 +70,8 @@ def lint_setup_py(session):
 
 def default(session):
     # Install all test dependencies, then install this package in-place.
+    session.install("asyncmock", "pytest-asyncio")
+
     session.install("mock", "pytest", "pytest-cov")
     session.install("-e", ".")
 
@@ -111,7 +117,9 @@ def system(session):
 
     # Install all test dependencies, then install this package into the
     # virtualenv's dist-packages.
-    session.install("mock", "pytest", "google-cloud-testutils")
+    session.install(
+        "mock", "pytest", "google-cloud-testutils",
+    )
     session.install("-e", ".")
 
     # Run py.test against the system tests.
@@ -129,7 +137,7 @@ def cover(session):
     test runs (not system test runs), and then erases coverage data.
     """
     session.install("coverage", "pytest-cov")
-    session.run("coverage", "report", "--show-missing", "--fail-under=70")
+    session.run("coverage", "report", "--show-missing", "--fail-under=99")
 
     session.run("coverage", "erase")
 
@@ -139,7 +147,7 @@ def docs(session):
     """Build the docs for this library."""
 
     session.install("-e", ".")
-    session.install("sphinx<3.0.0", "alabaster", "recommonmark")
+    session.install("sphinx", "alabaster", "recommonmark")
 
     shutil.rmtree(os.path.join("docs", "_build"), ignore_errors=True)
     session.run(
diff --git a/packages/google-cloud-kms/samples/attestations/README.rst b/packages/google-cloud-kms/samples/attestations/README.rst
index dddddfbcd7d3..0c56a914359f 100644
--- a/packages/google-cloud-kms/samples/attestations/README.rst
+++ b/packages/google-cloud-kms/samples/attestations/README.rst
@@ -32,7 +32,7 @@ Install Dependencies
    .. _Python Development Environment Setup Guide:
        https://cloud.google.com/python/setup
 
-#. Create a virtualenv. Samples are compatible with Python 2.7 and 3.4+.
+#. Create a virtualenv. Samples are compatible with Python 3.6+.
 
     .. code-block:: bash
 
@@ -48,9 +48,15 @@ Install Dependencies
 .. _pip: https://pip.pypa.io/
 .. _virtualenv: https://virtualenv.pypa.io/
 
+
+
+
+
+
 Samples
 -------------------------------------------------------------------------------
 
+
 Verify attestations for keys generated by Cloud HSM
 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 
@@ -66,9 +72,26 @@ To run this sample:
 
     $ python verify_attestation.py
 
-    
+
+    usage: verify_attestation.py [-h] attestation_file bundle_file
+
+    This application verifies HSM attestations using certificate bundles obtained
+    from Cloud HSM. For more information, visit
+    https://cloud.google.com/kms/docs/attest-key.
+
+    positional arguments:
+      attestation_file  Name of attestation file.
+      bundle_file       Name of certificate bundle file.
+
+    optional arguments:
+      -h, --help        show this help message and exit
+
+
+
+
+
 
 
 
 
-.. _Google Cloud SDK: https://cloud.google.com/sdk/
\ No newline at end of file
+.. _Google Cloud SDK: https://cloud.google.com/sdk/
diff --git a/packages/google-cloud-kms/samples/attestations/noxfile.py b/packages/google-cloud-kms/samples/attestations/noxfile.py
index b23055f14a65..ba55d7ce53ca 100644
--- a/packages/google-cloud-kms/samples/attestations/noxfile.py
+++ b/packages/google-cloud-kms/samples/attestations/noxfile.py
@@ -43,7 +43,7 @@
     # to 'BUILD_SPECIFIC_GCLOUD_PROJECT' if you want to opt in using a
     # build specific Cloud project. You can also use your own string
     # to use your own Cloud project.
-    'gcloud_project_env': 'GCLOUD_PROJECT',
+    'gcloud_project_env': 'GOOGLE_CLOUD_PROJECT',
     # 'gcloud_project_env': 'BUILD_SPECIFIC_GCLOUD_PROJECT',
 
     # A dictionary you want to inject into your test. Don't put any
@@ -72,7 +72,6 @@ def get_pytest_env_vars():
     env_key = TEST_CONFIG['gcloud_project_env']
     # This should error out if not set.
     ret['GOOGLE_CLOUD_PROJECT'] = os.environ[env_key]
-    ret['GCLOUD_PROJECT'] = os.environ[env_key]
 
     # Apply user supplied envs.
     ret.update(TEST_CONFIG['envs'])
diff --git a/packages/google-cloud-kms/samples/snippets/create_key_asymmetric_decrypt.py b/packages/google-cloud-kms/samples/snippets/create_key_asymmetric_decrypt.py
index cac157958ebd..4865a266cf45 100644
--- a/packages/google-cloud-kms/samples/snippets/create_key_asymmetric_decrypt.py
+++ b/packages/google-cloud-kms/samples/snippets/create_key_asymmetric_decrypt.py
@@ -38,8 +38,8 @@ def create_key_asymmetric_decrypt(project_id, location_id, key_ring_id, id):
     key_ring_name = client.key_ring_path(project_id, location_id, key_ring_id)
 
     # Build the key.
-    purpose = kms.enums.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT
-    algorithm = kms.enums.CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_DECRYPT_OAEP_2048_SHA256
+    purpose = kms.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT
+    algorithm = kms.CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_DECRYPT_OAEP_2048_SHA256
     key = {
         'purpose': purpose,
         'version_template': {
@@ -48,7 +48,7 @@ def create_key_asymmetric_decrypt(project_id, location_id, key_ring_id, id):
     }
 
     # Call the API.
-    created_key = client.create_crypto_key(key_ring_name, id, key)
+    created_key = client.create_crypto_key(request={'parent': key_ring_name, 'crypto_key_id': id, 'crypto_key': key})
     print('Created asymmetric decrypt key: {}'.format(created_key.name))
     return created_key
 # [END kms_create_key_asymmetric_decrypt]
diff --git a/packages/google-cloud-kms/samples/snippets/create_key_asymmetric_sign.py b/packages/google-cloud-kms/samples/snippets/create_key_asymmetric_sign.py
index 9bf18a7a996d..1b05799727b4 100644
--- a/packages/google-cloud-kms/samples/snippets/create_key_asymmetric_sign.py
+++ b/packages/google-cloud-kms/samples/snippets/create_key_asymmetric_sign.py
@@ -38,8 +38,8 @@ def create_key_asymmetric_sign(project_id, location_id, key_ring_id, id):
     key_ring_name = client.key_ring_path(project_id, location_id, key_ring_id)
 
     # Build the key.
-    purpose = kms.enums.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN
-    algorithm = kms.enums.CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
+    purpose = kms.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN
+    algorithm = kms.CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
     key = {
         'purpose': purpose,
         'version_template': {
@@ -48,7 +48,7 @@ def create_key_asymmetric_sign(project_id, location_id, key_ring_id, id):
     }
 
     # Call the API.
-    created_key = client.create_crypto_key(key_ring_name, id, key)
+    created_key = client.create_crypto_key(request={'parent': key_ring_name, 'crypto_key_id': id, 'crypto_key': key})
     print('Created asymmetric signing key: {}'.format(created_key.name))
     return created_key
 # [END kms_create_key_asymmetric_sign]
diff --git a/packages/google-cloud-kms/samples/snippets/create_key_hsm.py b/packages/google-cloud-kms/samples/snippets/create_key_hsm.py
index 84ba37e5d00e..34a9c8a2c509 100644
--- a/packages/google-cloud-kms/samples/snippets/create_key_hsm.py
+++ b/packages/google-cloud-kms/samples/snippets/create_key_hsm.py
@@ -38,9 +38,9 @@ def create_key_hsm(project_id, location_id, key_ring_id, id):
     key_ring_name = client.key_ring_path(project_id, location_id, key_ring_id)
 
     # Build the key.
-    purpose = kms.enums.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
-    algorithm = kms.enums.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION
-    protection_level = kms.enums.ProtectionLevel.HSM
+    purpose = kms.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
+    algorithm = kms.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION
+    protection_level = kms.ProtectionLevel.HSM
     key = {
         'purpose': purpose,
         'version_template': {
@@ -50,7 +50,7 @@ def create_key_hsm(project_id, location_id, key_ring_id, id):
     }
 
     # Call the API.
-    created_key = client.create_crypto_key(key_ring_name, id, key)
+    created_key = client.create_crypto_key(request={'parent': key_ring_name, 'crypto_key_id': id, 'crypto_key': key})
     print('Created hsm key: {}'.format(created_key.name))
     return created_key
 # [END kms_create_key_hsm]
diff --git a/packages/google-cloud-kms/samples/snippets/create_key_labels.py b/packages/google-cloud-kms/samples/snippets/create_key_labels.py
index e64a10cb955f..1bef62ebfb24 100644
--- a/packages/google-cloud-kms/samples/snippets/create_key_labels.py
+++ b/packages/google-cloud-kms/samples/snippets/create_key_labels.py
@@ -38,8 +38,8 @@ def create_key_labels(project_id, location_id, key_ring_id, id):
     key_ring_name = client.key_ring_path(project_id, location_id, key_ring_id)
 
     # Build the key.
-    purpose = kms.enums.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
-    algorithm = kms.enums.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION
+    purpose = kms.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
+    algorithm = kms.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION
     key = {
         'purpose': purpose,
         'version_template': {
@@ -52,7 +52,7 @@ def create_key_labels(project_id, location_id, key_ring_id, id):
     }
 
     # Call the API.
-    created_key = client.create_crypto_key(key_ring_name, id, key)
+    created_key = client.create_crypto_key(request={'parent': key_ring_name, 'crypto_key_id': id, 'crypto_key': key})
     print('Created labeled key: {}'.format(created_key.name))
     return created_key
 # [END kms_create_key_labels]
diff --git a/packages/google-cloud-kms/samples/snippets/create_key_ring.py b/packages/google-cloud-kms/samples/snippets/create_key_ring.py
index c01e8490516b..49348aa9a20d 100644
--- a/packages/google-cloud-kms/samples/snippets/create_key_ring.py
+++ b/packages/google-cloud-kms/samples/snippets/create_key_ring.py
@@ -34,13 +34,13 @@ def create_key_ring(project_id, location_id, id):
     client = kms.KeyManagementServiceClient()
 
     # Build the parent location name.
-    location_name = client.location_path(project_id, location_id)
+    location_name = f'projects/{project_id}/locations/{location_id}'
 
     # Build the key ring.
     key_ring = {}
 
     # Call the API.
-    created_key_ring = client.create_key_ring(location_name, id, key_ring)
+    created_key_ring = client.create_key_ring(request={'parent': location_name, 'key_ring_id': id, 'key_ring': key_ring})
     print('Created key ring: {}'.format(created_key_ring.name))
     return created_key_ring
 # [END kms_create_key_ring]
diff --git a/packages/google-cloud-kms/samples/snippets/create_key_rotation_schedule.py b/packages/google-cloud-kms/samples/snippets/create_key_rotation_schedule.py
index e6bbdb62d361..02e323345e6f 100644
--- a/packages/google-cloud-kms/samples/snippets/create_key_rotation_schedule.py
+++ b/packages/google-cloud-kms/samples/snippets/create_key_rotation_schedule.py
@@ -41,8 +41,8 @@ def create_key_rotation_schedule(project_id, location_id, key_ring_id, id):
     key_ring_name = client.key_ring_path(project_id, location_id, key_ring_id)
 
     # Build the key.
-    purpose = kms.enums.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
-    algorithm = kms.enums.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION
+    purpose = kms.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
+    algorithm = kms.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION
     key = {
         'purpose': purpose,
         'version_template': {
@@ -61,7 +61,7 @@ def create_key_rotation_schedule(project_id, location_id, key_ring_id, id):
     }
 
     # Call the API.
-    created_key = client.create_crypto_key(key_ring_name, id, key)
+    created_key = client.create_crypto_key(request={'parent': key_ring_name, 'crypto_key_id': id, 'crypto_key': key})
     print('Created labeled key: {}'.format(created_key.name))
     return created_key
 # [END kms_create_key_rotation_schedule]
diff --git a/packages/google-cloud-kms/samples/snippets/create_key_symmetric_encrypt_decrypt.py b/packages/google-cloud-kms/samples/snippets/create_key_symmetric_encrypt_decrypt.py
index 54b9c5f40981..1b6b88c5cf50 100644
--- a/packages/google-cloud-kms/samples/snippets/create_key_symmetric_encrypt_decrypt.py
+++ b/packages/google-cloud-kms/samples/snippets/create_key_symmetric_encrypt_decrypt.py
@@ -38,8 +38,8 @@ def create_key_symmetric_encrypt_decrypt(project_id, location_id, key_ring_id, i
     key_ring_name = client.key_ring_path(project_id, location_id, key_ring_id)
 
     # Build the key.
-    purpose = kms.enums.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
-    algorithm = kms.enums.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION
+    purpose = kms.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
+    algorithm = kms.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION
     key = {
         'purpose': purpose,
         'version_template': {
@@ -48,7 +48,7 @@ def create_key_symmetric_encrypt_decrypt(project_id, location_id, key_ring_id, i
     }
 
     # Call the API.
-    created_key = client.create_crypto_key(key_ring_name, id, key)
+    created_key = client.create_crypto_key(request={'parent': key_ring_name, 'crypto_key_id': id, 'crypto_key': key})
     print('Created symmetric key: {}'.format(created_key.name))
     return created_key
 # [END kms_create_key_symmetric_encrypt_decrypt]
diff --git a/packages/google-cloud-kms/samples/snippets/create_key_version.py b/packages/google-cloud-kms/samples/snippets/create_key_version.py
index 9c84f808a943..aced5abfc9db 100644
--- a/packages/google-cloud-kms/samples/snippets/create_key_version.py
+++ b/packages/google-cloud-kms/samples/snippets/create_key_version.py
@@ -41,7 +41,7 @@ def create_key_version(project_id, location_id, key_ring_id, key_id):
     version = {}
 
     # Call the API.
-    created_version = client.create_crypto_key_version(key_name, version)
+    created_version = client.create_crypto_key_version(request={'parent': key_name, 'crypto_key_version': version})
     print('Created key version: {}'.format(created_version.name))
     return created_version
 # [END kms_create_key_version]
diff --git a/packages/google-cloud-kms/samples/snippets/decrypt_asymmetric.py b/packages/google-cloud-kms/samples/snippets/decrypt_asymmetric.py
index 7b040cdd4203..7f5397c92392 100644
--- a/packages/google-cloud-kms/samples/snippets/decrypt_asymmetric.py
+++ b/packages/google-cloud-kms/samples/snippets/decrypt_asymmetric.py
@@ -40,7 +40,7 @@ def decrypt_asymmetric(project_id, location_id, key_ring_id, key_id, version_id,
     key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, version_id)
 
     # Call the API.
-    decrypt_response = client.asymmetric_decrypt(key_version_name, ciphertext)
+    decrypt_response = client.asymmetric_decrypt(request={'name': key_version_name, 'ciphertext': ciphertext})
     print('Plaintext: {}'.format(decrypt_response.plaintext))
     return decrypt_response
 # [END kms_decrypt_asymmetric]
diff --git a/packages/google-cloud-kms/samples/snippets/decrypt_symmetric.py b/packages/google-cloud-kms/samples/snippets/decrypt_symmetric.py
index a5cbe714279b..c0b64d3b2d16 100644
--- a/packages/google-cloud-kms/samples/snippets/decrypt_symmetric.py
+++ b/packages/google-cloud-kms/samples/snippets/decrypt_symmetric.py
@@ -39,7 +39,7 @@ def decrypt_symmetric(project_id, location_id, key_ring_id, key_id, ciphertext):
     key_name = client.crypto_key_path(project_id, location_id, key_ring_id, key_id)
 
     # Call the API.
-    decrypt_response = client.decrypt(key_name, ciphertext)
+    decrypt_response = client.decrypt(request={'name': key_name, 'ciphertext': ciphertext})
     print('Plaintext: {}'.format(decrypt_response.plaintext))
     return decrypt_response
 # [END kms_decrypt_symmetric]
diff --git a/packages/google-cloud-kms/samples/snippets/destroy_key_version.py b/packages/google-cloud-kms/samples/snippets/destroy_key_version.py
index 7423ca7e099e..1425c890e4b0 100644
--- a/packages/google-cloud-kms/samples/snippets/destroy_key_version.py
+++ b/packages/google-cloud-kms/samples/snippets/destroy_key_version.py
@@ -39,7 +39,7 @@ def destroy_key_version(project_id, location_id, key_ring_id, key_id, version_id
     key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, version_id)
 
     # Call the API.
-    destroyed_version = client.destroy_crypto_key_version(key_version_name)
+    destroyed_version = client.destroy_crypto_key_version(request={'name': key_version_name})
     print('Destroyed key version: {}'.format(destroyed_version.name))
     return destroyed_version
 # [END kms_destroy_key_version]
diff --git a/packages/google-cloud-kms/samples/snippets/disable_key_version.py b/packages/google-cloud-kms/samples/snippets/disable_key_version.py
index a4a16dd57a65..a4625d704393 100644
--- a/packages/google-cloud-kms/samples/snippets/disable_key_version.py
+++ b/packages/google-cloud-kms/samples/snippets/disable_key_version.py
@@ -38,18 +38,16 @@ def disable_key_version(project_id, location_id, key_ring_id, key_id, version_id
     # Build the key version name.
     key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, version_id)
 
-    # Build the key version. We need to build a full proto instead of a dict due
-    # to https://github.com/googleapis/gapic-generator-python/issues/364.
-    from google.cloud.kms_v1.proto import resources_pb2
-    key_version = resources_pb2.CryptoKeyVersion()
-    key_version.name = key_version_name
-    key_version.state = kms.enums.CryptoKeyVersion.CryptoKeyVersionState.DISABLED
+    key_version = {
+        'name': key_version_name,
+        'state': kms.CryptoKeyVersion.CryptoKeyVersionState.DISABLED
+    }
 
     # Build the update mask.
     update_mask = {'paths': ['state']}
 
     # Call the API.
-    disabled_version = client.update_crypto_key_version(key_version, update_mask)
+    disabled_version = client.update_crypto_key_version(request={'crypto_key_version': key_version, 'update_mask': update_mask})
     print('Disabled key version: {}'.format(disabled_version.name))
     return disabled_version
 # [END kms_disable_key_version]
diff --git a/packages/google-cloud-kms/samples/snippets/enable_key_version.py b/packages/google-cloud-kms/samples/snippets/enable_key_version.py
index 9cb8daadd66f..edad8eabe1c9 100644
--- a/packages/google-cloud-kms/samples/snippets/enable_key_version.py
+++ b/packages/google-cloud-kms/samples/snippets/enable_key_version.py
@@ -38,18 +38,16 @@ def enable_key_version(project_id, location_id, key_ring_id, key_id, version_id)
     # Build the key version name.
     key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, version_id)
 
-    # Build the key version. We need to build a full proto instead of a dict due
-    # to https://github.com/googleapis/gapic-generator-python/issues/364.
-    from google.cloud.kms_v1.proto import resources_pb2
-    key_version = resources_pb2.CryptoKeyVersion()
-    key_version.name = key_version_name
-    key_version.state = kms.enums.CryptoKeyVersion.CryptoKeyVersionState.ENABLED
+    key_version = {
+        'name': key_version_name,
+        'state': kms.CryptoKeyVersion.CryptoKeyVersionState.ENABLED
+    }
 
     # Build the update mask.
     update_mask = {'paths': ['state']}
 
     # Call the API.
-    enabled_version = client.update_crypto_key_version(key_version, update_mask)
+    enabled_version = client.update_crypto_key_version(request={'crypto_key_version': key_version, 'update_mask': update_mask})
     print('Enabled key version: {}'.format(enabled_version.name))
     return enabled_version
 # [END kms_enable_key_version]
diff --git a/packages/google-cloud-kms/samples/snippets/encrypt_asymmetric.py b/packages/google-cloud-kms/samples/snippets/encrypt_asymmetric.py
index efe40322c425..065c7e9bf70d 100644
--- a/packages/google-cloud-kms/samples/snippets/encrypt_asymmetric.py
+++ b/packages/google-cloud-kms/samples/snippets/encrypt_asymmetric.py
@@ -51,7 +51,7 @@ def encrypt_asymmetric(project_id, location_id, key_ring_id, key_id, version_id,
     key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, version_id)
 
     # Get the public key.
-    public_key = client.get_public_key(key_version_name)
+    public_key = client.get_public_key(request={'name': key_version_name})
 
     # Extract and parse the public key as a PEM-encoded RSA key.
     pem = public_key.pem.encode('utf-8')
diff --git a/packages/google-cloud-kms/samples/snippets/encrypt_symmetric.py b/packages/google-cloud-kms/samples/snippets/encrypt_symmetric.py
index b90da358f676..9cc3b1a5d12c 100644
--- a/packages/google-cloud-kms/samples/snippets/encrypt_symmetric.py
+++ b/packages/google-cloud-kms/samples/snippets/encrypt_symmetric.py
@@ -45,7 +45,7 @@ def encrypt_symmetric(project_id, location_id, key_ring_id, key_id, plaintext):
     key_name = client.crypto_key_path(project_id, location_id, key_ring_id, key_id)
 
     # Call the API.
-    encrypt_response = client.encrypt(key_name, plaintext_bytes)
+    encrypt_response = client.encrypt(request={'name': key_name, 'plaintext': plaintext_bytes})
     print('Ciphertext: {}'.format(base64.b64encode(encrypt_response.ciphertext)))
     return encrypt_response
 # [END kms_encrypt_symmetric]
diff --git a/packages/google-cloud-kms/samples/snippets/get_key_labels.py b/packages/google-cloud-kms/samples/snippets/get_key_labels.py
index 363bcfbaf03b..504dbcaa0c03 100644
--- a/packages/google-cloud-kms/samples/snippets/get_key_labels.py
+++ b/packages/google-cloud-kms/samples/snippets/get_key_labels.py
@@ -38,7 +38,7 @@ def get_key_labels(project_id, location_id, key_ring_id, key_id):
     key_name = client.crypto_key_path(project_id, location_id, key_ring_id, key_id)
 
     # Call the API.
-    key = client.get_crypto_key(key_name)
+    key = client.get_crypto_key(request={'name': key_name})
 
     # Example of iterating over labels.
     for k, v in key.labels.items():
diff --git a/packages/google-cloud-kms/samples/snippets/get_key_version_attestation.py b/packages/google-cloud-kms/samples/snippets/get_key_version_attestation.py
index 615d4653d8ef..569cf2045bba 100644
--- a/packages/google-cloud-kms/samples/snippets/get_key_version_attestation.py
+++ b/packages/google-cloud-kms/samples/snippets/get_key_version_attestation.py
@@ -42,7 +42,7 @@ def get_key_version_attestation(project_id, location_id, key_ring_id, key_id, ve
     key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, version_id)
 
     # Call the API.
-    version = client.get_crypto_key_version(key_version_name)
+    version = client.get_crypto_key_version(request={'name': key_version_name})
 
     # Only HSM keys have an attestation. For other key types, the attestion
     # will be None.
diff --git a/packages/google-cloud-kms/samples/snippets/get_public_key.py b/packages/google-cloud-kms/samples/snippets/get_public_key.py
index 1b810d15f6ad..bdc91139944d 100644
--- a/packages/google-cloud-kms/samples/snippets/get_public_key.py
+++ b/packages/google-cloud-kms/samples/snippets/get_public_key.py
@@ -39,7 +39,7 @@ def get_public_key(project_id, location_id, key_ring_id, key_id, version_id):
     key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, version_id)
 
     # Call the API.
-    public_key = client.get_public_key(key_version_name)
+    public_key = client.get_public_key(request={'name': key_version_name})
     print('Public key: {}'.format(public_key.pem))
     return public_key
 # [END kms_get_public_key]
diff --git a/packages/google-cloud-kms/samples/snippets/iam_add_member.py b/packages/google-cloud-kms/samples/snippets/iam_add_member.py
index 442f248390de..7847aa4a7079 100644
--- a/packages/google-cloud-kms/samples/snippets/iam_add_member.py
+++ b/packages/google-cloud-kms/samples/snippets/iam_add_member.py
@@ -42,7 +42,7 @@ def iam_add_member(project_id, location_id, key_ring_id, key_id, member):
     # resource_name = client.key_ring_path(project_id, location_id, key_ring_id);
 
     # Get the current policy.
-    policy = client.get_iam_policy(resource_name)
+    policy = client.get_iam_policy(request={'resource': resource_name})
 
     # Add the member to the policy.
     policy.bindings.add(
@@ -50,7 +50,12 @@ def iam_add_member(project_id, location_id, key_ring_id, key_id, member):
         members=[member])
 
     # Save the updated IAM policy.
-    updated_policy = client.set_iam_policy(resource_name, policy)
+    request = {
+        'resource': resource_name,
+        'policy': policy
+    }
+
+    updated_policy = client.set_iam_policy(request=request)
     print('Added {} to {}'.format(member, resource_name))
     return updated_policy
 # [END kms_iam_add_member]
diff --git a/packages/google-cloud-kms/samples/snippets/iam_get_policy.py b/packages/google-cloud-kms/samples/snippets/iam_get_policy.py
index c00172e98a5b..96ae743ebb5a 100644
--- a/packages/google-cloud-kms/samples/snippets/iam_get_policy.py
+++ b/packages/google-cloud-kms/samples/snippets/iam_get_policy.py
@@ -41,7 +41,7 @@ def iam_get_policy(project_id, location_id, key_ring_id, key_id):
     # resource_name = client.key_ring_path(project_id, location_id, key_ring_id);
 
     # Get the current policy.
-    policy = client.get_iam_policy(resource_name)
+    policy = client.get_iam_policy(request={'resource': resource_name})
 
     # Print the policy
     print('IAM policy for {}'.format(resource_name))
diff --git a/packages/google-cloud-kms/samples/snippets/iam_remove_member.py b/packages/google-cloud-kms/samples/snippets/iam_remove_member.py
index ad73fab943c5..890a027d9e54 100644
--- a/packages/google-cloud-kms/samples/snippets/iam_remove_member.py
+++ b/packages/google-cloud-kms/samples/snippets/iam_remove_member.py
@@ -42,7 +42,7 @@ def iam_remove_member(project_id, location_id, key_ring_id, key_id, member):
     # resource_name = client.key_ring_path(project_id, location_id, key_ring_id);
 
     # Get the current policy.
-    policy = client.get_iam_policy(resource_name)
+    policy = client.get_iam_policy(request={'resource': resource_name})
 
     # Remove the member from the policy.
     for binding in policy.bindings:
@@ -51,7 +51,11 @@ def iam_remove_member(project_id, location_id, key_ring_id, key_id, member):
                 binding.members.remove(member)
 
     # Save the updated IAM policy.
-    updated_policy = client.set_iam_policy(resource_name, policy)
+    request = {
+        'resource': resource_name,
+        'policy': policy
+    }
+    updated_policy = client.set_iam_policy(request=request)
     print('Removed {} from {}'.format(member, resource_name))
     return updated_policy
 # [END kms_iam_remove_member]
diff --git a/packages/google-cloud-kms/samples/snippets/noxfile.py b/packages/google-cloud-kms/samples/snippets/noxfile.py
index b23055f14a65..ba55d7ce53ca 100644
--- a/packages/google-cloud-kms/samples/snippets/noxfile.py
+++ b/packages/google-cloud-kms/samples/snippets/noxfile.py
@@ -43,7 +43,7 @@
     # to 'BUILD_SPECIFIC_GCLOUD_PROJECT' if you want to opt in using a
     # build specific Cloud project. You can also use your own string
     # to use your own Cloud project.
-    'gcloud_project_env': 'GCLOUD_PROJECT',
+    'gcloud_project_env': 'GOOGLE_CLOUD_PROJECT',
     # 'gcloud_project_env': 'BUILD_SPECIFIC_GCLOUD_PROJECT',
 
     # A dictionary you want to inject into your test. Don't put any
@@ -72,7 +72,6 @@ def get_pytest_env_vars():
     env_key = TEST_CONFIG['gcloud_project_env']
     # This should error out if not set.
     ret['GOOGLE_CLOUD_PROJECT'] = os.environ[env_key]
-    ret['GCLOUD_PROJECT'] = os.environ[env_key]
 
     # Apply user supplied envs.
     ret.update(TEST_CONFIG['envs'])
diff --git a/packages/google-cloud-kms/samples/snippets/quickstart.py b/packages/google-cloud-kms/samples/snippets/quickstart.py
index 91b5a49ad41f..6b24d643f5e0 100644
--- a/packages/google-cloud-kms/samples/snippets/quickstart.py
+++ b/packages/google-cloud-kms/samples/snippets/quickstart.py
@@ -25,10 +25,10 @@ def quickstart(project_id, location_id):
     client = kms.KeyManagementServiceClient()
 
     # Build the parent location name.
-    location_name = client.location_path(project_id, location_id)
+    location_name = f'projects/{project_id}/locations/{location_id}'
 
     # Call the API.
-    key_rings = client.list_key_rings(location_name)
+    key_rings = client.list_key_rings(request={'parent': location_name})
 
     # Example of iterating over key rings.
     for key_ring in key_rings:
diff --git a/packages/google-cloud-kms/samples/snippets/restore_key_version.py b/packages/google-cloud-kms/samples/snippets/restore_key_version.py
index 3c4668d6bedf..c65456b2dff2 100644
--- a/packages/google-cloud-kms/samples/snippets/restore_key_version.py
+++ b/packages/google-cloud-kms/samples/snippets/restore_key_version.py
@@ -39,7 +39,7 @@ def restore_key_version(project_id, location_id, key_ring_id, key_id, version_id
     key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, version_id)
 
     # Call the API.
-    restored_version = client.restore_crypto_key_version(key_version_name)
+    restored_version = client.restore_crypto_key_version(request={'name': key_version_name})
     print('Restored key version: {}'.format(restored_version.name))
     return restored_version
 # [END kms_restore_key_version]
diff --git a/packages/google-cloud-kms/samples/snippets/sign_asymmetric.py b/packages/google-cloud-kms/samples/snippets/sign_asymmetric.py
index a92a13ec20e2..c12a31d2d1f5 100644
--- a/packages/google-cloud-kms/samples/snippets/sign_asymmetric.py
+++ b/packages/google-cloud-kms/samples/snippets/sign_asymmetric.py
@@ -58,7 +58,7 @@ def sign_asymmetric(project_id, location_id, key_ring_id, key_id, version_id, me
     digest = {'sha256': hash_}
 
     # Call the API
-    sign_response = client.asymmetric_sign(key_version_name, digest)
+    sign_response = client.asymmetric_sign(request={'name': key_version_name, 'digest': digest})
     print('Signature: {}'.format(base64.b64encode(sign_response.signature)))
     return sign_response
 # [END kms_sign_asymmetric]
diff --git a/packages/google-cloud-kms/samples/snippets/snippets_test.py b/packages/google-cloud-kms/samples/snippets/snippets_test.py
index 795edeb47370..7e3f02ef04ce 100644
--- a/packages/google-cloud-kms/samples/snippets/snippets_test.py
+++ b/packages/google-cloud-kms/samples/snippets/snippets_test.py
@@ -11,6 +11,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 
+import datetime
 import hashlib
 import os
 import time
@@ -21,7 +22,6 @@
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import padding, utils
 from google.cloud import kms
-from google.cloud.kms_v1.proto import resources_pb2
 import pytest
 
 from create_key_asymmetric_decrypt import create_key_asymmetric_decrypt
@@ -64,7 +64,7 @@ def client():
 
 @pytest.fixture(scope="module")
 def project_id():
-    return os.environ['GCLOUD_PROJECT']
+    return os.environ['GOOGLE_CLOUD_PROJECT']
 
 
 @pytest.fixture(scope="module")
@@ -74,36 +74,34 @@ def location_id():
 
 @pytest.fixture(scope="module")
 def key_ring_id(client, project_id, location_id):
-    location_name = client.location_path(project_id, location_id)
+    location_name = f"projects/{project_id}/locations/{location_id}"
     key_ring_id = '{}'.format(uuid.uuid4())
-    key_ring = client.create_key_ring(location_name, key_ring_id, {})
+    key_ring = client.create_key_ring(request={'parent': location_name, 'key_ring_id': key_ring_id, 'key_ring': {}})
 
     yield key_ring_id
 
-    for key in client.list_crypto_keys(key_ring.name):
-        if key.rotation_period.seconds > 0 or key.next_rotation_time.seconds > 0:
-            # https://github.com/googleapis/gapic-generator-python/issues/364
-            updated_key = resources_pb2.CryptoKey()
-            updated_key.name = key.name
+    for key in client.list_crypto_keys(request={'parent': key_ring.name}):
+        if key.rotation_period or key.next_rotation_time:
+            updated_key = {'name': key.name}
             update_mask = {'paths': ['rotation_period', 'next_rotation_time']}
-            client.update_crypto_key(updated_key, update_mask)
+            client.update_crypto_key(request={'crypto_key': updated_key, 'update_mask': update_mask})
 
         f = 'state != DESTROYED AND state != DESTROY_SCHEDULED'
-        for version in client.list_crypto_key_versions(key.name, filter_=f):
-            client.destroy_crypto_key_version(version.name)
+        for version in client.list_crypto_key_versions(request={'parent': key.name, 'filter': f}):
+            client.destroy_crypto_key_version(request={'name': version.name})
 
 
 @pytest.fixture(scope="module")
 def asymmetric_decrypt_key_id(client, project_id, location_id, key_ring_id):
     key_ring_name = client.key_ring_path(project_id, location_id, key_ring_id)
     key_id = '{}'.format(uuid.uuid4())
-    key = client.create_crypto_key(key_ring_name, key_id, {
-        'purpose': kms.enums.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT,
+    key = client.create_crypto_key(request={'parent': key_ring_name, 'crypto_key_id': key_id, 'crypto_key': {
+        'purpose': kms.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT,
         'version_template': {
-            'algorithm': kms.enums.CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_DECRYPT_OAEP_2048_SHA256
+            'algorithm': kms.CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_DECRYPT_OAEP_2048_SHA256
         },
         'labels': {'foo': 'bar', 'zip': 'zap'}
-    })
+    }})
     wait_for_ready(client, '{}/cryptoKeyVersions/1'.format(key.name))
     return key_id
 
@@ -112,13 +110,13 @@ def asymmetric_decrypt_key_id(client, project_id, location_id, key_ring_id):
 def asymmetric_sign_ec_key_id(client, project_id, location_id, key_ring_id):
     key_ring_name = client.key_ring_path(project_id, location_id, key_ring_id)
     key_id = '{}'.format(uuid.uuid4())
-    key = client.create_crypto_key(key_ring_name, key_id, {
-        'purpose': kms.enums.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN,
+    key = client.create_crypto_key(request={'parent': key_ring_name, 'crypto_key_id': key_id, 'crypto_key': {
+        'purpose': kms.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN,
         'version_template': {
-            'algorithm': kms.enums.CryptoKeyVersion.CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
+            'algorithm': kms.CryptoKeyVersion.CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
         },
         'labels': {'foo': 'bar', 'zip': 'zap'}
-    })
+    }})
     wait_for_ready(client, '{}/cryptoKeyVersions/1'.format(key.name))
     return key_id
 
@@ -127,13 +125,13 @@ def asymmetric_sign_ec_key_id(client, project_id, location_id, key_ring_id):
 def asymmetric_sign_rsa_key_id(client, project_id, location_id, key_ring_id):
     key_ring_name = client.key_ring_path(project_id, location_id, key_ring_id)
     key_id = '{}'.format(uuid.uuid4())
-    key = client.create_crypto_key(key_ring_name, key_id, {
-        'purpose': kms.enums.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN,
+    key = client.create_crypto_key(request={'parent': key_ring_name, 'crypto_key_id': key_id, 'crypto_key': {
+        'purpose': kms.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN,
         'version_template': {
-            'algorithm': kms.enums.CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
+            'algorithm': kms.CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
         },
         'labels': {'foo': 'bar', 'zip': 'zap'}
-    })
+    }})
     wait_for_ready(client, '{}/cryptoKeyVersions/1'.format(key.name))
     return key_id
 
@@ -142,14 +140,14 @@ def asymmetric_sign_rsa_key_id(client, project_id, location_id, key_ring_id):
 def hsm_key_id(client, project_id, location_id, key_ring_id):
     key_ring_name = client.key_ring_path(project_id, location_id, key_ring_id)
     key_id = '{}'.format(uuid.uuid4())
-    key = client.create_crypto_key(key_ring_name, key_id, {
-        'purpose': kms.enums.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT,
+    key = client.create_crypto_key(request={'parent': key_ring_name, 'crypto_key_id': key_id, 'crypto_key': {
+        'purpose': kms.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT,
         'version_template': {
-            'algorithm': kms.enums.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION,
-            'protection_level': kms.enums.ProtectionLevel.HSM
+            'algorithm': kms.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION,
+            'protection_level': kms.ProtectionLevel.HSM
         },
         'labels': {'foo': 'bar', 'zip': 'zap'}
-    })
+    }})
     wait_for_ready(client, '{}/cryptoKeyVersions/1'.format(key.name))
     return key_id
 
@@ -158,21 +156,21 @@ def hsm_key_id(client, project_id, location_id, key_ring_id):
 def symmetric_key_id(client, project_id, location_id, key_ring_id):
     key_ring_name = client.key_ring_path(project_id, location_id, key_ring_id)
     key_id = '{}'.format(uuid.uuid4())
-    key = client.create_crypto_key(key_ring_name, key_id, {
-        'purpose': kms.enums.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT,
+    key = client.create_crypto_key(request={'parent': key_ring_name, 'crypto_key_id': key_id, 'crypto_key': {
+        'purpose': kms.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT,
         'version_template': {
-            'algorithm': kms.enums.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION
+            'algorithm': kms.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION
         },
         'labels': {'foo': 'bar', 'zip': 'zap'}
-    })
+    }})
     wait_for_ready(client, '{}/cryptoKeyVersions/1'.format(key.name))
     return key_id
 
 
 def wait_for_ready(client, key_version_name):
     for i in range(5):
-        key_version = client.get_crypto_key_version(key_version_name)
-        if key_version.state == kms.enums.CryptoKeyVersion.CryptoKeyVersionState.ENABLED:
+        key_version = client.get_crypto_key_version(request={'name': key_version_name})
+        if key_version.state == kms.CryptoKeyVersion.CryptoKeyVersionState.ENABLED:
             return
         time.sleep(0.1*(i**2))
     pytest.fail('{} not ready'.format(key_version_name))
@@ -181,30 +179,30 @@ def wait_for_ready(client, key_version_name):
 def test_create_key_asymmetric_decrypt(project_id, location_id, key_ring_id):
     key_id = '{}'.format(uuid.uuid4())
     key = create_key_asymmetric_decrypt(project_id, location_id, key_ring_id, key_id)
-    assert key.purpose == kms.enums.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT
-    assert key.version_template.algorithm == kms.enums.CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_DECRYPT_OAEP_2048_SHA256
+    assert key.purpose == kms.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT
+    assert key.version_template.algorithm == kms.CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_DECRYPT_OAEP_2048_SHA256
 
 
 def test_create_key_asymmetric_sign(project_id, location_id, key_ring_id):
     key_id = '{}'.format(uuid.uuid4())
     key = create_key_asymmetric_sign(project_id, location_id, key_ring_id, key_id)
-    assert key.purpose == kms.enums.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN
-    assert key.version_template.algorithm == kms.enums.CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
+    assert key.purpose == kms.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN
+    assert key.version_template.algorithm == kms.CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
 
 
 def test_create_key_hsm(project_id, location_id, key_ring_id):
     key_id = '{}'.format(uuid.uuid4())
     key = create_key_hsm(project_id, location_id, key_ring_id, key_id)
-    assert key.purpose == kms.enums.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
-    assert key.version_template.algorithm == kms.enums.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION
-    assert key.version_template.protection_level == kms.enums.ProtectionLevel.HSM
+    assert key.purpose == kms.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
+    assert key.version_template.algorithm == kms.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION
+    assert key.version_template.protection_level == kms.ProtectionLevel.HSM
 
 
 def test_create_key_labels(project_id, location_id, key_ring_id):
     key_id = '{}'.format(uuid.uuid4())
     key = create_key_labels(project_id, location_id, key_ring_id, key_id)
-    assert key.purpose == kms.enums.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
-    assert key.version_template.algorithm == kms.enums.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION
+    assert key.purpose == kms.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
+    assert key.version_template.algorithm == kms.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION
     assert key.labels == {'team': 'alpha', 'cost_center': 'cc1234'}
 
 
@@ -217,15 +215,15 @@ def test_create_key_ring(project_id, location_id):
 def test_create_key_rotation_schedule(project_id, location_id, key_ring_id):
     key_id = '{}'.format(uuid.uuid4())
     key = create_key_rotation_schedule(project_id, location_id, key_ring_id, key_id)
-    assert key.rotation_period.seconds == 60*60*24*30
-    assert key.next_rotation_time.seconds > 0
+    assert key.rotation_period == datetime.timedelta(seconds=60*60*24*30)
+    assert key.next_rotation_time
 
 
 def test_create_key_symmetric_encrypt_decrypt(project_id, location_id, key_ring_id):
     key_id = '{}'.format(uuid.uuid4())
     key = create_key_symmetric_encrypt_decrypt(project_id, location_id, key_ring_id, key_id)
-    assert key.purpose == kms.enums.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
-    assert key.version_template.algorithm == kms.enums.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION
+    assert key.purpose == kms.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
+    assert key.version_template.algorithm == kms.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION
 
 
 def test_create_key_version(project_id, location_id, key_ring_id, symmetric_key_id):
@@ -237,7 +235,7 @@ def test_decrypt_asymmetric(client, project_id, location_id, key_ring_id, asymme
     message = 'my message'.encode('utf-8')
 
     key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, asymmetric_decrypt_key_id, '1')
-    public_key = client.get_public_key(key_version_name)
+    public_key = client.get_public_key(request={'name': key_version_name})
 
     pem = public_key.pem.encode('utf-8')
     rsa_key = serialization.load_pem_public_key(pem, default_backend())
@@ -255,7 +253,7 @@ def test_decrypt_symmetric(client, project_id, location_id, key_ring_id, symmetr
     plaintext = 'my message'.encode('utf-8')
 
     key_version_name = client.crypto_key_path(project_id, location_id, key_ring_id, symmetric_key_id)
-    encrypt_response = client.encrypt(key_version_name, plaintext)
+    encrypt_response = client.encrypt(request={'name': key_version_name, 'plaintext': plaintext})
     ciphertext = encrypt_response.ciphertext
 
     decrypt_response = decrypt_symmetric(project_id, location_id, key_ring_id, symmetric_key_id, ciphertext)
@@ -264,30 +262,30 @@ def test_decrypt_symmetric(client, project_id, location_id, key_ring_id, symmetr
 
 def test_destroy_restore_key_version(client, project_id, location_id, key_ring_id, asymmetric_decrypt_key_id):
     key_name = client.crypto_key_path(project_id, location_id, key_ring_id, asymmetric_decrypt_key_id)
-    version = client.create_crypto_key_version(key_name, {})
+    version = client.create_crypto_key_version(request={'parent': key_name, 'crypto_key_version': {}})
     version_id = version.name.split('/')[-1]
 
     wait_for_ready(client, version.name)
 
     destroyed_version = destroy_key_version(project_id, location_id, key_ring_id, asymmetric_decrypt_key_id, version_id)
-    assert destroyed_version.state == kms.enums.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED
+    assert destroyed_version.state == kms.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED
 
     restored_version = restore_key_version(project_id, location_id, key_ring_id, asymmetric_decrypt_key_id, version_id)
-    assert restored_version.state == kms.enums.CryptoKeyVersion.CryptoKeyVersionState.DISABLED
+    assert restored_version.state == kms.CryptoKeyVersion.CryptoKeyVersionState.DISABLED
 
 
 def test_disable_enable_key_version(client, project_id, location_id, key_ring_id, asymmetric_decrypt_key_id):
     key_name = client.crypto_key_path(project_id, location_id, key_ring_id, asymmetric_decrypt_key_id)
-    version = client.create_crypto_key_version(key_name, {})
+    version = client.create_crypto_key_version(request={'parent': key_name, 'crypto_key_version': {}})
     version_id = version.name.split('/')[-1]
 
     wait_for_ready(client, version.name)
 
     disabled_version = disable_key_version(project_id, location_id, key_ring_id, asymmetric_decrypt_key_id, version_id)
-    assert disabled_version.state == kms.enums.CryptoKeyVersion.CryptoKeyVersionState.DISABLED
+    assert disabled_version.state == kms.CryptoKeyVersion.CryptoKeyVersionState.DISABLED
 
     enabled_version = enable_key_version(project_id, location_id, key_ring_id, asymmetric_decrypt_key_id, version_id)
-    assert enabled_version.state == kms.enums.CryptoKeyVersion.CryptoKeyVersionState.ENABLED
+    assert enabled_version.state == kms.CryptoKeyVersion.CryptoKeyVersionState.ENABLED
 
 
 def test_encrypt_asymmetric(client, project_id, location_id, key_ring_id, asymmetric_decrypt_key_id):
@@ -295,7 +293,7 @@ def test_encrypt_asymmetric(client, project_id, location_id, key_ring_id, asymme
     ciphertext = encrypt_asymmetric(project_id, location_id, key_ring_id, asymmetric_decrypt_key_id, '1', plaintext)
 
     key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, asymmetric_decrypt_key_id, '1')
-    response = client.asymmetric_decrypt(key_version_name, ciphertext)
+    response = client.asymmetric_decrypt(request={'name': key_version_name, 'ciphertext': ciphertext})
     assert response.plaintext == plaintext.encode('utf-8')
 
 
@@ -304,7 +302,7 @@ def test_encrypt_symmetric(client, project_id, location_id, key_ring_id, symmetr
     encrypt_response = encrypt_symmetric(project_id, location_id, key_ring_id, symmetric_key_id, plaintext)
 
     key_name = client.crypto_key_path(project_id, location_id, key_ring_id, symmetric_key_id)
-    decrypt_response = client.decrypt(key_name, encrypt_response.ciphertext)
+    decrypt_response = client.decrypt(request={'name': key_name, 'ciphertext': encrypt_response.ciphertext})
     assert decrypt_response.plaintext == plaintext.encode('utf-8')
 
 
@@ -338,11 +336,11 @@ def test_iam_get_policy(project_id, location_id, key_ring_id, symmetric_key_id):
 def test_iam_remove_member(client, project_id, location_id, key_ring_id, asymmetric_sign_rsa_key_id):
     resource_name = client.crypto_key_path(project_id, location_id, key_ring_id, asymmetric_sign_rsa_key_id)
 
-    policy = client.get_iam_policy(resource_name)
+    policy = client.get_iam_policy(request={"resource": resource_name})
     policy.bindings.add(
         role='roles/cloudkms.cryptoKeyEncrypterDecrypter',
         members=['group:test@google.com', 'group:tester@google.com'])
-    client.set_iam_policy(resource_name, policy)
+    client.set_iam_policy(request={"resource": resource_name, "policy": policy})
 
     policy = iam_remove_member(project_id, location_id, key_ring_id, asymmetric_sign_rsa_key_id, 'group:test@google.com')
     assert not any('group:test@google.com' in b.members for b in policy.bindings)
@@ -356,7 +354,7 @@ def test_sign_asymmetric(client, project_id, location_id, key_ring_id, asymmetri
     assert sign_response.signature
 
     key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, asymmetric_sign_rsa_key_id, '1')
-    public_key = client.get_public_key(key_version_name)
+    public_key = client.get_public_key(request={'name': key_version_name})
     pem = public_key.pem.encode('utf-8')
     rsa_key = serialization.load_pem_public_key(pem, default_backend())
     hash_ = hashlib.sha256(message.encode('utf-8')).digest()
@@ -371,8 +369,8 @@ def test_sign_asymmetric(client, project_id, location_id, key_ring_id, asymmetri
 
 def test_update_key_add_rotation(project_id, location_id, key_ring_id, symmetric_key_id):
     key = update_key_add_rotation(project_id, location_id, key_ring_id, symmetric_key_id)
-    assert key.rotation_period.seconds == 60*60*24*30
-    assert key.next_rotation_time.seconds > 0
+    assert key.rotation_period == datetime.timedelta(seconds=60*60*24*30)
+    assert key.next_rotation_time
 
 
 def test_update_key_remove_labels(project_id, location_id, key_ring_id, symmetric_key_id):
@@ -382,8 +380,8 @@ def test_update_key_remove_labels(project_id, location_id, key_ring_id, symmetri
 
 def test_update_key_remove_rotation(project_id, location_id, key_ring_id, symmetric_key_id):
     key = update_key_remove_rotation(project_id, location_id, key_ring_id, symmetric_key_id)
-    assert key.rotation_period.seconds == 0
-    assert key.next_rotation_time.seconds == 0
+    assert not key.rotation_period
+    assert not key.next_rotation_time
 
 
 def test_update_key_set_primary(project_id, location_id, key_ring_id, symmetric_key_id):
@@ -401,7 +399,7 @@ def test_verify_asymmetric_ec(client, project_id, location_id, key_ring_id, asym
 
     key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, asymmetric_sign_ec_key_id, '1')
     hash_ = hashlib.sha256(message.encode('utf-8')).digest()
-    sign_response = client.asymmetric_sign(key_version_name, {'sha256': hash_})
+    sign_response = client.asymmetric_sign(request={'name': key_version_name, 'digest': {'sha256': hash_}})
 
     verified = verify_asymmetric_ec(project_id, location_id, key_ring_id, asymmetric_sign_ec_key_id, '1', message, sign_response.signature)
     assert verified
@@ -412,7 +410,7 @@ def test_verify_asymmetric_rsa(client, project_id, location_id, key_ring_id, asy
 
     key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, asymmetric_sign_rsa_key_id, '1')
     hash_ = hashlib.sha256(message.encode('utf-8')).digest()
-    sign_response = client.asymmetric_sign(key_version_name, {'sha256': hash_})
+    sign_response = client.asymmetric_sign(request={'name': key_version_name, 'digest': {'sha256': hash_}})
 
     verified = verify_asymmetric_rsa(project_id, location_id, key_ring_id, asymmetric_sign_rsa_key_id, '1', message, sign_response.signature)
     assert verified
diff --git a/packages/google-cloud-kms/samples/snippets/update_key_add_rotation.py b/packages/google-cloud-kms/samples/snippets/update_key_add_rotation.py
index 22dd6b6622fc..acc4d95612a9 100644
--- a/packages/google-cloud-kms/samples/snippets/update_key_add_rotation.py
+++ b/packages/google-cloud-kms/samples/snippets/update_key_add_rotation.py
@@ -40,23 +40,21 @@ def update_key_add_rotation(project_id, location_id, key_ring_id, key_id):
     # Build the key name.
     key_name = client.crypto_key_path(project_id, location_id, key_ring_id, key_id)
 
-    # Build the key. We need to build a full proto instead of a dict due to
-    # https://github.com/googleapis/gapic-generator-python/issues/364.
-    from google.cloud.kms_v1.proto import resources_pb2
-    key = resources_pb2.CryptoKey()
-    key.name = key_name
-
-    # Rotate the key every 30 days.
-    key.rotation_period.seconds = 60*60*24*30
-
-    # Start the first rotation in 24 hours.
-    key.next_rotation_time.seconds = int(time.time()) + 60*60*24
+    key = {
+        'name': key_name,
+        'rotation_period': {
+            'seconds': 60*60*24*30  # Rotate the key every 30 days.
+        },
+        'next_rotation_time': {
+            'seconds': int(time.time()) + 60*60*24  # Start the first rotation in 24 hours.
+        }
+    }
 
     # Build the update mask.
     update_mask = {'paths': ['rotation_period', 'next_rotation_time']}
 
     # Call the API.
-    updated_key = client.update_crypto_key(key, update_mask)
+    updated_key = client.update_crypto_key(request={'crypto_key': key, 'update_mask': update_mask})
     print('Updated key: {}'.format(updated_key.name))
     return updated_key
 # [END kms_update_key_add_rotation_schedule]
diff --git a/packages/google-cloud-kms/samples/snippets/update_key_remove_labels.py b/packages/google-cloud-kms/samples/snippets/update_key_remove_labels.py
index a44ab214b7a8..648db99c5973 100644
--- a/packages/google-cloud-kms/samples/snippets/update_key_remove_labels.py
+++ b/packages/google-cloud-kms/samples/snippets/update_key_remove_labels.py
@@ -37,18 +37,16 @@ def update_key_remove_labels(project_id, location_id, key_ring_id, key_id):
     # Build the key name.
     key_name = client.crypto_key_path(project_id, location_id, key_ring_id, key_id)
 
-    # Build the key. We need to build a full proto instead of a dict due to
-    # https://github.com/googleapis/gapic-generator-python/issues/364.
-    from google.cloud.kms_v1.proto import resources_pb2
-    key = resources_pb2.CryptoKey()
-    key.name = key_name
-    key.labels.clear()
+    key = {
+        'name': key_name,
+        'labels': [],
+    }
 
     # Build the update mask.
     update_mask = {'paths': ['labels']}
 
     # Call the API.
-    updated_key = client.update_crypto_key(key, update_mask)
+    updated_key = client.update_crypto_key(request={'crypto_key': key, 'update_mask': update_mask})
     print('Updated key: {}'.format(updated_key.name))
     return updated_key
 # [END kms_update_key_remove_labels]
diff --git a/packages/google-cloud-kms/samples/snippets/update_key_remove_rotation.py b/packages/google-cloud-kms/samples/snippets/update_key_remove_rotation.py
index 7f8707eb6eb0..5dd596a7822b 100644
--- a/packages/google-cloud-kms/samples/snippets/update_key_remove_rotation.py
+++ b/packages/google-cloud-kms/samples/snippets/update_key_remove_rotation.py
@@ -37,17 +37,15 @@ def update_key_remove_rotation(project_id, location_id, key_ring_id, key_id):
     # Build the key name.
     key_name = client.crypto_key_path(project_id, location_id, key_ring_id, key_id)
 
-    # Build the key. We need to build a full proto instead of a dict due to
-    # https://github.com/googleapis/gapic-generator-python/issues/364.
-    from google.cloud.kms_v1.proto import resources_pb2
-    key = resources_pb2.CryptoKey()
-    key.name = key_name
+    key = {
+        'name': key_name
+    }
 
     # Build the update mask.
     update_mask = {'paths': ['rotation_period', 'next_rotation_time']}
 
     # Call the API.
-    updated_key = client.update_crypto_key(key, update_mask)
+    updated_key = client.update_crypto_key(request={'crypto_key': key, 'update_mask': update_mask})
     print('Updated key: {}'.format(updated_key.name))
     return updated_key
 # [END kms_update_key_remove_rotation_schedule]
diff --git a/packages/google-cloud-kms/samples/snippets/update_key_set_primary.py b/packages/google-cloud-kms/samples/snippets/update_key_set_primary.py
index dd889dbd407f..74ba5cdf845a 100644
--- a/packages/google-cloud-kms/samples/snippets/update_key_set_primary.py
+++ b/packages/google-cloud-kms/samples/snippets/update_key_set_primary.py
@@ -39,7 +39,7 @@ def update_key_set_primary(project_id, location_id, key_ring_id, key_id, version
     key_name = client.crypto_key_path(project_id, location_id, key_ring_id, key_id)
 
     # Call the API.
-    updated_key = client.update_crypto_key_primary_version(key_name, version_id)
+    updated_key = client.update_crypto_key_primary_version(request={'name': key_name, 'crypto_key_version_id': version_id})
     print('Updated {} primary to {}'.format(updated_key.name, version_id))
     return updated_key
 # [END kms_update_key_set_primary]
diff --git a/packages/google-cloud-kms/samples/snippets/update_key_update_labels.py b/packages/google-cloud-kms/samples/snippets/update_key_update_labels.py
index 21372472bc2a..3f58f15f142c 100644
--- a/packages/google-cloud-kms/samples/snippets/update_key_update_labels.py
+++ b/packages/google-cloud-kms/samples/snippets/update_key_update_labels.py
@@ -37,18 +37,18 @@ def update_key_update_labels(project_id, location_id, key_ring_id, key_id):
     # Build the key name.
     key_name = client.crypto_key_path(project_id, location_id, key_ring_id, key_id)
 
-    # Build the key. We need to build a full proto instead of a dict due to
-    # https://github.com/googleapis/gapic-generator-python/issues/364.
-    from google.cloud.kms_v1.proto import resources_pb2
-    key = resources_pb2.CryptoKey()
-    key.name = key_name
-    key.labels.update({'new_label': 'new_value'})
+    key = {
+        'name': key_name,
+        'labels': {
+            'new_label': 'new_value'
+        }
+    }
 
     # Build the update mask.
     update_mask = {'paths': ['labels']}
 
     # Call the API.
-    updated_key = client.update_crypto_key(key, update_mask)
+    updated_key = client.update_crypto_key(request={'crypto_key': key, 'update_mask': update_mask})
     print('Updated key: {}'.format(updated_key.name))
     return updated_key
 # [END kms_update_key_update_labels]
diff --git a/packages/google-cloud-kms/samples/snippets/verify_asymmetric_ec.py b/packages/google-cloud-kms/samples/snippets/verify_asymmetric_ec.py
index ac77a64b8681..d29128bd8aca 100644
--- a/packages/google-cloud-kms/samples/snippets/verify_asymmetric_ec.py
+++ b/packages/google-cloud-kms/samples/snippets/verify_asymmetric_ec.py
@@ -53,7 +53,7 @@ def verify_asymmetric_ec(project_id, location_id, key_ring_id, key_id, version_i
     key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, version_id)
 
     # Get the public key.
-    public_key = client.get_public_key(key_version_name)
+    public_key = client.get_public_key(request={'name': key_version_name})
 
     # Extract and parse the public key as a PEM-encoded RSA key.
     pem = public_key.pem.encode('utf-8')
diff --git a/packages/google-cloud-kms/samples/snippets/verify_asymmetric_rsa.py b/packages/google-cloud-kms/samples/snippets/verify_asymmetric_rsa.py
index 6df3d862f83b..ee7330367d75 100644
--- a/packages/google-cloud-kms/samples/snippets/verify_asymmetric_rsa.py
+++ b/packages/google-cloud-kms/samples/snippets/verify_asymmetric_rsa.py
@@ -53,7 +53,7 @@ def verify_asymmetric_rsa(project_id, location_id, key_ring_id, key_id, version_
     key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, version_id)
 
     # Get the public key.
-    public_key = client.get_public_key(key_version_name)
+    public_key = client.get_public_key(request={'name': key_version_name})
 
     # Extract and parse the public key as a PEM-encoded RSA key.
     pem = public_key.pem.encode('utf-8')
diff --git a/packages/google-cloud-kms/scripts/fixup_kms_v1_keywords.py b/packages/google-cloud-kms/scripts/fixup_kms_v1_keywords.py
new file mode 100644
index 000000000000..5a3c1bd7157c
--- /dev/null
+++ b/packages/google-cloud-kms/scripts/fixup_kms_v1_keywords.py
@@ -0,0 +1,204 @@
+# -*- coding: utf-8 -*-
+
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+import argparse
+import os
+import libcst as cst
+import pathlib
+import sys
+from typing import (Any, Callable, Dict, List, Sequence, Tuple)
+
+
+def partition(
+    predicate: Callable[[Any], bool],
+    iterator: Sequence[Any]
+) -> Tuple[List[Any], List[Any]]:
+    """A stable, out-of-place partition."""
+    results = ([], [])
+
+    for i in iterator:
+        results[int(predicate(i))].append(i)
+
+    # Returns trueList, falseList
+    return results[1], results[0]
+
+
+class kmsCallTransformer(cst.CSTTransformer):
+    CTRL_PARAMS: Tuple[str] = ('retry', 'timeout', 'metadata')
+    METHOD_TO_PARAMS: Dict[str, Tuple[str]] = {
+    'asymmetric_decrypt': ('name', 'ciphertext', ),
+    'asymmetric_sign': ('name', 'digest', ),
+    'create_crypto_key': ('parent', 'crypto_key_id', 'crypto_key', 'skip_initial_version_creation', ),
+    'create_crypto_key_version': ('parent', 'crypto_key_version', ),
+    'create_import_job': ('parent', 'import_job_id', 'import_job', ),
+    'create_key_ring': ('parent', 'key_ring_id', 'key_ring', ),
+    'decrypt': ('name', 'ciphertext', 'additional_authenticated_data', ),
+    'destroy_crypto_key_version': ('name', ),
+    'encrypt': ('name', 'plaintext', 'additional_authenticated_data', ),
+    'get_crypto_key': ('name', ),
+    'get_crypto_key_version': ('name', ),
+    'get_import_job': ('name', ),
+    'get_key_ring': ('name', ),
+    'get_public_key': ('name', ),
+    'import_crypto_key_version': ('parent', 'algorithm', 'import_job', 'rsa_aes_wrapped_key', ),
+    'list_crypto_keys': ('parent', 'page_size', 'page_token', 'version_view', 'filter', 'order_by', ),
+    'list_crypto_key_versions': ('parent', 'page_size', 'page_token', 'view', 'filter', 'order_by', ),
+    'list_import_jobs': ('parent', 'page_size', 'page_token', 'filter', 'order_by', ),
+    'list_key_rings': ('parent', 'page_size', 'page_token', 'filter', 'order_by', ),
+    'restore_crypto_key_version': ('name', ),
+    'update_crypto_key': ('crypto_key', 'update_mask', ),
+    'update_crypto_key_primary_version': ('name', 'crypto_key_version_id', ),
+    'update_crypto_key_version': ('crypto_key_version', 'update_mask', ),
+
+    'get_iam_policy': ('resource', 'options', ),
+    'set_iam_policy': ('resource', 'policy', ),
+    'test_iam_permissions': ('resource', 'permissions', ),
+
+    }
+
+    def leave_Call(self, original: cst.Call, updated: cst.Call) -> cst.CSTNode:
+        try:
+            key = original.func.attr.value
+            kword_params = self.METHOD_TO_PARAMS[key]
+        except (AttributeError, KeyError):
+            # Either not a method from the API or too convoluted to be sure.
+            return updated
+
+        # If the existing code is valid, keyword args come after positional args.
+        # Therefore, all positional args must map to the first parameters.
+        args, kwargs = partition(lambda a: not bool(a.keyword), updated.args)
+        if any(k.keyword.value == "request" for k in kwargs):
+            # We've already fixed this file, don't fix it again.
+            return updated
+
+        kwargs, ctrl_kwargs = partition(
+            lambda a: not a.keyword.value in self.CTRL_PARAMS,
+            kwargs
+        )
+
+        args, ctrl_args = args[:len(kword_params)], args[len(kword_params):]
+        ctrl_kwargs.extend(cst.Arg(value=a.value, keyword=cst.Name(value=ctrl))
+                           for a, ctrl in zip(ctrl_args, self.CTRL_PARAMS))
+
+        request_arg = cst.Arg(
+            value=cst.Dict([
+                cst.DictElement(
+                    cst.SimpleString("'{}'".format(name)),
+                    cst.Element(value=arg.value)
+                )
+                # Note: the args + kwargs looks silly, but keep in mind that
+                # the control parameters had to be stripped out, and that
+                # those could have been passed positionally or by keyword.
+                for name, arg in zip(kword_params, args + kwargs)]),
+            keyword=cst.Name("request")
+        )
+
+        return updated.with_changes(
+            args=[request_arg] + ctrl_kwargs
+        )
+
+
+def fix_files(
+    in_dir: pathlib.Path,
+    out_dir: pathlib.Path,
+    *,
+    transformer=kmsCallTransformer(),
+):
+    """Duplicate the input dir to the output dir, fixing file method calls.
+
+    Preconditions:
+    * in_dir is a real directory
+    * out_dir is a real, empty directory
+    """
+    pyfile_gen = (
+        pathlib.Path(os.path.join(root, f))
+        for root, _, files in os.walk(in_dir)
+        for f in files if os.path.splitext(f)[1] == ".py"
+    )
+
+    for fpath in pyfile_gen:
+        with open(fpath, 'r') as f:
+            src = f.read()
+
+        # Parse the code and insert method call fixes.
+        tree = cst.parse_module(src)
+        updated = tree.visit(transformer)
+
+        # Create the path and directory structure for the new file.
+        updated_path = out_dir.joinpath(fpath.relative_to(in_dir))
+        updated_path.parent.mkdir(parents=True, exist_ok=True)
+
+        # Generate the updated source file at the corresponding path.
+        with open(updated_path, 'w') as f:
+            f.write(updated.code)
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(
+        description="""Fix up source that uses the kms client library.
+
+The existing sources are NOT overwritten but are copied to output_dir with changes made.
+
+Note: This tool operates at a best-effort level at converting positional
+      parameters in client method calls to keyword based parameters.
+      Cases where it WILL FAIL include
+      A) * or ** expansion in a method call.
+      B) Calls via function or method alias (includes free function calls)
+      C) Indirect or dispatched calls (e.g. the method is looked up dynamically)
+
+      These all constitute false negatives. The tool will also detect false
+      positives when an API method shares a name with another method.
+""")
+    parser.add_argument(
+        '-d',
+        '--input-directory',
+        required=True,
+        dest='input_dir',
+        help='the input directory to walk for python files to fix up',
+    )
+    parser.add_argument(
+        '-o',
+        '--output-directory',
+        required=True,
+        dest='output_dir',
+        help='the directory to output files fixed via un-flattening',
+    )
+    args = parser.parse_args()
+    input_dir = pathlib.Path(args.input_dir)
+    output_dir = pathlib.Path(args.output_dir)
+    if not input_dir.is_dir():
+        print(
+            f"input directory '{input_dir}' does not exist or is not a directory",
+            file=sys.stderr,
+        )
+        sys.exit(-1)
+
+    if not output_dir.is_dir():
+        print(
+            f"output directory '{output_dir}' does not exist or is not a directory",
+            file=sys.stderr,
+        )
+        sys.exit(-1)
+
+    if os.listdir(output_dir):
+        print(
+            f"output directory '{output_dir}' is not empty",
+            file=sys.stderr,
+        )
+        sys.exit(-1)
+
+    fix_files(input_dir, output_dir)
diff --git a/packages/google-cloud-kms/setup.py b/packages/google-cloud-kms/setup.py
index 37ac5c2a916b..0ae2645ded6c 100644
--- a/packages/google-cloud-kms/setup.py
+++ b/packages/google-cloud-kms/setup.py
@@ -20,25 +20,33 @@
 import setuptools
 
 name = "google-cloud-kms"
-description = "Cloud Key Management Service (KMS) API API client library"
+description = "Cloud Key Management Service (KMS) API client library"
 version = "1.4.0"
 release_status = "Development Status :: 5 - Production/Stable"
 dependencies = [
-    "google-api-core[grpc] >= 1.14.0, < 2.0.0dev",
+    "google-api-core[grpc] >= 1.22.0, < 2.0.0dev",
     "grpc-google-iam-v1 >= 0.12.3, < 0.13dev",
-    'enum34; python_version < "3.4"',
+    "proto-plus >= 0.4.0",
+    "libcst >= 0.2.5",
 ]
 
+extras = {}
+
 package_root = os.path.abspath(os.path.dirname(__file__))
 
 readme_filename = os.path.join(package_root, "README.rst")
 with io.open(readme_filename, encoding="utf-8") as readme_file:
     readme = readme_file.read()
 
+# Only include packages under the 'google' namespace. Do not include tests,
+# benchmarks, etc.
 packages = [
-    package for package in setuptools.find_packages() if package.startswith("google")
+    package
+    for package in setuptools.PEP420PackageFinder.find()
+    if package.startswith("google")
 ]
 
+
 namespaces = ["google"]
 if "google.cloud" in packages:
     namespaces.append("google.cloud")
@@ -57,12 +65,10 @@
         "Intended Audience :: Developers",
         "License :: OSI Approved :: Apache Software License",
         "Programming Language :: Python",
-        "Programming Language :: Python :: 2",
-        "Programming Language :: Python :: 2.7",
         "Programming Language :: Python :: 3",
-        "Programming Language :: Python :: 3.5",
         "Programming Language :: Python :: 3.6",
         "Programming Language :: Python :: 3.7",
+        "Programming Language :: Python :: 3.8",
         "Operating System :: OS Independent",
         "Topic :: Internet",
     ],
@@ -70,7 +76,9 @@
     packages=packages,
     namespace_packages=namespaces,
     install_requires=dependencies,
-    python_requires=">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*",
+    extras_require=extras,
+    python_requires=">=3.6",
+    scripts=["scripts/fixup_kms_v1_keywords.py"],
     include_package_data=True,
     zip_safe=False,
 )
diff --git a/packages/google-cloud-kms/synth.metadata b/packages/google-cloud-kms/synth.metadata
index 29286d251729..e2e1e315622c 100644
--- a/packages/google-cloud-kms/synth.metadata
+++ b/packages/google-cloud-kms/synth.metadata
@@ -3,16 +3,30 @@
     {
       "git": {
         "name": ".",
-        "remote": "git@github.com:googleapis/python-kms.git",
-        "sha": "309319a29b3e0f851d93c58de06b60f50cf0fbfb"
+        "remote": "git@github.com:googleapis/python-kms",
+        "sha": "b86cb3a61661e102bff02e592dd6ec952e008162"
       }
     },
     {
       "git": {
         "name": "googleapis",
         "remote": "https://github.com/googleapis/googleapis.git",
-        "sha": "eafa840ceec23b44a5c21670288107c661252711",
-        "internalRef": "313488995"
+        "sha": "1907f0fdbd1c51e62d8452a4007bf2134a8bd4c2",
+        "internalRef": "323657371"
+      }
+    },
+    {
+      "git": {
+        "name": "synthtool",
+        "remote": "https://github.com/googleapis/synthtool.git",
+        "sha": "5506723fef367557d83cf072d0c18020c049fcb8"
+      }
+    },
+    {
+      "git": {
+        "name": "synthtool",
+        "remote": "https://github.com/googleapis/synthtool.git",
+        "sha": "5506723fef367557d83cf072d0c18020c049fcb8"
       }
     }
   ],
diff --git a/packages/google-cloud-kms/synth.py b/packages/google-cloud-kms/synth.py
index c17cb683d25e..7dbde9b4ac42 100644
--- a/packages/google-cloud-kms/synth.py
+++ b/packages/google-cloud-kms/synth.py
@@ -37,43 +37,61 @@
     include_protos=True,
 )
 
-s.move(library, excludes=["README.rst", "setup.py", "nox*.py", "docs/**/*"])
+s.move(library, excludes=["README.rst", "setup.py", "nox*.py", "docs/index.rst"])
 
-# Temporary fixup for 'grpc-google-iam-vi 0.12.4' (before generation).
+# Escape single '_' which RST treats as target names
+s.replace("google/**/resources.py", '''"(.*?)_((SIGN)|(DECRYPT))_"''', '''"\g<1>_\g<2>\_"''')
+
+# Docstrings of *_iam_policy() methods are formatted poorly and must be fixed
+# in order to avoid docstring format warnings in docs.
+s.replace(
+    "google/**/*client.py",
+    r"(\s+)Args:",
+    "\n\g<1>Args:"
+)
+s.replace(
+    "google/**/*client.py",
+    r"(\s+)\*\*JSON Example\*\*\s+::",
+    "\n\g<1>**JSON Example**::\n",
+)
+s.replace(
+    "google/**/*client.py",
+    r"(\s+)\*\*YAML Example\*\*\s+::",
+    "\n\g<1>**YAML Example**::\n",
+)
 s.replace(
-    "google/cloud/kms_v1/gapic/transports/key_management_service_grpc_transport.py",
-    "from google.iam.v1 import iam_policy_pb2",
-    "from google.iam.v1 import iam_policy_pb2_grpc as iam_policy_pb2",
+    "google/**/*client.py",
+    r"(\s+)For a description of IAM and its features, see",
+    "\n\g<0>",
 )
-# re-insert `crypto_key_path_path` method as this was used in the published samples
-# TODO: remove when this library is moved to the microgenerator and mention it in the relase
-# notes
-count = s.replace("google/cloud/kms_v1/gapic/key_management_service_client.py",
-"""(@classmethod
-\s+def crypto_key_version_path\(.*)""",
-"""
-    @classmethod	
-    def crypto_key_path_path(cls, project, location, key_ring, crypto_key_path):	
-        \"\"\"Return a fully-qualified crypto_key_path string.\"\"\"	
-        return google.api_core.path_template.expand(	
-            "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key_path=**}",	
-            project=project,	
-            location=location,	
-            key_ring=key_ring,	
-            crypto_key_path=crypto_key_path,	
-        )
-
-    \g<1>
-""")
-
-if count != 1:
-    raise Exception("Required insertion of `crypto_key_path_path` not made.")
+
+# TODO(busunkim): Remove once https://github.com/googleapis/gapic-generator-python/pull/555 is merged
+s.replace(
+    "google/**/base.py",
+    """from google\.api_core import gapic_v1\s+# type: ignore""",
+    """from google.api_core import gapic_v1  # type: ignore
+from google.api_core import retry as retries  # type: ignore""",
+)
+
+# fix bad indentation
+s.replace(
+    "google/**/*service.py",
+    """(\s+)settings resource.
+\s+If empty all mutable fields will be updated.""",
+    """\g<1>settings resource.
+\g<1>If empty all mutable fields will be updated.""",
+)
+
 
 # ----------------------------------------------------------------------------
 # Add templated files
 # ----------------------------------------------------------------------------
-templated_files = common.py_library(cov_level=70, samples=True)
-s.move(templated_files)
+templated_files = common.py_library(
+    cov_level=99,
+    samples=True,
+    microgenerator=True,
+)
+s.move(templated_files, excludes=[".coveragerc"])  # microgenerator has a good .coveragerc file
 
 # ----------------------------------------------------------------------------
 # Samples templates
diff --git a/packages/google-cloud-kms/tests/system.py b/packages/google-cloud-kms/tests/system.py
deleted file mode 100644
index 4a23908dc337..000000000000
--- a/packages/google-cloud-kms/tests/system.py
+++ /dev/null
@@ -1,29 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-# Copyright 2019 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-import os
-
-from google.cloud import kms_v1
-
-
-class TestKeyManagementServiceClient(object):
-    def test_list_global_key_rings(self):
-        project_id = os.environ["PROJECT_ID"]
-
-        client = kms_v1.KeyManagementServiceClient()
-        location = "global"
-        parent = client.location_path(project_id, location)
-        client.list_key_rings(parent)
diff --git a/packages/google-cloud-kms/tests/unit/gapic/kms_v1/__init__.py b/packages/google-cloud-kms/tests/unit/gapic/kms_v1/__init__.py
new file mode 100644
index 000000000000..8b137891791f
--- /dev/null
+++ b/packages/google-cloud-kms/tests/unit/gapic/kms_v1/__init__.py
@@ -0,0 +1 @@
+
diff --git a/packages/google-cloud-kms/tests/unit/gapic/kms_v1/test_key_management_service.py b/packages/google-cloud-kms/tests/unit/gapic/kms_v1/test_key_management_service.py
new file mode 100644
index 000000000000..2bcd122acdde
--- /dev/null
+++ b/packages/google-cloud-kms/tests/unit/gapic/kms_v1/test_key_management_service.py
@@ -0,0 +1,6815 @@
+# -*- coding: utf-8 -*-
+
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+import os
+import mock
+
+import grpc
+from grpc.experimental import aio
+import math
+import pytest
+from proto.marshal.rules.dates import DurationRule, TimestampRule
+
+from google import auth
+from google.api_core import client_options
+from google.api_core import exceptions
+from google.api_core import gapic_v1
+from google.api_core import grpc_helpers
+from google.api_core import grpc_helpers_async
+from google.auth import credentials
+from google.auth.exceptions import MutualTLSChannelError
+from google.cloud.kms_v1.services.key_management_service import (
+    KeyManagementServiceAsyncClient,
+)
+from google.cloud.kms_v1.services.key_management_service import (
+    KeyManagementServiceClient,
+)
+from google.cloud.kms_v1.services.key_management_service import pagers
+from google.cloud.kms_v1.services.key_management_service import transports
+from google.cloud.kms_v1.types import resources
+from google.cloud.kms_v1.types import service
+from google.iam.v1 import iam_policy_pb2 as iam_policy  # type: ignore
+from google.iam.v1 import options_pb2 as options  # type: ignore
+from google.iam.v1 import policy_pb2 as policy  # type: ignore
+from google.oauth2 import service_account
+from google.protobuf import duration_pb2 as duration  # type: ignore
+from google.protobuf import field_mask_pb2 as field_mask  # type: ignore
+from google.protobuf import timestamp_pb2 as timestamp  # type: ignore
+
+
+def client_cert_source_callback():
+    return b"cert bytes", b"key bytes"
+
+
+# If default endpoint is localhost, then default mtls endpoint will be the same.
+# This method modifies the default endpoint so the client can produce a different
+# mtls endpoint for endpoint testing purposes.
+def modify_default_endpoint(client):
+    return (
+        "foo.googleapis.com"
+        if ("localhost" in client.DEFAULT_ENDPOINT)
+        else client.DEFAULT_ENDPOINT
+    )
+
+
+def test__get_default_mtls_endpoint():
+    api_endpoint = "example.googleapis.com"
+    api_mtls_endpoint = "example.mtls.googleapis.com"
+    sandbox_endpoint = "example.sandbox.googleapis.com"
+    sandbox_mtls_endpoint = "example.mtls.sandbox.googleapis.com"
+    non_googleapi = "api.example.com"
+
+    assert KeyManagementServiceClient._get_default_mtls_endpoint(None) is None
+    assert (
+        KeyManagementServiceClient._get_default_mtls_endpoint(api_endpoint)
+        == api_mtls_endpoint
+    )
+    assert (
+        KeyManagementServiceClient._get_default_mtls_endpoint(api_mtls_endpoint)
+        == api_mtls_endpoint
+    )
+    assert (
+        KeyManagementServiceClient._get_default_mtls_endpoint(sandbox_endpoint)
+        == sandbox_mtls_endpoint
+    )
+    assert (
+        KeyManagementServiceClient._get_default_mtls_endpoint(sandbox_mtls_endpoint)
+        == sandbox_mtls_endpoint
+    )
+    assert (
+        KeyManagementServiceClient._get_default_mtls_endpoint(non_googleapi)
+        == non_googleapi
+    )
+
+
+@pytest.mark.parametrize(
+    "client_class", [KeyManagementServiceClient, KeyManagementServiceAsyncClient]
+)
+def test_key_management_service_client_from_service_account_file(client_class):
+    creds = credentials.AnonymousCredentials()
+    with mock.patch.object(
+        service_account.Credentials, "from_service_account_file"
+    ) as factory:
+        factory.return_value = creds
+        client = client_class.from_service_account_file("dummy/file/path.json")
+        assert client._transport._credentials == creds
+
+        client = client_class.from_service_account_json("dummy/file/path.json")
+        assert client._transport._credentials == creds
+
+        assert client._transport._host == "cloudkms.googleapis.com:443"
+
+
+def test_key_management_service_client_get_transport_class():
+    transport = KeyManagementServiceClient.get_transport_class()
+    assert transport == transports.KeyManagementServiceGrpcTransport
+
+    transport = KeyManagementServiceClient.get_transport_class("grpc")
+    assert transport == transports.KeyManagementServiceGrpcTransport
+
+
+@pytest.mark.parametrize(
+    "client_class,transport_class,transport_name",
+    [
+        (
+            KeyManagementServiceClient,
+            transports.KeyManagementServiceGrpcTransport,
+            "grpc",
+        ),
+        (
+            KeyManagementServiceAsyncClient,
+            transports.KeyManagementServiceGrpcAsyncIOTransport,
+            "grpc_asyncio",
+        ),
+    ],
+)
+@mock.patch.object(
+    KeyManagementServiceClient,
+    "DEFAULT_ENDPOINT",
+    modify_default_endpoint(KeyManagementServiceClient),
+)
+@mock.patch.object(
+    KeyManagementServiceAsyncClient,
+    "DEFAULT_ENDPOINT",
+    modify_default_endpoint(KeyManagementServiceAsyncClient),
+)
+def test_key_management_service_client_client_options(
+    client_class, transport_class, transport_name
+):
+    # Check that if channel is provided we won't create a new one.
+    with mock.patch.object(KeyManagementServiceClient, "get_transport_class") as gtc:
+        transport = transport_class(credentials=credentials.AnonymousCredentials())
+        client = client_class(transport=transport)
+        gtc.assert_not_called()
+
+    # Check that if channel is provided via str we will create a new one.
+    with mock.patch.object(KeyManagementServiceClient, "get_transport_class") as gtc:
+        client = client_class(transport=transport_name)
+        gtc.assert_called()
+
+    # Check the case api_endpoint is provided.
+    options = client_options.ClientOptions(api_endpoint="squid.clam.whelk")
+    with mock.patch.object(transport_class, "__init__") as patched:
+        patched.return_value = None
+        client = client_class(client_options=options)
+        patched.assert_called_once_with(
+            credentials=None,
+            credentials_file=None,
+            host="squid.clam.whelk",
+            scopes=None,
+            api_mtls_endpoint="squid.clam.whelk",
+            client_cert_source=None,
+            quota_project_id=None,
+        )
+
+    # Check the case api_endpoint is not provided and GOOGLE_API_USE_MTLS is
+    # "never".
+    with mock.patch.dict(os.environ, {"GOOGLE_API_USE_MTLS": "never"}):
+        with mock.patch.object(transport_class, "__init__") as patched:
+            patched.return_value = None
+            client = client_class()
+            patched.assert_called_once_with(
+                credentials=None,
+                credentials_file=None,
+                host=client.DEFAULT_ENDPOINT,
+                scopes=None,
+                api_mtls_endpoint=client.DEFAULT_ENDPOINT,
+                client_cert_source=None,
+                quota_project_id=None,
+            )
+
+    # Check the case api_endpoint is not provided and GOOGLE_API_USE_MTLS is
+    # "always".
+    with mock.patch.dict(os.environ, {"GOOGLE_API_USE_MTLS": "always"}):
+        with mock.patch.object(transport_class, "__init__") as patched:
+            patched.return_value = None
+            client = client_class()
+            patched.assert_called_once_with(
+                credentials=None,
+                credentials_file=None,
+                host=client.DEFAULT_MTLS_ENDPOINT,
+                scopes=None,
+                api_mtls_endpoint=client.DEFAULT_MTLS_ENDPOINT,
+                client_cert_source=None,
+                quota_project_id=None,
+            )
+
+    # Check the case api_endpoint is not provided, GOOGLE_API_USE_MTLS is
+    # "auto", and client_cert_source is provided.
+    with mock.patch.dict(os.environ, {"GOOGLE_API_USE_MTLS": "auto"}):
+        options = client_options.ClientOptions(
+            client_cert_source=client_cert_source_callback
+        )
+        with mock.patch.object(transport_class, "__init__") as patched:
+            patched.return_value = None
+            client = client_class(client_options=options)
+            patched.assert_called_once_with(
+                credentials=None,
+                credentials_file=None,
+                host=client.DEFAULT_MTLS_ENDPOINT,
+                scopes=None,
+                api_mtls_endpoint=client.DEFAULT_MTLS_ENDPOINT,
+                client_cert_source=client_cert_source_callback,
+                quota_project_id=None,
+            )
+
+    # Check the case api_endpoint is not provided, GOOGLE_API_USE_MTLS is
+    # "auto", and default_client_cert_source is provided.
+    with mock.patch.dict(os.environ, {"GOOGLE_API_USE_MTLS": "auto"}):
+        with mock.patch.object(transport_class, "__init__") as patched:
+            with mock.patch(
+                "google.auth.transport.mtls.has_default_client_cert_source",
+                return_value=True,
+            ):
+                patched.return_value = None
+                client = client_class()
+                patched.assert_called_once_with(
+                    credentials=None,
+                    credentials_file=None,
+                    host=client.DEFAULT_MTLS_ENDPOINT,
+                    scopes=None,
+                    api_mtls_endpoint=client.DEFAULT_MTLS_ENDPOINT,
+                    client_cert_source=None,
+                    quota_project_id=None,
+                )
+
+    # Check the case api_endpoint is not provided, GOOGLE_API_USE_MTLS is
+    # "auto", but client_cert_source and default_client_cert_source are None.
+    with mock.patch.dict(os.environ, {"GOOGLE_API_USE_MTLS": "auto"}):
+        with mock.patch.object(transport_class, "__init__") as patched:
+            with mock.patch(
+                "google.auth.transport.mtls.has_default_client_cert_source",
+                return_value=False,
+            ):
+                patched.return_value = None
+                client = client_class()
+                patched.assert_called_once_with(
+                    credentials=None,
+                    credentials_file=None,
+                    host=client.DEFAULT_ENDPOINT,
+                    scopes=None,
+                    api_mtls_endpoint=client.DEFAULT_ENDPOINT,
+                    client_cert_source=None,
+                    quota_project_id=None,
+                )
+
+    # Check the case api_endpoint is not provided and GOOGLE_API_USE_MTLS has
+    # unsupported value.
+    with mock.patch.dict(os.environ, {"GOOGLE_API_USE_MTLS": "Unsupported"}):
+        with pytest.raises(MutualTLSChannelError):
+            client = client_class()
+
+    # Check the case quota_project_id is provided
+    options = client_options.ClientOptions(quota_project_id="octopus")
+    with mock.patch.object(transport_class, "__init__") as patched:
+        patched.return_value = None
+        client = client_class(client_options=options)
+        patched.assert_called_once_with(
+            credentials=None,
+            credentials_file=None,
+            host=client.DEFAULT_ENDPOINT,
+            scopes=None,
+            api_mtls_endpoint=client.DEFAULT_ENDPOINT,
+            client_cert_source=None,
+            quota_project_id="octopus",
+        )
+
+
+@pytest.mark.parametrize(
+    "client_class,transport_class,transport_name",
+    [
+        (
+            KeyManagementServiceClient,
+            transports.KeyManagementServiceGrpcTransport,
+            "grpc",
+        ),
+        (
+            KeyManagementServiceAsyncClient,
+            transports.KeyManagementServiceGrpcAsyncIOTransport,
+            "grpc_asyncio",
+        ),
+    ],
+)
+def test_key_management_service_client_client_options_scopes(
+    client_class, transport_class, transport_name
+):
+    # Check the case scopes are provided.
+    options = client_options.ClientOptions(scopes=["1", "2"],)
+    with mock.patch.object(transport_class, "__init__") as patched:
+        patched.return_value = None
+        client = client_class(client_options=options)
+        patched.assert_called_once_with(
+            credentials=None,
+            credentials_file=None,
+            host=client.DEFAULT_ENDPOINT,
+            scopes=["1", "2"],
+            api_mtls_endpoint=client.DEFAULT_ENDPOINT,
+            client_cert_source=None,
+            quota_project_id=None,
+        )
+
+
+@pytest.mark.parametrize(
+    "client_class,transport_class,transport_name",
+    [
+        (
+            KeyManagementServiceClient,
+            transports.KeyManagementServiceGrpcTransport,
+            "grpc",
+        ),
+        (
+            KeyManagementServiceAsyncClient,
+            transports.KeyManagementServiceGrpcAsyncIOTransport,
+            "grpc_asyncio",
+        ),
+    ],
+)
+def test_key_management_service_client_client_options_credentials_file(
+    client_class, transport_class, transport_name
+):
+    # Check the case credentials file is provided.
+    options = client_options.ClientOptions(credentials_file="credentials.json")
+    with mock.patch.object(transport_class, "__init__") as patched:
+        patched.return_value = None
+        client = client_class(client_options=options)
+        patched.assert_called_once_with(
+            credentials=None,
+            credentials_file="credentials.json",
+            host=client.DEFAULT_ENDPOINT,
+            scopes=None,
+            api_mtls_endpoint=client.DEFAULT_ENDPOINT,
+            client_cert_source=None,
+            quota_project_id=None,
+        )
+
+
+def test_key_management_service_client_client_options_from_dict():
+    with mock.patch(
+        "google.cloud.kms_v1.services.key_management_service.transports.KeyManagementServiceGrpcTransport.__init__"
+    ) as grpc_transport:
+        grpc_transport.return_value = None
+        client = KeyManagementServiceClient(
+            client_options={"api_endpoint": "squid.clam.whelk"}
+        )
+        grpc_transport.assert_called_once_with(
+            credentials=None,
+            credentials_file=None,
+            host="squid.clam.whelk",
+            scopes=None,
+            api_mtls_endpoint="squid.clam.whelk",
+            client_cert_source=None,
+            quota_project_id=None,
+        )
+
+
+def test_list_key_rings(transport: str = "grpc"):
+    client = KeyManagementServiceClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.ListKeyRingsRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._transport.list_key_rings), "__call__") as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = service.ListKeyRingsResponse(
+            next_page_token="next_page_token_value", total_size=1086,
+        )
+
+        response = client.list_key_rings(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, pagers.ListKeyRingsPager)
+
+    assert response.next_page_token == "next_page_token_value"
+
+    assert response.total_size == 1086
+
+
+@pytest.mark.asyncio
+async def test_list_key_rings_async(transport: str = "grpc_asyncio"):
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.ListKeyRingsRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.list_key_rings), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            service.ListKeyRingsResponse(
+                next_page_token="next_page_token_value", total_size=1086,
+            )
+        )
+
+        response = await client.list_key_rings(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, pagers.ListKeyRingsAsyncPager)
+
+    assert response.next_page_token == "next_page_token_value"
+
+    assert response.total_size == 1086
+
+
+def test_list_key_rings_field_headers():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.ListKeyRingsRequest()
+    request.parent = "parent/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._transport.list_key_rings), "__call__") as call:
+        call.return_value = service.ListKeyRingsResponse()
+
+        client.list_key_rings(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "parent=parent/value",) in kw["metadata"]
+
+
+@pytest.mark.asyncio
+async def test_list_key_rings_field_headers_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.ListKeyRingsRequest()
+    request.parent = "parent/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.list_key_rings), "__call__"
+    ) as call:
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            service.ListKeyRingsResponse()
+        )
+
+        await client.list_key_rings(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "parent=parent/value",) in kw["metadata"]
+
+
+def test_list_key_rings_flattened():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._transport.list_key_rings), "__call__") as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = service.ListKeyRingsResponse()
+
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        client.list_key_rings(parent="parent_value",)
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].parent == "parent_value"
+
+
+def test_list_key_rings_flattened_error():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        client.list_key_rings(
+            service.ListKeyRingsRequest(), parent="parent_value",
+        )
+
+
+@pytest.mark.asyncio
+async def test_list_key_rings_flattened_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.list_key_rings), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = service.ListKeyRingsResponse()
+
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            service.ListKeyRingsResponse()
+        )
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        response = await client.list_key_rings(parent="parent_value",)
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].parent == "parent_value"
+
+
+@pytest.mark.asyncio
+async def test_list_key_rings_flattened_error_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        await client.list_key_rings(
+            service.ListKeyRingsRequest(), parent="parent_value",
+        )
+
+
+def test_list_key_rings_pager():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials,)
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._transport.list_key_rings), "__call__") as call:
+        # Set the response to a series of pages.
+        call.side_effect = (
+            service.ListKeyRingsResponse(
+                key_rings=[
+                    resources.KeyRing(),
+                    resources.KeyRing(),
+                    resources.KeyRing(),
+                ],
+                next_page_token="abc",
+            ),
+            service.ListKeyRingsResponse(key_rings=[], next_page_token="def",),
+            service.ListKeyRingsResponse(
+                key_rings=[resources.KeyRing(),], next_page_token="ghi",
+            ),
+            service.ListKeyRingsResponse(
+                key_rings=[resources.KeyRing(), resources.KeyRing(),],
+            ),
+            RuntimeError,
+        )
+
+        metadata = ()
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("parent", ""),)),
+        )
+        pager = client.list_key_rings(request={})
+
+        assert pager._metadata == metadata
+
+        results = [i for i in pager]
+        assert len(results) == 6
+        assert all(isinstance(i, resources.KeyRing) for i in results)
+
+
+def test_list_key_rings_pages():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials,)
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._transport.list_key_rings), "__call__") as call:
+        # Set the response to a series of pages.
+        call.side_effect = (
+            service.ListKeyRingsResponse(
+                key_rings=[
+                    resources.KeyRing(),
+                    resources.KeyRing(),
+                    resources.KeyRing(),
+                ],
+                next_page_token="abc",
+            ),
+            service.ListKeyRingsResponse(key_rings=[], next_page_token="def",),
+            service.ListKeyRingsResponse(
+                key_rings=[resources.KeyRing(),], next_page_token="ghi",
+            ),
+            service.ListKeyRingsResponse(
+                key_rings=[resources.KeyRing(), resources.KeyRing(),],
+            ),
+            RuntimeError,
+        )
+        pages = list(client.list_key_rings(request={}).pages)
+        for page, token in zip(pages, ["abc", "def", "ghi", ""]):
+            assert page.raw_page.next_page_token == token
+
+
+@pytest.mark.asyncio
+async def test_list_key_rings_async_pager():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials,
+    )
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.list_key_rings),
+        "__call__",
+        new_callable=mock.AsyncMock,
+    ) as call:
+        # Set the response to a series of pages.
+        call.side_effect = (
+            service.ListKeyRingsResponse(
+                key_rings=[
+                    resources.KeyRing(),
+                    resources.KeyRing(),
+                    resources.KeyRing(),
+                ],
+                next_page_token="abc",
+            ),
+            service.ListKeyRingsResponse(key_rings=[], next_page_token="def",),
+            service.ListKeyRingsResponse(
+                key_rings=[resources.KeyRing(),], next_page_token="ghi",
+            ),
+            service.ListKeyRingsResponse(
+                key_rings=[resources.KeyRing(), resources.KeyRing(),],
+            ),
+            RuntimeError,
+        )
+        async_pager = await client.list_key_rings(request={},)
+        assert async_pager.next_page_token == "abc"
+        responses = []
+        async for response in async_pager:
+            responses.append(response)
+
+        assert len(responses) == 6
+        assert all(isinstance(i, resources.KeyRing) for i in responses)
+
+
+@pytest.mark.asyncio
+async def test_list_key_rings_async_pages():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials,
+    )
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.list_key_rings),
+        "__call__",
+        new_callable=mock.AsyncMock,
+    ) as call:
+        # Set the response to a series of pages.
+        call.side_effect = (
+            service.ListKeyRingsResponse(
+                key_rings=[
+                    resources.KeyRing(),
+                    resources.KeyRing(),
+                    resources.KeyRing(),
+                ],
+                next_page_token="abc",
+            ),
+            service.ListKeyRingsResponse(key_rings=[], next_page_token="def",),
+            service.ListKeyRingsResponse(
+                key_rings=[resources.KeyRing(),], next_page_token="ghi",
+            ),
+            service.ListKeyRingsResponse(
+                key_rings=[resources.KeyRing(), resources.KeyRing(),],
+            ),
+            RuntimeError,
+        )
+        pages = []
+        async for page in (await client.list_key_rings(request={})).pages:
+            pages.append(page)
+        for page, token in zip(pages, ["abc", "def", "ghi", ""]):
+            assert page.raw_page.next_page_token == token
+
+
+def test_list_crypto_keys(transport: str = "grpc"):
+    client = KeyManagementServiceClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.ListCryptoKeysRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.list_crypto_keys), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = service.ListCryptoKeysResponse(
+            next_page_token="next_page_token_value", total_size=1086,
+        )
+
+        response = client.list_crypto_keys(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, pagers.ListCryptoKeysPager)
+
+    assert response.next_page_token == "next_page_token_value"
+
+    assert response.total_size == 1086
+
+
+@pytest.mark.asyncio
+async def test_list_crypto_keys_async(transport: str = "grpc_asyncio"):
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.ListCryptoKeysRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.list_crypto_keys), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            service.ListCryptoKeysResponse(
+                next_page_token="next_page_token_value", total_size=1086,
+            )
+        )
+
+        response = await client.list_crypto_keys(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, pagers.ListCryptoKeysAsyncPager)
+
+    assert response.next_page_token == "next_page_token_value"
+
+    assert response.total_size == 1086
+
+
+def test_list_crypto_keys_field_headers():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.ListCryptoKeysRequest()
+    request.parent = "parent/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.list_crypto_keys), "__call__"
+    ) as call:
+        call.return_value = service.ListCryptoKeysResponse()
+
+        client.list_crypto_keys(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "parent=parent/value",) in kw["metadata"]
+
+
+@pytest.mark.asyncio
+async def test_list_crypto_keys_field_headers_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.ListCryptoKeysRequest()
+    request.parent = "parent/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.list_crypto_keys), "__call__"
+    ) as call:
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            service.ListCryptoKeysResponse()
+        )
+
+        await client.list_crypto_keys(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "parent=parent/value",) in kw["metadata"]
+
+
+def test_list_crypto_keys_flattened():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.list_crypto_keys), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = service.ListCryptoKeysResponse()
+
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        client.list_crypto_keys(parent="parent_value",)
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].parent == "parent_value"
+
+
+def test_list_crypto_keys_flattened_error():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        client.list_crypto_keys(
+            service.ListCryptoKeysRequest(), parent="parent_value",
+        )
+
+
+@pytest.mark.asyncio
+async def test_list_crypto_keys_flattened_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.list_crypto_keys), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = service.ListCryptoKeysResponse()
+
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            service.ListCryptoKeysResponse()
+        )
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        response = await client.list_crypto_keys(parent="parent_value",)
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].parent == "parent_value"
+
+
+@pytest.mark.asyncio
+async def test_list_crypto_keys_flattened_error_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        await client.list_crypto_keys(
+            service.ListCryptoKeysRequest(), parent="parent_value",
+        )
+
+
+def test_list_crypto_keys_pager():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials,)
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.list_crypto_keys), "__call__"
+    ) as call:
+        # Set the response to a series of pages.
+        call.side_effect = (
+            service.ListCryptoKeysResponse(
+                crypto_keys=[
+                    resources.CryptoKey(),
+                    resources.CryptoKey(),
+                    resources.CryptoKey(),
+                ],
+                next_page_token="abc",
+            ),
+            service.ListCryptoKeysResponse(crypto_keys=[], next_page_token="def",),
+            service.ListCryptoKeysResponse(
+                crypto_keys=[resources.CryptoKey(),], next_page_token="ghi",
+            ),
+            service.ListCryptoKeysResponse(
+                crypto_keys=[resources.CryptoKey(), resources.CryptoKey(),],
+            ),
+            RuntimeError,
+        )
+
+        metadata = ()
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("parent", ""),)),
+        )
+        pager = client.list_crypto_keys(request={})
+
+        assert pager._metadata == metadata
+
+        results = [i for i in pager]
+        assert len(results) == 6
+        assert all(isinstance(i, resources.CryptoKey) for i in results)
+
+
+def test_list_crypto_keys_pages():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials,)
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.list_crypto_keys), "__call__"
+    ) as call:
+        # Set the response to a series of pages.
+        call.side_effect = (
+            service.ListCryptoKeysResponse(
+                crypto_keys=[
+                    resources.CryptoKey(),
+                    resources.CryptoKey(),
+                    resources.CryptoKey(),
+                ],
+                next_page_token="abc",
+            ),
+            service.ListCryptoKeysResponse(crypto_keys=[], next_page_token="def",),
+            service.ListCryptoKeysResponse(
+                crypto_keys=[resources.CryptoKey(),], next_page_token="ghi",
+            ),
+            service.ListCryptoKeysResponse(
+                crypto_keys=[resources.CryptoKey(), resources.CryptoKey(),],
+            ),
+            RuntimeError,
+        )
+        pages = list(client.list_crypto_keys(request={}).pages)
+        for page, token in zip(pages, ["abc", "def", "ghi", ""]):
+            assert page.raw_page.next_page_token == token
+
+
+@pytest.mark.asyncio
+async def test_list_crypto_keys_async_pager():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials,
+    )
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.list_crypto_keys),
+        "__call__",
+        new_callable=mock.AsyncMock,
+    ) as call:
+        # Set the response to a series of pages.
+        call.side_effect = (
+            service.ListCryptoKeysResponse(
+                crypto_keys=[
+                    resources.CryptoKey(),
+                    resources.CryptoKey(),
+                    resources.CryptoKey(),
+                ],
+                next_page_token="abc",
+            ),
+            service.ListCryptoKeysResponse(crypto_keys=[], next_page_token="def",),
+            service.ListCryptoKeysResponse(
+                crypto_keys=[resources.CryptoKey(),], next_page_token="ghi",
+            ),
+            service.ListCryptoKeysResponse(
+                crypto_keys=[resources.CryptoKey(), resources.CryptoKey(),],
+            ),
+            RuntimeError,
+        )
+        async_pager = await client.list_crypto_keys(request={},)
+        assert async_pager.next_page_token == "abc"
+        responses = []
+        async for response in async_pager:
+            responses.append(response)
+
+        assert len(responses) == 6
+        assert all(isinstance(i, resources.CryptoKey) for i in responses)
+
+
+@pytest.mark.asyncio
+async def test_list_crypto_keys_async_pages():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials,
+    )
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.list_crypto_keys),
+        "__call__",
+        new_callable=mock.AsyncMock,
+    ) as call:
+        # Set the response to a series of pages.
+        call.side_effect = (
+            service.ListCryptoKeysResponse(
+                crypto_keys=[
+                    resources.CryptoKey(),
+                    resources.CryptoKey(),
+                    resources.CryptoKey(),
+                ],
+                next_page_token="abc",
+            ),
+            service.ListCryptoKeysResponse(crypto_keys=[], next_page_token="def",),
+            service.ListCryptoKeysResponse(
+                crypto_keys=[resources.CryptoKey(),], next_page_token="ghi",
+            ),
+            service.ListCryptoKeysResponse(
+                crypto_keys=[resources.CryptoKey(), resources.CryptoKey(),],
+            ),
+            RuntimeError,
+        )
+        pages = []
+        async for page in (await client.list_crypto_keys(request={})).pages:
+            pages.append(page)
+        for page, token in zip(pages, ["abc", "def", "ghi", ""]):
+            assert page.raw_page.next_page_token == token
+
+
+def test_list_crypto_key_versions(transport: str = "grpc"):
+    client = KeyManagementServiceClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.ListCryptoKeyVersionsRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.list_crypto_key_versions), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = service.ListCryptoKeyVersionsResponse(
+            next_page_token="next_page_token_value", total_size=1086,
+        )
+
+        response = client.list_crypto_key_versions(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, pagers.ListCryptoKeyVersionsPager)
+
+    assert response.next_page_token == "next_page_token_value"
+
+    assert response.total_size == 1086
+
+
+@pytest.mark.asyncio
+async def test_list_crypto_key_versions_async(transport: str = "grpc_asyncio"):
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.ListCryptoKeyVersionsRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.list_crypto_key_versions), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            service.ListCryptoKeyVersionsResponse(
+                next_page_token="next_page_token_value", total_size=1086,
+            )
+        )
+
+        response = await client.list_crypto_key_versions(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, pagers.ListCryptoKeyVersionsAsyncPager)
+
+    assert response.next_page_token == "next_page_token_value"
+
+    assert response.total_size == 1086
+
+
+def test_list_crypto_key_versions_field_headers():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.ListCryptoKeyVersionsRequest()
+    request.parent = "parent/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.list_crypto_key_versions), "__call__"
+    ) as call:
+        call.return_value = service.ListCryptoKeyVersionsResponse()
+
+        client.list_crypto_key_versions(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "parent=parent/value",) in kw["metadata"]
+
+
+@pytest.mark.asyncio
+async def test_list_crypto_key_versions_field_headers_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.ListCryptoKeyVersionsRequest()
+    request.parent = "parent/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.list_crypto_key_versions), "__call__"
+    ) as call:
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            service.ListCryptoKeyVersionsResponse()
+        )
+
+        await client.list_crypto_key_versions(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "parent=parent/value",) in kw["metadata"]
+
+
+def test_list_crypto_key_versions_flattened():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.list_crypto_key_versions), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = service.ListCryptoKeyVersionsResponse()
+
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        client.list_crypto_key_versions(parent="parent_value",)
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].parent == "parent_value"
+
+
+def test_list_crypto_key_versions_flattened_error():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        client.list_crypto_key_versions(
+            service.ListCryptoKeyVersionsRequest(), parent="parent_value",
+        )
+
+
+@pytest.mark.asyncio
+async def test_list_crypto_key_versions_flattened_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.list_crypto_key_versions), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = service.ListCryptoKeyVersionsResponse()
+
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            service.ListCryptoKeyVersionsResponse()
+        )
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        response = await client.list_crypto_key_versions(parent="parent_value",)
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].parent == "parent_value"
+
+
+@pytest.mark.asyncio
+async def test_list_crypto_key_versions_flattened_error_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        await client.list_crypto_key_versions(
+            service.ListCryptoKeyVersionsRequest(), parent="parent_value",
+        )
+
+
+def test_list_crypto_key_versions_pager():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials,)
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.list_crypto_key_versions), "__call__"
+    ) as call:
+        # Set the response to a series of pages.
+        call.side_effect = (
+            service.ListCryptoKeyVersionsResponse(
+                crypto_key_versions=[
+                    resources.CryptoKeyVersion(),
+                    resources.CryptoKeyVersion(),
+                    resources.CryptoKeyVersion(),
+                ],
+                next_page_token="abc",
+            ),
+            service.ListCryptoKeyVersionsResponse(
+                crypto_key_versions=[], next_page_token="def",
+            ),
+            service.ListCryptoKeyVersionsResponse(
+                crypto_key_versions=[resources.CryptoKeyVersion(),],
+                next_page_token="ghi",
+            ),
+            service.ListCryptoKeyVersionsResponse(
+                crypto_key_versions=[
+                    resources.CryptoKeyVersion(),
+                    resources.CryptoKeyVersion(),
+                ],
+            ),
+            RuntimeError,
+        )
+
+        metadata = ()
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("parent", ""),)),
+        )
+        pager = client.list_crypto_key_versions(request={})
+
+        assert pager._metadata == metadata
+
+        results = [i for i in pager]
+        assert len(results) == 6
+        assert all(isinstance(i, resources.CryptoKeyVersion) for i in results)
+
+
+def test_list_crypto_key_versions_pages():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials,)
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.list_crypto_key_versions), "__call__"
+    ) as call:
+        # Set the response to a series of pages.
+        call.side_effect = (
+            service.ListCryptoKeyVersionsResponse(
+                crypto_key_versions=[
+                    resources.CryptoKeyVersion(),
+                    resources.CryptoKeyVersion(),
+                    resources.CryptoKeyVersion(),
+                ],
+                next_page_token="abc",
+            ),
+            service.ListCryptoKeyVersionsResponse(
+                crypto_key_versions=[], next_page_token="def",
+            ),
+            service.ListCryptoKeyVersionsResponse(
+                crypto_key_versions=[resources.CryptoKeyVersion(),],
+                next_page_token="ghi",
+            ),
+            service.ListCryptoKeyVersionsResponse(
+                crypto_key_versions=[
+                    resources.CryptoKeyVersion(),
+                    resources.CryptoKeyVersion(),
+                ],
+            ),
+            RuntimeError,
+        )
+        pages = list(client.list_crypto_key_versions(request={}).pages)
+        for page, token in zip(pages, ["abc", "def", "ghi", ""]):
+            assert page.raw_page.next_page_token == token
+
+
+@pytest.mark.asyncio
+async def test_list_crypto_key_versions_async_pager():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials,
+    )
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.list_crypto_key_versions),
+        "__call__",
+        new_callable=mock.AsyncMock,
+    ) as call:
+        # Set the response to a series of pages.
+        call.side_effect = (
+            service.ListCryptoKeyVersionsResponse(
+                crypto_key_versions=[
+                    resources.CryptoKeyVersion(),
+                    resources.CryptoKeyVersion(),
+                    resources.CryptoKeyVersion(),
+                ],
+                next_page_token="abc",
+            ),
+            service.ListCryptoKeyVersionsResponse(
+                crypto_key_versions=[], next_page_token="def",
+            ),
+            service.ListCryptoKeyVersionsResponse(
+                crypto_key_versions=[resources.CryptoKeyVersion(),],
+                next_page_token="ghi",
+            ),
+            service.ListCryptoKeyVersionsResponse(
+                crypto_key_versions=[
+                    resources.CryptoKeyVersion(),
+                    resources.CryptoKeyVersion(),
+                ],
+            ),
+            RuntimeError,
+        )
+        async_pager = await client.list_crypto_key_versions(request={},)
+        assert async_pager.next_page_token == "abc"
+        responses = []
+        async for response in async_pager:
+            responses.append(response)
+
+        assert len(responses) == 6
+        assert all(isinstance(i, resources.CryptoKeyVersion) for i in responses)
+
+
+@pytest.mark.asyncio
+async def test_list_crypto_key_versions_async_pages():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials,
+    )
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.list_crypto_key_versions),
+        "__call__",
+        new_callable=mock.AsyncMock,
+    ) as call:
+        # Set the response to a series of pages.
+        call.side_effect = (
+            service.ListCryptoKeyVersionsResponse(
+                crypto_key_versions=[
+                    resources.CryptoKeyVersion(),
+                    resources.CryptoKeyVersion(),
+                    resources.CryptoKeyVersion(),
+                ],
+                next_page_token="abc",
+            ),
+            service.ListCryptoKeyVersionsResponse(
+                crypto_key_versions=[], next_page_token="def",
+            ),
+            service.ListCryptoKeyVersionsResponse(
+                crypto_key_versions=[resources.CryptoKeyVersion(),],
+                next_page_token="ghi",
+            ),
+            service.ListCryptoKeyVersionsResponse(
+                crypto_key_versions=[
+                    resources.CryptoKeyVersion(),
+                    resources.CryptoKeyVersion(),
+                ],
+            ),
+            RuntimeError,
+        )
+        pages = []
+        async for page in (await client.list_crypto_key_versions(request={})).pages:
+            pages.append(page)
+        for page, token in zip(pages, ["abc", "def", "ghi", ""]):
+            assert page.raw_page.next_page_token == token
+
+
+def test_list_import_jobs(transport: str = "grpc"):
+    client = KeyManagementServiceClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.ListImportJobsRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.list_import_jobs), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = service.ListImportJobsResponse(
+            next_page_token="next_page_token_value", total_size=1086,
+        )
+
+        response = client.list_import_jobs(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, pagers.ListImportJobsPager)
+
+    assert response.next_page_token == "next_page_token_value"
+
+    assert response.total_size == 1086
+
+
+@pytest.mark.asyncio
+async def test_list_import_jobs_async(transport: str = "grpc_asyncio"):
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.ListImportJobsRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.list_import_jobs), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            service.ListImportJobsResponse(
+                next_page_token="next_page_token_value", total_size=1086,
+            )
+        )
+
+        response = await client.list_import_jobs(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, pagers.ListImportJobsAsyncPager)
+
+    assert response.next_page_token == "next_page_token_value"
+
+    assert response.total_size == 1086
+
+
+def test_list_import_jobs_field_headers():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.ListImportJobsRequest()
+    request.parent = "parent/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.list_import_jobs), "__call__"
+    ) as call:
+        call.return_value = service.ListImportJobsResponse()
+
+        client.list_import_jobs(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "parent=parent/value",) in kw["metadata"]
+
+
+@pytest.mark.asyncio
+async def test_list_import_jobs_field_headers_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.ListImportJobsRequest()
+    request.parent = "parent/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.list_import_jobs), "__call__"
+    ) as call:
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            service.ListImportJobsResponse()
+        )
+
+        await client.list_import_jobs(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "parent=parent/value",) in kw["metadata"]
+
+
+def test_list_import_jobs_flattened():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.list_import_jobs), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = service.ListImportJobsResponse()
+
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        client.list_import_jobs(parent="parent_value",)
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].parent == "parent_value"
+
+
+def test_list_import_jobs_flattened_error():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        client.list_import_jobs(
+            service.ListImportJobsRequest(), parent="parent_value",
+        )
+
+
+@pytest.mark.asyncio
+async def test_list_import_jobs_flattened_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.list_import_jobs), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = service.ListImportJobsResponse()
+
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            service.ListImportJobsResponse()
+        )
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        response = await client.list_import_jobs(parent="parent_value",)
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].parent == "parent_value"
+
+
+@pytest.mark.asyncio
+async def test_list_import_jobs_flattened_error_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        await client.list_import_jobs(
+            service.ListImportJobsRequest(), parent="parent_value",
+        )
+
+
+def test_list_import_jobs_pager():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials,)
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.list_import_jobs), "__call__"
+    ) as call:
+        # Set the response to a series of pages.
+        call.side_effect = (
+            service.ListImportJobsResponse(
+                import_jobs=[
+                    resources.ImportJob(),
+                    resources.ImportJob(),
+                    resources.ImportJob(),
+                ],
+                next_page_token="abc",
+            ),
+            service.ListImportJobsResponse(import_jobs=[], next_page_token="def",),
+            service.ListImportJobsResponse(
+                import_jobs=[resources.ImportJob(),], next_page_token="ghi",
+            ),
+            service.ListImportJobsResponse(
+                import_jobs=[resources.ImportJob(), resources.ImportJob(),],
+            ),
+            RuntimeError,
+        )
+
+        metadata = ()
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("parent", ""),)),
+        )
+        pager = client.list_import_jobs(request={})
+
+        assert pager._metadata == metadata
+
+        results = [i for i in pager]
+        assert len(results) == 6
+        assert all(isinstance(i, resources.ImportJob) for i in results)
+
+
+def test_list_import_jobs_pages():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials,)
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.list_import_jobs), "__call__"
+    ) as call:
+        # Set the response to a series of pages.
+        call.side_effect = (
+            service.ListImportJobsResponse(
+                import_jobs=[
+                    resources.ImportJob(),
+                    resources.ImportJob(),
+                    resources.ImportJob(),
+                ],
+                next_page_token="abc",
+            ),
+            service.ListImportJobsResponse(import_jobs=[], next_page_token="def",),
+            service.ListImportJobsResponse(
+                import_jobs=[resources.ImportJob(),], next_page_token="ghi",
+            ),
+            service.ListImportJobsResponse(
+                import_jobs=[resources.ImportJob(), resources.ImportJob(),],
+            ),
+            RuntimeError,
+        )
+        pages = list(client.list_import_jobs(request={}).pages)
+        for page, token in zip(pages, ["abc", "def", "ghi", ""]):
+            assert page.raw_page.next_page_token == token
+
+
+@pytest.mark.asyncio
+async def test_list_import_jobs_async_pager():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials,
+    )
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.list_import_jobs),
+        "__call__",
+        new_callable=mock.AsyncMock,
+    ) as call:
+        # Set the response to a series of pages.
+        call.side_effect = (
+            service.ListImportJobsResponse(
+                import_jobs=[
+                    resources.ImportJob(),
+                    resources.ImportJob(),
+                    resources.ImportJob(),
+                ],
+                next_page_token="abc",
+            ),
+            service.ListImportJobsResponse(import_jobs=[], next_page_token="def",),
+            service.ListImportJobsResponse(
+                import_jobs=[resources.ImportJob(),], next_page_token="ghi",
+            ),
+            service.ListImportJobsResponse(
+                import_jobs=[resources.ImportJob(), resources.ImportJob(),],
+            ),
+            RuntimeError,
+        )
+        async_pager = await client.list_import_jobs(request={},)
+        assert async_pager.next_page_token == "abc"
+        responses = []
+        async for response in async_pager:
+            responses.append(response)
+
+        assert len(responses) == 6
+        assert all(isinstance(i, resources.ImportJob) for i in responses)
+
+
+@pytest.mark.asyncio
+async def test_list_import_jobs_async_pages():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials,
+    )
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.list_import_jobs),
+        "__call__",
+        new_callable=mock.AsyncMock,
+    ) as call:
+        # Set the response to a series of pages.
+        call.side_effect = (
+            service.ListImportJobsResponse(
+                import_jobs=[
+                    resources.ImportJob(),
+                    resources.ImportJob(),
+                    resources.ImportJob(),
+                ],
+                next_page_token="abc",
+            ),
+            service.ListImportJobsResponse(import_jobs=[], next_page_token="def",),
+            service.ListImportJobsResponse(
+                import_jobs=[resources.ImportJob(),], next_page_token="ghi",
+            ),
+            service.ListImportJobsResponse(
+                import_jobs=[resources.ImportJob(), resources.ImportJob(),],
+            ),
+            RuntimeError,
+        )
+        pages = []
+        async for page in (await client.list_import_jobs(request={})).pages:
+            pages.append(page)
+        for page, token in zip(pages, ["abc", "def", "ghi", ""]):
+            assert page.raw_page.next_page_token == token
+
+
+def test_get_key_ring(transport: str = "grpc"):
+    client = KeyManagementServiceClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.GetKeyRingRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._transport.get_key_ring), "__call__") as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.KeyRing(name="name_value",)
+
+        response = client.get_key_ring(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, resources.KeyRing)
+
+    assert response.name == "name_value"
+
+
+@pytest.mark.asyncio
+async def test_get_key_ring_async(transport: str = "grpc_asyncio"):
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.GetKeyRingRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.get_key_ring), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            resources.KeyRing(name="name_value",)
+        )
+
+        response = await client.get_key_ring(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, resources.KeyRing)
+
+    assert response.name == "name_value"
+
+
+def test_get_key_ring_field_headers():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.GetKeyRingRequest()
+    request.name = "name/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._transport.get_key_ring), "__call__") as call:
+        call.return_value = resources.KeyRing()
+
+        client.get_key_ring(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "name=name/value",) in kw["metadata"]
+
+
+@pytest.mark.asyncio
+async def test_get_key_ring_field_headers_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.GetKeyRingRequest()
+    request.name = "name/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.get_key_ring), "__call__"
+    ) as call:
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(resources.KeyRing())
+
+        await client.get_key_ring(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "name=name/value",) in kw["metadata"]
+
+
+def test_get_key_ring_flattened():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._transport.get_key_ring), "__call__") as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.KeyRing()
+
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        client.get_key_ring(name="name_value",)
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].name == "name_value"
+
+
+def test_get_key_ring_flattened_error():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        client.get_key_ring(
+            service.GetKeyRingRequest(), name="name_value",
+        )
+
+
+@pytest.mark.asyncio
+async def test_get_key_ring_flattened_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.get_key_ring), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.KeyRing()
+
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(resources.KeyRing())
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        response = await client.get_key_ring(name="name_value",)
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].name == "name_value"
+
+
+@pytest.mark.asyncio
+async def test_get_key_ring_flattened_error_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        await client.get_key_ring(
+            service.GetKeyRingRequest(), name="name_value",
+        )
+
+
+def test_get_crypto_key(transport: str = "grpc"):
+    client = KeyManagementServiceClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.GetCryptoKeyRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._transport.get_crypto_key), "__call__") as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.CryptoKey(
+            name="name_value",
+            purpose=resources.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT,
+            rotation_period=duration.Duration(seconds=751),
+        )
+
+        response = client.get_crypto_key(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, resources.CryptoKey)
+
+    assert response.name == "name_value"
+
+    assert response.purpose == resources.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
+
+
+@pytest.mark.asyncio
+async def test_get_crypto_key_async(transport: str = "grpc_asyncio"):
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.GetCryptoKeyRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.get_crypto_key), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            resources.CryptoKey(
+                name="name_value",
+                purpose=resources.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT,
+            )
+        )
+
+        response = await client.get_crypto_key(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, resources.CryptoKey)
+
+    assert response.name == "name_value"
+
+    assert response.purpose == resources.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
+
+
+def test_get_crypto_key_field_headers():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.GetCryptoKeyRequest()
+    request.name = "name/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._transport.get_crypto_key), "__call__") as call:
+        call.return_value = resources.CryptoKey()
+
+        client.get_crypto_key(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "name=name/value",) in kw["metadata"]
+
+
+@pytest.mark.asyncio
+async def test_get_crypto_key_field_headers_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.GetCryptoKeyRequest()
+    request.name = "name/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.get_crypto_key), "__call__"
+    ) as call:
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(resources.CryptoKey())
+
+        await client.get_crypto_key(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "name=name/value",) in kw["metadata"]
+
+
+def test_get_crypto_key_flattened():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._transport.get_crypto_key), "__call__") as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.CryptoKey()
+
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        client.get_crypto_key(name="name_value",)
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].name == "name_value"
+
+
+def test_get_crypto_key_flattened_error():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        client.get_crypto_key(
+            service.GetCryptoKeyRequest(), name="name_value",
+        )
+
+
+@pytest.mark.asyncio
+async def test_get_crypto_key_flattened_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.get_crypto_key), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.CryptoKey()
+
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(resources.CryptoKey())
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        response = await client.get_crypto_key(name="name_value",)
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].name == "name_value"
+
+
+@pytest.mark.asyncio
+async def test_get_crypto_key_flattened_error_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        await client.get_crypto_key(
+            service.GetCryptoKeyRequest(), name="name_value",
+        )
+
+
+def test_get_crypto_key_version(transport: str = "grpc"):
+    client = KeyManagementServiceClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.GetCryptoKeyVersionRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.get_crypto_key_version), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.CryptoKeyVersion(
+            name="name_value",
+            state=resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION,
+            protection_level=resources.ProtectionLevel.SOFTWARE,
+            algorithm=resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION,
+            import_job="import_job_value",
+            import_failure_reason="import_failure_reason_value",
+        )
+
+        response = client.get_crypto_key_version(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, resources.CryptoKeyVersion)
+
+    assert response.name == "name_value"
+
+    assert (
+        response.state
+        == resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION
+    )
+
+    assert response.protection_level == resources.ProtectionLevel.SOFTWARE
+
+    assert (
+        response.algorithm
+        == resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION
+    )
+
+    assert response.import_job == "import_job_value"
+
+    assert response.import_failure_reason == "import_failure_reason_value"
+
+
+@pytest.mark.asyncio
+async def test_get_crypto_key_version_async(transport: str = "grpc_asyncio"):
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.GetCryptoKeyVersionRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.get_crypto_key_version), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            resources.CryptoKeyVersion(
+                name="name_value",
+                state=resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION,
+                protection_level=resources.ProtectionLevel.SOFTWARE,
+                algorithm=resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION,
+                import_job="import_job_value",
+                import_failure_reason="import_failure_reason_value",
+            )
+        )
+
+        response = await client.get_crypto_key_version(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, resources.CryptoKeyVersion)
+
+    assert response.name == "name_value"
+
+    assert (
+        response.state
+        == resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION
+    )
+
+    assert response.protection_level == resources.ProtectionLevel.SOFTWARE
+
+    assert (
+        response.algorithm
+        == resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION
+    )
+
+    assert response.import_job == "import_job_value"
+
+    assert response.import_failure_reason == "import_failure_reason_value"
+
+
+def test_get_crypto_key_version_field_headers():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.GetCryptoKeyVersionRequest()
+    request.name = "name/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.get_crypto_key_version), "__call__"
+    ) as call:
+        call.return_value = resources.CryptoKeyVersion()
+
+        client.get_crypto_key_version(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "name=name/value",) in kw["metadata"]
+
+
+@pytest.mark.asyncio
+async def test_get_crypto_key_version_field_headers_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.GetCryptoKeyVersionRequest()
+    request.name = "name/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.get_crypto_key_version), "__call__"
+    ) as call:
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            resources.CryptoKeyVersion()
+        )
+
+        await client.get_crypto_key_version(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "name=name/value",) in kw["metadata"]
+
+
+def test_get_crypto_key_version_flattened():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.get_crypto_key_version), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.CryptoKeyVersion()
+
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        client.get_crypto_key_version(name="name_value",)
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].name == "name_value"
+
+
+def test_get_crypto_key_version_flattened_error():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        client.get_crypto_key_version(
+            service.GetCryptoKeyVersionRequest(), name="name_value",
+        )
+
+
+@pytest.mark.asyncio
+async def test_get_crypto_key_version_flattened_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.get_crypto_key_version), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.CryptoKeyVersion()
+
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            resources.CryptoKeyVersion()
+        )
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        response = await client.get_crypto_key_version(name="name_value",)
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].name == "name_value"
+
+
+@pytest.mark.asyncio
+async def test_get_crypto_key_version_flattened_error_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        await client.get_crypto_key_version(
+            service.GetCryptoKeyVersionRequest(), name="name_value",
+        )
+
+
+def test_get_public_key(transport: str = "grpc"):
+    client = KeyManagementServiceClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.GetPublicKeyRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._transport.get_public_key), "__call__") as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.PublicKey(
+            pem="pem_value",
+            algorithm=resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION,
+        )
+
+        response = client.get_public_key(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, resources.PublicKey)
+
+    assert response.pem == "pem_value"
+
+    assert (
+        response.algorithm
+        == resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION
+    )
+
+
+@pytest.mark.asyncio
+async def test_get_public_key_async(transport: str = "grpc_asyncio"):
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.GetPublicKeyRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.get_public_key), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            resources.PublicKey(
+                pem="pem_value",
+                algorithm=resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION,
+            )
+        )
+
+        response = await client.get_public_key(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, resources.PublicKey)
+
+    assert response.pem == "pem_value"
+
+    assert (
+        response.algorithm
+        == resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION
+    )
+
+
+def test_get_public_key_field_headers():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.GetPublicKeyRequest()
+    request.name = "name/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._transport.get_public_key), "__call__") as call:
+        call.return_value = resources.PublicKey()
+
+        client.get_public_key(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "name=name/value",) in kw["metadata"]
+
+
+@pytest.mark.asyncio
+async def test_get_public_key_field_headers_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.GetPublicKeyRequest()
+    request.name = "name/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.get_public_key), "__call__"
+    ) as call:
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(resources.PublicKey())
+
+        await client.get_public_key(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "name=name/value",) in kw["metadata"]
+
+
+def test_get_public_key_flattened():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._transport.get_public_key), "__call__") as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.PublicKey()
+
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        client.get_public_key(name="name_value",)
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].name == "name_value"
+
+
+def test_get_public_key_flattened_error():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        client.get_public_key(
+            service.GetPublicKeyRequest(), name="name_value",
+        )
+
+
+@pytest.mark.asyncio
+async def test_get_public_key_flattened_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.get_public_key), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.PublicKey()
+
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(resources.PublicKey())
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        response = await client.get_public_key(name="name_value",)
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].name == "name_value"
+
+
+@pytest.mark.asyncio
+async def test_get_public_key_flattened_error_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        await client.get_public_key(
+            service.GetPublicKeyRequest(), name="name_value",
+        )
+
+
+def test_get_import_job(transport: str = "grpc"):
+    client = KeyManagementServiceClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.GetImportJobRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._transport.get_import_job), "__call__") as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.ImportJob(
+            name="name_value",
+            import_method=resources.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256,
+            protection_level=resources.ProtectionLevel.SOFTWARE,
+            state=resources.ImportJob.ImportJobState.PENDING_GENERATION,
+        )
+
+        response = client.get_import_job(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, resources.ImportJob)
+
+    assert response.name == "name_value"
+
+    assert (
+        response.import_method
+        == resources.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256
+    )
+
+    assert response.protection_level == resources.ProtectionLevel.SOFTWARE
+
+    assert response.state == resources.ImportJob.ImportJobState.PENDING_GENERATION
+
+
+@pytest.mark.asyncio
+async def test_get_import_job_async(transport: str = "grpc_asyncio"):
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.GetImportJobRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.get_import_job), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            resources.ImportJob(
+                name="name_value",
+                import_method=resources.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256,
+                protection_level=resources.ProtectionLevel.SOFTWARE,
+                state=resources.ImportJob.ImportJobState.PENDING_GENERATION,
+            )
+        )
+
+        response = await client.get_import_job(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, resources.ImportJob)
+
+    assert response.name == "name_value"
+
+    assert (
+        response.import_method
+        == resources.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256
+    )
+
+    assert response.protection_level == resources.ProtectionLevel.SOFTWARE
+
+    assert response.state == resources.ImportJob.ImportJobState.PENDING_GENERATION
+
+
+def test_get_import_job_field_headers():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.GetImportJobRequest()
+    request.name = "name/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._transport.get_import_job), "__call__") as call:
+        call.return_value = resources.ImportJob()
+
+        client.get_import_job(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "name=name/value",) in kw["metadata"]
+
+
+@pytest.mark.asyncio
+async def test_get_import_job_field_headers_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.GetImportJobRequest()
+    request.name = "name/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.get_import_job), "__call__"
+    ) as call:
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(resources.ImportJob())
+
+        await client.get_import_job(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "name=name/value",) in kw["metadata"]
+
+
+def test_get_import_job_flattened():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._transport.get_import_job), "__call__") as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.ImportJob()
+
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        client.get_import_job(name="name_value",)
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].name == "name_value"
+
+
+def test_get_import_job_flattened_error():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        client.get_import_job(
+            service.GetImportJobRequest(), name="name_value",
+        )
+
+
+@pytest.mark.asyncio
+async def test_get_import_job_flattened_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.get_import_job), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.ImportJob()
+
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(resources.ImportJob())
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        response = await client.get_import_job(name="name_value",)
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].name == "name_value"
+
+
+@pytest.mark.asyncio
+async def test_get_import_job_flattened_error_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        await client.get_import_job(
+            service.GetImportJobRequest(), name="name_value",
+        )
+
+
+def test_create_key_ring(transport: str = "grpc"):
+    client = KeyManagementServiceClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.CreateKeyRingRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._transport.create_key_ring), "__call__") as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.KeyRing(name="name_value",)
+
+        response = client.create_key_ring(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, resources.KeyRing)
+
+    assert response.name == "name_value"
+
+
+@pytest.mark.asyncio
+async def test_create_key_ring_async(transport: str = "grpc_asyncio"):
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.CreateKeyRingRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.create_key_ring), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            resources.KeyRing(name="name_value",)
+        )
+
+        response = await client.create_key_ring(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, resources.KeyRing)
+
+    assert response.name == "name_value"
+
+
+def test_create_key_ring_field_headers():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.CreateKeyRingRequest()
+    request.parent = "parent/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._transport.create_key_ring), "__call__") as call:
+        call.return_value = resources.KeyRing()
+
+        client.create_key_ring(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "parent=parent/value",) in kw["metadata"]
+
+
+@pytest.mark.asyncio
+async def test_create_key_ring_field_headers_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.CreateKeyRingRequest()
+    request.parent = "parent/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.create_key_ring), "__call__"
+    ) as call:
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(resources.KeyRing())
+
+        await client.create_key_ring(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "parent=parent/value",) in kw["metadata"]
+
+
+def test_create_key_ring_flattened():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._transport.create_key_ring), "__call__") as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.KeyRing()
+
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        client.create_key_ring(
+            parent="parent_value",
+            key_ring_id="key_ring_id_value",
+            key_ring=resources.KeyRing(name="name_value"),
+        )
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].parent == "parent_value"
+
+        assert args[0].key_ring_id == "key_ring_id_value"
+
+        assert args[0].key_ring == resources.KeyRing(name="name_value")
+
+
+def test_create_key_ring_flattened_error():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        client.create_key_ring(
+            service.CreateKeyRingRequest(),
+            parent="parent_value",
+            key_ring_id="key_ring_id_value",
+            key_ring=resources.KeyRing(name="name_value"),
+        )
+
+
+@pytest.mark.asyncio
+async def test_create_key_ring_flattened_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.create_key_ring), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.KeyRing()
+
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(resources.KeyRing())
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        response = await client.create_key_ring(
+            parent="parent_value",
+            key_ring_id="key_ring_id_value",
+            key_ring=resources.KeyRing(name="name_value"),
+        )
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].parent == "parent_value"
+
+        assert args[0].key_ring_id == "key_ring_id_value"
+
+        assert args[0].key_ring == resources.KeyRing(name="name_value")
+
+
+@pytest.mark.asyncio
+async def test_create_key_ring_flattened_error_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        await client.create_key_ring(
+            service.CreateKeyRingRequest(),
+            parent="parent_value",
+            key_ring_id="key_ring_id_value",
+            key_ring=resources.KeyRing(name="name_value"),
+        )
+
+
+def test_create_crypto_key(transport: str = "grpc"):
+    client = KeyManagementServiceClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.CreateCryptoKeyRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.create_crypto_key), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.CryptoKey(
+            name="name_value",
+            purpose=resources.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT,
+            rotation_period=duration.Duration(seconds=751),
+        )
+
+        response = client.create_crypto_key(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, resources.CryptoKey)
+
+    assert response.name == "name_value"
+
+    assert response.purpose == resources.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
+
+
+@pytest.mark.asyncio
+async def test_create_crypto_key_async(transport: str = "grpc_asyncio"):
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.CreateCryptoKeyRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.create_crypto_key), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            resources.CryptoKey(
+                name="name_value",
+                purpose=resources.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT,
+            )
+        )
+
+        response = await client.create_crypto_key(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, resources.CryptoKey)
+
+    assert response.name == "name_value"
+
+    assert response.purpose == resources.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
+
+
+def test_create_crypto_key_field_headers():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.CreateCryptoKeyRequest()
+    request.parent = "parent/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.create_crypto_key), "__call__"
+    ) as call:
+        call.return_value = resources.CryptoKey()
+
+        client.create_crypto_key(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "parent=parent/value",) in kw["metadata"]
+
+
+@pytest.mark.asyncio
+async def test_create_crypto_key_field_headers_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.CreateCryptoKeyRequest()
+    request.parent = "parent/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.create_crypto_key), "__call__"
+    ) as call:
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(resources.CryptoKey())
+
+        await client.create_crypto_key(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "parent=parent/value",) in kw["metadata"]
+
+
+def test_create_crypto_key_flattened():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.create_crypto_key), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.CryptoKey()
+
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        client.create_crypto_key(
+            parent="parent_value",
+            crypto_key_id="crypto_key_id_value",
+            crypto_key=resources.CryptoKey(name="name_value"),
+        )
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].parent == "parent_value"
+
+        assert args[0].crypto_key_id == "crypto_key_id_value"
+
+        assert args[0].crypto_key == resources.CryptoKey(name="name_value")
+
+
+def test_create_crypto_key_flattened_error():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        client.create_crypto_key(
+            service.CreateCryptoKeyRequest(),
+            parent="parent_value",
+            crypto_key_id="crypto_key_id_value",
+            crypto_key=resources.CryptoKey(name="name_value"),
+        )
+
+
+@pytest.mark.asyncio
+async def test_create_crypto_key_flattened_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.create_crypto_key), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.CryptoKey()
+
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(resources.CryptoKey())
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        response = await client.create_crypto_key(
+            parent="parent_value",
+            crypto_key_id="crypto_key_id_value",
+            crypto_key=resources.CryptoKey(name="name_value"),
+        )
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].parent == "parent_value"
+
+        assert args[0].crypto_key_id == "crypto_key_id_value"
+
+        assert args[0].crypto_key == resources.CryptoKey(name="name_value")
+
+
+@pytest.mark.asyncio
+async def test_create_crypto_key_flattened_error_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        await client.create_crypto_key(
+            service.CreateCryptoKeyRequest(),
+            parent="parent_value",
+            crypto_key_id="crypto_key_id_value",
+            crypto_key=resources.CryptoKey(name="name_value"),
+        )
+
+
+def test_create_crypto_key_version(transport: str = "grpc"):
+    client = KeyManagementServiceClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.CreateCryptoKeyVersionRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.create_crypto_key_version), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.CryptoKeyVersion(
+            name="name_value",
+            state=resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION,
+            protection_level=resources.ProtectionLevel.SOFTWARE,
+            algorithm=resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION,
+            import_job="import_job_value",
+            import_failure_reason="import_failure_reason_value",
+        )
+
+        response = client.create_crypto_key_version(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, resources.CryptoKeyVersion)
+
+    assert response.name == "name_value"
+
+    assert (
+        response.state
+        == resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION
+    )
+
+    assert response.protection_level == resources.ProtectionLevel.SOFTWARE
+
+    assert (
+        response.algorithm
+        == resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION
+    )
+
+    assert response.import_job == "import_job_value"
+
+    assert response.import_failure_reason == "import_failure_reason_value"
+
+
+@pytest.mark.asyncio
+async def test_create_crypto_key_version_async(transport: str = "grpc_asyncio"):
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.CreateCryptoKeyVersionRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.create_crypto_key_version), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            resources.CryptoKeyVersion(
+                name="name_value",
+                state=resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION,
+                protection_level=resources.ProtectionLevel.SOFTWARE,
+                algorithm=resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION,
+                import_job="import_job_value",
+                import_failure_reason="import_failure_reason_value",
+            )
+        )
+
+        response = await client.create_crypto_key_version(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, resources.CryptoKeyVersion)
+
+    assert response.name == "name_value"
+
+    assert (
+        response.state
+        == resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION
+    )
+
+    assert response.protection_level == resources.ProtectionLevel.SOFTWARE
+
+    assert (
+        response.algorithm
+        == resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION
+    )
+
+    assert response.import_job == "import_job_value"
+
+    assert response.import_failure_reason == "import_failure_reason_value"
+
+
+def test_create_crypto_key_version_field_headers():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.CreateCryptoKeyVersionRequest()
+    request.parent = "parent/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.create_crypto_key_version), "__call__"
+    ) as call:
+        call.return_value = resources.CryptoKeyVersion()
+
+        client.create_crypto_key_version(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "parent=parent/value",) in kw["metadata"]
+
+
+@pytest.mark.asyncio
+async def test_create_crypto_key_version_field_headers_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.CreateCryptoKeyVersionRequest()
+    request.parent = "parent/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.create_crypto_key_version), "__call__"
+    ) as call:
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            resources.CryptoKeyVersion()
+        )
+
+        await client.create_crypto_key_version(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "parent=parent/value",) in kw["metadata"]
+
+
+def test_create_crypto_key_version_flattened():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.create_crypto_key_version), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.CryptoKeyVersion()
+
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        client.create_crypto_key_version(
+            parent="parent_value",
+            crypto_key_version=resources.CryptoKeyVersion(name="name_value"),
+        )
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].parent == "parent_value"
+
+        assert args[0].crypto_key_version == resources.CryptoKeyVersion(
+            name="name_value"
+        )
+
+
+def test_create_crypto_key_version_flattened_error():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        client.create_crypto_key_version(
+            service.CreateCryptoKeyVersionRequest(),
+            parent="parent_value",
+            crypto_key_version=resources.CryptoKeyVersion(name="name_value"),
+        )
+
+
+@pytest.mark.asyncio
+async def test_create_crypto_key_version_flattened_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.create_crypto_key_version), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.CryptoKeyVersion()
+
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            resources.CryptoKeyVersion()
+        )
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        response = await client.create_crypto_key_version(
+            parent="parent_value",
+            crypto_key_version=resources.CryptoKeyVersion(name="name_value"),
+        )
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].parent == "parent_value"
+
+        assert args[0].crypto_key_version == resources.CryptoKeyVersion(
+            name="name_value"
+        )
+
+
+@pytest.mark.asyncio
+async def test_create_crypto_key_version_flattened_error_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        await client.create_crypto_key_version(
+            service.CreateCryptoKeyVersionRequest(),
+            parent="parent_value",
+            crypto_key_version=resources.CryptoKeyVersion(name="name_value"),
+        )
+
+
+def test_import_crypto_key_version(transport: str = "grpc"):
+    client = KeyManagementServiceClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.ImportCryptoKeyVersionRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.import_crypto_key_version), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.CryptoKeyVersion(
+            name="name_value",
+            state=resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION,
+            protection_level=resources.ProtectionLevel.SOFTWARE,
+            algorithm=resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION,
+            import_job="import_job_value",
+            import_failure_reason="import_failure_reason_value",
+        )
+
+        response = client.import_crypto_key_version(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, resources.CryptoKeyVersion)
+
+    assert response.name == "name_value"
+
+    assert (
+        response.state
+        == resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION
+    )
+
+    assert response.protection_level == resources.ProtectionLevel.SOFTWARE
+
+    assert (
+        response.algorithm
+        == resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION
+    )
+
+    assert response.import_job == "import_job_value"
+
+    assert response.import_failure_reason == "import_failure_reason_value"
+
+
+@pytest.mark.asyncio
+async def test_import_crypto_key_version_async(transport: str = "grpc_asyncio"):
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.ImportCryptoKeyVersionRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.import_crypto_key_version), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            resources.CryptoKeyVersion(
+                name="name_value",
+                state=resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION,
+                protection_level=resources.ProtectionLevel.SOFTWARE,
+                algorithm=resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION,
+                import_job="import_job_value",
+                import_failure_reason="import_failure_reason_value",
+            )
+        )
+
+        response = await client.import_crypto_key_version(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, resources.CryptoKeyVersion)
+
+    assert response.name == "name_value"
+
+    assert (
+        response.state
+        == resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION
+    )
+
+    assert response.protection_level == resources.ProtectionLevel.SOFTWARE
+
+    assert (
+        response.algorithm
+        == resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION
+    )
+
+    assert response.import_job == "import_job_value"
+
+    assert response.import_failure_reason == "import_failure_reason_value"
+
+
+def test_import_crypto_key_version_field_headers():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.ImportCryptoKeyVersionRequest()
+    request.parent = "parent/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.import_crypto_key_version), "__call__"
+    ) as call:
+        call.return_value = resources.CryptoKeyVersion()
+
+        client.import_crypto_key_version(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "parent=parent/value",) in kw["metadata"]
+
+
+@pytest.mark.asyncio
+async def test_import_crypto_key_version_field_headers_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.ImportCryptoKeyVersionRequest()
+    request.parent = "parent/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.import_crypto_key_version), "__call__"
+    ) as call:
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            resources.CryptoKeyVersion()
+        )
+
+        await client.import_crypto_key_version(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "parent=parent/value",) in kw["metadata"]
+
+
+def test_create_import_job(transport: str = "grpc"):
+    client = KeyManagementServiceClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.CreateImportJobRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.create_import_job), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.ImportJob(
+            name="name_value",
+            import_method=resources.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256,
+            protection_level=resources.ProtectionLevel.SOFTWARE,
+            state=resources.ImportJob.ImportJobState.PENDING_GENERATION,
+        )
+
+        response = client.create_import_job(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, resources.ImportJob)
+
+    assert response.name == "name_value"
+
+    assert (
+        response.import_method
+        == resources.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256
+    )
+
+    assert response.protection_level == resources.ProtectionLevel.SOFTWARE
+
+    assert response.state == resources.ImportJob.ImportJobState.PENDING_GENERATION
+
+
+@pytest.mark.asyncio
+async def test_create_import_job_async(transport: str = "grpc_asyncio"):
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.CreateImportJobRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.create_import_job), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            resources.ImportJob(
+                name="name_value",
+                import_method=resources.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256,
+                protection_level=resources.ProtectionLevel.SOFTWARE,
+                state=resources.ImportJob.ImportJobState.PENDING_GENERATION,
+            )
+        )
+
+        response = await client.create_import_job(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, resources.ImportJob)
+
+    assert response.name == "name_value"
+
+    assert (
+        response.import_method
+        == resources.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256
+    )
+
+    assert response.protection_level == resources.ProtectionLevel.SOFTWARE
+
+    assert response.state == resources.ImportJob.ImportJobState.PENDING_GENERATION
+
+
+def test_create_import_job_field_headers():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.CreateImportJobRequest()
+    request.parent = "parent/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.create_import_job), "__call__"
+    ) as call:
+        call.return_value = resources.ImportJob()
+
+        client.create_import_job(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "parent=parent/value",) in kw["metadata"]
+
+
+@pytest.mark.asyncio
+async def test_create_import_job_field_headers_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.CreateImportJobRequest()
+    request.parent = "parent/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.create_import_job), "__call__"
+    ) as call:
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(resources.ImportJob())
+
+        await client.create_import_job(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "parent=parent/value",) in kw["metadata"]
+
+
+def test_create_import_job_flattened():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.create_import_job), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.ImportJob()
+
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        client.create_import_job(
+            parent="parent_value",
+            import_job_id="import_job_id_value",
+            import_job=resources.ImportJob(name="name_value"),
+        )
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].parent == "parent_value"
+
+        assert args[0].import_job_id == "import_job_id_value"
+
+        assert args[0].import_job == resources.ImportJob(name="name_value")
+
+
+def test_create_import_job_flattened_error():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        client.create_import_job(
+            service.CreateImportJobRequest(),
+            parent="parent_value",
+            import_job_id="import_job_id_value",
+            import_job=resources.ImportJob(name="name_value"),
+        )
+
+
+@pytest.mark.asyncio
+async def test_create_import_job_flattened_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.create_import_job), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.ImportJob()
+
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(resources.ImportJob())
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        response = await client.create_import_job(
+            parent="parent_value",
+            import_job_id="import_job_id_value",
+            import_job=resources.ImportJob(name="name_value"),
+        )
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].parent == "parent_value"
+
+        assert args[0].import_job_id == "import_job_id_value"
+
+        assert args[0].import_job == resources.ImportJob(name="name_value")
+
+
+@pytest.mark.asyncio
+async def test_create_import_job_flattened_error_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        await client.create_import_job(
+            service.CreateImportJobRequest(),
+            parent="parent_value",
+            import_job_id="import_job_id_value",
+            import_job=resources.ImportJob(name="name_value"),
+        )
+
+
+def test_update_crypto_key(transport: str = "grpc"):
+    client = KeyManagementServiceClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.UpdateCryptoKeyRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.update_crypto_key), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.CryptoKey(
+            name="name_value",
+            purpose=resources.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT,
+            rotation_period=duration.Duration(seconds=751),
+        )
+
+        response = client.update_crypto_key(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, resources.CryptoKey)
+
+    assert response.name == "name_value"
+
+    assert response.purpose == resources.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
+
+
+@pytest.mark.asyncio
+async def test_update_crypto_key_async(transport: str = "grpc_asyncio"):
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.UpdateCryptoKeyRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.update_crypto_key), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            resources.CryptoKey(
+                name="name_value",
+                purpose=resources.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT,
+            )
+        )
+
+        response = await client.update_crypto_key(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, resources.CryptoKey)
+
+    assert response.name == "name_value"
+
+    assert response.purpose == resources.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
+
+
+def test_update_crypto_key_field_headers():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.UpdateCryptoKeyRequest()
+    request.crypto_key.name = "crypto_key.name/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.update_crypto_key), "__call__"
+    ) as call:
+        call.return_value = resources.CryptoKey()
+
+        client.update_crypto_key(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "crypto_key.name=crypto_key.name/value",) in kw[
+        "metadata"
+    ]
+
+
+@pytest.mark.asyncio
+async def test_update_crypto_key_field_headers_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.UpdateCryptoKeyRequest()
+    request.crypto_key.name = "crypto_key.name/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.update_crypto_key), "__call__"
+    ) as call:
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(resources.CryptoKey())
+
+        await client.update_crypto_key(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "crypto_key.name=crypto_key.name/value",) in kw[
+        "metadata"
+    ]
+
+
+def test_update_crypto_key_flattened():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.update_crypto_key), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.CryptoKey()
+
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        client.update_crypto_key(
+            crypto_key=resources.CryptoKey(name="name_value"),
+            update_mask=field_mask.FieldMask(paths=["paths_value"]),
+        )
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].crypto_key == resources.CryptoKey(name="name_value")
+
+        assert args[0].update_mask == field_mask.FieldMask(paths=["paths_value"])
+
+
+def test_update_crypto_key_flattened_error():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        client.update_crypto_key(
+            service.UpdateCryptoKeyRequest(),
+            crypto_key=resources.CryptoKey(name="name_value"),
+            update_mask=field_mask.FieldMask(paths=["paths_value"]),
+        )
+
+
+@pytest.mark.asyncio
+async def test_update_crypto_key_flattened_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.update_crypto_key), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.CryptoKey()
+
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(resources.CryptoKey())
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        response = await client.update_crypto_key(
+            crypto_key=resources.CryptoKey(name="name_value"),
+            update_mask=field_mask.FieldMask(paths=["paths_value"]),
+        )
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].crypto_key == resources.CryptoKey(name="name_value")
+
+        assert args[0].update_mask == field_mask.FieldMask(paths=["paths_value"])
+
+
+@pytest.mark.asyncio
+async def test_update_crypto_key_flattened_error_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        await client.update_crypto_key(
+            service.UpdateCryptoKeyRequest(),
+            crypto_key=resources.CryptoKey(name="name_value"),
+            update_mask=field_mask.FieldMask(paths=["paths_value"]),
+        )
+
+
+def test_update_crypto_key_version(transport: str = "grpc"):
+    client = KeyManagementServiceClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.UpdateCryptoKeyVersionRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.update_crypto_key_version), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.CryptoKeyVersion(
+            name="name_value",
+            state=resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION,
+            protection_level=resources.ProtectionLevel.SOFTWARE,
+            algorithm=resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION,
+            import_job="import_job_value",
+            import_failure_reason="import_failure_reason_value",
+        )
+
+        response = client.update_crypto_key_version(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, resources.CryptoKeyVersion)
+
+    assert response.name == "name_value"
+
+    assert (
+        response.state
+        == resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION
+    )
+
+    assert response.protection_level == resources.ProtectionLevel.SOFTWARE
+
+    assert (
+        response.algorithm
+        == resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION
+    )
+
+    assert response.import_job == "import_job_value"
+
+    assert response.import_failure_reason == "import_failure_reason_value"
+
+
+@pytest.mark.asyncio
+async def test_update_crypto_key_version_async(transport: str = "grpc_asyncio"):
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.UpdateCryptoKeyVersionRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.update_crypto_key_version), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            resources.CryptoKeyVersion(
+                name="name_value",
+                state=resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION,
+                protection_level=resources.ProtectionLevel.SOFTWARE,
+                algorithm=resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION,
+                import_job="import_job_value",
+                import_failure_reason="import_failure_reason_value",
+            )
+        )
+
+        response = await client.update_crypto_key_version(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, resources.CryptoKeyVersion)
+
+    assert response.name == "name_value"
+
+    assert (
+        response.state
+        == resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION
+    )
+
+    assert response.protection_level == resources.ProtectionLevel.SOFTWARE
+
+    assert (
+        response.algorithm
+        == resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION
+    )
+
+    assert response.import_job == "import_job_value"
+
+    assert response.import_failure_reason == "import_failure_reason_value"
+
+
+def test_update_crypto_key_version_field_headers():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.UpdateCryptoKeyVersionRequest()
+    request.crypto_key_version.name = "crypto_key_version.name/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.update_crypto_key_version), "__call__"
+    ) as call:
+        call.return_value = resources.CryptoKeyVersion()
+
+        client.update_crypto_key_version(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert (
+        "x-goog-request-params",
+        "crypto_key_version.name=crypto_key_version.name/value",
+    ) in kw["metadata"]
+
+
+@pytest.mark.asyncio
+async def test_update_crypto_key_version_field_headers_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.UpdateCryptoKeyVersionRequest()
+    request.crypto_key_version.name = "crypto_key_version.name/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.update_crypto_key_version), "__call__"
+    ) as call:
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            resources.CryptoKeyVersion()
+        )
+
+        await client.update_crypto_key_version(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert (
+        "x-goog-request-params",
+        "crypto_key_version.name=crypto_key_version.name/value",
+    ) in kw["metadata"]
+
+
+def test_update_crypto_key_version_flattened():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.update_crypto_key_version), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.CryptoKeyVersion()
+
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        client.update_crypto_key_version(
+            crypto_key_version=resources.CryptoKeyVersion(name="name_value"),
+            update_mask=field_mask.FieldMask(paths=["paths_value"]),
+        )
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].crypto_key_version == resources.CryptoKeyVersion(
+            name="name_value"
+        )
+
+        assert args[0].update_mask == field_mask.FieldMask(paths=["paths_value"])
+
+
+def test_update_crypto_key_version_flattened_error():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        client.update_crypto_key_version(
+            service.UpdateCryptoKeyVersionRequest(),
+            crypto_key_version=resources.CryptoKeyVersion(name="name_value"),
+            update_mask=field_mask.FieldMask(paths=["paths_value"]),
+        )
+
+
+@pytest.mark.asyncio
+async def test_update_crypto_key_version_flattened_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.update_crypto_key_version), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.CryptoKeyVersion()
+
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            resources.CryptoKeyVersion()
+        )
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        response = await client.update_crypto_key_version(
+            crypto_key_version=resources.CryptoKeyVersion(name="name_value"),
+            update_mask=field_mask.FieldMask(paths=["paths_value"]),
+        )
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].crypto_key_version == resources.CryptoKeyVersion(
+            name="name_value"
+        )
+
+        assert args[0].update_mask == field_mask.FieldMask(paths=["paths_value"])
+
+
+@pytest.mark.asyncio
+async def test_update_crypto_key_version_flattened_error_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        await client.update_crypto_key_version(
+            service.UpdateCryptoKeyVersionRequest(),
+            crypto_key_version=resources.CryptoKeyVersion(name="name_value"),
+            update_mask=field_mask.FieldMask(paths=["paths_value"]),
+        )
+
+
+def test_encrypt(transport: str = "grpc"):
+    client = KeyManagementServiceClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.EncryptRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._transport.encrypt), "__call__") as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = service.EncryptResponse(
+            name="name_value", ciphertext=b"ciphertext_blob",
+        )
+
+        response = client.encrypt(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, service.EncryptResponse)
+
+    assert response.name == "name_value"
+
+    assert response.ciphertext == b"ciphertext_blob"
+
+
+@pytest.mark.asyncio
+async def test_encrypt_async(transport: str = "grpc_asyncio"):
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.EncryptRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._client._transport.encrypt), "__call__") as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            service.EncryptResponse(name="name_value", ciphertext=b"ciphertext_blob",)
+        )
+
+        response = await client.encrypt(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, service.EncryptResponse)
+
+    assert response.name == "name_value"
+
+    assert response.ciphertext == b"ciphertext_blob"
+
+
+def test_encrypt_field_headers():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.EncryptRequest()
+    request.name = "name/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._transport.encrypt), "__call__") as call:
+        call.return_value = service.EncryptResponse()
+
+        client.encrypt(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "name=name/value",) in kw["metadata"]
+
+
+@pytest.mark.asyncio
+async def test_encrypt_field_headers_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.EncryptRequest()
+    request.name = "name/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._client._transport.encrypt), "__call__") as call:
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            service.EncryptResponse()
+        )
+
+        await client.encrypt(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "name=name/value",) in kw["metadata"]
+
+
+def test_encrypt_flattened():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._transport.encrypt), "__call__") as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = service.EncryptResponse()
+
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        client.encrypt(
+            name="name_value", plaintext=b"plaintext_blob",
+        )
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].name == "name_value"
+
+        assert args[0].plaintext == b"plaintext_blob"
+
+
+def test_encrypt_flattened_error():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        client.encrypt(
+            service.EncryptRequest(), name="name_value", plaintext=b"plaintext_blob",
+        )
+
+
+@pytest.mark.asyncio
+async def test_encrypt_flattened_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._client._transport.encrypt), "__call__") as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = service.EncryptResponse()
+
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            service.EncryptResponse()
+        )
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        response = await client.encrypt(name="name_value", plaintext=b"plaintext_blob",)
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].name == "name_value"
+
+        assert args[0].plaintext == b"plaintext_blob"
+
+
+@pytest.mark.asyncio
+async def test_encrypt_flattened_error_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        await client.encrypt(
+            service.EncryptRequest(), name="name_value", plaintext=b"plaintext_blob",
+        )
+
+
+def test_decrypt(transport: str = "grpc"):
+    client = KeyManagementServiceClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.DecryptRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._transport.decrypt), "__call__") as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = service.DecryptResponse(plaintext=b"plaintext_blob",)
+
+        response = client.decrypt(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, service.DecryptResponse)
+
+    assert response.plaintext == b"plaintext_blob"
+
+
+@pytest.mark.asyncio
+async def test_decrypt_async(transport: str = "grpc_asyncio"):
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.DecryptRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._client._transport.decrypt), "__call__") as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            service.DecryptResponse(plaintext=b"plaintext_blob",)
+        )
+
+        response = await client.decrypt(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, service.DecryptResponse)
+
+    assert response.plaintext == b"plaintext_blob"
+
+
+def test_decrypt_field_headers():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.DecryptRequest()
+    request.name = "name/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._transport.decrypt), "__call__") as call:
+        call.return_value = service.DecryptResponse()
+
+        client.decrypt(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "name=name/value",) in kw["metadata"]
+
+
+@pytest.mark.asyncio
+async def test_decrypt_field_headers_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.DecryptRequest()
+    request.name = "name/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._client._transport.decrypt), "__call__") as call:
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            service.DecryptResponse()
+        )
+
+        await client.decrypt(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "name=name/value",) in kw["metadata"]
+
+
+def test_decrypt_flattened():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._transport.decrypt), "__call__") as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = service.DecryptResponse()
+
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        client.decrypt(
+            name="name_value", ciphertext=b"ciphertext_blob",
+        )
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].name == "name_value"
+
+        assert args[0].ciphertext == b"ciphertext_blob"
+
+
+def test_decrypt_flattened_error():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        client.decrypt(
+            service.DecryptRequest(), name="name_value", ciphertext=b"ciphertext_blob",
+        )
+
+
+@pytest.mark.asyncio
+async def test_decrypt_flattened_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._client._transport.decrypt), "__call__") as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = service.DecryptResponse()
+
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            service.DecryptResponse()
+        )
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        response = await client.decrypt(
+            name="name_value", ciphertext=b"ciphertext_blob",
+        )
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].name == "name_value"
+
+        assert args[0].ciphertext == b"ciphertext_blob"
+
+
+@pytest.mark.asyncio
+async def test_decrypt_flattened_error_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        await client.decrypt(
+            service.DecryptRequest(), name="name_value", ciphertext=b"ciphertext_blob",
+        )
+
+
+def test_asymmetric_sign(transport: str = "grpc"):
+    client = KeyManagementServiceClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.AsymmetricSignRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._transport.asymmetric_sign), "__call__") as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = service.AsymmetricSignResponse(signature=b"signature_blob",)
+
+        response = client.asymmetric_sign(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, service.AsymmetricSignResponse)
+
+    assert response.signature == b"signature_blob"
+
+
+@pytest.mark.asyncio
+async def test_asymmetric_sign_async(transport: str = "grpc_asyncio"):
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.AsymmetricSignRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.asymmetric_sign), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            service.AsymmetricSignResponse(signature=b"signature_blob",)
+        )
+
+        response = await client.asymmetric_sign(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, service.AsymmetricSignResponse)
+
+    assert response.signature == b"signature_blob"
+
+
+def test_asymmetric_sign_field_headers():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.AsymmetricSignRequest()
+    request.name = "name/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._transport.asymmetric_sign), "__call__") as call:
+        call.return_value = service.AsymmetricSignResponse()
+
+        client.asymmetric_sign(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "name=name/value",) in kw["metadata"]
+
+
+@pytest.mark.asyncio
+async def test_asymmetric_sign_field_headers_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.AsymmetricSignRequest()
+    request.name = "name/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.asymmetric_sign), "__call__"
+    ) as call:
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            service.AsymmetricSignResponse()
+        )
+
+        await client.asymmetric_sign(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "name=name/value",) in kw["metadata"]
+
+
+def test_asymmetric_sign_flattened():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._transport.asymmetric_sign), "__call__") as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = service.AsymmetricSignResponse()
+
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        client.asymmetric_sign(
+            name="name_value", digest=service.Digest(sha256=b"sha256_blob"),
+        )
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].name == "name_value"
+
+        assert args[0].digest == service.Digest(sha256=b"sha256_blob")
+
+
+def test_asymmetric_sign_flattened_error():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        client.asymmetric_sign(
+            service.AsymmetricSignRequest(),
+            name="name_value",
+            digest=service.Digest(sha256=b"sha256_blob"),
+        )
+
+
+@pytest.mark.asyncio
+async def test_asymmetric_sign_flattened_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.asymmetric_sign), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = service.AsymmetricSignResponse()
+
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            service.AsymmetricSignResponse()
+        )
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        response = await client.asymmetric_sign(
+            name="name_value", digest=service.Digest(sha256=b"sha256_blob"),
+        )
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].name == "name_value"
+
+        assert args[0].digest == service.Digest(sha256=b"sha256_blob")
+
+
+@pytest.mark.asyncio
+async def test_asymmetric_sign_flattened_error_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        await client.asymmetric_sign(
+            service.AsymmetricSignRequest(),
+            name="name_value",
+            digest=service.Digest(sha256=b"sha256_blob"),
+        )
+
+
+def test_asymmetric_decrypt(transport: str = "grpc"):
+    client = KeyManagementServiceClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.AsymmetricDecryptRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.asymmetric_decrypt), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = service.AsymmetricDecryptResponse(
+            plaintext=b"plaintext_blob",
+        )
+
+        response = client.asymmetric_decrypt(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, service.AsymmetricDecryptResponse)
+
+    assert response.plaintext == b"plaintext_blob"
+
+
+@pytest.mark.asyncio
+async def test_asymmetric_decrypt_async(transport: str = "grpc_asyncio"):
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.AsymmetricDecryptRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.asymmetric_decrypt), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            service.AsymmetricDecryptResponse(plaintext=b"plaintext_blob",)
+        )
+
+        response = await client.asymmetric_decrypt(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, service.AsymmetricDecryptResponse)
+
+    assert response.plaintext == b"plaintext_blob"
+
+
+def test_asymmetric_decrypt_field_headers():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.AsymmetricDecryptRequest()
+    request.name = "name/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.asymmetric_decrypt), "__call__"
+    ) as call:
+        call.return_value = service.AsymmetricDecryptResponse()
+
+        client.asymmetric_decrypt(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "name=name/value",) in kw["metadata"]
+
+
+@pytest.mark.asyncio
+async def test_asymmetric_decrypt_field_headers_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.AsymmetricDecryptRequest()
+    request.name = "name/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.asymmetric_decrypt), "__call__"
+    ) as call:
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            service.AsymmetricDecryptResponse()
+        )
+
+        await client.asymmetric_decrypt(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "name=name/value",) in kw["metadata"]
+
+
+def test_asymmetric_decrypt_flattened():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.asymmetric_decrypt), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = service.AsymmetricDecryptResponse()
+
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        client.asymmetric_decrypt(
+            name="name_value", ciphertext=b"ciphertext_blob",
+        )
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].name == "name_value"
+
+        assert args[0].ciphertext == b"ciphertext_blob"
+
+
+def test_asymmetric_decrypt_flattened_error():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        client.asymmetric_decrypt(
+            service.AsymmetricDecryptRequest(),
+            name="name_value",
+            ciphertext=b"ciphertext_blob",
+        )
+
+
+@pytest.mark.asyncio
+async def test_asymmetric_decrypt_flattened_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.asymmetric_decrypt), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = service.AsymmetricDecryptResponse()
+
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            service.AsymmetricDecryptResponse()
+        )
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        response = await client.asymmetric_decrypt(
+            name="name_value", ciphertext=b"ciphertext_blob",
+        )
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].name == "name_value"
+
+        assert args[0].ciphertext == b"ciphertext_blob"
+
+
+@pytest.mark.asyncio
+async def test_asymmetric_decrypt_flattened_error_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        await client.asymmetric_decrypt(
+            service.AsymmetricDecryptRequest(),
+            name="name_value",
+            ciphertext=b"ciphertext_blob",
+        )
+
+
+def test_update_crypto_key_primary_version(transport: str = "grpc"):
+    client = KeyManagementServiceClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.UpdateCryptoKeyPrimaryVersionRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.update_crypto_key_primary_version), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.CryptoKey(
+            name="name_value",
+            purpose=resources.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT,
+            rotation_period=duration.Duration(seconds=751),
+        )
+
+        response = client.update_crypto_key_primary_version(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, resources.CryptoKey)
+
+    assert response.name == "name_value"
+
+    assert response.purpose == resources.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
+
+
+@pytest.mark.asyncio
+async def test_update_crypto_key_primary_version_async(transport: str = "grpc_asyncio"):
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.UpdateCryptoKeyPrimaryVersionRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.update_crypto_key_primary_version), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            resources.CryptoKey(
+                name="name_value",
+                purpose=resources.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT,
+            )
+        )
+
+        response = await client.update_crypto_key_primary_version(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, resources.CryptoKey)
+
+    assert response.name == "name_value"
+
+    assert response.purpose == resources.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
+
+
+def test_update_crypto_key_primary_version_field_headers():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.UpdateCryptoKeyPrimaryVersionRequest()
+    request.name = "name/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.update_crypto_key_primary_version), "__call__"
+    ) as call:
+        call.return_value = resources.CryptoKey()
+
+        client.update_crypto_key_primary_version(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "name=name/value",) in kw["metadata"]
+
+
+@pytest.mark.asyncio
+async def test_update_crypto_key_primary_version_field_headers_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.UpdateCryptoKeyPrimaryVersionRequest()
+    request.name = "name/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.update_crypto_key_primary_version), "__call__"
+    ) as call:
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(resources.CryptoKey())
+
+        await client.update_crypto_key_primary_version(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "name=name/value",) in kw["metadata"]
+
+
+def test_update_crypto_key_primary_version_flattened():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.update_crypto_key_primary_version), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.CryptoKey()
+
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        client.update_crypto_key_primary_version(
+            name="name_value", crypto_key_version_id="crypto_key_version_id_value",
+        )
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].name == "name_value"
+
+        assert args[0].crypto_key_version_id == "crypto_key_version_id_value"
+
+
+def test_update_crypto_key_primary_version_flattened_error():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        client.update_crypto_key_primary_version(
+            service.UpdateCryptoKeyPrimaryVersionRequest(),
+            name="name_value",
+            crypto_key_version_id="crypto_key_version_id_value",
+        )
+
+
+@pytest.mark.asyncio
+async def test_update_crypto_key_primary_version_flattened_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.update_crypto_key_primary_version), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.CryptoKey()
+
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(resources.CryptoKey())
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        response = await client.update_crypto_key_primary_version(
+            name="name_value", crypto_key_version_id="crypto_key_version_id_value",
+        )
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].name == "name_value"
+
+        assert args[0].crypto_key_version_id == "crypto_key_version_id_value"
+
+
+@pytest.mark.asyncio
+async def test_update_crypto_key_primary_version_flattened_error_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        await client.update_crypto_key_primary_version(
+            service.UpdateCryptoKeyPrimaryVersionRequest(),
+            name="name_value",
+            crypto_key_version_id="crypto_key_version_id_value",
+        )
+
+
+def test_destroy_crypto_key_version(transport: str = "grpc"):
+    client = KeyManagementServiceClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.DestroyCryptoKeyVersionRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.destroy_crypto_key_version), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.CryptoKeyVersion(
+            name="name_value",
+            state=resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION,
+            protection_level=resources.ProtectionLevel.SOFTWARE,
+            algorithm=resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION,
+            import_job="import_job_value",
+            import_failure_reason="import_failure_reason_value",
+        )
+
+        response = client.destroy_crypto_key_version(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, resources.CryptoKeyVersion)
+
+    assert response.name == "name_value"
+
+    assert (
+        response.state
+        == resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION
+    )
+
+    assert response.protection_level == resources.ProtectionLevel.SOFTWARE
+
+    assert (
+        response.algorithm
+        == resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION
+    )
+
+    assert response.import_job == "import_job_value"
+
+    assert response.import_failure_reason == "import_failure_reason_value"
+
+
+@pytest.mark.asyncio
+async def test_destroy_crypto_key_version_async(transport: str = "grpc_asyncio"):
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.DestroyCryptoKeyVersionRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.destroy_crypto_key_version), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            resources.CryptoKeyVersion(
+                name="name_value",
+                state=resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION,
+                protection_level=resources.ProtectionLevel.SOFTWARE,
+                algorithm=resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION,
+                import_job="import_job_value",
+                import_failure_reason="import_failure_reason_value",
+            )
+        )
+
+        response = await client.destroy_crypto_key_version(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, resources.CryptoKeyVersion)
+
+    assert response.name == "name_value"
+
+    assert (
+        response.state
+        == resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION
+    )
+
+    assert response.protection_level == resources.ProtectionLevel.SOFTWARE
+
+    assert (
+        response.algorithm
+        == resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION
+    )
+
+    assert response.import_job == "import_job_value"
+
+    assert response.import_failure_reason == "import_failure_reason_value"
+
+
+def test_destroy_crypto_key_version_field_headers():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.DestroyCryptoKeyVersionRequest()
+    request.name = "name/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.destroy_crypto_key_version), "__call__"
+    ) as call:
+        call.return_value = resources.CryptoKeyVersion()
+
+        client.destroy_crypto_key_version(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "name=name/value",) in kw["metadata"]
+
+
+@pytest.mark.asyncio
+async def test_destroy_crypto_key_version_field_headers_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.DestroyCryptoKeyVersionRequest()
+    request.name = "name/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.destroy_crypto_key_version), "__call__"
+    ) as call:
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            resources.CryptoKeyVersion()
+        )
+
+        await client.destroy_crypto_key_version(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "name=name/value",) in kw["metadata"]
+
+
+def test_destroy_crypto_key_version_flattened():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.destroy_crypto_key_version), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.CryptoKeyVersion()
+
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        client.destroy_crypto_key_version(name="name_value",)
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].name == "name_value"
+
+
+def test_destroy_crypto_key_version_flattened_error():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        client.destroy_crypto_key_version(
+            service.DestroyCryptoKeyVersionRequest(), name="name_value",
+        )
+
+
+@pytest.mark.asyncio
+async def test_destroy_crypto_key_version_flattened_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.destroy_crypto_key_version), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.CryptoKeyVersion()
+
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            resources.CryptoKeyVersion()
+        )
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        response = await client.destroy_crypto_key_version(name="name_value",)
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].name == "name_value"
+
+
+@pytest.mark.asyncio
+async def test_destroy_crypto_key_version_flattened_error_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        await client.destroy_crypto_key_version(
+            service.DestroyCryptoKeyVersionRequest(), name="name_value",
+        )
+
+
+def test_restore_crypto_key_version(transport: str = "grpc"):
+    client = KeyManagementServiceClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.RestoreCryptoKeyVersionRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.restore_crypto_key_version), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.CryptoKeyVersion(
+            name="name_value",
+            state=resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION,
+            protection_level=resources.ProtectionLevel.SOFTWARE,
+            algorithm=resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION,
+            import_job="import_job_value",
+            import_failure_reason="import_failure_reason_value",
+        )
+
+        response = client.restore_crypto_key_version(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, resources.CryptoKeyVersion)
+
+    assert response.name == "name_value"
+
+    assert (
+        response.state
+        == resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION
+    )
+
+    assert response.protection_level == resources.ProtectionLevel.SOFTWARE
+
+    assert (
+        response.algorithm
+        == resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION
+    )
+
+    assert response.import_job == "import_job_value"
+
+    assert response.import_failure_reason == "import_failure_reason_value"
+
+
+@pytest.mark.asyncio
+async def test_restore_crypto_key_version_async(transport: str = "grpc_asyncio"):
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = service.RestoreCryptoKeyVersionRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.restore_crypto_key_version), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            resources.CryptoKeyVersion(
+                name="name_value",
+                state=resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION,
+                protection_level=resources.ProtectionLevel.SOFTWARE,
+                algorithm=resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION,
+                import_job="import_job_value",
+                import_failure_reason="import_failure_reason_value",
+            )
+        )
+
+        response = await client.restore_crypto_key_version(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, resources.CryptoKeyVersion)
+
+    assert response.name == "name_value"
+
+    assert (
+        response.state
+        == resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION
+    )
+
+    assert response.protection_level == resources.ProtectionLevel.SOFTWARE
+
+    assert (
+        response.algorithm
+        == resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION
+    )
+
+    assert response.import_job == "import_job_value"
+
+    assert response.import_failure_reason == "import_failure_reason_value"
+
+
+def test_restore_crypto_key_version_field_headers():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.RestoreCryptoKeyVersionRequest()
+    request.name = "name/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.restore_crypto_key_version), "__call__"
+    ) as call:
+        call.return_value = resources.CryptoKeyVersion()
+
+        client.restore_crypto_key_version(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "name=name/value",) in kw["metadata"]
+
+
+@pytest.mark.asyncio
+async def test_restore_crypto_key_version_field_headers_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = service.RestoreCryptoKeyVersionRequest()
+    request.name = "name/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.restore_crypto_key_version), "__call__"
+    ) as call:
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            resources.CryptoKeyVersion()
+        )
+
+        await client.restore_crypto_key_version(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "name=name/value",) in kw["metadata"]
+
+
+def test_restore_crypto_key_version_flattened():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.restore_crypto_key_version), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.CryptoKeyVersion()
+
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        client.restore_crypto_key_version(name="name_value",)
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].name == "name_value"
+
+
+def test_restore_crypto_key_version_flattened_error():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        client.restore_crypto_key_version(
+            service.RestoreCryptoKeyVersionRequest(), name="name_value",
+        )
+
+
+@pytest.mark.asyncio
+async def test_restore_crypto_key_version_flattened_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.restore_crypto_key_version), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = resources.CryptoKeyVersion()
+
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            resources.CryptoKeyVersion()
+        )
+        # Call the method with a truthy value for each flattened field,
+        # using the keyword arguments to the method.
+        response = await client.restore_crypto_key_version(name="name_value",)
+
+        # Establish that the underlying call was made with the expected
+        # request object values.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0].name == "name_value"
+
+
+@pytest.mark.asyncio
+async def test_restore_crypto_key_version_flattened_error_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Attempting to call a method with both a request object and flattened
+    # fields is an error.
+    with pytest.raises(ValueError):
+        await client.restore_crypto_key_version(
+            service.RestoreCryptoKeyVersionRequest(), name="name_value",
+        )
+
+
+def test_credentials_transport_error():
+    # It is an error to provide credentials and a transport instance.
+    transport = transports.KeyManagementServiceGrpcTransport(
+        credentials=credentials.AnonymousCredentials(),
+    )
+    with pytest.raises(ValueError):
+        client = KeyManagementServiceClient(
+            credentials=credentials.AnonymousCredentials(), transport=transport,
+        )
+
+    # It is an error to provide a credentials file and a transport instance.
+    transport = transports.KeyManagementServiceGrpcTransport(
+        credentials=credentials.AnonymousCredentials(),
+    )
+    with pytest.raises(ValueError):
+        client = KeyManagementServiceClient(
+            client_options={"credentials_file": "credentials.json"},
+            transport=transport,
+        )
+
+    # It is an error to provide scopes and a transport instance.
+    transport = transports.KeyManagementServiceGrpcTransport(
+        credentials=credentials.AnonymousCredentials(),
+    )
+    with pytest.raises(ValueError):
+        client = KeyManagementServiceClient(
+            client_options={"scopes": ["1", "2"]}, transport=transport,
+        )
+
+
+def test_transport_instance():
+    # A client may be instantiated with a custom transport instance.
+    transport = transports.KeyManagementServiceGrpcTransport(
+        credentials=credentials.AnonymousCredentials(),
+    )
+    client = KeyManagementServiceClient(transport=transport)
+    assert client._transport is transport
+
+
+def test_transport_get_channel():
+    # A client may be instantiated with a custom transport instance.
+    transport = transports.KeyManagementServiceGrpcTransport(
+        credentials=credentials.AnonymousCredentials(),
+    )
+    channel = transport.grpc_channel
+    assert channel
+
+    transport = transports.KeyManagementServiceGrpcAsyncIOTransport(
+        credentials=credentials.AnonymousCredentials(),
+    )
+    channel = transport.grpc_channel
+    assert channel
+
+
+def test_transport_grpc_default():
+    # A client should use the gRPC transport by default.
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+    assert isinstance(client._transport, transports.KeyManagementServiceGrpcTransport,)
+
+
+def test_key_management_service_base_transport_error():
+    # Passing both a credentials object and credentials_file should raise an error
+    with pytest.raises(exceptions.DuplicateCredentialArgs):
+        transport = transports.KeyManagementServiceTransport(
+            credentials=credentials.AnonymousCredentials(),
+            credentials_file="credentials.json",
+        )
+
+
+def test_key_management_service_base_transport():
+    # Instantiate the base transport.
+    with mock.patch(
+        "google.cloud.kms_v1.services.key_management_service.transports.KeyManagementServiceTransport.__init__"
+    ) as Transport:
+        Transport.return_value = None
+        transport = transports.KeyManagementServiceTransport(
+            credentials=credentials.AnonymousCredentials(),
+        )
+
+    # Every method on the transport should just blindly
+    # raise NotImplementedError.
+    methods = (
+        "list_key_rings",
+        "list_crypto_keys",
+        "list_crypto_key_versions",
+        "list_import_jobs",
+        "get_key_ring",
+        "get_crypto_key",
+        "get_crypto_key_version",
+        "get_public_key",
+        "get_import_job",
+        "create_key_ring",
+        "create_crypto_key",
+        "create_crypto_key_version",
+        "import_crypto_key_version",
+        "create_import_job",
+        "update_crypto_key",
+        "update_crypto_key_version",
+        "encrypt",
+        "decrypt",
+        "asymmetric_sign",
+        "asymmetric_decrypt",
+        "update_crypto_key_primary_version",
+        "destroy_crypto_key_version",
+        "restore_crypto_key_version",
+        "set_iam_policy",
+        "get_iam_policy",
+        "test_iam_permissions",
+    )
+    for method in methods:
+        with pytest.raises(NotImplementedError):
+            getattr(transport, method)(request=object())
+
+
+def test_key_management_service_base_transport_with_credentials_file():
+    # Instantiate the base transport with a credentials file
+    with mock.patch.object(
+        auth, "load_credentials_from_file"
+    ) as load_creds, mock.patch(
+        "google.cloud.kms_v1.services.key_management_service.transports.KeyManagementServiceTransport._prep_wrapped_messages"
+    ) as Transport:
+        Transport.return_value = None
+        load_creds.return_value = (credentials.AnonymousCredentials(), None)
+        transport = transports.KeyManagementServiceTransport(
+            credentials_file="credentials.json", quota_project_id="octopus",
+        )
+        load_creds.assert_called_once_with(
+            "credentials.json",
+            scopes=(
+                "https://www.googleapis.com/auth/cloud-platform",
+                "https://www.googleapis.com/auth/cloudkms",
+            ),
+            quota_project_id="octopus",
+        )
+
+
+def test_key_management_service_auth_adc():
+    # If no credentials are provided, we should use ADC credentials.
+    with mock.patch.object(auth, "default") as adc:
+        adc.return_value = (credentials.AnonymousCredentials(), None)
+        KeyManagementServiceClient()
+        adc.assert_called_once_with(
+            scopes=(
+                "https://www.googleapis.com/auth/cloud-platform",
+                "https://www.googleapis.com/auth/cloudkms",
+            ),
+            quota_project_id=None,
+        )
+
+
+def test_key_management_service_transport_auth_adc():
+    # If credentials and host are not provided, the transport class should use
+    # ADC credentials.
+    with mock.patch.object(auth, "default") as adc:
+        adc.return_value = (credentials.AnonymousCredentials(), None)
+        transports.KeyManagementServiceGrpcTransport(
+            host="squid.clam.whelk", quota_project_id="octopus"
+        )
+        adc.assert_called_once_with(
+            scopes=(
+                "https://www.googleapis.com/auth/cloud-platform",
+                "https://www.googleapis.com/auth/cloudkms",
+            ),
+            quota_project_id="octopus",
+        )
+
+
+def test_key_management_service_host_no_port():
+    client = KeyManagementServiceClient(
+        credentials=credentials.AnonymousCredentials(),
+        client_options=client_options.ClientOptions(
+            api_endpoint="cloudkms.googleapis.com"
+        ),
+    )
+    assert client._transport._host == "cloudkms.googleapis.com:443"
+
+
+def test_key_management_service_host_with_port():
+    client = KeyManagementServiceClient(
+        credentials=credentials.AnonymousCredentials(),
+        client_options=client_options.ClientOptions(
+            api_endpoint="cloudkms.googleapis.com:8000"
+        ),
+    )
+    assert client._transport._host == "cloudkms.googleapis.com:8000"
+
+
+def test_key_management_service_grpc_transport_channel():
+    channel = grpc.insecure_channel("http://localhost/")
+
+    # Check that if channel is provided, mtls endpoint and client_cert_source
+    # won't be used.
+    callback = mock.MagicMock()
+    transport = transports.KeyManagementServiceGrpcTransport(
+        host="squid.clam.whelk",
+        channel=channel,
+        api_mtls_endpoint="mtls.squid.clam.whelk",
+        client_cert_source=callback,
+    )
+    assert transport.grpc_channel == channel
+    assert transport._host == "squid.clam.whelk:443"
+    assert not callback.called
+
+
+def test_key_management_service_grpc_asyncio_transport_channel():
+    channel = aio.insecure_channel("http://localhost/")
+
+    # Check that if channel is provided, mtls endpoint and client_cert_source
+    # won't be used.
+    callback = mock.MagicMock()
+    transport = transports.KeyManagementServiceGrpcAsyncIOTransport(
+        host="squid.clam.whelk",
+        channel=channel,
+        api_mtls_endpoint="mtls.squid.clam.whelk",
+        client_cert_source=callback,
+    )
+    assert transport.grpc_channel == channel
+    assert transport._host == "squid.clam.whelk:443"
+    assert not callback.called
+
+
+@mock.patch("grpc.ssl_channel_credentials", autospec=True)
+@mock.patch("google.api_core.grpc_helpers.create_channel", autospec=True)
+def test_key_management_service_grpc_transport_channel_mtls_with_client_cert_source(
+    grpc_create_channel, grpc_ssl_channel_cred
+):
+    # Check that if channel is None, but api_mtls_endpoint and client_cert_source
+    # are provided, then a mTLS channel will be created.
+    mock_cred = mock.Mock()
+
+    mock_ssl_cred = mock.Mock()
+    grpc_ssl_channel_cred.return_value = mock_ssl_cred
+
+    mock_grpc_channel = mock.Mock()
+    grpc_create_channel.return_value = mock_grpc_channel
+
+    transport = transports.KeyManagementServiceGrpcTransport(
+        host="squid.clam.whelk",
+        credentials=mock_cred,
+        api_mtls_endpoint="mtls.squid.clam.whelk",
+        client_cert_source=client_cert_source_callback,
+    )
+    grpc_ssl_channel_cred.assert_called_once_with(
+        certificate_chain=b"cert bytes", private_key=b"key bytes"
+    )
+    grpc_create_channel.assert_called_once_with(
+        "mtls.squid.clam.whelk:443",
+        credentials=mock_cred,
+        credentials_file=None,
+        scopes=(
+            "https://www.googleapis.com/auth/cloud-platform",
+            "https://www.googleapis.com/auth/cloudkms",
+        ),
+        ssl_credentials=mock_ssl_cred,
+        quota_project_id=None,
+    )
+    assert transport.grpc_channel == mock_grpc_channel
+
+
+@mock.patch("grpc.ssl_channel_credentials", autospec=True)
+@mock.patch("google.api_core.grpc_helpers_async.create_channel", autospec=True)
+def test_key_management_service_grpc_asyncio_transport_channel_mtls_with_client_cert_source(
+    grpc_create_channel, grpc_ssl_channel_cred
+):
+    # Check that if channel is None, but api_mtls_endpoint and client_cert_source
+    # are provided, then a mTLS channel will be created.
+    mock_cred = mock.Mock()
+
+    mock_ssl_cred = mock.Mock()
+    grpc_ssl_channel_cred.return_value = mock_ssl_cred
+
+    mock_grpc_channel = mock.Mock()
+    grpc_create_channel.return_value = mock_grpc_channel
+
+    transport = transports.KeyManagementServiceGrpcAsyncIOTransport(
+        host="squid.clam.whelk",
+        credentials=mock_cred,
+        api_mtls_endpoint="mtls.squid.clam.whelk",
+        client_cert_source=client_cert_source_callback,
+    )
+    grpc_ssl_channel_cred.assert_called_once_with(
+        certificate_chain=b"cert bytes", private_key=b"key bytes"
+    )
+    grpc_create_channel.assert_called_once_with(
+        "mtls.squid.clam.whelk:443",
+        credentials=mock_cred,
+        credentials_file=None,
+        scopes=(
+            "https://www.googleapis.com/auth/cloud-platform",
+            "https://www.googleapis.com/auth/cloudkms",
+        ),
+        ssl_credentials=mock_ssl_cred,
+        quota_project_id=None,
+    )
+    assert transport.grpc_channel == mock_grpc_channel
+
+
+@pytest.mark.parametrize(
+    "api_mtls_endpoint", ["mtls.squid.clam.whelk", "mtls.squid.clam.whelk:443"]
+)
+@mock.patch("google.api_core.grpc_helpers.create_channel", autospec=True)
+def test_key_management_service_grpc_transport_channel_mtls_with_adc(
+    grpc_create_channel, api_mtls_endpoint
+):
+    # Check that if channel and client_cert_source are None, but api_mtls_endpoint
+    # is provided, then a mTLS channel will be created with SSL ADC.
+    mock_grpc_channel = mock.Mock()
+    grpc_create_channel.return_value = mock_grpc_channel
+
+    # Mock google.auth.transport.grpc.SslCredentials class.
+    mock_ssl_cred = mock.Mock()
+    with mock.patch.multiple(
+        "google.auth.transport.grpc.SslCredentials",
+        __init__=mock.Mock(return_value=None),
+        ssl_credentials=mock.PropertyMock(return_value=mock_ssl_cred),
+    ):
+        mock_cred = mock.Mock()
+        transport = transports.KeyManagementServiceGrpcTransport(
+            host="squid.clam.whelk",
+            credentials=mock_cred,
+            api_mtls_endpoint=api_mtls_endpoint,
+            client_cert_source=None,
+        )
+        grpc_create_channel.assert_called_once_with(
+            "mtls.squid.clam.whelk:443",
+            credentials=mock_cred,
+            credentials_file=None,
+            scopes=(
+                "https://www.googleapis.com/auth/cloud-platform",
+                "https://www.googleapis.com/auth/cloudkms",
+            ),
+            ssl_credentials=mock_ssl_cred,
+            quota_project_id=None,
+        )
+        assert transport.grpc_channel == mock_grpc_channel
+
+
+@pytest.mark.parametrize(
+    "api_mtls_endpoint", ["mtls.squid.clam.whelk", "mtls.squid.clam.whelk:443"]
+)
+@mock.patch("google.api_core.grpc_helpers_async.create_channel", autospec=True)
+def test_key_management_service_grpc_asyncio_transport_channel_mtls_with_adc(
+    grpc_create_channel, api_mtls_endpoint
+):
+    # Check that if channel and client_cert_source are None, but api_mtls_endpoint
+    # is provided, then a mTLS channel will be created with SSL ADC.
+    mock_grpc_channel = mock.Mock()
+    grpc_create_channel.return_value = mock_grpc_channel
+
+    # Mock google.auth.transport.grpc.SslCredentials class.
+    mock_ssl_cred = mock.Mock()
+    with mock.patch.multiple(
+        "google.auth.transport.grpc.SslCredentials",
+        __init__=mock.Mock(return_value=None),
+        ssl_credentials=mock.PropertyMock(return_value=mock_ssl_cred),
+    ):
+        mock_cred = mock.Mock()
+        transport = transports.KeyManagementServiceGrpcAsyncIOTransport(
+            host="squid.clam.whelk",
+            credentials=mock_cred,
+            api_mtls_endpoint=api_mtls_endpoint,
+            client_cert_source=None,
+        )
+        grpc_create_channel.assert_called_once_with(
+            "mtls.squid.clam.whelk:443",
+            credentials=mock_cred,
+            credentials_file=None,
+            scopes=(
+                "https://www.googleapis.com/auth/cloud-platform",
+                "https://www.googleapis.com/auth/cloudkms",
+            ),
+            ssl_credentials=mock_ssl_cred,
+            quota_project_id=None,
+        )
+        assert transport.grpc_channel == mock_grpc_channel
+
+
+def test_crypto_key_version_path():
+    project = "squid"
+    location = "clam"
+    key_ring = "whelk"
+    crypto_key = "octopus"
+    crypto_key_version = "oyster"
+
+    expected = "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}/cryptoKeyVersions/{crypto_key_version}".format(
+        project=project,
+        location=location,
+        key_ring=key_ring,
+        crypto_key=crypto_key,
+        crypto_key_version=crypto_key_version,
+    )
+    actual = KeyManagementServiceClient.crypto_key_version_path(
+        project, location, key_ring, crypto_key, crypto_key_version
+    )
+    assert expected == actual
+
+
+def test_parse_crypto_key_version_path():
+    expected = {
+        "project": "nudibranch",
+        "location": "cuttlefish",
+        "key_ring": "mussel",
+        "crypto_key": "winkle",
+        "crypto_key_version": "nautilus",
+    }
+    path = KeyManagementServiceClient.crypto_key_version_path(**expected)
+
+    # Check that the path construction is reversible.
+    actual = KeyManagementServiceClient.parse_crypto_key_version_path(path)
+    assert expected == actual
+
+
+def test_key_ring_path():
+    project = "squid"
+    location = "clam"
+    key_ring = "whelk"
+
+    expected = "projects/{project}/locations/{location}/keyRings/{key_ring}".format(
+        project=project, location=location, key_ring=key_ring,
+    )
+    actual = KeyManagementServiceClient.key_ring_path(project, location, key_ring)
+    assert expected == actual
+
+
+def test_parse_key_ring_path():
+    expected = {
+        "project": "octopus",
+        "location": "oyster",
+        "key_ring": "nudibranch",
+    }
+    path = KeyManagementServiceClient.key_ring_path(**expected)
+
+    # Check that the path construction is reversible.
+    actual = KeyManagementServiceClient.parse_key_ring_path(path)
+    assert expected == actual
+
+
+def test_crypto_key_path():
+    project = "squid"
+    location = "clam"
+    key_ring = "whelk"
+    crypto_key = "octopus"
+
+    expected = "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}".format(
+        project=project, location=location, key_ring=key_ring, crypto_key=crypto_key,
+    )
+    actual = KeyManagementServiceClient.crypto_key_path(
+        project, location, key_ring, crypto_key
+    )
+    assert expected == actual
+
+
+def test_parse_crypto_key_path():
+    expected = {
+        "project": "oyster",
+        "location": "nudibranch",
+        "key_ring": "cuttlefish",
+        "crypto_key": "mussel",
+    }
+    path = KeyManagementServiceClient.crypto_key_path(**expected)
+
+    # Check that the path construction is reversible.
+    actual = KeyManagementServiceClient.parse_crypto_key_path(path)
+    assert expected == actual
+
+
+def test_import_job_path():
+    project = "squid"
+    location = "clam"
+    key_ring = "whelk"
+    import_job = "octopus"
+
+    expected = "projects/{project}/locations/{location}/keyRings/{key_ring}/importJobs/{import_job}".format(
+        project=project, location=location, key_ring=key_ring, import_job=import_job,
+    )
+    actual = KeyManagementServiceClient.import_job_path(
+        project, location, key_ring, import_job
+    )
+    assert expected == actual
+
+
+def test_parse_import_job_path():
+    expected = {
+        "project": "oyster",
+        "location": "nudibranch",
+        "key_ring": "cuttlefish",
+        "import_job": "mussel",
+    }
+    path = KeyManagementServiceClient.import_job_path(**expected)
+
+    # Check that the path construction is reversible.
+    actual = KeyManagementServiceClient.parse_import_job_path(path)
+    assert expected == actual
+
+
+def test_set_iam_policy(transport: str = "grpc"):
+    client = KeyManagementServiceClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = iam_policy.SetIamPolicyRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._transport.set_iam_policy), "__call__") as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = policy.Policy(version=774, etag=b"etag_blob",)
+
+        response = client.set_iam_policy(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, policy.Policy)
+
+    assert response.version == 774
+
+    assert response.etag == b"etag_blob"
+
+
+@pytest.mark.asyncio
+async def test_set_iam_policy_async(transport: str = "grpc_asyncio"):
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = iam_policy.SetIamPolicyRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.set_iam_policy), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            policy.Policy(version=774, etag=b"etag_blob",)
+        )
+
+        response = await client.set_iam_policy(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, policy.Policy)
+
+    assert response.version == 774
+
+    assert response.etag == b"etag_blob"
+
+
+def test_set_iam_policy_field_headers():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = iam_policy.SetIamPolicyRequest()
+    request.resource = "resource/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._transport.set_iam_policy), "__call__") as call:
+        call.return_value = policy.Policy()
+
+        client.set_iam_policy(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "resource=resource/value",) in kw["metadata"]
+
+
+@pytest.mark.asyncio
+async def test_set_iam_policy_field_headers_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = iam_policy.SetIamPolicyRequest()
+    request.resource = "resource/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.set_iam_policy), "__call__"
+    ) as call:
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(policy.Policy())
+
+        await client.set_iam_policy(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "resource=resource/value",) in kw["metadata"]
+
+
+def test_set_iam_policy_from_dict():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._transport.set_iam_policy), "__call__") as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = policy.Policy()
+
+        response = client.set_iam_policy(
+            request={
+                "resource": "resource_value",
+                "policy": policy.Policy(version=774),
+            }
+        )
+        call.assert_called()
+
+
+def test_get_iam_policy(transport: str = "grpc"):
+    client = KeyManagementServiceClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = iam_policy.GetIamPolicyRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._transport.get_iam_policy), "__call__") as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = policy.Policy(version=774, etag=b"etag_blob",)
+
+        response = client.get_iam_policy(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, policy.Policy)
+
+    assert response.version == 774
+
+    assert response.etag == b"etag_blob"
+
+
+@pytest.mark.asyncio
+async def test_get_iam_policy_async(transport: str = "grpc_asyncio"):
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = iam_policy.GetIamPolicyRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.get_iam_policy), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            policy.Policy(version=774, etag=b"etag_blob",)
+        )
+
+        response = await client.get_iam_policy(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, policy.Policy)
+
+    assert response.version == 774
+
+    assert response.etag == b"etag_blob"
+
+
+def test_get_iam_policy_field_headers():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = iam_policy.GetIamPolicyRequest()
+    request.resource = "resource/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._transport.get_iam_policy), "__call__") as call:
+        call.return_value = policy.Policy()
+
+        client.get_iam_policy(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "resource=resource/value",) in kw["metadata"]
+
+
+@pytest.mark.asyncio
+async def test_get_iam_policy_field_headers_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = iam_policy.GetIamPolicyRequest()
+    request.resource = "resource/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.get_iam_policy), "__call__"
+    ) as call:
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(policy.Policy())
+
+        await client.get_iam_policy(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "resource=resource/value",) in kw["metadata"]
+
+
+def test_get_iam_policy_from_dict():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(type(client._transport.get_iam_policy), "__call__") as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = policy.Policy()
+
+        response = client.get_iam_policy(
+            request={
+                "resource": "resource_value",
+                "options": options.GetPolicyOptions(requested_policy_version=2598),
+            }
+        )
+        call.assert_called()
+
+
+def test_test_iam_permissions(transport: str = "grpc"):
+    client = KeyManagementServiceClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = iam_policy.TestIamPermissionsRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.test_iam_permissions), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = iam_policy.TestIamPermissionsResponse(
+            permissions=["permissions_value"],
+        )
+
+        response = client.test_iam_permissions(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, iam_policy.TestIamPermissionsResponse)
+
+    assert response.permissions == ["permissions_value"]
+
+
+@pytest.mark.asyncio
+async def test_test_iam_permissions_async(transport: str = "grpc_asyncio"):
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(), transport=transport,
+    )
+
+    # Everything is optional in proto3 as far as the runtime is concerned,
+    # and we are mocking out the actual API, so just send an empty request.
+    request = iam_policy.TestIamPermissionsRequest()
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.test_iam_permissions), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            iam_policy.TestIamPermissionsResponse(permissions=["permissions_value"],)
+        )
+
+        response = await client.test_iam_permissions(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+
+        assert args[0] == request
+
+    # Establish that the response is the type that we expect.
+    assert isinstance(response, iam_policy.TestIamPermissionsResponse)
+
+    assert response.permissions == ["permissions_value"]
+
+
+def test_test_iam_permissions_field_headers():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = iam_policy.TestIamPermissionsRequest()
+    request.resource = "resource/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.test_iam_permissions), "__call__"
+    ) as call:
+        call.return_value = iam_policy.TestIamPermissionsResponse()
+
+        client.test_iam_permissions(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls) == 1
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "resource=resource/value",) in kw["metadata"]
+
+
+@pytest.mark.asyncio
+async def test_test_iam_permissions_field_headers_async():
+    client = KeyManagementServiceAsyncClient(
+        credentials=credentials.AnonymousCredentials(),
+    )
+
+    # Any value that is part of the HTTP/1.1 URI should be sent as
+    # a field header. Set these to a non-empty value.
+    request = iam_policy.TestIamPermissionsRequest()
+    request.resource = "resource/value"
+
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._client._transport.test_iam_permissions), "__call__"
+    ) as call:
+        call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(
+            iam_policy.TestIamPermissionsResponse()
+        )
+
+        await client.test_iam_permissions(request)
+
+        # Establish that the underlying gRPC stub method was called.
+        assert len(call.mock_calls)
+        _, args, _ = call.mock_calls[0]
+        assert args[0] == request
+
+    # Establish that the field header was sent.
+    _, _, kw = call.mock_calls[0]
+    assert ("x-goog-request-params", "resource=resource/value",) in kw["metadata"]
+
+
+def test_test_iam_permissions_from_dict():
+    client = KeyManagementServiceClient(credentials=credentials.AnonymousCredentials(),)
+    # Mock the actual call within the gRPC stub, and fake the request.
+    with mock.patch.object(
+        type(client._transport.test_iam_permissions), "__call__"
+    ) as call:
+        # Designate an appropriate return value for the call.
+        call.return_value = iam_policy.TestIamPermissionsResponse()
+
+        response = client.test_iam_permissions(
+            request={
+                "resource": "resource_value",
+                "permissions": ["permissions_value"],
+            }
+        )
+        call.assert_called()
diff --git a/packages/google-cloud-kms/tests/unit/gapic/v1/test_key_management_service_client_v1.py b/packages/google-cloud-kms/tests/unit/gapic/v1/test_key_management_service_client_v1.py
deleted file mode 100644
index 24c6e292863b..000000000000
--- a/packages/google-cloud-kms/tests/unit/gapic/v1/test_key_management_service_client_v1.py
+++ /dev/null
@@ -1,1328 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-"""Unit tests."""
-
-import mock
-import pytest
-
-from google.cloud import kms_v1
-from google.cloud.kms_v1 import enums
-from google.cloud.kms_v1.proto import resources_pb2
-from google.cloud.kms_v1.proto import service_pb2
-from google.iam.v1 import iam_policy_pb2
-from google.iam.v1 import policy_pb2
-from google.protobuf import duration_pb2
-from google.protobuf import field_mask_pb2
-from google.protobuf import timestamp_pb2
-
-
-class MultiCallableStub(object):
-    """Stub for the grpc.UnaryUnaryMultiCallable interface."""
-
-    def __init__(self, method, channel_stub):
-        self.method = method
-        self.channel_stub = channel_stub
-
-    def __call__(self, request, timeout=None, metadata=None, credentials=None):
-        self.channel_stub.requests.append((self.method, request))
-
-        response = None
-        if self.channel_stub.responses:
-            response = self.channel_stub.responses.pop()
-
-        if isinstance(response, Exception):
-            raise response
-
-        if response:
-            return response
-
-
-class ChannelStub(object):
-    """Stub for the grpc.Channel interface."""
-
-    def __init__(self, responses=[]):
-        self.responses = responses
-        self.requests = []
-
-    def unary_unary(self, method, request_serializer=None, response_deserializer=None):
-        return MultiCallableStub(method, self)
-
-
-class CustomException(Exception):
-    pass
-
-
-class TestKeyManagementServiceClient(object):
-    def test_list_key_rings(self):
-        # Setup Expected Response
-        next_page_token = ""
-        total_size = 705419236
-        key_rings_element = {}
-        key_rings = [key_rings_element]
-        expected_response = {
-            "next_page_token": next_page_token,
-            "total_size": total_size,
-            "key_rings": key_rings,
-        }
-        expected_response = service_pb2.ListKeyRingsResponse(**expected_response)
-
-        # Mock the API response
-        channel = ChannelStub(responses=[expected_response])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup Request
-        parent = client.location_path("[PROJECT]", "[LOCATION]")
-
-        paged_list_response = client.list_key_rings(parent)
-        resources = list(paged_list_response)
-        assert len(resources) == 1
-
-        assert expected_response.key_rings[0] == resources[0]
-
-        assert len(channel.requests) == 1
-        expected_request = service_pb2.ListKeyRingsRequest(parent=parent)
-        actual_request = channel.requests[0][1]
-        assert expected_request == actual_request
-
-    def test_list_key_rings_exception(self):
-        channel = ChannelStub(responses=[CustomException()])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup request
-        parent = client.location_path("[PROJECT]", "[LOCATION]")
-
-        paged_list_response = client.list_key_rings(parent)
-        with pytest.raises(CustomException):
-            list(paged_list_response)
-
-    def test_list_import_jobs(self):
-        # Setup Expected Response
-        next_page_token = ""
-        total_size = 705419236
-        import_jobs_element = {}
-        import_jobs = [import_jobs_element]
-        expected_response = {
-            "next_page_token": next_page_token,
-            "total_size": total_size,
-            "import_jobs": import_jobs,
-        }
-        expected_response = service_pb2.ListImportJobsResponse(**expected_response)
-
-        # Mock the API response
-        channel = ChannelStub(responses=[expected_response])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup Request
-        parent = client.key_ring_path("[PROJECT]", "[LOCATION]", "[KEY_RING]")
-
-        paged_list_response = client.list_import_jobs(parent)
-        resources = list(paged_list_response)
-        assert len(resources) == 1
-
-        assert expected_response.import_jobs[0] == resources[0]
-
-        assert len(channel.requests) == 1
-        expected_request = service_pb2.ListImportJobsRequest(parent=parent)
-        actual_request = channel.requests[0][1]
-        assert expected_request == actual_request
-
-    def test_list_import_jobs_exception(self):
-        channel = ChannelStub(responses=[CustomException()])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup request
-        parent = client.key_ring_path("[PROJECT]", "[LOCATION]", "[KEY_RING]")
-
-        paged_list_response = client.list_import_jobs(parent)
-        with pytest.raises(CustomException):
-            list(paged_list_response)
-
-    def test_list_crypto_keys(self):
-        # Setup Expected Response
-        next_page_token = ""
-        total_size = 705419236
-        crypto_keys_element = {}
-        crypto_keys = [crypto_keys_element]
-        expected_response = {
-            "next_page_token": next_page_token,
-            "total_size": total_size,
-            "crypto_keys": crypto_keys,
-        }
-        expected_response = service_pb2.ListCryptoKeysResponse(**expected_response)
-
-        # Mock the API response
-        channel = ChannelStub(responses=[expected_response])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup Request
-        parent = client.key_ring_path("[PROJECT]", "[LOCATION]", "[KEY_RING]")
-
-        paged_list_response = client.list_crypto_keys(parent)
-        resources = list(paged_list_response)
-        assert len(resources) == 1
-
-        assert expected_response.crypto_keys[0] == resources[0]
-
-        assert len(channel.requests) == 1
-        expected_request = service_pb2.ListCryptoKeysRequest(parent=parent)
-        actual_request = channel.requests[0][1]
-        assert expected_request == actual_request
-
-    def test_list_crypto_keys_exception(self):
-        channel = ChannelStub(responses=[CustomException()])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup request
-        parent = client.key_ring_path("[PROJECT]", "[LOCATION]", "[KEY_RING]")
-
-        paged_list_response = client.list_crypto_keys(parent)
-        with pytest.raises(CustomException):
-            list(paged_list_response)
-
-    def test_list_crypto_key_versions(self):
-        # Setup Expected Response
-        next_page_token = ""
-        total_size = 705419236
-        crypto_key_versions_element = {}
-        crypto_key_versions = [crypto_key_versions_element]
-        expected_response = {
-            "next_page_token": next_page_token,
-            "total_size": total_size,
-            "crypto_key_versions": crypto_key_versions,
-        }
-        expected_response = service_pb2.ListCryptoKeyVersionsResponse(
-            **expected_response
-        )
-
-        # Mock the API response
-        channel = ChannelStub(responses=[expected_response])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup Request
-        parent = client.crypto_key_path(
-            "[PROJECT]", "[LOCATION]", "[KEY_RING]", "[CRYPTO_KEY]"
-        )
-
-        paged_list_response = client.list_crypto_key_versions(parent)
-        resources = list(paged_list_response)
-        assert len(resources) == 1
-
-        assert expected_response.crypto_key_versions[0] == resources[0]
-
-        assert len(channel.requests) == 1
-        expected_request = service_pb2.ListCryptoKeyVersionsRequest(parent=parent)
-        actual_request = channel.requests[0][1]
-        assert expected_request == actual_request
-
-    def test_list_crypto_key_versions_exception(self):
-        channel = ChannelStub(responses=[CustomException()])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup request
-        parent = client.crypto_key_path(
-            "[PROJECT]", "[LOCATION]", "[KEY_RING]", "[CRYPTO_KEY]"
-        )
-
-        paged_list_response = client.list_crypto_key_versions(parent)
-        with pytest.raises(CustomException):
-            list(paged_list_response)
-
-    def test_get_key_ring(self):
-        # Setup Expected Response
-        name_2 = "name2-1052831874"
-        expected_response = {"name": name_2}
-        expected_response = resources_pb2.KeyRing(**expected_response)
-
-        # Mock the API response
-        channel = ChannelStub(responses=[expected_response])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup Request
-        name = client.key_ring_path("[PROJECT]", "[LOCATION]", "[KEY_RING]")
-
-        response = client.get_key_ring(name)
-        assert expected_response == response
-
-        assert len(channel.requests) == 1
-        expected_request = service_pb2.GetKeyRingRequest(name=name)
-        actual_request = channel.requests[0][1]
-        assert expected_request == actual_request
-
-    def test_get_key_ring_exception(self):
-        # Mock the API response
-        channel = ChannelStub(responses=[CustomException()])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup request
-        name = client.key_ring_path("[PROJECT]", "[LOCATION]", "[KEY_RING]")
-
-        with pytest.raises(CustomException):
-            client.get_key_ring(name)
-
-    def test_get_import_job(self):
-        # Setup Expected Response
-        name_2 = "name2-1052831874"
-        expected_response = {"name": name_2}
-        expected_response = resources_pb2.ImportJob(**expected_response)
-
-        # Mock the API response
-        channel = ChannelStub(responses=[expected_response])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup Request
-        name = client.import_job_path(
-            "[PROJECT]", "[LOCATION]", "[KEY_RING]", "[IMPORT_JOB]"
-        )
-
-        response = client.get_import_job(name)
-        assert expected_response == response
-
-        assert len(channel.requests) == 1
-        expected_request = service_pb2.GetImportJobRequest(name=name)
-        actual_request = channel.requests[0][1]
-        assert expected_request == actual_request
-
-    def test_get_import_job_exception(self):
-        # Mock the API response
-        channel = ChannelStub(responses=[CustomException()])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup request
-        name = client.import_job_path(
-            "[PROJECT]", "[LOCATION]", "[KEY_RING]", "[IMPORT_JOB]"
-        )
-
-        with pytest.raises(CustomException):
-            client.get_import_job(name)
-
-    def test_get_crypto_key(self):
-        # Setup Expected Response
-        name_2 = "name2-1052831874"
-        expected_response = {"name": name_2}
-        expected_response = resources_pb2.CryptoKey(**expected_response)
-
-        # Mock the API response
-        channel = ChannelStub(responses=[expected_response])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup Request
-        name = client.crypto_key_path(
-            "[PROJECT]", "[LOCATION]", "[KEY_RING]", "[CRYPTO_KEY]"
-        )
-
-        response = client.get_crypto_key(name)
-        assert expected_response == response
-
-        assert len(channel.requests) == 1
-        expected_request = service_pb2.GetCryptoKeyRequest(name=name)
-        actual_request = channel.requests[0][1]
-        assert expected_request == actual_request
-
-    def test_get_crypto_key_exception(self):
-        # Mock the API response
-        channel = ChannelStub(responses=[CustomException()])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup request
-        name = client.crypto_key_path(
-            "[PROJECT]", "[LOCATION]", "[KEY_RING]", "[CRYPTO_KEY]"
-        )
-
-        with pytest.raises(CustomException):
-            client.get_crypto_key(name)
-
-    def test_get_crypto_key_version(self):
-        # Setup Expected Response
-        name_2 = "name2-1052831874"
-        import_job = "importJob2125587491"
-        import_failure_reason = "importFailureReason-494073229"
-        expected_response = {
-            "name": name_2,
-            "import_job": import_job,
-            "import_failure_reason": import_failure_reason,
-        }
-        expected_response = resources_pb2.CryptoKeyVersion(**expected_response)
-
-        # Mock the API response
-        channel = ChannelStub(responses=[expected_response])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup Request
-        name = client.crypto_key_version_path(
-            "[PROJECT]",
-            "[LOCATION]",
-            "[KEY_RING]",
-            "[CRYPTO_KEY]",
-            "[CRYPTO_KEY_VERSION]",
-        )
-
-        response = client.get_crypto_key_version(name)
-        assert expected_response == response
-
-        assert len(channel.requests) == 1
-        expected_request = service_pb2.GetCryptoKeyVersionRequest(name=name)
-        actual_request = channel.requests[0][1]
-        assert expected_request == actual_request
-
-    def test_get_crypto_key_version_exception(self):
-        # Mock the API response
-        channel = ChannelStub(responses=[CustomException()])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup request
-        name = client.crypto_key_version_path(
-            "[PROJECT]",
-            "[LOCATION]",
-            "[KEY_RING]",
-            "[CRYPTO_KEY]",
-            "[CRYPTO_KEY_VERSION]",
-        )
-
-        with pytest.raises(CustomException):
-            client.get_crypto_key_version(name)
-
-    def test_create_key_ring(self):
-        # Setup Expected Response
-        name = "name3373707"
-        expected_response = {"name": name}
-        expected_response = resources_pb2.KeyRing(**expected_response)
-
-        # Mock the API response
-        channel = ChannelStub(responses=[expected_response])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup Request
-        parent = client.location_path("[PROJECT]", "[LOCATION]")
-        key_ring_id = "keyRingId-2056646742"
-        key_ring = {}
-
-        response = client.create_key_ring(parent, key_ring_id, key_ring)
-        assert expected_response == response
-
-        assert len(channel.requests) == 1
-        expected_request = service_pb2.CreateKeyRingRequest(
-            parent=parent, key_ring_id=key_ring_id, key_ring=key_ring
-        )
-        actual_request = channel.requests[0][1]
-        assert expected_request == actual_request
-
-    def test_create_key_ring_exception(self):
-        # Mock the API response
-        channel = ChannelStub(responses=[CustomException()])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup request
-        parent = client.location_path("[PROJECT]", "[LOCATION]")
-        key_ring_id = "keyRingId-2056646742"
-        key_ring = {}
-
-        with pytest.raises(CustomException):
-            client.create_key_ring(parent, key_ring_id, key_ring)
-
-    def test_create_import_job(self):
-        # Setup Expected Response
-        name = "name3373707"
-        expected_response = {"name": name}
-        expected_response = resources_pb2.ImportJob(**expected_response)
-
-        # Mock the API response
-        channel = ChannelStub(responses=[expected_response])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup Request
-        parent = client.key_ring_path("[PROJECT]", "[LOCATION]", "[KEY_RING]")
-        import_job_id = "my-import-job"
-        import_method = enums.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256
-        protection_level = enums.ProtectionLevel.HSM
-        import_job = {
-            "import_method": import_method,
-            "protection_level": protection_level,
-        }
-
-        response = client.create_import_job(parent, import_job_id, import_job)
-        assert expected_response == response
-
-        assert len(channel.requests) == 1
-        expected_request = service_pb2.CreateImportJobRequest(
-            parent=parent, import_job_id=import_job_id, import_job=import_job
-        )
-        actual_request = channel.requests[0][1]
-        assert expected_request == actual_request
-
-    def test_create_import_job_exception(self):
-        # Mock the API response
-        channel = ChannelStub(responses=[CustomException()])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup request
-        parent = client.key_ring_path("[PROJECT]", "[LOCATION]", "[KEY_RING]")
-        import_job_id = "my-import-job"
-        import_method = enums.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256
-        protection_level = enums.ProtectionLevel.HSM
-        import_job = {
-            "import_method": import_method,
-            "protection_level": protection_level,
-        }
-
-        with pytest.raises(CustomException):
-            client.create_import_job(parent, import_job_id, import_job)
-
-    def test_create_crypto_key(self):
-        # Setup Expected Response
-        name = "name3373707"
-        expected_response = {"name": name}
-        expected_response = resources_pb2.CryptoKey(**expected_response)
-
-        # Mock the API response
-        channel = ChannelStub(responses=[expected_response])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup Request
-        parent = client.key_ring_path("[PROJECT]", "[LOCATION]", "[KEY_RING]")
-        crypto_key_id = "my-app-key"
-        purpose = enums.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
-        seconds = 2147483647
-        next_rotation_time = {"seconds": seconds}
-        seconds_2 = 604800
-        rotation_period = {"seconds": seconds_2}
-        crypto_key = {
-            "purpose": purpose,
-            "next_rotation_time": next_rotation_time,
-            "rotation_period": rotation_period,
-        }
-
-        response = client.create_crypto_key(parent, crypto_key_id, crypto_key)
-        assert expected_response == response
-
-        assert len(channel.requests) == 1
-        expected_request = service_pb2.CreateCryptoKeyRequest(
-            parent=parent, crypto_key_id=crypto_key_id, crypto_key=crypto_key
-        )
-        actual_request = channel.requests[0][1]
-        assert expected_request == actual_request
-
-    def test_create_crypto_key_exception(self):
-        # Mock the API response
-        channel = ChannelStub(responses=[CustomException()])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup request
-        parent = client.key_ring_path("[PROJECT]", "[LOCATION]", "[KEY_RING]")
-        crypto_key_id = "my-app-key"
-        purpose = enums.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
-        seconds = 2147483647
-        next_rotation_time = {"seconds": seconds}
-        seconds_2 = 604800
-        rotation_period = {"seconds": seconds_2}
-        crypto_key = {
-            "purpose": purpose,
-            "next_rotation_time": next_rotation_time,
-            "rotation_period": rotation_period,
-        }
-
-        with pytest.raises(CustomException):
-            client.create_crypto_key(parent, crypto_key_id, crypto_key)
-
-    def test_create_crypto_key_version(self):
-        # Setup Expected Response
-        name = "name3373707"
-        import_job = "importJob2125587491"
-        import_failure_reason = "importFailureReason-494073229"
-        expected_response = {
-            "name": name,
-            "import_job": import_job,
-            "import_failure_reason": import_failure_reason,
-        }
-        expected_response = resources_pb2.CryptoKeyVersion(**expected_response)
-
-        # Mock the API response
-        channel = ChannelStub(responses=[expected_response])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup Request
-        parent = client.crypto_key_path(
-            "[PROJECT]", "[LOCATION]", "[KEY_RING]", "[CRYPTO_KEY]"
-        )
-        crypto_key_version = {}
-
-        response = client.create_crypto_key_version(parent, crypto_key_version)
-        assert expected_response == response
-
-        assert len(channel.requests) == 1
-        expected_request = service_pb2.CreateCryptoKeyVersionRequest(
-            parent=parent, crypto_key_version=crypto_key_version
-        )
-        actual_request = channel.requests[0][1]
-        assert expected_request == actual_request
-
-    def test_create_crypto_key_version_exception(self):
-        # Mock the API response
-        channel = ChannelStub(responses=[CustomException()])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup request
-        parent = client.crypto_key_path(
-            "[PROJECT]", "[LOCATION]", "[KEY_RING]", "[CRYPTO_KEY]"
-        )
-        crypto_key_version = {}
-
-        with pytest.raises(CustomException):
-            client.create_crypto_key_version(parent, crypto_key_version)
-
-    def test_import_crypto_key_version(self):
-        # Setup Expected Response
-        name = "name3373707"
-        import_job_2 = "importJob2-1714851050"
-        import_failure_reason = "importFailureReason-494073229"
-        expected_response = {
-            "name": name,
-            "import_job": import_job_2,
-            "import_failure_reason": import_failure_reason,
-        }
-        expected_response = resources_pb2.CryptoKeyVersion(**expected_response)
-
-        # Mock the API response
-        channel = ChannelStub(responses=[expected_response])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup Request
-        parent = client.crypto_key_path(
-            "[PROJECT]", "[LOCATION]", "[KEY_RING]", "[CRYPTO_KEY]"
-        )
-        algorithm = (
-            enums.CryptoKeyVersion.CryptoKeyVersionAlgorithm.CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED
-        )
-        import_job = "importJob2125587491"
-
-        response = client.import_crypto_key_version(parent, algorithm, import_job)
-        assert expected_response == response
-
-        assert len(channel.requests) == 1
-        expected_request = service_pb2.ImportCryptoKeyVersionRequest(
-            parent=parent, algorithm=algorithm, import_job=import_job
-        )
-        actual_request = channel.requests[0][1]
-        assert expected_request == actual_request
-
-    def test_import_crypto_key_version_exception(self):
-        # Mock the API response
-        channel = ChannelStub(responses=[CustomException()])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup request
-        parent = client.crypto_key_path(
-            "[PROJECT]", "[LOCATION]", "[KEY_RING]", "[CRYPTO_KEY]"
-        )
-        algorithm = (
-            enums.CryptoKeyVersion.CryptoKeyVersionAlgorithm.CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED
-        )
-        import_job = "importJob2125587491"
-
-        with pytest.raises(CustomException):
-            client.import_crypto_key_version(parent, algorithm, import_job)
-
-    def test_update_crypto_key(self):
-        # Setup Expected Response
-        name = "name3373707"
-        expected_response = {"name": name}
-        expected_response = resources_pb2.CryptoKey(**expected_response)
-
-        # Mock the API response
-        channel = ChannelStub(responses=[expected_response])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup Request
-        crypto_key = {}
-        update_mask = {}
-
-        response = client.update_crypto_key(crypto_key, update_mask)
-        assert expected_response == response
-
-        assert len(channel.requests) == 1
-        expected_request = service_pb2.UpdateCryptoKeyRequest(
-            crypto_key=crypto_key, update_mask=update_mask
-        )
-        actual_request = channel.requests[0][1]
-        assert expected_request == actual_request
-
-    def test_update_crypto_key_exception(self):
-        # Mock the API response
-        channel = ChannelStub(responses=[CustomException()])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup request
-        crypto_key = {}
-        update_mask = {}
-
-        with pytest.raises(CustomException):
-            client.update_crypto_key(crypto_key, update_mask)
-
-    def test_update_crypto_key_version(self):
-        # Setup Expected Response
-        name = "name3373707"
-        import_job = "importJob2125587491"
-        import_failure_reason = "importFailureReason-494073229"
-        expected_response = {
-            "name": name,
-            "import_job": import_job,
-            "import_failure_reason": import_failure_reason,
-        }
-        expected_response = resources_pb2.CryptoKeyVersion(**expected_response)
-
-        # Mock the API response
-        channel = ChannelStub(responses=[expected_response])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup Request
-        crypto_key_version = {}
-        update_mask = {}
-
-        response = client.update_crypto_key_version(crypto_key_version, update_mask)
-        assert expected_response == response
-
-        assert len(channel.requests) == 1
-        expected_request = service_pb2.UpdateCryptoKeyVersionRequest(
-            crypto_key_version=crypto_key_version, update_mask=update_mask
-        )
-        actual_request = channel.requests[0][1]
-        assert expected_request == actual_request
-
-    def test_update_crypto_key_version_exception(self):
-        # Mock the API response
-        channel = ChannelStub(responses=[CustomException()])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup request
-        crypto_key_version = {}
-        update_mask = {}
-
-        with pytest.raises(CustomException):
-            client.update_crypto_key_version(crypto_key_version, update_mask)
-
-    def test_encrypt(self):
-        # Setup Expected Response
-        name_2 = "name2-1052831874"
-        ciphertext = b"-72"
-        expected_response = {"name": name_2, "ciphertext": ciphertext}
-        expected_response = service_pb2.EncryptResponse(**expected_response)
-
-        # Mock the API response
-        channel = ChannelStub(responses=[expected_response])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup Request
-        name = "name3373707"
-        plaintext = b"-9"
-
-        response = client.encrypt(name, plaintext)
-        assert expected_response == response
-
-        assert len(channel.requests) == 1
-        expected_request = service_pb2.EncryptRequest(name=name, plaintext=plaintext)
-        actual_request = channel.requests[0][1]
-        assert expected_request == actual_request
-
-    def test_encrypt_exception(self):
-        # Mock the API response
-        channel = ChannelStub(responses=[CustomException()])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup request
-        name = "name3373707"
-        plaintext = b"-9"
-
-        with pytest.raises(CustomException):
-            client.encrypt(name, plaintext)
-
-    def test_decrypt(self):
-        # Setup Expected Response
-        plaintext = b"-9"
-        expected_response = {"plaintext": plaintext}
-        expected_response = service_pb2.DecryptResponse(**expected_response)
-
-        # Mock the API response
-        channel = ChannelStub(responses=[expected_response])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup Request
-        name = client.crypto_key_path(
-            "[PROJECT]", "[LOCATION]", "[KEY_RING]", "[CRYPTO_KEY]"
-        )
-        ciphertext = b"-72"
-
-        response = client.decrypt(name, ciphertext)
-        assert expected_response == response
-
-        assert len(channel.requests) == 1
-        expected_request = service_pb2.DecryptRequest(name=name, ciphertext=ciphertext)
-        actual_request = channel.requests[0][1]
-        assert expected_request == actual_request
-
-    def test_decrypt_exception(self):
-        # Mock the API response
-        channel = ChannelStub(responses=[CustomException()])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup request
-        name = client.crypto_key_path(
-            "[PROJECT]", "[LOCATION]", "[KEY_RING]", "[CRYPTO_KEY]"
-        )
-        ciphertext = b"-72"
-
-        with pytest.raises(CustomException):
-            client.decrypt(name, ciphertext)
-
-    def test_update_crypto_key_primary_version(self):
-        # Setup Expected Response
-        name_2 = "name2-1052831874"
-        expected_response = {"name": name_2}
-        expected_response = resources_pb2.CryptoKey(**expected_response)
-
-        # Mock the API response
-        channel = ChannelStub(responses=[expected_response])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup Request
-        name = client.crypto_key_path(
-            "[PROJECT]", "[LOCATION]", "[KEY_RING]", "[CRYPTO_KEY]"
-        )
-        crypto_key_version_id = "cryptoKeyVersionId729489152"
-
-        response = client.update_crypto_key_primary_version(name, crypto_key_version_id)
-        assert expected_response == response
-
-        assert len(channel.requests) == 1
-        expected_request = service_pb2.UpdateCryptoKeyPrimaryVersionRequest(
-            name=name, crypto_key_version_id=crypto_key_version_id
-        )
-        actual_request = channel.requests[0][1]
-        assert expected_request == actual_request
-
-    def test_update_crypto_key_primary_version_exception(self):
-        # Mock the API response
-        channel = ChannelStub(responses=[CustomException()])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup request
-        name = client.crypto_key_path(
-            "[PROJECT]", "[LOCATION]", "[KEY_RING]", "[CRYPTO_KEY]"
-        )
-        crypto_key_version_id = "cryptoKeyVersionId729489152"
-
-        with pytest.raises(CustomException):
-            client.update_crypto_key_primary_version(name, crypto_key_version_id)
-
-    def test_destroy_crypto_key_version(self):
-        # Setup Expected Response
-        name_2 = "name2-1052831874"
-        import_job = "importJob2125587491"
-        import_failure_reason = "importFailureReason-494073229"
-        expected_response = {
-            "name": name_2,
-            "import_job": import_job,
-            "import_failure_reason": import_failure_reason,
-        }
-        expected_response = resources_pb2.CryptoKeyVersion(**expected_response)
-
-        # Mock the API response
-        channel = ChannelStub(responses=[expected_response])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup Request
-        name = client.crypto_key_version_path(
-            "[PROJECT]",
-            "[LOCATION]",
-            "[KEY_RING]",
-            "[CRYPTO_KEY]",
-            "[CRYPTO_KEY_VERSION]",
-        )
-
-        response = client.destroy_crypto_key_version(name)
-        assert expected_response == response
-
-        assert len(channel.requests) == 1
-        expected_request = service_pb2.DestroyCryptoKeyVersionRequest(name=name)
-        actual_request = channel.requests[0][1]
-        assert expected_request == actual_request
-
-    def test_destroy_crypto_key_version_exception(self):
-        # Mock the API response
-        channel = ChannelStub(responses=[CustomException()])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup request
-        name = client.crypto_key_version_path(
-            "[PROJECT]",
-            "[LOCATION]",
-            "[KEY_RING]",
-            "[CRYPTO_KEY]",
-            "[CRYPTO_KEY_VERSION]",
-        )
-
-        with pytest.raises(CustomException):
-            client.destroy_crypto_key_version(name)
-
-    def test_restore_crypto_key_version(self):
-        # Setup Expected Response
-        name_2 = "name2-1052831874"
-        import_job = "importJob2125587491"
-        import_failure_reason = "importFailureReason-494073229"
-        expected_response = {
-            "name": name_2,
-            "import_job": import_job,
-            "import_failure_reason": import_failure_reason,
-        }
-        expected_response = resources_pb2.CryptoKeyVersion(**expected_response)
-
-        # Mock the API response
-        channel = ChannelStub(responses=[expected_response])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup Request
-        name = client.crypto_key_version_path(
-            "[PROJECT]",
-            "[LOCATION]",
-            "[KEY_RING]",
-            "[CRYPTO_KEY]",
-            "[CRYPTO_KEY_VERSION]",
-        )
-
-        response = client.restore_crypto_key_version(name)
-        assert expected_response == response
-
-        assert len(channel.requests) == 1
-        expected_request = service_pb2.RestoreCryptoKeyVersionRequest(name=name)
-        actual_request = channel.requests[0][1]
-        assert expected_request == actual_request
-
-    def test_restore_crypto_key_version_exception(self):
-        # Mock the API response
-        channel = ChannelStub(responses=[CustomException()])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup request
-        name = client.crypto_key_version_path(
-            "[PROJECT]",
-            "[LOCATION]",
-            "[KEY_RING]",
-            "[CRYPTO_KEY]",
-            "[CRYPTO_KEY_VERSION]",
-        )
-
-        with pytest.raises(CustomException):
-            client.restore_crypto_key_version(name)
-
-    def test_get_public_key(self):
-        # Setup Expected Response
-        pem = "pem110872"
-        expected_response = {"pem": pem}
-        expected_response = resources_pb2.PublicKey(**expected_response)
-
-        # Mock the API response
-        channel = ChannelStub(responses=[expected_response])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup Request
-        name = client.crypto_key_version_path(
-            "[PROJECT]",
-            "[LOCATION]",
-            "[KEY_RING]",
-            "[CRYPTO_KEY]",
-            "[CRYPTO_KEY_VERSION]",
-        )
-
-        response = client.get_public_key(name)
-        assert expected_response == response
-
-        assert len(channel.requests) == 1
-        expected_request = service_pb2.GetPublicKeyRequest(name=name)
-        actual_request = channel.requests[0][1]
-        assert expected_request == actual_request
-
-    def test_get_public_key_exception(self):
-        # Mock the API response
-        channel = ChannelStub(responses=[CustomException()])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup request
-        name = client.crypto_key_version_path(
-            "[PROJECT]",
-            "[LOCATION]",
-            "[KEY_RING]",
-            "[CRYPTO_KEY]",
-            "[CRYPTO_KEY_VERSION]",
-        )
-
-        with pytest.raises(CustomException):
-            client.get_public_key(name)
-
-    def test_asymmetric_decrypt(self):
-        # Setup Expected Response
-        plaintext = b"-9"
-        expected_response = {"plaintext": plaintext}
-        expected_response = service_pb2.AsymmetricDecryptResponse(**expected_response)
-
-        # Mock the API response
-        channel = ChannelStub(responses=[expected_response])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup Request
-        name = client.crypto_key_version_path(
-            "[PROJECT]",
-            "[LOCATION]",
-            "[KEY_RING]",
-            "[CRYPTO_KEY]",
-            "[CRYPTO_KEY_VERSION]",
-        )
-        ciphertext = b"-72"
-
-        response = client.asymmetric_decrypt(name, ciphertext)
-        assert expected_response == response
-
-        assert len(channel.requests) == 1
-        expected_request = service_pb2.AsymmetricDecryptRequest(
-            name=name, ciphertext=ciphertext
-        )
-        actual_request = channel.requests[0][1]
-        assert expected_request == actual_request
-
-    def test_asymmetric_decrypt_exception(self):
-        # Mock the API response
-        channel = ChannelStub(responses=[CustomException()])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup request
-        name = client.crypto_key_version_path(
-            "[PROJECT]",
-            "[LOCATION]",
-            "[KEY_RING]",
-            "[CRYPTO_KEY]",
-            "[CRYPTO_KEY_VERSION]",
-        )
-        ciphertext = b"-72"
-
-        with pytest.raises(CustomException):
-            client.asymmetric_decrypt(name, ciphertext)
-
-    def test_asymmetric_sign(self):
-        # Setup Expected Response
-        signature = b"-100"
-        expected_response = {"signature": signature}
-        expected_response = service_pb2.AsymmetricSignResponse(**expected_response)
-
-        # Mock the API response
-        channel = ChannelStub(responses=[expected_response])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup Request
-        name = client.crypto_key_version_path(
-            "[PROJECT]",
-            "[LOCATION]",
-            "[KEY_RING]",
-            "[CRYPTO_KEY]",
-            "[CRYPTO_KEY_VERSION]",
-        )
-        digest = {}
-
-        response = client.asymmetric_sign(name, digest)
-        assert expected_response == response
-
-        assert len(channel.requests) == 1
-        expected_request = service_pb2.AsymmetricSignRequest(name=name, digest=digest)
-        actual_request = channel.requests[0][1]
-        assert expected_request == actual_request
-
-    def test_asymmetric_sign_exception(self):
-        # Mock the API response
-        channel = ChannelStub(responses=[CustomException()])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup request
-        name = client.crypto_key_version_path(
-            "[PROJECT]",
-            "[LOCATION]",
-            "[KEY_RING]",
-            "[CRYPTO_KEY]",
-            "[CRYPTO_KEY_VERSION]",
-        )
-        digest = {}
-
-        with pytest.raises(CustomException):
-            client.asymmetric_sign(name, digest)
-
-    def test_set_iam_policy(self):
-        # Setup Expected Response
-        version = 351608024
-        etag = b"21"
-        expected_response = {"version": version, "etag": etag}
-        expected_response = policy_pb2.Policy(**expected_response)
-
-        # Mock the API response
-        channel = ChannelStub(responses=[expected_response])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup Request
-        resource = "resource-341064690"
-        policy = {}
-
-        response = client.set_iam_policy(resource, policy)
-        assert expected_response == response
-
-        assert len(channel.requests) == 1
-        expected_request = iam_policy_pb2.SetIamPolicyRequest(
-            resource=resource, policy=policy
-        )
-        actual_request = channel.requests[0][1]
-        assert expected_request == actual_request
-
-    def test_set_iam_policy_exception(self):
-        # Mock the API response
-        channel = ChannelStub(responses=[CustomException()])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup request
-        resource = "resource-341064690"
-        policy = {}
-
-        with pytest.raises(CustomException):
-            client.set_iam_policy(resource, policy)
-
-    def test_get_iam_policy(self):
-        # Setup Expected Response
-        version = 351608024
-        etag = b"21"
-        expected_response = {"version": version, "etag": etag}
-        expected_response = policy_pb2.Policy(**expected_response)
-
-        # Mock the API response
-        channel = ChannelStub(responses=[expected_response])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup Request
-        resource = "resource-341064690"
-
-        response = client.get_iam_policy(resource)
-        assert expected_response == response
-
-        assert len(channel.requests) == 1
-        expected_request = iam_policy_pb2.GetIamPolicyRequest(resource=resource)
-        actual_request = channel.requests[0][1]
-        assert expected_request == actual_request
-
-    def test_get_iam_policy_exception(self):
-        # Mock the API response
-        channel = ChannelStub(responses=[CustomException()])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup request
-        resource = "resource-341064690"
-
-        with pytest.raises(CustomException):
-            client.get_iam_policy(resource)
-
-    def test_test_iam_permissions(self):
-        # Setup Expected Response
-        expected_response = {}
-        expected_response = iam_policy_pb2.TestIamPermissionsResponse(
-            **expected_response
-        )
-
-        # Mock the API response
-        channel = ChannelStub(responses=[expected_response])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup Request
-        resource = "resource-341064690"
-        permissions = []
-
-        response = client.test_iam_permissions(resource, permissions)
-        assert expected_response == response
-
-        assert len(channel.requests) == 1
-        expected_request = iam_policy_pb2.TestIamPermissionsRequest(
-            resource=resource, permissions=permissions
-        )
-        actual_request = channel.requests[0][1]
-        assert expected_request == actual_request
-
-    def test_test_iam_permissions_exception(self):
-        # Mock the API response
-        channel = ChannelStub(responses=[CustomException()])
-        patch = mock.patch("google.api_core.grpc_helpers.create_channel")
-        with patch as create_channel:
-            create_channel.return_value = channel
-            client = kms_v1.KeyManagementServiceClient()
-
-        # Setup request
-        resource = "resource-341064690"
-        permissions = []
-
-        with pytest.raises(CustomException):
-            client.test_iam_permissions(resource, permissions)