---
title: High Google KMS crypto key rotation period
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > High Google KMS crypto key rotation period
---

# High Google KMS crypto key rotation period

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ().
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `f9b7086b-deb8-4034-9330-d7fd38f1b8de`

**Cloud Provider:** GCP

**Platform:** Ansible

**Severity:** Medium

**Category:** Secret Management

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_kms_crypto_key_module.html)

### Description{% #description %}

KMS crypto keys must have a `rotation_period` of 90 days or less to limit key lifetime and reduce the blast radius if a key is compromised.

For Ansible resources using `google.cloud.gcp_kms_crypto_key` or `gcp_kms_crypto_key`, the `rotation_period` property must be a duration string in seconds ending with an `s`. The numeric value must be less than or equal to `7776000` (90 days). Resources missing `rotation_period`, lacking the `s` suffix, or with a value greater than `7776000` are flagged.

Secure configuration example:

```yaml
- name: Create KMS crypto key with 90-day rotation
  google.cloud.gcp_kms_crypto_key:
    name: my-key
    key_ring: projects/my-project/locations/global/keyRings/my-keyring
    purpose: ENCRYPT_DECRYPT
    rotation_period: "7776000s"
    state: present
```

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: create a key ring
  google.cloud.gcp_kms_key_ring:
    name: key-key-ring
    location: us-central1
    project: '{{ gcp_project }}'
    auth_kind: '{{ gcp_cred_kind }}'
    service_account_file: '{{ gcp_cred_file }}'
    state: present
  register: keyring

- name: create a crypto key
  google.cloud.gcp_kms_crypto_key:
    name: test_object
    key_ring: projects/{{ gcp_project }}/locations/us-central1/keyRings/key-key-ring
    project: test_project
    auth_kind: serviceaccount
    rotation_period: 7776000s
    service_account_file: /tmp/auth.pem
    state: present
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
---
- name: create a key ring
  google.cloud.gcp_kms_key_ring:
    name: key-key-ring
    location: us-central1
    project: "{{ gcp_project }}"
    auth_kind: "{{ gcp_cred_kind }}"
    service_account_file: "{{ gcp_cred_file }}"
    state: present
  register: keyring

- name: create a crypto key
  google.cloud.gcp_kms_crypto_key:
    name: test_object
    key_ring: projects/{{ gcp_project }}/locations/us-central1/keyRings/key-key-ring
    project: test_project
    auth_kind: serviceaccount
    rotation_period: "315356000s"
    service_account_file: "/tmp/auth.pem"
    state: present

- name: create a crypto key2
  google.cloud.gcp_kms_crypto_key:
    name: test_object
    key_ring: projects/{{ gcp_project }}/locations/us-central1/keyRings/key-key-ring
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
```