# `Cartouche.CloudKMS`
[🔗](https://github.com/zenhive/cartouche/blob/main/lib/cartouche/cloud_kms.ex#L1)

Shared helpers for the Google Cloud KMS signer backends
(`Cartouche.Signer.CloudKMS` and `Cartouche.Solana.Signer.CloudKMS`).

The HTTP transport (`get_public_key/3`, `asymmetric_sign/4`) is identical for
both the secp256k1 (Ethereum) and Ed25519 (Solana) signers — only the request
body and the public-key parsing differ, and those stay in the signer modules.
Goth credential resolution stays in the signers too, since `Goth` is an
optional dependency and this module is always loaded.

`config_key` is the signer module (passed as `__MODULE__`); it selects that
signer's `Application.get_env(:cartouche, config_key)` block, so per-signer
`:req_options` continue to resolve under their existing keys.

# `asymmetric_sign`

```elixir
@spec asymmetric_sign(String.t(), String.t(), map(), module()) ::
  {:ok, map()} | {:error, term()}
```

Calls `asymmetricSign` on a KMS key version. `body` is the signer-specific
request payload (`%{digest: ...}` for secp256k1, `%{data: ...}` for Ed25519).

# `get_public_key`

```elixir
@spec get_public_key(String.t(), String.t(), module()) ::
  {:ok, map()} | {:error, term()}
```

Fetches the PEM-encoded public key for a KMS key version. Returns the raw KMS
JSON map (`%{"algorithm" => _, "pem" => _}`); the caller parses the PEM for its
curve.

# `key_version_name`

```elixir
@spec key_version_name(
  String.t(),
  String.t(),
  String.t(),
  String.t(),
  String.t() | non_neg_integer()
) ::
  String.t()
```

Builds the fully-qualified Cloud KMS crypto-key-version resource name from its
component parts, e.g.
`projects/p/locations/l/keyRings/kc/cryptoKeys/k/cryptoKeyVersions/v`.

---

*Consult [api-reference.md](api-reference.md) for complete listing*