From 7badd9df534096cc7d3fa85a1415708965ec19f5 Mon Sep 17 00:00:00 2001
From: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
Date: Tue, 26 Nov 2024 17:16:59 +0000
Subject: [PATCH] docs: A comment for enum `CryptoKeyVersionAlgorithm` is
 changed

PiperOrigin-RevId: 700331075

Source-Link: https://github.com/googleapis/googleapis/commit/3b7310bebab65971237b68c6320fa55ebf192fb8

Source-Link: https://github.com/googleapis/googleapis-gen/commit/9eda366d22f320ed4d4d5ca9f1d58bbe6efb8805
Copy-Tag: eyJwIjoiS21zLy5Pd2xCb3QueWFtbCIsImgiOiI5ZWRhMzY2ZDIyZjMyMGVkNGQ0ZDVjYTlmMWQ1OGJiZTZlZmI4ODA1In0=
---
 .../Google/Cloud/Kms/V1/Autokey.php           |   65 +
 .../Google/Cloud/Kms/V1/AutokeyAdmin.php      |  Bin 0 -> 2547 bytes
 .../Google/Cloud/Kms/V1/EkmService.php        |  Bin 0 -> 5224 bytes
 .../Google/Cloud/Kms/V1/Resources.php         |  Bin 0 -> 7700 bytes
 .../Google/Cloud/Kms/V1/Service.php           |  Bin 0 -> 15249 bytes
 .../src/Google/Cloud/Kms/V1/AccessReason.php  |  149 +
 .../Cloud/Kms/V1/AsymmetricDecryptRequest.php |  317 ++
 .../Kms/V1/AsymmetricDecryptResponse.php      |  339 +++
 .../Cloud/Kms/V1/AsymmetricSignRequest.php    |  568 ++++
 .../Cloud/Kms/V1/AsymmetricSignResponse.php   |  463 +++
 .../src/Google/Cloud/Kms/V1/AutokeyConfig.php |  179 ++
 .../Cloud/Kms/V1/AutokeyConfig/State.php      |   73 +
 .../src/Google/Cloud/Kms/V1/Certificate.php   |  388 +++
 .../Cloud/Kms/V1/CreateCryptoKeyRequest.php   |  241 ++
 .../Kms/V1/CreateCryptoKeyVersionRequest.php  |  143 +
 .../Kms/V1/CreateEkmConnectionRequest.php     |  184 ++
 .../Cloud/Kms/V1/CreateImportJobRequest.php   |  184 ++
 .../Cloud/Kms/V1/CreateKeyHandleMetadata.php  |   35 +
 .../Cloud/Kms/V1/CreateKeyHandleRequest.php   |  184 ++
 .../Cloud/Kms/V1/CreateKeyRingRequest.php     |  184 ++
 .../src/Google/Cloud/Kms/V1/CryptoKey.php     |  748 +++++
 .../Kms/V1/CryptoKey/CryptoKeyPurpose.php     |  104 +
 .../Google/Cloud/Kms/V1/CryptoKeyVersion.php  |  819 ++++++
 .../CryptoKeyVersionAlgorithm.php             |  336 +++
 .../CryptoKeyVersionState.php                 |  154 +
 .../CryptoKeyVersion/CryptoKeyVersionView.php |   67 +
 .../Cloud/Kms/V1/CryptoKeyVersionTemplate.php |  150 +
 .../Google/Cloud/Kms/V1/DecryptRequest.php    |  529 ++++
 .../Google/Cloud/Kms/V1/DecryptResponse.php   |  315 ++
 .../Kms/V1/DestroyCryptoKeyVersionRequest.php |   87 +
 .../proto/src/Google/Cloud/Kms/V1/Digest.php  |  141 +
 .../src/Google/Cloud/Kms/V1/EkmConfig.php     |  123 +
 .../src/Google/Cloud/Kms/V1/EkmConnection.php |  314 ++
 .../V1/EkmConnection/KeyManagementMode.php    |   90 +
 .../Kms/V1/EkmConnection/ServiceResolver.php  |  206 ++
 .../Google/Cloud/Kms/V1/EncryptRequest.php    |  625 ++++
 .../Google/Cloud/Kms/V1/EncryptResponse.php   |  471 +++
 .../Kms/V1/ExternalProtectionLevelOptions.php |  122 +
 .../Kms/V1/GenerateRandomBytesRequest.php     |  179 ++
 .../Kms/V1/GenerateRandomBytesResponse.php    |  211 ++
 .../Cloud/Kms/V1/GetAutokeyConfigRequest.php  |   87 +
 .../Cloud/Kms/V1/GetCryptoKeyRequest.php      |   87 +
 .../Kms/V1/GetCryptoKeyVersionRequest.php     |   87 +
 .../Cloud/Kms/V1/GetEkmConfigRequest.php      |   87 +
 .../Cloud/Kms/V1/GetEkmConnectionRequest.php  |   87 +
 .../Cloud/Kms/V1/GetImportJobRequest.php      |   87 +
 .../Cloud/Kms/V1/GetKeyHandleRequest.php      |   91 +
 .../Google/Cloud/Kms/V1/GetKeyRingRequest.php |   87 +
 .../Cloud/Kms/V1/GetPublicKeyRequest.php      |   87 +
 .../Kms/V1/ImportCryptoKeyVersionRequest.php  |  491 ++++
 .../src/Google/Cloud/Kms/V1/ImportJob.php     |  549 ++++
 .../Cloud/Kms/V1/ImportJob/ImportJobState.php |   79 +
 .../Cloud/Kms/V1/ImportJob/ImportMethod.php   |  120 +
 .../Kms/V1/ImportJob/WrappingPublicKey.php    |   88 +
 .../Kms/V1/KeyAccessJustificationsPolicy.php  |   87 +
 .../src/Google/Cloud/Kms/V1/KeyHandle.php     |  196 ++
 .../Cloud/Kms/V1/KeyOperationAttestation.php  |  151 +
 .../AttestationFormat.php                     |   68 +
 .../CertificateChains.php                     |  140 +
 .../proto/src/Google/Cloud/Kms/V1/KeyRing.php |  124 +
 .../Kms/V1/ListCryptoKeyVersionsRequest.php   |  314 ++
 .../Kms/V1/ListCryptoKeyVersionsResponse.php  |  152 +
 .../Cloud/Kms/V1/ListCryptoKeysRequest.php    |  309 ++
 .../Cloud/Kms/V1/ListCryptoKeysResponse.php   |  148 +
 .../Kms/V1/ListEkmConnectionsRequest.php      |  280 ++
 .../Kms/V1/ListEkmConnectionsResponse.php     |  148 +
 .../Cloud/Kms/V1/ListImportJobsRequest.php    |  275 ++
 .../Cloud/Kms/V1/ListImportJobsResponse.php   |  148 +
 .../Cloud/Kms/V1/ListKeyHandlesRequest.php    |  234 ++
 .../Cloud/Kms/V1/ListKeyHandlesResponse.php   |  110 +
 .../Cloud/Kms/V1/ListKeyRingsRequest.php      |  280 ++
 .../Cloud/Kms/V1/ListKeyRingsResponse.php     |  148 +
 .../Google/Cloud/Kms/V1/LocationMetadata.php  |  126 +
 .../Google/Cloud/Kms/V1/MacSignRequest.php    |  300 ++
 .../Google/Cloud/Kms/V1/MacSignResponse.php   |  377 +++
 .../Google/Cloud/Kms/V1/MacVerifyRequest.php  |  508 ++++
 .../Google/Cloud/Kms/V1/MacVerifyResponse.php |  386 +++
 .../Google/Cloud/Kms/V1/ProtectionLevel.php   |   77 +
 .../src/Google/Cloud/Kms/V1/PublicKey.php     |  354 +++
 .../Google/Cloud/Kms/V1/RawDecryptRequest.php |  707 +++++
 .../Cloud/Kms/V1/RawDecryptResponse.php       |  511 ++++
 .../Google/Cloud/Kms/V1/RawEncryptRequest.php |  743 +++++
 .../Cloud/Kms/V1/RawEncryptResponse.php       |  744 +++++
 .../Kms/V1/RestoreCryptoKeyVersionRequest.php |   87 +
 .../V1/ShowEffectiveAutokeyConfigRequest.php  |   92 +
 .../V1/ShowEffectiveAutokeyConfigResponse.php |   72 +
 .../Kms/V1/UpdateAutokeyConfigRequest.php     |  152 +
 .../UpdateCryptoKeyPrimaryVersionRequest.php  |  128 +
 .../Cloud/Kms/V1/UpdateCryptoKeyRequest.php   |  137 +
 .../Kms/V1/UpdateCryptoKeyVersionRequest.php  |  142 +
 .../Cloud/Kms/V1/UpdateEkmConfigRequest.php   |  137 +
 .../Kms/V1/UpdateEkmConnectionRequest.php     |  142 +
 .../Kms/V1/VerifyConnectivityRequest.php      |   87 +
 .../Kms/V1/VerifyConnectivityResponse.php     |   34 +
 .../AutokeyAdminClient/get_autokey_config.php |   73 +
 .../V1/AutokeyAdminClient/get_iam_policy.php  |   72 +
 .../V1/AutokeyAdminClient/get_location.php    |   57 +
 .../V1/AutokeyAdminClient/list_locations.php  |   62 +
 .../V1/AutokeyAdminClient/set_iam_policy.php  |   77 +
 .../show_effective_autokey_config.php         |   73 +
 .../test_iam_permissions.php                  |   84 +
 .../update_autokey_config.php                 |   68 +
 .../V1/AutokeyClient/create_key_handle.php    |  101 +
 .../V1/AutokeyClient/get_iam_policy.php       |   72 +
 .../V1/AutokeyClient/get_key_handle.php       |   73 +
 .../samples/V1/AutokeyClient/get_location.php |   57 +
 .../V1/AutokeyClient/list_key_handles.php     |   78 +
 .../V1/AutokeyClient/list_locations.php       |   62 +
 .../V1/AutokeyClient/set_iam_policy.php       |   77 +
 .../V1/AutokeyClient/test_iam_permissions.php |   84 +
 .../create_ekm_connection.php                 |   80 +
 .../V1/EkmServiceClient/get_ekm_config.php    |   73 +
 .../EkmServiceClient/get_ekm_connection.php   |   73 +
 .../V1/EkmServiceClient/get_iam_policy.php    |   72 +
 .../V1/EkmServiceClient/get_location.php      |   57 +
 .../EkmServiceClient/list_ekm_connections.php |   78 +
 .../V1/EkmServiceClient/list_locations.php    |   62 +
 .../V1/EkmServiceClient/set_iam_policy.php    |   77 +
 .../EkmServiceClient/test_iam_permissions.php |   84 +
 .../V1/EkmServiceClient/update_ekm_config.php |   63 +
 .../update_ekm_connection.php                 |   62 +
 .../EkmServiceClient/verify_connectivity.php  |   76 +
 .../asymmetric_decrypt.php                    |   88 +
 .../asymmetric_sign.php                       |   86 +
 .../create_crypto_key.php                     |   83 +
 .../create_crypto_key_version.php             |   85 +
 .../create_import_job.php                     |  106 +
 .../create_key_ring.php                       |   80 +
 .../V1/KeyManagementServiceClient/decrypt.php |   85 +
 .../destroy_crypto_key_version.php            |   98 +
 .../V1/KeyManagementServiceClient/encrypt.php |   92 +
 .../generate_random_bytes.php                 |   58 +
 .../get_crypto_key.php                        |   79 +
 .../get_crypto_key_version.php                |   79 +
 .../get_iam_policy.php                        |   72 +
 .../get_import_job.php                        |   77 +
 .../get_key_ring.php                          |   72 +
 .../get_location.php                          |   57 +
 .../get_public_key.php                        |   83 +
 .../import_crypto_key_version.php             |  103 +
 .../list_crypto_key_versions.php              |   83 +
 .../list_crypto_keys.php                      |   77 +
 .../list_import_jobs.php                      |   77 +
 .../list_key_rings.php                        |   78 +
 .../list_locations.php                        |   62 +
 .../KeyManagementServiceClient/mac_sign.php   |   85 +
 .../KeyManagementServiceClient/mac_verify.php |   90 +
 .../raw_decrypt.php                           |   84 +
 .../raw_encrypt.php                           |   88 +
 .../restore_crypto_key_version.php            |   86 +
 .../set_iam_policy.php                        |   77 +
 .../test_iam_permissions.php                  |   84 +
 .../update_crypto_key.php                     |   62 +
 .../update_crypto_key_primary_version.php     |   88 +
 .../update_crypto_key_version.php             |   73 +
 .../v1/src/V1/Client/AutokeyAdminClient.php   |  479 +++
 .../Kms/v1/src/V1/Client/AutokeyClient.php    |  568 ++++
 .../Kms/v1/src/V1/Client/EkmServiceClient.php |  635 ++++
 .../V1/Client/KeyManagementServiceClient.php  | 1374 +++++++++
 .../Kms/v1/src/V1/gapic_metadata.json         |  350 +++
 .../autokey_admin_client_config.json          |   75 +
 .../autokey_admin_descriptor_config.php       |  142 +
 .../autokey_admin_rest_client_config.php      |  203 ++
 .../V1/resources/autokey_client_config.json   |   85 +
 .../resources/autokey_descriptor_config.php   |  157 +
 .../resources/autokey_rest_client_config.php  |  199 ++
 .../resources/ekm_service_client_config.json  |   95 +
 .../ekm_service_descriptor_config.php         |  201 ++
 .../ekm_service_rest_client_config.php        |  256 ++
 .../key_management_service_client_config.json |  210 ++
 ...y_management_service_descriptor_config.php |  478 +++
 ..._management_service_rest_client_config.php |  509 ++++
 .../Unit/V1/Client/AutokeyAdminClientTest.php |  638 ++++
 .../Unit/V1/Client/AutokeyClientTest.php      |  761 +++++
 .../Unit/V1/Client/EkmServiceClientTest.php   |  948 ++++++
 .../Client/KeyManagementServiceClientTest.php | 2573 +++++++++++++++++
 176 files changed, 36596 insertions(+)
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/GPBMetadata/Google/Cloud/Kms/V1/Autokey.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/GPBMetadata/Google/Cloud/Kms/V1/AutokeyAdmin.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/GPBMetadata/Google/Cloud/Kms/V1/EkmService.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/GPBMetadata/Google/Cloud/Kms/V1/Resources.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/GPBMetadata/Google/Cloud/Kms/V1/Service.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/AccessReason.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/AsymmetricDecryptRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/AsymmetricDecryptResponse.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/AsymmetricSignRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/AsymmetricSignResponse.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/AutokeyConfig.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/AutokeyConfig/State.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/Certificate.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CreateCryptoKeyRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CreateCryptoKeyVersionRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CreateEkmConnectionRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CreateImportJobRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CreateKeyHandleMetadata.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CreateKeyHandleRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CreateKeyRingRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CryptoKey.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CryptoKey/CryptoKeyPurpose.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CryptoKeyVersion.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CryptoKeyVersion/CryptoKeyVersionAlgorithm.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CryptoKeyVersion/CryptoKeyVersionState.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CryptoKeyVersion/CryptoKeyVersionView.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CryptoKeyVersionTemplate.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/DecryptRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/DecryptResponse.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/DestroyCryptoKeyVersionRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/Digest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/EkmConfig.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/EkmConnection.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/EkmConnection/KeyManagementMode.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/EkmConnection/ServiceResolver.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/EncryptRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/EncryptResponse.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ExternalProtectionLevelOptions.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GenerateRandomBytesRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GenerateRandomBytesResponse.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GetAutokeyConfigRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GetCryptoKeyRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GetCryptoKeyVersionRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GetEkmConfigRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GetEkmConnectionRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GetImportJobRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GetKeyHandleRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GetKeyRingRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GetPublicKeyRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ImportCryptoKeyVersionRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ImportJob.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ImportJob/ImportJobState.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ImportJob/ImportMethod.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ImportJob/WrappingPublicKey.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/KeyAccessJustificationsPolicy.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/KeyHandle.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/KeyOperationAttestation.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/KeyOperationAttestation/AttestationFormat.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/KeyOperationAttestation/CertificateChains.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/KeyRing.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListCryptoKeyVersionsRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListCryptoKeyVersionsResponse.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListCryptoKeysRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListCryptoKeysResponse.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListEkmConnectionsRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListEkmConnectionsResponse.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListImportJobsRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListImportJobsResponse.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListKeyHandlesRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListKeyHandlesResponse.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListKeyRingsRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListKeyRingsResponse.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/LocationMetadata.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/MacSignRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/MacSignResponse.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/MacVerifyRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/MacVerifyResponse.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ProtectionLevel.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/PublicKey.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/RawDecryptRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/RawDecryptResponse.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/RawEncryptRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/RawEncryptResponse.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/RestoreCryptoKeyVersionRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ShowEffectiveAutokeyConfigRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ShowEffectiveAutokeyConfigResponse.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/UpdateAutokeyConfigRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/UpdateCryptoKeyPrimaryVersionRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/UpdateCryptoKeyRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/UpdateCryptoKeyVersionRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/UpdateEkmConfigRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/UpdateEkmConnectionRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/VerifyConnectivityRequest.php
 create mode 100644 owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/VerifyConnectivityResponse.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/AutokeyAdminClient/get_autokey_config.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/AutokeyAdminClient/get_iam_policy.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/AutokeyAdminClient/get_location.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/AutokeyAdminClient/list_locations.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/AutokeyAdminClient/set_iam_policy.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/AutokeyAdminClient/show_effective_autokey_config.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/AutokeyAdminClient/test_iam_permissions.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/AutokeyAdminClient/update_autokey_config.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/AutokeyClient/create_key_handle.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/AutokeyClient/get_iam_policy.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/AutokeyClient/get_key_handle.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/AutokeyClient/get_location.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/AutokeyClient/list_key_handles.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/AutokeyClient/list_locations.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/AutokeyClient/set_iam_policy.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/AutokeyClient/test_iam_permissions.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/create_ekm_connection.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/get_ekm_config.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/get_ekm_connection.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/get_iam_policy.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/get_location.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/list_ekm_connections.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/list_locations.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/set_iam_policy.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/test_iam_permissions.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/update_ekm_config.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/update_ekm_connection.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/verify_connectivity.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/asymmetric_decrypt.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/asymmetric_sign.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/create_crypto_key.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/create_crypto_key_version.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/create_import_job.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/create_key_ring.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/decrypt.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/destroy_crypto_key_version.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/encrypt.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/generate_random_bytes.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/get_crypto_key.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/get_crypto_key_version.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/get_iam_policy.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/get_import_job.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/get_key_ring.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/get_location.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/get_public_key.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/import_crypto_key_version.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/list_crypto_key_versions.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/list_crypto_keys.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/list_import_jobs.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/list_key_rings.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/list_locations.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/mac_sign.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/mac_verify.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/raw_decrypt.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/raw_encrypt.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/restore_crypto_key_version.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/set_iam_policy.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/test_iam_permissions.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/update_crypto_key.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/update_crypto_key_primary_version.php
 create mode 100644 owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/update_crypto_key_version.php
 create mode 100644 owl-bot-staging/Kms/v1/src/V1/Client/AutokeyAdminClient.php
 create mode 100644 owl-bot-staging/Kms/v1/src/V1/Client/AutokeyClient.php
 create mode 100644 owl-bot-staging/Kms/v1/src/V1/Client/EkmServiceClient.php
 create mode 100644 owl-bot-staging/Kms/v1/src/V1/Client/KeyManagementServiceClient.php
 create mode 100644 owl-bot-staging/Kms/v1/src/V1/gapic_metadata.json
 create mode 100644 owl-bot-staging/Kms/v1/src/V1/resources/autokey_admin_client_config.json
 create mode 100644 owl-bot-staging/Kms/v1/src/V1/resources/autokey_admin_descriptor_config.php
 create mode 100644 owl-bot-staging/Kms/v1/src/V1/resources/autokey_admin_rest_client_config.php
 create mode 100644 owl-bot-staging/Kms/v1/src/V1/resources/autokey_client_config.json
 create mode 100644 owl-bot-staging/Kms/v1/src/V1/resources/autokey_descriptor_config.php
 create mode 100644 owl-bot-staging/Kms/v1/src/V1/resources/autokey_rest_client_config.php
 create mode 100644 owl-bot-staging/Kms/v1/src/V1/resources/ekm_service_client_config.json
 create mode 100644 owl-bot-staging/Kms/v1/src/V1/resources/ekm_service_descriptor_config.php
 create mode 100644 owl-bot-staging/Kms/v1/src/V1/resources/ekm_service_rest_client_config.php
 create mode 100644 owl-bot-staging/Kms/v1/src/V1/resources/key_management_service_client_config.json
 create mode 100644 owl-bot-staging/Kms/v1/src/V1/resources/key_management_service_descriptor_config.php
 create mode 100644 owl-bot-staging/Kms/v1/src/V1/resources/key_management_service_rest_client_config.php
 create mode 100644 owl-bot-staging/Kms/v1/tests/Unit/V1/Client/AutokeyAdminClientTest.php
 create mode 100644 owl-bot-staging/Kms/v1/tests/Unit/V1/Client/AutokeyClientTest.php
 create mode 100644 owl-bot-staging/Kms/v1/tests/Unit/V1/Client/EkmServiceClientTest.php
 create mode 100644 owl-bot-staging/Kms/v1/tests/Unit/V1/Client/KeyManagementServiceClientTest.php

diff --git a/owl-bot-staging/Kms/v1/proto/src/GPBMetadata/Google/Cloud/Kms/V1/Autokey.php b/owl-bot-staging/Kms/v1/proto/src/GPBMetadata/Google/Cloud/Kms/V1/Autokey.php
new file mode 100644
index 000000000000..ef11d5b06ac3
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/GPBMetadata/Google/Cloud/Kms/V1/Autokey.php
@@ -0,0 +1,65 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/autokey.proto
+
+namespace GPBMetadata\Google\Cloud\Kms\V1;
+
+class Autokey
+{
+    public static $is_initialized = false;
+
+    public static function initOnce() {
+        $pool = \Google\Protobuf\Internal\DescriptorPool::getGeneratedPool();
+
+        if (static::$is_initialized == true) {
+          return;
+        }
+        \GPBMetadata\Google\Api\Annotations::initOnce();
+        \GPBMetadata\Google\Api\Client::initOnce();
+        \GPBMetadata\Google\Api\FieldBehavior::initOnce();
+        \GPBMetadata\Google\Api\Resource::initOnce();
+        \GPBMetadata\Google\Longrunning\Operations::initOnce();
+        $pool->internalAddGeneratedFile(
+            '
+â
+!google/cloud/kms/v1/autokey.protogoogle.cloud.kms.v1google/api/client.protogoogle/api/field_behavior.protogoogle/api/resource.proto#google/longrunning/operations.proto"¨

+CreateKeyHandleRequest9
+parent
 
(	B)àAúA#
+!locations.googleapis.com/Location
+
key_handle_id 
(	BàA
7
+
+key_handle 
(2.google.cloud.kms.v1.KeyHandleBàA"N
+GetKeyHandleRequest7
+name
 
(	B)àAúA#
+!cloudkms.googleapis.com/KeyHandle"ÿ

+	KeyHandle
+name
 
(	BàA:
+kms_key 
(	B)àAúA#
+!cloudkms.googleapis.com/CryptoKey#
+resource_type_selector 
(	BàA:~êA{
+!cloudkms.googleapis.com/KeyHandle?projects/{project}/locations/{location}/keyHandles/{key_handle}*
+keyHandles2	keyHandle"
+CreateKeyHandleMetadata"˜

+ListKeyHandlesRequest9
+parent
 
(	B)àAúA#
+!locations.googleapis.com/Location
+	page_size 
(BàA

+
+page_token 
(	BàA

+filter 
(	BàA
"f
+ListKeyHandlesResponse3
+key_handles
 (2.google.cloud.kms.v1.KeyHandle
+next_page_token 
(	2´
+Autokeyë

+CreateKeyHandle+.google.cloud.kms.v1.CreateKeyHandleRequest.google.longrunning.Operation"‹
ÊA$
+	KeyHandleCreateKeyHandleMetadataÚAparent,key_handle,key_handle_id‚Óä“<"./v1/{parent=projects/*/locations/*}/keyHandles:
+key_handle—

+GetKeyHandle(.google.cloud.kms.v1.GetKeyHandleRequest.google.cloud.kms.v1.KeyHandle"=ÚAname‚Óä“0./v1/{name=projects/*/locations/*/keyHandles/*}ª

+ListKeyHandles*.google.cloud.kms.v1.ListKeyHandlesRequest+.google.cloud.kms.v1.ListKeyHandlesResponse"?ÚAparent‚Óä“0./v1/{parent=projects/*/locations/*}/keyHandlestÊAcloudkms.googleapis.comÒAWhttps://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/cloudkmsBT
+com.google.cloud.kms.v1BAutokeyProtoP
Z)cloud.google.com/go/kms/apiv1/kmspb;kmspbbproto3'
+        , true);
+
+        static::$is_initialized = true;
+    }
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/GPBMetadata/Google/Cloud/Kms/V1/AutokeyAdmin.php b/owl-bot-staging/Kms/v1/proto/src/GPBMetadata/Google/Cloud/Kms/V1/AutokeyAdmin.php
new file mode 100644
index 0000000000000000000000000000000000000000..947aaed125acfed891276928647c4642d5124313
GIT binary patch
literal 2547
zcmb7GK~LjG6mG(TmZ7Y`s0z)Yopq@Q6l^8CYE`pz<s=5By9*Hns$E%%CeAo<aXhX)
z25nI;{R?~OKk2Ras>kh(Qx84$C-l^rv7Jp=XB9Yv*naQL_rC9YFMjgW@B82jc!)h5
zAd0)N^BU4VhJHXOv4{&hk!|AuT4dlmE)En3>&NiuxCM=RqxF!bh9n9stic{3Jr}E%
zOQNoNF$mSmvWg-~F7WF%>JA)F5j6qu&;W-%vM@YsR$pL>x`-n4P^6nRo^C!Hgywm9
z4*<(WVF>lOjLxfoYXI4wA9Y;Ef+0ne{o8QDw&OX}L9X*NYhoYT$PF<o@P4cvc@}ku
z2YJG=XW`NojBE1P4WF>4_hE{s$$4NLm<^BOz(cNC$DtKCJ|#hug=$(4(-C|8PH8JS
zmX~vESc)-f+It}PAq^rtemaB!rcvPS3EaHEaP-a0U`zKMQ};Z=Ss-4hY43V^S7KUX
z&2_Lx@0N4mV7FVveRS!N;BKiWIC09%AV=JbQ(vI)BKt(4+3t5vqLAM0js!Vio-K_i
z<b-a5-<E;7Iip*pwKz}_wpN&}mCJImkYpp@VSeW<#@;S|KK8)oRJA(^S4qI9V*x=z
zNb)EhATcG(acW#(z}k)@<Tp7`JoDMK;A9|b#Iv2=3H~X<A(ftj2kE?7;=y_j=1NNy
zS;^=@nJ7`6`&-XTkHJzT%D4HU>v@q~OtVv5%18~7C7*-BA*K`MQbc>;9v^mrW3jr+
z&iGF^H^G;JOwMHtjL{e>Y{94#MdaV}V0q$>v^r6bVZJY|gC)LT7`Pv?MFr+Xjw>fU
z0rPzF@cKR0$Ad~K?PFZYNfwk-9?!GqSXcAnO8Nw>p0@Os(LOsmZ5p-4LBpu8d?W#|
zpx0WBb7LhZ6~Njv<7K;fa{RqfYqjgfbECzA@(l0t*-_)D(Q4?=8?V@{InDW3w`U|k
z`phP77YCtw9e)|7`!v>lJC!@W3@ghh-jngQ+y@U&`{c@C`<pGi%WTusz=Dqg=HNu6
zM?$1s@Rgt`wdeqOsK=K7Exp))a@OT<f&8J9LZ9s>EUisS#m%```C}e@oQN#eyYw~(
z)-p^kshRp^L?-4d&R~1lzR`;bY3+DscE%>)m%sjbldo0E{Fm%{GECvV-cR+}o)l)N
zrOG5lrC)Pk<@S(BJDDBb4!cV`<r`fLoB+Nd$pZKXk#f3=)3uYn&crx9Aw~Pmo%3Ro
z$h8|iF{EhXu~ZRF#2(#G#ynKFhgvw*+eP}PUYN3D-s(T}DfL55Rj;nD5|pC_#6<4L
zZ!o*Qi>OV4!Ol$KY?)PGf&yD&S&dg$$1TpLhLUFP)mFTT(&fzdUyq0vCkBT(j+OK~
jd*ZXRz#6CI(dOuvY$two7<<#0`j#Og<F|n!7y|G=_A+BM

literal 0
HcmV?d00001

diff --git a/owl-bot-staging/Kms/v1/proto/src/GPBMetadata/Google/Cloud/Kms/V1/EkmService.php b/owl-bot-staging/Kms/v1/proto/src/GPBMetadata/Google/Cloud/Kms/V1/EkmService.php
new file mode 100644
index 0000000000000000000000000000000000000000..44bbb50c4508a40f8c196dc879a037567888e021
GIT binary patch
literal 5224
zcmbtY&vVm86s{ZyWW&!*n;#wu!oZM(U{72Mt<#iI9Ft)ZCn*VO>3BvX%j-mqEUD7k
zG);Zs(Eb7Rf9OoFy>xo%p_dN5wYN;C!!SKD{R=qt?P{e+wgL`t2%7cVr|*65y>FlP
zqub7wgD%Mn#3HUnNlmWq$aIUyj%!m}w@ta)tk;Pv>vqF2OyXu`d45G+URjq*^LN)T
z!dB02x;iPyo3_1alALbZ&021|;pJM>IkMeQJ>s?uon*O3ge<K=JV(=sys$b~CRD3w
zRI4oT&6OhCTv=>*m5u2cgmhE$Jh`;pSo3|LT_nRlr&%=(UG}I(;lIm<ry7<)4b3#Z
zh5%;ex@LL=ws+gso0d)u+mhLa6-y`M6SD7<*<N;R2zXWw(5x~JApXi-ixSt;%*s6R
zbk}gG?XH4pp|DA4$Q)Z4pAfHQ?u@!T?qe(zx<Jm#)NPXJ+hy4$wCP$i95-{&4xcIs
zTq%xGQ7p@5EZCM;DD20y@8Y11MbjV_J=~r<1~F@MWJ_xqwtKj(_lT&Ho<WA(^S72Y
zZ@c$5hI`iys5PoJoaDVc-`77jM0S;0EllPesP*xXewK`@=)a5TN>4?OhkUav?}aS%
zLbf%X9ua#r$ABhb^!qK5z7YAL&Nx=9f@EPZ7BO%Ilj5hK>v(fPspfnK4dAQ8duTxe
zQhbBVPZAniGCT@xR<tdP@CNbjkuRIT9sUsYJDLk%M<rPrADEkXs-#{hm(WGi*8RfE
z`sg4mFAFM>TM|FuVKm@qn?&`XEk{$Z`{-QXQ$@lf2=R4lZxd^@kGthR459wIVM42o
z9@$@f2OYQF8gbR?&gju_IrFWA(n+X22YP|v8FZRykG>xe;O`qB%x47LSZ=bh*a6^a
zi+n}Z2ucQj0AqwG^qc92#E>7&Y@m?^5+^U<ZU!A;YA2Yx&Y7!RMOS!Pu&U@_E`}oW
zGelT)35arRJ#hX8i8+tX#>r8Q8c)ywOHc~mMyKMx^Cb1e9e0p<4AAd8AneJ|yZy7;
z>fJxSfd-r0y~+xmLm$kigUkk%o(-kLN41QG!c5hT&49>Tu`Gr4{qiKi{>*n08jeO8
z^N9q5u*ma2m_Hxji>iXCJh1Yqf4#_lO`*Xeaj8)^peYG{8y$1ChbnXpfA<OBH?$YD
zvPb+}A7_hw7#0oBYl3Cih<$9o*Q|a4Qn25NeRvYRD^^vFb*TmY-y&+w@>G7PLwojt
zLU6YqKnvLvgsg76L}ijQ+Rt;`ouyEu{hhbaDYjFq!yEjK$9mhCMkis^fGI$=nvE(1
zbR6~xI2RE1wzT~FH`TgfZ4%dULG(ulLW9h+qv&L;&G6Y+S@57BIXZ7h9~aYvq_XP>
z=pH&NMj(}mx7i}D2V^rb%D<!}gb-)N=)+D>wv~}2F>o+BZAJtUZ=j)VvI7laf#x<q
zu+@fL^I1QYztO{s7RgRI++2pe{;NPNbaw|v9+gjRAc}Nrl%<4IE2aOD(CH40_#PSy
zLarGul#%W31aqKJ!yH$`2~@c%EJH&9H9Sv*b9@dY-Kse@WDc^(j|r~IK1?_!wrr1b
zy$vflh3C)^^ADw@@AroXRn6#^6IqEg5_6r(tf8}A+~7;-!eZ%xT2_{og;Ke+ysnm4
z=1c1R<+asP@$Q|wrTH^&!Ew<K2KSYvGZH?D28v57_vh8c^4ghH!F#SaJ)Q)30Thij
zqnFziPwiZI{N{Fp$2J?cBS&~{H?HFC%<mE!@T(jIC#k~AXt+k|TGOOze6Khj;0%*q
zC_SHHg$K`-4RrC9Qi`V!7a^d}e1^t0pxx^`LBuVC?gX0tW+(4ClumN(j~4mA2N41i
zgR=ZZLb!Vn!P&&x>NXUJ)487QeHfYIo+2i*M}PhMICTT(*$3CIKdjA$d`?CxWwNtE
z@DCC?6P}4eaqv_kluok%cn<?rM%h#NBosr+TJ->&orOHv#!n?QlrRn9WZn`i4}+KP
zL5=%NPR08GCZ&!Q9@Bj0HP|n7Oj-CD#26hYf`lZ;m|%IB7+ZTvIv(3pWTxU#t>qP7
zQ*pEGp%T{><o6Of5!Mouq4AfO8<+%Py<&pO6ryEz9be<%UyT;t(8j;PF&1T%A-k4{
zti!5TaQdDyEQkc(U0l!SZ$`NWlOA|x$P1B46aN8X)Gb{Hh*7s;5KD5wCD{uxT8}cn
zfJ;3xAAD@)CfkKpmzbyN6J_Lpv*S<Y(=AFJuaL_<eE3l0DI6KJCf)KcqOLopMqvhR
zO!Z_AA7yioQfLIeW0P_}ce)e`|0=s2T9rPZ@W*-oQ;vTCZ`%C&3($ZdgGZ-2!~g!6
z8d~7jT-hSK=E^R@7vRS9lVG(XZol~T7u<h6SH3yKbo5E6_^+4|SU>Pd4yK9lxt$YJ
l7%YmXcC{Z|Qv1ED;WfyVe`giB;yUnpi(C5FP;Jyk=zq6|?D7Br

literal 0
HcmV?d00001

diff --git a/owl-bot-staging/Kms/v1/proto/src/GPBMetadata/Google/Cloud/Kms/V1/Resources.php b/owl-bot-staging/Kms/v1/proto/src/GPBMetadata/Google/Cloud/Kms/V1/Resources.php
new file mode 100644
index 0000000000000000000000000000000000000000..0684ba4e7ddbfd035c8494963531af111007e3b1
GIT binary patch
literal 7700
zcmc&(Uvt~W5f4RK5?8VeK~797u?^AxWW^>;`cECINd_VziMA-907b>ACN~fWNw7(R
z1A<DFj2=4Eet^EVeeQ!h)0s}EU!rfF=?Ca^rZ4#jed^vF08$iWDRE}%2MfHt-M!n}
zKfl}i`RASe4&0Ph?Y8ZizTJ>^4kdrzmO7s6yO!IOc6z(JwkKI`tK&3nFDpr9RoYN%
zl2WeJ=8?7Q_B_ijN_(!m*R*q1)9p2KuUp;RK|bf%oZ8JYc>ry*Wp_KKWlO8ta@F?D
zhUuHztBiHKL|M0Aw7T2%{1SlGG`n3%4@JOtAmP7GZ>Q;4Qr9<q{Bz6c5~uC>j@fj+
z#npc*?V8Q5joc^a?)KW2@3?J=GN^6KUbrW5nRM>0j*GkfR0<cPQ3K%Sw<~Sm_S$B1
zyKHwY&*}KCr{UCManJT6v(b@-dx2Ui&e@d~_!^7F6N~&*^1Yrts9lmg+wXbpCAMxV
z;3)dqjxm+oakf_+yV+Q__ss*x^@_#*uKGewV-1aZey+$I<sSM8TJcA))*L*1-)wb$
z1n-t-b~?7#jb~+t_uw-pI4Zf(h)!k&y>=n8CAI8b_{S5tc@B3KXZfTo^XV-5boL-W
zcQxQNJ5J=^+`Z?n2PEd~=sUSaV61?CW0>xT7CBA8*TJ?qJ@dB&jK8oCb*H^2&cG;*
zrgTC|EToo`|B{p9W0<r&8^f4T!RZmCOcv&{!7jp8WutRoTt)MH`75}=_DHwLXXEa=
zSq%DIsBQ__U)h%5&3zYq9p##?#e4zB!q21JYrZ}l!!P3DQjapfoq$xyJH*&Qad9hO
zg7J>$v`p_XSoQ62)q}RrMl$N?3h0D<+X^!GypG$o(@EU&bRqY4=Drw>vr#b@hOKwu
zT-Fnxg4njd@d>62W(#im@w1pw+ogyF9oumm=?TVkHC%jjUSY_sy(g}MaKN`te7n_Y
z;#sFB8QX)9?X3o@1x#WQ#+v4i-R!18N}`u6zMVb0&L%5u-#Zl3FzK{9uICfC-8@WR
zMEw)ogv&73z!3M`L(;YO?MAO@H%J%+>FG1}$7S3G(PFMbsQ>Jk)@!@nNMAzU)N%^X
z>A!Lk5{se<5~Z7#Wp}&eRj=ziyH4Paq~l_ZI84tlg@xFyp(DzS_xUkajd9YIB<3E#
z<lwd^A&DA!yond#!hzZB@gPeTN1i1zze|7+IcVTnVg|04^p{#qB`=hhMBCIg)lkUh
zhM_5?%1T8k3-5`ua7o!<vq)KCe}x1cl#Q3ws#4P{C1O-oH-rn~2Otg%hLgv{D=@3e
zTVz<uxHt~Us$3FM#qYkCzk&JFf;?KbXuLz1=lHpyWij~sXLz(c3p0_ghklXyYXZ`d
z-XNYM_xub5>i(E-Fv>~OKCqk2@Y97`v8Sm;lh^57aSKvrbI<i0f4>zZh0kLdhgZ<g
z4Z)J+Pz?2nk<4F`a0NH0V#u;^mwlhsG`dXDfU#ZIYngs}6diB6@L8<JQ@FDOl2(`$
zsxT>DhH=Zqy4Lp7G$T#%(JwI5+Zce>zUj2P=`rT$KTKZ<`FY6LB_@SQo@>C&2?{P^
z%0igYYZ0ooi${@MNQqZrh8GKBnO-9xjWE)6_#hy4OjN^8k+UW#J@Xo7PVAS)id?HH
zMoq3&)D5zt>Q%Wm6f0@CT$1aR%_^zqNlC40x?&g@MM=y`5v4Fl8O{7^b|5f=V~s09
z&*1_+%CL$o#U9_84r5ReVkyRfX;C<*1M^cp=EcCce+n;7iYqW__8m7UJojVwdy2dA
z1r7lY>h@;?4lJ1$_k#Ndua>-mods0HComOO7lv=nS)rFe4B0R@w0*9Vhs>EeuK)zK
z?v=a4Dp((D1q8MhTA$9b^$ffpaP68-v*+0a@mkkyrv>B>B;SFnfq7`|8=5!UpZ5@M
zBJf~$6T&vw<JoeE<8q(lE0~WshSMu?J2XnWLD75^>kLYuZz$cWoK?JzdEO58XE&Wa
zXQyeWMbyvWK{E62akx4hKT&=a@591CsjMryL9>9ozN+e#+FEre5!`?eS5<X&T_OD{
z8Pq>y!vcB<CS}DS`NA`@TB-{7!hyn*r)*$09H28w%Oznk9H2Akz{lYLn^Dt+`{4ka
zfddc3k07lZGON!-GYnFA`1lzy)?}O^jGUl8dib+KNKKxgK7RPg(~vrPD)mXeAY4LI
z&-L}bC>i-<nlHrA2X&9d&<C}TzlBcq3*v`xCDKo!hZe0t_~;ZOU4U@y6e86wTo)zy
zh>8u64N+x9JGQZj*cpRcOU2F@+#I}h2HoCFxc%65<b~U@^l%k<;Z7_)Tti;izDp6C
z!eJfJs5b>JGj)vc=-FdRz(2x8>JK4@p_C}oi+sp-gJH-(o>DG6d6NG`SfJjzhVU<(
zB_V1}g#&qEevnReWCjPQ9c~T|6bg@pTjD%iQ@*Gv`i8t7A9!Ns_apHBaFp|+xB$0e
zBAnLyVMvTXS5r31m5o)hs%$7aLj(wbCt+OKkeAo7;wQu@m?&2a{%eHpt&G?~S6?zX
z@IK50KZ#LVQ_7o^XH*nnIuu-~YN}on#t;fz<lkgPuFz@YB69cjhQrMHLhi^4Ov`48
zLKYz<Vp@u$gd!kQL6{QWgaa&6ckHjl?YnR@#yItgvNe?XCSY`BbA4S%6yGGim;ac6
zg)?D&2ztK7tp8&#@u#8t{&=9}82Bd#{JMIS`9l&?8f)Gmq`-qrcI;MgnbHT*I_+9a
z7v2@;h&cdMKrGLCRIu0;V6yOGSk!3oqs_f6Hus)BuG5PgdK2%bP!N+6<1Qc+Z=4gq
z75|J!^CofnjjL~oUnl;5hmzynR6LN(Ke0tqVYm9{?oK>9z8IADmhJCjyMiCo$DvJ+
z^&KKfS^kBsUSwGw!z&bRwXDRT<J9@B8_5~MpS1gP4iI(%f1VS!qBi@Rj)S1>hrrJw
z%miEm=#zr^bF5SjZzL40P8Z^PJj1re^JD3jL-Y#90gF1?PD%5=)Wb8*j5S-aaThr$
z7xfd}8s;RJIicZLLdg6l0aJsHBVL26L5jwP$eLOnN{Im)VsIfU!-T>=io+6NIcD^z
z3`g{l5D*;Wr&T$WkUTaclrT7Bl-@rnbQzX`MQe~Uz$=VpESQc?kC#XUK*2_ztIOp4
zr7<A_jLBGq>I&jcS|-2HDmtx%XS9AI{qNTLal+Jr*`I$Cyf7VQehJslxHP0eh%P1Q
zqNL|JL0Px~SM1lA!rgW|XarGu$MpAE?nz~K;2Nf`)7yBW3?G=yru#K^A%jLCzi#mk
z#&lsmHW0W#on6cpU%{oJ+Ya>wO;>9QtNCPIsVnP4{)ouLP*-YOvaX=_VH0l6sN%8U
za0m{tVIja&_>0uFk}$gXrzA`bDyRKEU6BpE1|9DhqQ93mjhb3jbW+)<)GCOe%EZ{z
z7@|o~tQcI52B?Z&uau~FAhotu(aS`W_1a5PmTNN6m0xTkdctKPvOmGAD-?$ye8M=4
zQ7o5A*o8q)zYX&zc#W4vO{o%93sD?zSMqJ)Ln1*>MN=}^bq6w4waogW<a9j~Vip#o
zd1ot3F>n>k!+w#bZeR}<Te5hHWscnNnyDZb1aT4WM2h82Of`DtOEm44s=ruSSGS14
ztcbW&m|Xr%0<Pc_Nt_QY&)_p=_{!F$4&-WyFYoah8NA2P*Ofh&J(c2X3%-`(>q}>6
ziT(d(WOkK3ie^jnQ8bIvvi1Dm!_n>Ft&}~M;%n*77(+CV?nVz?_xTg!z>8#;b}6lx
P*GM*#zZo9E5y1ZdZWu)I

literal 0
HcmV?d00001

diff --git a/owl-bot-staging/Kms/v1/proto/src/GPBMetadata/Google/Cloud/Kms/V1/Service.php b/owl-bot-staging/Kms/v1/proto/src/GPBMetadata/Google/Cloud/Kms/V1/Service.php
new file mode 100644
index 0000000000000000000000000000000000000000..edd8f8bcd703e721811fef1e0e61e4b432476348
GIT binary patch
literal 15249
zcmd5@U5p!774A6A#=g7xyPIS;n?GlgG@G!o6DMg}hopFu=CAo#rTL+ii#u!I^-kCJ
zxHIETw`B#QRJ<Tjsc)c4hzEp_DuD#N@Pc@w2oOIK(mtRHRpJd*JeBeQ=l;%&J!6l(
z4$y}*8J~OSJLi1oo-^mneEzxSViO%oUnLD<8!oA&=U3A1B1t!G%eBf@Ej`~_SRi(~
zY}K1)jo6uV`tqIh?K}6<&tJZN?;tF7td?CS`E=E?sx^`=*Q{10yHt0w%crsqv6sy<
z$*|oJY8Z9mG>tMzU!9x1MO>p|xJL0RTUfkA7ZzWrJH-d5&LdQ=8IF^Fk#B(BLTUJ~
z*_yAJ<+S4(F8uGX>6FZd>6%8(d=rpgNG}*QhrrrS*@af4?3z|1O&8p0l*#n5G~biT
z9&TEo>4mg}GDnpM#f#S)F0mU%t$3L@W!r4JmOTfe`FxeQ%4GD)^f7T;x}CX@p5_?y
z`3{g5(yrYi{=28sHgQ{a<2=JnH&|7FD~1@V&@_vMM#G|3uo_N2@9E@i5w-AA%_I%C
zzcp7(Qmf38MPu2t?EaSCC4wHYLHcP>l*{{2Qu&UdzGXN|@e!-F4{f8_BzDAY8C_0X
zGzB>dm5SoR6^M~(<vr@lqv+2TI@mKf@HiLAu=vS9{A89-O-+b(M$?4AqMqZSG<CrD
z!vb|rX<qn82<-L=*un|or$geWK%`0;M+nJqW|0e_kmYx&gFS`BezA>`cqEL*f7d_I
z(D+T$abF-Scg;rCxl3Me5y!>PqLHRygDR6+TANPI9{Z?}_^faU9jsYp&gcx^8I*Q1
zaPDMpiXZSUlxiAPQgR^PClj!G<Lriy3L2h3h+TKBCDNGOz_w*SjH8hSvj#Cd`J{Jo
zCrVm&h1jL}mC23jvi@%k?WA}w*((s|fLb9w*M_)wltDg-4lol^U$r3?I`<EF4vj4X
z?;x&A%O-imU~kFg#r^?uWE9W`d_~8F2e1S7OyKE?{U#XkOz_nN+8Z!|*jZU3(sxmY
zP#F6+#WnQg|G)&mTE>Fw^`>RJH>`Q3`+t!Ip3i#I)<rvlQRXxuDG;1RsU@;fvT5i+
zq-~fU&Fu}Pk>u(G+S(v*xFugC(GW{vjF1b-rpCjLM%PCDO|&aO6tI%G?`bqzW)W0^
z+sixe552QTj=t{wu7>snZtk&EV3<YY9)^+#D2e4rcPwHvI8*vJho3Z_IZQ^S(rdsa
z;fQc^sMY=5`v%&6mB>?89<pcAleE|pM{Mi^OTUfAVKe0zx!t+IcIw3L8TERxh^G7-
z3hT;!F9!BK$&S_IXu9XVVjKNFgFDB{Lds*2V%EDYw}SGA+_q0EsP+1HHMHZBO`yIO
z!6tW%JWqS)!bvm=0mkCHWL8)<OwnwZz^74C{=#x$kHBY(^xtS`7l#<){9wY4%_cmB
zHv8f*i1Hki`0AVxIK$&Y0pjW%LHnE~vnfk|8Q!HbH83PjmeZ5^_u!OhQ>cx6k;d;y
zKYRsY54=Rcd@!1ecfN3|f097^I8Bt2!vlFU6eLgg5Ng_Ig+4+JKSU{`R<&%?U92-r
zx8$CSb&__JB?Y++_a_u@raB?LIxT^L;k=}*&{Q&+gv2vOmuOf=<F;dz4C0jh612eK
z64#!X-Gz4eek;`>_-uGm)W5HYuHsWh<KP({i0<jo7LGu4@3*c*SAaM<z5z(@H{lVP
zC~|m6{lP=)=+RuP;5mavTWm`(h_fUZJ0<-nOZkj?cH&6hhgfPu(nizpfZ)LT2nakF
zzPB}WxDDT&ZPpEYr444EC%CdZFm7jOzy}?zzl!!lo4~cL6}7JI_Up|{a0jTfpb6nI
zV#s&+r-rsX-(adru1y4Tbc*HZ4M;oAD*Bp1pMu|T8IxG-CGc^y&!|+OFJnRHq-3<9
zoz#GS4ec(KXv2rafQaNg+SZhNzzJSHohwgnVszfqK}u-GJbmVYQEL%?3fxAAyWU6c
zM-PtCT+jXV?<CNc%Os%tz<hy2t!y?IiM<}<oJZTeO{6yTkc*)Wj%yv74`S@6|22WO
z-!&e!kz;#+9IX7H59!jS!=wd$6p8^fw&HOO38AmLjI6+bd|!qboTQc$G`@oNhRR5%
z#iX?UDK~N(3qy=N6n;f&Mole(nLhj()l!W#s_r5ytv2FNUdH56Z1==88I)q(O&>S<
zznMTg3(iWtPF&k8zi3t)@&H`tsf|yfk&0P`b6X^TbrP{UQ?&XrmzfAZ+0LQOe1+ss
zT<!x?*a_>S=2<jKFUg%^npOXih9*68v=MT>774PKb`%8LLYWm)dHvgvyKWgnb)B>)
zZG;GjZT6(#W1LF*#~RuO;2>R_3&VO&#Y2OKx1kMnqs*#rq30Qd;EJS8%)?Uux<;S(
z`7G(K(WqGU*%g<l9@;jPlux$2HGy}aF@Cl{Hx>k0!q|u}LRkPa7&vF4h=9XqnbcVD
zY{?y#WkDc#=9KVFDyzSfKwDL&5}lYaf2yKQEibq7G=-lI%eTGRhYzCN%hazX6gVpN
z`7M{kXVD2I602yT5u6OQ1C8LgcKES|wyM|_cG&LE&$L1x19Y8L7^Qr7VpHF>9I7*~
zwV8*)F;gSP#r(krg#CqvfE{!g$GtBqHM4kSjY}_gvBu@VJ}&e~Gra?(J59L1`=$vc
zLlU1rM-;od)**<A%SfQ9F%`<OR3HBOL4x_~@zHFZhXFjhO)2YmF)!njQgeX#r2g*1
z@XWpX-{FbgORBua@S@Uzn!|uWFz?#3s8p9E+89x}AMH}=2CE1f0ZA;qPZdw$y=aFg
z?W+^GeqpAks>F@uUukH!r|{#WNOu==y~A|r=Un<ZoTZS#174H1q{mSTkMbnS51(ux
zfA%gDB0a$g8it<wD6S`duc7UL{(-1JLUZC)w8?3e%f#VnI2j3v8*~pESJd&93LLNB
zBVtqN*t(<&4MaY64bK$)u<I4HC$!e^lw-v(&lM+wb#QNo=-1E)FUp}h8gUkl+}WpD
z(K2@J33280GiP||pst)fmE-LV=s+fA-LHQEZId%>`PK`JU^g#1^^&n{m^EX*#)Cdd
zFOwzzWy+>x?%fR90keZ!Mg!*Gb?B#v7h^EAxyStTKRg{;Ao)eabIsJT7?RwS`h~TE
zm;rq4j~~C6$lw|JcF$XUj(-74wb!6jbF#;?vbux6uV$fZ%O?N$r%;&(CUy=!9(i-s
zJd;)9)aPQ!3aB@NP|xFMdqY)7DQeaLV)K9em-bfzAbjX--odAOLz1%6+_`?12xYz$
zROSx8)t53pT>_d(Xv#6F^W4obo{&^2+A)6FVL8TBBYFHS4IyvniJuBJttTMyb{&B0
z=hq5sXd0k6ouWn%+|L>ohyFolL>&4>B&r^bd;OXpm*jIiTtNchU&AXoeguLCI2&a@
z6^lYrLXOwchv}~$x@7MF&^<jQb%D?L7jX80I%@nIZF40e6$rPv64Mv_z+b`-S=bE=
zc(y4A){-_VT%uJ_BHdL`V(X%f7i!ebKhx0W!1x-6r;dP(gxNjjC`0z}G%_QH)-YC4
ze`m4yjNVte$*b`<{vFh8Z9`xjerUBxN%Y}7QDLE5YlQ;>KF=F;R7n-^{>4<dst=xq
z^1fLg{+AkGDiAV?!xK!KVuJ<pJK9=dcc-4qJRLF(%ldG0Q$A$Ej{gMObB4#%K3rIO
zH|8-`VhX;b-y3T3&GR73!z9h4DaQ-1opq(Dl9Gyq(^QH1Y0B?P-$tS|_5L*=P5B1&
zJ-NJZ%#Go3V{6+)HbSE|sqPvnuj{X`6?S<sHq-Kk+DwtVxy#I1o=9eZ(|a`#dhaDV
z=JDM_uT8bVLhpSDz5SjV@@10_jhAz;wrMOy2hlt<;f99fKRVwH2+rQ|v!T^Rn{k3`
z;<8|QtuRIX>N{?w*1&GYgctSOgC_6QJf~F<8x2@^Fqnv#_2bi_>PARQMPr^sRexFX
zvVMP1&BEPV;cqWU1tVTHh)^&>`u|Eno4-6k75s^YHi-!VJ{0OPH9ugltxtsy9+Z&x
zz_x`EQq2LxxjH+jtB$Yc34b9&!WM0`2-vF0)(y52@?dY}aim^aV7Ra7g+Xzz<}3VN
z3JUv|@Vw^r^dp|vJON3X;?Ypg_yvUmWd`>Z{fmRb4UY(0z3|}ELfSw4sT05{>v9)F
zYoP=myB6Y3REv+G8RPY2X*)Bb850zeJ_#?M+hv79t+m1^;}vg2Gbb7FSU6lS8G*4q
z)$tSPc6yMc!%l><sY6a`nu#kel>PErAvB08dg*cL>vJoF*e21QjyM@q^Sax~poD}{
zwY5Tudk}^L%zr~qJJ36(ETn$>t%g#704gPzlH>5CsD77z3Xemdm{7%DD{NM(%)nil
zI>n+s+^73I?93IQ8vTv6Tsj8gku8@FNvY+@P&Rhyf9v(N!c(#zJL4a+&$Q3hnISHU
zM^w2aqU*H^-#&JL1Wl*h4+|3!Z%+TA@Nm&}n@&EPee~#&P(*#+Mc)wQpN*b?tm!UT
zc6}z6IDB|D`xP_+pNNIoW;O}mlF}CgtU2xFWBhdi{+Sm0sH|$Sk5mB#bh2Tm=KOi~
z=ck(X!^HSi_DyQ$68$DM1N&qiocd5+Es9T7*|)0jvFiK?wWoFZsQT`2hJWMf`y@2-
Pb5JJ9KigbIs|fuEMCcR{

literal 0
HcmV?d00001

diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/AccessReason.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/AccessReason.php
new file mode 100644
index 000000000000..1e1bf9f0ff2e
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/AccessReason.php
@@ -0,0 +1,149 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/resources.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use UnexpectedValueException;
+
+/**
+ * Describes the reason for a data access. Please refer to
+ * https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes
+ * for the detailed semantic meaning of justification reason codes.
+ *
+ * Protobuf type <code>google.cloud.kms.v1.AccessReason</code>
+ */
+class AccessReason
+{
+    /**
+     * Unspecified access reason.
+     *
+     * Generated from protobuf enum <code>REASON_UNSPECIFIED = 0;</code>
+     */
+    const REASON_UNSPECIFIED = 0;
+    /**
+     * Customer-initiated support.
+     *
+     * Generated from protobuf enum <code>CUSTOMER_INITIATED_SUPPORT = 1;</code>
+     */
+    const CUSTOMER_INITIATED_SUPPORT = 1;
+    /**
+     * Google-initiated access for system management and troubleshooting.
+     *
+     * Generated from protobuf enum <code>GOOGLE_INITIATED_SERVICE = 2;</code>
+     */
+    const GOOGLE_INITIATED_SERVICE = 2;
+    /**
+     * Google-initiated access in response to a legal request or legal process.
+     *
+     * Generated from protobuf enum <code>THIRD_PARTY_DATA_REQUEST = 3;</code>
+     */
+    const THIRD_PARTY_DATA_REQUEST = 3;
+    /**
+     * Google-initiated access for security, fraud, abuse, or compliance purposes.
+     *
+     * Generated from protobuf enum <code>GOOGLE_INITIATED_REVIEW = 4;</code>
+     */
+    const GOOGLE_INITIATED_REVIEW = 4;
+    /**
+     * Customer uses their account to perform any access to their own data which
+     * their IAM policy authorizes.
+     *
+     * Generated from protobuf enum <code>CUSTOMER_INITIATED_ACCESS = 5;</code>
+     */
+    const CUSTOMER_INITIATED_ACCESS = 5;
+    /**
+     * Google systems access customer data to help optimize the structure of the
+     * data or quality for future uses by the customer.
+     *
+     * Generated from protobuf enum <code>GOOGLE_INITIATED_SYSTEM_OPERATION = 6;</code>
+     */
+    const GOOGLE_INITIATED_SYSTEM_OPERATION = 6;
+    /**
+     * No reason is expected for this key request.
+     *
+     * Generated from protobuf enum <code>REASON_NOT_EXPECTED = 7;</code>
+     */
+    const REASON_NOT_EXPECTED = 7;
+    /**
+     * Customer uses their account to perform any access to their own data which
+     * their IAM policy authorizes, and one of the following is true:
+     * * A Google administrator has reset the root-access account associated with
+     *   the user's organization within the past 7 days.
+     * * A Google-initiated emergency access operation has interacted with a
+     *   resource in the same project or folder as the currently accessed resource
+     *   within the past 7 days.
+     *
+     * Generated from protobuf enum <code>MODIFIED_CUSTOMER_INITIATED_ACCESS = 8;</code>
+     */
+    const MODIFIED_CUSTOMER_INITIATED_ACCESS = 8;
+    /**
+     * Google systems access customer data to help optimize the structure of the
+     * data or quality for future uses by the customer, and one of the following
+     * is true:
+     * * A Google administrator has reset the root-access account associated with
+     *   the user's organization within the past 7 days.
+     * * A Google-initiated emergency access operation has interacted with a
+     *   resource in the same project or folder as the currently accessed resource
+     *   within the past 7 days.
+     *
+     * Generated from protobuf enum <code>MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION = 9;</code>
+     */
+    const MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION = 9;
+    /**
+     * Google-initiated access to maintain system reliability.
+     *
+     * Generated from protobuf enum <code>GOOGLE_RESPONSE_TO_PRODUCTION_ALERT = 10;</code>
+     */
+    const GOOGLE_RESPONSE_TO_PRODUCTION_ALERT = 10;
+    /**
+     * One of the following operations is being executed while simultaneously
+     * encountering an internal technical issue which prevented a more precise
+     * justification code from being generated:
+     * * Your account has been used to perform any access to your own data which
+     *   your IAM policy authorizes.
+     * * An automated Google system operates on encrypted customer data which your
+     *   IAM policy authorizes.
+     * * Customer-initiated Google support access.
+     * * Google-initiated support access to protect system reliability.
+     *
+     * Generated from protobuf enum <code>CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING = 11;</code>
+     */
+    const CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING = 11;
+
+    private static $valueToName = [
+        self::REASON_UNSPECIFIED => 'REASON_UNSPECIFIED',
+        self::CUSTOMER_INITIATED_SUPPORT => 'CUSTOMER_INITIATED_SUPPORT',
+        self::GOOGLE_INITIATED_SERVICE => 'GOOGLE_INITIATED_SERVICE',
+        self::THIRD_PARTY_DATA_REQUEST => 'THIRD_PARTY_DATA_REQUEST',
+        self::GOOGLE_INITIATED_REVIEW => 'GOOGLE_INITIATED_REVIEW',
+        self::CUSTOMER_INITIATED_ACCESS => 'CUSTOMER_INITIATED_ACCESS',
+        self::GOOGLE_INITIATED_SYSTEM_OPERATION => 'GOOGLE_INITIATED_SYSTEM_OPERATION',
+        self::REASON_NOT_EXPECTED => 'REASON_NOT_EXPECTED',
+        self::MODIFIED_CUSTOMER_INITIATED_ACCESS => 'MODIFIED_CUSTOMER_INITIATED_ACCESS',
+        self::MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION => 'MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION',
+        self::GOOGLE_RESPONSE_TO_PRODUCTION_ALERT => 'GOOGLE_RESPONSE_TO_PRODUCTION_ALERT',
+        self::CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING => 'CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING',
+    ];
+
+    public static function name($value)
+    {
+        if (!isset(self::$valueToName[$value])) {
+            throw new UnexpectedValueException(sprintf(
+                    'Enum %s has no name defined for value %s', __CLASS__, $value));
+        }
+        return self::$valueToName[$value];
+    }
+
+
+    public static function value($name)
+    {
+        $const = __CLASS__ . '::' . strtoupper($name);
+        if (!defined($const)) {
+            throw new UnexpectedValueException(sprintf(
+                    'Enum %s has no value defined for name %s', __CLASS__, $name));
+        }
+        return constant($const);
+    }
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/AsymmetricDecryptRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/AsymmetricDecryptRequest.php
new file mode 100644
index 000000000000..d091cf22284b
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/AsymmetricDecryptRequest.php
@@ -0,0 +1,317 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.AsymmetricDecryptRequest</code>
+ */
+class AsymmetricDecryptRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+     * decryption.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     */
+    protected $name = '';
+    /**
+     * Required. The data encrypted with the named
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s public key using
+     * OAEP.
+     *
+     * Generated from protobuf field <code>bytes ciphertext = 3 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    protected $ciphertext = '';
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received
+     * [AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext]
+     * using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext])
+     * is equal to
+     * [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value ciphertext_crc32c = 4 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $ciphertext_crc32c = null;
+
+    /**
+     * @param string $name       Required. The resource name of the
+     *                           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+     *                           decryption. Please see
+     *                           {@see KeyManagementServiceClient::cryptoKeyVersionName()} for help formatting this field.
+     * @param string $ciphertext Required. The data encrypted with the named
+     *                           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s public key using
+     *                           OAEP.
+     *
+     * @return \Google\Cloud\Kms\V1\AsymmetricDecryptRequest
+     *
+     * @experimental
+     */
+    public static function build(string $name, string $ciphertext): self
+    {
+        return (new self())
+            ->setName($name)
+            ->setCiphertext($ciphertext);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $name
+     *           Required. The resource name of the
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+     *           decryption.
+     *     @type string $ciphertext
+     *           Required. The data encrypted with the named
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s public key using
+     *           OAEP.
+     *     @type \Google\Protobuf\Int64Value $ciphertext_crc32c
+     *           Optional. An optional CRC32C checksum of the
+     *           [AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext].
+     *           If specified,
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     *           verify the integrity of the received
+     *           [AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext]
+     *           using this checksum.
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     *           report an error if the checksum verification fails. If you receive a
+     *           checksum error, your client should verify that
+     *           CRC32C([AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext])
+     *           is equal to
+     *           [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c],
+     *           and if so, perform a limited number of retries. A persistent mismatch may
+     *           indicate an issue in your computation of the CRC32C checksum. Note: This
+     *           field is defined as int64 for reasons of compatibility across different
+     *           languages. However, it is a non-negative integer, which will never exceed
+     *           2^32-1, and can be safely downconverted to uint32 in languages that support
+     *           this type.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+     * decryption.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * Required. The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+     * decryption.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setName($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->name = $var;
+
+        return $this;
+    }
+
+    /**
+     * Required. The data encrypted with the named
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s public key using
+     * OAEP.
+     *
+     * Generated from protobuf field <code>bytes ciphertext = 3 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return string
+     */
+    public function getCiphertext()
+    {
+        return $this->ciphertext;
+    }
+
+    /**
+     * Required. The data encrypted with the named
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s public key using
+     * OAEP.
+     *
+     * Generated from protobuf field <code>bytes ciphertext = 3 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setCiphertext($var)
+    {
+        GPBUtil::checkString($var, False);
+        $this->ciphertext = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received
+     * [AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext]
+     * using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext])
+     * is equal to
+     * [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value ciphertext_crc32c = 4 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return \Google\Protobuf\Int64Value|null
+     */
+    public function getCiphertextCrc32C()
+    {
+        return $this->ciphertext_crc32c;
+    }
+
+    public function hasCiphertextCrc32C()
+    {
+        return isset($this->ciphertext_crc32c);
+    }
+
+    public function clearCiphertextCrc32C()
+    {
+        unset($this->ciphertext_crc32c);
+    }
+
+    /**
+     * Returns the unboxed value from <code>getCiphertextCrc32C()</code>
+
+     * Optional. An optional CRC32C checksum of the
+     * [AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received
+     * [AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext]
+     * using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext])
+     * is equal to
+     * [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value ciphertext_crc32c = 4 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return int|string|null
+     */
+    public function getCiphertextCrc32CUnwrapped()
+    {
+        return $this->readWrapperValue("ciphertext_crc32c");
+    }
+
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received
+     * [AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext]
+     * using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext])
+     * is equal to
+     * [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value ciphertext_crc32c = 4 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param \Google\Protobuf\Int64Value $var
+     * @return $this
+     */
+    public function setCiphertextCrc32C($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Int64Value::class);
+        $this->ciphertext_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * Sets the field by wrapping a primitive type in a Google\Protobuf\Int64Value object.
+
+     * Optional. An optional CRC32C checksum of the
+     * [AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received
+     * [AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext]
+     * using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext])
+     * is equal to
+     * [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value ciphertext_crc32c = 4 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param int|string|null $var
+     * @return $this
+     */
+    public function setCiphertextCrc32CUnwrapped($var)
+    {
+        $this->writeWrapperValue("ciphertext_crc32c", $var);
+        return $this;}
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/AsymmetricDecryptResponse.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/AsymmetricDecryptResponse.php
new file mode 100644
index 000000000000..a50201e6aac9
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/AsymmetricDecryptResponse.php
@@ -0,0 +1,339 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Response message for
+ * [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.AsymmetricDecryptResponse</code>
+ */
+class AsymmetricDecryptResponse extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * The decrypted data originally encrypted with the matching public key.
+     *
+     * Generated from protobuf field <code>bytes plaintext = 1;</code>
+     */
+    protected $plaintext = '';
+    /**
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext].
+     * An integrity check of
+     * [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext]
+     * can be performed by computing the CRC32C checksum of
+     * [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext]
+     * and comparing your results to this field. Discard the response in case of
+     * non-matching checksum values, and perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: This field is defined as int64 for reasons of compatibility
+     * across different languages. However, it is a non-negative integer, which
+     * will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     * languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value plaintext_crc32c = 2;</code>
+     */
+    protected $plaintext_crc32c = null;
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of the
+     * [ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext]. A
+     * false value of this field indicates either that
+     * [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_ciphertext_crc32c = 3;</code>
+     */
+    protected $verified_ciphertext_crc32c = false;
+    /**
+     * The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in
+     * decryption.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 4;</code>
+     */
+    protected $protection_level = 0;
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $plaintext
+     *           The decrypted data originally encrypted with the matching public key.
+     *     @type \Google\Protobuf\Int64Value $plaintext_crc32c
+     *           Integrity verification field. A CRC32C checksum of the returned
+     *           [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext].
+     *           An integrity check of
+     *           [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext]
+     *           can be performed by computing the CRC32C checksum of
+     *           [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext]
+     *           and comparing your results to this field. Discard the response in case of
+     *           non-matching checksum values, and perform a limited number of retries. A
+     *           persistent mismatch may indicate an issue in your computation of the CRC32C
+     *           checksum. Note: This field is defined as int64 for reasons of compatibility
+     *           across different languages. However, it is a non-negative integer, which
+     *           will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     *           languages that support this type.
+     *     @type bool $verified_ciphertext_crc32c
+     *           Integrity verification field. A flag indicating whether
+     *           [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c]
+     *           was received by
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     *           for the integrity verification of the
+     *           [ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext]. A
+     *           false value of this field indicates either that
+     *           [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c]
+     *           was left unset or that it was not delivered to
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     *           set
+     *           [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c]
+     *           but this field is still false, discard the response and perform a limited
+     *           number of retries.
+     *     @type int $protection_level
+     *           The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in
+     *           decryption.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * The decrypted data originally encrypted with the matching public key.
+     *
+     * Generated from protobuf field <code>bytes plaintext = 1;</code>
+     * @return string
+     */
+    public function getPlaintext()
+    {
+        return $this->plaintext;
+    }
+
+    /**
+     * The decrypted data originally encrypted with the matching public key.
+     *
+     * Generated from protobuf field <code>bytes plaintext = 1;</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setPlaintext($var)
+    {
+        GPBUtil::checkString($var, False);
+        $this->plaintext = $var;
+
+        return $this;
+    }
+
+    /**
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext].
+     * An integrity check of
+     * [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext]
+     * can be performed by computing the CRC32C checksum of
+     * [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext]
+     * and comparing your results to this field. Discard the response in case of
+     * non-matching checksum values, and perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: This field is defined as int64 for reasons of compatibility
+     * across different languages. However, it is a non-negative integer, which
+     * will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     * languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value plaintext_crc32c = 2;</code>
+     * @return \Google\Protobuf\Int64Value|null
+     */
+    public function getPlaintextCrc32C()
+    {
+        return $this->plaintext_crc32c;
+    }
+
+    public function hasPlaintextCrc32C()
+    {
+        return isset($this->plaintext_crc32c);
+    }
+
+    public function clearPlaintextCrc32C()
+    {
+        unset($this->plaintext_crc32c);
+    }
+
+    /**
+     * Returns the unboxed value from <code>getPlaintextCrc32C()</code>
+
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext].
+     * An integrity check of
+     * [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext]
+     * can be performed by computing the CRC32C checksum of
+     * [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext]
+     * and comparing your results to this field. Discard the response in case of
+     * non-matching checksum values, and perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: This field is defined as int64 for reasons of compatibility
+     * across different languages. However, it is a non-negative integer, which
+     * will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     * languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value plaintext_crc32c = 2;</code>
+     * @return int|string|null
+     */
+    public function getPlaintextCrc32CUnwrapped()
+    {
+        return $this->readWrapperValue("plaintext_crc32c");
+    }
+
+    /**
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext].
+     * An integrity check of
+     * [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext]
+     * can be performed by computing the CRC32C checksum of
+     * [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext]
+     * and comparing your results to this field. Discard the response in case of
+     * non-matching checksum values, and perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: This field is defined as int64 for reasons of compatibility
+     * across different languages. However, it is a non-negative integer, which
+     * will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     * languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value plaintext_crc32c = 2;</code>
+     * @param \Google\Protobuf\Int64Value $var
+     * @return $this
+     */
+    public function setPlaintextCrc32C($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Int64Value::class);
+        $this->plaintext_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * Sets the field by wrapping a primitive type in a Google\Protobuf\Int64Value object.
+
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext].
+     * An integrity check of
+     * [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext]
+     * can be performed by computing the CRC32C checksum of
+     * [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext]
+     * and comparing your results to this field. Discard the response in case of
+     * non-matching checksum values, and perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: This field is defined as int64 for reasons of compatibility
+     * across different languages. However, it is a non-negative integer, which
+     * will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     * languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value plaintext_crc32c = 2;</code>
+     * @param int|string|null $var
+     * @return $this
+     */
+    public function setPlaintextCrc32CUnwrapped($var)
+    {
+        $this->writeWrapperValue("plaintext_crc32c", $var);
+        return $this;}
+
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of the
+     * [ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext]. A
+     * false value of this field indicates either that
+     * [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_ciphertext_crc32c = 3;</code>
+     * @return bool
+     */
+    public function getVerifiedCiphertextCrc32C()
+    {
+        return $this->verified_ciphertext_crc32c;
+    }
+
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of the
+     * [ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext]. A
+     * false value of this field indicates either that
+     * [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_ciphertext_crc32c = 3;</code>
+     * @param bool $var
+     * @return $this
+     */
+    public function setVerifiedCiphertextCrc32C($var)
+    {
+        GPBUtil::checkBool($var);
+        $this->verified_ciphertext_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in
+     * decryption.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 4;</code>
+     * @return int
+     */
+    public function getProtectionLevel()
+    {
+        return $this->protection_level;
+    }
+
+    /**
+     * The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in
+     * decryption.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 4;</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setProtectionLevel($var)
+    {
+        GPBUtil::checkEnum($var, \Google\Cloud\Kms\V1\ProtectionLevel::class);
+        $this->protection_level = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/AsymmetricSignRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/AsymmetricSignRequest.php
new file mode 100644
index 000000000000..2dae2bd9fd19
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/AsymmetricSignRequest.php
@@ -0,0 +1,568 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.AsymmetricSignRequest</code>
+ */
+class AsymmetricSignRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+     * signing.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     */
+    protected $name = '';
+    /**
+     * Optional. The digest of the data to sign. The digest must be produced with
+     * the same digest algorithm as specified by the key version's
+     * [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm].
+     * This field may not be supplied if
+     * [AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data]
+     * is supplied.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.Digest digest = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $digest = null;
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received
+     * [AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest]
+     * using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest])
+     * is equal to
+     * [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value digest_crc32c = 4 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $digest_crc32c = null;
+    /**
+     * Optional. The data to sign.
+     * It can't be supplied if
+     * [AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest]
+     * is supplied.
+     *
+     * Generated from protobuf field <code>bytes data = 6 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $data = '';
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received
+     * [AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data]
+     * using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data])
+     * is equal to
+     * [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value data_crc32c = 7 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $data_crc32c = null;
+
+    /**
+     * @param string                      $name   Required. The resource name of the
+     *                                            [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+     *                                            signing. Please see
+     *                                            {@see KeyManagementServiceClient::cryptoKeyVersionName()} for help formatting this field.
+     * @param \Google\Cloud\Kms\V1\Digest $digest Optional. The digest of the data to sign. The digest must be produced with
+     *                                            the same digest algorithm as specified by the key version's
+     *                                            [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm].
+     *
+     *                                            This field may not be supplied if
+     *                                            [AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data]
+     *                                            is supplied.
+     *
+     * @return \Google\Cloud\Kms\V1\AsymmetricSignRequest
+     *
+     * @experimental
+     */
+    public static function build(string $name, \Google\Cloud\Kms\V1\Digest $digest): self
+    {
+        return (new self())
+            ->setName($name)
+            ->setDigest($digest);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $name
+     *           Required. The resource name of the
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+     *           signing.
+     *     @type \Google\Cloud\Kms\V1\Digest $digest
+     *           Optional. The digest of the data to sign. The digest must be produced with
+     *           the same digest algorithm as specified by the key version's
+     *           [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm].
+     *           This field may not be supplied if
+     *           [AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data]
+     *           is supplied.
+     *     @type \Google\Protobuf\Int64Value $digest_crc32c
+     *           Optional. An optional CRC32C checksum of the
+     *           [AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest].
+     *           If specified,
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     *           verify the integrity of the received
+     *           [AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest]
+     *           using this checksum.
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     *           report an error if the checksum verification fails. If you receive a
+     *           checksum error, your client should verify that
+     *           CRC32C([AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest])
+     *           is equal to
+     *           [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c],
+     *           and if so, perform a limited number of retries. A persistent mismatch may
+     *           indicate an issue in your computation of the CRC32C checksum. Note: This
+     *           field is defined as int64 for reasons of compatibility across different
+     *           languages. However, it is a non-negative integer, which will never exceed
+     *           2^32-1, and can be safely downconverted to uint32 in languages that support
+     *           this type.
+     *     @type string $data
+     *           Optional. The data to sign.
+     *           It can't be supplied if
+     *           [AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest]
+     *           is supplied.
+     *     @type \Google\Protobuf\Int64Value $data_crc32c
+     *           Optional. An optional CRC32C checksum of the
+     *           [AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data].
+     *           If specified,
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     *           verify the integrity of the received
+     *           [AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data]
+     *           using this checksum.
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     *           report an error if the checksum verification fails. If you receive a
+     *           checksum error, your client should verify that
+     *           CRC32C([AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data])
+     *           is equal to
+     *           [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c],
+     *           and if so, perform a limited number of retries. A persistent mismatch may
+     *           indicate an issue in your computation of the CRC32C checksum. Note: This
+     *           field is defined as int64 for reasons of compatibility across different
+     *           languages. However, it is a non-negative integer, which will never exceed
+     *           2^32-1, and can be safely downconverted to uint32 in languages that support
+     *           this type.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+     * signing.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * Required. The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+     * signing.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setName($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->name = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. The digest of the data to sign. The digest must be produced with
+     * the same digest algorithm as specified by the key version's
+     * [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm].
+     * This field may not be supplied if
+     * [AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data]
+     * is supplied.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.Digest digest = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return \Google\Cloud\Kms\V1\Digest|null
+     */
+    public function getDigest()
+    {
+        return $this->digest;
+    }
+
+    public function hasDigest()
+    {
+        return isset($this->digest);
+    }
+
+    public function clearDigest()
+    {
+        unset($this->digest);
+    }
+
+    /**
+     * Optional. The digest of the data to sign. The digest must be produced with
+     * the same digest algorithm as specified by the key version's
+     * [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm].
+     * This field may not be supplied if
+     * [AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data]
+     * is supplied.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.Digest digest = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param \Google\Cloud\Kms\V1\Digest $var
+     * @return $this
+     */
+    public function setDigest($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Cloud\Kms\V1\Digest::class);
+        $this->digest = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received
+     * [AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest]
+     * using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest])
+     * is equal to
+     * [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value digest_crc32c = 4 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return \Google\Protobuf\Int64Value|null
+     */
+    public function getDigestCrc32C()
+    {
+        return $this->digest_crc32c;
+    }
+
+    public function hasDigestCrc32C()
+    {
+        return isset($this->digest_crc32c);
+    }
+
+    public function clearDigestCrc32C()
+    {
+        unset($this->digest_crc32c);
+    }
+
+    /**
+     * Returns the unboxed value from <code>getDigestCrc32C()</code>
+
+     * Optional. An optional CRC32C checksum of the
+     * [AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received
+     * [AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest]
+     * using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest])
+     * is equal to
+     * [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value digest_crc32c = 4 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return int|string|null
+     */
+    public function getDigestCrc32CUnwrapped()
+    {
+        return $this->readWrapperValue("digest_crc32c");
+    }
+
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received
+     * [AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest]
+     * using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest])
+     * is equal to
+     * [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value digest_crc32c = 4 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param \Google\Protobuf\Int64Value $var
+     * @return $this
+     */
+    public function setDigestCrc32C($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Int64Value::class);
+        $this->digest_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * Sets the field by wrapping a primitive type in a Google\Protobuf\Int64Value object.
+
+     * Optional. An optional CRC32C checksum of the
+     * [AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received
+     * [AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest]
+     * using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest])
+     * is equal to
+     * [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value digest_crc32c = 4 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param int|string|null $var
+     * @return $this
+     */
+    public function setDigestCrc32CUnwrapped($var)
+    {
+        $this->writeWrapperValue("digest_crc32c", $var);
+        return $this;}
+
+    /**
+     * Optional. The data to sign.
+     * It can't be supplied if
+     * [AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest]
+     * is supplied.
+     *
+     * Generated from protobuf field <code>bytes data = 6 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return string
+     */
+    public function getData()
+    {
+        return $this->data;
+    }
+
+    /**
+     * Optional. The data to sign.
+     * It can't be supplied if
+     * [AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest]
+     * is supplied.
+     *
+     * Generated from protobuf field <code>bytes data = 6 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setData($var)
+    {
+        GPBUtil::checkString($var, False);
+        $this->data = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received
+     * [AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data]
+     * using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data])
+     * is equal to
+     * [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value data_crc32c = 7 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return \Google\Protobuf\Int64Value|null
+     */
+    public function getDataCrc32C()
+    {
+        return $this->data_crc32c;
+    }
+
+    public function hasDataCrc32C()
+    {
+        return isset($this->data_crc32c);
+    }
+
+    public function clearDataCrc32C()
+    {
+        unset($this->data_crc32c);
+    }
+
+    /**
+     * Returns the unboxed value from <code>getDataCrc32C()</code>
+
+     * Optional. An optional CRC32C checksum of the
+     * [AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received
+     * [AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data]
+     * using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data])
+     * is equal to
+     * [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value data_crc32c = 7 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return int|string|null
+     */
+    public function getDataCrc32CUnwrapped()
+    {
+        return $this->readWrapperValue("data_crc32c");
+    }
+
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received
+     * [AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data]
+     * using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data])
+     * is equal to
+     * [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value data_crc32c = 7 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param \Google\Protobuf\Int64Value $var
+     * @return $this
+     */
+    public function setDataCrc32C($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Int64Value::class);
+        $this->data_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * Sets the field by wrapping a primitive type in a Google\Protobuf\Int64Value object.
+
+     * Optional. An optional CRC32C checksum of the
+     * [AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received
+     * [AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data]
+     * using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data])
+     * is equal to
+     * [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value data_crc32c = 7 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param int|string|null $var
+     * @return $this
+     */
+    public function setDataCrc32CUnwrapped($var)
+    {
+        $this->writeWrapperValue("data_crc32c", $var);
+        return $this;}
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/AsymmetricSignResponse.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/AsymmetricSignResponse.php
new file mode 100644
index 000000000000..efec99a14768
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/AsymmetricSignResponse.php
@@ -0,0 +1,463 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Response message for
+ * [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.AsymmetricSignResponse</code>
+ */
+class AsymmetricSignResponse extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * The created signature.
+     *
+     * Generated from protobuf field <code>bytes signature = 1;</code>
+     */
+    protected $signature = '';
+    /**
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature].
+     * An integrity check of
+     * [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature]
+     * can be performed by computing the CRC32C checksum of
+     * [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature]
+     * and comparing your results to this field. Discard the response in case of
+     * non-matching checksum values, and perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: This field is defined as int64 for reasons of compatibility
+     * across different languages. However, it is a non-negative integer, which
+     * will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     * languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value signature_crc32c = 2;</code>
+     */
+    protected $signature_crc32c = null;
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of the
+     * [digest][google.cloud.kms.v1.AsymmetricSignRequest.digest]. A false value
+     * of this field indicates either that
+     * [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_digest_crc32c = 3;</code>
+     */
+    protected $verified_digest_crc32c = false;
+    /**
+     * The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for signing.
+     * Check this field to verify that the intended resource was used for signing.
+     *
+     * Generated from protobuf field <code>string name = 4;</code>
+     */
+    protected $name = '';
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of the
+     * [data][google.cloud.kms.v1.AsymmetricSignRequest.data]. A false value of
+     * this field indicates either that
+     * [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_data_crc32c = 5;</code>
+     */
+    protected $verified_data_crc32c = false;
+    /**
+     * The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for signing.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 6;</code>
+     */
+    protected $protection_level = 0;
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $signature
+     *           The created signature.
+     *     @type \Google\Protobuf\Int64Value $signature_crc32c
+     *           Integrity verification field. A CRC32C checksum of the returned
+     *           [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature].
+     *           An integrity check of
+     *           [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature]
+     *           can be performed by computing the CRC32C checksum of
+     *           [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature]
+     *           and comparing your results to this field. Discard the response in case of
+     *           non-matching checksum values, and perform a limited number of retries. A
+     *           persistent mismatch may indicate an issue in your computation of the CRC32C
+     *           checksum. Note: This field is defined as int64 for reasons of compatibility
+     *           across different languages. However, it is a non-negative integer, which
+     *           will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     *           languages that support this type.
+     *     @type bool $verified_digest_crc32c
+     *           Integrity verification field. A flag indicating whether
+     *           [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c]
+     *           was received by
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     *           for the integrity verification of the
+     *           [digest][google.cloud.kms.v1.AsymmetricSignRequest.digest]. A false value
+     *           of this field indicates either that
+     *           [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c]
+     *           was left unset or that it was not delivered to
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     *           set
+     *           [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c]
+     *           but this field is still false, discard the response and perform a limited
+     *           number of retries.
+     *     @type string $name
+     *           The resource name of the
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for signing.
+     *           Check this field to verify that the intended resource was used for signing.
+     *     @type bool $verified_data_crc32c
+     *           Integrity verification field. A flag indicating whether
+     *           [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c]
+     *           was received by
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     *           for the integrity verification of the
+     *           [data][google.cloud.kms.v1.AsymmetricSignRequest.data]. A false value of
+     *           this field indicates either that
+     *           [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c]
+     *           was left unset or that it was not delivered to
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     *           set
+     *           [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c]
+     *           but this field is still false, discard the response and perform a limited
+     *           number of retries.
+     *     @type int $protection_level
+     *           The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for signing.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * The created signature.
+     *
+     * Generated from protobuf field <code>bytes signature = 1;</code>
+     * @return string
+     */
+    public function getSignature()
+    {
+        return $this->signature;
+    }
+
+    /**
+     * The created signature.
+     *
+     * Generated from protobuf field <code>bytes signature = 1;</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setSignature($var)
+    {
+        GPBUtil::checkString($var, False);
+        $this->signature = $var;
+
+        return $this;
+    }
+
+    /**
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature].
+     * An integrity check of
+     * [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature]
+     * can be performed by computing the CRC32C checksum of
+     * [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature]
+     * and comparing your results to this field. Discard the response in case of
+     * non-matching checksum values, and perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: This field is defined as int64 for reasons of compatibility
+     * across different languages. However, it is a non-negative integer, which
+     * will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     * languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value signature_crc32c = 2;</code>
+     * @return \Google\Protobuf\Int64Value|null
+     */
+    public function getSignatureCrc32C()
+    {
+        return $this->signature_crc32c;
+    }
+
+    public function hasSignatureCrc32C()
+    {
+        return isset($this->signature_crc32c);
+    }
+
+    public function clearSignatureCrc32C()
+    {
+        unset($this->signature_crc32c);
+    }
+
+    /**
+     * Returns the unboxed value from <code>getSignatureCrc32C()</code>
+
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature].
+     * An integrity check of
+     * [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature]
+     * can be performed by computing the CRC32C checksum of
+     * [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature]
+     * and comparing your results to this field. Discard the response in case of
+     * non-matching checksum values, and perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: This field is defined as int64 for reasons of compatibility
+     * across different languages. However, it is a non-negative integer, which
+     * will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     * languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value signature_crc32c = 2;</code>
+     * @return int|string|null
+     */
+    public function getSignatureCrc32CUnwrapped()
+    {
+        return $this->readWrapperValue("signature_crc32c");
+    }
+
+    /**
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature].
+     * An integrity check of
+     * [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature]
+     * can be performed by computing the CRC32C checksum of
+     * [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature]
+     * and comparing your results to this field. Discard the response in case of
+     * non-matching checksum values, and perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: This field is defined as int64 for reasons of compatibility
+     * across different languages. However, it is a non-negative integer, which
+     * will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     * languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value signature_crc32c = 2;</code>
+     * @param \Google\Protobuf\Int64Value $var
+     * @return $this
+     */
+    public function setSignatureCrc32C($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Int64Value::class);
+        $this->signature_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * Sets the field by wrapping a primitive type in a Google\Protobuf\Int64Value object.
+
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature].
+     * An integrity check of
+     * [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature]
+     * can be performed by computing the CRC32C checksum of
+     * [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature]
+     * and comparing your results to this field. Discard the response in case of
+     * non-matching checksum values, and perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: This field is defined as int64 for reasons of compatibility
+     * across different languages. However, it is a non-negative integer, which
+     * will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     * languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value signature_crc32c = 2;</code>
+     * @param int|string|null $var
+     * @return $this
+     */
+    public function setSignatureCrc32CUnwrapped($var)
+    {
+        $this->writeWrapperValue("signature_crc32c", $var);
+        return $this;}
+
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of the
+     * [digest][google.cloud.kms.v1.AsymmetricSignRequest.digest]. A false value
+     * of this field indicates either that
+     * [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_digest_crc32c = 3;</code>
+     * @return bool
+     */
+    public function getVerifiedDigestCrc32C()
+    {
+        return $this->verified_digest_crc32c;
+    }
+
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of the
+     * [digest][google.cloud.kms.v1.AsymmetricSignRequest.digest]. A false value
+     * of this field indicates either that
+     * [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_digest_crc32c = 3;</code>
+     * @param bool $var
+     * @return $this
+     */
+    public function setVerifiedDigestCrc32C($var)
+    {
+        GPBUtil::checkBool($var);
+        $this->verified_digest_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for signing.
+     * Check this field to verify that the intended resource was used for signing.
+     *
+     * Generated from protobuf field <code>string name = 4;</code>
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for signing.
+     * Check this field to verify that the intended resource was used for signing.
+     *
+     * Generated from protobuf field <code>string name = 4;</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setName($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->name = $var;
+
+        return $this;
+    }
+
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of the
+     * [data][google.cloud.kms.v1.AsymmetricSignRequest.data]. A false value of
+     * this field indicates either that
+     * [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_data_crc32c = 5;</code>
+     * @return bool
+     */
+    public function getVerifiedDataCrc32C()
+    {
+        return $this->verified_data_crc32c;
+    }
+
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of the
+     * [data][google.cloud.kms.v1.AsymmetricSignRequest.data]. A false value of
+     * this field indicates either that
+     * [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_data_crc32c = 5;</code>
+     * @param bool $var
+     * @return $this
+     */
+    public function setVerifiedDataCrc32C($var)
+    {
+        GPBUtil::checkBool($var);
+        $this->verified_data_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for signing.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 6;</code>
+     * @return int
+     */
+    public function getProtectionLevel()
+    {
+        return $this->protection_level;
+    }
+
+    /**
+     * The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for signing.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 6;</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setProtectionLevel($var)
+    {
+        GPBUtil::checkEnum($var, \Google\Cloud\Kms\V1\ProtectionLevel::class);
+        $this->protection_level = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/AutokeyConfig.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/AutokeyConfig.php
new file mode 100644
index 000000000000..4473493d8774
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/AutokeyConfig.php
@@ -0,0 +1,179 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/autokey_admin.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Cloud KMS Autokey configuration for a folder.
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.AutokeyConfig</code>
+ */
+class AutokeyConfig extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Identifier. Name of the [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig]
+     * resource, e.g. `folders/{FOLDER_NUMBER}/autokeyConfig`.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = IDENTIFIER];</code>
+     */
+    protected $name = '';
+    /**
+     * Optional. Name of the key project, e.g. `projects/{PROJECT_ID}` or
+     * `projects/{PROJECT_NUMBER}`, where Cloud KMS Autokey will provision a new
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] when a
+     * [KeyHandle][google.cloud.kms.v1.KeyHandle] is created. On
+     * [UpdateAutokeyConfig][google.cloud.kms.v1.AutokeyAdmin.UpdateAutokeyConfig],
+     * the caller will require `cloudkms.cryptoKeys.setIamPolicy` permission on
+     * this key project. Once configured, for Cloud KMS Autokey to function
+     * properly, this key project must have the Cloud KMS API activated and the
+     * Cloud KMS Service Agent for this key project must be granted the
+     * `cloudkms.admin` role (or pertinent permissions). A request with an empty
+     * key project field will clear the configuration.
+     *
+     * Generated from protobuf field <code>string key_project = 2 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $key_project = '';
+    /**
+     * Output only. The state for the AutokeyConfig.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.AutokeyConfig.State state = 4 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $state = 0;
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $name
+     *           Identifier. Name of the [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig]
+     *           resource, e.g. `folders/{FOLDER_NUMBER}/autokeyConfig`.
+     *     @type string $key_project
+     *           Optional. Name of the key project, e.g. `projects/{PROJECT_ID}` or
+     *           `projects/{PROJECT_NUMBER}`, where Cloud KMS Autokey will provision a new
+     *           [CryptoKey][google.cloud.kms.v1.CryptoKey] when a
+     *           [KeyHandle][google.cloud.kms.v1.KeyHandle] is created. On
+     *           [UpdateAutokeyConfig][google.cloud.kms.v1.AutokeyAdmin.UpdateAutokeyConfig],
+     *           the caller will require `cloudkms.cryptoKeys.setIamPolicy` permission on
+     *           this key project. Once configured, for Cloud KMS Autokey to function
+     *           properly, this key project must have the Cloud KMS API activated and the
+     *           Cloud KMS Service Agent for this key project must be granted the
+     *           `cloudkms.admin` role (or pertinent permissions). A request with an empty
+     *           key project field will clear the configuration.
+     *     @type int $state
+     *           Output only. The state for the AutokeyConfig.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\AutokeyAdmin::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Identifier. Name of the [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig]
+     * resource, e.g. `folders/{FOLDER_NUMBER}/autokeyConfig`.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = IDENTIFIER];</code>
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * Identifier. Name of the [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig]
+     * resource, e.g. `folders/{FOLDER_NUMBER}/autokeyConfig`.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = IDENTIFIER];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setName($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->name = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. Name of the key project, e.g. `projects/{PROJECT_ID}` or
+     * `projects/{PROJECT_NUMBER}`, where Cloud KMS Autokey will provision a new
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] when a
+     * [KeyHandle][google.cloud.kms.v1.KeyHandle] is created. On
+     * [UpdateAutokeyConfig][google.cloud.kms.v1.AutokeyAdmin.UpdateAutokeyConfig],
+     * the caller will require `cloudkms.cryptoKeys.setIamPolicy` permission on
+     * this key project. Once configured, for Cloud KMS Autokey to function
+     * properly, this key project must have the Cloud KMS API activated and the
+     * Cloud KMS Service Agent for this key project must be granted the
+     * `cloudkms.admin` role (or pertinent permissions). A request with an empty
+     * key project field will clear the configuration.
+     *
+     * Generated from protobuf field <code>string key_project = 2 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return string
+     */
+    public function getKeyProject()
+    {
+        return $this->key_project;
+    }
+
+    /**
+     * Optional. Name of the key project, e.g. `projects/{PROJECT_ID}` or
+     * `projects/{PROJECT_NUMBER}`, where Cloud KMS Autokey will provision a new
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] when a
+     * [KeyHandle][google.cloud.kms.v1.KeyHandle] is created. On
+     * [UpdateAutokeyConfig][google.cloud.kms.v1.AutokeyAdmin.UpdateAutokeyConfig],
+     * the caller will require `cloudkms.cryptoKeys.setIamPolicy` permission on
+     * this key project. Once configured, for Cloud KMS Autokey to function
+     * properly, this key project must have the Cloud KMS API activated and the
+     * Cloud KMS Service Agent for this key project must be granted the
+     * `cloudkms.admin` role (or pertinent permissions). A request with an empty
+     * key project field will clear the configuration.
+     *
+     * Generated from protobuf field <code>string key_project = 2 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setKeyProject($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->key_project = $var;
+
+        return $this;
+    }
+
+    /**
+     * Output only. The state for the AutokeyConfig.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.AutokeyConfig.State state = 4 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return int
+     */
+    public function getState()
+    {
+        return $this->state;
+    }
+
+    /**
+     * Output only. The state for the AutokeyConfig.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.AutokeyConfig.State state = 4 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setState($var)
+    {
+        GPBUtil::checkEnum($var, \Google\Cloud\Kms\V1\AutokeyConfig\State::class);
+        $this->state = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/AutokeyConfig/State.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/AutokeyConfig/State.php
new file mode 100644
index 000000000000..6e3ef05f500e
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/AutokeyConfig/State.php
@@ -0,0 +1,73 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/autokey_admin.proto
+
+namespace Google\Cloud\Kms\V1\AutokeyConfig;
+
+use UnexpectedValueException;
+
+/**
+ * The states AutokeyConfig can be in.
+ *
+ * Protobuf type <code>google.cloud.kms.v1.AutokeyConfig.State</code>
+ */
+class State
+{
+    /**
+     * The state of the AutokeyConfig is unspecified.
+     *
+     * Generated from protobuf enum <code>STATE_UNSPECIFIED = 0;</code>
+     */
+    const STATE_UNSPECIFIED = 0;
+    /**
+     * The AutokeyConfig is currently active.
+     *
+     * Generated from protobuf enum <code>ACTIVE = 1;</code>
+     */
+    const ACTIVE = 1;
+    /**
+     * A previously configured key project has been deleted and the current
+     * AutokeyConfig is unusable.
+     *
+     * Generated from protobuf enum <code>KEY_PROJECT_DELETED = 2;</code>
+     */
+    const KEY_PROJECT_DELETED = 2;
+    /**
+     * The AutokeyConfig is not yet initialized or has been reset to its default
+     * uninitialized state.
+     *
+     * Generated from protobuf enum <code>UNINITIALIZED = 3;</code>
+     */
+    const UNINITIALIZED = 3;
+
+    private static $valueToName = [
+        self::STATE_UNSPECIFIED => 'STATE_UNSPECIFIED',
+        self::ACTIVE => 'ACTIVE',
+        self::KEY_PROJECT_DELETED => 'KEY_PROJECT_DELETED',
+        self::UNINITIALIZED => 'UNINITIALIZED',
+    ];
+
+    public static function name($value)
+    {
+        if (!isset(self::$valueToName[$value])) {
+            throw new UnexpectedValueException(sprintf(
+                    'Enum %s has no name defined for value %s', __CLASS__, $value));
+        }
+        return self::$valueToName[$value];
+    }
+
+
+    public static function value($name)
+    {
+        $const = __CLASS__ . '::' . strtoupper($name);
+        if (!defined($const)) {
+            throw new UnexpectedValueException(sprintf(
+                    'Enum %s has no value defined for name %s', __CLASS__, $name));
+        }
+        return constant($const);
+    }
+}
+
+// Adding a class alias for backwards compatibility with the previous class name.
+class_alias(State::class, \Google\Cloud\Kms\V1\AutokeyConfig_State::class);
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/Certificate.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/Certificate.php
new file mode 100644
index 000000000000..db653c93c4a9
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/Certificate.php
@@ -0,0 +1,388 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/ekm_service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * A [Certificate][google.cloud.kms.v1.Certificate] represents an X.509
+ * certificate used to authenticate HTTPS connections to EKM replicas.
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.Certificate</code>
+ */
+class Certificate extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. The raw certificate bytes in DER format.
+     *
+     * Generated from protobuf field <code>bytes raw_der = 1 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    protected $raw_der = '';
+    /**
+     * Output only. True if the certificate was parsed successfully.
+     *
+     * Generated from protobuf field <code>bool parsed = 2 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $parsed = false;
+    /**
+     * Output only. The issuer distinguished name in RFC 2253 format. Only present
+     * if [parsed][google.cloud.kms.v1.Certificate.parsed] is true.
+     *
+     * Generated from protobuf field <code>string issuer = 3 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $issuer = '';
+    /**
+     * Output only. The subject distinguished name in RFC 2253 format. Only
+     * present if [parsed][google.cloud.kms.v1.Certificate.parsed] is true.
+     *
+     * Generated from protobuf field <code>string subject = 4 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $subject = '';
+    /**
+     * Output only. The subject Alternative DNS names. Only present if
+     * [parsed][google.cloud.kms.v1.Certificate.parsed] is true.
+     *
+     * Generated from protobuf field <code>repeated string subject_alternative_dns_names = 5 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    private $subject_alternative_dns_names;
+    /**
+     * Output only. The certificate is not valid before this time. Only present if
+     * [parsed][google.cloud.kms.v1.Certificate.parsed] is true.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp not_before_time = 6 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $not_before_time = null;
+    /**
+     * Output only. The certificate is not valid after this time. Only present if
+     * [parsed][google.cloud.kms.v1.Certificate.parsed] is true.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp not_after_time = 7 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $not_after_time = null;
+    /**
+     * Output only. The certificate serial number as a hex string. Only present if
+     * [parsed][google.cloud.kms.v1.Certificate.parsed] is true.
+     *
+     * Generated from protobuf field <code>string serial_number = 8 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $serial_number = '';
+    /**
+     * Output only. The SHA-256 certificate fingerprint as a hex string. Only
+     * present if [parsed][google.cloud.kms.v1.Certificate.parsed] is true.
+     *
+     * Generated from protobuf field <code>string sha256_fingerprint = 9 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $sha256_fingerprint = '';
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $raw_der
+     *           Required. The raw certificate bytes in DER format.
+     *     @type bool $parsed
+     *           Output only. True if the certificate was parsed successfully.
+     *     @type string $issuer
+     *           Output only. The issuer distinguished name in RFC 2253 format. Only present
+     *           if [parsed][google.cloud.kms.v1.Certificate.parsed] is true.
+     *     @type string $subject
+     *           Output only. The subject distinguished name in RFC 2253 format. Only
+     *           present if [parsed][google.cloud.kms.v1.Certificate.parsed] is true.
+     *     @type array<string>|\Google\Protobuf\Internal\RepeatedField $subject_alternative_dns_names
+     *           Output only. The subject Alternative DNS names. Only present if
+     *           [parsed][google.cloud.kms.v1.Certificate.parsed] is true.
+     *     @type \Google\Protobuf\Timestamp $not_before_time
+     *           Output only. The certificate is not valid before this time. Only present if
+     *           [parsed][google.cloud.kms.v1.Certificate.parsed] is true.
+     *     @type \Google\Protobuf\Timestamp $not_after_time
+     *           Output only. The certificate is not valid after this time. Only present if
+     *           [parsed][google.cloud.kms.v1.Certificate.parsed] is true.
+     *     @type string $serial_number
+     *           Output only. The certificate serial number as a hex string. Only present if
+     *           [parsed][google.cloud.kms.v1.Certificate.parsed] is true.
+     *     @type string $sha256_fingerprint
+     *           Output only. The SHA-256 certificate fingerprint as a hex string. Only
+     *           present if [parsed][google.cloud.kms.v1.Certificate.parsed] is true.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\EkmService::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. The raw certificate bytes in DER format.
+     *
+     * Generated from protobuf field <code>bytes raw_der = 1 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return string
+     */
+    public function getRawDer()
+    {
+        return $this->raw_der;
+    }
+
+    /**
+     * Required. The raw certificate bytes in DER format.
+     *
+     * Generated from protobuf field <code>bytes raw_der = 1 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setRawDer($var)
+    {
+        GPBUtil::checkString($var, False);
+        $this->raw_der = $var;
+
+        return $this;
+    }
+
+    /**
+     * Output only. True if the certificate was parsed successfully.
+     *
+     * Generated from protobuf field <code>bool parsed = 2 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return bool
+     */
+    public function getParsed()
+    {
+        return $this->parsed;
+    }
+
+    /**
+     * Output only. True if the certificate was parsed successfully.
+     *
+     * Generated from protobuf field <code>bool parsed = 2 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param bool $var
+     * @return $this
+     */
+    public function setParsed($var)
+    {
+        GPBUtil::checkBool($var);
+        $this->parsed = $var;
+
+        return $this;
+    }
+
+    /**
+     * Output only. The issuer distinguished name in RFC 2253 format. Only present
+     * if [parsed][google.cloud.kms.v1.Certificate.parsed] is true.
+     *
+     * Generated from protobuf field <code>string issuer = 3 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return string
+     */
+    public function getIssuer()
+    {
+        return $this->issuer;
+    }
+
+    /**
+     * Output only. The issuer distinguished name in RFC 2253 format. Only present
+     * if [parsed][google.cloud.kms.v1.Certificate.parsed] is true.
+     *
+     * Generated from protobuf field <code>string issuer = 3 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setIssuer($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->issuer = $var;
+
+        return $this;
+    }
+
+    /**
+     * Output only. The subject distinguished name in RFC 2253 format. Only
+     * present if [parsed][google.cloud.kms.v1.Certificate.parsed] is true.
+     *
+     * Generated from protobuf field <code>string subject = 4 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return string
+     */
+    public function getSubject()
+    {
+        return $this->subject;
+    }
+
+    /**
+     * Output only. The subject distinguished name in RFC 2253 format. Only
+     * present if [parsed][google.cloud.kms.v1.Certificate.parsed] is true.
+     *
+     * Generated from protobuf field <code>string subject = 4 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setSubject($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->subject = $var;
+
+        return $this;
+    }
+
+    /**
+     * Output only. The subject Alternative DNS names. Only present if
+     * [parsed][google.cloud.kms.v1.Certificate.parsed] is true.
+     *
+     * Generated from protobuf field <code>repeated string subject_alternative_dns_names = 5 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return \Google\Protobuf\Internal\RepeatedField
+     */
+    public function getSubjectAlternativeDnsNames()
+    {
+        return $this->subject_alternative_dns_names;
+    }
+
+    /**
+     * Output only. The subject Alternative DNS names. Only present if
+     * [parsed][google.cloud.kms.v1.Certificate.parsed] is true.
+     *
+     * Generated from protobuf field <code>repeated string subject_alternative_dns_names = 5 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param array<string>|\Google\Protobuf\Internal\RepeatedField $var
+     * @return $this
+     */
+    public function setSubjectAlternativeDnsNames($var)
+    {
+        $arr = GPBUtil::checkRepeatedField($var, \Google\Protobuf\Internal\GPBType::STRING);
+        $this->subject_alternative_dns_names = $arr;
+
+        return $this;
+    }
+
+    /**
+     * Output only. The certificate is not valid before this time. Only present if
+     * [parsed][google.cloud.kms.v1.Certificate.parsed] is true.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp not_before_time = 6 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return \Google\Protobuf\Timestamp|null
+     */
+    public function getNotBeforeTime()
+    {
+        return $this->not_before_time;
+    }
+
+    public function hasNotBeforeTime()
+    {
+        return isset($this->not_before_time);
+    }
+
+    public function clearNotBeforeTime()
+    {
+        unset($this->not_before_time);
+    }
+
+    /**
+     * Output only. The certificate is not valid before this time. Only present if
+     * [parsed][google.cloud.kms.v1.Certificate.parsed] is true.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp not_before_time = 6 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param \Google\Protobuf\Timestamp $var
+     * @return $this
+     */
+    public function setNotBeforeTime($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Timestamp::class);
+        $this->not_before_time = $var;
+
+        return $this;
+    }
+
+    /**
+     * Output only. The certificate is not valid after this time. Only present if
+     * [parsed][google.cloud.kms.v1.Certificate.parsed] is true.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp not_after_time = 7 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return \Google\Protobuf\Timestamp|null
+     */
+    public function getNotAfterTime()
+    {
+        return $this->not_after_time;
+    }
+
+    public function hasNotAfterTime()
+    {
+        return isset($this->not_after_time);
+    }
+
+    public function clearNotAfterTime()
+    {
+        unset($this->not_after_time);
+    }
+
+    /**
+     * Output only. The certificate is not valid after this time. Only present if
+     * [parsed][google.cloud.kms.v1.Certificate.parsed] is true.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp not_after_time = 7 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param \Google\Protobuf\Timestamp $var
+     * @return $this
+     */
+    public function setNotAfterTime($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Timestamp::class);
+        $this->not_after_time = $var;
+
+        return $this;
+    }
+
+    /**
+     * Output only. The certificate serial number as a hex string. Only present if
+     * [parsed][google.cloud.kms.v1.Certificate.parsed] is true.
+     *
+     * Generated from protobuf field <code>string serial_number = 8 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return string
+     */
+    public function getSerialNumber()
+    {
+        return $this->serial_number;
+    }
+
+    /**
+     * Output only. The certificate serial number as a hex string. Only present if
+     * [parsed][google.cloud.kms.v1.Certificate.parsed] is true.
+     *
+     * Generated from protobuf field <code>string serial_number = 8 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setSerialNumber($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->serial_number = $var;
+
+        return $this;
+    }
+
+    /**
+     * Output only. The SHA-256 certificate fingerprint as a hex string. Only
+     * present if [parsed][google.cloud.kms.v1.Certificate.parsed] is true.
+     *
+     * Generated from protobuf field <code>string sha256_fingerprint = 9 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return string
+     */
+    public function getSha256Fingerprint()
+    {
+        return $this->sha256_fingerprint;
+    }
+
+    /**
+     * Output only. The SHA-256 certificate fingerprint as a hex string. Only
+     * present if [parsed][google.cloud.kms.v1.Certificate.parsed] is true.
+     *
+     * Generated from protobuf field <code>string sha256_fingerprint = 9 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setSha256Fingerprint($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->sha256_fingerprint = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CreateCryptoKeyRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CreateCryptoKeyRequest.php
new file mode 100644
index 000000000000..2eefa5ea5baa
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CreateCryptoKeyRequest.php
@@ -0,0 +1,241 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [KeyManagementService.CreateCryptoKey][google.cloud.kms.v1.KeyManagementService.CreateCryptoKey].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.CreateCryptoKeyRequest</code>
+ */
+class CreateCryptoKeyRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. The [name][google.cloud.kms.v1.KeyRing.name] of the KeyRing
+     * associated with the [CryptoKeys][google.cloud.kms.v1.CryptoKey].
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     */
+    protected $parent = '';
+    /**
+     * Required. It must be unique within a KeyRing and match the regular
+     * expression `[a-zA-Z0-9_-]{1,63}`
+     *
+     * Generated from protobuf field <code>string crypto_key_id = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    protected $crypto_key_id = '';
+    /**
+     * Required. A [CryptoKey][google.cloud.kms.v1.CryptoKey] with initial field
+     * values.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKey crypto_key = 3 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    protected $crypto_key = null;
+    /**
+     * If set to true, the request will create a
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] without any
+     * [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]. You must
+     * manually call
+     * [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
+     * or
+     * [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion]
+     * before you can use this [CryptoKey][google.cloud.kms.v1.CryptoKey].
+     *
+     * Generated from protobuf field <code>bool skip_initial_version_creation = 5;</code>
+     */
+    protected $skip_initial_version_creation = false;
+
+    /**
+     * @param string                         $parent      Required. The [name][google.cloud.kms.v1.KeyRing.name] of the KeyRing
+     *                                                    associated with the [CryptoKeys][google.cloud.kms.v1.CryptoKey]. Please see
+     *                                                    {@see KeyManagementServiceClient::keyRingName()} for help formatting this field.
+     * @param string                         $cryptoKeyId Required. It must be unique within a KeyRing and match the regular
+     *                                                    expression `[a-zA-Z0-9_-]{1,63}`
+     * @param \Google\Cloud\Kms\V1\CryptoKey $cryptoKey   Required. A [CryptoKey][google.cloud.kms.v1.CryptoKey] with initial field
+     *                                                    values.
+     *
+     * @return \Google\Cloud\Kms\V1\CreateCryptoKeyRequest
+     *
+     * @experimental
+     */
+    public static function build(string $parent, string $cryptoKeyId, \Google\Cloud\Kms\V1\CryptoKey $cryptoKey): self
+    {
+        return (new self())
+            ->setParent($parent)
+            ->setCryptoKeyId($cryptoKeyId)
+            ->setCryptoKey($cryptoKey);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $parent
+     *           Required. The [name][google.cloud.kms.v1.KeyRing.name] of the KeyRing
+     *           associated with the [CryptoKeys][google.cloud.kms.v1.CryptoKey].
+     *     @type string $crypto_key_id
+     *           Required. It must be unique within a KeyRing and match the regular
+     *           expression `[a-zA-Z0-9_-]{1,63}`
+     *     @type \Google\Cloud\Kms\V1\CryptoKey $crypto_key
+     *           Required. A [CryptoKey][google.cloud.kms.v1.CryptoKey] with initial field
+     *           values.
+     *     @type bool $skip_initial_version_creation
+     *           If set to true, the request will create a
+     *           [CryptoKey][google.cloud.kms.v1.CryptoKey] without any
+     *           [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]. You must
+     *           manually call
+     *           [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
+     *           or
+     *           [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion]
+     *           before you can use this [CryptoKey][google.cloud.kms.v1.CryptoKey].
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. The [name][google.cloud.kms.v1.KeyRing.name] of the KeyRing
+     * associated with the [CryptoKeys][google.cloud.kms.v1.CryptoKey].
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @return string
+     */
+    public function getParent()
+    {
+        return $this->parent;
+    }
+
+    /**
+     * Required. The [name][google.cloud.kms.v1.KeyRing.name] of the KeyRing
+     * associated with the [CryptoKeys][google.cloud.kms.v1.CryptoKey].
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setParent($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->parent = $var;
+
+        return $this;
+    }
+
+    /**
+     * Required. It must be unique within a KeyRing and match the regular
+     * expression `[a-zA-Z0-9_-]{1,63}`
+     *
+     * Generated from protobuf field <code>string crypto_key_id = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return string
+     */
+    public function getCryptoKeyId()
+    {
+        return $this->crypto_key_id;
+    }
+
+    /**
+     * Required. It must be unique within a KeyRing and match the regular
+     * expression `[a-zA-Z0-9_-]{1,63}`
+     *
+     * Generated from protobuf field <code>string crypto_key_id = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setCryptoKeyId($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->crypto_key_id = $var;
+
+        return $this;
+    }
+
+    /**
+     * Required. A [CryptoKey][google.cloud.kms.v1.CryptoKey] with initial field
+     * values.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKey crypto_key = 3 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return \Google\Cloud\Kms\V1\CryptoKey|null
+     */
+    public function getCryptoKey()
+    {
+        return $this->crypto_key;
+    }
+
+    public function hasCryptoKey()
+    {
+        return isset($this->crypto_key);
+    }
+
+    public function clearCryptoKey()
+    {
+        unset($this->crypto_key);
+    }
+
+    /**
+     * Required. A [CryptoKey][google.cloud.kms.v1.CryptoKey] with initial field
+     * values.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKey crypto_key = 3 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param \Google\Cloud\Kms\V1\CryptoKey $var
+     * @return $this
+     */
+    public function setCryptoKey($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Cloud\Kms\V1\CryptoKey::class);
+        $this->crypto_key = $var;
+
+        return $this;
+    }
+
+    /**
+     * If set to true, the request will create a
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] without any
+     * [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]. You must
+     * manually call
+     * [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
+     * or
+     * [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion]
+     * before you can use this [CryptoKey][google.cloud.kms.v1.CryptoKey].
+     *
+     * Generated from protobuf field <code>bool skip_initial_version_creation = 5;</code>
+     * @return bool
+     */
+    public function getSkipInitialVersionCreation()
+    {
+        return $this->skip_initial_version_creation;
+    }
+
+    /**
+     * If set to true, the request will create a
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] without any
+     * [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]. You must
+     * manually call
+     * [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
+     * or
+     * [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion]
+     * before you can use this [CryptoKey][google.cloud.kms.v1.CryptoKey].
+     *
+     * Generated from protobuf field <code>bool skip_initial_version_creation = 5;</code>
+     * @param bool $var
+     * @return $this
+     */
+    public function setSkipInitialVersionCreation($var)
+    {
+        GPBUtil::checkBool($var);
+        $this->skip_initial_version_creation = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CreateCryptoKeyVersionRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CreateCryptoKeyVersionRequest.php
new file mode 100644
index 000000000000..ed1c2af7bf26
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CreateCryptoKeyVersionRequest.php
@@ -0,0 +1,143 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [KeyManagementService.CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.CreateCryptoKeyVersionRequest</code>
+ */
+class CreateCryptoKeyVersionRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] associated with the
+     * [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     */
+    protected $parent = '';
+    /**
+     * Required. A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
+     * initial field values.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKeyVersion crypto_key_version = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    protected $crypto_key_version = null;
+
+    /**
+     * @param string                                $parent           Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the
+     *                                                                [CryptoKey][google.cloud.kms.v1.CryptoKey] associated with the
+     *                                                                [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]. Please see
+     *                                                                {@see KeyManagementServiceClient::cryptoKeyName()} for help formatting this field.
+     * @param \Google\Cloud\Kms\V1\CryptoKeyVersion $cryptoKeyVersion Required. A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
+     *                                                                initial field values.
+     *
+     * @return \Google\Cloud\Kms\V1\CreateCryptoKeyVersionRequest
+     *
+     * @experimental
+     */
+    public static function build(string $parent, \Google\Cloud\Kms\V1\CryptoKeyVersion $cryptoKeyVersion): self
+    {
+        return (new self())
+            ->setParent($parent)
+            ->setCryptoKeyVersion($cryptoKeyVersion);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $parent
+     *           Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the
+     *           [CryptoKey][google.cloud.kms.v1.CryptoKey] associated with the
+     *           [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
+     *     @type \Google\Cloud\Kms\V1\CryptoKeyVersion $crypto_key_version
+     *           Required. A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
+     *           initial field values.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] associated with the
+     * [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @return string
+     */
+    public function getParent()
+    {
+        return $this->parent;
+    }
+
+    /**
+     * Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] associated with the
+     * [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setParent($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->parent = $var;
+
+        return $this;
+    }
+
+    /**
+     * Required. A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
+     * initial field values.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKeyVersion crypto_key_version = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return \Google\Cloud\Kms\V1\CryptoKeyVersion|null
+     */
+    public function getCryptoKeyVersion()
+    {
+        return $this->crypto_key_version;
+    }
+
+    public function hasCryptoKeyVersion()
+    {
+        return isset($this->crypto_key_version);
+    }
+
+    public function clearCryptoKeyVersion()
+    {
+        unset($this->crypto_key_version);
+    }
+
+    /**
+     * Required. A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
+     * initial field values.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKeyVersion crypto_key_version = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param \Google\Cloud\Kms\V1\CryptoKeyVersion $var
+     * @return $this
+     */
+    public function setCryptoKeyVersion($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Cloud\Kms\V1\CryptoKeyVersion::class);
+        $this->crypto_key_version = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CreateEkmConnectionRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CreateEkmConnectionRequest.php
new file mode 100644
index 000000000000..0b087b989419
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CreateEkmConnectionRequest.php
@@ -0,0 +1,184 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/ekm_service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [EkmService.CreateEkmConnection][google.cloud.kms.v1.EkmService.CreateEkmConnection].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.CreateEkmConnectionRequest</code>
+ */
+class CreateEkmConnectionRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. The resource name of the location associated with the
+     * [EkmConnection][google.cloud.kms.v1.EkmConnection], in the format
+     * `projects/&#42;&#47;locations/&#42;`.
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     */
+    protected $parent = '';
+    /**
+     * Required. It must be unique within a location and match the regular
+     * expression `[a-zA-Z0-9_-]{1,63}`.
+     *
+     * Generated from protobuf field <code>string ekm_connection_id = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    protected $ekm_connection_id = '';
+    /**
+     * Required. An [EkmConnection][google.cloud.kms.v1.EkmConnection] with
+     * initial field values.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.EkmConnection ekm_connection = 3 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    protected $ekm_connection = null;
+
+    /**
+     * @param string                             $parent          Required. The resource name of the location associated with the
+     *                                                            [EkmConnection][google.cloud.kms.v1.EkmConnection], in the format
+     *                                                            `projects/&#42;/locations/*`. Please see
+     *                                                            {@see EkmServiceClient::locationName()} for help formatting this field.
+     * @param string                             $ekmConnectionId Required. It must be unique within a location and match the regular
+     *                                                            expression `[a-zA-Z0-9_-]{1,63}`.
+     * @param \Google\Cloud\Kms\V1\EkmConnection $ekmConnection   Required. An [EkmConnection][google.cloud.kms.v1.EkmConnection] with
+     *                                                            initial field values.
+     *
+     * @return \Google\Cloud\Kms\V1\CreateEkmConnectionRequest
+     *
+     * @experimental
+     */
+    public static function build(string $parent, string $ekmConnectionId, \Google\Cloud\Kms\V1\EkmConnection $ekmConnection): self
+    {
+        return (new self())
+            ->setParent($parent)
+            ->setEkmConnectionId($ekmConnectionId)
+            ->setEkmConnection($ekmConnection);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $parent
+     *           Required. The resource name of the location associated with the
+     *           [EkmConnection][google.cloud.kms.v1.EkmConnection], in the format
+     *           `projects/&#42;&#47;locations/&#42;`.
+     *     @type string $ekm_connection_id
+     *           Required. It must be unique within a location and match the regular
+     *           expression `[a-zA-Z0-9_-]{1,63}`.
+     *     @type \Google\Cloud\Kms\V1\EkmConnection $ekm_connection
+     *           Required. An [EkmConnection][google.cloud.kms.v1.EkmConnection] with
+     *           initial field values.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\EkmService::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. The resource name of the location associated with the
+     * [EkmConnection][google.cloud.kms.v1.EkmConnection], in the format
+     * `projects/&#42;&#47;locations/&#42;`.
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @return string
+     */
+    public function getParent()
+    {
+        return $this->parent;
+    }
+
+    /**
+     * Required. The resource name of the location associated with the
+     * [EkmConnection][google.cloud.kms.v1.EkmConnection], in the format
+     * `projects/&#42;&#47;locations/&#42;`.
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setParent($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->parent = $var;
+
+        return $this;
+    }
+
+    /**
+     * Required. It must be unique within a location and match the regular
+     * expression `[a-zA-Z0-9_-]{1,63}`.
+     *
+     * Generated from protobuf field <code>string ekm_connection_id = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return string
+     */
+    public function getEkmConnectionId()
+    {
+        return $this->ekm_connection_id;
+    }
+
+    /**
+     * Required. It must be unique within a location and match the regular
+     * expression `[a-zA-Z0-9_-]{1,63}`.
+     *
+     * Generated from protobuf field <code>string ekm_connection_id = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setEkmConnectionId($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->ekm_connection_id = $var;
+
+        return $this;
+    }
+
+    /**
+     * Required. An [EkmConnection][google.cloud.kms.v1.EkmConnection] with
+     * initial field values.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.EkmConnection ekm_connection = 3 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return \Google\Cloud\Kms\V1\EkmConnection|null
+     */
+    public function getEkmConnection()
+    {
+        return $this->ekm_connection;
+    }
+
+    public function hasEkmConnection()
+    {
+        return isset($this->ekm_connection);
+    }
+
+    public function clearEkmConnection()
+    {
+        unset($this->ekm_connection);
+    }
+
+    /**
+     * Required. An [EkmConnection][google.cloud.kms.v1.EkmConnection] with
+     * initial field values.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.EkmConnection ekm_connection = 3 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param \Google\Cloud\Kms\V1\EkmConnection $var
+     * @return $this
+     */
+    public function setEkmConnection($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Cloud\Kms\V1\EkmConnection::class);
+        $this->ekm_connection = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CreateImportJobRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CreateImportJobRequest.php
new file mode 100644
index 000000000000..cf82ffb0e04a
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CreateImportJobRequest.php
@@ -0,0 +1,184 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [KeyManagementService.CreateImportJob][google.cloud.kms.v1.KeyManagementService.CreateImportJob].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.CreateImportJobRequest</code>
+ */
+class CreateImportJobRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. The [name][google.cloud.kms.v1.KeyRing.name] of the
+     * [KeyRing][google.cloud.kms.v1.KeyRing] associated with the
+     * [ImportJobs][google.cloud.kms.v1.ImportJob].
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     */
+    protected $parent = '';
+    /**
+     * Required. It must be unique within a KeyRing and match the regular
+     * expression `[a-zA-Z0-9_-]{1,63}`
+     *
+     * Generated from protobuf field <code>string import_job_id = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    protected $import_job_id = '';
+    /**
+     * Required. An [ImportJob][google.cloud.kms.v1.ImportJob] with initial field
+     * values.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ImportJob import_job = 3 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    protected $import_job = null;
+
+    /**
+     * @param string                         $parent      Required. The [name][google.cloud.kms.v1.KeyRing.name] of the
+     *                                                    [KeyRing][google.cloud.kms.v1.KeyRing] associated with the
+     *                                                    [ImportJobs][google.cloud.kms.v1.ImportJob]. Please see
+     *                                                    {@see KeyManagementServiceClient::keyRingName()} for help formatting this field.
+     * @param string                         $importJobId Required. It must be unique within a KeyRing and match the regular
+     *                                                    expression `[a-zA-Z0-9_-]{1,63}`
+     * @param \Google\Cloud\Kms\V1\ImportJob $importJob   Required. An [ImportJob][google.cloud.kms.v1.ImportJob] with initial field
+     *                                                    values.
+     *
+     * @return \Google\Cloud\Kms\V1\CreateImportJobRequest
+     *
+     * @experimental
+     */
+    public static function build(string $parent, string $importJobId, \Google\Cloud\Kms\V1\ImportJob $importJob): self
+    {
+        return (new self())
+            ->setParent($parent)
+            ->setImportJobId($importJobId)
+            ->setImportJob($importJob);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $parent
+     *           Required. The [name][google.cloud.kms.v1.KeyRing.name] of the
+     *           [KeyRing][google.cloud.kms.v1.KeyRing] associated with the
+     *           [ImportJobs][google.cloud.kms.v1.ImportJob].
+     *     @type string $import_job_id
+     *           Required. It must be unique within a KeyRing and match the regular
+     *           expression `[a-zA-Z0-9_-]{1,63}`
+     *     @type \Google\Cloud\Kms\V1\ImportJob $import_job
+     *           Required. An [ImportJob][google.cloud.kms.v1.ImportJob] with initial field
+     *           values.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. The [name][google.cloud.kms.v1.KeyRing.name] of the
+     * [KeyRing][google.cloud.kms.v1.KeyRing] associated with the
+     * [ImportJobs][google.cloud.kms.v1.ImportJob].
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @return string
+     */
+    public function getParent()
+    {
+        return $this->parent;
+    }
+
+    /**
+     * Required. The [name][google.cloud.kms.v1.KeyRing.name] of the
+     * [KeyRing][google.cloud.kms.v1.KeyRing] associated with the
+     * [ImportJobs][google.cloud.kms.v1.ImportJob].
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setParent($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->parent = $var;
+
+        return $this;
+    }
+
+    /**
+     * Required. It must be unique within a KeyRing and match the regular
+     * expression `[a-zA-Z0-9_-]{1,63}`
+     *
+     * Generated from protobuf field <code>string import_job_id = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return string
+     */
+    public function getImportJobId()
+    {
+        return $this->import_job_id;
+    }
+
+    /**
+     * Required. It must be unique within a KeyRing and match the regular
+     * expression `[a-zA-Z0-9_-]{1,63}`
+     *
+     * Generated from protobuf field <code>string import_job_id = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setImportJobId($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->import_job_id = $var;
+
+        return $this;
+    }
+
+    /**
+     * Required. An [ImportJob][google.cloud.kms.v1.ImportJob] with initial field
+     * values.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ImportJob import_job = 3 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return \Google\Cloud\Kms\V1\ImportJob|null
+     */
+    public function getImportJob()
+    {
+        return $this->import_job;
+    }
+
+    public function hasImportJob()
+    {
+        return isset($this->import_job);
+    }
+
+    public function clearImportJob()
+    {
+        unset($this->import_job);
+    }
+
+    /**
+     * Required. An [ImportJob][google.cloud.kms.v1.ImportJob] with initial field
+     * values.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ImportJob import_job = 3 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param \Google\Cloud\Kms\V1\ImportJob $var
+     * @return $this
+     */
+    public function setImportJob($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Cloud\Kms\V1\ImportJob::class);
+        $this->import_job = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CreateKeyHandleMetadata.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CreateKeyHandleMetadata.php
new file mode 100644
index 000000000000..c55a5d085cd8
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CreateKeyHandleMetadata.php
@@ -0,0 +1,35 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/autokey.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Metadata message for
+ * [CreateKeyHandle][google.cloud.kms.v1.Autokey.CreateKeyHandle] long-running
+ * operation response.
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.CreateKeyHandleMetadata</code>
+ */
+class CreateKeyHandleMetadata extends \Google\Protobuf\Internal\Message
+{
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Autokey::initOnce();
+        parent::__construct($data);
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CreateKeyHandleRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CreateKeyHandleRequest.php
new file mode 100644
index 000000000000..b8cdd62f5531
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CreateKeyHandleRequest.php
@@ -0,0 +1,184 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/autokey.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [Autokey.CreateKeyHandle][google.cloud.kms.v1.Autokey.CreateKeyHandle].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.CreateKeyHandleRequest</code>
+ */
+class CreateKeyHandleRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. Name of the resource project and location to create the
+     * [KeyHandle][google.cloud.kms.v1.KeyHandle] in, e.g.
+     * `projects/{PROJECT_ID}/locations/{LOCATION}`.
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     */
+    protected $parent = '';
+    /**
+     * Optional. Id of the [KeyHandle][google.cloud.kms.v1.KeyHandle]. Must be
+     * unique to the resource project and location. If not provided by the caller,
+     * a new UUID is used.
+     *
+     * Generated from protobuf field <code>string key_handle_id = 2 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $key_handle_id = '';
+    /**
+     * Required. [KeyHandle][google.cloud.kms.v1.KeyHandle] to create.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.KeyHandle key_handle = 3 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    protected $key_handle = null;
+
+    /**
+     * @param string                         $parent      Required. Name of the resource project and location to create the
+     *                                                    [KeyHandle][google.cloud.kms.v1.KeyHandle] in, e.g.
+     *                                                    `projects/{PROJECT_ID}/locations/{LOCATION}`. Please see
+     *                                                    {@see AutokeyClient::locationName()} for help formatting this field.
+     * @param \Google\Cloud\Kms\V1\KeyHandle $keyHandle   Required. [KeyHandle][google.cloud.kms.v1.KeyHandle] to create.
+     * @param string                         $keyHandleId Optional. Id of the [KeyHandle][google.cloud.kms.v1.KeyHandle]. Must be
+     *                                                    unique to the resource project and location. If not provided by the caller,
+     *                                                    a new UUID is used.
+     *
+     * @return \Google\Cloud\Kms\V1\CreateKeyHandleRequest
+     *
+     * @experimental
+     */
+    public static function build(string $parent, \Google\Cloud\Kms\V1\KeyHandle $keyHandle, string $keyHandleId): self
+    {
+        return (new self())
+            ->setParent($parent)
+            ->setKeyHandle($keyHandle)
+            ->setKeyHandleId($keyHandleId);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $parent
+     *           Required. Name of the resource project and location to create the
+     *           [KeyHandle][google.cloud.kms.v1.KeyHandle] in, e.g.
+     *           `projects/{PROJECT_ID}/locations/{LOCATION}`.
+     *     @type string $key_handle_id
+     *           Optional. Id of the [KeyHandle][google.cloud.kms.v1.KeyHandle]. Must be
+     *           unique to the resource project and location. If not provided by the caller,
+     *           a new UUID is used.
+     *     @type \Google\Cloud\Kms\V1\KeyHandle $key_handle
+     *           Required. [KeyHandle][google.cloud.kms.v1.KeyHandle] to create.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Autokey::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. Name of the resource project and location to create the
+     * [KeyHandle][google.cloud.kms.v1.KeyHandle] in, e.g.
+     * `projects/{PROJECT_ID}/locations/{LOCATION}`.
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @return string
+     */
+    public function getParent()
+    {
+        return $this->parent;
+    }
+
+    /**
+     * Required. Name of the resource project and location to create the
+     * [KeyHandle][google.cloud.kms.v1.KeyHandle] in, e.g.
+     * `projects/{PROJECT_ID}/locations/{LOCATION}`.
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setParent($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->parent = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. Id of the [KeyHandle][google.cloud.kms.v1.KeyHandle]. Must be
+     * unique to the resource project and location. If not provided by the caller,
+     * a new UUID is used.
+     *
+     * Generated from protobuf field <code>string key_handle_id = 2 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return string
+     */
+    public function getKeyHandleId()
+    {
+        return $this->key_handle_id;
+    }
+
+    /**
+     * Optional. Id of the [KeyHandle][google.cloud.kms.v1.KeyHandle]. Must be
+     * unique to the resource project and location. If not provided by the caller,
+     * a new UUID is used.
+     *
+     * Generated from protobuf field <code>string key_handle_id = 2 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setKeyHandleId($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->key_handle_id = $var;
+
+        return $this;
+    }
+
+    /**
+     * Required. [KeyHandle][google.cloud.kms.v1.KeyHandle] to create.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.KeyHandle key_handle = 3 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return \Google\Cloud\Kms\V1\KeyHandle|null
+     */
+    public function getKeyHandle()
+    {
+        return $this->key_handle;
+    }
+
+    public function hasKeyHandle()
+    {
+        return isset($this->key_handle);
+    }
+
+    public function clearKeyHandle()
+    {
+        unset($this->key_handle);
+    }
+
+    /**
+     * Required. [KeyHandle][google.cloud.kms.v1.KeyHandle] to create.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.KeyHandle key_handle = 3 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param \Google\Cloud\Kms\V1\KeyHandle $var
+     * @return $this
+     */
+    public function setKeyHandle($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Cloud\Kms\V1\KeyHandle::class);
+        $this->key_handle = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CreateKeyRingRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CreateKeyRingRequest.php
new file mode 100644
index 000000000000..22c6f3b3054f
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CreateKeyRingRequest.php
@@ -0,0 +1,184 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [KeyManagementService.CreateKeyRing][google.cloud.kms.v1.KeyManagementService.CreateKeyRing].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.CreateKeyRingRequest</code>
+ */
+class CreateKeyRingRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. The resource name of the location associated with the
+     * [KeyRings][google.cloud.kms.v1.KeyRing], in the format
+     * `projects/&#42;&#47;locations/&#42;`.
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     */
+    protected $parent = '';
+    /**
+     * Required. It must be unique within a location and match the regular
+     * expression `[a-zA-Z0-9_-]{1,63}`
+     *
+     * Generated from protobuf field <code>string key_ring_id = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    protected $key_ring_id = '';
+    /**
+     * Required. A [KeyRing][google.cloud.kms.v1.KeyRing] with initial field
+     * values.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.KeyRing key_ring = 3 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    protected $key_ring = null;
+
+    /**
+     * @param string                       $parent    Required. The resource name of the location associated with the
+     *                                                [KeyRings][google.cloud.kms.v1.KeyRing], in the format
+     *                                                `projects/&#42;/locations/*`. Please see
+     *                                                {@see KeyManagementServiceClient::locationName()} for help formatting this field.
+     * @param string                       $keyRingId Required. It must be unique within a location and match the regular
+     *                                                expression `[a-zA-Z0-9_-]{1,63}`
+     * @param \Google\Cloud\Kms\V1\KeyRing $keyRing   Required. A [KeyRing][google.cloud.kms.v1.KeyRing] with initial field
+     *                                                values.
+     *
+     * @return \Google\Cloud\Kms\V1\CreateKeyRingRequest
+     *
+     * @experimental
+     */
+    public static function build(string $parent, string $keyRingId, \Google\Cloud\Kms\V1\KeyRing $keyRing): self
+    {
+        return (new self())
+            ->setParent($parent)
+            ->setKeyRingId($keyRingId)
+            ->setKeyRing($keyRing);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $parent
+     *           Required. The resource name of the location associated with the
+     *           [KeyRings][google.cloud.kms.v1.KeyRing], in the format
+     *           `projects/&#42;&#47;locations/&#42;`.
+     *     @type string $key_ring_id
+     *           Required. It must be unique within a location and match the regular
+     *           expression `[a-zA-Z0-9_-]{1,63}`
+     *     @type \Google\Cloud\Kms\V1\KeyRing $key_ring
+     *           Required. A [KeyRing][google.cloud.kms.v1.KeyRing] with initial field
+     *           values.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. The resource name of the location associated with the
+     * [KeyRings][google.cloud.kms.v1.KeyRing], in the format
+     * `projects/&#42;&#47;locations/&#42;`.
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @return string
+     */
+    public function getParent()
+    {
+        return $this->parent;
+    }
+
+    /**
+     * Required. The resource name of the location associated with the
+     * [KeyRings][google.cloud.kms.v1.KeyRing], in the format
+     * `projects/&#42;&#47;locations/&#42;`.
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setParent($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->parent = $var;
+
+        return $this;
+    }
+
+    /**
+     * Required. It must be unique within a location and match the regular
+     * expression `[a-zA-Z0-9_-]{1,63}`
+     *
+     * Generated from protobuf field <code>string key_ring_id = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return string
+     */
+    public function getKeyRingId()
+    {
+        return $this->key_ring_id;
+    }
+
+    /**
+     * Required. It must be unique within a location and match the regular
+     * expression `[a-zA-Z0-9_-]{1,63}`
+     *
+     * Generated from protobuf field <code>string key_ring_id = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setKeyRingId($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->key_ring_id = $var;
+
+        return $this;
+    }
+
+    /**
+     * Required. A [KeyRing][google.cloud.kms.v1.KeyRing] with initial field
+     * values.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.KeyRing key_ring = 3 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return \Google\Cloud\Kms\V1\KeyRing|null
+     */
+    public function getKeyRing()
+    {
+        return $this->key_ring;
+    }
+
+    public function hasKeyRing()
+    {
+        return isset($this->key_ring);
+    }
+
+    public function clearKeyRing()
+    {
+        unset($this->key_ring);
+    }
+
+    /**
+     * Required. A [KeyRing][google.cloud.kms.v1.KeyRing] with initial field
+     * values.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.KeyRing key_ring = 3 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param \Google\Cloud\Kms\V1\KeyRing $var
+     * @return $this
+     */
+    public function setKeyRing($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Cloud\Kms\V1\KeyRing::class);
+        $this->key_ring = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CryptoKey.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CryptoKey.php
new file mode 100644
index 000000000000..e82ffe8ab6ec
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CryptoKey.php
@@ -0,0 +1,748 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/resources.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that
+ * can be used for cryptographic operations.
+ * A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up of zero or more
+ * [versions][google.cloud.kms.v1.CryptoKeyVersion], which represent the actual
+ * key material used in cryptographic operations.
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.CryptoKey</code>
+ */
+class CryptoKey extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Output only. The resource name for this
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] in the format
+     * `projects/&#42;&#47;locations/&#42;&#47;keyRings/&#42;&#47;cryptoKeys/&#42;`.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $name = '';
+    /**
+     * Output only. A copy of the "primary"
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that will be used
+     * by [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt] when this
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] is given in
+     * [EncryptRequest.name][google.cloud.kms.v1.EncryptRequest.name].
+     * The [CryptoKey][google.cloud.kms.v1.CryptoKey]'s primary version can be
+     * updated via
+     * [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion].
+     * Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose]
+     * [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]
+     * may have a primary. For other keys, this field will be omitted.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKeyVersion primary = 2 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $primary = null;
+    /**
+     * Immutable. The immutable purpose of this
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey].
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose purpose = 3 [(.google.api.field_behavior) = IMMUTABLE];</code>
+     */
+    protected $purpose = 0;
+    /**
+     * Output only. The time at which this
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] was created.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp create_time = 5 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $create_time = null;
+    /**
+     * At [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time],
+     * the Key Management Service will automatically:
+     * 1. Create a new version of this [CryptoKey][google.cloud.kms.v1.CryptoKey].
+     * 2. Mark the new version as primary.
+     * Key rotations performed manually via
+     * [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
+     * and
+     * [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion]
+     * do not affect
+     * [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time].
+     * Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose]
+     * [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]
+     * support automatic rotation. For other keys, this field must be omitted.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp next_rotation_time = 7;</code>
+     */
+    protected $next_rotation_time = null;
+    /**
+     * A template describing settings for new
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] instances. The
+     * properties of new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+     * instances created by either
+     * [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
+     * or auto-rotation are controlled by this template.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKeyVersionTemplate version_template = 11;</code>
+     */
+    protected $version_template = null;
+    /**
+     * Labels with user-defined metadata. For more information, see
+     * [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys).
+     *
+     * Generated from protobuf field <code>map<string, string> labels = 10;</code>
+     */
+    private $labels;
+    /**
+     * Immutable. Whether this key may contain imported versions only.
+     *
+     * Generated from protobuf field <code>bool import_only = 13 [(.google.api.field_behavior) = IMMUTABLE];</code>
+     */
+    protected $import_only = false;
+    /**
+     * Immutable. The period of time that versions of this key spend in the
+     * [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED]
+     * state before transitioning to
+     * [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED].
+     * If not specified at creation time, the default duration is 30 days.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Duration destroy_scheduled_duration = 14 [(.google.api.field_behavior) = IMMUTABLE];</code>
+     */
+    protected $destroy_scheduled_duration = null;
+    /**
+     * Immutable. The resource name of the backend environment where the key
+     * material for all [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]
+     * associated with this [CryptoKey][google.cloud.kms.v1.CryptoKey] reside and
+     * where all related cryptographic operations are performed. Only applicable
+     * if [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] have a
+     * [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of
+     * [EXTERNAL_VPC][CryptoKeyVersion.ProtectionLevel.EXTERNAL_VPC], with the
+     * resource name in the format `projects/&#42;&#47;locations/&#42;&#47;ekmConnections/&#42;`.
+     * Note, this list is non-exhaustive and may apply to additional
+     * [ProtectionLevels][google.cloud.kms.v1.ProtectionLevel] in the future.
+     *
+     * Generated from protobuf field <code>string crypto_key_backend = 15 [(.google.api.field_behavior) = IMMUTABLE, (.google.api.resource_reference) = {</code>
+     */
+    protected $crypto_key_backend = '';
+    /**
+     * Optional. The policy used for Key Access Justifications Policy Enforcement.
+     * If this field is present and this key is enrolled in Key Access
+     * Justifications Policy Enforcement, the policy will be evaluated in encrypt,
+     * decrypt, and sign operations, and the operation will fail if rejected by
+     * the policy. The policy is defined by specifying zero or more allowed
+     * justification codes.
+     * https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes
+     * By default, this field is absent, and all justification codes are allowed.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.KeyAccessJustificationsPolicy key_access_justifications_policy = 17 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $key_access_justifications_policy = null;
+    protected $rotation_schedule;
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $name
+     *           Output only. The resource name for this
+     *           [CryptoKey][google.cloud.kms.v1.CryptoKey] in the format
+     *           `projects/&#42;&#47;locations/&#42;&#47;keyRings/&#42;&#47;cryptoKeys/&#42;`.
+     *     @type \Google\Cloud\Kms\V1\CryptoKeyVersion $primary
+     *           Output only. A copy of the "primary"
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that will be used
+     *           by [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt] when this
+     *           [CryptoKey][google.cloud.kms.v1.CryptoKey] is given in
+     *           [EncryptRequest.name][google.cloud.kms.v1.EncryptRequest.name].
+     *           The [CryptoKey][google.cloud.kms.v1.CryptoKey]'s primary version can be
+     *           updated via
+     *           [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion].
+     *           Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose]
+     *           [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]
+     *           may have a primary. For other keys, this field will be omitted.
+     *     @type int $purpose
+     *           Immutable. The immutable purpose of this
+     *           [CryptoKey][google.cloud.kms.v1.CryptoKey].
+     *     @type \Google\Protobuf\Timestamp $create_time
+     *           Output only. The time at which this
+     *           [CryptoKey][google.cloud.kms.v1.CryptoKey] was created.
+     *     @type \Google\Protobuf\Timestamp $next_rotation_time
+     *           At [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time],
+     *           the Key Management Service will automatically:
+     *           1. Create a new version of this [CryptoKey][google.cloud.kms.v1.CryptoKey].
+     *           2. Mark the new version as primary.
+     *           Key rotations performed manually via
+     *           [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
+     *           and
+     *           [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion]
+     *           do not affect
+     *           [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time].
+     *           Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose]
+     *           [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]
+     *           support automatic rotation. For other keys, this field must be omitted.
+     *     @type \Google\Protobuf\Duration $rotation_period
+     *           [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time]
+     *           will be advanced by this period when the service automatically rotates a
+     *           key. Must be at least 24 hours and at most 876,000 hours.
+     *           If [rotation_period][google.cloud.kms.v1.CryptoKey.rotation_period] is
+     *           set,
+     *           [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time]
+     *           must also be set.
+     *           Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose]
+     *           [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]
+     *           support automatic rotation. For other keys, this field must be omitted.
+     *     @type \Google\Cloud\Kms\V1\CryptoKeyVersionTemplate $version_template
+     *           A template describing settings for new
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] instances. The
+     *           properties of new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+     *           instances created by either
+     *           [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
+     *           or auto-rotation are controlled by this template.
+     *     @type array|\Google\Protobuf\Internal\MapField $labels
+     *           Labels with user-defined metadata. For more information, see
+     *           [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys).
+     *     @type bool $import_only
+     *           Immutable. Whether this key may contain imported versions only.
+     *     @type \Google\Protobuf\Duration $destroy_scheduled_duration
+     *           Immutable. The period of time that versions of this key spend in the
+     *           [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED]
+     *           state before transitioning to
+     *           [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED].
+     *           If not specified at creation time, the default duration is 30 days.
+     *     @type string $crypto_key_backend
+     *           Immutable. The resource name of the backend environment where the key
+     *           material for all [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]
+     *           associated with this [CryptoKey][google.cloud.kms.v1.CryptoKey] reside and
+     *           where all related cryptographic operations are performed. Only applicable
+     *           if [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] have a
+     *           [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of
+     *           [EXTERNAL_VPC][CryptoKeyVersion.ProtectionLevel.EXTERNAL_VPC], with the
+     *           resource name in the format `projects/&#42;&#47;locations/&#42;&#47;ekmConnections/&#42;`.
+     *           Note, this list is non-exhaustive and may apply to additional
+     *           [ProtectionLevels][google.cloud.kms.v1.ProtectionLevel] in the future.
+     *     @type \Google\Cloud\Kms\V1\KeyAccessJustificationsPolicy $key_access_justifications_policy
+     *           Optional. The policy used for Key Access Justifications Policy Enforcement.
+     *           If this field is present and this key is enrolled in Key Access
+     *           Justifications Policy Enforcement, the policy will be evaluated in encrypt,
+     *           decrypt, and sign operations, and the operation will fail if rejected by
+     *           the policy. The policy is defined by specifying zero or more allowed
+     *           justification codes.
+     *           https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes
+     *           By default, this field is absent, and all justification codes are allowed.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Resources::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Output only. The resource name for this
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] in the format
+     * `projects/&#42;&#47;locations/&#42;&#47;keyRings/&#42;&#47;cryptoKeys/&#42;`.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * Output only. The resource name for this
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] in the format
+     * `projects/&#42;&#47;locations/&#42;&#47;keyRings/&#42;&#47;cryptoKeys/&#42;`.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setName($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->name = $var;
+
+        return $this;
+    }
+
+    /**
+     * Output only. A copy of the "primary"
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that will be used
+     * by [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt] when this
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] is given in
+     * [EncryptRequest.name][google.cloud.kms.v1.EncryptRequest.name].
+     * The [CryptoKey][google.cloud.kms.v1.CryptoKey]'s primary version can be
+     * updated via
+     * [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion].
+     * Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose]
+     * [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]
+     * may have a primary. For other keys, this field will be omitted.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKeyVersion primary = 2 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return \Google\Cloud\Kms\V1\CryptoKeyVersion|null
+     */
+    public function getPrimary()
+    {
+        return $this->primary;
+    }
+
+    public function hasPrimary()
+    {
+        return isset($this->primary);
+    }
+
+    public function clearPrimary()
+    {
+        unset($this->primary);
+    }
+
+    /**
+     * Output only. A copy of the "primary"
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that will be used
+     * by [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt] when this
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] is given in
+     * [EncryptRequest.name][google.cloud.kms.v1.EncryptRequest.name].
+     * The [CryptoKey][google.cloud.kms.v1.CryptoKey]'s primary version can be
+     * updated via
+     * [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion].
+     * Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose]
+     * [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]
+     * may have a primary. For other keys, this field will be omitted.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKeyVersion primary = 2 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param \Google\Cloud\Kms\V1\CryptoKeyVersion $var
+     * @return $this
+     */
+    public function setPrimary($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Cloud\Kms\V1\CryptoKeyVersion::class);
+        $this->primary = $var;
+
+        return $this;
+    }
+
+    /**
+     * Immutable. The immutable purpose of this
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey].
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose purpose = 3 [(.google.api.field_behavior) = IMMUTABLE];</code>
+     * @return int
+     */
+    public function getPurpose()
+    {
+        return $this->purpose;
+    }
+
+    /**
+     * Immutable. The immutable purpose of this
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey].
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose purpose = 3 [(.google.api.field_behavior) = IMMUTABLE];</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setPurpose($var)
+    {
+        GPBUtil::checkEnum($var, \Google\Cloud\Kms\V1\CryptoKey\CryptoKeyPurpose::class);
+        $this->purpose = $var;
+
+        return $this;
+    }
+
+    /**
+     * Output only. The time at which this
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] was created.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp create_time = 5 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return \Google\Protobuf\Timestamp|null
+     */
+    public function getCreateTime()
+    {
+        return $this->create_time;
+    }
+
+    public function hasCreateTime()
+    {
+        return isset($this->create_time);
+    }
+
+    public function clearCreateTime()
+    {
+        unset($this->create_time);
+    }
+
+    /**
+     * Output only. The time at which this
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] was created.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp create_time = 5 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param \Google\Protobuf\Timestamp $var
+     * @return $this
+     */
+    public function setCreateTime($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Timestamp::class);
+        $this->create_time = $var;
+
+        return $this;
+    }
+
+    /**
+     * At [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time],
+     * the Key Management Service will automatically:
+     * 1. Create a new version of this [CryptoKey][google.cloud.kms.v1.CryptoKey].
+     * 2. Mark the new version as primary.
+     * Key rotations performed manually via
+     * [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
+     * and
+     * [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion]
+     * do not affect
+     * [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time].
+     * Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose]
+     * [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]
+     * support automatic rotation. For other keys, this field must be omitted.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp next_rotation_time = 7;</code>
+     * @return \Google\Protobuf\Timestamp|null
+     */
+    public function getNextRotationTime()
+    {
+        return $this->next_rotation_time;
+    }
+
+    public function hasNextRotationTime()
+    {
+        return isset($this->next_rotation_time);
+    }
+
+    public function clearNextRotationTime()
+    {
+        unset($this->next_rotation_time);
+    }
+
+    /**
+     * At [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time],
+     * the Key Management Service will automatically:
+     * 1. Create a new version of this [CryptoKey][google.cloud.kms.v1.CryptoKey].
+     * 2. Mark the new version as primary.
+     * Key rotations performed manually via
+     * [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
+     * and
+     * [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion]
+     * do not affect
+     * [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time].
+     * Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose]
+     * [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]
+     * support automatic rotation. For other keys, this field must be omitted.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp next_rotation_time = 7;</code>
+     * @param \Google\Protobuf\Timestamp $var
+     * @return $this
+     */
+    public function setNextRotationTime($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Timestamp::class);
+        $this->next_rotation_time = $var;
+
+        return $this;
+    }
+
+    /**
+     * [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time]
+     * will be advanced by this period when the service automatically rotates a
+     * key. Must be at least 24 hours and at most 876,000 hours.
+     * If [rotation_period][google.cloud.kms.v1.CryptoKey.rotation_period] is
+     * set,
+     * [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time]
+     * must also be set.
+     * Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose]
+     * [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]
+     * support automatic rotation. For other keys, this field must be omitted.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Duration rotation_period = 8;</code>
+     * @return \Google\Protobuf\Duration|null
+     */
+    public function getRotationPeriod()
+    {
+        return $this->readOneof(8);
+    }
+
+    public function hasRotationPeriod()
+    {
+        return $this->hasOneof(8);
+    }
+
+    /**
+     * [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time]
+     * will be advanced by this period when the service automatically rotates a
+     * key. Must be at least 24 hours and at most 876,000 hours.
+     * If [rotation_period][google.cloud.kms.v1.CryptoKey.rotation_period] is
+     * set,
+     * [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time]
+     * must also be set.
+     * Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose]
+     * [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]
+     * support automatic rotation. For other keys, this field must be omitted.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Duration rotation_period = 8;</code>
+     * @param \Google\Protobuf\Duration $var
+     * @return $this
+     */
+    public function setRotationPeriod($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Duration::class);
+        $this->writeOneof(8, $var);
+
+        return $this;
+    }
+
+    /**
+     * A template describing settings for new
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] instances. The
+     * properties of new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+     * instances created by either
+     * [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
+     * or auto-rotation are controlled by this template.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKeyVersionTemplate version_template = 11;</code>
+     * @return \Google\Cloud\Kms\V1\CryptoKeyVersionTemplate|null
+     */
+    public function getVersionTemplate()
+    {
+        return $this->version_template;
+    }
+
+    public function hasVersionTemplate()
+    {
+        return isset($this->version_template);
+    }
+
+    public function clearVersionTemplate()
+    {
+        unset($this->version_template);
+    }
+
+    /**
+     * A template describing settings for new
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] instances. The
+     * properties of new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+     * instances created by either
+     * [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
+     * or auto-rotation are controlled by this template.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKeyVersionTemplate version_template = 11;</code>
+     * @param \Google\Cloud\Kms\V1\CryptoKeyVersionTemplate $var
+     * @return $this
+     */
+    public function setVersionTemplate($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Cloud\Kms\V1\CryptoKeyVersionTemplate::class);
+        $this->version_template = $var;
+
+        return $this;
+    }
+
+    /**
+     * Labels with user-defined metadata. For more information, see
+     * [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys).
+     *
+     * Generated from protobuf field <code>map<string, string> labels = 10;</code>
+     * @return \Google\Protobuf\Internal\MapField
+     */
+    public function getLabels()
+    {
+        return $this->labels;
+    }
+
+    /**
+     * Labels with user-defined metadata. For more information, see
+     * [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys).
+     *
+     * Generated from protobuf field <code>map<string, string> labels = 10;</code>
+     * @param array|\Google\Protobuf\Internal\MapField $var
+     * @return $this
+     */
+    public function setLabels($var)
+    {
+        $arr = GPBUtil::checkMapField($var, \Google\Protobuf\Internal\GPBType::STRING, \Google\Protobuf\Internal\GPBType::STRING);
+        $this->labels = $arr;
+
+        return $this;
+    }
+
+    /**
+     * Immutable. Whether this key may contain imported versions only.
+     *
+     * Generated from protobuf field <code>bool import_only = 13 [(.google.api.field_behavior) = IMMUTABLE];</code>
+     * @return bool
+     */
+    public function getImportOnly()
+    {
+        return $this->import_only;
+    }
+
+    /**
+     * Immutable. Whether this key may contain imported versions only.
+     *
+     * Generated from protobuf field <code>bool import_only = 13 [(.google.api.field_behavior) = IMMUTABLE];</code>
+     * @param bool $var
+     * @return $this
+     */
+    public function setImportOnly($var)
+    {
+        GPBUtil::checkBool($var);
+        $this->import_only = $var;
+
+        return $this;
+    }
+
+    /**
+     * Immutable. The period of time that versions of this key spend in the
+     * [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED]
+     * state before transitioning to
+     * [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED].
+     * If not specified at creation time, the default duration is 30 days.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Duration destroy_scheduled_duration = 14 [(.google.api.field_behavior) = IMMUTABLE];</code>
+     * @return \Google\Protobuf\Duration|null
+     */
+    public function getDestroyScheduledDuration()
+    {
+        return $this->destroy_scheduled_duration;
+    }
+
+    public function hasDestroyScheduledDuration()
+    {
+        return isset($this->destroy_scheduled_duration);
+    }
+
+    public function clearDestroyScheduledDuration()
+    {
+        unset($this->destroy_scheduled_duration);
+    }
+
+    /**
+     * Immutable. The period of time that versions of this key spend in the
+     * [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED]
+     * state before transitioning to
+     * [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED].
+     * If not specified at creation time, the default duration is 30 days.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Duration destroy_scheduled_duration = 14 [(.google.api.field_behavior) = IMMUTABLE];</code>
+     * @param \Google\Protobuf\Duration $var
+     * @return $this
+     */
+    public function setDestroyScheduledDuration($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Duration::class);
+        $this->destroy_scheduled_duration = $var;
+
+        return $this;
+    }
+
+    /**
+     * Immutable. The resource name of the backend environment where the key
+     * material for all [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]
+     * associated with this [CryptoKey][google.cloud.kms.v1.CryptoKey] reside and
+     * where all related cryptographic operations are performed. Only applicable
+     * if [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] have a
+     * [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of
+     * [EXTERNAL_VPC][CryptoKeyVersion.ProtectionLevel.EXTERNAL_VPC], with the
+     * resource name in the format `projects/&#42;&#47;locations/&#42;&#47;ekmConnections/&#42;`.
+     * Note, this list is non-exhaustive and may apply to additional
+     * [ProtectionLevels][google.cloud.kms.v1.ProtectionLevel] in the future.
+     *
+     * Generated from protobuf field <code>string crypto_key_backend = 15 [(.google.api.field_behavior) = IMMUTABLE, (.google.api.resource_reference) = {</code>
+     * @return string
+     */
+    public function getCryptoKeyBackend()
+    {
+        return $this->crypto_key_backend;
+    }
+
+    /**
+     * Immutable. The resource name of the backend environment where the key
+     * material for all [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]
+     * associated with this [CryptoKey][google.cloud.kms.v1.CryptoKey] reside and
+     * where all related cryptographic operations are performed. Only applicable
+     * if [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] have a
+     * [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of
+     * [EXTERNAL_VPC][CryptoKeyVersion.ProtectionLevel.EXTERNAL_VPC], with the
+     * resource name in the format `projects/&#42;&#47;locations/&#42;&#47;ekmConnections/&#42;`.
+     * Note, this list is non-exhaustive and may apply to additional
+     * [ProtectionLevels][google.cloud.kms.v1.ProtectionLevel] in the future.
+     *
+     * Generated from protobuf field <code>string crypto_key_backend = 15 [(.google.api.field_behavior) = IMMUTABLE, (.google.api.resource_reference) = {</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setCryptoKeyBackend($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->crypto_key_backend = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. The policy used for Key Access Justifications Policy Enforcement.
+     * If this field is present and this key is enrolled in Key Access
+     * Justifications Policy Enforcement, the policy will be evaluated in encrypt,
+     * decrypt, and sign operations, and the operation will fail if rejected by
+     * the policy. The policy is defined by specifying zero or more allowed
+     * justification codes.
+     * https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes
+     * By default, this field is absent, and all justification codes are allowed.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.KeyAccessJustificationsPolicy key_access_justifications_policy = 17 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return \Google\Cloud\Kms\V1\KeyAccessJustificationsPolicy|null
+     */
+    public function getKeyAccessJustificationsPolicy()
+    {
+        return $this->key_access_justifications_policy;
+    }
+
+    public function hasKeyAccessJustificationsPolicy()
+    {
+        return isset($this->key_access_justifications_policy);
+    }
+
+    public function clearKeyAccessJustificationsPolicy()
+    {
+        unset($this->key_access_justifications_policy);
+    }
+
+    /**
+     * Optional. The policy used for Key Access Justifications Policy Enforcement.
+     * If this field is present and this key is enrolled in Key Access
+     * Justifications Policy Enforcement, the policy will be evaluated in encrypt,
+     * decrypt, and sign operations, and the operation will fail if rejected by
+     * the policy. The policy is defined by specifying zero or more allowed
+     * justification codes.
+     * https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes
+     * By default, this field is absent, and all justification codes are allowed.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.KeyAccessJustificationsPolicy key_access_justifications_policy = 17 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param \Google\Cloud\Kms\V1\KeyAccessJustificationsPolicy $var
+     * @return $this
+     */
+    public function setKeyAccessJustificationsPolicy($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Cloud\Kms\V1\KeyAccessJustificationsPolicy::class);
+        $this->key_access_justifications_policy = $var;
+
+        return $this;
+    }
+
+    /**
+     * @return string
+     */
+    public function getRotationSchedule()
+    {
+        return $this->whichOneof("rotation_schedule");
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CryptoKey/CryptoKeyPurpose.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CryptoKey/CryptoKeyPurpose.php
new file mode 100644
index 000000000000..a941f6337534
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CryptoKey/CryptoKeyPurpose.php
@@ -0,0 +1,104 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/resources.proto
+
+namespace Google\Cloud\Kms\V1\CryptoKey;
+
+use UnexpectedValueException;
+
+/**
+ * [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose]
+ * describes the cryptographic capabilities of a
+ * [CryptoKey][google.cloud.kms.v1.CryptoKey]. A given key can only be used
+ * for the operations allowed by its purpose. For more information, see [Key
+ * purposes](https://cloud.google.com/kms/docs/algorithms#key_purposes).
+ *
+ * Protobuf type <code>google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose</code>
+ */
+class CryptoKeyPurpose
+{
+    /**
+     * Not specified.
+     *
+     * Generated from protobuf enum <code>CRYPTO_KEY_PURPOSE_UNSPECIFIED = 0;</code>
+     */
+    const CRYPTO_KEY_PURPOSE_UNSPECIFIED = 0;
+    /**
+     * [CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used
+     * with [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt] and
+     * [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
+     *
+     * Generated from protobuf enum <code>ENCRYPT_DECRYPT = 1;</code>
+     */
+    const ENCRYPT_DECRYPT = 1;
+    /**
+     * [CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used
+     * with
+     * [AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign]
+     * and
+     * [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
+     *
+     * Generated from protobuf enum <code>ASYMMETRIC_SIGN = 5;</code>
+     */
+    const ASYMMETRIC_SIGN = 5;
+    /**
+     * [CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used
+     * with
+     * [AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt]
+     * and
+     * [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
+     *
+     * Generated from protobuf enum <code>ASYMMETRIC_DECRYPT = 6;</code>
+     */
+    const ASYMMETRIC_DECRYPT = 6;
+    /**
+     * [CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used
+     * with [RawEncrypt][google.cloud.kms.v1.KeyManagementService.RawEncrypt]
+     * and [RawDecrypt][google.cloud.kms.v1.KeyManagementService.RawDecrypt].
+     * This purpose is meant to be used for interoperable symmetric
+     * encryption and does not support automatic CryptoKey rotation.
+     *
+     * Generated from protobuf enum <code>RAW_ENCRYPT_DECRYPT = 7;</code>
+     */
+    const RAW_ENCRYPT_DECRYPT = 7;
+    /**
+     * [CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used
+     * with [MacSign][google.cloud.kms.v1.KeyManagementService.MacSign].
+     *
+     * Generated from protobuf enum <code>MAC = 9;</code>
+     */
+    const MAC = 9;
+
+    private static $valueToName = [
+        self::CRYPTO_KEY_PURPOSE_UNSPECIFIED => 'CRYPTO_KEY_PURPOSE_UNSPECIFIED',
+        self::ENCRYPT_DECRYPT => 'ENCRYPT_DECRYPT',
+        self::ASYMMETRIC_SIGN => 'ASYMMETRIC_SIGN',
+        self::ASYMMETRIC_DECRYPT => 'ASYMMETRIC_DECRYPT',
+        self::RAW_ENCRYPT_DECRYPT => 'RAW_ENCRYPT_DECRYPT',
+        self::MAC => 'MAC',
+    ];
+
+    public static function name($value)
+    {
+        if (!isset(self::$valueToName[$value])) {
+            throw new UnexpectedValueException(sprintf(
+                    'Enum %s has no name defined for value %s', __CLASS__, $value));
+        }
+        return self::$valueToName[$value];
+    }
+
+
+    public static function value($name)
+    {
+        $const = __CLASS__ . '::' . strtoupper($name);
+        if (!defined($const)) {
+            throw new UnexpectedValueException(sprintf(
+                    'Enum %s has no value defined for name %s', __CLASS__, $name));
+        }
+        return constant($const);
+    }
+}
+
+// Adding a class alias for backwards compatibility with the previous class name.
+class_alias(CryptoKeyPurpose::class, \Google\Cloud\Kms\V1\CryptoKey_CryptoKeyPurpose::class);
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CryptoKeyVersion.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CryptoKeyVersion.php
new file mode 100644
index 000000000000..b88345be44c3
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CryptoKeyVersion.php
@@ -0,0 +1,819 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/resources.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an
+ * individual cryptographic key, and the associated key material.
+ * An
+ * [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
+ * version can be used for cryptographic operations.
+ * For security reasons, the raw cryptographic key material represented by a
+ * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed
+ * or exported. It can only be used to encrypt, decrypt, or sign data when an
+ * authorized user or application invokes Cloud KMS.
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.CryptoKeyVersion</code>
+ */
+class CryptoKeyVersion extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Output only. The resource name for this
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the format
+     * `projects/&#42;&#47;locations/&#42;&#47;keyRings/&#42;&#47;cryptoKeys/&#42;&#47;cryptoKeyVersions/&#42;`.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $name = '';
+    /**
+     * The current state of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState state = 3;</code>
+     */
+    protected $state = 0;
+    /**
+     * Output only. The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel]
+     * describing how crypto operations are performed with this
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 7 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $protection_level = 0;
+    /**
+     * Output only. The
+     * [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
+     * that this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+     * supports.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 10 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $algorithm = 0;
+    /**
+     * Output only. Statement that was generated and signed by the HSM at key
+     * creation time. Use this statement to verify attributes of the key as stored
+     * on the HSM, independently of Google. Only provided for key versions with
+     * [protection_level][google.cloud.kms.v1.CryptoKeyVersion.protection_level]
+     * [HSM][google.cloud.kms.v1.ProtectionLevel.HSM].
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.KeyOperationAttestation attestation = 8 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $attestation = null;
+    /**
+     * Output only. The time at which this
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] was created.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp create_time = 4 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $create_time = null;
+    /**
+     * Output only. The time this
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material was
+     * generated.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp generate_time = 11 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $generate_time = null;
+    /**
+     * Output only. The time this
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material is
+     * scheduled for destruction. Only present if
+     * [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
+     * [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED].
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp destroy_time = 5 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $destroy_time = null;
+    /**
+     * Output only. The time this CryptoKeyVersion's key material was
+     * destroyed. Only present if
+     * [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
+     * [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED].
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp destroy_event_time = 6 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $destroy_event_time = null;
+    /**
+     * Output only. The name of the [ImportJob][google.cloud.kms.v1.ImportJob]
+     * used in the most recent import of this
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Only present if
+     * the underlying key material was imported.
+     *
+     * Generated from protobuf field <code>string import_job = 14 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $import_job = '';
+    /**
+     * Output only. The time at which this
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material was
+     * most recently imported.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp import_time = 15 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $import_time = null;
+    /**
+     * Output only. The root cause of the most recent import failure. Only present
+     * if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
+     * [IMPORT_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.IMPORT_FAILED].
+     *
+     * Generated from protobuf field <code>string import_failure_reason = 16 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $import_failure_reason = '';
+    /**
+     * Output only. The root cause of the most recent generation failure. Only
+     * present if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
+     * [GENERATION_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.GENERATION_FAILED].
+     *
+     * Generated from protobuf field <code>string generation_failure_reason = 19 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $generation_failure_reason = '';
+    /**
+     * Output only. The root cause of the most recent external destruction
+     * failure. Only present if
+     * [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
+     * [EXTERNAL_DESTRUCTION_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.EXTERNAL_DESTRUCTION_FAILED].
+     *
+     * Generated from protobuf field <code>string external_destruction_failure_reason = 20 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $external_destruction_failure_reason = '';
+    /**
+     * ExternalProtectionLevelOptions stores a group of additional fields for
+     * configuring a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that
+     * are specific to the
+     * [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] protection level
+     * and [EXTERNAL_VPC][google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC]
+     * protection levels.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ExternalProtectionLevelOptions external_protection_level_options = 17;</code>
+     */
+    protected $external_protection_level_options = null;
+    /**
+     * Output only. Whether or not this key version is eligible for reimport, by
+     * being specified as a target in
+     * [ImportCryptoKeyVersionRequest.crypto_key_version][google.cloud.kms.v1.ImportCryptoKeyVersionRequest.crypto_key_version].
+     *
+     * Generated from protobuf field <code>bool reimport_eligible = 18 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $reimport_eligible = false;
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $name
+     *           Output only. The resource name for this
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the format
+     *           `projects/&#42;&#47;locations/&#42;&#47;keyRings/&#42;&#47;cryptoKeys/&#42;&#47;cryptoKeyVersions/&#42;`.
+     *     @type int $state
+     *           The current state of the
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
+     *     @type int $protection_level
+     *           Output only. The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel]
+     *           describing how crypto operations are performed with this
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
+     *     @type int $algorithm
+     *           Output only. The
+     *           [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
+     *           that this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+     *           supports.
+     *     @type \Google\Cloud\Kms\V1\KeyOperationAttestation $attestation
+     *           Output only. Statement that was generated and signed by the HSM at key
+     *           creation time. Use this statement to verify attributes of the key as stored
+     *           on the HSM, independently of Google. Only provided for key versions with
+     *           [protection_level][google.cloud.kms.v1.CryptoKeyVersion.protection_level]
+     *           [HSM][google.cloud.kms.v1.ProtectionLevel.HSM].
+     *     @type \Google\Protobuf\Timestamp $create_time
+     *           Output only. The time at which this
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] was created.
+     *     @type \Google\Protobuf\Timestamp $generate_time
+     *           Output only. The time this
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material was
+     *           generated.
+     *     @type \Google\Protobuf\Timestamp $destroy_time
+     *           Output only. The time this
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material is
+     *           scheduled for destruction. Only present if
+     *           [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
+     *           [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED].
+     *     @type \Google\Protobuf\Timestamp $destroy_event_time
+     *           Output only. The time this CryptoKeyVersion's key material was
+     *           destroyed. Only present if
+     *           [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
+     *           [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED].
+     *     @type string $import_job
+     *           Output only. The name of the [ImportJob][google.cloud.kms.v1.ImportJob]
+     *           used in the most recent import of this
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Only present if
+     *           the underlying key material was imported.
+     *     @type \Google\Protobuf\Timestamp $import_time
+     *           Output only. The time at which this
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material was
+     *           most recently imported.
+     *     @type string $import_failure_reason
+     *           Output only. The root cause of the most recent import failure. Only present
+     *           if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
+     *           [IMPORT_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.IMPORT_FAILED].
+     *     @type string $generation_failure_reason
+     *           Output only. The root cause of the most recent generation failure. Only
+     *           present if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
+     *           [GENERATION_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.GENERATION_FAILED].
+     *     @type string $external_destruction_failure_reason
+     *           Output only. The root cause of the most recent external destruction
+     *           failure. Only present if
+     *           [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
+     *           [EXTERNAL_DESTRUCTION_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.EXTERNAL_DESTRUCTION_FAILED].
+     *     @type \Google\Cloud\Kms\V1\ExternalProtectionLevelOptions $external_protection_level_options
+     *           ExternalProtectionLevelOptions stores a group of additional fields for
+     *           configuring a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that
+     *           are specific to the
+     *           [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] protection level
+     *           and [EXTERNAL_VPC][google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC]
+     *           protection levels.
+     *     @type bool $reimport_eligible
+     *           Output only. Whether or not this key version is eligible for reimport, by
+     *           being specified as a target in
+     *           [ImportCryptoKeyVersionRequest.crypto_key_version][google.cloud.kms.v1.ImportCryptoKeyVersionRequest.crypto_key_version].
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Resources::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Output only. The resource name for this
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the format
+     * `projects/&#42;&#47;locations/&#42;&#47;keyRings/&#42;&#47;cryptoKeys/&#42;&#47;cryptoKeyVersions/&#42;`.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * Output only. The resource name for this
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the format
+     * `projects/&#42;&#47;locations/&#42;&#47;keyRings/&#42;&#47;cryptoKeys/&#42;&#47;cryptoKeyVersions/&#42;`.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setName($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->name = $var;
+
+        return $this;
+    }
+
+    /**
+     * The current state of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState state = 3;</code>
+     * @return int
+     */
+    public function getState()
+    {
+        return $this->state;
+    }
+
+    /**
+     * The current state of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState state = 3;</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setState($var)
+    {
+        GPBUtil::checkEnum($var, \Google\Cloud\Kms\V1\CryptoKeyVersion\CryptoKeyVersionState::class);
+        $this->state = $var;
+
+        return $this;
+    }
+
+    /**
+     * Output only. The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel]
+     * describing how crypto operations are performed with this
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 7 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return int
+     */
+    public function getProtectionLevel()
+    {
+        return $this->protection_level;
+    }
+
+    /**
+     * Output only. The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel]
+     * describing how crypto operations are performed with this
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 7 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setProtectionLevel($var)
+    {
+        GPBUtil::checkEnum($var, \Google\Cloud\Kms\V1\ProtectionLevel::class);
+        $this->protection_level = $var;
+
+        return $this;
+    }
+
+    /**
+     * Output only. The
+     * [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
+     * that this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+     * supports.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 10 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return int
+     */
+    public function getAlgorithm()
+    {
+        return $this->algorithm;
+    }
+
+    /**
+     * Output only. The
+     * [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
+     * that this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+     * supports.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 10 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setAlgorithm($var)
+    {
+        GPBUtil::checkEnum($var, \Google\Cloud\Kms\V1\CryptoKeyVersion\CryptoKeyVersionAlgorithm::class);
+        $this->algorithm = $var;
+
+        return $this;
+    }
+
+    /**
+     * Output only. Statement that was generated and signed by the HSM at key
+     * creation time. Use this statement to verify attributes of the key as stored
+     * on the HSM, independently of Google. Only provided for key versions with
+     * [protection_level][google.cloud.kms.v1.CryptoKeyVersion.protection_level]
+     * [HSM][google.cloud.kms.v1.ProtectionLevel.HSM].
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.KeyOperationAttestation attestation = 8 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return \Google\Cloud\Kms\V1\KeyOperationAttestation|null
+     */
+    public function getAttestation()
+    {
+        return $this->attestation;
+    }
+
+    public function hasAttestation()
+    {
+        return isset($this->attestation);
+    }
+
+    public function clearAttestation()
+    {
+        unset($this->attestation);
+    }
+
+    /**
+     * Output only. Statement that was generated and signed by the HSM at key
+     * creation time. Use this statement to verify attributes of the key as stored
+     * on the HSM, independently of Google. Only provided for key versions with
+     * [protection_level][google.cloud.kms.v1.CryptoKeyVersion.protection_level]
+     * [HSM][google.cloud.kms.v1.ProtectionLevel.HSM].
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.KeyOperationAttestation attestation = 8 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param \Google\Cloud\Kms\V1\KeyOperationAttestation $var
+     * @return $this
+     */
+    public function setAttestation($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Cloud\Kms\V1\KeyOperationAttestation::class);
+        $this->attestation = $var;
+
+        return $this;
+    }
+
+    /**
+     * Output only. The time at which this
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] was created.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp create_time = 4 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return \Google\Protobuf\Timestamp|null
+     */
+    public function getCreateTime()
+    {
+        return $this->create_time;
+    }
+
+    public function hasCreateTime()
+    {
+        return isset($this->create_time);
+    }
+
+    public function clearCreateTime()
+    {
+        unset($this->create_time);
+    }
+
+    /**
+     * Output only. The time at which this
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] was created.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp create_time = 4 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param \Google\Protobuf\Timestamp $var
+     * @return $this
+     */
+    public function setCreateTime($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Timestamp::class);
+        $this->create_time = $var;
+
+        return $this;
+    }
+
+    /**
+     * Output only. The time this
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material was
+     * generated.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp generate_time = 11 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return \Google\Protobuf\Timestamp|null
+     */
+    public function getGenerateTime()
+    {
+        return $this->generate_time;
+    }
+
+    public function hasGenerateTime()
+    {
+        return isset($this->generate_time);
+    }
+
+    public function clearGenerateTime()
+    {
+        unset($this->generate_time);
+    }
+
+    /**
+     * Output only. The time this
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material was
+     * generated.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp generate_time = 11 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param \Google\Protobuf\Timestamp $var
+     * @return $this
+     */
+    public function setGenerateTime($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Timestamp::class);
+        $this->generate_time = $var;
+
+        return $this;
+    }
+
+    /**
+     * Output only. The time this
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material is
+     * scheduled for destruction. Only present if
+     * [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
+     * [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED].
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp destroy_time = 5 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return \Google\Protobuf\Timestamp|null
+     */
+    public function getDestroyTime()
+    {
+        return $this->destroy_time;
+    }
+
+    public function hasDestroyTime()
+    {
+        return isset($this->destroy_time);
+    }
+
+    public function clearDestroyTime()
+    {
+        unset($this->destroy_time);
+    }
+
+    /**
+     * Output only. The time this
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material is
+     * scheduled for destruction. Only present if
+     * [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
+     * [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED].
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp destroy_time = 5 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param \Google\Protobuf\Timestamp $var
+     * @return $this
+     */
+    public function setDestroyTime($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Timestamp::class);
+        $this->destroy_time = $var;
+
+        return $this;
+    }
+
+    /**
+     * Output only. The time this CryptoKeyVersion's key material was
+     * destroyed. Only present if
+     * [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
+     * [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED].
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp destroy_event_time = 6 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return \Google\Protobuf\Timestamp|null
+     */
+    public function getDestroyEventTime()
+    {
+        return $this->destroy_event_time;
+    }
+
+    public function hasDestroyEventTime()
+    {
+        return isset($this->destroy_event_time);
+    }
+
+    public function clearDestroyEventTime()
+    {
+        unset($this->destroy_event_time);
+    }
+
+    /**
+     * Output only. The time this CryptoKeyVersion's key material was
+     * destroyed. Only present if
+     * [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
+     * [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED].
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp destroy_event_time = 6 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param \Google\Protobuf\Timestamp $var
+     * @return $this
+     */
+    public function setDestroyEventTime($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Timestamp::class);
+        $this->destroy_event_time = $var;
+
+        return $this;
+    }
+
+    /**
+     * Output only. The name of the [ImportJob][google.cloud.kms.v1.ImportJob]
+     * used in the most recent import of this
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Only present if
+     * the underlying key material was imported.
+     *
+     * Generated from protobuf field <code>string import_job = 14 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return string
+     */
+    public function getImportJob()
+    {
+        return $this->import_job;
+    }
+
+    /**
+     * Output only. The name of the [ImportJob][google.cloud.kms.v1.ImportJob]
+     * used in the most recent import of this
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Only present if
+     * the underlying key material was imported.
+     *
+     * Generated from protobuf field <code>string import_job = 14 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setImportJob($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->import_job = $var;
+
+        return $this;
+    }
+
+    /**
+     * Output only. The time at which this
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material was
+     * most recently imported.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp import_time = 15 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return \Google\Protobuf\Timestamp|null
+     */
+    public function getImportTime()
+    {
+        return $this->import_time;
+    }
+
+    public function hasImportTime()
+    {
+        return isset($this->import_time);
+    }
+
+    public function clearImportTime()
+    {
+        unset($this->import_time);
+    }
+
+    /**
+     * Output only. The time at which this
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material was
+     * most recently imported.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp import_time = 15 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param \Google\Protobuf\Timestamp $var
+     * @return $this
+     */
+    public function setImportTime($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Timestamp::class);
+        $this->import_time = $var;
+
+        return $this;
+    }
+
+    /**
+     * Output only. The root cause of the most recent import failure. Only present
+     * if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
+     * [IMPORT_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.IMPORT_FAILED].
+     *
+     * Generated from protobuf field <code>string import_failure_reason = 16 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return string
+     */
+    public function getImportFailureReason()
+    {
+        return $this->import_failure_reason;
+    }
+
+    /**
+     * Output only. The root cause of the most recent import failure. Only present
+     * if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
+     * [IMPORT_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.IMPORT_FAILED].
+     *
+     * Generated from protobuf field <code>string import_failure_reason = 16 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setImportFailureReason($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->import_failure_reason = $var;
+
+        return $this;
+    }
+
+    /**
+     * Output only. The root cause of the most recent generation failure. Only
+     * present if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
+     * [GENERATION_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.GENERATION_FAILED].
+     *
+     * Generated from protobuf field <code>string generation_failure_reason = 19 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return string
+     */
+    public function getGenerationFailureReason()
+    {
+        return $this->generation_failure_reason;
+    }
+
+    /**
+     * Output only. The root cause of the most recent generation failure. Only
+     * present if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
+     * [GENERATION_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.GENERATION_FAILED].
+     *
+     * Generated from protobuf field <code>string generation_failure_reason = 19 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setGenerationFailureReason($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->generation_failure_reason = $var;
+
+        return $this;
+    }
+
+    /**
+     * Output only. The root cause of the most recent external destruction
+     * failure. Only present if
+     * [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
+     * [EXTERNAL_DESTRUCTION_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.EXTERNAL_DESTRUCTION_FAILED].
+     *
+     * Generated from protobuf field <code>string external_destruction_failure_reason = 20 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return string
+     */
+    public function getExternalDestructionFailureReason()
+    {
+        return $this->external_destruction_failure_reason;
+    }
+
+    /**
+     * Output only. The root cause of the most recent external destruction
+     * failure. Only present if
+     * [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
+     * [EXTERNAL_DESTRUCTION_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.EXTERNAL_DESTRUCTION_FAILED].
+     *
+     * Generated from protobuf field <code>string external_destruction_failure_reason = 20 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setExternalDestructionFailureReason($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->external_destruction_failure_reason = $var;
+
+        return $this;
+    }
+
+    /**
+     * ExternalProtectionLevelOptions stores a group of additional fields for
+     * configuring a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that
+     * are specific to the
+     * [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] protection level
+     * and [EXTERNAL_VPC][google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC]
+     * protection levels.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ExternalProtectionLevelOptions external_protection_level_options = 17;</code>
+     * @return \Google\Cloud\Kms\V1\ExternalProtectionLevelOptions|null
+     */
+    public function getExternalProtectionLevelOptions()
+    {
+        return $this->external_protection_level_options;
+    }
+
+    public function hasExternalProtectionLevelOptions()
+    {
+        return isset($this->external_protection_level_options);
+    }
+
+    public function clearExternalProtectionLevelOptions()
+    {
+        unset($this->external_protection_level_options);
+    }
+
+    /**
+     * ExternalProtectionLevelOptions stores a group of additional fields for
+     * configuring a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that
+     * are specific to the
+     * [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] protection level
+     * and [EXTERNAL_VPC][google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC]
+     * protection levels.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ExternalProtectionLevelOptions external_protection_level_options = 17;</code>
+     * @param \Google\Cloud\Kms\V1\ExternalProtectionLevelOptions $var
+     * @return $this
+     */
+    public function setExternalProtectionLevelOptions($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Cloud\Kms\V1\ExternalProtectionLevelOptions::class);
+        $this->external_protection_level_options = $var;
+
+        return $this;
+    }
+
+    /**
+     * Output only. Whether or not this key version is eligible for reimport, by
+     * being specified as a target in
+     * [ImportCryptoKeyVersionRequest.crypto_key_version][google.cloud.kms.v1.ImportCryptoKeyVersionRequest.crypto_key_version].
+     *
+     * Generated from protobuf field <code>bool reimport_eligible = 18 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return bool
+     */
+    public function getReimportEligible()
+    {
+        return $this->reimport_eligible;
+    }
+
+    /**
+     * Output only. Whether or not this key version is eligible for reimport, by
+     * being specified as a target in
+     * [ImportCryptoKeyVersionRequest.crypto_key_version][google.cloud.kms.v1.ImportCryptoKeyVersionRequest.crypto_key_version].
+     *
+     * Generated from protobuf field <code>bool reimport_eligible = 18 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param bool $var
+     * @return $this
+     */
+    public function setReimportEligible($var)
+    {
+        GPBUtil::checkBool($var);
+        $this->reimport_eligible = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CryptoKeyVersion/CryptoKeyVersionAlgorithm.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CryptoKeyVersion/CryptoKeyVersionAlgorithm.php
new file mode 100644
index 000000000000..b4edec85f40f
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CryptoKeyVersion/CryptoKeyVersionAlgorithm.php
@@ -0,0 +1,336 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/resources.proto
+
+namespace Google\Cloud\Kms\V1\CryptoKeyVersion;
+
+use UnexpectedValueException;
+
+/**
+ * The algorithm of the
+ * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], indicating what
+ * parameters must be used for each cryptographic operation.
+ * The
+ * [GOOGLE_SYMMETRIC_ENCRYPTION][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION]
+ * algorithm is usable with
+ * [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
+ * [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
+ * Algorithms beginning with `RSA_SIGN_` are usable with
+ * [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
+ * [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN].
+ * The fields in the name after `RSA_SIGN_` correspond to the following
+ * parameters: padding algorithm, modulus bit length, and digest algorithm.
+ * For PSS, the salt length used is equal to the length of digest
+ * algorithm. For example,
+ * [RSA_SIGN_PSS_2048_SHA256][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256]
+ * will use PSS with a salt length of 256 bits or 32 bytes.
+ * Algorithms beginning with `RSA_DECRYPT_` are usable with
+ * [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
+ * [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT].
+ * The fields in the name after `RSA_DECRYPT_` correspond to the following
+ * parameters: padding algorithm, modulus bit length, and digest algorithm.
+ * Algorithms beginning with `EC_SIGN_` are usable with
+ * [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
+ * [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN].
+ * The fields in the name after `EC_SIGN_` correspond to the following
+ * parameters: elliptic curve, digest algorithm.
+ * Algorithms beginning with `HMAC_` are usable with
+ * [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
+ * [MAC][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.MAC].
+ * The suffix following `HMAC_` corresponds to the hash algorithm being used
+ * (eg. SHA256).
+ * Algorithms beginning with `PQ_` are post-quantum.
+ * For more information, see [Key purposes and algorithms]
+ * (https://cloud.google.com/kms/docs/algorithms).
+ *
+ * Protobuf type <code>google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm</code>
+ */
+class CryptoKeyVersionAlgorithm
+{
+    /**
+     * Not specified.
+     *
+     * Generated from protobuf enum <code>CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED = 0;</code>
+     */
+    const CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED = 0;
+    /**
+     * Creates symmetric encryption keys.
+     *
+     * Generated from protobuf enum <code>GOOGLE_SYMMETRIC_ENCRYPTION = 1;</code>
+     */
+    const GOOGLE_SYMMETRIC_ENCRYPTION = 1;
+    /**
+     * AES-GCM (Galois Counter Mode) using 128-bit keys.
+     *
+     * Generated from protobuf enum <code>AES_128_GCM = 41;</code>
+     */
+    const AES_128_GCM = 41;
+    /**
+     * AES-GCM (Galois Counter Mode) using 256-bit keys.
+     *
+     * Generated from protobuf enum <code>AES_256_GCM = 19;</code>
+     */
+    const AES_256_GCM = 19;
+    /**
+     * AES-CBC (Cipher Block Chaining Mode) using 128-bit keys.
+     *
+     * Generated from protobuf enum <code>AES_128_CBC = 42;</code>
+     */
+    const AES_128_CBC = 42;
+    /**
+     * AES-CBC (Cipher Block Chaining Mode) using 256-bit keys.
+     *
+     * Generated from protobuf enum <code>AES_256_CBC = 43;</code>
+     */
+    const AES_256_CBC = 43;
+    /**
+     * AES-CTR (Counter Mode) using 128-bit keys.
+     *
+     * Generated from protobuf enum <code>AES_128_CTR = 44;</code>
+     */
+    const AES_128_CTR = 44;
+    /**
+     * AES-CTR (Counter Mode) using 256-bit keys.
+     *
+     * Generated from protobuf enum <code>AES_256_CTR = 45;</code>
+     */
+    const AES_256_CTR = 45;
+    /**
+     * RSASSA-PSS 2048 bit key with a SHA256 digest.
+     *
+     * Generated from protobuf enum <code>RSA_SIGN_PSS_2048_SHA256 = 2;</code>
+     */
+    const RSA_SIGN_PSS_2048_SHA256 = 2;
+    /**
+     * RSASSA-PSS 3072 bit key with a SHA256 digest.
+     *
+     * Generated from protobuf enum <code>RSA_SIGN_PSS_3072_SHA256 = 3;</code>
+     */
+    const RSA_SIGN_PSS_3072_SHA256 = 3;
+    /**
+     * RSASSA-PSS 4096 bit key with a SHA256 digest.
+     *
+     * Generated from protobuf enum <code>RSA_SIGN_PSS_4096_SHA256 = 4;</code>
+     */
+    const RSA_SIGN_PSS_4096_SHA256 = 4;
+    /**
+     * RSASSA-PSS 4096 bit key with a SHA512 digest.
+     *
+     * Generated from protobuf enum <code>RSA_SIGN_PSS_4096_SHA512 = 15;</code>
+     */
+    const RSA_SIGN_PSS_4096_SHA512 = 15;
+    /**
+     * RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
+     *
+     * Generated from protobuf enum <code>RSA_SIGN_PKCS1_2048_SHA256 = 5;</code>
+     */
+    const RSA_SIGN_PKCS1_2048_SHA256 = 5;
+    /**
+     * RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
+     *
+     * Generated from protobuf enum <code>RSA_SIGN_PKCS1_3072_SHA256 = 6;</code>
+     */
+    const RSA_SIGN_PKCS1_3072_SHA256 = 6;
+    /**
+     * RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
+     *
+     * Generated from protobuf enum <code>RSA_SIGN_PKCS1_4096_SHA256 = 7;</code>
+     */
+    const RSA_SIGN_PKCS1_4096_SHA256 = 7;
+    /**
+     * RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
+     *
+     * Generated from protobuf enum <code>RSA_SIGN_PKCS1_4096_SHA512 = 16;</code>
+     */
+    const RSA_SIGN_PKCS1_4096_SHA512 = 16;
+    /**
+     * RSASSA-PKCS1-v1_5 signing without encoding, with a 2048 bit key.
+     *
+     * Generated from protobuf enum <code>RSA_SIGN_RAW_PKCS1_2048 = 28;</code>
+     */
+    const RSA_SIGN_RAW_PKCS1_2048 = 28;
+    /**
+     * RSASSA-PKCS1-v1_5 signing without encoding, with a 3072 bit key.
+     *
+     * Generated from protobuf enum <code>RSA_SIGN_RAW_PKCS1_3072 = 29;</code>
+     */
+    const RSA_SIGN_RAW_PKCS1_3072 = 29;
+    /**
+     * RSASSA-PKCS1-v1_5 signing without encoding, with a 4096 bit key.
+     *
+     * Generated from protobuf enum <code>RSA_SIGN_RAW_PKCS1_4096 = 30;</code>
+     */
+    const RSA_SIGN_RAW_PKCS1_4096 = 30;
+    /**
+     * RSAES-OAEP 2048 bit key with a SHA256 digest.
+     *
+     * Generated from protobuf enum <code>RSA_DECRYPT_OAEP_2048_SHA256 = 8;</code>
+     */
+    const RSA_DECRYPT_OAEP_2048_SHA256 = 8;
+    /**
+     * RSAES-OAEP 3072 bit key with a SHA256 digest.
+     *
+     * Generated from protobuf enum <code>RSA_DECRYPT_OAEP_3072_SHA256 = 9;</code>
+     */
+    const RSA_DECRYPT_OAEP_3072_SHA256 = 9;
+    /**
+     * RSAES-OAEP 4096 bit key with a SHA256 digest.
+     *
+     * Generated from protobuf enum <code>RSA_DECRYPT_OAEP_4096_SHA256 = 10;</code>
+     */
+    const RSA_DECRYPT_OAEP_4096_SHA256 = 10;
+    /**
+     * RSAES-OAEP 4096 bit key with a SHA512 digest.
+     *
+     * Generated from protobuf enum <code>RSA_DECRYPT_OAEP_4096_SHA512 = 17;</code>
+     */
+    const RSA_DECRYPT_OAEP_4096_SHA512 = 17;
+    /**
+     * RSAES-OAEP 2048 bit key with a SHA1 digest.
+     *
+     * Generated from protobuf enum <code>RSA_DECRYPT_OAEP_2048_SHA1 = 37;</code>
+     */
+    const RSA_DECRYPT_OAEP_2048_SHA1 = 37;
+    /**
+     * RSAES-OAEP 3072 bit key with a SHA1 digest.
+     *
+     * Generated from protobuf enum <code>RSA_DECRYPT_OAEP_3072_SHA1 = 38;</code>
+     */
+    const RSA_DECRYPT_OAEP_3072_SHA1 = 38;
+    /**
+     * RSAES-OAEP 4096 bit key with a SHA1 digest.
+     *
+     * Generated from protobuf enum <code>RSA_DECRYPT_OAEP_4096_SHA1 = 39;</code>
+     */
+    const RSA_DECRYPT_OAEP_4096_SHA1 = 39;
+    /**
+     * ECDSA on the NIST P-256 curve with a SHA256 digest.
+     * Other hash functions can also be used:
+     * https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
+     *
+     * Generated from protobuf enum <code>EC_SIGN_P256_SHA256 = 12;</code>
+     */
+    const EC_SIGN_P256_SHA256 = 12;
+    /**
+     * ECDSA on the NIST P-384 curve with a SHA384 digest.
+     * Other hash functions can also be used:
+     * https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
+     *
+     * Generated from protobuf enum <code>EC_SIGN_P384_SHA384 = 13;</code>
+     */
+    const EC_SIGN_P384_SHA384 = 13;
+    /**
+     * ECDSA on the non-NIST secp256k1 curve. This curve is only supported for
+     * HSM protection level.
+     * Other hash functions can also be used:
+     * https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
+     *
+     * Generated from protobuf enum <code>EC_SIGN_SECP256K1_SHA256 = 31;</code>
+     */
+    const EC_SIGN_SECP256K1_SHA256 = 31;
+    /**
+     * EdDSA on the Curve25519 in pure mode (taking data as input).
+     *
+     * Generated from protobuf enum <code>EC_SIGN_ED25519 = 40;</code>
+     */
+    const EC_SIGN_ED25519 = 40;
+    /**
+     * HMAC-SHA256 signing with a 256 bit key.
+     *
+     * Generated from protobuf enum <code>HMAC_SHA256 = 32;</code>
+     */
+    const HMAC_SHA256 = 32;
+    /**
+     * HMAC-SHA1 signing with a 160 bit key.
+     *
+     * Generated from protobuf enum <code>HMAC_SHA1 = 33;</code>
+     */
+    const HMAC_SHA1 = 33;
+    /**
+     * HMAC-SHA384 signing with a 384 bit key.
+     *
+     * Generated from protobuf enum <code>HMAC_SHA384 = 34;</code>
+     */
+    const HMAC_SHA384 = 34;
+    /**
+     * HMAC-SHA512 signing with a 512 bit key.
+     *
+     * Generated from protobuf enum <code>HMAC_SHA512 = 35;</code>
+     */
+    const HMAC_SHA512 = 35;
+    /**
+     * HMAC-SHA224 signing with a 224 bit key.
+     *
+     * Generated from protobuf enum <code>HMAC_SHA224 = 36;</code>
+     */
+    const HMAC_SHA224 = 36;
+    /**
+     * Algorithm representing symmetric encryption by an external key manager.
+     *
+     * Generated from protobuf enum <code>EXTERNAL_SYMMETRIC_ENCRYPTION = 18;</code>
+     */
+    const EXTERNAL_SYMMETRIC_ENCRYPTION = 18;
+
+    private static $valueToName = [
+        self::CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED => 'CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED',
+        self::GOOGLE_SYMMETRIC_ENCRYPTION => 'GOOGLE_SYMMETRIC_ENCRYPTION',
+        self::AES_128_GCM => 'AES_128_GCM',
+        self::AES_256_GCM => 'AES_256_GCM',
+        self::AES_128_CBC => 'AES_128_CBC',
+        self::AES_256_CBC => 'AES_256_CBC',
+        self::AES_128_CTR => 'AES_128_CTR',
+        self::AES_256_CTR => 'AES_256_CTR',
+        self::RSA_SIGN_PSS_2048_SHA256 => 'RSA_SIGN_PSS_2048_SHA256',
+        self::RSA_SIGN_PSS_3072_SHA256 => 'RSA_SIGN_PSS_3072_SHA256',
+        self::RSA_SIGN_PSS_4096_SHA256 => 'RSA_SIGN_PSS_4096_SHA256',
+        self::RSA_SIGN_PSS_4096_SHA512 => 'RSA_SIGN_PSS_4096_SHA512',
+        self::RSA_SIGN_PKCS1_2048_SHA256 => 'RSA_SIGN_PKCS1_2048_SHA256',
+        self::RSA_SIGN_PKCS1_3072_SHA256 => 'RSA_SIGN_PKCS1_3072_SHA256',
+        self::RSA_SIGN_PKCS1_4096_SHA256 => 'RSA_SIGN_PKCS1_4096_SHA256',
+        self::RSA_SIGN_PKCS1_4096_SHA512 => 'RSA_SIGN_PKCS1_4096_SHA512',
+        self::RSA_SIGN_RAW_PKCS1_2048 => 'RSA_SIGN_RAW_PKCS1_2048',
+        self::RSA_SIGN_RAW_PKCS1_3072 => 'RSA_SIGN_RAW_PKCS1_3072',
+        self::RSA_SIGN_RAW_PKCS1_4096 => 'RSA_SIGN_RAW_PKCS1_4096',
+        self::RSA_DECRYPT_OAEP_2048_SHA256 => 'RSA_DECRYPT_OAEP_2048_SHA256',
+        self::RSA_DECRYPT_OAEP_3072_SHA256 => 'RSA_DECRYPT_OAEP_3072_SHA256',
+        self::RSA_DECRYPT_OAEP_4096_SHA256 => 'RSA_DECRYPT_OAEP_4096_SHA256',
+        self::RSA_DECRYPT_OAEP_4096_SHA512 => 'RSA_DECRYPT_OAEP_4096_SHA512',
+        self::RSA_DECRYPT_OAEP_2048_SHA1 => 'RSA_DECRYPT_OAEP_2048_SHA1',
+        self::RSA_DECRYPT_OAEP_3072_SHA1 => 'RSA_DECRYPT_OAEP_3072_SHA1',
+        self::RSA_DECRYPT_OAEP_4096_SHA1 => 'RSA_DECRYPT_OAEP_4096_SHA1',
+        self::EC_SIGN_P256_SHA256 => 'EC_SIGN_P256_SHA256',
+        self::EC_SIGN_P384_SHA384 => 'EC_SIGN_P384_SHA384',
+        self::EC_SIGN_SECP256K1_SHA256 => 'EC_SIGN_SECP256K1_SHA256',
+        self::EC_SIGN_ED25519 => 'EC_SIGN_ED25519',
+        self::HMAC_SHA256 => 'HMAC_SHA256',
+        self::HMAC_SHA1 => 'HMAC_SHA1',
+        self::HMAC_SHA384 => 'HMAC_SHA384',
+        self::HMAC_SHA512 => 'HMAC_SHA512',
+        self::HMAC_SHA224 => 'HMAC_SHA224',
+        self::EXTERNAL_SYMMETRIC_ENCRYPTION => 'EXTERNAL_SYMMETRIC_ENCRYPTION',
+    ];
+
+    public static function name($value)
+    {
+        if (!isset(self::$valueToName[$value])) {
+            throw new UnexpectedValueException(sprintf(
+                    'Enum %s has no name defined for value %s', __CLASS__, $value));
+        }
+        return self::$valueToName[$value];
+    }
+
+
+    public static function value($name)
+    {
+        $const = __CLASS__ . '::' . strtoupper($name);
+        if (!defined($const)) {
+            throw new UnexpectedValueException(sprintf(
+                    'Enum %s has no value defined for name %s', __CLASS__, $name));
+        }
+        return constant($const);
+    }
+}
+
+// Adding a class alias for backwards compatibility with the previous class name.
+class_alias(CryptoKeyVersionAlgorithm::class, \Google\Cloud\Kms\V1\CryptoKeyVersion_CryptoKeyVersionAlgorithm::class);
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CryptoKeyVersion/CryptoKeyVersionState.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CryptoKeyVersion/CryptoKeyVersionState.php
new file mode 100644
index 000000000000..b4de21be0a7e
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CryptoKeyVersion/CryptoKeyVersionState.php
@@ -0,0 +1,154 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/resources.proto
+
+namespace Google\Cloud\Kms\V1\CryptoKeyVersion;
+
+use UnexpectedValueException;
+
+/**
+ * The state of a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion],
+ * indicating if it can be used.
+ *
+ * Protobuf type <code>google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState</code>
+ */
+class CryptoKeyVersionState
+{
+    /**
+     * Not specified.
+     *
+     * Generated from protobuf enum <code>CRYPTO_KEY_VERSION_STATE_UNSPECIFIED = 0;</code>
+     */
+    const CRYPTO_KEY_VERSION_STATE_UNSPECIFIED = 0;
+    /**
+     * This version is still being generated. It may not be used, enabled,
+     * disabled, or destroyed yet. Cloud KMS will automatically mark this
+     * version
+     * [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
+     * as soon as the version is ready.
+     *
+     * Generated from protobuf enum <code>PENDING_GENERATION = 5;</code>
+     */
+    const PENDING_GENERATION = 5;
+    /**
+     * This version may be used for cryptographic operations.
+     *
+     * Generated from protobuf enum <code>ENABLED = 1;</code>
+     */
+    const ENABLED = 1;
+    /**
+     * This version may not be used, but the key material is still available,
+     * and the version can be placed back into the
+     * [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
+     * state.
+     *
+     * Generated from protobuf enum <code>DISABLED = 2;</code>
+     */
+    const DISABLED = 2;
+    /**
+     * This version is destroyed, and the key material is no longer stored.
+     * This version may only become
+     * [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
+     * again if this version is
+     * [reimport_eligible][google.cloud.kms.v1.CryptoKeyVersion.reimport_eligible]
+     * and the original key material is reimported with a call to
+     * [KeyManagementService.ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].
+     *
+     * Generated from protobuf enum <code>DESTROYED = 3;</code>
+     */
+    const DESTROYED = 3;
+    /**
+     * This version is scheduled for destruction, and will be destroyed soon.
+     * Call
+     * [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]
+     * to put it back into the
+     * [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED]
+     * state.
+     *
+     * Generated from protobuf enum <code>DESTROY_SCHEDULED = 4;</code>
+     */
+    const DESTROY_SCHEDULED = 4;
+    /**
+     * This version is still being imported. It may not be used, enabled,
+     * disabled, or destroyed yet. Cloud KMS will automatically mark this
+     * version
+     * [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
+     * as soon as the version is ready.
+     *
+     * Generated from protobuf enum <code>PENDING_IMPORT = 6;</code>
+     */
+    const PENDING_IMPORT = 6;
+    /**
+     * This version was not imported successfully. It may not be used, enabled,
+     * disabled, or destroyed. The submitted key material has been discarded.
+     * Additional details can be found in
+     * [CryptoKeyVersion.import_failure_reason][google.cloud.kms.v1.CryptoKeyVersion.import_failure_reason].
+     *
+     * Generated from protobuf enum <code>IMPORT_FAILED = 7;</code>
+     */
+    const IMPORT_FAILED = 7;
+    /**
+     * This version was not generated successfully. It may not be used, enabled,
+     * disabled, or destroyed. Additional details can be found in
+     * [CryptoKeyVersion.generation_failure_reason][google.cloud.kms.v1.CryptoKeyVersion.generation_failure_reason].
+     *
+     * Generated from protobuf enum <code>GENERATION_FAILED = 8;</code>
+     */
+    const GENERATION_FAILED = 8;
+    /**
+     * This version was destroyed, and it may not be used or enabled again.
+     * Cloud KMS is waiting for the corresponding key material residing in an
+     * external key manager to be destroyed.
+     *
+     * Generated from protobuf enum <code>PENDING_EXTERNAL_DESTRUCTION = 9;</code>
+     */
+    const PENDING_EXTERNAL_DESTRUCTION = 9;
+    /**
+     * This version was destroyed, and it may not be used or enabled again.
+     * However, Cloud KMS could not confirm that the corresponding key material
+     * residing in an external key manager was destroyed. Additional details can
+     * be found in
+     * [CryptoKeyVersion.external_destruction_failure_reason][google.cloud.kms.v1.CryptoKeyVersion.external_destruction_failure_reason].
+     *
+     * Generated from protobuf enum <code>EXTERNAL_DESTRUCTION_FAILED = 10;</code>
+     */
+    const EXTERNAL_DESTRUCTION_FAILED = 10;
+
+    private static $valueToName = [
+        self::CRYPTO_KEY_VERSION_STATE_UNSPECIFIED => 'CRYPTO_KEY_VERSION_STATE_UNSPECIFIED',
+        self::PENDING_GENERATION => 'PENDING_GENERATION',
+        self::ENABLED => 'ENABLED',
+        self::DISABLED => 'DISABLED',
+        self::DESTROYED => 'DESTROYED',
+        self::DESTROY_SCHEDULED => 'DESTROY_SCHEDULED',
+        self::PENDING_IMPORT => 'PENDING_IMPORT',
+        self::IMPORT_FAILED => 'IMPORT_FAILED',
+        self::GENERATION_FAILED => 'GENERATION_FAILED',
+        self::PENDING_EXTERNAL_DESTRUCTION => 'PENDING_EXTERNAL_DESTRUCTION',
+        self::EXTERNAL_DESTRUCTION_FAILED => 'EXTERNAL_DESTRUCTION_FAILED',
+    ];
+
+    public static function name($value)
+    {
+        if (!isset(self::$valueToName[$value])) {
+            throw new UnexpectedValueException(sprintf(
+                    'Enum %s has no name defined for value %s', __CLASS__, $value));
+        }
+        return self::$valueToName[$value];
+    }
+
+
+    public static function value($name)
+    {
+        $const = __CLASS__ . '::' . strtoupper($name);
+        if (!defined($const)) {
+            throw new UnexpectedValueException(sprintf(
+                    'Enum %s has no value defined for name %s', __CLASS__, $name));
+        }
+        return constant($const);
+    }
+}
+
+// Adding a class alias for backwards compatibility with the previous class name.
+class_alias(CryptoKeyVersionState::class, \Google\Cloud\Kms\V1\CryptoKeyVersion_CryptoKeyVersionState::class);
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CryptoKeyVersion/CryptoKeyVersionView.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CryptoKeyVersion/CryptoKeyVersionView.php
new file mode 100644
index 000000000000..33a471de9ad7
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CryptoKeyVersion/CryptoKeyVersionView.php
@@ -0,0 +1,67 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/resources.proto
+
+namespace Google\Cloud\Kms\V1\CryptoKeyVersion;
+
+use UnexpectedValueException;
+
+/**
+ * A view for [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]s.
+ * Controls the level of detail returned for
+ * [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] in
+ * [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions]
+ * and
+ * [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
+ *
+ * Protobuf type <code>google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionView</code>
+ */
+class CryptoKeyVersionView
+{
+    /**
+     * Default view for each
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Does not
+     * include the
+     * [attestation][google.cloud.kms.v1.CryptoKeyVersion.attestation] field.
+     *
+     * Generated from protobuf enum <code>CRYPTO_KEY_VERSION_VIEW_UNSPECIFIED = 0;</code>
+     */
+    const CRYPTO_KEY_VERSION_VIEW_UNSPECIFIED = 0;
+    /**
+     * Provides all fields in each
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], including the
+     * [attestation][google.cloud.kms.v1.CryptoKeyVersion.attestation].
+     *
+     * Generated from protobuf enum <code>FULL = 1;</code>
+     */
+    const FULL = 1;
+
+    private static $valueToName = [
+        self::CRYPTO_KEY_VERSION_VIEW_UNSPECIFIED => 'CRYPTO_KEY_VERSION_VIEW_UNSPECIFIED',
+        self::FULL => 'FULL',
+    ];
+
+    public static function name($value)
+    {
+        if (!isset(self::$valueToName[$value])) {
+            throw new UnexpectedValueException(sprintf(
+                    'Enum %s has no name defined for value %s', __CLASS__, $value));
+        }
+        return self::$valueToName[$value];
+    }
+
+
+    public static function value($name)
+    {
+        $const = __CLASS__ . '::' . strtoupper($name);
+        if (!defined($const)) {
+            throw new UnexpectedValueException(sprintf(
+                    'Enum %s has no value defined for name %s', __CLASS__, $name));
+        }
+        return constant($const);
+    }
+}
+
+// Adding a class alias for backwards compatibility with the previous class name.
+class_alias(CryptoKeyVersionView::class, \Google\Cloud\Kms\V1\CryptoKeyVersion_CryptoKeyVersionView::class);
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CryptoKeyVersionTemplate.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CryptoKeyVersionTemplate.php
new file mode 100644
index 000000000000..6f88091103eb
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/CryptoKeyVersionTemplate.php
@@ -0,0 +1,150 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/resources.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * A [CryptoKeyVersionTemplate][google.cloud.kms.v1.CryptoKeyVersionTemplate]
+ * specifies the properties to use when creating a new
+ * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], either manually
+ * with
+ * [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
+ * or automatically as a result of auto-rotation.
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.CryptoKeyVersionTemplate</code>
+ */
+class CryptoKeyVersionTemplate extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] to use when creating
+     * a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] based on this
+     * template. Immutable. Defaults to
+     * [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE].
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 1;</code>
+     */
+    protected $protection_level = 0;
+    /**
+     * Required.
+     * [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
+     * to use when creating a
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] based on this
+     * template.
+     * For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
+     * this field is omitted and
+     * [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] is
+     * [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 3 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    protected $algorithm = 0;
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type int $protection_level
+     *           [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] to use when creating
+     *           a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] based on this
+     *           template. Immutable. Defaults to
+     *           [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE].
+     *     @type int $algorithm
+     *           Required.
+     *           [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
+     *           to use when creating a
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] based on this
+     *           template.
+     *           For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
+     *           this field is omitted and
+     *           [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] is
+     *           [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Resources::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] to use when creating
+     * a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] based on this
+     * template. Immutable. Defaults to
+     * [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE].
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 1;</code>
+     * @return int
+     */
+    public function getProtectionLevel()
+    {
+        return $this->protection_level;
+    }
+
+    /**
+     * [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] to use when creating
+     * a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] based on this
+     * template. Immutable. Defaults to
+     * [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE].
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 1;</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setProtectionLevel($var)
+    {
+        GPBUtil::checkEnum($var, \Google\Cloud\Kms\V1\ProtectionLevel::class);
+        $this->protection_level = $var;
+
+        return $this;
+    }
+
+    /**
+     * Required.
+     * [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
+     * to use when creating a
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] based on this
+     * template.
+     * For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
+     * this field is omitted and
+     * [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] is
+     * [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 3 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return int
+     */
+    public function getAlgorithm()
+    {
+        return $this->algorithm;
+    }
+
+    /**
+     * Required.
+     * [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
+     * to use when creating a
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] based on this
+     * template.
+     * For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
+     * this field is omitted and
+     * [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] is
+     * [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 3 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setAlgorithm($var)
+    {
+        GPBUtil::checkEnum($var, \Google\Cloud\Kms\V1\CryptoKeyVersion\CryptoKeyVersionAlgorithm::class);
+        $this->algorithm = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/DecryptRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/DecryptRequest.php
new file mode 100644
index 000000000000..86cf3cc753e8
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/DecryptRequest.php
@@ -0,0 +1,529 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.DecryptRequest</code>
+ */
+class DecryptRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. The resource name of the
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] to use for decryption. The
+     * server will choose the appropriate version.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     */
+    protected $name = '';
+    /**
+     * Required. The encrypted data originally returned in
+     * [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext].
+     *
+     * Generated from protobuf field <code>bytes ciphertext = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    protected $ciphertext = '';
+    /**
+     * Optional. Optional data that must match the data originally supplied in
+     * [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data].
+     *
+     * Generated from protobuf field <code>bytes additional_authenticated_data = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $additional_authenticated_data = '';
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received
+     * [DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext]
+     * using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext])
+     * is equal to
+     * [DecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.DecryptRequest.ciphertext_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value ciphertext_crc32c = 5 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $ciphertext_crc32c = null;
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received
+     * [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data]
+     * using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data])
+     * is equal to
+     * [DecryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value additional_authenticated_data_crc32c = 6 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $additional_authenticated_data_crc32c = null;
+
+    /**
+     * @param string $name       Required. The resource name of the
+     *                           [CryptoKey][google.cloud.kms.v1.CryptoKey] to use for decryption. The
+     *                           server will choose the appropriate version. Please see
+     *                           {@see KeyManagementServiceClient::cryptoKeyName()} for help formatting this field.
+     * @param string $ciphertext Required. The encrypted data originally returned in
+     *                           [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext].
+     *
+     * @return \Google\Cloud\Kms\V1\DecryptRequest
+     *
+     * @experimental
+     */
+    public static function build(string $name, string $ciphertext): self
+    {
+        return (new self())
+            ->setName($name)
+            ->setCiphertext($ciphertext);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $name
+     *           Required. The resource name of the
+     *           [CryptoKey][google.cloud.kms.v1.CryptoKey] to use for decryption. The
+     *           server will choose the appropriate version.
+     *     @type string $ciphertext
+     *           Required. The encrypted data originally returned in
+     *           [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext].
+     *     @type string $additional_authenticated_data
+     *           Optional. Optional data that must match the data originally supplied in
+     *           [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data].
+     *     @type \Google\Protobuf\Int64Value $ciphertext_crc32c
+     *           Optional. An optional CRC32C checksum of the
+     *           [DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext].
+     *           If specified,
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     *           verify the integrity of the received
+     *           [DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext]
+     *           using this checksum.
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     *           report an error if the checksum verification fails. If you receive a
+     *           checksum error, your client should verify that
+     *           CRC32C([DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext])
+     *           is equal to
+     *           [DecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.DecryptRequest.ciphertext_crc32c],
+     *           and if so, perform a limited number of retries. A persistent mismatch may
+     *           indicate an issue in your computation of the CRC32C checksum. Note: This
+     *           field is defined as int64 for reasons of compatibility across different
+     *           languages. However, it is a non-negative integer, which will never exceed
+     *           2^32-1, and can be safely downconverted to uint32 in languages that support
+     *           this type.
+     *     @type \Google\Protobuf\Int64Value $additional_authenticated_data_crc32c
+     *           Optional. An optional CRC32C checksum of the
+     *           [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data].
+     *           If specified,
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     *           verify the integrity of the received
+     *           [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data]
+     *           using this checksum.
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     *           report an error if the checksum verification fails. If you receive a
+     *           checksum error, your client should verify that
+     *           CRC32C([DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data])
+     *           is equal to
+     *           [DecryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data_crc32c],
+     *           and if so, perform a limited number of retries. A persistent mismatch may
+     *           indicate an issue in your computation of the CRC32C checksum. Note: This
+     *           field is defined as int64 for reasons of compatibility across different
+     *           languages. However, it is a non-negative integer, which will never exceed
+     *           2^32-1, and can be safely downconverted to uint32 in languages that support
+     *           this type.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. The resource name of the
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] to use for decryption. The
+     * server will choose the appropriate version.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * Required. The resource name of the
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] to use for decryption. The
+     * server will choose the appropriate version.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setName($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->name = $var;
+
+        return $this;
+    }
+
+    /**
+     * Required. The encrypted data originally returned in
+     * [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext].
+     *
+     * Generated from protobuf field <code>bytes ciphertext = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return string
+     */
+    public function getCiphertext()
+    {
+        return $this->ciphertext;
+    }
+
+    /**
+     * Required. The encrypted data originally returned in
+     * [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext].
+     *
+     * Generated from protobuf field <code>bytes ciphertext = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setCiphertext($var)
+    {
+        GPBUtil::checkString($var, False);
+        $this->ciphertext = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. Optional data that must match the data originally supplied in
+     * [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data].
+     *
+     * Generated from protobuf field <code>bytes additional_authenticated_data = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return string
+     */
+    public function getAdditionalAuthenticatedData()
+    {
+        return $this->additional_authenticated_data;
+    }
+
+    /**
+     * Optional. Optional data that must match the data originally supplied in
+     * [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data].
+     *
+     * Generated from protobuf field <code>bytes additional_authenticated_data = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setAdditionalAuthenticatedData($var)
+    {
+        GPBUtil::checkString($var, False);
+        $this->additional_authenticated_data = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received
+     * [DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext]
+     * using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext])
+     * is equal to
+     * [DecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.DecryptRequest.ciphertext_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value ciphertext_crc32c = 5 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return \Google\Protobuf\Int64Value|null
+     */
+    public function getCiphertextCrc32C()
+    {
+        return $this->ciphertext_crc32c;
+    }
+
+    public function hasCiphertextCrc32C()
+    {
+        return isset($this->ciphertext_crc32c);
+    }
+
+    public function clearCiphertextCrc32C()
+    {
+        unset($this->ciphertext_crc32c);
+    }
+
+    /**
+     * Returns the unboxed value from <code>getCiphertextCrc32C()</code>
+
+     * Optional. An optional CRC32C checksum of the
+     * [DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received
+     * [DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext]
+     * using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext])
+     * is equal to
+     * [DecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.DecryptRequest.ciphertext_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value ciphertext_crc32c = 5 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return int|string|null
+     */
+    public function getCiphertextCrc32CUnwrapped()
+    {
+        return $this->readWrapperValue("ciphertext_crc32c");
+    }
+
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received
+     * [DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext]
+     * using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext])
+     * is equal to
+     * [DecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.DecryptRequest.ciphertext_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value ciphertext_crc32c = 5 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param \Google\Protobuf\Int64Value $var
+     * @return $this
+     */
+    public function setCiphertextCrc32C($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Int64Value::class);
+        $this->ciphertext_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * Sets the field by wrapping a primitive type in a Google\Protobuf\Int64Value object.
+
+     * Optional. An optional CRC32C checksum of the
+     * [DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received
+     * [DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext]
+     * using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext])
+     * is equal to
+     * [DecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.DecryptRequest.ciphertext_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value ciphertext_crc32c = 5 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param int|string|null $var
+     * @return $this
+     */
+    public function setCiphertextCrc32CUnwrapped($var)
+    {
+        $this->writeWrapperValue("ciphertext_crc32c", $var);
+        return $this;}
+
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received
+     * [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data]
+     * using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data])
+     * is equal to
+     * [DecryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value additional_authenticated_data_crc32c = 6 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return \Google\Protobuf\Int64Value|null
+     */
+    public function getAdditionalAuthenticatedDataCrc32C()
+    {
+        return $this->additional_authenticated_data_crc32c;
+    }
+
+    public function hasAdditionalAuthenticatedDataCrc32C()
+    {
+        return isset($this->additional_authenticated_data_crc32c);
+    }
+
+    public function clearAdditionalAuthenticatedDataCrc32C()
+    {
+        unset($this->additional_authenticated_data_crc32c);
+    }
+
+    /**
+     * Returns the unboxed value from <code>getAdditionalAuthenticatedDataCrc32C()</code>
+
+     * Optional. An optional CRC32C checksum of the
+     * [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received
+     * [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data]
+     * using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data])
+     * is equal to
+     * [DecryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value additional_authenticated_data_crc32c = 6 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return int|string|null
+     */
+    public function getAdditionalAuthenticatedDataCrc32CUnwrapped()
+    {
+        return $this->readWrapperValue("additional_authenticated_data_crc32c");
+    }
+
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received
+     * [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data]
+     * using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data])
+     * is equal to
+     * [DecryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value additional_authenticated_data_crc32c = 6 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param \Google\Protobuf\Int64Value $var
+     * @return $this
+     */
+    public function setAdditionalAuthenticatedDataCrc32C($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Int64Value::class);
+        $this->additional_authenticated_data_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * Sets the field by wrapping a primitive type in a Google\Protobuf\Int64Value object.
+
+     * Optional. An optional CRC32C checksum of the
+     * [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received
+     * [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data]
+     * using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data])
+     * is equal to
+     * [DecryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value additional_authenticated_data_crc32c = 6 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param int|string|null $var
+     * @return $this
+     */
+    public function setAdditionalAuthenticatedDataCrc32CUnwrapped($var)
+    {
+        $this->writeWrapperValue("additional_authenticated_data_crc32c", $var);
+        return $this;}
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/DecryptResponse.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/DecryptResponse.php
new file mode 100644
index 000000000000..3910ec3ae0eb
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/DecryptResponse.php
@@ -0,0 +1,315 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Response message for
+ * [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.DecryptResponse</code>
+ */
+class DecryptResponse extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * The decrypted data originally supplied in
+     * [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext].
+     *
+     * Generated from protobuf field <code>bytes plaintext = 1;</code>
+     */
+    protected $plaintext = '';
+    /**
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext].
+     * An integrity check of
+     * [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext]
+     * can be performed by computing the CRC32C checksum of
+     * [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext]
+     * and comparing your results to this field. Discard the response in case of
+     * non-matching checksum values, and perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: receiving this response message indicates that
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] is able to
+     * successfully decrypt the
+     * [ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext]. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value plaintext_crc32c = 2;</code>
+     */
+    protected $plaintext_crc32c = null;
+    /**
+     * Whether the Decryption was performed using the primary key version.
+     *
+     * Generated from protobuf field <code>bool used_primary = 3;</code>
+     */
+    protected $used_primary = false;
+    /**
+     * The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in
+     * decryption.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 4;</code>
+     */
+    protected $protection_level = 0;
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $plaintext
+     *           The decrypted data originally supplied in
+     *           [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext].
+     *     @type \Google\Protobuf\Int64Value $plaintext_crc32c
+     *           Integrity verification field. A CRC32C checksum of the returned
+     *           [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext].
+     *           An integrity check of
+     *           [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext]
+     *           can be performed by computing the CRC32C checksum of
+     *           [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext]
+     *           and comparing your results to this field. Discard the response in case of
+     *           non-matching checksum values, and perform a limited number of retries. A
+     *           persistent mismatch may indicate an issue in your computation of the CRC32C
+     *           checksum. Note: receiving this response message indicates that
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] is able to
+     *           successfully decrypt the
+     *           [ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext]. Note: This
+     *           field is defined as int64 for reasons of compatibility across different
+     *           languages. However, it is a non-negative integer, which will never exceed
+     *           2^32-1, and can be safely downconverted to uint32 in languages that support
+     *           this type.
+     *     @type bool $used_primary
+     *           Whether the Decryption was performed using the primary key version.
+     *     @type int $protection_level
+     *           The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in
+     *           decryption.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * The decrypted data originally supplied in
+     * [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext].
+     *
+     * Generated from protobuf field <code>bytes plaintext = 1;</code>
+     * @return string
+     */
+    public function getPlaintext()
+    {
+        return $this->plaintext;
+    }
+
+    /**
+     * The decrypted data originally supplied in
+     * [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext].
+     *
+     * Generated from protobuf field <code>bytes plaintext = 1;</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setPlaintext($var)
+    {
+        GPBUtil::checkString($var, False);
+        $this->plaintext = $var;
+
+        return $this;
+    }
+
+    /**
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext].
+     * An integrity check of
+     * [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext]
+     * can be performed by computing the CRC32C checksum of
+     * [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext]
+     * and comparing your results to this field. Discard the response in case of
+     * non-matching checksum values, and perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: receiving this response message indicates that
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] is able to
+     * successfully decrypt the
+     * [ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext]. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value plaintext_crc32c = 2;</code>
+     * @return \Google\Protobuf\Int64Value|null
+     */
+    public function getPlaintextCrc32C()
+    {
+        return $this->plaintext_crc32c;
+    }
+
+    public function hasPlaintextCrc32C()
+    {
+        return isset($this->plaintext_crc32c);
+    }
+
+    public function clearPlaintextCrc32C()
+    {
+        unset($this->plaintext_crc32c);
+    }
+
+    /**
+     * Returns the unboxed value from <code>getPlaintextCrc32C()</code>
+
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext].
+     * An integrity check of
+     * [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext]
+     * can be performed by computing the CRC32C checksum of
+     * [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext]
+     * and comparing your results to this field. Discard the response in case of
+     * non-matching checksum values, and perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: receiving this response message indicates that
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] is able to
+     * successfully decrypt the
+     * [ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext]. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value plaintext_crc32c = 2;</code>
+     * @return int|string|null
+     */
+    public function getPlaintextCrc32CUnwrapped()
+    {
+        return $this->readWrapperValue("plaintext_crc32c");
+    }
+
+    /**
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext].
+     * An integrity check of
+     * [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext]
+     * can be performed by computing the CRC32C checksum of
+     * [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext]
+     * and comparing your results to this field. Discard the response in case of
+     * non-matching checksum values, and perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: receiving this response message indicates that
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] is able to
+     * successfully decrypt the
+     * [ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext]. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value plaintext_crc32c = 2;</code>
+     * @param \Google\Protobuf\Int64Value $var
+     * @return $this
+     */
+    public function setPlaintextCrc32C($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Int64Value::class);
+        $this->plaintext_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * Sets the field by wrapping a primitive type in a Google\Protobuf\Int64Value object.
+
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext].
+     * An integrity check of
+     * [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext]
+     * can be performed by computing the CRC32C checksum of
+     * [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext]
+     * and comparing your results to this field. Discard the response in case of
+     * non-matching checksum values, and perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: receiving this response message indicates that
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] is able to
+     * successfully decrypt the
+     * [ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext]. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value plaintext_crc32c = 2;</code>
+     * @param int|string|null $var
+     * @return $this
+     */
+    public function setPlaintextCrc32CUnwrapped($var)
+    {
+        $this->writeWrapperValue("plaintext_crc32c", $var);
+        return $this;}
+
+    /**
+     * Whether the Decryption was performed using the primary key version.
+     *
+     * Generated from protobuf field <code>bool used_primary = 3;</code>
+     * @return bool
+     */
+    public function getUsedPrimary()
+    {
+        return $this->used_primary;
+    }
+
+    /**
+     * Whether the Decryption was performed using the primary key version.
+     *
+     * Generated from protobuf field <code>bool used_primary = 3;</code>
+     * @param bool $var
+     * @return $this
+     */
+    public function setUsedPrimary($var)
+    {
+        GPBUtil::checkBool($var);
+        $this->used_primary = $var;
+
+        return $this;
+    }
+
+    /**
+     * The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in
+     * decryption.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 4;</code>
+     * @return int
+     */
+    public function getProtectionLevel()
+    {
+        return $this->protection_level;
+    }
+
+    /**
+     * The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in
+     * decryption.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 4;</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setProtectionLevel($var)
+    {
+        GPBUtil::checkEnum($var, \Google\Cloud\Kms\V1\ProtectionLevel::class);
+        $this->protection_level = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/DestroyCryptoKeyVersionRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/DestroyCryptoKeyVersionRequest.php
new file mode 100644
index 000000000000..71fbcb00be4b
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/DestroyCryptoKeyVersionRequest.php
@@ -0,0 +1,87 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [KeyManagementService.DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.DestroyCryptoKeyVersionRequest</code>
+ */
+class DestroyCryptoKeyVersionRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to destroy.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     */
+    protected $name = '';
+
+    /**
+     * @param string $name Required. The resource name of the
+     *                     [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to destroy. Please see
+     *                     {@see KeyManagementServiceClient::cryptoKeyVersionName()} for help formatting this field.
+     *
+     * @return \Google\Cloud\Kms\V1\DestroyCryptoKeyVersionRequest
+     *
+     * @experimental
+     */
+    public static function build(string $name): self
+    {
+        return (new self())
+            ->setName($name);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $name
+     *           Required. The resource name of the
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to destroy.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to destroy.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * Required. The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to destroy.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setName($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->name = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/Digest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/Digest.php
new file mode 100644
index 000000000000..90201ffc30de
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/Digest.php
@@ -0,0 +1,141 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * A [Digest][google.cloud.kms.v1.Digest] holds a cryptographic message digest.
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.Digest</code>
+ */
+class Digest extends \Google\Protobuf\Internal\Message
+{
+    protected $digest;
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $sha256
+     *           A message digest produced with the SHA-256 algorithm.
+     *     @type string $sha384
+     *           A message digest produced with the SHA-384 algorithm.
+     *     @type string $sha512
+     *           A message digest produced with the SHA-512 algorithm.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * A message digest produced with the SHA-256 algorithm.
+     *
+     * Generated from protobuf field <code>bytes sha256 = 1;</code>
+     * @return string
+     */
+    public function getSha256()
+    {
+        return $this->readOneof(1);
+    }
+
+    public function hasSha256()
+    {
+        return $this->hasOneof(1);
+    }
+
+    /**
+     * A message digest produced with the SHA-256 algorithm.
+     *
+     * Generated from protobuf field <code>bytes sha256 = 1;</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setSha256($var)
+    {
+        GPBUtil::checkString($var, False);
+        $this->writeOneof(1, $var);
+
+        return $this;
+    }
+
+    /**
+     * A message digest produced with the SHA-384 algorithm.
+     *
+     * Generated from protobuf field <code>bytes sha384 = 2;</code>
+     * @return string
+     */
+    public function getSha384()
+    {
+        return $this->readOneof(2);
+    }
+
+    public function hasSha384()
+    {
+        return $this->hasOneof(2);
+    }
+
+    /**
+     * A message digest produced with the SHA-384 algorithm.
+     *
+     * Generated from protobuf field <code>bytes sha384 = 2;</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setSha384($var)
+    {
+        GPBUtil::checkString($var, False);
+        $this->writeOneof(2, $var);
+
+        return $this;
+    }
+
+    /**
+     * A message digest produced with the SHA-512 algorithm.
+     *
+     * Generated from protobuf field <code>bytes sha512 = 3;</code>
+     * @return string
+     */
+    public function getSha512()
+    {
+        return $this->readOneof(3);
+    }
+
+    public function hasSha512()
+    {
+        return $this->hasOneof(3);
+    }
+
+    /**
+     * A message digest produced with the SHA-512 algorithm.
+     *
+     * Generated from protobuf field <code>bytes sha512 = 3;</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setSha512($var)
+    {
+        GPBUtil::checkString($var, False);
+        $this->writeOneof(3, $var);
+
+        return $this;
+    }
+
+    /**
+     * @return string
+     */
+    public function getDigest()
+    {
+        return $this->whichOneof("digest");
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/EkmConfig.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/EkmConfig.php
new file mode 100644
index 000000000000..92325efb4514
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/EkmConfig.php
@@ -0,0 +1,123 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/ekm_service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * An [EkmConfig][google.cloud.kms.v1.EkmConfig] is a singleton resource that
+ * represents configuration parameters that apply to all
+ * [CryptoKeys][google.cloud.kms.v1.CryptoKey] and
+ * [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] with a
+ * [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of
+ * [EXTERNAL_VPC][CryptoKeyVersion.ProtectionLevel.EXTERNAL_VPC] in a given
+ * project and location.
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.EkmConfig</code>
+ */
+class EkmConfig extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Output only. The resource name for the
+     * [EkmConfig][google.cloud.kms.v1.EkmConfig] in the format
+     * `projects/&#42;&#47;locations/&#42;&#47;ekmConfig`.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $name = '';
+    /**
+     * Optional. Resource name of the default
+     * [EkmConnection][google.cloud.kms.v1.EkmConnection]. Setting this field to
+     * the empty string removes the default.
+     *
+     * Generated from protobuf field <code>string default_ekm_connection = 2 [(.google.api.field_behavior) = OPTIONAL, (.google.api.resource_reference) = {</code>
+     */
+    protected $default_ekm_connection = '';
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $name
+     *           Output only. The resource name for the
+     *           [EkmConfig][google.cloud.kms.v1.EkmConfig] in the format
+     *           `projects/&#42;&#47;locations/&#42;&#47;ekmConfig`.
+     *     @type string $default_ekm_connection
+     *           Optional. Resource name of the default
+     *           [EkmConnection][google.cloud.kms.v1.EkmConnection]. Setting this field to
+     *           the empty string removes the default.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\EkmService::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Output only. The resource name for the
+     * [EkmConfig][google.cloud.kms.v1.EkmConfig] in the format
+     * `projects/&#42;&#47;locations/&#42;&#47;ekmConfig`.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * Output only. The resource name for the
+     * [EkmConfig][google.cloud.kms.v1.EkmConfig] in the format
+     * `projects/&#42;&#47;locations/&#42;&#47;ekmConfig`.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setName($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->name = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. Resource name of the default
+     * [EkmConnection][google.cloud.kms.v1.EkmConnection]. Setting this field to
+     * the empty string removes the default.
+     *
+     * Generated from protobuf field <code>string default_ekm_connection = 2 [(.google.api.field_behavior) = OPTIONAL, (.google.api.resource_reference) = {</code>
+     * @return string
+     */
+    public function getDefaultEkmConnection()
+    {
+        return $this->default_ekm_connection;
+    }
+
+    /**
+     * Optional. Resource name of the default
+     * [EkmConnection][google.cloud.kms.v1.EkmConnection]. Setting this field to
+     * the empty string removes the default.
+     *
+     * Generated from protobuf field <code>string default_ekm_connection = 2 [(.google.api.field_behavior) = OPTIONAL, (.google.api.resource_reference) = {</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setDefaultEkmConnection($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->default_ekm_connection = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/EkmConnection.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/EkmConnection.php
new file mode 100644
index 000000000000..918f3dee31e3
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/EkmConnection.php
@@ -0,0 +1,314 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/ekm_service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * An [EkmConnection][google.cloud.kms.v1.EkmConnection] represents an
+ * individual EKM connection. It can be used for creating
+ * [CryptoKeys][google.cloud.kms.v1.CryptoKey] and
+ * [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] with a
+ * [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of
+ * [EXTERNAL_VPC][CryptoKeyVersion.ProtectionLevel.EXTERNAL_VPC], as well as
+ * performing cryptographic operations using keys created within the
+ * [EkmConnection][google.cloud.kms.v1.EkmConnection].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.EkmConnection</code>
+ */
+class EkmConnection extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Output only. The resource name for the
+     * [EkmConnection][google.cloud.kms.v1.EkmConnection] in the format
+     * `projects/&#42;&#47;locations/&#42;&#47;ekmConnections/&#42;`.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $name = '';
+    /**
+     * Output only. The time at which the
+     * [EkmConnection][google.cloud.kms.v1.EkmConnection] was created.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp create_time = 2 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $create_time = null;
+    /**
+     * Optional. A list of
+     * [ServiceResolvers][google.cloud.kms.v1.EkmConnection.ServiceResolver] where
+     * the EKM can be reached. There should be one ServiceResolver per EKM
+     * replica. Currently, only a single
+     * [ServiceResolver][google.cloud.kms.v1.EkmConnection.ServiceResolver] is
+     * supported.
+     *
+     * Generated from protobuf field <code>repeated .google.cloud.kms.v1.EkmConnection.ServiceResolver service_resolvers = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    private $service_resolvers;
+    /**
+     * Optional. Etag of the currently stored
+     * [EkmConnection][google.cloud.kms.v1.EkmConnection].
+     *
+     * Generated from protobuf field <code>string etag = 5 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $etag = '';
+    /**
+     * Optional. Describes who can perform control plane operations on the EKM. If
+     * unset, this defaults to
+     * [MANUAL][google.cloud.kms.v1.EkmConnection.KeyManagementMode.MANUAL].
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.EkmConnection.KeyManagementMode key_management_mode = 6 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $key_management_mode = 0;
+    /**
+     * Optional. Identifies the EKM Crypto Space that this
+     * [EkmConnection][google.cloud.kms.v1.EkmConnection] maps to. Note: This
+     * field is required if
+     * [KeyManagementMode][google.cloud.kms.v1.EkmConnection.KeyManagementMode] is
+     * [CLOUD_KMS][google.cloud.kms.v1.EkmConnection.KeyManagementMode.CLOUD_KMS].
+     *
+     * Generated from protobuf field <code>string crypto_space_path = 7 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $crypto_space_path = '';
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $name
+     *           Output only. The resource name for the
+     *           [EkmConnection][google.cloud.kms.v1.EkmConnection] in the format
+     *           `projects/&#42;&#47;locations/&#42;&#47;ekmConnections/&#42;`.
+     *     @type \Google\Protobuf\Timestamp $create_time
+     *           Output only. The time at which the
+     *           [EkmConnection][google.cloud.kms.v1.EkmConnection] was created.
+     *     @type array<\Google\Cloud\Kms\V1\EkmConnection\ServiceResolver>|\Google\Protobuf\Internal\RepeatedField $service_resolvers
+     *           Optional. A list of
+     *           [ServiceResolvers][google.cloud.kms.v1.EkmConnection.ServiceResolver] where
+     *           the EKM can be reached. There should be one ServiceResolver per EKM
+     *           replica. Currently, only a single
+     *           [ServiceResolver][google.cloud.kms.v1.EkmConnection.ServiceResolver] is
+     *           supported.
+     *     @type string $etag
+     *           Optional. Etag of the currently stored
+     *           [EkmConnection][google.cloud.kms.v1.EkmConnection].
+     *     @type int $key_management_mode
+     *           Optional. Describes who can perform control plane operations on the EKM. If
+     *           unset, this defaults to
+     *           [MANUAL][google.cloud.kms.v1.EkmConnection.KeyManagementMode.MANUAL].
+     *     @type string $crypto_space_path
+     *           Optional. Identifies the EKM Crypto Space that this
+     *           [EkmConnection][google.cloud.kms.v1.EkmConnection] maps to. Note: This
+     *           field is required if
+     *           [KeyManagementMode][google.cloud.kms.v1.EkmConnection.KeyManagementMode] is
+     *           [CLOUD_KMS][google.cloud.kms.v1.EkmConnection.KeyManagementMode.CLOUD_KMS].
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\EkmService::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Output only. The resource name for the
+     * [EkmConnection][google.cloud.kms.v1.EkmConnection] in the format
+     * `projects/&#42;&#47;locations/&#42;&#47;ekmConnections/&#42;`.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * Output only. The resource name for the
+     * [EkmConnection][google.cloud.kms.v1.EkmConnection] in the format
+     * `projects/&#42;&#47;locations/&#42;&#47;ekmConnections/&#42;`.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setName($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->name = $var;
+
+        return $this;
+    }
+
+    /**
+     * Output only. The time at which the
+     * [EkmConnection][google.cloud.kms.v1.EkmConnection] was created.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp create_time = 2 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return \Google\Protobuf\Timestamp|null
+     */
+    public function getCreateTime()
+    {
+        return $this->create_time;
+    }
+
+    public function hasCreateTime()
+    {
+        return isset($this->create_time);
+    }
+
+    public function clearCreateTime()
+    {
+        unset($this->create_time);
+    }
+
+    /**
+     * Output only. The time at which the
+     * [EkmConnection][google.cloud.kms.v1.EkmConnection] was created.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp create_time = 2 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param \Google\Protobuf\Timestamp $var
+     * @return $this
+     */
+    public function setCreateTime($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Timestamp::class);
+        $this->create_time = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. A list of
+     * [ServiceResolvers][google.cloud.kms.v1.EkmConnection.ServiceResolver] where
+     * the EKM can be reached. There should be one ServiceResolver per EKM
+     * replica. Currently, only a single
+     * [ServiceResolver][google.cloud.kms.v1.EkmConnection.ServiceResolver] is
+     * supported.
+     *
+     * Generated from protobuf field <code>repeated .google.cloud.kms.v1.EkmConnection.ServiceResolver service_resolvers = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return \Google\Protobuf\Internal\RepeatedField
+     */
+    public function getServiceResolvers()
+    {
+        return $this->service_resolvers;
+    }
+
+    /**
+     * Optional. A list of
+     * [ServiceResolvers][google.cloud.kms.v1.EkmConnection.ServiceResolver] where
+     * the EKM can be reached. There should be one ServiceResolver per EKM
+     * replica. Currently, only a single
+     * [ServiceResolver][google.cloud.kms.v1.EkmConnection.ServiceResolver] is
+     * supported.
+     *
+     * Generated from protobuf field <code>repeated .google.cloud.kms.v1.EkmConnection.ServiceResolver service_resolvers = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param array<\Google\Cloud\Kms\V1\EkmConnection\ServiceResolver>|\Google\Protobuf\Internal\RepeatedField $var
+     * @return $this
+     */
+    public function setServiceResolvers($var)
+    {
+        $arr = GPBUtil::checkRepeatedField($var, \Google\Protobuf\Internal\GPBType::MESSAGE, \Google\Cloud\Kms\V1\EkmConnection\ServiceResolver::class);
+        $this->service_resolvers = $arr;
+
+        return $this;
+    }
+
+    /**
+     * Optional. Etag of the currently stored
+     * [EkmConnection][google.cloud.kms.v1.EkmConnection].
+     *
+     * Generated from protobuf field <code>string etag = 5 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return string
+     */
+    public function getEtag()
+    {
+        return $this->etag;
+    }
+
+    /**
+     * Optional. Etag of the currently stored
+     * [EkmConnection][google.cloud.kms.v1.EkmConnection].
+     *
+     * Generated from protobuf field <code>string etag = 5 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setEtag($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->etag = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. Describes who can perform control plane operations on the EKM. If
+     * unset, this defaults to
+     * [MANUAL][google.cloud.kms.v1.EkmConnection.KeyManagementMode.MANUAL].
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.EkmConnection.KeyManagementMode key_management_mode = 6 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return int
+     */
+    public function getKeyManagementMode()
+    {
+        return $this->key_management_mode;
+    }
+
+    /**
+     * Optional. Describes who can perform control plane operations on the EKM. If
+     * unset, this defaults to
+     * [MANUAL][google.cloud.kms.v1.EkmConnection.KeyManagementMode.MANUAL].
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.EkmConnection.KeyManagementMode key_management_mode = 6 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setKeyManagementMode($var)
+    {
+        GPBUtil::checkEnum($var, \Google\Cloud\Kms\V1\EkmConnection\KeyManagementMode::class);
+        $this->key_management_mode = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. Identifies the EKM Crypto Space that this
+     * [EkmConnection][google.cloud.kms.v1.EkmConnection] maps to. Note: This
+     * field is required if
+     * [KeyManagementMode][google.cloud.kms.v1.EkmConnection.KeyManagementMode] is
+     * [CLOUD_KMS][google.cloud.kms.v1.EkmConnection.KeyManagementMode.CLOUD_KMS].
+     *
+     * Generated from protobuf field <code>string crypto_space_path = 7 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return string
+     */
+    public function getCryptoSpacePath()
+    {
+        return $this->crypto_space_path;
+    }
+
+    /**
+     * Optional. Identifies the EKM Crypto Space that this
+     * [EkmConnection][google.cloud.kms.v1.EkmConnection] maps to. Note: This
+     * field is required if
+     * [KeyManagementMode][google.cloud.kms.v1.EkmConnection.KeyManagementMode] is
+     * [CLOUD_KMS][google.cloud.kms.v1.EkmConnection.KeyManagementMode.CLOUD_KMS].
+     *
+     * Generated from protobuf field <code>string crypto_space_path = 7 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setCryptoSpacePath($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->crypto_space_path = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/EkmConnection/KeyManagementMode.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/EkmConnection/KeyManagementMode.php
new file mode 100644
index 000000000000..03dd23462c6c
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/EkmConnection/KeyManagementMode.php
@@ -0,0 +1,90 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/ekm_service.proto
+
+namespace Google\Cloud\Kms\V1\EkmConnection;
+
+use UnexpectedValueException;
+
+/**
+ * [KeyManagementMode][google.cloud.kms.v1.EkmConnection.KeyManagementMode]
+ * describes who can perform control plane cryptographic operations using this
+ * [EkmConnection][google.cloud.kms.v1.EkmConnection].
+ *
+ * Protobuf type <code>google.cloud.kms.v1.EkmConnection.KeyManagementMode</code>
+ */
+class KeyManagementMode
+{
+    /**
+     * Not specified.
+     *
+     * Generated from protobuf enum <code>KEY_MANAGEMENT_MODE_UNSPECIFIED = 0;</code>
+     */
+    const KEY_MANAGEMENT_MODE_UNSPECIFIED = 0;
+    /**
+     * EKM-side key management operations on
+     * [CryptoKeys][google.cloud.kms.v1.CryptoKey] created with this
+     * [EkmConnection][google.cloud.kms.v1.EkmConnection] must be initiated from
+     * the EKM directly and cannot be performed from Cloud KMS. This means that:
+     * * When creating a
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] associated with
+     * this
+     *   [EkmConnection][google.cloud.kms.v1.EkmConnection], the caller must
+     *   supply the key path of pre-existing external key material that will be
+     *   linked to the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
+     * * Destruction of external key material cannot be requested via the
+     *   Cloud KMS API and must be performed directly in the EKM.
+     * * Automatic rotation of key material is not supported.
+     *
+     * Generated from protobuf enum <code>MANUAL = 1;</code>
+     */
+    const MANUAL = 1;
+    /**
+     * All [CryptoKeys][google.cloud.kms.v1.CryptoKey] created with this
+     * [EkmConnection][google.cloud.kms.v1.EkmConnection] use EKM-side key
+     * management operations initiated from Cloud KMS. This means that:
+     * * When a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+     * associated with this [EkmConnection][google.cloud.kms.v1.EkmConnection]
+     * is
+     *   created, the EKM automatically generates new key material and a new
+     *   key path. The caller cannot supply the key path of pre-existing
+     *   external key material.
+     * * Destruction of external key material associated with this
+     *   [EkmConnection][google.cloud.kms.v1.EkmConnection] can be requested by
+     *   calling [DestroyCryptoKeyVersion][EkmService.DestroyCryptoKeyVersion].
+     * * Automatic rotation of key material is supported.
+     *
+     * Generated from protobuf enum <code>CLOUD_KMS = 2;</code>
+     */
+    const CLOUD_KMS = 2;
+
+    private static $valueToName = [
+        self::KEY_MANAGEMENT_MODE_UNSPECIFIED => 'KEY_MANAGEMENT_MODE_UNSPECIFIED',
+        self::MANUAL => 'MANUAL',
+        self::CLOUD_KMS => 'CLOUD_KMS',
+    ];
+
+    public static function name($value)
+    {
+        if (!isset(self::$valueToName[$value])) {
+            throw new UnexpectedValueException(sprintf(
+                    'Enum %s has no name defined for value %s', __CLASS__, $value));
+        }
+        return self::$valueToName[$value];
+    }
+
+
+    public static function value($name)
+    {
+        $const = __CLASS__ . '::' . strtoupper($name);
+        if (!defined($const)) {
+            throw new UnexpectedValueException(sprintf(
+                    'Enum %s has no value defined for name %s', __CLASS__, $name));
+        }
+        return constant($const);
+    }
+}
+
+// Adding a class alias for backwards compatibility with the previous class name.
+class_alias(KeyManagementMode::class, \Google\Cloud\Kms\V1\EkmConnection_KeyManagementMode::class);
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/EkmConnection/ServiceResolver.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/EkmConnection/ServiceResolver.php
new file mode 100644
index 000000000000..37e72fe4b1a8
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/EkmConnection/ServiceResolver.php
@@ -0,0 +1,206 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/ekm_service.proto
+
+namespace Google\Cloud\Kms\V1\EkmConnection;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * A [ServiceResolver][google.cloud.kms.v1.EkmConnection.ServiceResolver]
+ * represents an EKM replica that can be reached within an
+ * [EkmConnection][google.cloud.kms.v1.EkmConnection].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.EkmConnection.ServiceResolver</code>
+ */
+class ServiceResolver extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. The resource name of the Service Directory service pointing to
+     * an EKM replica, in the format
+     * `projects/&#42;&#47;locations/&#42;&#47;namespaces/&#42;&#47;services/&#42;`.
+     *
+     * Generated from protobuf field <code>string service_directory_service = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     */
+    protected $service_directory_service = '';
+    /**
+     * Optional. The filter applied to the endpoints of the resolved service. If
+     * no filter is specified, all endpoints will be considered. An endpoint
+     * will be chosen arbitrarily from the filtered list for each request.
+     * For endpoint filter syntax and examples, see
+     * https://cloud.google.com/service-directory/docs/reference/rpc/google.cloud.servicedirectory.v1#resolveservicerequest.
+     *
+     * Generated from protobuf field <code>string endpoint_filter = 2 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $endpoint_filter = '';
+    /**
+     * Required. The hostname of the EKM replica used at TLS and HTTP layers.
+     *
+     * Generated from protobuf field <code>string hostname = 3 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    protected $hostname = '';
+    /**
+     * Required. A list of leaf server certificates used to authenticate HTTPS
+     * connections to the EKM replica. Currently, a maximum of 10
+     * [Certificate][google.cloud.kms.v1.Certificate] is supported.
+     *
+     * Generated from protobuf field <code>repeated .google.cloud.kms.v1.Certificate server_certificates = 4 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    private $server_certificates;
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $service_directory_service
+     *           Required. The resource name of the Service Directory service pointing to
+     *           an EKM replica, in the format
+     *           `projects/&#42;&#47;locations/&#42;&#47;namespaces/&#42;&#47;services/&#42;`.
+     *     @type string $endpoint_filter
+     *           Optional. The filter applied to the endpoints of the resolved service. If
+     *           no filter is specified, all endpoints will be considered. An endpoint
+     *           will be chosen arbitrarily from the filtered list for each request.
+     *           For endpoint filter syntax and examples, see
+     *           https://cloud.google.com/service-directory/docs/reference/rpc/google.cloud.servicedirectory.v1#resolveservicerequest.
+     *     @type string $hostname
+     *           Required. The hostname of the EKM replica used at TLS and HTTP layers.
+     *     @type array<\Google\Cloud\Kms\V1\Certificate>|\Google\Protobuf\Internal\RepeatedField $server_certificates
+     *           Required. A list of leaf server certificates used to authenticate HTTPS
+     *           connections to the EKM replica. Currently, a maximum of 10
+     *           [Certificate][google.cloud.kms.v1.Certificate] is supported.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\EkmService::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. The resource name of the Service Directory service pointing to
+     * an EKM replica, in the format
+     * `projects/&#42;&#47;locations/&#42;&#47;namespaces/&#42;&#47;services/&#42;`.
+     *
+     * Generated from protobuf field <code>string service_directory_service = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @return string
+     */
+    public function getServiceDirectoryService()
+    {
+        return $this->service_directory_service;
+    }
+
+    /**
+     * Required. The resource name of the Service Directory service pointing to
+     * an EKM replica, in the format
+     * `projects/&#42;&#47;locations/&#42;&#47;namespaces/&#42;&#47;services/&#42;`.
+     *
+     * Generated from protobuf field <code>string service_directory_service = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setServiceDirectoryService($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->service_directory_service = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. The filter applied to the endpoints of the resolved service. If
+     * no filter is specified, all endpoints will be considered. An endpoint
+     * will be chosen arbitrarily from the filtered list for each request.
+     * For endpoint filter syntax and examples, see
+     * https://cloud.google.com/service-directory/docs/reference/rpc/google.cloud.servicedirectory.v1#resolveservicerequest.
+     *
+     * Generated from protobuf field <code>string endpoint_filter = 2 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return string
+     */
+    public function getEndpointFilter()
+    {
+        return $this->endpoint_filter;
+    }
+
+    /**
+     * Optional. The filter applied to the endpoints of the resolved service. If
+     * no filter is specified, all endpoints will be considered. An endpoint
+     * will be chosen arbitrarily from the filtered list for each request.
+     * For endpoint filter syntax and examples, see
+     * https://cloud.google.com/service-directory/docs/reference/rpc/google.cloud.servicedirectory.v1#resolveservicerequest.
+     *
+     * Generated from protobuf field <code>string endpoint_filter = 2 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setEndpointFilter($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->endpoint_filter = $var;
+
+        return $this;
+    }
+
+    /**
+     * Required. The hostname of the EKM replica used at TLS and HTTP layers.
+     *
+     * Generated from protobuf field <code>string hostname = 3 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return string
+     */
+    public function getHostname()
+    {
+        return $this->hostname;
+    }
+
+    /**
+     * Required. The hostname of the EKM replica used at TLS and HTTP layers.
+     *
+     * Generated from protobuf field <code>string hostname = 3 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setHostname($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->hostname = $var;
+
+        return $this;
+    }
+
+    /**
+     * Required. A list of leaf server certificates used to authenticate HTTPS
+     * connections to the EKM replica. Currently, a maximum of 10
+     * [Certificate][google.cloud.kms.v1.Certificate] is supported.
+     *
+     * Generated from protobuf field <code>repeated .google.cloud.kms.v1.Certificate server_certificates = 4 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return \Google\Protobuf\Internal\RepeatedField
+     */
+    public function getServerCertificates()
+    {
+        return $this->server_certificates;
+    }
+
+    /**
+     * Required. A list of leaf server certificates used to authenticate HTTPS
+     * connections to the EKM replica. Currently, a maximum of 10
+     * [Certificate][google.cloud.kms.v1.Certificate] is supported.
+     *
+     * Generated from protobuf field <code>repeated .google.cloud.kms.v1.Certificate server_certificates = 4 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param array<\Google\Cloud\Kms\V1\Certificate>|\Google\Protobuf\Internal\RepeatedField $var
+     * @return $this
+     */
+    public function setServerCertificates($var)
+    {
+        $arr = GPBUtil::checkRepeatedField($var, \Google\Protobuf\Internal\GPBType::MESSAGE, \Google\Cloud\Kms\V1\Certificate::class);
+        $this->server_certificates = $arr;
+
+        return $this;
+    }
+
+}
+
+// Adding a class alias for backwards compatibility with the previous class name.
+class_alias(ServiceResolver::class, \Google\Cloud\Kms\V1\EkmConnection_ServiceResolver::class);
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/EncryptRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/EncryptRequest.php
new file mode 100644
index 000000000000..54a6c404dbc8
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/EncryptRequest.php
@@ -0,0 +1,625 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.EncryptRequest</code>
+ */
+class EncryptRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. The resource name of the
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] or
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+     * encryption.
+     * If a [CryptoKey][google.cloud.kms.v1.CryptoKey] is specified, the server
+     * will use its [primary version][google.cloud.kms.v1.CryptoKey.primary].
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     */
+    protected $name = '';
+    /**
+     * Required. The data to encrypt. Must be no larger than 64KiB.
+     * The maximum size depends on the key version's
+     * [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level].
+     * For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE],
+     * [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL], and
+     * [EXTERNAL_VPC][google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC] keys, the
+     * plaintext must be no larger than 64KiB. For
+     * [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of
+     * the plaintext and additional_authenticated_data fields must be no larger
+     * than 8KiB.
+     *
+     * Generated from protobuf field <code>bytes plaintext = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    protected $plaintext = '';
+    /**
+     * Optional. Optional data that, if specified, must also be provided during
+     * decryption through
+     * [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data].
+     * The maximum size depends on the key version's
+     * [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level].
+     * For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE],
+     * [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL], and
+     * [EXTERNAL_VPC][google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC] keys the
+     * AAD must be no larger than 64KiB. For
+     * [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of
+     * the plaintext and additional_authenticated_data fields must be no larger
+     * than 8KiB.
+     *
+     * Generated from protobuf field <code>bytes additional_authenticated_data = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $additional_authenticated_data = '';
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received
+     * [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext]
+     * using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext])
+     * is equal to
+     * [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value plaintext_crc32c = 7 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $plaintext_crc32c = null;
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received
+     * [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data]
+     * using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data])
+     * is equal to
+     * [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value additional_authenticated_data_crc32c = 8 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $additional_authenticated_data_crc32c = null;
+
+    /**
+     * @param string $name      Required. The resource name of the
+     *                          [CryptoKey][google.cloud.kms.v1.CryptoKey] or
+     *                          [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+     *                          encryption.
+     *
+     *                          If a [CryptoKey][google.cloud.kms.v1.CryptoKey] is specified, the server
+     *                          will use its [primary version][google.cloud.kms.v1.CryptoKey.primary].
+     * @param string $plaintext Required. The data to encrypt. Must be no larger than 64KiB.
+     *
+     *                          The maximum size depends on the key version's
+     *                          [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level].
+     *                          For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE],
+     *                          [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL], and
+     *                          [EXTERNAL_VPC][google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC] keys, the
+     *                          plaintext must be no larger than 64KiB. For
+     *                          [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of
+     *                          the plaintext and additional_authenticated_data fields must be no larger
+     *                          than 8KiB.
+     *
+     * @return \Google\Cloud\Kms\V1\EncryptRequest
+     *
+     * @experimental
+     */
+    public static function build(string $name, string $plaintext): self
+    {
+        return (new self())
+            ->setName($name)
+            ->setPlaintext($plaintext);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $name
+     *           Required. The resource name of the
+     *           [CryptoKey][google.cloud.kms.v1.CryptoKey] or
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+     *           encryption.
+     *           If a [CryptoKey][google.cloud.kms.v1.CryptoKey] is specified, the server
+     *           will use its [primary version][google.cloud.kms.v1.CryptoKey.primary].
+     *     @type string $plaintext
+     *           Required. The data to encrypt. Must be no larger than 64KiB.
+     *           The maximum size depends on the key version's
+     *           [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level].
+     *           For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE],
+     *           [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL], and
+     *           [EXTERNAL_VPC][google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC] keys, the
+     *           plaintext must be no larger than 64KiB. For
+     *           [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of
+     *           the plaintext and additional_authenticated_data fields must be no larger
+     *           than 8KiB.
+     *     @type string $additional_authenticated_data
+     *           Optional. Optional data that, if specified, must also be provided during
+     *           decryption through
+     *           [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data].
+     *           The maximum size depends on the key version's
+     *           [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level].
+     *           For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE],
+     *           [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL], and
+     *           [EXTERNAL_VPC][google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC] keys the
+     *           AAD must be no larger than 64KiB. For
+     *           [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of
+     *           the plaintext and additional_authenticated_data fields must be no larger
+     *           than 8KiB.
+     *     @type \Google\Protobuf\Int64Value $plaintext_crc32c
+     *           Optional. An optional CRC32C checksum of the
+     *           [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext].
+     *           If specified,
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     *           verify the integrity of the received
+     *           [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext]
+     *           using this checksum.
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     *           report an error if the checksum verification fails. If you receive a
+     *           checksum error, your client should verify that
+     *           CRC32C([EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext])
+     *           is equal to
+     *           [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c],
+     *           and if so, perform a limited number of retries. A persistent mismatch may
+     *           indicate an issue in your computation of the CRC32C checksum. Note: This
+     *           field is defined as int64 for reasons of compatibility across different
+     *           languages. However, it is a non-negative integer, which will never exceed
+     *           2^32-1, and can be safely downconverted to uint32 in languages that support
+     *           this type.
+     *     @type \Google\Protobuf\Int64Value $additional_authenticated_data_crc32c
+     *           Optional. An optional CRC32C checksum of the
+     *           [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data].
+     *           If specified,
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     *           verify the integrity of the received
+     *           [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data]
+     *           using this checksum.
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     *           report an error if the checksum verification fails. If you receive a
+     *           checksum error, your client should verify that
+     *           CRC32C([EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data])
+     *           is equal to
+     *           [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c],
+     *           and if so, perform a limited number of retries. A persistent mismatch may
+     *           indicate an issue in your computation of the CRC32C checksum. Note: This
+     *           field is defined as int64 for reasons of compatibility across different
+     *           languages. However, it is a non-negative integer, which will never exceed
+     *           2^32-1, and can be safely downconverted to uint32 in languages that support
+     *           this type.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. The resource name of the
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] or
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+     * encryption.
+     * If a [CryptoKey][google.cloud.kms.v1.CryptoKey] is specified, the server
+     * will use its [primary version][google.cloud.kms.v1.CryptoKey.primary].
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * Required. The resource name of the
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] or
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+     * encryption.
+     * If a [CryptoKey][google.cloud.kms.v1.CryptoKey] is specified, the server
+     * will use its [primary version][google.cloud.kms.v1.CryptoKey.primary].
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setName($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->name = $var;
+
+        return $this;
+    }
+
+    /**
+     * Required. The data to encrypt. Must be no larger than 64KiB.
+     * The maximum size depends on the key version's
+     * [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level].
+     * For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE],
+     * [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL], and
+     * [EXTERNAL_VPC][google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC] keys, the
+     * plaintext must be no larger than 64KiB. For
+     * [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of
+     * the plaintext and additional_authenticated_data fields must be no larger
+     * than 8KiB.
+     *
+     * Generated from protobuf field <code>bytes plaintext = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return string
+     */
+    public function getPlaintext()
+    {
+        return $this->plaintext;
+    }
+
+    /**
+     * Required. The data to encrypt. Must be no larger than 64KiB.
+     * The maximum size depends on the key version's
+     * [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level].
+     * For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE],
+     * [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL], and
+     * [EXTERNAL_VPC][google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC] keys, the
+     * plaintext must be no larger than 64KiB. For
+     * [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of
+     * the plaintext and additional_authenticated_data fields must be no larger
+     * than 8KiB.
+     *
+     * Generated from protobuf field <code>bytes plaintext = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setPlaintext($var)
+    {
+        GPBUtil::checkString($var, False);
+        $this->plaintext = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. Optional data that, if specified, must also be provided during
+     * decryption through
+     * [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data].
+     * The maximum size depends on the key version's
+     * [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level].
+     * For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE],
+     * [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL], and
+     * [EXTERNAL_VPC][google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC] keys the
+     * AAD must be no larger than 64KiB. For
+     * [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of
+     * the plaintext and additional_authenticated_data fields must be no larger
+     * than 8KiB.
+     *
+     * Generated from protobuf field <code>bytes additional_authenticated_data = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return string
+     */
+    public function getAdditionalAuthenticatedData()
+    {
+        return $this->additional_authenticated_data;
+    }
+
+    /**
+     * Optional. Optional data that, if specified, must also be provided during
+     * decryption through
+     * [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data].
+     * The maximum size depends on the key version's
+     * [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level].
+     * For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE],
+     * [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL], and
+     * [EXTERNAL_VPC][google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC] keys the
+     * AAD must be no larger than 64KiB. For
+     * [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of
+     * the plaintext and additional_authenticated_data fields must be no larger
+     * than 8KiB.
+     *
+     * Generated from protobuf field <code>bytes additional_authenticated_data = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setAdditionalAuthenticatedData($var)
+    {
+        GPBUtil::checkString($var, False);
+        $this->additional_authenticated_data = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received
+     * [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext]
+     * using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext])
+     * is equal to
+     * [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value plaintext_crc32c = 7 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return \Google\Protobuf\Int64Value|null
+     */
+    public function getPlaintextCrc32C()
+    {
+        return $this->plaintext_crc32c;
+    }
+
+    public function hasPlaintextCrc32C()
+    {
+        return isset($this->plaintext_crc32c);
+    }
+
+    public function clearPlaintextCrc32C()
+    {
+        unset($this->plaintext_crc32c);
+    }
+
+    /**
+     * Returns the unboxed value from <code>getPlaintextCrc32C()</code>
+
+     * Optional. An optional CRC32C checksum of the
+     * [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received
+     * [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext]
+     * using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext])
+     * is equal to
+     * [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value plaintext_crc32c = 7 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return int|string|null
+     */
+    public function getPlaintextCrc32CUnwrapped()
+    {
+        return $this->readWrapperValue("plaintext_crc32c");
+    }
+
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received
+     * [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext]
+     * using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext])
+     * is equal to
+     * [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value plaintext_crc32c = 7 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param \Google\Protobuf\Int64Value $var
+     * @return $this
+     */
+    public function setPlaintextCrc32C($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Int64Value::class);
+        $this->plaintext_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * Sets the field by wrapping a primitive type in a Google\Protobuf\Int64Value object.
+
+     * Optional. An optional CRC32C checksum of the
+     * [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received
+     * [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext]
+     * using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext])
+     * is equal to
+     * [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value plaintext_crc32c = 7 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param int|string|null $var
+     * @return $this
+     */
+    public function setPlaintextCrc32CUnwrapped($var)
+    {
+        $this->writeWrapperValue("plaintext_crc32c", $var);
+        return $this;}
+
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received
+     * [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data]
+     * using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data])
+     * is equal to
+     * [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value additional_authenticated_data_crc32c = 8 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return \Google\Protobuf\Int64Value|null
+     */
+    public function getAdditionalAuthenticatedDataCrc32C()
+    {
+        return $this->additional_authenticated_data_crc32c;
+    }
+
+    public function hasAdditionalAuthenticatedDataCrc32C()
+    {
+        return isset($this->additional_authenticated_data_crc32c);
+    }
+
+    public function clearAdditionalAuthenticatedDataCrc32C()
+    {
+        unset($this->additional_authenticated_data_crc32c);
+    }
+
+    /**
+     * Returns the unboxed value from <code>getAdditionalAuthenticatedDataCrc32C()</code>
+
+     * Optional. An optional CRC32C checksum of the
+     * [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received
+     * [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data]
+     * using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data])
+     * is equal to
+     * [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value additional_authenticated_data_crc32c = 8 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return int|string|null
+     */
+    public function getAdditionalAuthenticatedDataCrc32CUnwrapped()
+    {
+        return $this->readWrapperValue("additional_authenticated_data_crc32c");
+    }
+
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received
+     * [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data]
+     * using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data])
+     * is equal to
+     * [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value additional_authenticated_data_crc32c = 8 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param \Google\Protobuf\Int64Value $var
+     * @return $this
+     */
+    public function setAdditionalAuthenticatedDataCrc32C($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Int64Value::class);
+        $this->additional_authenticated_data_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * Sets the field by wrapping a primitive type in a Google\Protobuf\Int64Value object.
+
+     * Optional. An optional CRC32C checksum of the
+     * [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received
+     * [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data]
+     * using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data])
+     * is equal to
+     * [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value additional_authenticated_data_crc32c = 8 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param int|string|null $var
+     * @return $this
+     */
+    public function setAdditionalAuthenticatedDataCrc32CUnwrapped($var)
+    {
+        $this->writeWrapperValue("additional_authenticated_data_crc32c", $var);
+        return $this;}
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/EncryptResponse.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/EncryptResponse.php
new file mode 100644
index 000000000000..7a18418344b6
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/EncryptResponse.php
@@ -0,0 +1,471 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Response message for
+ * [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.EncryptResponse</code>
+ */
+class EncryptResponse extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in
+     * encryption. Check this field to verify that the intended resource was used
+     * for encryption.
+     *
+     * Generated from protobuf field <code>string name = 1;</code>
+     */
+    protected $name = '';
+    /**
+     * The encrypted data.
+     *
+     * Generated from protobuf field <code>bytes ciphertext = 2;</code>
+     */
+    protected $ciphertext = '';
+    /**
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext].
+     * An integrity check of
+     * [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext]
+     * can be performed by computing the CRC32C checksum of
+     * [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext]
+     * and comparing your results to this field. Discard the response in case of
+     * non-matching checksum values, and perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: This field is defined as int64 for reasons of compatibility
+     * across different languages. However, it is a non-negative integer, which
+     * will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     * languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value ciphertext_crc32c = 4;</code>
+     */
+    protected $ciphertext_crc32c = null;
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of the
+     * [plaintext][google.cloud.kms.v1.EncryptRequest.plaintext]. A false value of
+     * this field indicates either that
+     * [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_plaintext_crc32c = 5;</code>
+     */
+    protected $verified_plaintext_crc32c = false;
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of the
+     * [AAD][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data]. A
+     * false value of this field indicates either that
+     * [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_additional_authenticated_data_crc32c = 6;</code>
+     */
+    protected $verified_additional_authenticated_data_crc32c = false;
+    /**
+     * The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in
+     * encryption.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 7;</code>
+     */
+    protected $protection_level = 0;
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $name
+     *           The resource name of the
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in
+     *           encryption. Check this field to verify that the intended resource was used
+     *           for encryption.
+     *     @type string $ciphertext
+     *           The encrypted data.
+     *     @type \Google\Protobuf\Int64Value $ciphertext_crc32c
+     *           Integrity verification field. A CRC32C checksum of the returned
+     *           [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext].
+     *           An integrity check of
+     *           [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext]
+     *           can be performed by computing the CRC32C checksum of
+     *           [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext]
+     *           and comparing your results to this field. Discard the response in case of
+     *           non-matching checksum values, and perform a limited number of retries. A
+     *           persistent mismatch may indicate an issue in your computation of the CRC32C
+     *           checksum. Note: This field is defined as int64 for reasons of compatibility
+     *           across different languages. However, it is a non-negative integer, which
+     *           will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     *           languages that support this type.
+     *     @type bool $verified_plaintext_crc32c
+     *           Integrity verification field. A flag indicating whether
+     *           [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c]
+     *           was received by
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     *           for the integrity verification of the
+     *           [plaintext][google.cloud.kms.v1.EncryptRequest.plaintext]. A false value of
+     *           this field indicates either that
+     *           [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c]
+     *           was left unset or that it was not delivered to
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     *           set
+     *           [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c]
+     *           but this field is still false, discard the response and perform a limited
+     *           number of retries.
+     *     @type bool $verified_additional_authenticated_data_crc32c
+     *           Integrity verification field. A flag indicating whether
+     *           [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c]
+     *           was received by
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     *           for the integrity verification of the
+     *           [AAD][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data]. A
+     *           false value of this field indicates either that
+     *           [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c]
+     *           was left unset or that it was not delivered to
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     *           set
+     *           [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c]
+     *           but this field is still false, discard the response and perform a limited
+     *           number of retries.
+     *     @type int $protection_level
+     *           The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in
+     *           encryption.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in
+     * encryption. Check this field to verify that the intended resource was used
+     * for encryption.
+     *
+     * Generated from protobuf field <code>string name = 1;</code>
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in
+     * encryption. Check this field to verify that the intended resource was used
+     * for encryption.
+     *
+     * Generated from protobuf field <code>string name = 1;</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setName($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->name = $var;
+
+        return $this;
+    }
+
+    /**
+     * The encrypted data.
+     *
+     * Generated from protobuf field <code>bytes ciphertext = 2;</code>
+     * @return string
+     */
+    public function getCiphertext()
+    {
+        return $this->ciphertext;
+    }
+
+    /**
+     * The encrypted data.
+     *
+     * Generated from protobuf field <code>bytes ciphertext = 2;</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setCiphertext($var)
+    {
+        GPBUtil::checkString($var, False);
+        $this->ciphertext = $var;
+
+        return $this;
+    }
+
+    /**
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext].
+     * An integrity check of
+     * [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext]
+     * can be performed by computing the CRC32C checksum of
+     * [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext]
+     * and comparing your results to this field. Discard the response in case of
+     * non-matching checksum values, and perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: This field is defined as int64 for reasons of compatibility
+     * across different languages. However, it is a non-negative integer, which
+     * will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     * languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value ciphertext_crc32c = 4;</code>
+     * @return \Google\Protobuf\Int64Value|null
+     */
+    public function getCiphertextCrc32C()
+    {
+        return $this->ciphertext_crc32c;
+    }
+
+    public function hasCiphertextCrc32C()
+    {
+        return isset($this->ciphertext_crc32c);
+    }
+
+    public function clearCiphertextCrc32C()
+    {
+        unset($this->ciphertext_crc32c);
+    }
+
+    /**
+     * Returns the unboxed value from <code>getCiphertextCrc32C()</code>
+
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext].
+     * An integrity check of
+     * [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext]
+     * can be performed by computing the CRC32C checksum of
+     * [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext]
+     * and comparing your results to this field. Discard the response in case of
+     * non-matching checksum values, and perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: This field is defined as int64 for reasons of compatibility
+     * across different languages. However, it is a non-negative integer, which
+     * will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     * languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value ciphertext_crc32c = 4;</code>
+     * @return int|string|null
+     */
+    public function getCiphertextCrc32CUnwrapped()
+    {
+        return $this->readWrapperValue("ciphertext_crc32c");
+    }
+
+    /**
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext].
+     * An integrity check of
+     * [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext]
+     * can be performed by computing the CRC32C checksum of
+     * [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext]
+     * and comparing your results to this field. Discard the response in case of
+     * non-matching checksum values, and perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: This field is defined as int64 for reasons of compatibility
+     * across different languages. However, it is a non-negative integer, which
+     * will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     * languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value ciphertext_crc32c = 4;</code>
+     * @param \Google\Protobuf\Int64Value $var
+     * @return $this
+     */
+    public function setCiphertextCrc32C($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Int64Value::class);
+        $this->ciphertext_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * Sets the field by wrapping a primitive type in a Google\Protobuf\Int64Value object.
+
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext].
+     * An integrity check of
+     * [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext]
+     * can be performed by computing the CRC32C checksum of
+     * [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext]
+     * and comparing your results to this field. Discard the response in case of
+     * non-matching checksum values, and perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: This field is defined as int64 for reasons of compatibility
+     * across different languages. However, it is a non-negative integer, which
+     * will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     * languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value ciphertext_crc32c = 4;</code>
+     * @param int|string|null $var
+     * @return $this
+     */
+    public function setCiphertextCrc32CUnwrapped($var)
+    {
+        $this->writeWrapperValue("ciphertext_crc32c", $var);
+        return $this;}
+
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of the
+     * [plaintext][google.cloud.kms.v1.EncryptRequest.plaintext]. A false value of
+     * this field indicates either that
+     * [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_plaintext_crc32c = 5;</code>
+     * @return bool
+     */
+    public function getVerifiedPlaintextCrc32C()
+    {
+        return $this->verified_plaintext_crc32c;
+    }
+
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of the
+     * [plaintext][google.cloud.kms.v1.EncryptRequest.plaintext]. A false value of
+     * this field indicates either that
+     * [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_plaintext_crc32c = 5;</code>
+     * @param bool $var
+     * @return $this
+     */
+    public function setVerifiedPlaintextCrc32C($var)
+    {
+        GPBUtil::checkBool($var);
+        $this->verified_plaintext_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of the
+     * [AAD][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data]. A
+     * false value of this field indicates either that
+     * [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_additional_authenticated_data_crc32c = 6;</code>
+     * @return bool
+     */
+    public function getVerifiedAdditionalAuthenticatedDataCrc32C()
+    {
+        return $this->verified_additional_authenticated_data_crc32c;
+    }
+
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of the
+     * [AAD][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data]. A
+     * false value of this field indicates either that
+     * [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_additional_authenticated_data_crc32c = 6;</code>
+     * @param bool $var
+     * @return $this
+     */
+    public function setVerifiedAdditionalAuthenticatedDataCrc32C($var)
+    {
+        GPBUtil::checkBool($var);
+        $this->verified_additional_authenticated_data_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in
+     * encryption.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 7;</code>
+     * @return int
+     */
+    public function getProtectionLevel()
+    {
+        return $this->protection_level;
+    }
+
+    /**
+     * The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in
+     * encryption.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 7;</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setProtectionLevel($var)
+    {
+        GPBUtil::checkEnum($var, \Google\Cloud\Kms\V1\ProtectionLevel::class);
+        $this->protection_level = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ExternalProtectionLevelOptions.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ExternalProtectionLevelOptions.php
new file mode 100644
index 000000000000..9a8fb7d4fabb
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ExternalProtectionLevelOptions.php
@@ -0,0 +1,122 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/resources.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * ExternalProtectionLevelOptions stores a group of additional fields for
+ * configuring a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that
+ * are specific to the [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL]
+ * protection level and
+ * [EXTERNAL_VPC][google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC] protection
+ * levels.
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.ExternalProtectionLevelOptions</code>
+ */
+class ExternalProtectionLevelOptions extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * The URI for an external resource that this
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents.
+     *
+     * Generated from protobuf field <code>string external_key_uri = 1;</code>
+     */
+    protected $external_key_uri = '';
+    /**
+     * The path to the external key material on the EKM when using
+     * [EkmConnection][google.cloud.kms.v1.EkmConnection] e.g., "v0/my/key". Set
+     * this field instead of external_key_uri when using an
+     * [EkmConnection][google.cloud.kms.v1.EkmConnection].
+     *
+     * Generated from protobuf field <code>string ekm_connection_key_path = 2;</code>
+     */
+    protected $ekm_connection_key_path = '';
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $external_key_uri
+     *           The URI for an external resource that this
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents.
+     *     @type string $ekm_connection_key_path
+     *           The path to the external key material on the EKM when using
+     *           [EkmConnection][google.cloud.kms.v1.EkmConnection] e.g., "v0/my/key". Set
+     *           this field instead of external_key_uri when using an
+     *           [EkmConnection][google.cloud.kms.v1.EkmConnection].
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Resources::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * The URI for an external resource that this
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents.
+     *
+     * Generated from protobuf field <code>string external_key_uri = 1;</code>
+     * @return string
+     */
+    public function getExternalKeyUri()
+    {
+        return $this->external_key_uri;
+    }
+
+    /**
+     * The URI for an external resource that this
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents.
+     *
+     * Generated from protobuf field <code>string external_key_uri = 1;</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setExternalKeyUri($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->external_key_uri = $var;
+
+        return $this;
+    }
+
+    /**
+     * The path to the external key material on the EKM when using
+     * [EkmConnection][google.cloud.kms.v1.EkmConnection] e.g., "v0/my/key". Set
+     * this field instead of external_key_uri when using an
+     * [EkmConnection][google.cloud.kms.v1.EkmConnection].
+     *
+     * Generated from protobuf field <code>string ekm_connection_key_path = 2;</code>
+     * @return string
+     */
+    public function getEkmConnectionKeyPath()
+    {
+        return $this->ekm_connection_key_path;
+    }
+
+    /**
+     * The path to the external key material on the EKM when using
+     * [EkmConnection][google.cloud.kms.v1.EkmConnection] e.g., "v0/my/key". Set
+     * this field instead of external_key_uri when using an
+     * [EkmConnection][google.cloud.kms.v1.EkmConnection].
+     *
+     * Generated from protobuf field <code>string ekm_connection_key_path = 2;</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setEkmConnectionKeyPath($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->ekm_connection_key_path = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GenerateRandomBytesRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GenerateRandomBytesRequest.php
new file mode 100644
index 000000000000..695206324a5a
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GenerateRandomBytesRequest.php
@@ -0,0 +1,179 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [KeyManagementService.GenerateRandomBytes][google.cloud.kms.v1.KeyManagementService.GenerateRandomBytes].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.GenerateRandomBytesRequest</code>
+ */
+class GenerateRandomBytesRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * The project-specific location in which to generate random bytes.
+     * For example, "projects/my-project/locations/us-central1".
+     *
+     * Generated from protobuf field <code>string location = 1;</code>
+     */
+    protected $location = '';
+    /**
+     * The length in bytes of the amount of randomness to retrieve.  Minimum 8
+     * bytes, maximum 1024 bytes.
+     *
+     * Generated from protobuf field <code>int32 length_bytes = 2;</code>
+     */
+    protected $length_bytes = 0;
+    /**
+     * The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] to use when
+     * generating the random data. Currently, only
+     * [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] protection level is
+     * supported.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 3;</code>
+     */
+    protected $protection_level = 0;
+
+    /**
+     * @param string $location        The project-specific location in which to generate random bytes.
+     *                                For example, "projects/my-project/locations/us-central1".
+     * @param int    $lengthBytes     The length in bytes of the amount of randomness to retrieve.  Minimum 8
+     *                                bytes, maximum 1024 bytes.
+     * @param int    $protectionLevel The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] to use when
+     *                                generating the random data. Currently, only
+     *                                [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] protection level is
+     *                                supported.
+     *                                For allowed values, use constants defined on {@see \Google\Cloud\Kms\V1\ProtectionLevel}
+     *
+     * @return \Google\Cloud\Kms\V1\GenerateRandomBytesRequest
+     *
+     * @experimental
+     */
+    public static function build(string $location, int $lengthBytes, int $protectionLevel): self
+    {
+        return (new self())
+            ->setLocation($location)
+            ->setLengthBytes($lengthBytes)
+            ->setProtectionLevel($protectionLevel);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $location
+     *           The project-specific location in which to generate random bytes.
+     *           For example, "projects/my-project/locations/us-central1".
+     *     @type int $length_bytes
+     *           The length in bytes of the amount of randomness to retrieve.  Minimum 8
+     *           bytes, maximum 1024 bytes.
+     *     @type int $protection_level
+     *           The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] to use when
+     *           generating the random data. Currently, only
+     *           [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] protection level is
+     *           supported.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * The project-specific location in which to generate random bytes.
+     * For example, "projects/my-project/locations/us-central1".
+     *
+     * Generated from protobuf field <code>string location = 1;</code>
+     * @return string
+     */
+    public function getLocation()
+    {
+        return $this->location;
+    }
+
+    /**
+     * The project-specific location in which to generate random bytes.
+     * For example, "projects/my-project/locations/us-central1".
+     *
+     * Generated from protobuf field <code>string location = 1;</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setLocation($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->location = $var;
+
+        return $this;
+    }
+
+    /**
+     * The length in bytes of the amount of randomness to retrieve.  Minimum 8
+     * bytes, maximum 1024 bytes.
+     *
+     * Generated from protobuf field <code>int32 length_bytes = 2;</code>
+     * @return int
+     */
+    public function getLengthBytes()
+    {
+        return $this->length_bytes;
+    }
+
+    /**
+     * The length in bytes of the amount of randomness to retrieve.  Minimum 8
+     * bytes, maximum 1024 bytes.
+     *
+     * Generated from protobuf field <code>int32 length_bytes = 2;</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setLengthBytes($var)
+    {
+        GPBUtil::checkInt32($var);
+        $this->length_bytes = $var;
+
+        return $this;
+    }
+
+    /**
+     * The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] to use when
+     * generating the random data. Currently, only
+     * [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] protection level is
+     * supported.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 3;</code>
+     * @return int
+     */
+    public function getProtectionLevel()
+    {
+        return $this->protection_level;
+    }
+
+    /**
+     * The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] to use when
+     * generating the random data. Currently, only
+     * [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] protection level is
+     * supported.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 3;</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setProtectionLevel($var)
+    {
+        GPBUtil::checkEnum($var, \Google\Cloud\Kms\V1\ProtectionLevel::class);
+        $this->protection_level = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GenerateRandomBytesResponse.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GenerateRandomBytesResponse.php
new file mode 100644
index 000000000000..4cf4401fde68
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GenerateRandomBytesResponse.php
@@ -0,0 +1,211 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Response message for
+ * [KeyManagementService.GenerateRandomBytes][google.cloud.kms.v1.KeyManagementService.GenerateRandomBytes].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.GenerateRandomBytesResponse</code>
+ */
+class GenerateRandomBytesResponse extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * The generated data.
+     *
+     * Generated from protobuf field <code>bytes data = 1;</code>
+     */
+    protected $data = '';
+    /**
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [GenerateRandomBytesResponse.data][google.cloud.kms.v1.GenerateRandomBytesResponse.data].
+     * An integrity check of
+     * [GenerateRandomBytesResponse.data][google.cloud.kms.v1.GenerateRandomBytesResponse.data]
+     * can be performed by computing the CRC32C checksum of
+     * [GenerateRandomBytesResponse.data][google.cloud.kms.v1.GenerateRandomBytesResponse.data]
+     * and comparing your results to this field. Discard the response in case of
+     * non-matching checksum values, and perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: This field is defined as int64 for reasons of compatibility
+     * across different languages. However, it is a non-negative integer, which
+     * will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     * languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value data_crc32c = 3;</code>
+     */
+    protected $data_crc32c = null;
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $data
+     *           The generated data.
+     *     @type \Google\Protobuf\Int64Value $data_crc32c
+     *           Integrity verification field. A CRC32C checksum of the returned
+     *           [GenerateRandomBytesResponse.data][google.cloud.kms.v1.GenerateRandomBytesResponse.data].
+     *           An integrity check of
+     *           [GenerateRandomBytesResponse.data][google.cloud.kms.v1.GenerateRandomBytesResponse.data]
+     *           can be performed by computing the CRC32C checksum of
+     *           [GenerateRandomBytesResponse.data][google.cloud.kms.v1.GenerateRandomBytesResponse.data]
+     *           and comparing your results to this field. Discard the response in case of
+     *           non-matching checksum values, and perform a limited number of retries. A
+     *           persistent mismatch may indicate an issue in your computation of the CRC32C
+     *           checksum. Note: This field is defined as int64 for reasons of compatibility
+     *           across different languages. However, it is a non-negative integer, which
+     *           will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     *           languages that support this type.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * The generated data.
+     *
+     * Generated from protobuf field <code>bytes data = 1;</code>
+     * @return string
+     */
+    public function getData()
+    {
+        return $this->data;
+    }
+
+    /**
+     * The generated data.
+     *
+     * Generated from protobuf field <code>bytes data = 1;</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setData($var)
+    {
+        GPBUtil::checkString($var, False);
+        $this->data = $var;
+
+        return $this;
+    }
+
+    /**
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [GenerateRandomBytesResponse.data][google.cloud.kms.v1.GenerateRandomBytesResponse.data].
+     * An integrity check of
+     * [GenerateRandomBytesResponse.data][google.cloud.kms.v1.GenerateRandomBytesResponse.data]
+     * can be performed by computing the CRC32C checksum of
+     * [GenerateRandomBytesResponse.data][google.cloud.kms.v1.GenerateRandomBytesResponse.data]
+     * and comparing your results to this field. Discard the response in case of
+     * non-matching checksum values, and perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: This field is defined as int64 for reasons of compatibility
+     * across different languages. However, it is a non-negative integer, which
+     * will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     * languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value data_crc32c = 3;</code>
+     * @return \Google\Protobuf\Int64Value|null
+     */
+    public function getDataCrc32C()
+    {
+        return $this->data_crc32c;
+    }
+
+    public function hasDataCrc32C()
+    {
+        return isset($this->data_crc32c);
+    }
+
+    public function clearDataCrc32C()
+    {
+        unset($this->data_crc32c);
+    }
+
+    /**
+     * Returns the unboxed value from <code>getDataCrc32C()</code>
+
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [GenerateRandomBytesResponse.data][google.cloud.kms.v1.GenerateRandomBytesResponse.data].
+     * An integrity check of
+     * [GenerateRandomBytesResponse.data][google.cloud.kms.v1.GenerateRandomBytesResponse.data]
+     * can be performed by computing the CRC32C checksum of
+     * [GenerateRandomBytesResponse.data][google.cloud.kms.v1.GenerateRandomBytesResponse.data]
+     * and comparing your results to this field. Discard the response in case of
+     * non-matching checksum values, and perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: This field is defined as int64 for reasons of compatibility
+     * across different languages. However, it is a non-negative integer, which
+     * will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     * languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value data_crc32c = 3;</code>
+     * @return int|string|null
+     */
+    public function getDataCrc32CUnwrapped()
+    {
+        return $this->readWrapperValue("data_crc32c");
+    }
+
+    /**
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [GenerateRandomBytesResponse.data][google.cloud.kms.v1.GenerateRandomBytesResponse.data].
+     * An integrity check of
+     * [GenerateRandomBytesResponse.data][google.cloud.kms.v1.GenerateRandomBytesResponse.data]
+     * can be performed by computing the CRC32C checksum of
+     * [GenerateRandomBytesResponse.data][google.cloud.kms.v1.GenerateRandomBytesResponse.data]
+     * and comparing your results to this field. Discard the response in case of
+     * non-matching checksum values, and perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: This field is defined as int64 for reasons of compatibility
+     * across different languages. However, it is a non-negative integer, which
+     * will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     * languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value data_crc32c = 3;</code>
+     * @param \Google\Protobuf\Int64Value $var
+     * @return $this
+     */
+    public function setDataCrc32C($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Int64Value::class);
+        $this->data_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * Sets the field by wrapping a primitive type in a Google\Protobuf\Int64Value object.
+
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [GenerateRandomBytesResponse.data][google.cloud.kms.v1.GenerateRandomBytesResponse.data].
+     * An integrity check of
+     * [GenerateRandomBytesResponse.data][google.cloud.kms.v1.GenerateRandomBytesResponse.data]
+     * can be performed by computing the CRC32C checksum of
+     * [GenerateRandomBytesResponse.data][google.cloud.kms.v1.GenerateRandomBytesResponse.data]
+     * and comparing your results to this field. Discard the response in case of
+     * non-matching checksum values, and perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: This field is defined as int64 for reasons of compatibility
+     * across different languages. However, it is a non-negative integer, which
+     * will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     * languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value data_crc32c = 3;</code>
+     * @param int|string|null $var
+     * @return $this
+     */
+    public function setDataCrc32CUnwrapped($var)
+    {
+        $this->writeWrapperValue("data_crc32c", $var);
+        return $this;}
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GetAutokeyConfigRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GetAutokeyConfigRequest.php
new file mode 100644
index 000000000000..4bd2c559b37f
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GetAutokeyConfigRequest.php
@@ -0,0 +1,87 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/autokey_admin.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [GetAutokeyConfig][google.cloud.kms.v1.AutokeyAdmin.GetAutokeyConfig].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.GetAutokeyConfigRequest</code>
+ */
+class GetAutokeyConfigRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. Name of the [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig]
+     * resource, e.g. `folders/{FOLDER_NUMBER}/autokeyConfig`.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     */
+    protected $name = '';
+
+    /**
+     * @param string $name Required. Name of the [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig]
+     *                     resource, e.g. `folders/{FOLDER_NUMBER}/autokeyConfig`. Please see
+     *                     {@see AutokeyAdminClient::autokeyConfigName()} for help formatting this field.
+     *
+     * @return \Google\Cloud\Kms\V1\GetAutokeyConfigRequest
+     *
+     * @experimental
+     */
+    public static function build(string $name): self
+    {
+        return (new self())
+            ->setName($name);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $name
+     *           Required. Name of the [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig]
+     *           resource, e.g. `folders/{FOLDER_NUMBER}/autokeyConfig`.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\AutokeyAdmin::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. Name of the [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig]
+     * resource, e.g. `folders/{FOLDER_NUMBER}/autokeyConfig`.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * Required. Name of the [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig]
+     * resource, e.g. `folders/{FOLDER_NUMBER}/autokeyConfig`.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setName($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->name = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GetCryptoKeyRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GetCryptoKeyRequest.php
new file mode 100644
index 000000000000..a022fcb8a83f
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GetCryptoKeyRequest.php
@@ -0,0 +1,87 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [KeyManagementService.GetCryptoKey][google.cloud.kms.v1.KeyManagementService.GetCryptoKey].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.GetCryptoKeyRequest</code>
+ */
+class GetCryptoKeyRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] to get.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     */
+    protected $name = '';
+
+    /**
+     * @param string $name Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the
+     *                     [CryptoKey][google.cloud.kms.v1.CryptoKey] to get. Please see
+     *                     {@see KeyManagementServiceClient::cryptoKeyName()} for help formatting this field.
+     *
+     * @return \Google\Cloud\Kms\V1\GetCryptoKeyRequest
+     *
+     * @experimental
+     */
+    public static function build(string $name): self
+    {
+        return (new self())
+            ->setName($name);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $name
+     *           Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the
+     *           [CryptoKey][google.cloud.kms.v1.CryptoKey] to get.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] to get.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] to get.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setName($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->name = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GetCryptoKeyVersionRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GetCryptoKeyVersionRequest.php
new file mode 100644
index 000000000000..1a7b994be0d8
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GetCryptoKeyVersionRequest.php
@@ -0,0 +1,87 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [KeyManagementService.GetCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.GetCryptoKeyVersion].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.GetCryptoKeyVersionRequest</code>
+ */
+class GetCryptoKeyVersionRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to get.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     */
+    protected $name = '';
+
+    /**
+     * @param string $name Required. The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
+     *                     [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to get. Please see
+     *                     {@see KeyManagementServiceClient::cryptoKeyVersionName()} for help formatting this field.
+     *
+     * @return \Google\Cloud\Kms\V1\GetCryptoKeyVersionRequest
+     *
+     * @experimental
+     */
+    public static function build(string $name): self
+    {
+        return (new self())
+            ->setName($name);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $name
+     *           Required. The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to get.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to get.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * Required. The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to get.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setName($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->name = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GetEkmConfigRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GetEkmConfigRequest.php
new file mode 100644
index 000000000000..d51d9230caee
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GetEkmConfigRequest.php
@@ -0,0 +1,87 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/ekm_service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [EkmService.GetEkmConfig][google.cloud.kms.v1.EkmService.GetEkmConfig].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.GetEkmConfigRequest</code>
+ */
+class GetEkmConfigRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. The [name][google.cloud.kms.v1.EkmConfig.name] of the
+     * [EkmConfig][google.cloud.kms.v1.EkmConfig] to get.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     */
+    protected $name = '';
+
+    /**
+     * @param string $name Required. The [name][google.cloud.kms.v1.EkmConfig.name] of the
+     *                     [EkmConfig][google.cloud.kms.v1.EkmConfig] to get. Please see
+     *                     {@see EkmServiceClient::ekmConfigName()} for help formatting this field.
+     *
+     * @return \Google\Cloud\Kms\V1\GetEkmConfigRequest
+     *
+     * @experimental
+     */
+    public static function build(string $name): self
+    {
+        return (new self())
+            ->setName($name);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $name
+     *           Required. The [name][google.cloud.kms.v1.EkmConfig.name] of the
+     *           [EkmConfig][google.cloud.kms.v1.EkmConfig] to get.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\EkmService::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. The [name][google.cloud.kms.v1.EkmConfig.name] of the
+     * [EkmConfig][google.cloud.kms.v1.EkmConfig] to get.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * Required. The [name][google.cloud.kms.v1.EkmConfig.name] of the
+     * [EkmConfig][google.cloud.kms.v1.EkmConfig] to get.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setName($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->name = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GetEkmConnectionRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GetEkmConnectionRequest.php
new file mode 100644
index 000000000000..8a5e1c04323e
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GetEkmConnectionRequest.php
@@ -0,0 +1,87 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/ekm_service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [EkmService.GetEkmConnection][google.cloud.kms.v1.EkmService.GetEkmConnection].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.GetEkmConnectionRequest</code>
+ */
+class GetEkmConnectionRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. The [name][google.cloud.kms.v1.EkmConnection.name] of the
+     * [EkmConnection][google.cloud.kms.v1.EkmConnection] to get.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     */
+    protected $name = '';
+
+    /**
+     * @param string $name Required. The [name][google.cloud.kms.v1.EkmConnection.name] of the
+     *                     [EkmConnection][google.cloud.kms.v1.EkmConnection] to get. Please see
+     *                     {@see EkmServiceClient::ekmConnectionName()} for help formatting this field.
+     *
+     * @return \Google\Cloud\Kms\V1\GetEkmConnectionRequest
+     *
+     * @experimental
+     */
+    public static function build(string $name): self
+    {
+        return (new self())
+            ->setName($name);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $name
+     *           Required. The [name][google.cloud.kms.v1.EkmConnection.name] of the
+     *           [EkmConnection][google.cloud.kms.v1.EkmConnection] to get.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\EkmService::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. The [name][google.cloud.kms.v1.EkmConnection.name] of the
+     * [EkmConnection][google.cloud.kms.v1.EkmConnection] to get.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * Required. The [name][google.cloud.kms.v1.EkmConnection.name] of the
+     * [EkmConnection][google.cloud.kms.v1.EkmConnection] to get.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setName($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->name = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GetImportJobRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GetImportJobRequest.php
new file mode 100644
index 000000000000..a8f2614ffbbd
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GetImportJobRequest.php
@@ -0,0 +1,87 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [KeyManagementService.GetImportJob][google.cloud.kms.v1.KeyManagementService.GetImportJob].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.GetImportJobRequest</code>
+ */
+class GetImportJobRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. The [name][google.cloud.kms.v1.ImportJob.name] of the
+     * [ImportJob][google.cloud.kms.v1.ImportJob] to get.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     */
+    protected $name = '';
+
+    /**
+     * @param string $name Required. The [name][google.cloud.kms.v1.ImportJob.name] of the
+     *                     [ImportJob][google.cloud.kms.v1.ImportJob] to get. Please see
+     *                     {@see KeyManagementServiceClient::importJobName()} for help formatting this field.
+     *
+     * @return \Google\Cloud\Kms\V1\GetImportJobRequest
+     *
+     * @experimental
+     */
+    public static function build(string $name): self
+    {
+        return (new self())
+            ->setName($name);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $name
+     *           Required. The [name][google.cloud.kms.v1.ImportJob.name] of the
+     *           [ImportJob][google.cloud.kms.v1.ImportJob] to get.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. The [name][google.cloud.kms.v1.ImportJob.name] of the
+     * [ImportJob][google.cloud.kms.v1.ImportJob] to get.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * Required. The [name][google.cloud.kms.v1.ImportJob.name] of the
+     * [ImportJob][google.cloud.kms.v1.ImportJob] to get.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setName($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->name = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GetKeyHandleRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GetKeyHandleRequest.php
new file mode 100644
index 000000000000..5fb3261e6b56
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GetKeyHandleRequest.php
@@ -0,0 +1,91 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/autokey.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for [GetKeyHandle][google.cloud.kms.v1.Autokey.GetKeyHandle].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.GetKeyHandleRequest</code>
+ */
+class GetKeyHandleRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. Name of the [KeyHandle][google.cloud.kms.v1.KeyHandle] resource,
+     * e.g.
+     * `projects/{PROJECT_ID}/locations/{LOCATION}/keyHandles/{KEY_HANDLE_ID}`.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     */
+    protected $name = '';
+
+    /**
+     * @param string $name Required. Name of the [KeyHandle][google.cloud.kms.v1.KeyHandle] resource,
+     *                     e.g.
+     *                     `projects/{PROJECT_ID}/locations/{LOCATION}/keyHandles/{KEY_HANDLE_ID}`. Please see
+     *                     {@see AutokeyClient::keyHandleName()} for help formatting this field.
+     *
+     * @return \Google\Cloud\Kms\V1\GetKeyHandleRequest
+     *
+     * @experimental
+     */
+    public static function build(string $name): self
+    {
+        return (new self())
+            ->setName($name);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $name
+     *           Required. Name of the [KeyHandle][google.cloud.kms.v1.KeyHandle] resource,
+     *           e.g.
+     *           `projects/{PROJECT_ID}/locations/{LOCATION}/keyHandles/{KEY_HANDLE_ID}`.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Autokey::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. Name of the [KeyHandle][google.cloud.kms.v1.KeyHandle] resource,
+     * e.g.
+     * `projects/{PROJECT_ID}/locations/{LOCATION}/keyHandles/{KEY_HANDLE_ID}`.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * Required. Name of the [KeyHandle][google.cloud.kms.v1.KeyHandle] resource,
+     * e.g.
+     * `projects/{PROJECT_ID}/locations/{LOCATION}/keyHandles/{KEY_HANDLE_ID}`.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setName($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->name = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GetKeyRingRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GetKeyRingRequest.php
new file mode 100644
index 000000000000..a34ae4a11196
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GetKeyRingRequest.php
@@ -0,0 +1,87 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [KeyManagementService.GetKeyRing][google.cloud.kms.v1.KeyManagementService.GetKeyRing].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.GetKeyRingRequest</code>
+ */
+class GetKeyRingRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. The [name][google.cloud.kms.v1.KeyRing.name] of the
+     * [KeyRing][google.cloud.kms.v1.KeyRing] to get.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     */
+    protected $name = '';
+
+    /**
+     * @param string $name Required. The [name][google.cloud.kms.v1.KeyRing.name] of the
+     *                     [KeyRing][google.cloud.kms.v1.KeyRing] to get. Please see
+     *                     {@see KeyManagementServiceClient::keyRingName()} for help formatting this field.
+     *
+     * @return \Google\Cloud\Kms\V1\GetKeyRingRequest
+     *
+     * @experimental
+     */
+    public static function build(string $name): self
+    {
+        return (new self())
+            ->setName($name);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $name
+     *           Required. The [name][google.cloud.kms.v1.KeyRing.name] of the
+     *           [KeyRing][google.cloud.kms.v1.KeyRing] to get.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. The [name][google.cloud.kms.v1.KeyRing.name] of the
+     * [KeyRing][google.cloud.kms.v1.KeyRing] to get.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * Required. The [name][google.cloud.kms.v1.KeyRing.name] of the
+     * [KeyRing][google.cloud.kms.v1.KeyRing] to get.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setName($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->name = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GetPublicKeyRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GetPublicKeyRequest.php
new file mode 100644
index 000000000000..508c3434e2b9
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/GetPublicKeyRequest.php
@@ -0,0 +1,87 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [KeyManagementService.GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.GetPublicKeyRequest</code>
+ */
+class GetPublicKeyRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key to get.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     */
+    protected $name = '';
+
+    /**
+     * @param string $name Required. The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
+     *                     [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key to get. Please see
+     *                     {@see KeyManagementServiceClient::cryptoKeyVersionName()} for help formatting this field.
+     *
+     * @return \Google\Cloud\Kms\V1\GetPublicKeyRequest
+     *
+     * @experimental
+     */
+    public static function build(string $name): self
+    {
+        return (new self())
+            ->setName($name);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $name
+     *           Required. The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key to get.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key to get.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * Required. The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key to get.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setName($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->name = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ImportCryptoKeyVersionRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ImportCryptoKeyVersionRequest.php
new file mode 100644
index 000000000000..9018eb71ff7e
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ImportCryptoKeyVersionRequest.php
@@ -0,0 +1,491 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [KeyManagementService.ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.ImportCryptoKeyVersionRequest</code>
+ */
+class ImportCryptoKeyVersionRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] to be imported into.
+     * The create permission is only required on this key when creating a new
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     */
+    protected $parent = '';
+    /**
+     * Optional. The optional [name][google.cloud.kms.v1.CryptoKeyVersion.name] of
+     * an existing [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to
+     * target for an import operation. If this field is not present, a new
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] containing the
+     * supplied key material is created.
+     * If this field is present, the supplied key material is imported into
+     * the existing [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. To
+     * import into an existing
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] must be a child of
+     * [ImportCryptoKeyVersionRequest.parent][google.cloud.kms.v1.ImportCryptoKeyVersionRequest.parent],
+     * have been previously created via [ImportCryptoKeyVersion][], and be in
+     * [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED]
+     * or
+     * [IMPORT_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.IMPORT_FAILED]
+     * state. The key material and algorithm must match the previous
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] exactly if the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] has ever contained
+     * key material.
+     *
+     * Generated from protobuf field <code>string crypto_key_version = 6 [(.google.api.field_behavior) = OPTIONAL, (.google.api.resource_reference) = {</code>
+     */
+    protected $crypto_key_version = '';
+    /**
+     * Required. The
+     * [algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
+     * of the key being imported. This does not need to match the
+     * [version_template][google.cloud.kms.v1.CryptoKey.version_template] of the
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] this version imports into.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    protected $algorithm = 0;
+    /**
+     * Required. The [name][google.cloud.kms.v1.ImportJob.name] of the
+     * [ImportJob][google.cloud.kms.v1.ImportJob] that was used to wrap this key
+     * material.
+     *
+     * Generated from protobuf field <code>string import_job = 4 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    protected $import_job = '';
+    /**
+     * Optional. The wrapped key material to import.
+     * Before wrapping, key material must be formatted. If importing symmetric key
+     * material, the expected key material format is plain bytes. If importing
+     * asymmetric key material, the expected key material format is PKCS#8-encoded
+     * DER (the PrivateKeyInfo structure from RFC 5208).
+     * When wrapping with import methods
+     * ([RSA_OAEP_3072_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256]
+     * or
+     * [RSA_OAEP_4096_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA1_AES_256]
+     * or
+     * [RSA_OAEP_3072_SHA256_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA256_AES_256]
+     * or
+     * [RSA_OAEP_4096_SHA256_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA256_AES_256]),
+     * this field must contain the concatenation of:
+     * <ol>
+     *   <li>An ephemeral AES-256 wrapping key wrapped with the
+     *       [public_key][google.cloud.kms.v1.ImportJob.public_key] using
+     *       RSAES-OAEP with SHA-1/SHA-256, MGF1 with SHA-1/SHA-256, and an empty
+     *       label.
+     *   </li>
+     *   <li>The formatted key to be imported, wrapped with the ephemeral AES-256
+     *       key using AES-KWP (RFC 5649).
+     *   </li>
+     * </ol>
+     * This format is the same as the format produced by PKCS#11 mechanism
+     * CKM_RSA_AES_KEY_WRAP.
+     * When wrapping with import methods
+     * ([RSA_OAEP_3072_SHA256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA256]
+     * or
+     * [RSA_OAEP_4096_SHA256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA256]),
+     * this field must contain the formatted key to be imported, wrapped with the
+     * [public_key][google.cloud.kms.v1.ImportJob.public_key] using RSAES-OAEP
+     * with SHA-256, MGF1 with SHA-256, and an empty label.
+     *
+     * Generated from protobuf field <code>bytes wrapped_key = 8 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $wrapped_key = '';
+    protected $wrapped_key_material;
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $parent
+     *           Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the
+     *           [CryptoKey][google.cloud.kms.v1.CryptoKey] to be imported into.
+     *           The create permission is only required on this key when creating a new
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
+     *     @type string $crypto_key_version
+     *           Optional. The optional [name][google.cloud.kms.v1.CryptoKeyVersion.name] of
+     *           an existing [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to
+     *           target for an import operation. If this field is not present, a new
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] containing the
+     *           supplied key material is created.
+     *           If this field is present, the supplied key material is imported into
+     *           the existing [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. To
+     *           import into an existing
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], the
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] must be a child of
+     *           [ImportCryptoKeyVersionRequest.parent][google.cloud.kms.v1.ImportCryptoKeyVersionRequest.parent],
+     *           have been previously created via [ImportCryptoKeyVersion][], and be in
+     *           [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED]
+     *           or
+     *           [IMPORT_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.IMPORT_FAILED]
+     *           state. The key material and algorithm must match the previous
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] exactly if the
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] has ever contained
+     *           key material.
+     *     @type int $algorithm
+     *           Required. The
+     *           [algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
+     *           of the key being imported. This does not need to match the
+     *           [version_template][google.cloud.kms.v1.CryptoKey.version_template] of the
+     *           [CryptoKey][google.cloud.kms.v1.CryptoKey] this version imports into.
+     *     @type string $import_job
+     *           Required. The [name][google.cloud.kms.v1.ImportJob.name] of the
+     *           [ImportJob][google.cloud.kms.v1.ImportJob] that was used to wrap this key
+     *           material.
+     *     @type string $wrapped_key
+     *           Optional. The wrapped key material to import.
+     *           Before wrapping, key material must be formatted. If importing symmetric key
+     *           material, the expected key material format is plain bytes. If importing
+     *           asymmetric key material, the expected key material format is PKCS#8-encoded
+     *           DER (the PrivateKeyInfo structure from RFC 5208).
+     *           When wrapping with import methods
+     *           ([RSA_OAEP_3072_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256]
+     *           or
+     *           [RSA_OAEP_4096_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA1_AES_256]
+     *           or
+     *           [RSA_OAEP_3072_SHA256_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA256_AES_256]
+     *           or
+     *           [RSA_OAEP_4096_SHA256_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA256_AES_256]),
+     *           this field must contain the concatenation of:
+     *           <ol>
+     *             <li>An ephemeral AES-256 wrapping key wrapped with the
+     *                 [public_key][google.cloud.kms.v1.ImportJob.public_key] using
+     *                 RSAES-OAEP with SHA-1/SHA-256, MGF1 with SHA-1/SHA-256, and an empty
+     *                 label.
+     *             </li>
+     *             <li>The formatted key to be imported, wrapped with the ephemeral AES-256
+     *                 key using AES-KWP (RFC 5649).
+     *             </li>
+     *           </ol>
+     *           This format is the same as the format produced by PKCS#11 mechanism
+     *           CKM_RSA_AES_KEY_WRAP.
+     *           When wrapping with import methods
+     *           ([RSA_OAEP_3072_SHA256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA256]
+     *           or
+     *           [RSA_OAEP_4096_SHA256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA256]),
+     *           this field must contain the formatted key to be imported, wrapped with the
+     *           [public_key][google.cloud.kms.v1.ImportJob.public_key] using RSAES-OAEP
+     *           with SHA-256, MGF1 with SHA-256, and an empty label.
+     *     @type string $rsa_aes_wrapped_key
+     *           Optional. This field has the same meaning as
+     *           [wrapped_key][google.cloud.kms.v1.ImportCryptoKeyVersionRequest.wrapped_key].
+     *           Prefer to use that field in new work. Either that field or this field
+     *           (but not both) must be specified.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] to be imported into.
+     * The create permission is only required on this key when creating a new
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @return string
+     */
+    public function getParent()
+    {
+        return $this->parent;
+    }
+
+    /**
+     * Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] to be imported into.
+     * The create permission is only required on this key when creating a new
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setParent($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->parent = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. The optional [name][google.cloud.kms.v1.CryptoKeyVersion.name] of
+     * an existing [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to
+     * target for an import operation. If this field is not present, a new
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] containing the
+     * supplied key material is created.
+     * If this field is present, the supplied key material is imported into
+     * the existing [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. To
+     * import into an existing
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] must be a child of
+     * [ImportCryptoKeyVersionRequest.parent][google.cloud.kms.v1.ImportCryptoKeyVersionRequest.parent],
+     * have been previously created via [ImportCryptoKeyVersion][], and be in
+     * [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED]
+     * or
+     * [IMPORT_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.IMPORT_FAILED]
+     * state. The key material and algorithm must match the previous
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] exactly if the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] has ever contained
+     * key material.
+     *
+     * Generated from protobuf field <code>string crypto_key_version = 6 [(.google.api.field_behavior) = OPTIONAL, (.google.api.resource_reference) = {</code>
+     * @return string
+     */
+    public function getCryptoKeyVersion()
+    {
+        return $this->crypto_key_version;
+    }
+
+    /**
+     * Optional. The optional [name][google.cloud.kms.v1.CryptoKeyVersion.name] of
+     * an existing [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to
+     * target for an import operation. If this field is not present, a new
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] containing the
+     * supplied key material is created.
+     * If this field is present, the supplied key material is imported into
+     * the existing [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. To
+     * import into an existing
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] must be a child of
+     * [ImportCryptoKeyVersionRequest.parent][google.cloud.kms.v1.ImportCryptoKeyVersionRequest.parent],
+     * have been previously created via [ImportCryptoKeyVersion][], and be in
+     * [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED]
+     * or
+     * [IMPORT_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.IMPORT_FAILED]
+     * state. The key material and algorithm must match the previous
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] exactly if the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] has ever contained
+     * key material.
+     *
+     * Generated from protobuf field <code>string crypto_key_version = 6 [(.google.api.field_behavior) = OPTIONAL, (.google.api.resource_reference) = {</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setCryptoKeyVersion($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->crypto_key_version = $var;
+
+        return $this;
+    }
+
+    /**
+     * Required. The
+     * [algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
+     * of the key being imported. This does not need to match the
+     * [version_template][google.cloud.kms.v1.CryptoKey.version_template] of the
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] this version imports into.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return int
+     */
+    public function getAlgorithm()
+    {
+        return $this->algorithm;
+    }
+
+    /**
+     * Required. The
+     * [algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
+     * of the key being imported. This does not need to match the
+     * [version_template][google.cloud.kms.v1.CryptoKey.version_template] of the
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] this version imports into.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setAlgorithm($var)
+    {
+        GPBUtil::checkEnum($var, \Google\Cloud\Kms\V1\CryptoKeyVersion\CryptoKeyVersionAlgorithm::class);
+        $this->algorithm = $var;
+
+        return $this;
+    }
+
+    /**
+     * Required. The [name][google.cloud.kms.v1.ImportJob.name] of the
+     * [ImportJob][google.cloud.kms.v1.ImportJob] that was used to wrap this key
+     * material.
+     *
+     * Generated from protobuf field <code>string import_job = 4 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return string
+     */
+    public function getImportJob()
+    {
+        return $this->import_job;
+    }
+
+    /**
+     * Required. The [name][google.cloud.kms.v1.ImportJob.name] of the
+     * [ImportJob][google.cloud.kms.v1.ImportJob] that was used to wrap this key
+     * material.
+     *
+     * Generated from protobuf field <code>string import_job = 4 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setImportJob($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->import_job = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. The wrapped key material to import.
+     * Before wrapping, key material must be formatted. If importing symmetric key
+     * material, the expected key material format is plain bytes. If importing
+     * asymmetric key material, the expected key material format is PKCS#8-encoded
+     * DER (the PrivateKeyInfo structure from RFC 5208).
+     * When wrapping with import methods
+     * ([RSA_OAEP_3072_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256]
+     * or
+     * [RSA_OAEP_4096_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA1_AES_256]
+     * or
+     * [RSA_OAEP_3072_SHA256_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA256_AES_256]
+     * or
+     * [RSA_OAEP_4096_SHA256_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA256_AES_256]),
+     * this field must contain the concatenation of:
+     * <ol>
+     *   <li>An ephemeral AES-256 wrapping key wrapped with the
+     *       [public_key][google.cloud.kms.v1.ImportJob.public_key] using
+     *       RSAES-OAEP with SHA-1/SHA-256, MGF1 with SHA-1/SHA-256, and an empty
+     *       label.
+     *   </li>
+     *   <li>The formatted key to be imported, wrapped with the ephemeral AES-256
+     *       key using AES-KWP (RFC 5649).
+     *   </li>
+     * </ol>
+     * This format is the same as the format produced by PKCS#11 mechanism
+     * CKM_RSA_AES_KEY_WRAP.
+     * When wrapping with import methods
+     * ([RSA_OAEP_3072_SHA256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA256]
+     * or
+     * [RSA_OAEP_4096_SHA256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA256]),
+     * this field must contain the formatted key to be imported, wrapped with the
+     * [public_key][google.cloud.kms.v1.ImportJob.public_key] using RSAES-OAEP
+     * with SHA-256, MGF1 with SHA-256, and an empty label.
+     *
+     * Generated from protobuf field <code>bytes wrapped_key = 8 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return string
+     */
+    public function getWrappedKey()
+    {
+        return $this->wrapped_key;
+    }
+
+    /**
+     * Optional. The wrapped key material to import.
+     * Before wrapping, key material must be formatted. If importing symmetric key
+     * material, the expected key material format is plain bytes. If importing
+     * asymmetric key material, the expected key material format is PKCS#8-encoded
+     * DER (the PrivateKeyInfo structure from RFC 5208).
+     * When wrapping with import methods
+     * ([RSA_OAEP_3072_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256]
+     * or
+     * [RSA_OAEP_4096_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA1_AES_256]
+     * or
+     * [RSA_OAEP_3072_SHA256_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA256_AES_256]
+     * or
+     * [RSA_OAEP_4096_SHA256_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA256_AES_256]),
+     * this field must contain the concatenation of:
+     * <ol>
+     *   <li>An ephemeral AES-256 wrapping key wrapped with the
+     *       [public_key][google.cloud.kms.v1.ImportJob.public_key] using
+     *       RSAES-OAEP with SHA-1/SHA-256, MGF1 with SHA-1/SHA-256, and an empty
+     *       label.
+     *   </li>
+     *   <li>The formatted key to be imported, wrapped with the ephemeral AES-256
+     *       key using AES-KWP (RFC 5649).
+     *   </li>
+     * </ol>
+     * This format is the same as the format produced by PKCS#11 mechanism
+     * CKM_RSA_AES_KEY_WRAP.
+     * When wrapping with import methods
+     * ([RSA_OAEP_3072_SHA256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA256]
+     * or
+     * [RSA_OAEP_4096_SHA256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA256]),
+     * this field must contain the formatted key to be imported, wrapped with the
+     * [public_key][google.cloud.kms.v1.ImportJob.public_key] using RSAES-OAEP
+     * with SHA-256, MGF1 with SHA-256, and an empty label.
+     *
+     * Generated from protobuf field <code>bytes wrapped_key = 8 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setWrappedKey($var)
+    {
+        GPBUtil::checkString($var, False);
+        $this->wrapped_key = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. This field has the same meaning as
+     * [wrapped_key][google.cloud.kms.v1.ImportCryptoKeyVersionRequest.wrapped_key].
+     * Prefer to use that field in new work. Either that field or this field
+     * (but not both) must be specified.
+     *
+     * Generated from protobuf field <code>bytes rsa_aes_wrapped_key = 5 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return string
+     */
+    public function getRsaAesWrappedKey()
+    {
+        return $this->readOneof(5);
+    }
+
+    public function hasRsaAesWrappedKey()
+    {
+        return $this->hasOneof(5);
+    }
+
+    /**
+     * Optional. This field has the same meaning as
+     * [wrapped_key][google.cloud.kms.v1.ImportCryptoKeyVersionRequest.wrapped_key].
+     * Prefer to use that field in new work. Either that field or this field
+     * (but not both) must be specified.
+     *
+     * Generated from protobuf field <code>bytes rsa_aes_wrapped_key = 5 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setRsaAesWrappedKey($var)
+    {
+        GPBUtil::checkString($var, False);
+        $this->writeOneof(5, $var);
+
+        return $this;
+    }
+
+    /**
+     * @return string
+     */
+    public function getWrappedKeyMaterial()
+    {
+        return $this->whichOneof("wrapped_key_material");
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ImportJob.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ImportJob.php
new file mode 100644
index 000000000000..6eae364be08c
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ImportJob.php
@@ -0,0 +1,549 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/resources.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * An [ImportJob][google.cloud.kms.v1.ImportJob] can be used to create
+ * [CryptoKeys][google.cloud.kms.v1.CryptoKey] and
+ * [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] using pre-existing
+ * key material, generated outside of Cloud KMS.
+ * When an [ImportJob][google.cloud.kms.v1.ImportJob] is created, Cloud KMS will
+ * generate a "wrapping key", which is a public/private key pair. You use the
+ * wrapping key to encrypt (also known as wrap) the pre-existing key material to
+ * protect it during the import process. The nature of the wrapping key depends
+ * on the choice of
+ * [import_method][google.cloud.kms.v1.ImportJob.import_method]. When the
+ * wrapping key generation is complete, the
+ * [state][google.cloud.kms.v1.ImportJob.state] will be set to
+ * [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE] and the
+ * [public_key][google.cloud.kms.v1.ImportJob.public_key] can be fetched. The
+ * fetched public key can then be used to wrap your pre-existing key material.
+ * Once the key material is wrapped, it can be imported into a new
+ * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in an existing
+ * [CryptoKey][google.cloud.kms.v1.CryptoKey] by calling
+ * [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].
+ * Multiple [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] can be
+ * imported with a single [ImportJob][google.cloud.kms.v1.ImportJob]. Cloud KMS
+ * uses the private key portion of the wrapping key to unwrap the key material.
+ * Only Cloud KMS has access to the private key.
+ * An [ImportJob][google.cloud.kms.v1.ImportJob] expires 3 days after it is
+ * created. Once expired, Cloud KMS will no longer be able to import or unwrap
+ * any key material that was wrapped with the
+ * [ImportJob][google.cloud.kms.v1.ImportJob]'s public key.
+ * For more information, see
+ * [Importing a key](https://cloud.google.com/kms/docs/importing-a-key).
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.ImportJob</code>
+ */
+class ImportJob extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Output only. The resource name for this
+     * [ImportJob][google.cloud.kms.v1.ImportJob] in the format
+     * `projects/&#42;&#47;locations/&#42;&#47;keyRings/&#42;&#47;importJobs/&#42;`.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $name = '';
+    /**
+     * Required. Immutable. The wrapping method to be used for incoming key
+     * material.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ImportJob.ImportMethod import_method = 2 [(.google.api.field_behavior) = REQUIRED, (.google.api.field_behavior) = IMMUTABLE];</code>
+     */
+    protected $import_method = 0;
+    /**
+     * Required. Immutable. The protection level of the
+     * [ImportJob][google.cloud.kms.v1.ImportJob]. This must match the
+     * [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]
+     * of the [version_template][google.cloud.kms.v1.CryptoKey.version_template]
+     * on the [CryptoKey][google.cloud.kms.v1.CryptoKey] you attempt to import
+     * into.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 9 [(.google.api.field_behavior) = REQUIRED, (.google.api.field_behavior) = IMMUTABLE];</code>
+     */
+    protected $protection_level = 0;
+    /**
+     * Output only. The time at which this
+     * [ImportJob][google.cloud.kms.v1.ImportJob] was created.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp create_time = 3 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $create_time = null;
+    /**
+     * Output only. The time this [ImportJob][google.cloud.kms.v1.ImportJob]'s key
+     * material was generated.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp generate_time = 4 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $generate_time = null;
+    /**
+     * Output only. The time at which this
+     * [ImportJob][google.cloud.kms.v1.ImportJob] is scheduled for expiration and
+     * can no longer be used to import key material.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp expire_time = 5 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $expire_time = null;
+    /**
+     * Output only. The time this [ImportJob][google.cloud.kms.v1.ImportJob]
+     * expired. Only present if [state][google.cloud.kms.v1.ImportJob.state] is
+     * [EXPIRED][google.cloud.kms.v1.ImportJob.ImportJobState.EXPIRED].
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp expire_event_time = 10 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $expire_event_time = null;
+    /**
+     * Output only. The current state of the
+     * [ImportJob][google.cloud.kms.v1.ImportJob], indicating if it can be used.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ImportJob.ImportJobState state = 6 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $state = 0;
+    /**
+     * Output only. The public key with which to wrap key material prior to
+     * import. Only returned if [state][google.cloud.kms.v1.ImportJob.state] is
+     * [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE].
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ImportJob.WrappingPublicKey public_key = 7 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $public_key = null;
+    /**
+     * Output only. Statement that was generated and signed by the key creator
+     * (for example, an HSM) at key creation time. Use this statement to verify
+     * attributes of the key as stored on the HSM, independently of Google.
+     * Only present if the chosen
+     * [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod] is one with a
+     * protection level of [HSM][google.cloud.kms.v1.ProtectionLevel.HSM].
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.KeyOperationAttestation attestation = 8 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $attestation = null;
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $name
+     *           Output only. The resource name for this
+     *           [ImportJob][google.cloud.kms.v1.ImportJob] in the format
+     *           `projects/&#42;&#47;locations/&#42;&#47;keyRings/&#42;&#47;importJobs/&#42;`.
+     *     @type int $import_method
+     *           Required. Immutable. The wrapping method to be used for incoming key
+     *           material.
+     *     @type int $protection_level
+     *           Required. Immutable. The protection level of the
+     *           [ImportJob][google.cloud.kms.v1.ImportJob]. This must match the
+     *           [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]
+     *           of the [version_template][google.cloud.kms.v1.CryptoKey.version_template]
+     *           on the [CryptoKey][google.cloud.kms.v1.CryptoKey] you attempt to import
+     *           into.
+     *     @type \Google\Protobuf\Timestamp $create_time
+     *           Output only. The time at which this
+     *           [ImportJob][google.cloud.kms.v1.ImportJob] was created.
+     *     @type \Google\Protobuf\Timestamp $generate_time
+     *           Output only. The time this [ImportJob][google.cloud.kms.v1.ImportJob]'s key
+     *           material was generated.
+     *     @type \Google\Protobuf\Timestamp $expire_time
+     *           Output only. The time at which this
+     *           [ImportJob][google.cloud.kms.v1.ImportJob] is scheduled for expiration and
+     *           can no longer be used to import key material.
+     *     @type \Google\Protobuf\Timestamp $expire_event_time
+     *           Output only. The time this [ImportJob][google.cloud.kms.v1.ImportJob]
+     *           expired. Only present if [state][google.cloud.kms.v1.ImportJob.state] is
+     *           [EXPIRED][google.cloud.kms.v1.ImportJob.ImportJobState.EXPIRED].
+     *     @type int $state
+     *           Output only. The current state of the
+     *           [ImportJob][google.cloud.kms.v1.ImportJob], indicating if it can be used.
+     *     @type \Google\Cloud\Kms\V1\ImportJob\WrappingPublicKey $public_key
+     *           Output only. The public key with which to wrap key material prior to
+     *           import. Only returned if [state][google.cloud.kms.v1.ImportJob.state] is
+     *           [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE].
+     *     @type \Google\Cloud\Kms\V1\KeyOperationAttestation $attestation
+     *           Output only. Statement that was generated and signed by the key creator
+     *           (for example, an HSM) at key creation time. Use this statement to verify
+     *           attributes of the key as stored on the HSM, independently of Google.
+     *           Only present if the chosen
+     *           [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod] is one with a
+     *           protection level of [HSM][google.cloud.kms.v1.ProtectionLevel.HSM].
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Resources::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Output only. The resource name for this
+     * [ImportJob][google.cloud.kms.v1.ImportJob] in the format
+     * `projects/&#42;&#47;locations/&#42;&#47;keyRings/&#42;&#47;importJobs/&#42;`.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * Output only. The resource name for this
+     * [ImportJob][google.cloud.kms.v1.ImportJob] in the format
+     * `projects/&#42;&#47;locations/&#42;&#47;keyRings/&#42;&#47;importJobs/&#42;`.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setName($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->name = $var;
+
+        return $this;
+    }
+
+    /**
+     * Required. Immutable. The wrapping method to be used for incoming key
+     * material.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ImportJob.ImportMethod import_method = 2 [(.google.api.field_behavior) = REQUIRED, (.google.api.field_behavior) = IMMUTABLE];</code>
+     * @return int
+     */
+    public function getImportMethod()
+    {
+        return $this->import_method;
+    }
+
+    /**
+     * Required. Immutable. The wrapping method to be used for incoming key
+     * material.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ImportJob.ImportMethod import_method = 2 [(.google.api.field_behavior) = REQUIRED, (.google.api.field_behavior) = IMMUTABLE];</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setImportMethod($var)
+    {
+        GPBUtil::checkEnum($var, \Google\Cloud\Kms\V1\ImportJob\ImportMethod::class);
+        $this->import_method = $var;
+
+        return $this;
+    }
+
+    /**
+     * Required. Immutable. The protection level of the
+     * [ImportJob][google.cloud.kms.v1.ImportJob]. This must match the
+     * [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]
+     * of the [version_template][google.cloud.kms.v1.CryptoKey.version_template]
+     * on the [CryptoKey][google.cloud.kms.v1.CryptoKey] you attempt to import
+     * into.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 9 [(.google.api.field_behavior) = REQUIRED, (.google.api.field_behavior) = IMMUTABLE];</code>
+     * @return int
+     */
+    public function getProtectionLevel()
+    {
+        return $this->protection_level;
+    }
+
+    /**
+     * Required. Immutable. The protection level of the
+     * [ImportJob][google.cloud.kms.v1.ImportJob]. This must match the
+     * [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]
+     * of the [version_template][google.cloud.kms.v1.CryptoKey.version_template]
+     * on the [CryptoKey][google.cloud.kms.v1.CryptoKey] you attempt to import
+     * into.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 9 [(.google.api.field_behavior) = REQUIRED, (.google.api.field_behavior) = IMMUTABLE];</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setProtectionLevel($var)
+    {
+        GPBUtil::checkEnum($var, \Google\Cloud\Kms\V1\ProtectionLevel::class);
+        $this->protection_level = $var;
+
+        return $this;
+    }
+
+    /**
+     * Output only. The time at which this
+     * [ImportJob][google.cloud.kms.v1.ImportJob] was created.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp create_time = 3 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return \Google\Protobuf\Timestamp|null
+     */
+    public function getCreateTime()
+    {
+        return $this->create_time;
+    }
+
+    public function hasCreateTime()
+    {
+        return isset($this->create_time);
+    }
+
+    public function clearCreateTime()
+    {
+        unset($this->create_time);
+    }
+
+    /**
+     * Output only. The time at which this
+     * [ImportJob][google.cloud.kms.v1.ImportJob] was created.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp create_time = 3 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param \Google\Protobuf\Timestamp $var
+     * @return $this
+     */
+    public function setCreateTime($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Timestamp::class);
+        $this->create_time = $var;
+
+        return $this;
+    }
+
+    /**
+     * Output only. The time this [ImportJob][google.cloud.kms.v1.ImportJob]'s key
+     * material was generated.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp generate_time = 4 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return \Google\Protobuf\Timestamp|null
+     */
+    public function getGenerateTime()
+    {
+        return $this->generate_time;
+    }
+
+    public function hasGenerateTime()
+    {
+        return isset($this->generate_time);
+    }
+
+    public function clearGenerateTime()
+    {
+        unset($this->generate_time);
+    }
+
+    /**
+     * Output only. The time this [ImportJob][google.cloud.kms.v1.ImportJob]'s key
+     * material was generated.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp generate_time = 4 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param \Google\Protobuf\Timestamp $var
+     * @return $this
+     */
+    public function setGenerateTime($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Timestamp::class);
+        $this->generate_time = $var;
+
+        return $this;
+    }
+
+    /**
+     * Output only. The time at which this
+     * [ImportJob][google.cloud.kms.v1.ImportJob] is scheduled for expiration and
+     * can no longer be used to import key material.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp expire_time = 5 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return \Google\Protobuf\Timestamp|null
+     */
+    public function getExpireTime()
+    {
+        return $this->expire_time;
+    }
+
+    public function hasExpireTime()
+    {
+        return isset($this->expire_time);
+    }
+
+    public function clearExpireTime()
+    {
+        unset($this->expire_time);
+    }
+
+    /**
+     * Output only. The time at which this
+     * [ImportJob][google.cloud.kms.v1.ImportJob] is scheduled for expiration and
+     * can no longer be used to import key material.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp expire_time = 5 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param \Google\Protobuf\Timestamp $var
+     * @return $this
+     */
+    public function setExpireTime($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Timestamp::class);
+        $this->expire_time = $var;
+
+        return $this;
+    }
+
+    /**
+     * Output only. The time this [ImportJob][google.cloud.kms.v1.ImportJob]
+     * expired. Only present if [state][google.cloud.kms.v1.ImportJob.state] is
+     * [EXPIRED][google.cloud.kms.v1.ImportJob.ImportJobState.EXPIRED].
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp expire_event_time = 10 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return \Google\Protobuf\Timestamp|null
+     */
+    public function getExpireEventTime()
+    {
+        return $this->expire_event_time;
+    }
+
+    public function hasExpireEventTime()
+    {
+        return isset($this->expire_event_time);
+    }
+
+    public function clearExpireEventTime()
+    {
+        unset($this->expire_event_time);
+    }
+
+    /**
+     * Output only. The time this [ImportJob][google.cloud.kms.v1.ImportJob]
+     * expired. Only present if [state][google.cloud.kms.v1.ImportJob.state] is
+     * [EXPIRED][google.cloud.kms.v1.ImportJob.ImportJobState.EXPIRED].
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp expire_event_time = 10 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param \Google\Protobuf\Timestamp $var
+     * @return $this
+     */
+    public function setExpireEventTime($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Timestamp::class);
+        $this->expire_event_time = $var;
+
+        return $this;
+    }
+
+    /**
+     * Output only. The current state of the
+     * [ImportJob][google.cloud.kms.v1.ImportJob], indicating if it can be used.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ImportJob.ImportJobState state = 6 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return int
+     */
+    public function getState()
+    {
+        return $this->state;
+    }
+
+    /**
+     * Output only. The current state of the
+     * [ImportJob][google.cloud.kms.v1.ImportJob], indicating if it can be used.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ImportJob.ImportJobState state = 6 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setState($var)
+    {
+        GPBUtil::checkEnum($var, \Google\Cloud\Kms\V1\ImportJob\ImportJobState::class);
+        $this->state = $var;
+
+        return $this;
+    }
+
+    /**
+     * Output only. The public key with which to wrap key material prior to
+     * import. Only returned if [state][google.cloud.kms.v1.ImportJob.state] is
+     * [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE].
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ImportJob.WrappingPublicKey public_key = 7 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return \Google\Cloud\Kms\V1\ImportJob\WrappingPublicKey|null
+     */
+    public function getPublicKey()
+    {
+        return $this->public_key;
+    }
+
+    public function hasPublicKey()
+    {
+        return isset($this->public_key);
+    }
+
+    public function clearPublicKey()
+    {
+        unset($this->public_key);
+    }
+
+    /**
+     * Output only. The public key with which to wrap key material prior to
+     * import. Only returned if [state][google.cloud.kms.v1.ImportJob.state] is
+     * [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE].
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ImportJob.WrappingPublicKey public_key = 7 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param \Google\Cloud\Kms\V1\ImportJob\WrappingPublicKey $var
+     * @return $this
+     */
+    public function setPublicKey($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Cloud\Kms\V1\ImportJob\WrappingPublicKey::class);
+        $this->public_key = $var;
+
+        return $this;
+    }
+
+    /**
+     * Output only. Statement that was generated and signed by the key creator
+     * (for example, an HSM) at key creation time. Use this statement to verify
+     * attributes of the key as stored on the HSM, independently of Google.
+     * Only present if the chosen
+     * [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod] is one with a
+     * protection level of [HSM][google.cloud.kms.v1.ProtectionLevel.HSM].
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.KeyOperationAttestation attestation = 8 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return \Google\Cloud\Kms\V1\KeyOperationAttestation|null
+     */
+    public function getAttestation()
+    {
+        return $this->attestation;
+    }
+
+    public function hasAttestation()
+    {
+        return isset($this->attestation);
+    }
+
+    public function clearAttestation()
+    {
+        unset($this->attestation);
+    }
+
+    /**
+     * Output only. Statement that was generated and signed by the key creator
+     * (for example, an HSM) at key creation time. Use this statement to verify
+     * attributes of the key as stored on the HSM, independently of Google.
+     * Only present if the chosen
+     * [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod] is one with a
+     * protection level of [HSM][google.cloud.kms.v1.ProtectionLevel.HSM].
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.KeyOperationAttestation attestation = 8 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param \Google\Cloud\Kms\V1\KeyOperationAttestation $var
+     * @return $this
+     */
+    public function setAttestation($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Cloud\Kms\V1\KeyOperationAttestation::class);
+        $this->attestation = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ImportJob/ImportJobState.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ImportJob/ImportJobState.php
new file mode 100644
index 000000000000..b6e7a3e918ae
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ImportJob/ImportJobState.php
@@ -0,0 +1,79 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/resources.proto
+
+namespace Google\Cloud\Kms\V1\ImportJob;
+
+use UnexpectedValueException;
+
+/**
+ * The state of the [ImportJob][google.cloud.kms.v1.ImportJob], indicating if
+ * it can be used.
+ *
+ * Protobuf type <code>google.cloud.kms.v1.ImportJob.ImportJobState</code>
+ */
+class ImportJobState
+{
+    /**
+     * Not specified.
+     *
+     * Generated from protobuf enum <code>IMPORT_JOB_STATE_UNSPECIFIED = 0;</code>
+     */
+    const IMPORT_JOB_STATE_UNSPECIFIED = 0;
+    /**
+     * The wrapping key for this job is still being generated. It may not be
+     * used. Cloud KMS will automatically mark this job as
+     * [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE] as soon as
+     * the wrapping key is generated.
+     *
+     * Generated from protobuf enum <code>PENDING_GENERATION = 1;</code>
+     */
+    const PENDING_GENERATION = 1;
+    /**
+     * This job may be used in
+     * [CreateCryptoKey][google.cloud.kms.v1.KeyManagementService.CreateCryptoKey]
+     * and
+     * [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
+     * requests.
+     *
+     * Generated from protobuf enum <code>ACTIVE = 2;</code>
+     */
+    const ACTIVE = 2;
+    /**
+     * This job can no longer be used and may not leave this state once entered.
+     *
+     * Generated from protobuf enum <code>EXPIRED = 3;</code>
+     */
+    const EXPIRED = 3;
+
+    private static $valueToName = [
+        self::IMPORT_JOB_STATE_UNSPECIFIED => 'IMPORT_JOB_STATE_UNSPECIFIED',
+        self::PENDING_GENERATION => 'PENDING_GENERATION',
+        self::ACTIVE => 'ACTIVE',
+        self::EXPIRED => 'EXPIRED',
+    ];
+
+    public static function name($value)
+    {
+        if (!isset(self::$valueToName[$value])) {
+            throw new UnexpectedValueException(sprintf(
+                    'Enum %s has no name defined for value %s', __CLASS__, $value));
+        }
+        return self::$valueToName[$value];
+    }
+
+
+    public static function value($name)
+    {
+        $const = __CLASS__ . '::' . strtoupper($name);
+        if (!defined($const)) {
+            throw new UnexpectedValueException(sprintf(
+                    'Enum %s has no value defined for name %s', __CLASS__, $name));
+        }
+        return constant($const);
+    }
+}
+
+// Adding a class alias for backwards compatibility with the previous class name.
+class_alias(ImportJobState::class, \Google\Cloud\Kms\V1\ImportJob_ImportJobState::class);
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ImportJob/ImportMethod.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ImportJob/ImportMethod.php
new file mode 100644
index 000000000000..f9a854116277
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ImportJob/ImportMethod.php
@@ -0,0 +1,120 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/resources.proto
+
+namespace Google\Cloud\Kms\V1\ImportJob;
+
+use UnexpectedValueException;
+
+/**
+ * [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod] describes the
+ * key wrapping method chosen for this
+ * [ImportJob][google.cloud.kms.v1.ImportJob].
+ *
+ * Protobuf type <code>google.cloud.kms.v1.ImportJob.ImportMethod</code>
+ */
+class ImportMethod
+{
+    /**
+     * Not specified.
+     *
+     * Generated from protobuf enum <code>IMPORT_METHOD_UNSPECIFIED = 0;</code>
+     */
+    const IMPORT_METHOD_UNSPECIFIED = 0;
+    /**
+     * This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping
+     * scheme defined in the PKCS #11 standard. In summary, this involves
+     * wrapping the raw key with an ephemeral AES key, and wrapping the
+     * ephemeral AES key with a 3072 bit RSA key. For more details, see
+     * [RSA AES key wrap
+     * mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908).
+     *
+     * Generated from protobuf enum <code>RSA_OAEP_3072_SHA1_AES_256 = 1;</code>
+     */
+    const RSA_OAEP_3072_SHA1_AES_256 = 1;
+    /**
+     * This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping
+     * scheme defined in the PKCS #11 standard. In summary, this involves
+     * wrapping the raw key with an ephemeral AES key, and wrapping the
+     * ephemeral AES key with a 4096 bit RSA key. For more details, see
+     * [RSA AES key wrap
+     * mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908).
+     *
+     * Generated from protobuf enum <code>RSA_OAEP_4096_SHA1_AES_256 = 2;</code>
+     */
+    const RSA_OAEP_4096_SHA1_AES_256 = 2;
+    /**
+     * This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping
+     * scheme defined in the PKCS #11 standard. In summary, this involves
+     * wrapping the raw key with an ephemeral AES key, and wrapping the
+     * ephemeral AES key with a 3072 bit RSA key. For more details, see
+     * [RSA AES key wrap
+     * mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908).
+     *
+     * Generated from protobuf enum <code>RSA_OAEP_3072_SHA256_AES_256 = 3;</code>
+     */
+    const RSA_OAEP_3072_SHA256_AES_256 = 3;
+    /**
+     * This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping
+     * scheme defined in the PKCS #11 standard. In summary, this involves
+     * wrapping the raw key with an ephemeral AES key, and wrapping the
+     * ephemeral AES key with a 4096 bit RSA key. For more details, see
+     * [RSA AES key wrap
+     * mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908).
+     *
+     * Generated from protobuf enum <code>RSA_OAEP_4096_SHA256_AES_256 = 4;</code>
+     */
+    const RSA_OAEP_4096_SHA256_AES_256 = 4;
+    /**
+     * This ImportMethod represents RSAES-OAEP with a 3072 bit RSA key. The
+     * key material to be imported is wrapped directly with the RSA key. Due
+     * to technical limitations of RSA wrapping, this method cannot be used to
+     * wrap RSA keys for import.
+     *
+     * Generated from protobuf enum <code>RSA_OAEP_3072_SHA256 = 5;</code>
+     */
+    const RSA_OAEP_3072_SHA256 = 5;
+    /**
+     * This ImportMethod represents RSAES-OAEP with a 4096 bit RSA key. The
+     * key material to be imported is wrapped directly with the RSA key. Due
+     * to technical limitations of RSA wrapping, this method cannot be used to
+     * wrap RSA keys for import.
+     *
+     * Generated from protobuf enum <code>RSA_OAEP_4096_SHA256 = 6;</code>
+     */
+    const RSA_OAEP_4096_SHA256 = 6;
+
+    private static $valueToName = [
+        self::IMPORT_METHOD_UNSPECIFIED => 'IMPORT_METHOD_UNSPECIFIED',
+        self::RSA_OAEP_3072_SHA1_AES_256 => 'RSA_OAEP_3072_SHA1_AES_256',
+        self::RSA_OAEP_4096_SHA1_AES_256 => 'RSA_OAEP_4096_SHA1_AES_256',
+        self::RSA_OAEP_3072_SHA256_AES_256 => 'RSA_OAEP_3072_SHA256_AES_256',
+        self::RSA_OAEP_4096_SHA256_AES_256 => 'RSA_OAEP_4096_SHA256_AES_256',
+        self::RSA_OAEP_3072_SHA256 => 'RSA_OAEP_3072_SHA256',
+        self::RSA_OAEP_4096_SHA256 => 'RSA_OAEP_4096_SHA256',
+    ];
+
+    public static function name($value)
+    {
+        if (!isset(self::$valueToName[$value])) {
+            throw new UnexpectedValueException(sprintf(
+                    'Enum %s has no name defined for value %s', __CLASS__, $value));
+        }
+        return self::$valueToName[$value];
+    }
+
+
+    public static function value($name)
+    {
+        $const = __CLASS__ . '::' . strtoupper($name);
+        if (!defined($const)) {
+            throw new UnexpectedValueException(sprintf(
+                    'Enum %s has no value defined for name %s', __CLASS__, $name));
+        }
+        return constant($const);
+    }
+}
+
+// Adding a class alias for backwards compatibility with the previous class name.
+class_alias(ImportMethod::class, \Google\Cloud\Kms\V1\ImportJob_ImportMethod::class);
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ImportJob/WrappingPublicKey.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ImportJob/WrappingPublicKey.php
new file mode 100644
index 000000000000..63be4f5d952d
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ImportJob/WrappingPublicKey.php
@@ -0,0 +1,88 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/resources.proto
+
+namespace Google\Cloud\Kms\V1\ImportJob;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * The public key component of the wrapping key. For details of the type of
+ * key this public key corresponds to, see the
+ * [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.ImportJob.WrappingPublicKey</code>
+ */
+class WrappingPublicKey extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * The public key, encoded in PEM format. For more information, see the [RFC
+     * 7468](https://tools.ietf.org/html/rfc7468) sections for [General
+     * Considerations](https://tools.ietf.org/html/rfc7468#section-2) and
+     * [Textual Encoding of Subject Public Key Info]
+     * (https://tools.ietf.org/html/rfc7468#section-13).
+     *
+     * Generated from protobuf field <code>string pem = 1;</code>
+     */
+    protected $pem = '';
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $pem
+     *           The public key, encoded in PEM format. For more information, see the [RFC
+     *           7468](https://tools.ietf.org/html/rfc7468) sections for [General
+     *           Considerations](https://tools.ietf.org/html/rfc7468#section-2) and
+     *           [Textual Encoding of Subject Public Key Info]
+     *           (https://tools.ietf.org/html/rfc7468#section-13).
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Resources::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * The public key, encoded in PEM format. For more information, see the [RFC
+     * 7468](https://tools.ietf.org/html/rfc7468) sections for [General
+     * Considerations](https://tools.ietf.org/html/rfc7468#section-2) and
+     * [Textual Encoding of Subject Public Key Info]
+     * (https://tools.ietf.org/html/rfc7468#section-13).
+     *
+     * Generated from protobuf field <code>string pem = 1;</code>
+     * @return string
+     */
+    public function getPem()
+    {
+        return $this->pem;
+    }
+
+    /**
+     * The public key, encoded in PEM format. For more information, see the [RFC
+     * 7468](https://tools.ietf.org/html/rfc7468) sections for [General
+     * Considerations](https://tools.ietf.org/html/rfc7468#section-2) and
+     * [Textual Encoding of Subject Public Key Info]
+     * (https://tools.ietf.org/html/rfc7468#section-13).
+     *
+     * Generated from protobuf field <code>string pem = 1;</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setPem($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->pem = $var;
+
+        return $this;
+    }
+
+}
+
+// Adding a class alias for backwards compatibility with the previous class name.
+class_alias(WrappingPublicKey::class, \Google\Cloud\Kms\V1\ImportJob_WrappingPublicKey::class);
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/KeyAccessJustificationsPolicy.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/KeyAccessJustificationsPolicy.php
new file mode 100644
index 000000000000..f8e478c969ad
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/KeyAccessJustificationsPolicy.php
@@ -0,0 +1,87 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/resources.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * A
+ * [KeyAccessJustificationsPolicy][google.cloud.kms.v1.KeyAccessJustificationsPolicy]
+ * specifies zero or more allowed
+ * [AccessReason][google.cloud.kms.v1.AccessReason] values for encrypt, decrypt,
+ * and sign operations on a [CryptoKey][google.cloud.kms.v1.CryptoKey].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.KeyAccessJustificationsPolicy</code>
+ */
+class KeyAccessJustificationsPolicy extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * The list of allowed reasons for access to a
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey]. Zero allowed access reasons
+     * means all encrypt, decrypt, and sign operations for the
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] associated with this policy will
+     * fail.
+     *
+     * Generated from protobuf field <code>repeated .google.cloud.kms.v1.AccessReason allowed_access_reasons = 1;</code>
+     */
+    private $allowed_access_reasons;
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type array<int>|\Google\Protobuf\Internal\RepeatedField $allowed_access_reasons
+     *           The list of allowed reasons for access to a
+     *           [CryptoKey][google.cloud.kms.v1.CryptoKey]. Zero allowed access reasons
+     *           means all encrypt, decrypt, and sign operations for the
+     *           [CryptoKey][google.cloud.kms.v1.CryptoKey] associated with this policy will
+     *           fail.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Resources::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * The list of allowed reasons for access to a
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey]. Zero allowed access reasons
+     * means all encrypt, decrypt, and sign operations for the
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] associated with this policy will
+     * fail.
+     *
+     * Generated from protobuf field <code>repeated .google.cloud.kms.v1.AccessReason allowed_access_reasons = 1;</code>
+     * @return \Google\Protobuf\Internal\RepeatedField
+     */
+    public function getAllowedAccessReasons()
+    {
+        return $this->allowed_access_reasons;
+    }
+
+    /**
+     * The list of allowed reasons for access to a
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey]. Zero allowed access reasons
+     * means all encrypt, decrypt, and sign operations for the
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] associated with this policy will
+     * fail.
+     *
+     * Generated from protobuf field <code>repeated .google.cloud.kms.v1.AccessReason allowed_access_reasons = 1;</code>
+     * @param array<int>|\Google\Protobuf\Internal\RepeatedField $var
+     * @return $this
+     */
+    public function setAllowedAccessReasons($var)
+    {
+        $arr = GPBUtil::checkRepeatedField($var, \Google\Protobuf\Internal\GPBType::ENUM, \Google\Cloud\Kms\V1\AccessReason::class);
+        $this->allowed_access_reasons = $arr;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/KeyHandle.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/KeyHandle.php
new file mode 100644
index 000000000000..aa4c81b8b765
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/KeyHandle.php
@@ -0,0 +1,196 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/autokey.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Resource-oriented representation of a request to Cloud KMS Autokey and the
+ * resulting provisioning of a [CryptoKey][google.cloud.kms.v1.CryptoKey].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.KeyHandle</code>
+ */
+class KeyHandle extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Identifier. Name of the [KeyHandle][google.cloud.kms.v1.KeyHandle]
+     * resource, e.g.
+     * `projects/{PROJECT_ID}/locations/{LOCATION}/keyHandles/{KEY_HANDLE_ID}`.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = IDENTIFIER];</code>
+     */
+    protected $name = '';
+    /**
+     * Output only. Name of a [CryptoKey][google.cloud.kms.v1.CryptoKey] that has
+     * been provisioned for Customer Managed Encryption Key (CMEK) use in the
+     * [KeyHandle][google.cloud.kms.v1.KeyHandle] project and location for the
+     * requested resource type. The [CryptoKey][google.cloud.kms.v1.CryptoKey]
+     * project will reflect the value configured in the
+     * [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig] on the resource
+     * project's ancestor folder at the time of the
+     * [KeyHandle][google.cloud.kms.v1.KeyHandle] creation. If more than one
+     * ancestor folder has a configured
+     * [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig], the nearest of these
+     * configurations is used.
+     *
+     * Generated from protobuf field <code>string kms_key = 3 [(.google.api.field_behavior) = OUTPUT_ONLY, (.google.api.resource_reference) = {</code>
+     */
+    protected $kms_key = '';
+    /**
+     * Required. Indicates the resource type that the resulting
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] is meant to protect, e.g.
+     * `{SERVICE}.googleapis.com/{TYPE}`. See documentation for supported resource
+     * types.
+     *
+     * Generated from protobuf field <code>string resource_type_selector = 4 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    protected $resource_type_selector = '';
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $name
+     *           Identifier. Name of the [KeyHandle][google.cloud.kms.v1.KeyHandle]
+     *           resource, e.g.
+     *           `projects/{PROJECT_ID}/locations/{LOCATION}/keyHandles/{KEY_HANDLE_ID}`.
+     *     @type string $kms_key
+     *           Output only. Name of a [CryptoKey][google.cloud.kms.v1.CryptoKey] that has
+     *           been provisioned for Customer Managed Encryption Key (CMEK) use in the
+     *           [KeyHandle][google.cloud.kms.v1.KeyHandle] project and location for the
+     *           requested resource type. The [CryptoKey][google.cloud.kms.v1.CryptoKey]
+     *           project will reflect the value configured in the
+     *           [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig] on the resource
+     *           project's ancestor folder at the time of the
+     *           [KeyHandle][google.cloud.kms.v1.KeyHandle] creation. If more than one
+     *           ancestor folder has a configured
+     *           [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig], the nearest of these
+     *           configurations is used.
+     *     @type string $resource_type_selector
+     *           Required. Indicates the resource type that the resulting
+     *           [CryptoKey][google.cloud.kms.v1.CryptoKey] is meant to protect, e.g.
+     *           `{SERVICE}.googleapis.com/{TYPE}`. See documentation for supported resource
+     *           types.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Autokey::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Identifier. Name of the [KeyHandle][google.cloud.kms.v1.KeyHandle]
+     * resource, e.g.
+     * `projects/{PROJECT_ID}/locations/{LOCATION}/keyHandles/{KEY_HANDLE_ID}`.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = IDENTIFIER];</code>
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * Identifier. Name of the [KeyHandle][google.cloud.kms.v1.KeyHandle]
+     * resource, e.g.
+     * `projects/{PROJECT_ID}/locations/{LOCATION}/keyHandles/{KEY_HANDLE_ID}`.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = IDENTIFIER];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setName($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->name = $var;
+
+        return $this;
+    }
+
+    /**
+     * Output only. Name of a [CryptoKey][google.cloud.kms.v1.CryptoKey] that has
+     * been provisioned for Customer Managed Encryption Key (CMEK) use in the
+     * [KeyHandle][google.cloud.kms.v1.KeyHandle] project and location for the
+     * requested resource type. The [CryptoKey][google.cloud.kms.v1.CryptoKey]
+     * project will reflect the value configured in the
+     * [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig] on the resource
+     * project's ancestor folder at the time of the
+     * [KeyHandle][google.cloud.kms.v1.KeyHandle] creation. If more than one
+     * ancestor folder has a configured
+     * [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig], the nearest of these
+     * configurations is used.
+     *
+     * Generated from protobuf field <code>string kms_key = 3 [(.google.api.field_behavior) = OUTPUT_ONLY, (.google.api.resource_reference) = {</code>
+     * @return string
+     */
+    public function getKmsKey()
+    {
+        return $this->kms_key;
+    }
+
+    /**
+     * Output only. Name of a [CryptoKey][google.cloud.kms.v1.CryptoKey] that has
+     * been provisioned for Customer Managed Encryption Key (CMEK) use in the
+     * [KeyHandle][google.cloud.kms.v1.KeyHandle] project and location for the
+     * requested resource type. The [CryptoKey][google.cloud.kms.v1.CryptoKey]
+     * project will reflect the value configured in the
+     * [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig] on the resource
+     * project's ancestor folder at the time of the
+     * [KeyHandle][google.cloud.kms.v1.KeyHandle] creation. If more than one
+     * ancestor folder has a configured
+     * [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig], the nearest of these
+     * configurations is used.
+     *
+     * Generated from protobuf field <code>string kms_key = 3 [(.google.api.field_behavior) = OUTPUT_ONLY, (.google.api.resource_reference) = {</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setKmsKey($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->kms_key = $var;
+
+        return $this;
+    }
+
+    /**
+     * Required. Indicates the resource type that the resulting
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] is meant to protect, e.g.
+     * `{SERVICE}.googleapis.com/{TYPE}`. See documentation for supported resource
+     * types.
+     *
+     * Generated from protobuf field <code>string resource_type_selector = 4 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return string
+     */
+    public function getResourceTypeSelector()
+    {
+        return $this->resource_type_selector;
+    }
+
+    /**
+     * Required. Indicates the resource type that the resulting
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] is meant to protect, e.g.
+     * `{SERVICE}.googleapis.com/{TYPE}`. See documentation for supported resource
+     * types.
+     *
+     * Generated from protobuf field <code>string resource_type_selector = 4 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setResourceTypeSelector($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->resource_type_selector = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/KeyOperationAttestation.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/KeyOperationAttestation.php
new file mode 100644
index 000000000000..faed7bffa9e1
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/KeyOperationAttestation.php
@@ -0,0 +1,151 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/resources.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Contains an HSM-generated attestation about a key operation. For more
+ * information, see [Verifying attestations]
+ * (https://cloud.google.com/kms/docs/attest-key).
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.KeyOperationAttestation</code>
+ */
+class KeyOperationAttestation extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Output only. The format of the attestation data.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.KeyOperationAttestation.AttestationFormat format = 4 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $format = 0;
+    /**
+     * Output only. The attestation data provided by the HSM when the key
+     * operation was performed.
+     *
+     * Generated from protobuf field <code>bytes content = 5 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $content = '';
+    /**
+     * Output only. The certificate chains needed to validate the attestation
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.KeyOperationAttestation.CertificateChains cert_chains = 6 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $cert_chains = null;
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type int $format
+     *           Output only. The format of the attestation data.
+     *     @type string $content
+     *           Output only. The attestation data provided by the HSM when the key
+     *           operation was performed.
+     *     @type \Google\Cloud\Kms\V1\KeyOperationAttestation\CertificateChains $cert_chains
+     *           Output only. The certificate chains needed to validate the attestation
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Resources::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Output only. The format of the attestation data.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.KeyOperationAttestation.AttestationFormat format = 4 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return int
+     */
+    public function getFormat()
+    {
+        return $this->format;
+    }
+
+    /**
+     * Output only. The format of the attestation data.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.KeyOperationAttestation.AttestationFormat format = 4 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setFormat($var)
+    {
+        GPBUtil::checkEnum($var, \Google\Cloud\Kms\V1\KeyOperationAttestation\AttestationFormat::class);
+        $this->format = $var;
+
+        return $this;
+    }
+
+    /**
+     * Output only. The attestation data provided by the HSM when the key
+     * operation was performed.
+     *
+     * Generated from protobuf field <code>bytes content = 5 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return string
+     */
+    public function getContent()
+    {
+        return $this->content;
+    }
+
+    /**
+     * Output only. The attestation data provided by the HSM when the key
+     * operation was performed.
+     *
+     * Generated from protobuf field <code>bytes content = 5 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setContent($var)
+    {
+        GPBUtil::checkString($var, False);
+        $this->content = $var;
+
+        return $this;
+    }
+
+    /**
+     * Output only. The certificate chains needed to validate the attestation
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.KeyOperationAttestation.CertificateChains cert_chains = 6 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return \Google\Cloud\Kms\V1\KeyOperationAttestation\CertificateChains|null
+     */
+    public function getCertChains()
+    {
+        return $this->cert_chains;
+    }
+
+    public function hasCertChains()
+    {
+        return isset($this->cert_chains);
+    }
+
+    public function clearCertChains()
+    {
+        unset($this->cert_chains);
+    }
+
+    /**
+     * Output only. The certificate chains needed to validate the attestation
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.KeyOperationAttestation.CertificateChains cert_chains = 6 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param \Google\Cloud\Kms\V1\KeyOperationAttestation\CertificateChains $var
+     * @return $this
+     */
+    public function setCertChains($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Cloud\Kms\V1\KeyOperationAttestation\CertificateChains::class);
+        $this->cert_chains = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/KeyOperationAttestation/AttestationFormat.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/KeyOperationAttestation/AttestationFormat.php
new file mode 100644
index 000000000000..43880fade2c1
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/KeyOperationAttestation/AttestationFormat.php
@@ -0,0 +1,68 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/resources.proto
+
+namespace Google\Cloud\Kms\V1\KeyOperationAttestation;
+
+use UnexpectedValueException;
+
+/**
+ * Attestation formats provided by the HSM.
+ *
+ * Protobuf type <code>google.cloud.kms.v1.KeyOperationAttestation.AttestationFormat</code>
+ */
+class AttestationFormat
+{
+    /**
+     * Not specified.
+     *
+     * Generated from protobuf enum <code>ATTESTATION_FORMAT_UNSPECIFIED = 0;</code>
+     */
+    const ATTESTATION_FORMAT_UNSPECIFIED = 0;
+    /**
+     * Cavium HSM attestation compressed with gzip. Note that this format is
+     * defined by Cavium and subject to change at any time.
+     * See
+     * https://www.marvell.com/products/security-solutions/nitrox-hs-adapters/software-key-attestation.html.
+     *
+     * Generated from protobuf enum <code>CAVIUM_V1_COMPRESSED = 3;</code>
+     */
+    const CAVIUM_V1_COMPRESSED = 3;
+    /**
+     * Cavium HSM attestation V2 compressed with gzip. This is a new format
+     * introduced in Cavium's version 3.2-08.
+     *
+     * Generated from protobuf enum <code>CAVIUM_V2_COMPRESSED = 4;</code>
+     */
+    const CAVIUM_V2_COMPRESSED = 4;
+
+    private static $valueToName = [
+        self::ATTESTATION_FORMAT_UNSPECIFIED => 'ATTESTATION_FORMAT_UNSPECIFIED',
+        self::CAVIUM_V1_COMPRESSED => 'CAVIUM_V1_COMPRESSED',
+        self::CAVIUM_V2_COMPRESSED => 'CAVIUM_V2_COMPRESSED',
+    ];
+
+    public static function name($value)
+    {
+        if (!isset(self::$valueToName[$value])) {
+            throw new UnexpectedValueException(sprintf(
+                    'Enum %s has no name defined for value %s', __CLASS__, $value));
+        }
+        return self::$valueToName[$value];
+    }
+
+
+    public static function value($name)
+    {
+        $const = __CLASS__ . '::' . strtoupper($name);
+        if (!defined($const)) {
+            throw new UnexpectedValueException(sprintf(
+                    'Enum %s has no value defined for name %s', __CLASS__, $name));
+        }
+        return constant($const);
+    }
+}
+
+// Adding a class alias for backwards compatibility with the previous class name.
+class_alias(AttestationFormat::class, \Google\Cloud\Kms\V1\KeyOperationAttestation_AttestationFormat::class);
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/KeyOperationAttestation/CertificateChains.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/KeyOperationAttestation/CertificateChains.php
new file mode 100644
index 000000000000..b1eef375ad42
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/KeyOperationAttestation/CertificateChains.php
@@ -0,0 +1,140 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/resources.proto
+
+namespace Google\Cloud\Kms\V1\KeyOperationAttestation;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Certificate chains needed to verify the attestation.
+ * Certificates in chains are PEM-encoded and are ordered based on
+ * https://tools.ietf.org/html/rfc5246#section-7.4.2.
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.KeyOperationAttestation.CertificateChains</code>
+ */
+class CertificateChains extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Cavium certificate chain corresponding to the attestation.
+     *
+     * Generated from protobuf field <code>repeated string cavium_certs = 1;</code>
+     */
+    private $cavium_certs;
+    /**
+     * Google card certificate chain corresponding to the attestation.
+     *
+     * Generated from protobuf field <code>repeated string google_card_certs = 2;</code>
+     */
+    private $google_card_certs;
+    /**
+     * Google partition certificate chain corresponding to the attestation.
+     *
+     * Generated from protobuf field <code>repeated string google_partition_certs = 3;</code>
+     */
+    private $google_partition_certs;
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type array<string>|\Google\Protobuf\Internal\RepeatedField $cavium_certs
+     *           Cavium certificate chain corresponding to the attestation.
+     *     @type array<string>|\Google\Protobuf\Internal\RepeatedField $google_card_certs
+     *           Google card certificate chain corresponding to the attestation.
+     *     @type array<string>|\Google\Protobuf\Internal\RepeatedField $google_partition_certs
+     *           Google partition certificate chain corresponding to the attestation.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Resources::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Cavium certificate chain corresponding to the attestation.
+     *
+     * Generated from protobuf field <code>repeated string cavium_certs = 1;</code>
+     * @return \Google\Protobuf\Internal\RepeatedField
+     */
+    public function getCaviumCerts()
+    {
+        return $this->cavium_certs;
+    }
+
+    /**
+     * Cavium certificate chain corresponding to the attestation.
+     *
+     * Generated from protobuf field <code>repeated string cavium_certs = 1;</code>
+     * @param array<string>|\Google\Protobuf\Internal\RepeatedField $var
+     * @return $this
+     */
+    public function setCaviumCerts($var)
+    {
+        $arr = GPBUtil::checkRepeatedField($var, \Google\Protobuf\Internal\GPBType::STRING);
+        $this->cavium_certs = $arr;
+
+        return $this;
+    }
+
+    /**
+     * Google card certificate chain corresponding to the attestation.
+     *
+     * Generated from protobuf field <code>repeated string google_card_certs = 2;</code>
+     * @return \Google\Protobuf\Internal\RepeatedField
+     */
+    public function getGoogleCardCerts()
+    {
+        return $this->google_card_certs;
+    }
+
+    /**
+     * Google card certificate chain corresponding to the attestation.
+     *
+     * Generated from protobuf field <code>repeated string google_card_certs = 2;</code>
+     * @param array<string>|\Google\Protobuf\Internal\RepeatedField $var
+     * @return $this
+     */
+    public function setGoogleCardCerts($var)
+    {
+        $arr = GPBUtil::checkRepeatedField($var, \Google\Protobuf\Internal\GPBType::STRING);
+        $this->google_card_certs = $arr;
+
+        return $this;
+    }
+
+    /**
+     * Google partition certificate chain corresponding to the attestation.
+     *
+     * Generated from protobuf field <code>repeated string google_partition_certs = 3;</code>
+     * @return \Google\Protobuf\Internal\RepeatedField
+     */
+    public function getGooglePartitionCerts()
+    {
+        return $this->google_partition_certs;
+    }
+
+    /**
+     * Google partition certificate chain corresponding to the attestation.
+     *
+     * Generated from protobuf field <code>repeated string google_partition_certs = 3;</code>
+     * @param array<string>|\Google\Protobuf\Internal\RepeatedField $var
+     * @return $this
+     */
+    public function setGooglePartitionCerts($var)
+    {
+        $arr = GPBUtil::checkRepeatedField($var, \Google\Protobuf\Internal\GPBType::STRING);
+        $this->google_partition_certs = $arr;
+
+        return $this;
+    }
+
+}
+
+// Adding a class alias for backwards compatibility with the previous class name.
+class_alias(CertificateChains::class, \Google\Cloud\Kms\V1\KeyOperationAttestation_CertificateChains::class);
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/KeyRing.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/KeyRing.php
new file mode 100644
index 000000000000..797fe8942e0b
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/KeyRing.php
@@ -0,0 +1,124 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/resources.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * A [KeyRing][google.cloud.kms.v1.KeyRing] is a toplevel logical grouping of
+ * [CryptoKeys][google.cloud.kms.v1.CryptoKey].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.KeyRing</code>
+ */
+class KeyRing extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Output only. The resource name for the
+     * [KeyRing][google.cloud.kms.v1.KeyRing] in the format
+     * `projects/&#42;&#47;locations/&#42;&#47;keyRings/&#42;`.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $name = '';
+    /**
+     * Output only. The time at which this [KeyRing][google.cloud.kms.v1.KeyRing]
+     * was created.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp create_time = 2 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     */
+    protected $create_time = null;
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $name
+     *           Output only. The resource name for the
+     *           [KeyRing][google.cloud.kms.v1.KeyRing] in the format
+     *           `projects/&#42;&#47;locations/&#42;&#47;keyRings/&#42;`.
+     *     @type \Google\Protobuf\Timestamp $create_time
+     *           Output only. The time at which this [KeyRing][google.cloud.kms.v1.KeyRing]
+     *           was created.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Resources::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Output only. The resource name for the
+     * [KeyRing][google.cloud.kms.v1.KeyRing] in the format
+     * `projects/&#42;&#47;locations/&#42;&#47;keyRings/&#42;`.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * Output only. The resource name for the
+     * [KeyRing][google.cloud.kms.v1.KeyRing] in the format
+     * `projects/&#42;&#47;locations/&#42;&#47;keyRings/&#42;`.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setName($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->name = $var;
+
+        return $this;
+    }
+
+    /**
+     * Output only. The time at which this [KeyRing][google.cloud.kms.v1.KeyRing]
+     * was created.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp create_time = 2 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @return \Google\Protobuf\Timestamp|null
+     */
+    public function getCreateTime()
+    {
+        return $this->create_time;
+    }
+
+    public function hasCreateTime()
+    {
+        return isset($this->create_time);
+    }
+
+    public function clearCreateTime()
+    {
+        unset($this->create_time);
+    }
+
+    /**
+     * Output only. The time at which this [KeyRing][google.cloud.kms.v1.KeyRing]
+     * was created.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Timestamp create_time = 2 [(.google.api.field_behavior) = OUTPUT_ONLY];</code>
+     * @param \Google\Protobuf\Timestamp $var
+     * @return $this
+     */
+    public function setCreateTime($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Timestamp::class);
+        $this->create_time = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListCryptoKeyVersionsRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListCryptoKeyVersionsRequest.php
new file mode 100644
index 000000000000..b429f3ce2435
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListCryptoKeyVersionsRequest.php
@@ -0,0 +1,314 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.ListCryptoKeyVersionsRequest</code>
+ */
+class ListCryptoKeyVersionsRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. The resource name of the
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] to list, in the format
+     * `projects/&#42;&#47;locations/&#42;&#47;keyRings/&#42;&#47;cryptoKeys/&#42;`.
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     */
+    protected $parent = '';
+    /**
+     * Optional. Optional limit on the number of
+     * [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] to include in the
+     * response. Further [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]
+     * can subsequently be obtained by including the
+     * [ListCryptoKeyVersionsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token]
+     * in a subsequent request. If unspecified, the server will pick an
+     * appropriate default.
+     *
+     * Generated from protobuf field <code>int32 page_size = 2 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $page_size = 0;
+    /**
+     * Optional. Optional pagination token, returned earlier via
+     * [ListCryptoKeyVersionsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token].
+     *
+     * Generated from protobuf field <code>string page_token = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $page_token = '';
+    /**
+     * The fields to include in the response.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionView view = 4;</code>
+     */
+    protected $view = 0;
+    /**
+     * Optional. Only include resources that match the filter in the response. For
+     * more information, see
+     * [Sorting and filtering list
+     * results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     *
+     * Generated from protobuf field <code>string filter = 5 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $filter = '';
+    /**
+     * Optional. Specify how the results should be sorted. If not specified, the
+     * results will be sorted in the default order. For more information, see
+     * [Sorting and filtering list
+     * results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     *
+     * Generated from protobuf field <code>string order_by = 6 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $order_by = '';
+
+    /**
+     * @param string $parent Required. The resource name of the
+     *                       [CryptoKey][google.cloud.kms.v1.CryptoKey] to list, in the format
+     *                       `projects/&#42;/locations/&#42;/keyRings/&#42;/cryptoKeys/*`. Please see
+     *                       {@see KeyManagementServiceClient::cryptoKeyName()} for help formatting this field.
+     *
+     * @return \Google\Cloud\Kms\V1\ListCryptoKeyVersionsRequest
+     *
+     * @experimental
+     */
+    public static function build(string $parent): self
+    {
+        return (new self())
+            ->setParent($parent);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $parent
+     *           Required. The resource name of the
+     *           [CryptoKey][google.cloud.kms.v1.CryptoKey] to list, in the format
+     *           `projects/&#42;&#47;locations/&#42;&#47;keyRings/&#42;&#47;cryptoKeys/&#42;`.
+     *     @type int $page_size
+     *           Optional. Optional limit on the number of
+     *           [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] to include in the
+     *           response. Further [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]
+     *           can subsequently be obtained by including the
+     *           [ListCryptoKeyVersionsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token]
+     *           in a subsequent request. If unspecified, the server will pick an
+     *           appropriate default.
+     *     @type string $page_token
+     *           Optional. Optional pagination token, returned earlier via
+     *           [ListCryptoKeyVersionsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token].
+     *     @type int $view
+     *           The fields to include in the response.
+     *     @type string $filter
+     *           Optional. Only include resources that match the filter in the response. For
+     *           more information, see
+     *           [Sorting and filtering list
+     *           results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     *     @type string $order_by
+     *           Optional. Specify how the results should be sorted. If not specified, the
+     *           results will be sorted in the default order. For more information, see
+     *           [Sorting and filtering list
+     *           results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. The resource name of the
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] to list, in the format
+     * `projects/&#42;&#47;locations/&#42;&#47;keyRings/&#42;&#47;cryptoKeys/&#42;`.
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @return string
+     */
+    public function getParent()
+    {
+        return $this->parent;
+    }
+
+    /**
+     * Required. The resource name of the
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] to list, in the format
+     * `projects/&#42;&#47;locations/&#42;&#47;keyRings/&#42;&#47;cryptoKeys/&#42;`.
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setParent($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->parent = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. Optional limit on the number of
+     * [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] to include in the
+     * response. Further [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]
+     * can subsequently be obtained by including the
+     * [ListCryptoKeyVersionsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token]
+     * in a subsequent request. If unspecified, the server will pick an
+     * appropriate default.
+     *
+     * Generated from protobuf field <code>int32 page_size = 2 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return int
+     */
+    public function getPageSize()
+    {
+        return $this->page_size;
+    }
+
+    /**
+     * Optional. Optional limit on the number of
+     * [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] to include in the
+     * response. Further [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]
+     * can subsequently be obtained by including the
+     * [ListCryptoKeyVersionsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token]
+     * in a subsequent request. If unspecified, the server will pick an
+     * appropriate default.
+     *
+     * Generated from protobuf field <code>int32 page_size = 2 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setPageSize($var)
+    {
+        GPBUtil::checkInt32($var);
+        $this->page_size = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. Optional pagination token, returned earlier via
+     * [ListCryptoKeyVersionsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token].
+     *
+     * Generated from protobuf field <code>string page_token = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return string
+     */
+    public function getPageToken()
+    {
+        return $this->page_token;
+    }
+
+    /**
+     * Optional. Optional pagination token, returned earlier via
+     * [ListCryptoKeyVersionsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token].
+     *
+     * Generated from protobuf field <code>string page_token = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setPageToken($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->page_token = $var;
+
+        return $this;
+    }
+
+    /**
+     * The fields to include in the response.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionView view = 4;</code>
+     * @return int
+     */
+    public function getView()
+    {
+        return $this->view;
+    }
+
+    /**
+     * The fields to include in the response.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionView view = 4;</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setView($var)
+    {
+        GPBUtil::checkEnum($var, \Google\Cloud\Kms\V1\CryptoKeyVersion\CryptoKeyVersionView::class);
+        $this->view = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. Only include resources that match the filter in the response. For
+     * more information, see
+     * [Sorting and filtering list
+     * results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     *
+     * Generated from protobuf field <code>string filter = 5 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return string
+     */
+    public function getFilter()
+    {
+        return $this->filter;
+    }
+
+    /**
+     * Optional. Only include resources that match the filter in the response. For
+     * more information, see
+     * [Sorting and filtering list
+     * results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     *
+     * Generated from protobuf field <code>string filter = 5 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setFilter($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->filter = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. Specify how the results should be sorted. If not specified, the
+     * results will be sorted in the default order. For more information, see
+     * [Sorting and filtering list
+     * results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     *
+     * Generated from protobuf field <code>string order_by = 6 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return string
+     */
+    public function getOrderBy()
+    {
+        return $this->order_by;
+    }
+
+    /**
+     * Optional. Specify how the results should be sorted. If not specified, the
+     * results will be sorted in the default order. For more information, see
+     * [Sorting and filtering list
+     * results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     *
+     * Generated from protobuf field <code>string order_by = 6 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setOrderBy($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->order_by = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListCryptoKeyVersionsResponse.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListCryptoKeyVersionsResponse.php
new file mode 100644
index 000000000000..bbbe9ccb0775
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListCryptoKeyVersionsResponse.php
@@ -0,0 +1,152 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Response message for
+ * [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.ListCryptoKeyVersionsResponse</code>
+ */
+class ListCryptoKeyVersionsResponse extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * The list of [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
+     *
+     * Generated from protobuf field <code>repeated .google.cloud.kms.v1.CryptoKeyVersion crypto_key_versions = 1;</code>
+     */
+    private $crypto_key_versions;
+    /**
+     * A token to retrieve next page of results. Pass this value in
+     * [ListCryptoKeyVersionsRequest.page_token][google.cloud.kms.v1.ListCryptoKeyVersionsRequest.page_token]
+     * to retrieve the next page of results.
+     *
+     * Generated from protobuf field <code>string next_page_token = 2;</code>
+     */
+    protected $next_page_token = '';
+    /**
+     * The total number of
+     * [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] that matched the
+     * query.
+     *
+     * Generated from protobuf field <code>int32 total_size = 3;</code>
+     */
+    protected $total_size = 0;
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type array<\Google\Cloud\Kms\V1\CryptoKeyVersion>|\Google\Protobuf\Internal\RepeatedField $crypto_key_versions
+     *           The list of [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
+     *     @type string $next_page_token
+     *           A token to retrieve next page of results. Pass this value in
+     *           [ListCryptoKeyVersionsRequest.page_token][google.cloud.kms.v1.ListCryptoKeyVersionsRequest.page_token]
+     *           to retrieve the next page of results.
+     *     @type int $total_size
+     *           The total number of
+     *           [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] that matched the
+     *           query.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * The list of [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
+     *
+     * Generated from protobuf field <code>repeated .google.cloud.kms.v1.CryptoKeyVersion crypto_key_versions = 1;</code>
+     * @return \Google\Protobuf\Internal\RepeatedField
+     */
+    public function getCryptoKeyVersions()
+    {
+        return $this->crypto_key_versions;
+    }
+
+    /**
+     * The list of [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
+     *
+     * Generated from protobuf field <code>repeated .google.cloud.kms.v1.CryptoKeyVersion crypto_key_versions = 1;</code>
+     * @param array<\Google\Cloud\Kms\V1\CryptoKeyVersion>|\Google\Protobuf\Internal\RepeatedField $var
+     * @return $this
+     */
+    public function setCryptoKeyVersions($var)
+    {
+        $arr = GPBUtil::checkRepeatedField($var, \Google\Protobuf\Internal\GPBType::MESSAGE, \Google\Cloud\Kms\V1\CryptoKeyVersion::class);
+        $this->crypto_key_versions = $arr;
+
+        return $this;
+    }
+
+    /**
+     * A token to retrieve next page of results. Pass this value in
+     * [ListCryptoKeyVersionsRequest.page_token][google.cloud.kms.v1.ListCryptoKeyVersionsRequest.page_token]
+     * to retrieve the next page of results.
+     *
+     * Generated from protobuf field <code>string next_page_token = 2;</code>
+     * @return string
+     */
+    public function getNextPageToken()
+    {
+        return $this->next_page_token;
+    }
+
+    /**
+     * A token to retrieve next page of results. Pass this value in
+     * [ListCryptoKeyVersionsRequest.page_token][google.cloud.kms.v1.ListCryptoKeyVersionsRequest.page_token]
+     * to retrieve the next page of results.
+     *
+     * Generated from protobuf field <code>string next_page_token = 2;</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setNextPageToken($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->next_page_token = $var;
+
+        return $this;
+    }
+
+    /**
+     * The total number of
+     * [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] that matched the
+     * query.
+     *
+     * Generated from protobuf field <code>int32 total_size = 3;</code>
+     * @return int
+     */
+    public function getTotalSize()
+    {
+        return $this->total_size;
+    }
+
+    /**
+     * The total number of
+     * [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] that matched the
+     * query.
+     *
+     * Generated from protobuf field <code>int32 total_size = 3;</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setTotalSize($var)
+    {
+        GPBUtil::checkInt32($var);
+        $this->total_size = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListCryptoKeysRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListCryptoKeysRequest.php
new file mode 100644
index 000000000000..dc800232d1eb
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListCryptoKeysRequest.php
@@ -0,0 +1,309 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.ListCryptoKeysRequest</code>
+ */
+class ListCryptoKeysRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing]
+     * to list, in the format `projects/&#42;&#47;locations/&#42;&#47;keyRings/&#42;`.
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     */
+    protected $parent = '';
+    /**
+     * Optional. Optional limit on the number of
+     * [CryptoKeys][google.cloud.kms.v1.CryptoKey] to include in the response.
+     * Further [CryptoKeys][google.cloud.kms.v1.CryptoKey] can subsequently be
+     * obtained by including the
+     * [ListCryptoKeysResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token]
+     * in a subsequent request.  If unspecified, the server will pick an
+     * appropriate default.
+     *
+     * Generated from protobuf field <code>int32 page_size = 2 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $page_size = 0;
+    /**
+     * Optional. Optional pagination token, returned earlier via
+     * [ListCryptoKeysResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token].
+     *
+     * Generated from protobuf field <code>string page_token = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $page_token = '';
+    /**
+     * The fields of the primary version to include in the response.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionView version_view = 4;</code>
+     */
+    protected $version_view = 0;
+    /**
+     * Optional. Only include resources that match the filter in the response. For
+     * more information, see
+     * [Sorting and filtering list
+     * results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     *
+     * Generated from protobuf field <code>string filter = 5 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $filter = '';
+    /**
+     * Optional. Specify how the results should be sorted. If not specified, the
+     * results will be sorted in the default order. For more information, see
+     * [Sorting and filtering list
+     * results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     *
+     * Generated from protobuf field <code>string order_by = 6 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $order_by = '';
+
+    /**
+     * @param string $parent Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing]
+     *                       to list, in the format `projects/&#42;/locations/&#42;/keyRings/*`. Please see
+     *                       {@see KeyManagementServiceClient::keyRingName()} for help formatting this field.
+     *
+     * @return \Google\Cloud\Kms\V1\ListCryptoKeysRequest
+     *
+     * @experimental
+     */
+    public static function build(string $parent): self
+    {
+        return (new self())
+            ->setParent($parent);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $parent
+     *           Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing]
+     *           to list, in the format `projects/&#42;&#47;locations/&#42;&#47;keyRings/&#42;`.
+     *     @type int $page_size
+     *           Optional. Optional limit on the number of
+     *           [CryptoKeys][google.cloud.kms.v1.CryptoKey] to include in the response.
+     *           Further [CryptoKeys][google.cloud.kms.v1.CryptoKey] can subsequently be
+     *           obtained by including the
+     *           [ListCryptoKeysResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token]
+     *           in a subsequent request.  If unspecified, the server will pick an
+     *           appropriate default.
+     *     @type string $page_token
+     *           Optional. Optional pagination token, returned earlier via
+     *           [ListCryptoKeysResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token].
+     *     @type int $version_view
+     *           The fields of the primary version to include in the response.
+     *     @type string $filter
+     *           Optional. Only include resources that match the filter in the response. For
+     *           more information, see
+     *           [Sorting and filtering list
+     *           results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     *     @type string $order_by
+     *           Optional. Specify how the results should be sorted. If not specified, the
+     *           results will be sorted in the default order. For more information, see
+     *           [Sorting and filtering list
+     *           results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing]
+     * to list, in the format `projects/&#42;&#47;locations/&#42;&#47;keyRings/&#42;`.
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @return string
+     */
+    public function getParent()
+    {
+        return $this->parent;
+    }
+
+    /**
+     * Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing]
+     * to list, in the format `projects/&#42;&#47;locations/&#42;&#47;keyRings/&#42;`.
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setParent($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->parent = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. Optional limit on the number of
+     * [CryptoKeys][google.cloud.kms.v1.CryptoKey] to include in the response.
+     * Further [CryptoKeys][google.cloud.kms.v1.CryptoKey] can subsequently be
+     * obtained by including the
+     * [ListCryptoKeysResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token]
+     * in a subsequent request.  If unspecified, the server will pick an
+     * appropriate default.
+     *
+     * Generated from protobuf field <code>int32 page_size = 2 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return int
+     */
+    public function getPageSize()
+    {
+        return $this->page_size;
+    }
+
+    /**
+     * Optional. Optional limit on the number of
+     * [CryptoKeys][google.cloud.kms.v1.CryptoKey] to include in the response.
+     * Further [CryptoKeys][google.cloud.kms.v1.CryptoKey] can subsequently be
+     * obtained by including the
+     * [ListCryptoKeysResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token]
+     * in a subsequent request.  If unspecified, the server will pick an
+     * appropriate default.
+     *
+     * Generated from protobuf field <code>int32 page_size = 2 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setPageSize($var)
+    {
+        GPBUtil::checkInt32($var);
+        $this->page_size = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. Optional pagination token, returned earlier via
+     * [ListCryptoKeysResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token].
+     *
+     * Generated from protobuf field <code>string page_token = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return string
+     */
+    public function getPageToken()
+    {
+        return $this->page_token;
+    }
+
+    /**
+     * Optional. Optional pagination token, returned earlier via
+     * [ListCryptoKeysResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token].
+     *
+     * Generated from protobuf field <code>string page_token = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setPageToken($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->page_token = $var;
+
+        return $this;
+    }
+
+    /**
+     * The fields of the primary version to include in the response.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionView version_view = 4;</code>
+     * @return int
+     */
+    public function getVersionView()
+    {
+        return $this->version_view;
+    }
+
+    /**
+     * The fields of the primary version to include in the response.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionView version_view = 4;</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setVersionView($var)
+    {
+        GPBUtil::checkEnum($var, \Google\Cloud\Kms\V1\CryptoKeyVersion\CryptoKeyVersionView::class);
+        $this->version_view = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. Only include resources that match the filter in the response. For
+     * more information, see
+     * [Sorting and filtering list
+     * results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     *
+     * Generated from protobuf field <code>string filter = 5 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return string
+     */
+    public function getFilter()
+    {
+        return $this->filter;
+    }
+
+    /**
+     * Optional. Only include resources that match the filter in the response. For
+     * more information, see
+     * [Sorting and filtering list
+     * results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     *
+     * Generated from protobuf field <code>string filter = 5 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setFilter($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->filter = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. Specify how the results should be sorted. If not specified, the
+     * results will be sorted in the default order. For more information, see
+     * [Sorting and filtering list
+     * results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     *
+     * Generated from protobuf field <code>string order_by = 6 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return string
+     */
+    public function getOrderBy()
+    {
+        return $this->order_by;
+    }
+
+    /**
+     * Optional. Specify how the results should be sorted. If not specified, the
+     * results will be sorted in the default order. For more information, see
+     * [Sorting and filtering list
+     * results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     *
+     * Generated from protobuf field <code>string order_by = 6 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setOrderBy($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->order_by = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListCryptoKeysResponse.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListCryptoKeysResponse.php
new file mode 100644
index 000000000000..256c1b36b885
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListCryptoKeysResponse.php
@@ -0,0 +1,148 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Response message for
+ * [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.ListCryptoKeysResponse</code>
+ */
+class ListCryptoKeysResponse extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * The list of [CryptoKeys][google.cloud.kms.v1.CryptoKey].
+     *
+     * Generated from protobuf field <code>repeated .google.cloud.kms.v1.CryptoKey crypto_keys = 1;</code>
+     */
+    private $crypto_keys;
+    /**
+     * A token to retrieve next page of results. Pass this value in
+     * [ListCryptoKeysRequest.page_token][google.cloud.kms.v1.ListCryptoKeysRequest.page_token]
+     * to retrieve the next page of results.
+     *
+     * Generated from protobuf field <code>string next_page_token = 2;</code>
+     */
+    protected $next_page_token = '';
+    /**
+     * The total number of [CryptoKeys][google.cloud.kms.v1.CryptoKey] that
+     * matched the query.
+     *
+     * Generated from protobuf field <code>int32 total_size = 3;</code>
+     */
+    protected $total_size = 0;
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type array<\Google\Cloud\Kms\V1\CryptoKey>|\Google\Protobuf\Internal\RepeatedField $crypto_keys
+     *           The list of [CryptoKeys][google.cloud.kms.v1.CryptoKey].
+     *     @type string $next_page_token
+     *           A token to retrieve next page of results. Pass this value in
+     *           [ListCryptoKeysRequest.page_token][google.cloud.kms.v1.ListCryptoKeysRequest.page_token]
+     *           to retrieve the next page of results.
+     *     @type int $total_size
+     *           The total number of [CryptoKeys][google.cloud.kms.v1.CryptoKey] that
+     *           matched the query.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * The list of [CryptoKeys][google.cloud.kms.v1.CryptoKey].
+     *
+     * Generated from protobuf field <code>repeated .google.cloud.kms.v1.CryptoKey crypto_keys = 1;</code>
+     * @return \Google\Protobuf\Internal\RepeatedField
+     */
+    public function getCryptoKeys()
+    {
+        return $this->crypto_keys;
+    }
+
+    /**
+     * The list of [CryptoKeys][google.cloud.kms.v1.CryptoKey].
+     *
+     * Generated from protobuf field <code>repeated .google.cloud.kms.v1.CryptoKey crypto_keys = 1;</code>
+     * @param array<\Google\Cloud\Kms\V1\CryptoKey>|\Google\Protobuf\Internal\RepeatedField $var
+     * @return $this
+     */
+    public function setCryptoKeys($var)
+    {
+        $arr = GPBUtil::checkRepeatedField($var, \Google\Protobuf\Internal\GPBType::MESSAGE, \Google\Cloud\Kms\V1\CryptoKey::class);
+        $this->crypto_keys = $arr;
+
+        return $this;
+    }
+
+    /**
+     * A token to retrieve next page of results. Pass this value in
+     * [ListCryptoKeysRequest.page_token][google.cloud.kms.v1.ListCryptoKeysRequest.page_token]
+     * to retrieve the next page of results.
+     *
+     * Generated from protobuf field <code>string next_page_token = 2;</code>
+     * @return string
+     */
+    public function getNextPageToken()
+    {
+        return $this->next_page_token;
+    }
+
+    /**
+     * A token to retrieve next page of results. Pass this value in
+     * [ListCryptoKeysRequest.page_token][google.cloud.kms.v1.ListCryptoKeysRequest.page_token]
+     * to retrieve the next page of results.
+     *
+     * Generated from protobuf field <code>string next_page_token = 2;</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setNextPageToken($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->next_page_token = $var;
+
+        return $this;
+    }
+
+    /**
+     * The total number of [CryptoKeys][google.cloud.kms.v1.CryptoKey] that
+     * matched the query.
+     *
+     * Generated from protobuf field <code>int32 total_size = 3;</code>
+     * @return int
+     */
+    public function getTotalSize()
+    {
+        return $this->total_size;
+    }
+
+    /**
+     * The total number of [CryptoKeys][google.cloud.kms.v1.CryptoKey] that
+     * matched the query.
+     *
+     * Generated from protobuf field <code>int32 total_size = 3;</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setTotalSize($var)
+    {
+        GPBUtil::checkInt32($var);
+        $this->total_size = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListEkmConnectionsRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListEkmConnectionsRequest.php
new file mode 100644
index 000000000000..00bdce40d8da
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListEkmConnectionsRequest.php
@@ -0,0 +1,280 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/ekm_service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [EkmService.ListEkmConnections][google.cloud.kms.v1.EkmService.ListEkmConnections].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.ListEkmConnectionsRequest</code>
+ */
+class ListEkmConnectionsRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. The resource name of the location associated with the
+     * [EkmConnections][google.cloud.kms.v1.EkmConnection] to list, in the format
+     * `projects/&#42;&#47;locations/&#42;`.
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     */
+    protected $parent = '';
+    /**
+     * Optional. Optional limit on the number of
+     * [EkmConnections][google.cloud.kms.v1.EkmConnection] to include in the
+     * response. Further [EkmConnections][google.cloud.kms.v1.EkmConnection] can
+     * subsequently be obtained by including the
+     * [ListEkmConnectionsResponse.next_page_token][google.cloud.kms.v1.ListEkmConnectionsResponse.next_page_token]
+     * in a subsequent request. If unspecified, the server will pick an
+     * appropriate default.
+     *
+     * Generated from protobuf field <code>int32 page_size = 2 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $page_size = 0;
+    /**
+     * Optional. Optional pagination token, returned earlier via
+     * [ListEkmConnectionsResponse.next_page_token][google.cloud.kms.v1.ListEkmConnectionsResponse.next_page_token].
+     *
+     * Generated from protobuf field <code>string page_token = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $page_token = '';
+    /**
+     * Optional. Only include resources that match the filter in the response. For
+     * more information, see
+     * [Sorting and filtering list
+     * results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     *
+     * Generated from protobuf field <code>string filter = 4 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $filter = '';
+    /**
+     * Optional. Specify how the results should be sorted. If not specified, the
+     * results will be sorted in the default order.  For more information, see
+     * [Sorting and filtering list
+     * results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     *
+     * Generated from protobuf field <code>string order_by = 5 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $order_by = '';
+
+    /**
+     * @param string $parent Required. The resource name of the location associated with the
+     *                       [EkmConnections][google.cloud.kms.v1.EkmConnection] to list, in the format
+     *                       `projects/&#42;/locations/*`. Please see
+     *                       {@see EkmServiceClient::locationName()} for help formatting this field.
+     *
+     * @return \Google\Cloud\Kms\V1\ListEkmConnectionsRequest
+     *
+     * @experimental
+     */
+    public static function build(string $parent): self
+    {
+        return (new self())
+            ->setParent($parent);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $parent
+     *           Required. The resource name of the location associated with the
+     *           [EkmConnections][google.cloud.kms.v1.EkmConnection] to list, in the format
+     *           `projects/&#42;&#47;locations/&#42;`.
+     *     @type int $page_size
+     *           Optional. Optional limit on the number of
+     *           [EkmConnections][google.cloud.kms.v1.EkmConnection] to include in the
+     *           response. Further [EkmConnections][google.cloud.kms.v1.EkmConnection] can
+     *           subsequently be obtained by including the
+     *           [ListEkmConnectionsResponse.next_page_token][google.cloud.kms.v1.ListEkmConnectionsResponse.next_page_token]
+     *           in a subsequent request. If unspecified, the server will pick an
+     *           appropriate default.
+     *     @type string $page_token
+     *           Optional. Optional pagination token, returned earlier via
+     *           [ListEkmConnectionsResponse.next_page_token][google.cloud.kms.v1.ListEkmConnectionsResponse.next_page_token].
+     *     @type string $filter
+     *           Optional. Only include resources that match the filter in the response. For
+     *           more information, see
+     *           [Sorting and filtering list
+     *           results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     *     @type string $order_by
+     *           Optional. Specify how the results should be sorted. If not specified, the
+     *           results will be sorted in the default order.  For more information, see
+     *           [Sorting and filtering list
+     *           results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\EkmService::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. The resource name of the location associated with the
+     * [EkmConnections][google.cloud.kms.v1.EkmConnection] to list, in the format
+     * `projects/&#42;&#47;locations/&#42;`.
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @return string
+     */
+    public function getParent()
+    {
+        return $this->parent;
+    }
+
+    /**
+     * Required. The resource name of the location associated with the
+     * [EkmConnections][google.cloud.kms.v1.EkmConnection] to list, in the format
+     * `projects/&#42;&#47;locations/&#42;`.
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setParent($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->parent = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. Optional limit on the number of
+     * [EkmConnections][google.cloud.kms.v1.EkmConnection] to include in the
+     * response. Further [EkmConnections][google.cloud.kms.v1.EkmConnection] can
+     * subsequently be obtained by including the
+     * [ListEkmConnectionsResponse.next_page_token][google.cloud.kms.v1.ListEkmConnectionsResponse.next_page_token]
+     * in a subsequent request. If unspecified, the server will pick an
+     * appropriate default.
+     *
+     * Generated from protobuf field <code>int32 page_size = 2 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return int
+     */
+    public function getPageSize()
+    {
+        return $this->page_size;
+    }
+
+    /**
+     * Optional. Optional limit on the number of
+     * [EkmConnections][google.cloud.kms.v1.EkmConnection] to include in the
+     * response. Further [EkmConnections][google.cloud.kms.v1.EkmConnection] can
+     * subsequently be obtained by including the
+     * [ListEkmConnectionsResponse.next_page_token][google.cloud.kms.v1.ListEkmConnectionsResponse.next_page_token]
+     * in a subsequent request. If unspecified, the server will pick an
+     * appropriate default.
+     *
+     * Generated from protobuf field <code>int32 page_size = 2 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setPageSize($var)
+    {
+        GPBUtil::checkInt32($var);
+        $this->page_size = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. Optional pagination token, returned earlier via
+     * [ListEkmConnectionsResponse.next_page_token][google.cloud.kms.v1.ListEkmConnectionsResponse.next_page_token].
+     *
+     * Generated from protobuf field <code>string page_token = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return string
+     */
+    public function getPageToken()
+    {
+        return $this->page_token;
+    }
+
+    /**
+     * Optional. Optional pagination token, returned earlier via
+     * [ListEkmConnectionsResponse.next_page_token][google.cloud.kms.v1.ListEkmConnectionsResponse.next_page_token].
+     *
+     * Generated from protobuf field <code>string page_token = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setPageToken($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->page_token = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. Only include resources that match the filter in the response. For
+     * more information, see
+     * [Sorting and filtering list
+     * results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     *
+     * Generated from protobuf field <code>string filter = 4 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return string
+     */
+    public function getFilter()
+    {
+        return $this->filter;
+    }
+
+    /**
+     * Optional. Only include resources that match the filter in the response. For
+     * more information, see
+     * [Sorting and filtering list
+     * results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     *
+     * Generated from protobuf field <code>string filter = 4 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setFilter($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->filter = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. Specify how the results should be sorted. If not specified, the
+     * results will be sorted in the default order.  For more information, see
+     * [Sorting and filtering list
+     * results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     *
+     * Generated from protobuf field <code>string order_by = 5 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return string
+     */
+    public function getOrderBy()
+    {
+        return $this->order_by;
+    }
+
+    /**
+     * Optional. Specify how the results should be sorted. If not specified, the
+     * results will be sorted in the default order.  For more information, see
+     * [Sorting and filtering list
+     * results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     *
+     * Generated from protobuf field <code>string order_by = 5 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setOrderBy($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->order_by = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListEkmConnectionsResponse.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListEkmConnectionsResponse.php
new file mode 100644
index 000000000000..cf84a145df5e
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListEkmConnectionsResponse.php
@@ -0,0 +1,148 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/ekm_service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Response message for
+ * [EkmService.ListEkmConnections][google.cloud.kms.v1.EkmService.ListEkmConnections].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.ListEkmConnectionsResponse</code>
+ */
+class ListEkmConnectionsResponse extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * The list of [EkmConnections][google.cloud.kms.v1.EkmConnection].
+     *
+     * Generated from protobuf field <code>repeated .google.cloud.kms.v1.EkmConnection ekm_connections = 1;</code>
+     */
+    private $ekm_connections;
+    /**
+     * A token to retrieve next page of results. Pass this value in
+     * [ListEkmConnectionsRequest.page_token][google.cloud.kms.v1.ListEkmConnectionsRequest.page_token]
+     * to retrieve the next page of results.
+     *
+     * Generated from protobuf field <code>string next_page_token = 2;</code>
+     */
+    protected $next_page_token = '';
+    /**
+     * The total number of [EkmConnections][google.cloud.kms.v1.EkmConnection]
+     * that matched the query.
+     *
+     * Generated from protobuf field <code>int32 total_size = 3;</code>
+     */
+    protected $total_size = 0;
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type array<\Google\Cloud\Kms\V1\EkmConnection>|\Google\Protobuf\Internal\RepeatedField $ekm_connections
+     *           The list of [EkmConnections][google.cloud.kms.v1.EkmConnection].
+     *     @type string $next_page_token
+     *           A token to retrieve next page of results. Pass this value in
+     *           [ListEkmConnectionsRequest.page_token][google.cloud.kms.v1.ListEkmConnectionsRequest.page_token]
+     *           to retrieve the next page of results.
+     *     @type int $total_size
+     *           The total number of [EkmConnections][google.cloud.kms.v1.EkmConnection]
+     *           that matched the query.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\EkmService::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * The list of [EkmConnections][google.cloud.kms.v1.EkmConnection].
+     *
+     * Generated from protobuf field <code>repeated .google.cloud.kms.v1.EkmConnection ekm_connections = 1;</code>
+     * @return \Google\Protobuf\Internal\RepeatedField
+     */
+    public function getEkmConnections()
+    {
+        return $this->ekm_connections;
+    }
+
+    /**
+     * The list of [EkmConnections][google.cloud.kms.v1.EkmConnection].
+     *
+     * Generated from protobuf field <code>repeated .google.cloud.kms.v1.EkmConnection ekm_connections = 1;</code>
+     * @param array<\Google\Cloud\Kms\V1\EkmConnection>|\Google\Protobuf\Internal\RepeatedField $var
+     * @return $this
+     */
+    public function setEkmConnections($var)
+    {
+        $arr = GPBUtil::checkRepeatedField($var, \Google\Protobuf\Internal\GPBType::MESSAGE, \Google\Cloud\Kms\V1\EkmConnection::class);
+        $this->ekm_connections = $arr;
+
+        return $this;
+    }
+
+    /**
+     * A token to retrieve next page of results. Pass this value in
+     * [ListEkmConnectionsRequest.page_token][google.cloud.kms.v1.ListEkmConnectionsRequest.page_token]
+     * to retrieve the next page of results.
+     *
+     * Generated from protobuf field <code>string next_page_token = 2;</code>
+     * @return string
+     */
+    public function getNextPageToken()
+    {
+        return $this->next_page_token;
+    }
+
+    /**
+     * A token to retrieve next page of results. Pass this value in
+     * [ListEkmConnectionsRequest.page_token][google.cloud.kms.v1.ListEkmConnectionsRequest.page_token]
+     * to retrieve the next page of results.
+     *
+     * Generated from protobuf field <code>string next_page_token = 2;</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setNextPageToken($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->next_page_token = $var;
+
+        return $this;
+    }
+
+    /**
+     * The total number of [EkmConnections][google.cloud.kms.v1.EkmConnection]
+     * that matched the query.
+     *
+     * Generated from protobuf field <code>int32 total_size = 3;</code>
+     * @return int
+     */
+    public function getTotalSize()
+    {
+        return $this->total_size;
+    }
+
+    /**
+     * The total number of [EkmConnections][google.cloud.kms.v1.EkmConnection]
+     * that matched the query.
+     *
+     * Generated from protobuf field <code>int32 total_size = 3;</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setTotalSize($var)
+    {
+        GPBUtil::checkInt32($var);
+        $this->total_size = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListImportJobsRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListImportJobsRequest.php
new file mode 100644
index 000000000000..463eb5440cc1
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListImportJobsRequest.php
@@ -0,0 +1,275 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.ListImportJobsRequest</code>
+ */
+class ListImportJobsRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing]
+     * to list, in the format `projects/&#42;&#47;locations/&#42;&#47;keyRings/&#42;`.
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     */
+    protected $parent = '';
+    /**
+     * Optional. Optional limit on the number of
+     * [ImportJobs][google.cloud.kms.v1.ImportJob] to include in the response.
+     * Further [ImportJobs][google.cloud.kms.v1.ImportJob] can subsequently be
+     * obtained by including the
+     * [ListImportJobsResponse.next_page_token][google.cloud.kms.v1.ListImportJobsResponse.next_page_token]
+     * in a subsequent request. If unspecified, the server will pick an
+     * appropriate default.
+     *
+     * Generated from protobuf field <code>int32 page_size = 2 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $page_size = 0;
+    /**
+     * Optional. Optional pagination token, returned earlier via
+     * [ListImportJobsResponse.next_page_token][google.cloud.kms.v1.ListImportJobsResponse.next_page_token].
+     *
+     * Generated from protobuf field <code>string page_token = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $page_token = '';
+    /**
+     * Optional. Only include resources that match the filter in the response. For
+     * more information, see
+     * [Sorting and filtering list
+     * results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     *
+     * Generated from protobuf field <code>string filter = 4 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $filter = '';
+    /**
+     * Optional. Specify how the results should be sorted. If not specified, the
+     * results will be sorted in the default order. For more information, see
+     * [Sorting and filtering list
+     * results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     *
+     * Generated from protobuf field <code>string order_by = 5 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $order_by = '';
+
+    /**
+     * @param string $parent Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing]
+     *                       to list, in the format `projects/&#42;/locations/&#42;/keyRings/*`. Please see
+     *                       {@see KeyManagementServiceClient::keyRingName()} for help formatting this field.
+     *
+     * @return \Google\Cloud\Kms\V1\ListImportJobsRequest
+     *
+     * @experimental
+     */
+    public static function build(string $parent): self
+    {
+        return (new self())
+            ->setParent($parent);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $parent
+     *           Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing]
+     *           to list, in the format `projects/&#42;&#47;locations/&#42;&#47;keyRings/&#42;`.
+     *     @type int $page_size
+     *           Optional. Optional limit on the number of
+     *           [ImportJobs][google.cloud.kms.v1.ImportJob] to include in the response.
+     *           Further [ImportJobs][google.cloud.kms.v1.ImportJob] can subsequently be
+     *           obtained by including the
+     *           [ListImportJobsResponse.next_page_token][google.cloud.kms.v1.ListImportJobsResponse.next_page_token]
+     *           in a subsequent request. If unspecified, the server will pick an
+     *           appropriate default.
+     *     @type string $page_token
+     *           Optional. Optional pagination token, returned earlier via
+     *           [ListImportJobsResponse.next_page_token][google.cloud.kms.v1.ListImportJobsResponse.next_page_token].
+     *     @type string $filter
+     *           Optional. Only include resources that match the filter in the response. For
+     *           more information, see
+     *           [Sorting and filtering list
+     *           results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     *     @type string $order_by
+     *           Optional. Specify how the results should be sorted. If not specified, the
+     *           results will be sorted in the default order. For more information, see
+     *           [Sorting and filtering list
+     *           results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing]
+     * to list, in the format `projects/&#42;&#47;locations/&#42;&#47;keyRings/&#42;`.
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @return string
+     */
+    public function getParent()
+    {
+        return $this->parent;
+    }
+
+    /**
+     * Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing]
+     * to list, in the format `projects/&#42;&#47;locations/&#42;&#47;keyRings/&#42;`.
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setParent($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->parent = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. Optional limit on the number of
+     * [ImportJobs][google.cloud.kms.v1.ImportJob] to include in the response.
+     * Further [ImportJobs][google.cloud.kms.v1.ImportJob] can subsequently be
+     * obtained by including the
+     * [ListImportJobsResponse.next_page_token][google.cloud.kms.v1.ListImportJobsResponse.next_page_token]
+     * in a subsequent request. If unspecified, the server will pick an
+     * appropriate default.
+     *
+     * Generated from protobuf field <code>int32 page_size = 2 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return int
+     */
+    public function getPageSize()
+    {
+        return $this->page_size;
+    }
+
+    /**
+     * Optional. Optional limit on the number of
+     * [ImportJobs][google.cloud.kms.v1.ImportJob] to include in the response.
+     * Further [ImportJobs][google.cloud.kms.v1.ImportJob] can subsequently be
+     * obtained by including the
+     * [ListImportJobsResponse.next_page_token][google.cloud.kms.v1.ListImportJobsResponse.next_page_token]
+     * in a subsequent request. If unspecified, the server will pick an
+     * appropriate default.
+     *
+     * Generated from protobuf field <code>int32 page_size = 2 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setPageSize($var)
+    {
+        GPBUtil::checkInt32($var);
+        $this->page_size = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. Optional pagination token, returned earlier via
+     * [ListImportJobsResponse.next_page_token][google.cloud.kms.v1.ListImportJobsResponse.next_page_token].
+     *
+     * Generated from protobuf field <code>string page_token = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return string
+     */
+    public function getPageToken()
+    {
+        return $this->page_token;
+    }
+
+    /**
+     * Optional. Optional pagination token, returned earlier via
+     * [ListImportJobsResponse.next_page_token][google.cloud.kms.v1.ListImportJobsResponse.next_page_token].
+     *
+     * Generated from protobuf field <code>string page_token = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setPageToken($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->page_token = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. Only include resources that match the filter in the response. For
+     * more information, see
+     * [Sorting and filtering list
+     * results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     *
+     * Generated from protobuf field <code>string filter = 4 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return string
+     */
+    public function getFilter()
+    {
+        return $this->filter;
+    }
+
+    /**
+     * Optional. Only include resources that match the filter in the response. For
+     * more information, see
+     * [Sorting and filtering list
+     * results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     *
+     * Generated from protobuf field <code>string filter = 4 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setFilter($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->filter = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. Specify how the results should be sorted. If not specified, the
+     * results will be sorted in the default order. For more information, see
+     * [Sorting and filtering list
+     * results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     *
+     * Generated from protobuf field <code>string order_by = 5 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return string
+     */
+    public function getOrderBy()
+    {
+        return $this->order_by;
+    }
+
+    /**
+     * Optional. Specify how the results should be sorted. If not specified, the
+     * results will be sorted in the default order. For more information, see
+     * [Sorting and filtering list
+     * results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     *
+     * Generated from protobuf field <code>string order_by = 5 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setOrderBy($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->order_by = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListImportJobsResponse.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListImportJobsResponse.php
new file mode 100644
index 000000000000..04f11ca76dd2
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListImportJobsResponse.php
@@ -0,0 +1,148 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Response message for
+ * [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.ListImportJobsResponse</code>
+ */
+class ListImportJobsResponse extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * The list of [ImportJobs][google.cloud.kms.v1.ImportJob].
+     *
+     * Generated from protobuf field <code>repeated .google.cloud.kms.v1.ImportJob import_jobs = 1;</code>
+     */
+    private $import_jobs;
+    /**
+     * A token to retrieve next page of results. Pass this value in
+     * [ListImportJobsRequest.page_token][google.cloud.kms.v1.ListImportJobsRequest.page_token]
+     * to retrieve the next page of results.
+     *
+     * Generated from protobuf field <code>string next_page_token = 2;</code>
+     */
+    protected $next_page_token = '';
+    /**
+     * The total number of [ImportJobs][google.cloud.kms.v1.ImportJob] that
+     * matched the query.
+     *
+     * Generated from protobuf field <code>int32 total_size = 3;</code>
+     */
+    protected $total_size = 0;
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type array<\Google\Cloud\Kms\V1\ImportJob>|\Google\Protobuf\Internal\RepeatedField $import_jobs
+     *           The list of [ImportJobs][google.cloud.kms.v1.ImportJob].
+     *     @type string $next_page_token
+     *           A token to retrieve next page of results. Pass this value in
+     *           [ListImportJobsRequest.page_token][google.cloud.kms.v1.ListImportJobsRequest.page_token]
+     *           to retrieve the next page of results.
+     *     @type int $total_size
+     *           The total number of [ImportJobs][google.cloud.kms.v1.ImportJob] that
+     *           matched the query.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * The list of [ImportJobs][google.cloud.kms.v1.ImportJob].
+     *
+     * Generated from protobuf field <code>repeated .google.cloud.kms.v1.ImportJob import_jobs = 1;</code>
+     * @return \Google\Protobuf\Internal\RepeatedField
+     */
+    public function getImportJobs()
+    {
+        return $this->import_jobs;
+    }
+
+    /**
+     * The list of [ImportJobs][google.cloud.kms.v1.ImportJob].
+     *
+     * Generated from protobuf field <code>repeated .google.cloud.kms.v1.ImportJob import_jobs = 1;</code>
+     * @param array<\Google\Cloud\Kms\V1\ImportJob>|\Google\Protobuf\Internal\RepeatedField $var
+     * @return $this
+     */
+    public function setImportJobs($var)
+    {
+        $arr = GPBUtil::checkRepeatedField($var, \Google\Protobuf\Internal\GPBType::MESSAGE, \Google\Cloud\Kms\V1\ImportJob::class);
+        $this->import_jobs = $arr;
+
+        return $this;
+    }
+
+    /**
+     * A token to retrieve next page of results. Pass this value in
+     * [ListImportJobsRequest.page_token][google.cloud.kms.v1.ListImportJobsRequest.page_token]
+     * to retrieve the next page of results.
+     *
+     * Generated from protobuf field <code>string next_page_token = 2;</code>
+     * @return string
+     */
+    public function getNextPageToken()
+    {
+        return $this->next_page_token;
+    }
+
+    /**
+     * A token to retrieve next page of results. Pass this value in
+     * [ListImportJobsRequest.page_token][google.cloud.kms.v1.ListImportJobsRequest.page_token]
+     * to retrieve the next page of results.
+     *
+     * Generated from protobuf field <code>string next_page_token = 2;</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setNextPageToken($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->next_page_token = $var;
+
+        return $this;
+    }
+
+    /**
+     * The total number of [ImportJobs][google.cloud.kms.v1.ImportJob] that
+     * matched the query.
+     *
+     * Generated from protobuf field <code>int32 total_size = 3;</code>
+     * @return int
+     */
+    public function getTotalSize()
+    {
+        return $this->total_size;
+    }
+
+    /**
+     * The total number of [ImportJobs][google.cloud.kms.v1.ImportJob] that
+     * matched the query.
+     *
+     * Generated from protobuf field <code>int32 total_size = 3;</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setTotalSize($var)
+    {
+        GPBUtil::checkInt32($var);
+        $this->total_size = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListKeyHandlesRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListKeyHandlesRequest.php
new file mode 100644
index 000000000000..c294c8dedd23
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListKeyHandlesRequest.php
@@ -0,0 +1,234 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/autokey.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [Autokey.ListKeyHandles][google.cloud.kms.v1.Autokey.ListKeyHandles].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.ListKeyHandlesRequest</code>
+ */
+class ListKeyHandlesRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. Name of the resource project and location from which to list
+     * [KeyHandles][google.cloud.kms.v1.KeyHandle], e.g.
+     * `projects/{PROJECT_ID}/locations/{LOCATION}`.
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     */
+    protected $parent = '';
+    /**
+     * Optional. Optional limit on the number of
+     * [KeyHandles][google.cloud.kms.v1.KeyHandle] to include in the response. The
+     * service may return fewer than this value. Further
+     * [KeyHandles][google.cloud.kms.v1.KeyHandle] can subsequently be obtained by
+     * including the
+     * [ListKeyHandlesResponse.next_page_token][google.cloud.kms.v1.ListKeyHandlesResponse.next_page_token]
+     * in a subsequent request.  If unspecified, at most 100
+     * [KeyHandles][google.cloud.kms.v1.KeyHandle] will be returned.
+     *
+     * Generated from protobuf field <code>int32 page_size = 2 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $page_size = 0;
+    /**
+     * Optional. Optional pagination token, returned earlier via
+     * [ListKeyHandlesResponse.next_page_token][google.cloud.kms.v1.ListKeyHandlesResponse.next_page_token].
+     *
+     * Generated from protobuf field <code>string page_token = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $page_token = '';
+    /**
+     * Optional. Filter to apply when listing
+     * [KeyHandles][google.cloud.kms.v1.KeyHandle], e.g.
+     * `resource_type_selector="{SERVICE}.googleapis.com/{TYPE}"`.
+     *
+     * Generated from protobuf field <code>string filter = 4 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $filter = '';
+
+    /**
+     * @param string $parent Required. Name of the resource project and location from which to list
+     *                       [KeyHandles][google.cloud.kms.v1.KeyHandle], e.g.
+     *                       `projects/{PROJECT_ID}/locations/{LOCATION}`. Please see
+     *                       {@see AutokeyClient::locationName()} for help formatting this field.
+     *
+     * @return \Google\Cloud\Kms\V1\ListKeyHandlesRequest
+     *
+     * @experimental
+     */
+    public static function build(string $parent): self
+    {
+        return (new self())
+            ->setParent($parent);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $parent
+     *           Required. Name of the resource project and location from which to list
+     *           [KeyHandles][google.cloud.kms.v1.KeyHandle], e.g.
+     *           `projects/{PROJECT_ID}/locations/{LOCATION}`.
+     *     @type int $page_size
+     *           Optional. Optional limit on the number of
+     *           [KeyHandles][google.cloud.kms.v1.KeyHandle] to include in the response. The
+     *           service may return fewer than this value. Further
+     *           [KeyHandles][google.cloud.kms.v1.KeyHandle] can subsequently be obtained by
+     *           including the
+     *           [ListKeyHandlesResponse.next_page_token][google.cloud.kms.v1.ListKeyHandlesResponse.next_page_token]
+     *           in a subsequent request.  If unspecified, at most 100
+     *           [KeyHandles][google.cloud.kms.v1.KeyHandle] will be returned.
+     *     @type string $page_token
+     *           Optional. Optional pagination token, returned earlier via
+     *           [ListKeyHandlesResponse.next_page_token][google.cloud.kms.v1.ListKeyHandlesResponse.next_page_token].
+     *     @type string $filter
+     *           Optional. Filter to apply when listing
+     *           [KeyHandles][google.cloud.kms.v1.KeyHandle], e.g.
+     *           `resource_type_selector="{SERVICE}.googleapis.com/{TYPE}"`.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Autokey::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. Name of the resource project and location from which to list
+     * [KeyHandles][google.cloud.kms.v1.KeyHandle], e.g.
+     * `projects/{PROJECT_ID}/locations/{LOCATION}`.
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @return string
+     */
+    public function getParent()
+    {
+        return $this->parent;
+    }
+
+    /**
+     * Required. Name of the resource project and location from which to list
+     * [KeyHandles][google.cloud.kms.v1.KeyHandle], e.g.
+     * `projects/{PROJECT_ID}/locations/{LOCATION}`.
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setParent($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->parent = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. Optional limit on the number of
+     * [KeyHandles][google.cloud.kms.v1.KeyHandle] to include in the response. The
+     * service may return fewer than this value. Further
+     * [KeyHandles][google.cloud.kms.v1.KeyHandle] can subsequently be obtained by
+     * including the
+     * [ListKeyHandlesResponse.next_page_token][google.cloud.kms.v1.ListKeyHandlesResponse.next_page_token]
+     * in a subsequent request.  If unspecified, at most 100
+     * [KeyHandles][google.cloud.kms.v1.KeyHandle] will be returned.
+     *
+     * Generated from protobuf field <code>int32 page_size = 2 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return int
+     */
+    public function getPageSize()
+    {
+        return $this->page_size;
+    }
+
+    /**
+     * Optional. Optional limit on the number of
+     * [KeyHandles][google.cloud.kms.v1.KeyHandle] to include in the response. The
+     * service may return fewer than this value. Further
+     * [KeyHandles][google.cloud.kms.v1.KeyHandle] can subsequently be obtained by
+     * including the
+     * [ListKeyHandlesResponse.next_page_token][google.cloud.kms.v1.ListKeyHandlesResponse.next_page_token]
+     * in a subsequent request.  If unspecified, at most 100
+     * [KeyHandles][google.cloud.kms.v1.KeyHandle] will be returned.
+     *
+     * Generated from protobuf field <code>int32 page_size = 2 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setPageSize($var)
+    {
+        GPBUtil::checkInt32($var);
+        $this->page_size = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. Optional pagination token, returned earlier via
+     * [ListKeyHandlesResponse.next_page_token][google.cloud.kms.v1.ListKeyHandlesResponse.next_page_token].
+     *
+     * Generated from protobuf field <code>string page_token = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return string
+     */
+    public function getPageToken()
+    {
+        return $this->page_token;
+    }
+
+    /**
+     * Optional. Optional pagination token, returned earlier via
+     * [ListKeyHandlesResponse.next_page_token][google.cloud.kms.v1.ListKeyHandlesResponse.next_page_token].
+     *
+     * Generated from protobuf field <code>string page_token = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setPageToken($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->page_token = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. Filter to apply when listing
+     * [KeyHandles][google.cloud.kms.v1.KeyHandle], e.g.
+     * `resource_type_selector="{SERVICE}.googleapis.com/{TYPE}"`.
+     *
+     * Generated from protobuf field <code>string filter = 4 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return string
+     */
+    public function getFilter()
+    {
+        return $this->filter;
+    }
+
+    /**
+     * Optional. Filter to apply when listing
+     * [KeyHandles][google.cloud.kms.v1.KeyHandle], e.g.
+     * `resource_type_selector="{SERVICE}.googleapis.com/{TYPE}"`.
+     *
+     * Generated from protobuf field <code>string filter = 4 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setFilter($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->filter = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListKeyHandlesResponse.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListKeyHandlesResponse.php
new file mode 100644
index 000000000000..eed5fc43ccb1
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListKeyHandlesResponse.php
@@ -0,0 +1,110 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/autokey.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Response message for
+ * [Autokey.ListKeyHandles][google.cloud.kms.v1.Autokey.ListKeyHandles].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.ListKeyHandlesResponse</code>
+ */
+class ListKeyHandlesResponse extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Resulting [KeyHandles][google.cloud.kms.v1.KeyHandle].
+     *
+     * Generated from protobuf field <code>repeated .google.cloud.kms.v1.KeyHandle key_handles = 1;</code>
+     */
+    private $key_handles;
+    /**
+     * A token to retrieve next page of results. Pass this value in
+     * [ListKeyHandlesRequest.page_token][google.cloud.kms.v1.ListKeyHandlesRequest.page_token]
+     * to retrieve the next page of results.
+     *
+     * Generated from protobuf field <code>string next_page_token = 2;</code>
+     */
+    protected $next_page_token = '';
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type array<\Google\Cloud\Kms\V1\KeyHandle>|\Google\Protobuf\Internal\RepeatedField $key_handles
+     *           Resulting [KeyHandles][google.cloud.kms.v1.KeyHandle].
+     *     @type string $next_page_token
+     *           A token to retrieve next page of results. Pass this value in
+     *           [ListKeyHandlesRequest.page_token][google.cloud.kms.v1.ListKeyHandlesRequest.page_token]
+     *           to retrieve the next page of results.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Autokey::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Resulting [KeyHandles][google.cloud.kms.v1.KeyHandle].
+     *
+     * Generated from protobuf field <code>repeated .google.cloud.kms.v1.KeyHandle key_handles = 1;</code>
+     * @return \Google\Protobuf\Internal\RepeatedField
+     */
+    public function getKeyHandles()
+    {
+        return $this->key_handles;
+    }
+
+    /**
+     * Resulting [KeyHandles][google.cloud.kms.v1.KeyHandle].
+     *
+     * Generated from protobuf field <code>repeated .google.cloud.kms.v1.KeyHandle key_handles = 1;</code>
+     * @param array<\Google\Cloud\Kms\V1\KeyHandle>|\Google\Protobuf\Internal\RepeatedField $var
+     * @return $this
+     */
+    public function setKeyHandles($var)
+    {
+        $arr = GPBUtil::checkRepeatedField($var, \Google\Protobuf\Internal\GPBType::MESSAGE, \Google\Cloud\Kms\V1\KeyHandle::class);
+        $this->key_handles = $arr;
+
+        return $this;
+    }
+
+    /**
+     * A token to retrieve next page of results. Pass this value in
+     * [ListKeyHandlesRequest.page_token][google.cloud.kms.v1.ListKeyHandlesRequest.page_token]
+     * to retrieve the next page of results.
+     *
+     * Generated from protobuf field <code>string next_page_token = 2;</code>
+     * @return string
+     */
+    public function getNextPageToken()
+    {
+        return $this->next_page_token;
+    }
+
+    /**
+     * A token to retrieve next page of results. Pass this value in
+     * [ListKeyHandlesRequest.page_token][google.cloud.kms.v1.ListKeyHandlesRequest.page_token]
+     * to retrieve the next page of results.
+     *
+     * Generated from protobuf field <code>string next_page_token = 2;</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setNextPageToken($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->next_page_token = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListKeyRingsRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListKeyRingsRequest.php
new file mode 100644
index 000000000000..5f2032f8741e
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListKeyRingsRequest.php
@@ -0,0 +1,280 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.ListKeyRingsRequest</code>
+ */
+class ListKeyRingsRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. The resource name of the location associated with the
+     * [KeyRings][google.cloud.kms.v1.KeyRing], in the format
+     * `projects/&#42;&#47;locations/&#42;`.
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     */
+    protected $parent = '';
+    /**
+     * Optional. Optional limit on the number of
+     * [KeyRings][google.cloud.kms.v1.KeyRing] to include in the response. Further
+     * [KeyRings][google.cloud.kms.v1.KeyRing] can subsequently be obtained by
+     * including the
+     * [ListKeyRingsResponse.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse.next_page_token]
+     * in a subsequent request.  If unspecified, the server will pick an
+     * appropriate default.
+     *
+     * Generated from protobuf field <code>int32 page_size = 2 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $page_size = 0;
+    /**
+     * Optional. Optional pagination token, returned earlier via
+     * [ListKeyRingsResponse.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse.next_page_token].
+     *
+     * Generated from protobuf field <code>string page_token = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $page_token = '';
+    /**
+     * Optional. Only include resources that match the filter in the response. For
+     * more information, see
+     * [Sorting and filtering list
+     * results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     *
+     * Generated from protobuf field <code>string filter = 4 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $filter = '';
+    /**
+     * Optional. Specify how the results should be sorted. If not specified, the
+     * results will be sorted in the default order.  For more information, see
+     * [Sorting and filtering list
+     * results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     *
+     * Generated from protobuf field <code>string order_by = 5 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $order_by = '';
+
+    /**
+     * @param string $parent Required. The resource name of the location associated with the
+     *                       [KeyRings][google.cloud.kms.v1.KeyRing], in the format
+     *                       `projects/&#42;/locations/*`. Please see
+     *                       {@see KeyManagementServiceClient::locationName()} for help formatting this field.
+     *
+     * @return \Google\Cloud\Kms\V1\ListKeyRingsRequest
+     *
+     * @experimental
+     */
+    public static function build(string $parent): self
+    {
+        return (new self())
+            ->setParent($parent);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $parent
+     *           Required. The resource name of the location associated with the
+     *           [KeyRings][google.cloud.kms.v1.KeyRing], in the format
+     *           `projects/&#42;&#47;locations/&#42;`.
+     *     @type int $page_size
+     *           Optional. Optional limit on the number of
+     *           [KeyRings][google.cloud.kms.v1.KeyRing] to include in the response. Further
+     *           [KeyRings][google.cloud.kms.v1.KeyRing] can subsequently be obtained by
+     *           including the
+     *           [ListKeyRingsResponse.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse.next_page_token]
+     *           in a subsequent request.  If unspecified, the server will pick an
+     *           appropriate default.
+     *     @type string $page_token
+     *           Optional. Optional pagination token, returned earlier via
+     *           [ListKeyRingsResponse.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse.next_page_token].
+     *     @type string $filter
+     *           Optional. Only include resources that match the filter in the response. For
+     *           more information, see
+     *           [Sorting and filtering list
+     *           results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     *     @type string $order_by
+     *           Optional. Specify how the results should be sorted. If not specified, the
+     *           results will be sorted in the default order.  For more information, see
+     *           [Sorting and filtering list
+     *           results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. The resource name of the location associated with the
+     * [KeyRings][google.cloud.kms.v1.KeyRing], in the format
+     * `projects/&#42;&#47;locations/&#42;`.
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @return string
+     */
+    public function getParent()
+    {
+        return $this->parent;
+    }
+
+    /**
+     * Required. The resource name of the location associated with the
+     * [KeyRings][google.cloud.kms.v1.KeyRing], in the format
+     * `projects/&#42;&#47;locations/&#42;`.
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setParent($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->parent = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. Optional limit on the number of
+     * [KeyRings][google.cloud.kms.v1.KeyRing] to include in the response. Further
+     * [KeyRings][google.cloud.kms.v1.KeyRing] can subsequently be obtained by
+     * including the
+     * [ListKeyRingsResponse.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse.next_page_token]
+     * in a subsequent request.  If unspecified, the server will pick an
+     * appropriate default.
+     *
+     * Generated from protobuf field <code>int32 page_size = 2 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return int
+     */
+    public function getPageSize()
+    {
+        return $this->page_size;
+    }
+
+    /**
+     * Optional. Optional limit on the number of
+     * [KeyRings][google.cloud.kms.v1.KeyRing] to include in the response. Further
+     * [KeyRings][google.cloud.kms.v1.KeyRing] can subsequently be obtained by
+     * including the
+     * [ListKeyRingsResponse.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse.next_page_token]
+     * in a subsequent request.  If unspecified, the server will pick an
+     * appropriate default.
+     *
+     * Generated from protobuf field <code>int32 page_size = 2 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setPageSize($var)
+    {
+        GPBUtil::checkInt32($var);
+        $this->page_size = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. Optional pagination token, returned earlier via
+     * [ListKeyRingsResponse.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse.next_page_token].
+     *
+     * Generated from protobuf field <code>string page_token = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return string
+     */
+    public function getPageToken()
+    {
+        return $this->page_token;
+    }
+
+    /**
+     * Optional. Optional pagination token, returned earlier via
+     * [ListKeyRingsResponse.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse.next_page_token].
+     *
+     * Generated from protobuf field <code>string page_token = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setPageToken($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->page_token = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. Only include resources that match the filter in the response. For
+     * more information, see
+     * [Sorting and filtering list
+     * results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     *
+     * Generated from protobuf field <code>string filter = 4 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return string
+     */
+    public function getFilter()
+    {
+        return $this->filter;
+    }
+
+    /**
+     * Optional. Only include resources that match the filter in the response. For
+     * more information, see
+     * [Sorting and filtering list
+     * results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     *
+     * Generated from protobuf field <code>string filter = 4 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setFilter($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->filter = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. Specify how the results should be sorted. If not specified, the
+     * results will be sorted in the default order.  For more information, see
+     * [Sorting and filtering list
+     * results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     *
+     * Generated from protobuf field <code>string order_by = 5 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return string
+     */
+    public function getOrderBy()
+    {
+        return $this->order_by;
+    }
+
+    /**
+     * Optional. Specify how the results should be sorted. If not specified, the
+     * results will be sorted in the default order.  For more information, see
+     * [Sorting and filtering list
+     * results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+     *
+     * Generated from protobuf field <code>string order_by = 5 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setOrderBy($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->order_by = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListKeyRingsResponse.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListKeyRingsResponse.php
new file mode 100644
index 000000000000..3deac0ea2e0f
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ListKeyRingsResponse.php
@@ -0,0 +1,148 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Response message for
+ * [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.ListKeyRingsResponse</code>
+ */
+class ListKeyRingsResponse extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * The list of [KeyRings][google.cloud.kms.v1.KeyRing].
+     *
+     * Generated from protobuf field <code>repeated .google.cloud.kms.v1.KeyRing key_rings = 1;</code>
+     */
+    private $key_rings;
+    /**
+     * A token to retrieve next page of results. Pass this value in
+     * [ListKeyRingsRequest.page_token][google.cloud.kms.v1.ListKeyRingsRequest.page_token]
+     * to retrieve the next page of results.
+     *
+     * Generated from protobuf field <code>string next_page_token = 2;</code>
+     */
+    protected $next_page_token = '';
+    /**
+     * The total number of [KeyRings][google.cloud.kms.v1.KeyRing] that matched
+     * the query.
+     *
+     * Generated from protobuf field <code>int32 total_size = 3;</code>
+     */
+    protected $total_size = 0;
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type array<\Google\Cloud\Kms\V1\KeyRing>|\Google\Protobuf\Internal\RepeatedField $key_rings
+     *           The list of [KeyRings][google.cloud.kms.v1.KeyRing].
+     *     @type string $next_page_token
+     *           A token to retrieve next page of results. Pass this value in
+     *           [ListKeyRingsRequest.page_token][google.cloud.kms.v1.ListKeyRingsRequest.page_token]
+     *           to retrieve the next page of results.
+     *     @type int $total_size
+     *           The total number of [KeyRings][google.cloud.kms.v1.KeyRing] that matched
+     *           the query.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * The list of [KeyRings][google.cloud.kms.v1.KeyRing].
+     *
+     * Generated from protobuf field <code>repeated .google.cloud.kms.v1.KeyRing key_rings = 1;</code>
+     * @return \Google\Protobuf\Internal\RepeatedField
+     */
+    public function getKeyRings()
+    {
+        return $this->key_rings;
+    }
+
+    /**
+     * The list of [KeyRings][google.cloud.kms.v1.KeyRing].
+     *
+     * Generated from protobuf field <code>repeated .google.cloud.kms.v1.KeyRing key_rings = 1;</code>
+     * @param array<\Google\Cloud\Kms\V1\KeyRing>|\Google\Protobuf\Internal\RepeatedField $var
+     * @return $this
+     */
+    public function setKeyRings($var)
+    {
+        $arr = GPBUtil::checkRepeatedField($var, \Google\Protobuf\Internal\GPBType::MESSAGE, \Google\Cloud\Kms\V1\KeyRing::class);
+        $this->key_rings = $arr;
+
+        return $this;
+    }
+
+    /**
+     * A token to retrieve next page of results. Pass this value in
+     * [ListKeyRingsRequest.page_token][google.cloud.kms.v1.ListKeyRingsRequest.page_token]
+     * to retrieve the next page of results.
+     *
+     * Generated from protobuf field <code>string next_page_token = 2;</code>
+     * @return string
+     */
+    public function getNextPageToken()
+    {
+        return $this->next_page_token;
+    }
+
+    /**
+     * A token to retrieve next page of results. Pass this value in
+     * [ListKeyRingsRequest.page_token][google.cloud.kms.v1.ListKeyRingsRequest.page_token]
+     * to retrieve the next page of results.
+     *
+     * Generated from protobuf field <code>string next_page_token = 2;</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setNextPageToken($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->next_page_token = $var;
+
+        return $this;
+    }
+
+    /**
+     * The total number of [KeyRings][google.cloud.kms.v1.KeyRing] that matched
+     * the query.
+     *
+     * Generated from protobuf field <code>int32 total_size = 3;</code>
+     * @return int
+     */
+    public function getTotalSize()
+    {
+        return $this->total_size;
+    }
+
+    /**
+     * The total number of [KeyRings][google.cloud.kms.v1.KeyRing] that matched
+     * the query.
+     *
+     * Generated from protobuf field <code>int32 total_size = 3;</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setTotalSize($var)
+    {
+        GPBUtil::checkInt32($var);
+        $this->total_size = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/LocationMetadata.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/LocationMetadata.php
new file mode 100644
index 000000000000..656adb13aac7
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/LocationMetadata.php
@@ -0,0 +1,126 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Cloud KMS metadata for the given
+ * [google.cloud.location.Location][google.cloud.location.Location].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.LocationMetadata</code>
+ */
+class LocationMetadata extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Indicates whether [CryptoKeys][google.cloud.kms.v1.CryptoKey] with
+     * [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]
+     * [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] can be created in this
+     * location.
+     *
+     * Generated from protobuf field <code>bool hsm_available = 1;</code>
+     */
+    protected $hsm_available = false;
+    /**
+     * Indicates whether [CryptoKeys][google.cloud.kms.v1.CryptoKey] with
+     * [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]
+     * [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] can be created in
+     * this location.
+     *
+     * Generated from protobuf field <code>bool ekm_available = 2;</code>
+     */
+    protected $ekm_available = false;
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type bool $hsm_available
+     *           Indicates whether [CryptoKeys][google.cloud.kms.v1.CryptoKey] with
+     *           [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]
+     *           [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] can be created in this
+     *           location.
+     *     @type bool $ekm_available
+     *           Indicates whether [CryptoKeys][google.cloud.kms.v1.CryptoKey] with
+     *           [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]
+     *           [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] can be created in
+     *           this location.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Indicates whether [CryptoKeys][google.cloud.kms.v1.CryptoKey] with
+     * [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]
+     * [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] can be created in this
+     * location.
+     *
+     * Generated from protobuf field <code>bool hsm_available = 1;</code>
+     * @return bool
+     */
+    public function getHsmAvailable()
+    {
+        return $this->hsm_available;
+    }
+
+    /**
+     * Indicates whether [CryptoKeys][google.cloud.kms.v1.CryptoKey] with
+     * [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]
+     * [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] can be created in this
+     * location.
+     *
+     * Generated from protobuf field <code>bool hsm_available = 1;</code>
+     * @param bool $var
+     * @return $this
+     */
+    public function setHsmAvailable($var)
+    {
+        GPBUtil::checkBool($var);
+        $this->hsm_available = $var;
+
+        return $this;
+    }
+
+    /**
+     * Indicates whether [CryptoKeys][google.cloud.kms.v1.CryptoKey] with
+     * [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]
+     * [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] can be created in
+     * this location.
+     *
+     * Generated from protobuf field <code>bool ekm_available = 2;</code>
+     * @return bool
+     */
+    public function getEkmAvailable()
+    {
+        return $this->ekm_available;
+    }
+
+    /**
+     * Indicates whether [CryptoKeys][google.cloud.kms.v1.CryptoKey] with
+     * [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]
+     * [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] can be created in
+     * this location.
+     *
+     * Generated from protobuf field <code>bool ekm_available = 2;</code>
+     * @param bool $var
+     * @return $this
+     */
+    public function setEkmAvailable($var)
+    {
+        GPBUtil::checkBool($var);
+        $this->ekm_available = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/MacSignRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/MacSignRequest.php
new file mode 100644
index 000000000000..efc81a1661d3
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/MacSignRequest.php
@@ -0,0 +1,300 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [KeyManagementService.MacSign][google.cloud.kms.v1.KeyManagementService.MacSign].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.MacSignRequest</code>
+ */
+class MacSignRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+     * signing.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     */
+    protected $name = '';
+    /**
+     * Required. The data to sign. The MAC tag is computed over this data field
+     * based on the specific algorithm.
+     *
+     * Generated from protobuf field <code>bytes data = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    protected $data = '';
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data]. If
+     * specified, [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     * will verify the integrity of the received
+     * [MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data] using this
+     * checksum. [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     * will report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data]) is
+     * equal to
+     * [MacSignRequest.data_crc32c][google.cloud.kms.v1.MacSignRequest.data_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value data_crc32c = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $data_crc32c = null;
+
+    /**
+     * @param string $name Required. The resource name of the
+     *                     [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+     *                     signing. Please see
+     *                     {@see KeyManagementServiceClient::cryptoKeyVersionName()} for help formatting this field.
+     * @param string $data Required. The data to sign. The MAC tag is computed over this data field
+     *                     based on the specific algorithm.
+     *
+     * @return \Google\Cloud\Kms\V1\MacSignRequest
+     *
+     * @experimental
+     */
+    public static function build(string $name, string $data): self
+    {
+        return (new self())
+            ->setName($name)
+            ->setData($data);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $name
+     *           Required. The resource name of the
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+     *           signing.
+     *     @type string $data
+     *           Required. The data to sign. The MAC tag is computed over this data field
+     *           based on the specific algorithm.
+     *     @type \Google\Protobuf\Int64Value $data_crc32c
+     *           Optional. An optional CRC32C checksum of the
+     *           [MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data]. If
+     *           specified, [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     *           will verify the integrity of the received
+     *           [MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data] using this
+     *           checksum. [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     *           will report an error if the checksum verification fails. If you receive a
+     *           checksum error, your client should verify that
+     *           CRC32C([MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data]) is
+     *           equal to
+     *           [MacSignRequest.data_crc32c][google.cloud.kms.v1.MacSignRequest.data_crc32c],
+     *           and if so, perform a limited number of retries. A persistent mismatch may
+     *           indicate an issue in your computation of the CRC32C checksum. Note: This
+     *           field is defined as int64 for reasons of compatibility across different
+     *           languages. However, it is a non-negative integer, which will never exceed
+     *           2^32-1, and can be safely downconverted to uint32 in languages that support
+     *           this type.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+     * signing.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * Required. The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+     * signing.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setName($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->name = $var;
+
+        return $this;
+    }
+
+    /**
+     * Required. The data to sign. The MAC tag is computed over this data field
+     * based on the specific algorithm.
+     *
+     * Generated from protobuf field <code>bytes data = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return string
+     */
+    public function getData()
+    {
+        return $this->data;
+    }
+
+    /**
+     * Required. The data to sign. The MAC tag is computed over this data field
+     * based on the specific algorithm.
+     *
+     * Generated from protobuf field <code>bytes data = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setData($var)
+    {
+        GPBUtil::checkString($var, False);
+        $this->data = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data]. If
+     * specified, [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     * will verify the integrity of the received
+     * [MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data] using this
+     * checksum. [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     * will report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data]) is
+     * equal to
+     * [MacSignRequest.data_crc32c][google.cloud.kms.v1.MacSignRequest.data_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value data_crc32c = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return \Google\Protobuf\Int64Value|null
+     */
+    public function getDataCrc32C()
+    {
+        return $this->data_crc32c;
+    }
+
+    public function hasDataCrc32C()
+    {
+        return isset($this->data_crc32c);
+    }
+
+    public function clearDataCrc32C()
+    {
+        unset($this->data_crc32c);
+    }
+
+    /**
+     * Returns the unboxed value from <code>getDataCrc32C()</code>
+
+     * Optional. An optional CRC32C checksum of the
+     * [MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data]. If
+     * specified, [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     * will verify the integrity of the received
+     * [MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data] using this
+     * checksum. [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     * will report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data]) is
+     * equal to
+     * [MacSignRequest.data_crc32c][google.cloud.kms.v1.MacSignRequest.data_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value data_crc32c = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return int|string|null
+     */
+    public function getDataCrc32CUnwrapped()
+    {
+        return $this->readWrapperValue("data_crc32c");
+    }
+
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data]. If
+     * specified, [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     * will verify the integrity of the received
+     * [MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data] using this
+     * checksum. [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     * will report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data]) is
+     * equal to
+     * [MacSignRequest.data_crc32c][google.cloud.kms.v1.MacSignRequest.data_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value data_crc32c = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param \Google\Protobuf\Int64Value $var
+     * @return $this
+     */
+    public function setDataCrc32C($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Int64Value::class);
+        $this->data_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * Sets the field by wrapping a primitive type in a Google\Protobuf\Int64Value object.
+
+     * Optional. An optional CRC32C checksum of the
+     * [MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data]. If
+     * specified, [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     * will verify the integrity of the received
+     * [MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data] using this
+     * checksum. [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     * will report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data]) is
+     * equal to
+     * [MacSignRequest.data_crc32c][google.cloud.kms.v1.MacSignRequest.data_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value data_crc32c = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param int|string|null $var
+     * @return $this
+     */
+    public function setDataCrc32CUnwrapped($var)
+    {
+        $this->writeWrapperValue("data_crc32c", $var);
+        return $this;}
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/MacSignResponse.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/MacSignResponse.php
new file mode 100644
index 000000000000..632a972782b3
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/MacSignResponse.php
@@ -0,0 +1,377 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Response message for
+ * [KeyManagementService.MacSign][google.cloud.kms.v1.KeyManagementService.MacSign].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.MacSignResponse</code>
+ */
+class MacSignResponse extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for signing.
+     * Check this field to verify that the intended resource was used for signing.
+     *
+     * Generated from protobuf field <code>string name = 1;</code>
+     */
+    protected $name = '';
+    /**
+     * The created signature.
+     *
+     * Generated from protobuf field <code>bytes mac = 2;</code>
+     */
+    protected $mac = '';
+    /**
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [MacSignResponse.mac][google.cloud.kms.v1.MacSignResponse.mac]. An
+     * integrity check of
+     * [MacSignResponse.mac][google.cloud.kms.v1.MacSignResponse.mac] can be
+     * performed by computing the CRC32C checksum of
+     * [MacSignResponse.mac][google.cloud.kms.v1.MacSignResponse.mac] and
+     * comparing your results to this field. Discard the response in case of
+     * non-matching checksum values, and perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: This field is defined as int64 for reasons of compatibility
+     * across different languages. However, it is a non-negative integer, which
+     * will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     * languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value mac_crc32c = 3;</code>
+     */
+    protected $mac_crc32c = null;
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [MacSignRequest.data_crc32c][google.cloud.kms.v1.MacSignRequest.data_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of the
+     * [data][google.cloud.kms.v1.MacSignRequest.data]. A false value of this
+     * field indicates either that
+     * [MacSignRequest.data_crc32c][google.cloud.kms.v1.MacSignRequest.data_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [MacSignRequest.data_crc32c][google.cloud.kms.v1.MacSignRequest.data_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_data_crc32c = 4;</code>
+     */
+    protected $verified_data_crc32c = false;
+    /**
+     * The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for signing.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 5;</code>
+     */
+    protected $protection_level = 0;
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $name
+     *           The resource name of the
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for signing.
+     *           Check this field to verify that the intended resource was used for signing.
+     *     @type string $mac
+     *           The created signature.
+     *     @type \Google\Protobuf\Int64Value $mac_crc32c
+     *           Integrity verification field. A CRC32C checksum of the returned
+     *           [MacSignResponse.mac][google.cloud.kms.v1.MacSignResponse.mac]. An
+     *           integrity check of
+     *           [MacSignResponse.mac][google.cloud.kms.v1.MacSignResponse.mac] can be
+     *           performed by computing the CRC32C checksum of
+     *           [MacSignResponse.mac][google.cloud.kms.v1.MacSignResponse.mac] and
+     *           comparing your results to this field. Discard the response in case of
+     *           non-matching checksum values, and perform a limited number of retries. A
+     *           persistent mismatch may indicate an issue in your computation of the CRC32C
+     *           checksum. Note: This field is defined as int64 for reasons of compatibility
+     *           across different languages. However, it is a non-negative integer, which
+     *           will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     *           languages that support this type.
+     *     @type bool $verified_data_crc32c
+     *           Integrity verification field. A flag indicating whether
+     *           [MacSignRequest.data_crc32c][google.cloud.kms.v1.MacSignRequest.data_crc32c]
+     *           was received by
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     *           for the integrity verification of the
+     *           [data][google.cloud.kms.v1.MacSignRequest.data]. A false value of this
+     *           field indicates either that
+     *           [MacSignRequest.data_crc32c][google.cloud.kms.v1.MacSignRequest.data_crc32c]
+     *           was left unset or that it was not delivered to
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     *           set
+     *           [MacSignRequest.data_crc32c][google.cloud.kms.v1.MacSignRequest.data_crc32c]
+     *           but this field is still false, discard the response and perform a limited
+     *           number of retries.
+     *     @type int $protection_level
+     *           The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for signing.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for signing.
+     * Check this field to verify that the intended resource was used for signing.
+     *
+     * Generated from protobuf field <code>string name = 1;</code>
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for signing.
+     * Check this field to verify that the intended resource was used for signing.
+     *
+     * Generated from protobuf field <code>string name = 1;</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setName($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->name = $var;
+
+        return $this;
+    }
+
+    /**
+     * The created signature.
+     *
+     * Generated from protobuf field <code>bytes mac = 2;</code>
+     * @return string
+     */
+    public function getMac()
+    {
+        return $this->mac;
+    }
+
+    /**
+     * The created signature.
+     *
+     * Generated from protobuf field <code>bytes mac = 2;</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setMac($var)
+    {
+        GPBUtil::checkString($var, False);
+        $this->mac = $var;
+
+        return $this;
+    }
+
+    /**
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [MacSignResponse.mac][google.cloud.kms.v1.MacSignResponse.mac]. An
+     * integrity check of
+     * [MacSignResponse.mac][google.cloud.kms.v1.MacSignResponse.mac] can be
+     * performed by computing the CRC32C checksum of
+     * [MacSignResponse.mac][google.cloud.kms.v1.MacSignResponse.mac] and
+     * comparing your results to this field. Discard the response in case of
+     * non-matching checksum values, and perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: This field is defined as int64 for reasons of compatibility
+     * across different languages. However, it is a non-negative integer, which
+     * will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     * languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value mac_crc32c = 3;</code>
+     * @return \Google\Protobuf\Int64Value|null
+     */
+    public function getMacCrc32C()
+    {
+        return $this->mac_crc32c;
+    }
+
+    public function hasMacCrc32C()
+    {
+        return isset($this->mac_crc32c);
+    }
+
+    public function clearMacCrc32C()
+    {
+        unset($this->mac_crc32c);
+    }
+
+    /**
+     * Returns the unboxed value from <code>getMacCrc32C()</code>
+
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [MacSignResponse.mac][google.cloud.kms.v1.MacSignResponse.mac]. An
+     * integrity check of
+     * [MacSignResponse.mac][google.cloud.kms.v1.MacSignResponse.mac] can be
+     * performed by computing the CRC32C checksum of
+     * [MacSignResponse.mac][google.cloud.kms.v1.MacSignResponse.mac] and
+     * comparing your results to this field. Discard the response in case of
+     * non-matching checksum values, and perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: This field is defined as int64 for reasons of compatibility
+     * across different languages. However, it is a non-negative integer, which
+     * will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     * languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value mac_crc32c = 3;</code>
+     * @return int|string|null
+     */
+    public function getMacCrc32CUnwrapped()
+    {
+        return $this->readWrapperValue("mac_crc32c");
+    }
+
+    /**
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [MacSignResponse.mac][google.cloud.kms.v1.MacSignResponse.mac]. An
+     * integrity check of
+     * [MacSignResponse.mac][google.cloud.kms.v1.MacSignResponse.mac] can be
+     * performed by computing the CRC32C checksum of
+     * [MacSignResponse.mac][google.cloud.kms.v1.MacSignResponse.mac] and
+     * comparing your results to this field. Discard the response in case of
+     * non-matching checksum values, and perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: This field is defined as int64 for reasons of compatibility
+     * across different languages. However, it is a non-negative integer, which
+     * will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     * languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value mac_crc32c = 3;</code>
+     * @param \Google\Protobuf\Int64Value $var
+     * @return $this
+     */
+    public function setMacCrc32C($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Int64Value::class);
+        $this->mac_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * Sets the field by wrapping a primitive type in a Google\Protobuf\Int64Value object.
+
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [MacSignResponse.mac][google.cloud.kms.v1.MacSignResponse.mac]. An
+     * integrity check of
+     * [MacSignResponse.mac][google.cloud.kms.v1.MacSignResponse.mac] can be
+     * performed by computing the CRC32C checksum of
+     * [MacSignResponse.mac][google.cloud.kms.v1.MacSignResponse.mac] and
+     * comparing your results to this field. Discard the response in case of
+     * non-matching checksum values, and perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: This field is defined as int64 for reasons of compatibility
+     * across different languages. However, it is a non-negative integer, which
+     * will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     * languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value mac_crc32c = 3;</code>
+     * @param int|string|null $var
+     * @return $this
+     */
+    public function setMacCrc32CUnwrapped($var)
+    {
+        $this->writeWrapperValue("mac_crc32c", $var);
+        return $this;}
+
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [MacSignRequest.data_crc32c][google.cloud.kms.v1.MacSignRequest.data_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of the
+     * [data][google.cloud.kms.v1.MacSignRequest.data]. A false value of this
+     * field indicates either that
+     * [MacSignRequest.data_crc32c][google.cloud.kms.v1.MacSignRequest.data_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [MacSignRequest.data_crc32c][google.cloud.kms.v1.MacSignRequest.data_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_data_crc32c = 4;</code>
+     * @return bool
+     */
+    public function getVerifiedDataCrc32C()
+    {
+        return $this->verified_data_crc32c;
+    }
+
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [MacSignRequest.data_crc32c][google.cloud.kms.v1.MacSignRequest.data_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of the
+     * [data][google.cloud.kms.v1.MacSignRequest.data]. A false value of this
+     * field indicates either that
+     * [MacSignRequest.data_crc32c][google.cloud.kms.v1.MacSignRequest.data_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [MacSignRequest.data_crc32c][google.cloud.kms.v1.MacSignRequest.data_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_data_crc32c = 4;</code>
+     * @param bool $var
+     * @return $this
+     */
+    public function setVerifiedDataCrc32C($var)
+    {
+        GPBUtil::checkBool($var);
+        $this->verified_data_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for signing.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 5;</code>
+     * @return int
+     */
+    public function getProtectionLevel()
+    {
+        return $this->protection_level;
+    }
+
+    /**
+     * The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for signing.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 5;</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setProtectionLevel($var)
+    {
+        GPBUtil::checkEnum($var, \Google\Cloud\Kms\V1\ProtectionLevel::class);
+        $this->protection_level = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/MacVerifyRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/MacVerifyRequest.php
new file mode 100644
index 000000000000..57af029a1136
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/MacVerifyRequest.php
@@ -0,0 +1,508 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [KeyManagementService.MacVerify][google.cloud.kms.v1.KeyManagementService.MacVerify].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.MacVerifyRequest</code>
+ */
+class MacVerifyRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+     * verification.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     */
+    protected $name = '';
+    /**
+     * Required. The data used previously as a
+     * [MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data] to generate
+     * the MAC tag.
+     *
+     * Generated from protobuf field <code>bytes data = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    protected $data = '';
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [MacVerifyRequest.data][google.cloud.kms.v1.MacVerifyRequest.data]. If
+     * specified, [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     * will verify the integrity of the received
+     * [MacVerifyRequest.data][google.cloud.kms.v1.MacVerifyRequest.data] using
+     * this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([MacVerifyRequest.data][google.cloud.kms.v1.MacVerifyRequest.data])
+     * is equal to
+     * [MacVerifyRequest.data_crc32c][google.cloud.kms.v1.MacVerifyRequest.data_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value data_crc32c = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $data_crc32c = null;
+    /**
+     * Required. The signature to verify.
+     *
+     * Generated from protobuf field <code>bytes mac = 4 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    protected $mac = '';
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [MacVerifyRequest.mac][google.cloud.kms.v1.MacVerifyRequest.mac]. If
+     * specified, [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     * will verify the integrity of the received
+     * [MacVerifyRequest.mac][google.cloud.kms.v1.MacVerifyRequest.mac] using this
+     * checksum. [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     * will report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([MacVerifyRequest.tag][]) is equal to
+     * [MacVerifyRequest.mac_crc32c][google.cloud.kms.v1.MacVerifyRequest.mac_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value mac_crc32c = 5 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $mac_crc32c = null;
+
+    /**
+     * @param string $name Required. The resource name of the
+     *                     [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+     *                     verification. Please see
+     *                     {@see KeyManagementServiceClient::cryptoKeyVersionName()} for help formatting this field.
+     * @param string $data Required. The data used previously as a
+     *                     [MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data] to generate
+     *                     the MAC tag.
+     * @param string $mac  Required. The signature to verify.
+     *
+     * @return \Google\Cloud\Kms\V1\MacVerifyRequest
+     *
+     * @experimental
+     */
+    public static function build(string $name, string $data, string $mac): self
+    {
+        return (new self())
+            ->setName($name)
+            ->setData($data)
+            ->setMac($mac);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $name
+     *           Required. The resource name of the
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+     *           verification.
+     *     @type string $data
+     *           Required. The data used previously as a
+     *           [MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data] to generate
+     *           the MAC tag.
+     *     @type \Google\Protobuf\Int64Value $data_crc32c
+     *           Optional. An optional CRC32C checksum of the
+     *           [MacVerifyRequest.data][google.cloud.kms.v1.MacVerifyRequest.data]. If
+     *           specified, [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     *           will verify the integrity of the received
+     *           [MacVerifyRequest.data][google.cloud.kms.v1.MacVerifyRequest.data] using
+     *           this checksum.
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     *           report an error if the checksum verification fails. If you receive a
+     *           checksum error, your client should verify that
+     *           CRC32C([MacVerifyRequest.data][google.cloud.kms.v1.MacVerifyRequest.data])
+     *           is equal to
+     *           [MacVerifyRequest.data_crc32c][google.cloud.kms.v1.MacVerifyRequest.data_crc32c],
+     *           and if so, perform a limited number of retries. A persistent mismatch may
+     *           indicate an issue in your computation of the CRC32C checksum. Note: This
+     *           field is defined as int64 for reasons of compatibility across different
+     *           languages. However, it is a non-negative integer, which will never exceed
+     *           2^32-1, and can be safely downconverted to uint32 in languages that support
+     *           this type.
+     *     @type string $mac
+     *           Required. The signature to verify.
+     *     @type \Google\Protobuf\Int64Value $mac_crc32c
+     *           Optional. An optional CRC32C checksum of the
+     *           [MacVerifyRequest.mac][google.cloud.kms.v1.MacVerifyRequest.mac]. If
+     *           specified, [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     *           will verify the integrity of the received
+     *           [MacVerifyRequest.mac][google.cloud.kms.v1.MacVerifyRequest.mac] using this
+     *           checksum. [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     *           will report an error if the checksum verification fails. If you receive a
+     *           checksum error, your client should verify that
+     *           CRC32C([MacVerifyRequest.tag][]) is equal to
+     *           [MacVerifyRequest.mac_crc32c][google.cloud.kms.v1.MacVerifyRequest.mac_crc32c],
+     *           and if so, perform a limited number of retries. A persistent mismatch may
+     *           indicate an issue in your computation of the CRC32C checksum. Note: This
+     *           field is defined as int64 for reasons of compatibility across different
+     *           languages. However, it is a non-negative integer, which will never exceed
+     *           2^32-1, and can be safely downconverted to uint32 in languages that support
+     *           this type.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+     * verification.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * Required. The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+     * verification.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setName($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->name = $var;
+
+        return $this;
+    }
+
+    /**
+     * Required. The data used previously as a
+     * [MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data] to generate
+     * the MAC tag.
+     *
+     * Generated from protobuf field <code>bytes data = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return string
+     */
+    public function getData()
+    {
+        return $this->data;
+    }
+
+    /**
+     * Required. The data used previously as a
+     * [MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data] to generate
+     * the MAC tag.
+     *
+     * Generated from protobuf field <code>bytes data = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setData($var)
+    {
+        GPBUtil::checkString($var, False);
+        $this->data = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [MacVerifyRequest.data][google.cloud.kms.v1.MacVerifyRequest.data]. If
+     * specified, [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     * will verify the integrity of the received
+     * [MacVerifyRequest.data][google.cloud.kms.v1.MacVerifyRequest.data] using
+     * this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([MacVerifyRequest.data][google.cloud.kms.v1.MacVerifyRequest.data])
+     * is equal to
+     * [MacVerifyRequest.data_crc32c][google.cloud.kms.v1.MacVerifyRequest.data_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value data_crc32c = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return \Google\Protobuf\Int64Value|null
+     */
+    public function getDataCrc32C()
+    {
+        return $this->data_crc32c;
+    }
+
+    public function hasDataCrc32C()
+    {
+        return isset($this->data_crc32c);
+    }
+
+    public function clearDataCrc32C()
+    {
+        unset($this->data_crc32c);
+    }
+
+    /**
+     * Returns the unboxed value from <code>getDataCrc32C()</code>
+
+     * Optional. An optional CRC32C checksum of the
+     * [MacVerifyRequest.data][google.cloud.kms.v1.MacVerifyRequest.data]. If
+     * specified, [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     * will verify the integrity of the received
+     * [MacVerifyRequest.data][google.cloud.kms.v1.MacVerifyRequest.data] using
+     * this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([MacVerifyRequest.data][google.cloud.kms.v1.MacVerifyRequest.data])
+     * is equal to
+     * [MacVerifyRequest.data_crc32c][google.cloud.kms.v1.MacVerifyRequest.data_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value data_crc32c = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return int|string|null
+     */
+    public function getDataCrc32CUnwrapped()
+    {
+        return $this->readWrapperValue("data_crc32c");
+    }
+
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [MacVerifyRequest.data][google.cloud.kms.v1.MacVerifyRequest.data]. If
+     * specified, [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     * will verify the integrity of the received
+     * [MacVerifyRequest.data][google.cloud.kms.v1.MacVerifyRequest.data] using
+     * this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([MacVerifyRequest.data][google.cloud.kms.v1.MacVerifyRequest.data])
+     * is equal to
+     * [MacVerifyRequest.data_crc32c][google.cloud.kms.v1.MacVerifyRequest.data_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value data_crc32c = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param \Google\Protobuf\Int64Value $var
+     * @return $this
+     */
+    public function setDataCrc32C($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Int64Value::class);
+        $this->data_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * Sets the field by wrapping a primitive type in a Google\Protobuf\Int64Value object.
+
+     * Optional. An optional CRC32C checksum of the
+     * [MacVerifyRequest.data][google.cloud.kms.v1.MacVerifyRequest.data]. If
+     * specified, [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     * will verify the integrity of the received
+     * [MacVerifyRequest.data][google.cloud.kms.v1.MacVerifyRequest.data] using
+     * this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([MacVerifyRequest.data][google.cloud.kms.v1.MacVerifyRequest.data])
+     * is equal to
+     * [MacVerifyRequest.data_crc32c][google.cloud.kms.v1.MacVerifyRequest.data_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value data_crc32c = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param int|string|null $var
+     * @return $this
+     */
+    public function setDataCrc32CUnwrapped($var)
+    {
+        $this->writeWrapperValue("data_crc32c", $var);
+        return $this;}
+
+    /**
+     * Required. The signature to verify.
+     *
+     * Generated from protobuf field <code>bytes mac = 4 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return string
+     */
+    public function getMac()
+    {
+        return $this->mac;
+    }
+
+    /**
+     * Required. The signature to verify.
+     *
+     * Generated from protobuf field <code>bytes mac = 4 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setMac($var)
+    {
+        GPBUtil::checkString($var, False);
+        $this->mac = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [MacVerifyRequest.mac][google.cloud.kms.v1.MacVerifyRequest.mac]. If
+     * specified, [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     * will verify the integrity of the received
+     * [MacVerifyRequest.mac][google.cloud.kms.v1.MacVerifyRequest.mac] using this
+     * checksum. [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     * will report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([MacVerifyRequest.tag][]) is equal to
+     * [MacVerifyRequest.mac_crc32c][google.cloud.kms.v1.MacVerifyRequest.mac_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value mac_crc32c = 5 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return \Google\Protobuf\Int64Value|null
+     */
+    public function getMacCrc32C()
+    {
+        return $this->mac_crc32c;
+    }
+
+    public function hasMacCrc32C()
+    {
+        return isset($this->mac_crc32c);
+    }
+
+    public function clearMacCrc32C()
+    {
+        unset($this->mac_crc32c);
+    }
+
+    /**
+     * Returns the unboxed value from <code>getMacCrc32C()</code>
+
+     * Optional. An optional CRC32C checksum of the
+     * [MacVerifyRequest.mac][google.cloud.kms.v1.MacVerifyRequest.mac]. If
+     * specified, [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     * will verify the integrity of the received
+     * [MacVerifyRequest.mac][google.cloud.kms.v1.MacVerifyRequest.mac] using this
+     * checksum. [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     * will report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([MacVerifyRequest.tag][]) is equal to
+     * [MacVerifyRequest.mac_crc32c][google.cloud.kms.v1.MacVerifyRequest.mac_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value mac_crc32c = 5 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return int|string|null
+     */
+    public function getMacCrc32CUnwrapped()
+    {
+        return $this->readWrapperValue("mac_crc32c");
+    }
+
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [MacVerifyRequest.mac][google.cloud.kms.v1.MacVerifyRequest.mac]. If
+     * specified, [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     * will verify the integrity of the received
+     * [MacVerifyRequest.mac][google.cloud.kms.v1.MacVerifyRequest.mac] using this
+     * checksum. [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     * will report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([MacVerifyRequest.tag][]) is equal to
+     * [MacVerifyRequest.mac_crc32c][google.cloud.kms.v1.MacVerifyRequest.mac_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value mac_crc32c = 5 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param \Google\Protobuf\Int64Value $var
+     * @return $this
+     */
+    public function setMacCrc32C($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Int64Value::class);
+        $this->mac_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * Sets the field by wrapping a primitive type in a Google\Protobuf\Int64Value object.
+
+     * Optional. An optional CRC32C checksum of the
+     * [MacVerifyRequest.mac][google.cloud.kms.v1.MacVerifyRequest.mac]. If
+     * specified, [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     * will verify the integrity of the received
+     * [MacVerifyRequest.mac][google.cloud.kms.v1.MacVerifyRequest.mac] using this
+     * checksum. [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     * will report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C([MacVerifyRequest.tag][]) is equal to
+     * [MacVerifyRequest.mac_crc32c][google.cloud.kms.v1.MacVerifyRequest.mac_crc32c],
+     * and if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum. Note: This
+     * field is defined as int64 for reasons of compatibility across different
+     * languages. However, it is a non-negative integer, which will never exceed
+     * 2^32-1, and can be safely downconverted to uint32 in languages that support
+     * this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value mac_crc32c = 5 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param int|string|null $var
+     * @return $this
+     */
+    public function setMacCrc32CUnwrapped($var)
+    {
+        $this->writeWrapperValue("mac_crc32c", $var);
+        return $this;}
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/MacVerifyResponse.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/MacVerifyResponse.php
new file mode 100644
index 000000000000..457f9f454810
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/MacVerifyResponse.php
@@ -0,0 +1,386 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Response message for
+ * [KeyManagementService.MacVerify][google.cloud.kms.v1.KeyManagementService.MacVerify].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.MacVerifyResponse</code>
+ */
+class MacVerifyResponse extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for
+     * verification. Check this field to verify that the intended resource was
+     * used for verification.
+     *
+     * Generated from protobuf field <code>string name = 1;</code>
+     */
+    protected $name = '';
+    /**
+     * This field indicates whether or not the verification operation for
+     * [MacVerifyRequest.mac][google.cloud.kms.v1.MacVerifyRequest.mac] over
+     * [MacVerifyRequest.data][google.cloud.kms.v1.MacVerifyRequest.data] was
+     * successful.
+     *
+     * Generated from protobuf field <code>bool success = 2;</code>
+     */
+    protected $success = false;
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [MacVerifyRequest.data_crc32c][google.cloud.kms.v1.MacVerifyRequest.data_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of the
+     * [data][google.cloud.kms.v1.MacVerifyRequest.data]. A false value of this
+     * field indicates either that
+     * [MacVerifyRequest.data_crc32c][google.cloud.kms.v1.MacVerifyRequest.data_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [MacVerifyRequest.data_crc32c][google.cloud.kms.v1.MacVerifyRequest.data_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_data_crc32c = 3;</code>
+     */
+    protected $verified_data_crc32c = false;
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [MacVerifyRequest.mac_crc32c][google.cloud.kms.v1.MacVerifyRequest.mac_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of the
+     * [data][google.cloud.kms.v1.MacVerifyRequest.mac]. A false value of this
+     * field indicates either that
+     * [MacVerifyRequest.mac_crc32c][google.cloud.kms.v1.MacVerifyRequest.mac_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [MacVerifyRequest.mac_crc32c][google.cloud.kms.v1.MacVerifyRequest.mac_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_mac_crc32c = 4;</code>
+     */
+    protected $verified_mac_crc32c = false;
+    /**
+     * Integrity verification field. This value is used for the integrity
+     * verification of [MacVerifyResponse.success]. If the value of this field
+     * contradicts the value of [MacVerifyResponse.success], discard the response
+     * and perform a limited number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_success_integrity = 5;</code>
+     */
+    protected $verified_success_integrity = false;
+    /**
+     * The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for
+     * verification.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 6;</code>
+     */
+    protected $protection_level = 0;
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $name
+     *           The resource name of the
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for
+     *           verification. Check this field to verify that the intended resource was
+     *           used for verification.
+     *     @type bool $success
+     *           This field indicates whether or not the verification operation for
+     *           [MacVerifyRequest.mac][google.cloud.kms.v1.MacVerifyRequest.mac] over
+     *           [MacVerifyRequest.data][google.cloud.kms.v1.MacVerifyRequest.data] was
+     *           successful.
+     *     @type bool $verified_data_crc32c
+     *           Integrity verification field. A flag indicating whether
+     *           [MacVerifyRequest.data_crc32c][google.cloud.kms.v1.MacVerifyRequest.data_crc32c]
+     *           was received by
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     *           for the integrity verification of the
+     *           [data][google.cloud.kms.v1.MacVerifyRequest.data]. A false value of this
+     *           field indicates either that
+     *           [MacVerifyRequest.data_crc32c][google.cloud.kms.v1.MacVerifyRequest.data_crc32c]
+     *           was left unset or that it was not delivered to
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     *           set
+     *           [MacVerifyRequest.data_crc32c][google.cloud.kms.v1.MacVerifyRequest.data_crc32c]
+     *           but this field is still false, discard the response and perform a limited
+     *           number of retries.
+     *     @type bool $verified_mac_crc32c
+     *           Integrity verification field. A flag indicating whether
+     *           [MacVerifyRequest.mac_crc32c][google.cloud.kms.v1.MacVerifyRequest.mac_crc32c]
+     *           was received by
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     *           for the integrity verification of the
+     *           [data][google.cloud.kms.v1.MacVerifyRequest.mac]. A false value of this
+     *           field indicates either that
+     *           [MacVerifyRequest.mac_crc32c][google.cloud.kms.v1.MacVerifyRequest.mac_crc32c]
+     *           was left unset or that it was not delivered to
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     *           set
+     *           [MacVerifyRequest.mac_crc32c][google.cloud.kms.v1.MacVerifyRequest.mac_crc32c]
+     *           but this field is still false, discard the response and perform a limited
+     *           number of retries.
+     *     @type bool $verified_success_integrity
+     *           Integrity verification field. This value is used for the integrity
+     *           verification of [MacVerifyResponse.success]. If the value of this field
+     *           contradicts the value of [MacVerifyResponse.success], discard the response
+     *           and perform a limited number of retries.
+     *     @type int $protection_level
+     *           The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for
+     *           verification.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for
+     * verification. Check this field to verify that the intended resource was
+     * used for verification.
+     *
+     * Generated from protobuf field <code>string name = 1;</code>
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for
+     * verification. Check this field to verify that the intended resource was
+     * used for verification.
+     *
+     * Generated from protobuf field <code>string name = 1;</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setName($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->name = $var;
+
+        return $this;
+    }
+
+    /**
+     * This field indicates whether or not the verification operation for
+     * [MacVerifyRequest.mac][google.cloud.kms.v1.MacVerifyRequest.mac] over
+     * [MacVerifyRequest.data][google.cloud.kms.v1.MacVerifyRequest.data] was
+     * successful.
+     *
+     * Generated from protobuf field <code>bool success = 2;</code>
+     * @return bool
+     */
+    public function getSuccess()
+    {
+        return $this->success;
+    }
+
+    /**
+     * This field indicates whether or not the verification operation for
+     * [MacVerifyRequest.mac][google.cloud.kms.v1.MacVerifyRequest.mac] over
+     * [MacVerifyRequest.data][google.cloud.kms.v1.MacVerifyRequest.data] was
+     * successful.
+     *
+     * Generated from protobuf field <code>bool success = 2;</code>
+     * @param bool $var
+     * @return $this
+     */
+    public function setSuccess($var)
+    {
+        GPBUtil::checkBool($var);
+        $this->success = $var;
+
+        return $this;
+    }
+
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [MacVerifyRequest.data_crc32c][google.cloud.kms.v1.MacVerifyRequest.data_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of the
+     * [data][google.cloud.kms.v1.MacVerifyRequest.data]. A false value of this
+     * field indicates either that
+     * [MacVerifyRequest.data_crc32c][google.cloud.kms.v1.MacVerifyRequest.data_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [MacVerifyRequest.data_crc32c][google.cloud.kms.v1.MacVerifyRequest.data_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_data_crc32c = 3;</code>
+     * @return bool
+     */
+    public function getVerifiedDataCrc32C()
+    {
+        return $this->verified_data_crc32c;
+    }
+
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [MacVerifyRequest.data_crc32c][google.cloud.kms.v1.MacVerifyRequest.data_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of the
+     * [data][google.cloud.kms.v1.MacVerifyRequest.data]. A false value of this
+     * field indicates either that
+     * [MacVerifyRequest.data_crc32c][google.cloud.kms.v1.MacVerifyRequest.data_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [MacVerifyRequest.data_crc32c][google.cloud.kms.v1.MacVerifyRequest.data_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_data_crc32c = 3;</code>
+     * @param bool $var
+     * @return $this
+     */
+    public function setVerifiedDataCrc32C($var)
+    {
+        GPBUtil::checkBool($var);
+        $this->verified_data_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [MacVerifyRequest.mac_crc32c][google.cloud.kms.v1.MacVerifyRequest.mac_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of the
+     * [data][google.cloud.kms.v1.MacVerifyRequest.mac]. A false value of this
+     * field indicates either that
+     * [MacVerifyRequest.mac_crc32c][google.cloud.kms.v1.MacVerifyRequest.mac_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [MacVerifyRequest.mac_crc32c][google.cloud.kms.v1.MacVerifyRequest.mac_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_mac_crc32c = 4;</code>
+     * @return bool
+     */
+    public function getVerifiedMacCrc32C()
+    {
+        return $this->verified_mac_crc32c;
+    }
+
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [MacVerifyRequest.mac_crc32c][google.cloud.kms.v1.MacVerifyRequest.mac_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of the
+     * [data][google.cloud.kms.v1.MacVerifyRequest.mac]. A false value of this
+     * field indicates either that
+     * [MacVerifyRequest.mac_crc32c][google.cloud.kms.v1.MacVerifyRequest.mac_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [MacVerifyRequest.mac_crc32c][google.cloud.kms.v1.MacVerifyRequest.mac_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_mac_crc32c = 4;</code>
+     * @param bool $var
+     * @return $this
+     */
+    public function setVerifiedMacCrc32C($var)
+    {
+        GPBUtil::checkBool($var);
+        $this->verified_mac_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * Integrity verification field. This value is used for the integrity
+     * verification of [MacVerifyResponse.success]. If the value of this field
+     * contradicts the value of [MacVerifyResponse.success], discard the response
+     * and perform a limited number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_success_integrity = 5;</code>
+     * @return bool
+     */
+    public function getVerifiedSuccessIntegrity()
+    {
+        return $this->verified_success_integrity;
+    }
+
+    /**
+     * Integrity verification field. This value is used for the integrity
+     * verification of [MacVerifyResponse.success]. If the value of this field
+     * contradicts the value of [MacVerifyResponse.success], discard the response
+     * and perform a limited number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_success_integrity = 5;</code>
+     * @param bool $var
+     * @return $this
+     */
+    public function setVerifiedSuccessIntegrity($var)
+    {
+        GPBUtil::checkBool($var);
+        $this->verified_success_integrity = $var;
+
+        return $this;
+    }
+
+    /**
+     * The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for
+     * verification.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 6;</code>
+     * @return int
+     */
+    public function getProtectionLevel()
+    {
+        return $this->protection_level;
+    }
+
+    /**
+     * The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for
+     * verification.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 6;</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setProtectionLevel($var)
+    {
+        GPBUtil::checkEnum($var, \Google\Cloud\Kms\V1\ProtectionLevel::class);
+        $this->protection_level = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ProtectionLevel.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ProtectionLevel.php
new file mode 100644
index 000000000000..e6f74d6c62b8
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ProtectionLevel.php
@@ -0,0 +1,77 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/resources.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use UnexpectedValueException;
+
+/**
+ * [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] specifies how
+ * cryptographic operations are performed. For more information, see [Protection
+ * levels] (https://cloud.google.com/kms/docs/algorithms#protection_levels).
+ *
+ * Protobuf type <code>google.cloud.kms.v1.ProtectionLevel</code>
+ */
+class ProtectionLevel
+{
+    /**
+     * Not specified.
+     *
+     * Generated from protobuf enum <code>PROTECTION_LEVEL_UNSPECIFIED = 0;</code>
+     */
+    const PROTECTION_LEVEL_UNSPECIFIED = 0;
+    /**
+     * Crypto operations are performed in software.
+     *
+     * Generated from protobuf enum <code>SOFTWARE = 1;</code>
+     */
+    const SOFTWARE = 1;
+    /**
+     * Crypto operations are performed in a Hardware Security Module.
+     *
+     * Generated from protobuf enum <code>HSM = 2;</code>
+     */
+    const HSM = 2;
+    /**
+     * Crypto operations are performed by an external key manager.
+     *
+     * Generated from protobuf enum <code>EXTERNAL = 3;</code>
+     */
+    const EXTERNAL = 3;
+    /**
+     * Crypto operations are performed in an EKM-over-VPC backend.
+     *
+     * Generated from protobuf enum <code>EXTERNAL_VPC = 4;</code>
+     */
+    const EXTERNAL_VPC = 4;
+
+    private static $valueToName = [
+        self::PROTECTION_LEVEL_UNSPECIFIED => 'PROTECTION_LEVEL_UNSPECIFIED',
+        self::SOFTWARE => 'SOFTWARE',
+        self::HSM => 'HSM',
+        self::EXTERNAL => 'EXTERNAL',
+        self::EXTERNAL_VPC => 'EXTERNAL_VPC',
+    ];
+
+    public static function name($value)
+    {
+        if (!isset(self::$valueToName[$value])) {
+            throw new UnexpectedValueException(sprintf(
+                    'Enum %s has no name defined for value %s', __CLASS__, $value));
+        }
+        return self::$valueToName[$value];
+    }
+
+
+    public static function value($name)
+    {
+        $const = __CLASS__ . '::' . strtoupper($name);
+        if (!defined($const)) {
+            throw new UnexpectedValueException(sprintf(
+                    'Enum %s has no value defined for name %s', __CLASS__, $name));
+        }
+        return constant($const);
+    }
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/PublicKey.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/PublicKey.php
new file mode 100644
index 000000000000..7309923596b0
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/PublicKey.php
@@ -0,0 +1,354 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/resources.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * The public keys for a given
+ * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Obtained via
+ * [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.PublicKey</code>
+ */
+class PublicKey extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * The public key, encoded in PEM format. For more information, see the
+     * [RFC 7468](https://tools.ietf.org/html/rfc7468) sections for
+     * [General Considerations](https://tools.ietf.org/html/rfc7468#section-2) and
+     * [Textual Encoding of Subject Public Key Info]
+     * (https://tools.ietf.org/html/rfc7468#section-13).
+     *
+     * Generated from protobuf field <code>string pem = 1;</code>
+     */
+    protected $pem = '';
+    /**
+     * The
+     * [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
+     * associated with this key.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 2;</code>
+     */
+    protected $algorithm = 0;
+    /**
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem]. An integrity check of
+     * [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem] can be performed by
+     * computing the CRC32C checksum of
+     * [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem] and comparing your
+     * results to this field. Discard the response in case of non-matching
+     * checksum values, and perform a limited number of retries. A persistent
+     * mismatch may indicate an issue in your computation of the CRC32C checksum.
+     * Note: This field is defined as int64 for reasons of compatibility across
+     * different languages. However, it is a non-negative integer, which will
+     * never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+     * that support this type.
+     * NOTE: This field is in Beta.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value pem_crc32c = 3;</code>
+     */
+    protected $pem_crc32c = null;
+    /**
+     * The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key.
+     * Provided here for verification.
+     * NOTE: This field is in Beta.
+     *
+     * Generated from protobuf field <code>string name = 4;</code>
+     */
+    protected $name = '';
+    /**
+     * The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 5;</code>
+     */
+    protected $protection_level = 0;
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $pem
+     *           The public key, encoded in PEM format. For more information, see the
+     *           [RFC 7468](https://tools.ietf.org/html/rfc7468) sections for
+     *           [General Considerations](https://tools.ietf.org/html/rfc7468#section-2) and
+     *           [Textual Encoding of Subject Public Key Info]
+     *           (https://tools.ietf.org/html/rfc7468#section-13).
+     *     @type int $algorithm
+     *           The
+     *           [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
+     *           associated with this key.
+     *     @type \Google\Protobuf\Int64Value $pem_crc32c
+     *           Integrity verification field. A CRC32C checksum of the returned
+     *           [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem]. An integrity check of
+     *           [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem] can be performed by
+     *           computing the CRC32C checksum of
+     *           [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem] and comparing your
+     *           results to this field. Discard the response in case of non-matching
+     *           checksum values, and perform a limited number of retries. A persistent
+     *           mismatch may indicate an issue in your computation of the CRC32C checksum.
+     *           Note: This field is defined as int64 for reasons of compatibility across
+     *           different languages. However, it is a non-negative integer, which will
+     *           never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+     *           that support this type.
+     *           NOTE: This field is in Beta.
+     *     @type string $name
+     *           The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key.
+     *           Provided here for verification.
+     *           NOTE: This field is in Beta.
+     *     @type int $protection_level
+     *           The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Resources::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * The public key, encoded in PEM format. For more information, see the
+     * [RFC 7468](https://tools.ietf.org/html/rfc7468) sections for
+     * [General Considerations](https://tools.ietf.org/html/rfc7468#section-2) and
+     * [Textual Encoding of Subject Public Key Info]
+     * (https://tools.ietf.org/html/rfc7468#section-13).
+     *
+     * Generated from protobuf field <code>string pem = 1;</code>
+     * @return string
+     */
+    public function getPem()
+    {
+        return $this->pem;
+    }
+
+    /**
+     * The public key, encoded in PEM format. For more information, see the
+     * [RFC 7468](https://tools.ietf.org/html/rfc7468) sections for
+     * [General Considerations](https://tools.ietf.org/html/rfc7468#section-2) and
+     * [Textual Encoding of Subject Public Key Info]
+     * (https://tools.ietf.org/html/rfc7468#section-13).
+     *
+     * Generated from protobuf field <code>string pem = 1;</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setPem($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->pem = $var;
+
+        return $this;
+    }
+
+    /**
+     * The
+     * [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
+     * associated with this key.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 2;</code>
+     * @return int
+     */
+    public function getAlgorithm()
+    {
+        return $this->algorithm;
+    }
+
+    /**
+     * The
+     * [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
+     * associated with this key.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 2;</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setAlgorithm($var)
+    {
+        GPBUtil::checkEnum($var, \Google\Cloud\Kms\V1\CryptoKeyVersion\CryptoKeyVersionAlgorithm::class);
+        $this->algorithm = $var;
+
+        return $this;
+    }
+
+    /**
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem]. An integrity check of
+     * [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem] can be performed by
+     * computing the CRC32C checksum of
+     * [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem] and comparing your
+     * results to this field. Discard the response in case of non-matching
+     * checksum values, and perform a limited number of retries. A persistent
+     * mismatch may indicate an issue in your computation of the CRC32C checksum.
+     * Note: This field is defined as int64 for reasons of compatibility across
+     * different languages. However, it is a non-negative integer, which will
+     * never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+     * that support this type.
+     * NOTE: This field is in Beta.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value pem_crc32c = 3;</code>
+     * @return \Google\Protobuf\Int64Value|null
+     */
+    public function getPemCrc32C()
+    {
+        return $this->pem_crc32c;
+    }
+
+    public function hasPemCrc32C()
+    {
+        return isset($this->pem_crc32c);
+    }
+
+    public function clearPemCrc32C()
+    {
+        unset($this->pem_crc32c);
+    }
+
+    /**
+     * Returns the unboxed value from <code>getPemCrc32C()</code>
+
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem]. An integrity check of
+     * [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem] can be performed by
+     * computing the CRC32C checksum of
+     * [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem] and comparing your
+     * results to this field. Discard the response in case of non-matching
+     * checksum values, and perform a limited number of retries. A persistent
+     * mismatch may indicate an issue in your computation of the CRC32C checksum.
+     * Note: This field is defined as int64 for reasons of compatibility across
+     * different languages. However, it is a non-negative integer, which will
+     * never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+     * that support this type.
+     * NOTE: This field is in Beta.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value pem_crc32c = 3;</code>
+     * @return int|string|null
+     */
+    public function getPemCrc32CUnwrapped()
+    {
+        return $this->readWrapperValue("pem_crc32c");
+    }
+
+    /**
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem]. An integrity check of
+     * [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem] can be performed by
+     * computing the CRC32C checksum of
+     * [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem] and comparing your
+     * results to this field. Discard the response in case of non-matching
+     * checksum values, and perform a limited number of retries. A persistent
+     * mismatch may indicate an issue in your computation of the CRC32C checksum.
+     * Note: This field is defined as int64 for reasons of compatibility across
+     * different languages. However, it is a non-negative integer, which will
+     * never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+     * that support this type.
+     * NOTE: This field is in Beta.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value pem_crc32c = 3;</code>
+     * @param \Google\Protobuf\Int64Value $var
+     * @return $this
+     */
+    public function setPemCrc32C($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Int64Value::class);
+        $this->pem_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * Sets the field by wrapping a primitive type in a Google\Protobuf\Int64Value object.
+
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem]. An integrity check of
+     * [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem] can be performed by
+     * computing the CRC32C checksum of
+     * [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem] and comparing your
+     * results to this field. Discard the response in case of non-matching
+     * checksum values, and perform a limited number of retries. A persistent
+     * mismatch may indicate an issue in your computation of the CRC32C checksum.
+     * Note: This field is defined as int64 for reasons of compatibility across
+     * different languages. However, it is a non-negative integer, which will
+     * never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+     * that support this type.
+     * NOTE: This field is in Beta.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value pem_crc32c = 3;</code>
+     * @param int|string|null $var
+     * @return $this
+     */
+    public function setPemCrc32CUnwrapped($var)
+    {
+        $this->writeWrapperValue("pem_crc32c", $var);
+        return $this;}
+
+    /**
+     * The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key.
+     * Provided here for verification.
+     * NOTE: This field is in Beta.
+     *
+     * Generated from protobuf field <code>string name = 4;</code>
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key.
+     * Provided here for verification.
+     * NOTE: This field is in Beta.
+     *
+     * Generated from protobuf field <code>string name = 4;</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setName($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->name = $var;
+
+        return $this;
+    }
+
+    /**
+     * The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 5;</code>
+     * @return int
+     */
+    public function getProtectionLevel()
+    {
+        return $this->protection_level;
+    }
+
+    /**
+     * The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 5;</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setProtectionLevel($var)
+    {
+        GPBUtil::checkEnum($var, \Google\Cloud\Kms\V1\ProtectionLevel::class);
+        $this->protection_level = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/RawDecryptRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/RawDecryptRequest.php
new file mode 100644
index 000000000000..3d6cd5c1a96f
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/RawDecryptRequest.php
@@ -0,0 +1,707 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [KeyManagementService.RawDecrypt][google.cloud.kms.v1.KeyManagementService.RawDecrypt].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.RawDecryptRequest</code>
+ */
+class RawDecryptRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+     * decryption.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    protected $name = '';
+    /**
+     * Required. The encrypted data originally returned in
+     * [RawEncryptResponse.ciphertext][google.cloud.kms.v1.RawEncryptResponse.ciphertext].
+     *
+     * Generated from protobuf field <code>bytes ciphertext = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    protected $ciphertext = '';
+    /**
+     * Optional. Optional data that must match the data originally supplied in
+     * [RawEncryptRequest.additional_authenticated_data][google.cloud.kms.v1.RawEncryptRequest.additional_authenticated_data].
+     *
+     * Generated from protobuf field <code>bytes additional_authenticated_data = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $additional_authenticated_data = '';
+    /**
+     * Required. The initialization vector (IV) used during encryption, which must
+     * match the data originally provided in
+     * [RawEncryptResponse.initialization_vector][google.cloud.kms.v1.RawEncryptResponse.initialization_vector].
+     *
+     * Generated from protobuf field <code>bytes initialization_vector = 4 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    protected $initialization_vector = '';
+    /**
+     * The length of the authentication tag that is appended to the end of
+     * the ciphertext. If unspecified (0), the default value for the key's
+     * algorithm will be used (for AES-GCM, the default value is 16).
+     *
+     * Generated from protobuf field <code>int32 tag_length = 5;</code>
+     */
+    protected $tag_length = 0;
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [RawDecryptRequest.ciphertext][google.cloud.kms.v1.RawDecryptRequest.ciphertext].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received ciphertext using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that CRC32C(ciphertext) is equal
+     * to ciphertext_crc32c, and if so, perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: This field is defined as int64 for reasons of compatibility
+     * across different languages. However, it is a non-negative integer, which
+     * will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     * languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value ciphertext_crc32c = 6 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $ciphertext_crc32c = null;
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [RawDecryptRequest.additional_authenticated_data][google.cloud.kms.v1.RawDecryptRequest.additional_authenticated_data].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received additional_authenticated_data using
+     * this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C(additional_authenticated_data) is equal to
+     * additional_authenticated_data_crc32c, and if so, perform
+     * a limited number of retries. A persistent mismatch may indicate an issue in
+     * your computation of the CRC32C checksum.
+     * Note: This field is defined as int64 for reasons of compatibility across
+     * different languages. However, it is a non-negative integer, which will
+     * never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+     * that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value additional_authenticated_data_crc32c = 7 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $additional_authenticated_data_crc32c = null;
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [RawDecryptRequest.initialization_vector][google.cloud.kms.v1.RawDecryptRequest.initialization_vector].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received initialization_vector using this
+     * checksum. [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     * will report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C(initialization_vector) is equal to initialization_vector_crc32c, and
+     * if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum.
+     * Note: This field is defined as int64 for reasons of compatibility across
+     * different languages. However, it is a non-negative integer, which will
+     * never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+     * that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value initialization_vector_crc32c = 8 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $initialization_vector_crc32c = null;
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $name
+     *           Required. The resource name of the
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+     *           decryption.
+     *     @type string $ciphertext
+     *           Required. The encrypted data originally returned in
+     *           [RawEncryptResponse.ciphertext][google.cloud.kms.v1.RawEncryptResponse.ciphertext].
+     *     @type string $additional_authenticated_data
+     *           Optional. Optional data that must match the data originally supplied in
+     *           [RawEncryptRequest.additional_authenticated_data][google.cloud.kms.v1.RawEncryptRequest.additional_authenticated_data].
+     *     @type string $initialization_vector
+     *           Required. The initialization vector (IV) used during encryption, which must
+     *           match the data originally provided in
+     *           [RawEncryptResponse.initialization_vector][google.cloud.kms.v1.RawEncryptResponse.initialization_vector].
+     *     @type int $tag_length
+     *           The length of the authentication tag that is appended to the end of
+     *           the ciphertext. If unspecified (0), the default value for the key's
+     *           algorithm will be used (for AES-GCM, the default value is 16).
+     *     @type \Google\Protobuf\Int64Value $ciphertext_crc32c
+     *           Optional. An optional CRC32C checksum of the
+     *           [RawDecryptRequest.ciphertext][google.cloud.kms.v1.RawDecryptRequest.ciphertext].
+     *           If specified,
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     *           verify the integrity of the received ciphertext using this checksum.
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     *           report an error if the checksum verification fails. If you receive a
+     *           checksum error, your client should verify that CRC32C(ciphertext) is equal
+     *           to ciphertext_crc32c, and if so, perform a limited number of retries. A
+     *           persistent mismatch may indicate an issue in your computation of the CRC32C
+     *           checksum. Note: This field is defined as int64 for reasons of compatibility
+     *           across different languages. However, it is a non-negative integer, which
+     *           will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     *           languages that support this type.
+     *     @type \Google\Protobuf\Int64Value $additional_authenticated_data_crc32c
+     *           Optional. An optional CRC32C checksum of the
+     *           [RawDecryptRequest.additional_authenticated_data][google.cloud.kms.v1.RawDecryptRequest.additional_authenticated_data].
+     *           If specified,
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     *           verify the integrity of the received additional_authenticated_data using
+     *           this checksum.
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     *           report an error if the checksum verification fails. If you receive a
+     *           checksum error, your client should verify that
+     *           CRC32C(additional_authenticated_data) is equal to
+     *           additional_authenticated_data_crc32c, and if so, perform
+     *           a limited number of retries. A persistent mismatch may indicate an issue in
+     *           your computation of the CRC32C checksum.
+     *           Note: This field is defined as int64 for reasons of compatibility across
+     *           different languages. However, it is a non-negative integer, which will
+     *           never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+     *           that support this type.
+     *     @type \Google\Protobuf\Int64Value $initialization_vector_crc32c
+     *           Optional. An optional CRC32C checksum of the
+     *           [RawDecryptRequest.initialization_vector][google.cloud.kms.v1.RawDecryptRequest.initialization_vector].
+     *           If specified,
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     *           verify the integrity of the received initialization_vector using this
+     *           checksum. [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     *           will report an error if the checksum verification fails. If you receive a
+     *           checksum error, your client should verify that
+     *           CRC32C(initialization_vector) is equal to initialization_vector_crc32c, and
+     *           if so, perform a limited number of retries. A persistent mismatch may
+     *           indicate an issue in your computation of the CRC32C checksum.
+     *           Note: This field is defined as int64 for reasons of compatibility across
+     *           different languages. However, it is a non-negative integer, which will
+     *           never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+     *           that support this type.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+     * decryption.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * Required. The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+     * decryption.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setName($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->name = $var;
+
+        return $this;
+    }
+
+    /**
+     * Required. The encrypted data originally returned in
+     * [RawEncryptResponse.ciphertext][google.cloud.kms.v1.RawEncryptResponse.ciphertext].
+     *
+     * Generated from protobuf field <code>bytes ciphertext = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return string
+     */
+    public function getCiphertext()
+    {
+        return $this->ciphertext;
+    }
+
+    /**
+     * Required. The encrypted data originally returned in
+     * [RawEncryptResponse.ciphertext][google.cloud.kms.v1.RawEncryptResponse.ciphertext].
+     *
+     * Generated from protobuf field <code>bytes ciphertext = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setCiphertext($var)
+    {
+        GPBUtil::checkString($var, False);
+        $this->ciphertext = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. Optional data that must match the data originally supplied in
+     * [RawEncryptRequest.additional_authenticated_data][google.cloud.kms.v1.RawEncryptRequest.additional_authenticated_data].
+     *
+     * Generated from protobuf field <code>bytes additional_authenticated_data = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return string
+     */
+    public function getAdditionalAuthenticatedData()
+    {
+        return $this->additional_authenticated_data;
+    }
+
+    /**
+     * Optional. Optional data that must match the data originally supplied in
+     * [RawEncryptRequest.additional_authenticated_data][google.cloud.kms.v1.RawEncryptRequest.additional_authenticated_data].
+     *
+     * Generated from protobuf field <code>bytes additional_authenticated_data = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setAdditionalAuthenticatedData($var)
+    {
+        GPBUtil::checkString($var, False);
+        $this->additional_authenticated_data = $var;
+
+        return $this;
+    }
+
+    /**
+     * Required. The initialization vector (IV) used during encryption, which must
+     * match the data originally provided in
+     * [RawEncryptResponse.initialization_vector][google.cloud.kms.v1.RawEncryptResponse.initialization_vector].
+     *
+     * Generated from protobuf field <code>bytes initialization_vector = 4 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return string
+     */
+    public function getInitializationVector()
+    {
+        return $this->initialization_vector;
+    }
+
+    /**
+     * Required. The initialization vector (IV) used during encryption, which must
+     * match the data originally provided in
+     * [RawEncryptResponse.initialization_vector][google.cloud.kms.v1.RawEncryptResponse.initialization_vector].
+     *
+     * Generated from protobuf field <code>bytes initialization_vector = 4 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setInitializationVector($var)
+    {
+        GPBUtil::checkString($var, False);
+        $this->initialization_vector = $var;
+
+        return $this;
+    }
+
+    /**
+     * The length of the authentication tag that is appended to the end of
+     * the ciphertext. If unspecified (0), the default value for the key's
+     * algorithm will be used (for AES-GCM, the default value is 16).
+     *
+     * Generated from protobuf field <code>int32 tag_length = 5;</code>
+     * @return int
+     */
+    public function getTagLength()
+    {
+        return $this->tag_length;
+    }
+
+    /**
+     * The length of the authentication tag that is appended to the end of
+     * the ciphertext. If unspecified (0), the default value for the key's
+     * algorithm will be used (for AES-GCM, the default value is 16).
+     *
+     * Generated from protobuf field <code>int32 tag_length = 5;</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setTagLength($var)
+    {
+        GPBUtil::checkInt32($var);
+        $this->tag_length = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [RawDecryptRequest.ciphertext][google.cloud.kms.v1.RawDecryptRequest.ciphertext].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received ciphertext using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that CRC32C(ciphertext) is equal
+     * to ciphertext_crc32c, and if so, perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: This field is defined as int64 for reasons of compatibility
+     * across different languages. However, it is a non-negative integer, which
+     * will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     * languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value ciphertext_crc32c = 6 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return \Google\Protobuf\Int64Value|null
+     */
+    public function getCiphertextCrc32C()
+    {
+        return $this->ciphertext_crc32c;
+    }
+
+    public function hasCiphertextCrc32C()
+    {
+        return isset($this->ciphertext_crc32c);
+    }
+
+    public function clearCiphertextCrc32C()
+    {
+        unset($this->ciphertext_crc32c);
+    }
+
+    /**
+     * Returns the unboxed value from <code>getCiphertextCrc32C()</code>
+
+     * Optional. An optional CRC32C checksum of the
+     * [RawDecryptRequest.ciphertext][google.cloud.kms.v1.RawDecryptRequest.ciphertext].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received ciphertext using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that CRC32C(ciphertext) is equal
+     * to ciphertext_crc32c, and if so, perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: This field is defined as int64 for reasons of compatibility
+     * across different languages. However, it is a non-negative integer, which
+     * will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     * languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value ciphertext_crc32c = 6 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return int|string|null
+     */
+    public function getCiphertextCrc32CUnwrapped()
+    {
+        return $this->readWrapperValue("ciphertext_crc32c");
+    }
+
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [RawDecryptRequest.ciphertext][google.cloud.kms.v1.RawDecryptRequest.ciphertext].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received ciphertext using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that CRC32C(ciphertext) is equal
+     * to ciphertext_crc32c, and if so, perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: This field is defined as int64 for reasons of compatibility
+     * across different languages. However, it is a non-negative integer, which
+     * will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     * languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value ciphertext_crc32c = 6 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param \Google\Protobuf\Int64Value $var
+     * @return $this
+     */
+    public function setCiphertextCrc32C($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Int64Value::class);
+        $this->ciphertext_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * Sets the field by wrapping a primitive type in a Google\Protobuf\Int64Value object.
+
+     * Optional. An optional CRC32C checksum of the
+     * [RawDecryptRequest.ciphertext][google.cloud.kms.v1.RawDecryptRequest.ciphertext].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received ciphertext using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that CRC32C(ciphertext) is equal
+     * to ciphertext_crc32c, and if so, perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: This field is defined as int64 for reasons of compatibility
+     * across different languages. However, it is a non-negative integer, which
+     * will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     * languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value ciphertext_crc32c = 6 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param int|string|null $var
+     * @return $this
+     */
+    public function setCiphertextCrc32CUnwrapped($var)
+    {
+        $this->writeWrapperValue("ciphertext_crc32c", $var);
+        return $this;}
+
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [RawDecryptRequest.additional_authenticated_data][google.cloud.kms.v1.RawDecryptRequest.additional_authenticated_data].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received additional_authenticated_data using
+     * this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C(additional_authenticated_data) is equal to
+     * additional_authenticated_data_crc32c, and if so, perform
+     * a limited number of retries. A persistent mismatch may indicate an issue in
+     * your computation of the CRC32C checksum.
+     * Note: This field is defined as int64 for reasons of compatibility across
+     * different languages. However, it is a non-negative integer, which will
+     * never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+     * that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value additional_authenticated_data_crc32c = 7 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return \Google\Protobuf\Int64Value|null
+     */
+    public function getAdditionalAuthenticatedDataCrc32C()
+    {
+        return $this->additional_authenticated_data_crc32c;
+    }
+
+    public function hasAdditionalAuthenticatedDataCrc32C()
+    {
+        return isset($this->additional_authenticated_data_crc32c);
+    }
+
+    public function clearAdditionalAuthenticatedDataCrc32C()
+    {
+        unset($this->additional_authenticated_data_crc32c);
+    }
+
+    /**
+     * Returns the unboxed value from <code>getAdditionalAuthenticatedDataCrc32C()</code>
+
+     * Optional. An optional CRC32C checksum of the
+     * [RawDecryptRequest.additional_authenticated_data][google.cloud.kms.v1.RawDecryptRequest.additional_authenticated_data].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received additional_authenticated_data using
+     * this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C(additional_authenticated_data) is equal to
+     * additional_authenticated_data_crc32c, and if so, perform
+     * a limited number of retries. A persistent mismatch may indicate an issue in
+     * your computation of the CRC32C checksum.
+     * Note: This field is defined as int64 for reasons of compatibility across
+     * different languages. However, it is a non-negative integer, which will
+     * never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+     * that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value additional_authenticated_data_crc32c = 7 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return int|string|null
+     */
+    public function getAdditionalAuthenticatedDataCrc32CUnwrapped()
+    {
+        return $this->readWrapperValue("additional_authenticated_data_crc32c");
+    }
+
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [RawDecryptRequest.additional_authenticated_data][google.cloud.kms.v1.RawDecryptRequest.additional_authenticated_data].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received additional_authenticated_data using
+     * this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C(additional_authenticated_data) is equal to
+     * additional_authenticated_data_crc32c, and if so, perform
+     * a limited number of retries. A persistent mismatch may indicate an issue in
+     * your computation of the CRC32C checksum.
+     * Note: This field is defined as int64 for reasons of compatibility across
+     * different languages. However, it is a non-negative integer, which will
+     * never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+     * that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value additional_authenticated_data_crc32c = 7 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param \Google\Protobuf\Int64Value $var
+     * @return $this
+     */
+    public function setAdditionalAuthenticatedDataCrc32C($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Int64Value::class);
+        $this->additional_authenticated_data_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * Sets the field by wrapping a primitive type in a Google\Protobuf\Int64Value object.
+
+     * Optional. An optional CRC32C checksum of the
+     * [RawDecryptRequest.additional_authenticated_data][google.cloud.kms.v1.RawDecryptRequest.additional_authenticated_data].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received additional_authenticated_data using
+     * this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C(additional_authenticated_data) is equal to
+     * additional_authenticated_data_crc32c, and if so, perform
+     * a limited number of retries. A persistent mismatch may indicate an issue in
+     * your computation of the CRC32C checksum.
+     * Note: This field is defined as int64 for reasons of compatibility across
+     * different languages. However, it is a non-negative integer, which will
+     * never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+     * that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value additional_authenticated_data_crc32c = 7 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param int|string|null $var
+     * @return $this
+     */
+    public function setAdditionalAuthenticatedDataCrc32CUnwrapped($var)
+    {
+        $this->writeWrapperValue("additional_authenticated_data_crc32c", $var);
+        return $this;}
+
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [RawDecryptRequest.initialization_vector][google.cloud.kms.v1.RawDecryptRequest.initialization_vector].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received initialization_vector using this
+     * checksum. [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     * will report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C(initialization_vector) is equal to initialization_vector_crc32c, and
+     * if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum.
+     * Note: This field is defined as int64 for reasons of compatibility across
+     * different languages. However, it is a non-negative integer, which will
+     * never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+     * that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value initialization_vector_crc32c = 8 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return \Google\Protobuf\Int64Value|null
+     */
+    public function getInitializationVectorCrc32C()
+    {
+        return $this->initialization_vector_crc32c;
+    }
+
+    public function hasInitializationVectorCrc32C()
+    {
+        return isset($this->initialization_vector_crc32c);
+    }
+
+    public function clearInitializationVectorCrc32C()
+    {
+        unset($this->initialization_vector_crc32c);
+    }
+
+    /**
+     * Returns the unboxed value from <code>getInitializationVectorCrc32C()</code>
+
+     * Optional. An optional CRC32C checksum of the
+     * [RawDecryptRequest.initialization_vector][google.cloud.kms.v1.RawDecryptRequest.initialization_vector].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received initialization_vector using this
+     * checksum. [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     * will report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C(initialization_vector) is equal to initialization_vector_crc32c, and
+     * if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum.
+     * Note: This field is defined as int64 for reasons of compatibility across
+     * different languages. However, it is a non-negative integer, which will
+     * never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+     * that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value initialization_vector_crc32c = 8 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return int|string|null
+     */
+    public function getInitializationVectorCrc32CUnwrapped()
+    {
+        return $this->readWrapperValue("initialization_vector_crc32c");
+    }
+
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [RawDecryptRequest.initialization_vector][google.cloud.kms.v1.RawDecryptRequest.initialization_vector].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received initialization_vector using this
+     * checksum. [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     * will report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C(initialization_vector) is equal to initialization_vector_crc32c, and
+     * if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum.
+     * Note: This field is defined as int64 for reasons of compatibility across
+     * different languages. However, it is a non-negative integer, which will
+     * never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+     * that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value initialization_vector_crc32c = 8 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param \Google\Protobuf\Int64Value $var
+     * @return $this
+     */
+    public function setInitializationVectorCrc32C($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Int64Value::class);
+        $this->initialization_vector_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * Sets the field by wrapping a primitive type in a Google\Protobuf\Int64Value object.
+
+     * Optional. An optional CRC32C checksum of the
+     * [RawDecryptRequest.initialization_vector][google.cloud.kms.v1.RawDecryptRequest.initialization_vector].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received initialization_vector using this
+     * checksum. [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     * will report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C(initialization_vector) is equal to initialization_vector_crc32c, and
+     * if so, perform a limited number of retries. A persistent mismatch may
+     * indicate an issue in your computation of the CRC32C checksum.
+     * Note: This field is defined as int64 for reasons of compatibility across
+     * different languages. However, it is a non-negative integer, which will
+     * never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+     * that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value initialization_vector_crc32c = 8 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param int|string|null $var
+     * @return $this
+     */
+    public function setInitializationVectorCrc32CUnwrapped($var)
+    {
+        $this->writeWrapperValue("initialization_vector_crc32c", $var);
+        return $this;}
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/RawDecryptResponse.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/RawDecryptResponse.php
new file mode 100644
index 000000000000..6ce9ba157ce9
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/RawDecryptResponse.php
@@ -0,0 +1,511 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Response message for
+ * [KeyManagementService.RawDecrypt][google.cloud.kms.v1.KeyManagementService.RawDecrypt].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.RawDecryptResponse</code>
+ */
+class RawDecryptResponse extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * The decrypted data.
+     *
+     * Generated from protobuf field <code>bytes plaintext = 1;</code>
+     */
+    protected $plaintext = '';
+    /**
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [RawDecryptResponse.plaintext][google.cloud.kms.v1.RawDecryptResponse.plaintext].
+     * An integrity check of plaintext can be performed by computing the CRC32C
+     * checksum of plaintext and comparing your results to this field. Discard the
+     * response in case of non-matching checksum values, and perform a limited
+     * number of retries. A persistent mismatch may indicate an issue in your
+     * computation of the CRC32C checksum. Note: receiving this response message
+     * indicates that
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] is able to
+     * successfully decrypt the
+     * [ciphertext][google.cloud.kms.v1.RawDecryptRequest.ciphertext].
+     * Note: This field is defined as int64 for reasons of compatibility across
+     * different languages. However, it is a non-negative integer, which will
+     * never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+     * that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value plaintext_crc32c = 2;</code>
+     */
+    protected $plaintext_crc32c = null;
+    /**
+     * The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in
+     * decryption.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 3;</code>
+     */
+    protected $protection_level = 0;
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [RawDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.RawDecryptRequest.ciphertext_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of the ciphertext. A false value of this
+     * field indicates either that
+     * [RawDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.RawDecryptRequest.ciphertext_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [RawDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.RawDecryptRequest.ciphertext_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_ciphertext_crc32c = 4;</code>
+     */
+    protected $verified_ciphertext_crc32c = false;
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [RawDecryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.RawDecryptRequest.additional_authenticated_data_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of additional_authenticated_data. A false
+     * value of this field indicates either that //
+     * [RawDecryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.RawDecryptRequest.additional_authenticated_data_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [RawDecryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.RawDecryptRequest.additional_authenticated_data_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_additional_authenticated_data_crc32c = 5;</code>
+     */
+    protected $verified_additional_authenticated_data_crc32c = false;
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [RawDecryptRequest.initialization_vector_crc32c][google.cloud.kms.v1.RawDecryptRequest.initialization_vector_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of initialization_vector. A false value of
+     * this field indicates either that
+     * [RawDecryptRequest.initialization_vector_crc32c][google.cloud.kms.v1.RawDecryptRequest.initialization_vector_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [RawDecryptRequest.initialization_vector_crc32c][google.cloud.kms.v1.RawDecryptRequest.initialization_vector_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_initialization_vector_crc32c = 6;</code>
+     */
+    protected $verified_initialization_vector_crc32c = false;
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $plaintext
+     *           The decrypted data.
+     *     @type \Google\Protobuf\Int64Value $plaintext_crc32c
+     *           Integrity verification field. A CRC32C checksum of the returned
+     *           [RawDecryptResponse.plaintext][google.cloud.kms.v1.RawDecryptResponse.plaintext].
+     *           An integrity check of plaintext can be performed by computing the CRC32C
+     *           checksum of plaintext and comparing your results to this field. Discard the
+     *           response in case of non-matching checksum values, and perform a limited
+     *           number of retries. A persistent mismatch may indicate an issue in your
+     *           computation of the CRC32C checksum. Note: receiving this response message
+     *           indicates that
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] is able to
+     *           successfully decrypt the
+     *           [ciphertext][google.cloud.kms.v1.RawDecryptRequest.ciphertext].
+     *           Note: This field is defined as int64 for reasons of compatibility across
+     *           different languages. However, it is a non-negative integer, which will
+     *           never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+     *           that support this type.
+     *     @type int $protection_level
+     *           The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in
+     *           decryption.
+     *     @type bool $verified_ciphertext_crc32c
+     *           Integrity verification field. A flag indicating whether
+     *           [RawDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.RawDecryptRequest.ciphertext_crc32c]
+     *           was received by
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     *           for the integrity verification of the ciphertext. A false value of this
+     *           field indicates either that
+     *           [RawDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.RawDecryptRequest.ciphertext_crc32c]
+     *           was left unset or that it was not delivered to
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     *           set
+     *           [RawDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.RawDecryptRequest.ciphertext_crc32c]
+     *           but this field is still false, discard the response and perform a limited
+     *           number of retries.
+     *     @type bool $verified_additional_authenticated_data_crc32c
+     *           Integrity verification field. A flag indicating whether
+     *           [RawDecryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.RawDecryptRequest.additional_authenticated_data_crc32c]
+     *           was received by
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     *           for the integrity verification of additional_authenticated_data. A false
+     *           value of this field indicates either that //
+     *           [RawDecryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.RawDecryptRequest.additional_authenticated_data_crc32c]
+     *           was left unset or that it was not delivered to
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     *           set
+     *           [RawDecryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.RawDecryptRequest.additional_authenticated_data_crc32c]
+     *           but this field is still false, discard the response and perform a limited
+     *           number of retries.
+     *     @type bool $verified_initialization_vector_crc32c
+     *           Integrity verification field. A flag indicating whether
+     *           [RawDecryptRequest.initialization_vector_crc32c][google.cloud.kms.v1.RawDecryptRequest.initialization_vector_crc32c]
+     *           was received by
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     *           for the integrity verification of initialization_vector. A false value of
+     *           this field indicates either that
+     *           [RawDecryptRequest.initialization_vector_crc32c][google.cloud.kms.v1.RawDecryptRequest.initialization_vector_crc32c]
+     *           was left unset or that it was not delivered to
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     *           set
+     *           [RawDecryptRequest.initialization_vector_crc32c][google.cloud.kms.v1.RawDecryptRequest.initialization_vector_crc32c]
+     *           but this field is still false, discard the response and perform a limited
+     *           number of retries.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * The decrypted data.
+     *
+     * Generated from protobuf field <code>bytes plaintext = 1;</code>
+     * @return string
+     */
+    public function getPlaintext()
+    {
+        return $this->plaintext;
+    }
+
+    /**
+     * The decrypted data.
+     *
+     * Generated from protobuf field <code>bytes plaintext = 1;</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setPlaintext($var)
+    {
+        GPBUtil::checkString($var, False);
+        $this->plaintext = $var;
+
+        return $this;
+    }
+
+    /**
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [RawDecryptResponse.plaintext][google.cloud.kms.v1.RawDecryptResponse.plaintext].
+     * An integrity check of plaintext can be performed by computing the CRC32C
+     * checksum of plaintext and comparing your results to this field. Discard the
+     * response in case of non-matching checksum values, and perform a limited
+     * number of retries. A persistent mismatch may indicate an issue in your
+     * computation of the CRC32C checksum. Note: receiving this response message
+     * indicates that
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] is able to
+     * successfully decrypt the
+     * [ciphertext][google.cloud.kms.v1.RawDecryptRequest.ciphertext].
+     * Note: This field is defined as int64 for reasons of compatibility across
+     * different languages. However, it is a non-negative integer, which will
+     * never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+     * that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value plaintext_crc32c = 2;</code>
+     * @return \Google\Protobuf\Int64Value|null
+     */
+    public function getPlaintextCrc32C()
+    {
+        return $this->plaintext_crc32c;
+    }
+
+    public function hasPlaintextCrc32C()
+    {
+        return isset($this->plaintext_crc32c);
+    }
+
+    public function clearPlaintextCrc32C()
+    {
+        unset($this->plaintext_crc32c);
+    }
+
+    /**
+     * Returns the unboxed value from <code>getPlaintextCrc32C()</code>
+
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [RawDecryptResponse.plaintext][google.cloud.kms.v1.RawDecryptResponse.plaintext].
+     * An integrity check of plaintext can be performed by computing the CRC32C
+     * checksum of plaintext and comparing your results to this field. Discard the
+     * response in case of non-matching checksum values, and perform a limited
+     * number of retries. A persistent mismatch may indicate an issue in your
+     * computation of the CRC32C checksum. Note: receiving this response message
+     * indicates that
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] is able to
+     * successfully decrypt the
+     * [ciphertext][google.cloud.kms.v1.RawDecryptRequest.ciphertext].
+     * Note: This field is defined as int64 for reasons of compatibility across
+     * different languages. However, it is a non-negative integer, which will
+     * never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+     * that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value plaintext_crc32c = 2;</code>
+     * @return int|string|null
+     */
+    public function getPlaintextCrc32CUnwrapped()
+    {
+        return $this->readWrapperValue("plaintext_crc32c");
+    }
+
+    /**
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [RawDecryptResponse.plaintext][google.cloud.kms.v1.RawDecryptResponse.plaintext].
+     * An integrity check of plaintext can be performed by computing the CRC32C
+     * checksum of plaintext and comparing your results to this field. Discard the
+     * response in case of non-matching checksum values, and perform a limited
+     * number of retries. A persistent mismatch may indicate an issue in your
+     * computation of the CRC32C checksum. Note: receiving this response message
+     * indicates that
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] is able to
+     * successfully decrypt the
+     * [ciphertext][google.cloud.kms.v1.RawDecryptRequest.ciphertext].
+     * Note: This field is defined as int64 for reasons of compatibility across
+     * different languages. However, it is a non-negative integer, which will
+     * never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+     * that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value plaintext_crc32c = 2;</code>
+     * @param \Google\Protobuf\Int64Value $var
+     * @return $this
+     */
+    public function setPlaintextCrc32C($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Int64Value::class);
+        $this->plaintext_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * Sets the field by wrapping a primitive type in a Google\Protobuf\Int64Value object.
+
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [RawDecryptResponse.plaintext][google.cloud.kms.v1.RawDecryptResponse.plaintext].
+     * An integrity check of plaintext can be performed by computing the CRC32C
+     * checksum of plaintext and comparing your results to this field. Discard the
+     * response in case of non-matching checksum values, and perform a limited
+     * number of retries. A persistent mismatch may indicate an issue in your
+     * computation of the CRC32C checksum. Note: receiving this response message
+     * indicates that
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] is able to
+     * successfully decrypt the
+     * [ciphertext][google.cloud.kms.v1.RawDecryptRequest.ciphertext].
+     * Note: This field is defined as int64 for reasons of compatibility across
+     * different languages. However, it is a non-negative integer, which will
+     * never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+     * that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value plaintext_crc32c = 2;</code>
+     * @param int|string|null $var
+     * @return $this
+     */
+    public function setPlaintextCrc32CUnwrapped($var)
+    {
+        $this->writeWrapperValue("plaintext_crc32c", $var);
+        return $this;}
+
+    /**
+     * The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in
+     * decryption.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 3;</code>
+     * @return int
+     */
+    public function getProtectionLevel()
+    {
+        return $this->protection_level;
+    }
+
+    /**
+     * The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in
+     * decryption.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 3;</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setProtectionLevel($var)
+    {
+        GPBUtil::checkEnum($var, \Google\Cloud\Kms\V1\ProtectionLevel::class);
+        $this->protection_level = $var;
+
+        return $this;
+    }
+
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [RawDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.RawDecryptRequest.ciphertext_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of the ciphertext. A false value of this
+     * field indicates either that
+     * [RawDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.RawDecryptRequest.ciphertext_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [RawDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.RawDecryptRequest.ciphertext_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_ciphertext_crc32c = 4;</code>
+     * @return bool
+     */
+    public function getVerifiedCiphertextCrc32C()
+    {
+        return $this->verified_ciphertext_crc32c;
+    }
+
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [RawDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.RawDecryptRequest.ciphertext_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of the ciphertext. A false value of this
+     * field indicates either that
+     * [RawDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.RawDecryptRequest.ciphertext_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [RawDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.RawDecryptRequest.ciphertext_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_ciphertext_crc32c = 4;</code>
+     * @param bool $var
+     * @return $this
+     */
+    public function setVerifiedCiphertextCrc32C($var)
+    {
+        GPBUtil::checkBool($var);
+        $this->verified_ciphertext_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [RawDecryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.RawDecryptRequest.additional_authenticated_data_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of additional_authenticated_data. A false
+     * value of this field indicates either that //
+     * [RawDecryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.RawDecryptRequest.additional_authenticated_data_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [RawDecryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.RawDecryptRequest.additional_authenticated_data_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_additional_authenticated_data_crc32c = 5;</code>
+     * @return bool
+     */
+    public function getVerifiedAdditionalAuthenticatedDataCrc32C()
+    {
+        return $this->verified_additional_authenticated_data_crc32c;
+    }
+
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [RawDecryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.RawDecryptRequest.additional_authenticated_data_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of additional_authenticated_data. A false
+     * value of this field indicates either that //
+     * [RawDecryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.RawDecryptRequest.additional_authenticated_data_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [RawDecryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.RawDecryptRequest.additional_authenticated_data_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_additional_authenticated_data_crc32c = 5;</code>
+     * @param bool $var
+     * @return $this
+     */
+    public function setVerifiedAdditionalAuthenticatedDataCrc32C($var)
+    {
+        GPBUtil::checkBool($var);
+        $this->verified_additional_authenticated_data_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [RawDecryptRequest.initialization_vector_crc32c][google.cloud.kms.v1.RawDecryptRequest.initialization_vector_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of initialization_vector. A false value of
+     * this field indicates either that
+     * [RawDecryptRequest.initialization_vector_crc32c][google.cloud.kms.v1.RawDecryptRequest.initialization_vector_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [RawDecryptRequest.initialization_vector_crc32c][google.cloud.kms.v1.RawDecryptRequest.initialization_vector_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_initialization_vector_crc32c = 6;</code>
+     * @return bool
+     */
+    public function getVerifiedInitializationVectorCrc32C()
+    {
+        return $this->verified_initialization_vector_crc32c;
+    }
+
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [RawDecryptRequest.initialization_vector_crc32c][google.cloud.kms.v1.RawDecryptRequest.initialization_vector_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of initialization_vector. A false value of
+     * this field indicates either that
+     * [RawDecryptRequest.initialization_vector_crc32c][google.cloud.kms.v1.RawDecryptRequest.initialization_vector_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [RawDecryptRequest.initialization_vector_crc32c][google.cloud.kms.v1.RawDecryptRequest.initialization_vector_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_initialization_vector_crc32c = 6;</code>
+     * @param bool $var
+     * @return $this
+     */
+    public function setVerifiedInitializationVectorCrc32C($var)
+    {
+        GPBUtil::checkBool($var);
+        $this->verified_initialization_vector_crc32c = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/RawEncryptRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/RawEncryptRequest.php
new file mode 100644
index 000000000000..1f1d581d1d0d
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/RawEncryptRequest.php
@@ -0,0 +1,743 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [KeyManagementService.RawEncrypt][google.cloud.kms.v1.KeyManagementService.RawEncrypt].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.RawEncryptRequest</code>
+ */
+class RawEncryptRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+     * encryption.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    protected $name = '';
+    /**
+     * Required. The data to encrypt. Must be no larger than 64KiB.
+     * The maximum size depends on the key version's
+     * [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level].
+     * For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the
+     * plaintext must be no larger than 64KiB. For
+     * [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of
+     * the plaintext and additional_authenticated_data fields must be no larger
+     * than 8KiB.
+     *
+     * Generated from protobuf field <code>bytes plaintext = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    protected $plaintext = '';
+    /**
+     * Optional. Optional data that, if specified, must also be provided during
+     * decryption through
+     * [RawDecryptRequest.additional_authenticated_data][google.cloud.kms.v1.RawDecryptRequest.additional_authenticated_data].
+     * This field may only be used in conjunction with an
+     * [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm] that accepts
+     * additional authenticated data (for example, AES-GCM).
+     * The maximum size depends on the key version's
+     * [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level].
+     * For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the
+     * plaintext must be no larger than 64KiB. For
+     * [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of
+     * the plaintext and additional_authenticated_data fields must be no larger
+     * than 8KiB.
+     *
+     * Generated from protobuf field <code>bytes additional_authenticated_data = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $additional_authenticated_data = '';
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [RawEncryptRequest.plaintext][google.cloud.kms.v1.RawEncryptRequest.plaintext].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received plaintext using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that CRC32C(plaintext) is equal
+     * to plaintext_crc32c, and if so, perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: This field is defined as int64 for reasons of compatibility
+     * across different languages. However, it is a non-negative integer, which
+     * will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     * languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value plaintext_crc32c = 4 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $plaintext_crc32c = null;
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [RawEncryptRequest.additional_authenticated_data][google.cloud.kms.v1.RawEncryptRequest.additional_authenticated_data].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received additional_authenticated_data using
+     * this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C(additional_authenticated_data) is equal to
+     * additional_authenticated_data_crc32c, and if so, perform
+     * a limited number of retries. A persistent mismatch may indicate an issue in
+     * your computation of the CRC32C checksum.
+     * Note: This field is defined as int64 for reasons of compatibility across
+     * different languages. However, it is a non-negative integer, which will
+     * never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+     * that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value additional_authenticated_data_crc32c = 5 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $additional_authenticated_data_crc32c = null;
+    /**
+     * Optional. A customer-supplied initialization vector that will be used for
+     * encryption. If it is not provided for AES-CBC and AES-CTR, one will be
+     * generated. It will be returned in
+     * [RawEncryptResponse.initialization_vector][google.cloud.kms.v1.RawEncryptResponse.initialization_vector].
+     *
+     * Generated from protobuf field <code>bytes initialization_vector = 6 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $initialization_vector = '';
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [RawEncryptRequest.initialization_vector][google.cloud.kms.v1.RawEncryptRequest.initialization_vector].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received initialization_vector using this
+     * checksum. [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     * will report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C(initialization_vector) is equal to
+     * initialization_vector_crc32c, and if so, perform
+     * a limited number of retries. A persistent mismatch may indicate an issue in
+     * your computation of the CRC32C checksum.
+     * Note: This field is defined as int64 for reasons of compatibility across
+     * different languages. However, it is a non-negative integer, which will
+     * never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+     * that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value initialization_vector_crc32c = 7 [(.google.api.field_behavior) = OPTIONAL];</code>
+     */
+    protected $initialization_vector_crc32c = null;
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $name
+     *           Required. The resource name of the
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+     *           encryption.
+     *     @type string $plaintext
+     *           Required. The data to encrypt. Must be no larger than 64KiB.
+     *           The maximum size depends on the key version's
+     *           [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level].
+     *           For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the
+     *           plaintext must be no larger than 64KiB. For
+     *           [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of
+     *           the plaintext and additional_authenticated_data fields must be no larger
+     *           than 8KiB.
+     *     @type string $additional_authenticated_data
+     *           Optional. Optional data that, if specified, must also be provided during
+     *           decryption through
+     *           [RawDecryptRequest.additional_authenticated_data][google.cloud.kms.v1.RawDecryptRequest.additional_authenticated_data].
+     *           This field may only be used in conjunction with an
+     *           [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm] that accepts
+     *           additional authenticated data (for example, AES-GCM).
+     *           The maximum size depends on the key version's
+     *           [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level].
+     *           For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the
+     *           plaintext must be no larger than 64KiB. For
+     *           [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of
+     *           the plaintext and additional_authenticated_data fields must be no larger
+     *           than 8KiB.
+     *     @type \Google\Protobuf\Int64Value $plaintext_crc32c
+     *           Optional. An optional CRC32C checksum of the
+     *           [RawEncryptRequest.plaintext][google.cloud.kms.v1.RawEncryptRequest.plaintext].
+     *           If specified,
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     *           verify the integrity of the received plaintext using this checksum.
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     *           report an error if the checksum verification fails. If you receive a
+     *           checksum error, your client should verify that CRC32C(plaintext) is equal
+     *           to plaintext_crc32c, and if so, perform a limited number of retries. A
+     *           persistent mismatch may indicate an issue in your computation of the CRC32C
+     *           checksum. Note: This field is defined as int64 for reasons of compatibility
+     *           across different languages. However, it is a non-negative integer, which
+     *           will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     *           languages that support this type.
+     *     @type \Google\Protobuf\Int64Value $additional_authenticated_data_crc32c
+     *           Optional. An optional CRC32C checksum of the
+     *           [RawEncryptRequest.additional_authenticated_data][google.cloud.kms.v1.RawEncryptRequest.additional_authenticated_data].
+     *           If specified,
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     *           verify the integrity of the received additional_authenticated_data using
+     *           this checksum.
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     *           report an error if the checksum verification fails. If you receive a
+     *           checksum error, your client should verify that
+     *           CRC32C(additional_authenticated_data) is equal to
+     *           additional_authenticated_data_crc32c, and if so, perform
+     *           a limited number of retries. A persistent mismatch may indicate an issue in
+     *           your computation of the CRC32C checksum.
+     *           Note: This field is defined as int64 for reasons of compatibility across
+     *           different languages. However, it is a non-negative integer, which will
+     *           never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+     *           that support this type.
+     *     @type string $initialization_vector
+     *           Optional. A customer-supplied initialization vector that will be used for
+     *           encryption. If it is not provided for AES-CBC and AES-CTR, one will be
+     *           generated. It will be returned in
+     *           [RawEncryptResponse.initialization_vector][google.cloud.kms.v1.RawEncryptResponse.initialization_vector].
+     *     @type \Google\Protobuf\Int64Value $initialization_vector_crc32c
+     *           Optional. An optional CRC32C checksum of the
+     *           [RawEncryptRequest.initialization_vector][google.cloud.kms.v1.RawEncryptRequest.initialization_vector].
+     *           If specified,
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     *           verify the integrity of the received initialization_vector using this
+     *           checksum. [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     *           will report an error if the checksum verification fails. If you receive a
+     *           checksum error, your client should verify that
+     *           CRC32C(initialization_vector) is equal to
+     *           initialization_vector_crc32c, and if so, perform
+     *           a limited number of retries. A persistent mismatch may indicate an issue in
+     *           your computation of the CRC32C checksum.
+     *           Note: This field is defined as int64 for reasons of compatibility across
+     *           different languages. However, it is a non-negative integer, which will
+     *           never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+     *           that support this type.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+     * encryption.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * Required. The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+     * encryption.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setName($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->name = $var;
+
+        return $this;
+    }
+
+    /**
+     * Required. The data to encrypt. Must be no larger than 64KiB.
+     * The maximum size depends on the key version's
+     * [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level].
+     * For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the
+     * plaintext must be no larger than 64KiB. For
+     * [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of
+     * the plaintext and additional_authenticated_data fields must be no larger
+     * than 8KiB.
+     *
+     * Generated from protobuf field <code>bytes plaintext = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return string
+     */
+    public function getPlaintext()
+    {
+        return $this->plaintext;
+    }
+
+    /**
+     * Required. The data to encrypt. Must be no larger than 64KiB.
+     * The maximum size depends on the key version's
+     * [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level].
+     * For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the
+     * plaintext must be no larger than 64KiB. For
+     * [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of
+     * the plaintext and additional_authenticated_data fields must be no larger
+     * than 8KiB.
+     *
+     * Generated from protobuf field <code>bytes plaintext = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setPlaintext($var)
+    {
+        GPBUtil::checkString($var, False);
+        $this->plaintext = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. Optional data that, if specified, must also be provided during
+     * decryption through
+     * [RawDecryptRequest.additional_authenticated_data][google.cloud.kms.v1.RawDecryptRequest.additional_authenticated_data].
+     * This field may only be used in conjunction with an
+     * [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm] that accepts
+     * additional authenticated data (for example, AES-GCM).
+     * The maximum size depends on the key version's
+     * [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level].
+     * For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the
+     * plaintext must be no larger than 64KiB. For
+     * [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of
+     * the plaintext and additional_authenticated_data fields must be no larger
+     * than 8KiB.
+     *
+     * Generated from protobuf field <code>bytes additional_authenticated_data = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return string
+     */
+    public function getAdditionalAuthenticatedData()
+    {
+        return $this->additional_authenticated_data;
+    }
+
+    /**
+     * Optional. Optional data that, if specified, must also be provided during
+     * decryption through
+     * [RawDecryptRequest.additional_authenticated_data][google.cloud.kms.v1.RawDecryptRequest.additional_authenticated_data].
+     * This field may only be used in conjunction with an
+     * [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm] that accepts
+     * additional authenticated data (for example, AES-GCM).
+     * The maximum size depends on the key version's
+     * [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level].
+     * For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the
+     * plaintext must be no larger than 64KiB. For
+     * [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of
+     * the plaintext and additional_authenticated_data fields must be no larger
+     * than 8KiB.
+     *
+     * Generated from protobuf field <code>bytes additional_authenticated_data = 3 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setAdditionalAuthenticatedData($var)
+    {
+        GPBUtil::checkString($var, False);
+        $this->additional_authenticated_data = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [RawEncryptRequest.plaintext][google.cloud.kms.v1.RawEncryptRequest.plaintext].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received plaintext using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that CRC32C(plaintext) is equal
+     * to plaintext_crc32c, and if so, perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: This field is defined as int64 for reasons of compatibility
+     * across different languages. However, it is a non-negative integer, which
+     * will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     * languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value plaintext_crc32c = 4 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return \Google\Protobuf\Int64Value|null
+     */
+    public function getPlaintextCrc32C()
+    {
+        return $this->plaintext_crc32c;
+    }
+
+    public function hasPlaintextCrc32C()
+    {
+        return isset($this->plaintext_crc32c);
+    }
+
+    public function clearPlaintextCrc32C()
+    {
+        unset($this->plaintext_crc32c);
+    }
+
+    /**
+     * Returns the unboxed value from <code>getPlaintextCrc32C()</code>
+
+     * Optional. An optional CRC32C checksum of the
+     * [RawEncryptRequest.plaintext][google.cloud.kms.v1.RawEncryptRequest.plaintext].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received plaintext using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that CRC32C(plaintext) is equal
+     * to plaintext_crc32c, and if so, perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: This field is defined as int64 for reasons of compatibility
+     * across different languages. However, it is a non-negative integer, which
+     * will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     * languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value plaintext_crc32c = 4 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return int|string|null
+     */
+    public function getPlaintextCrc32CUnwrapped()
+    {
+        return $this->readWrapperValue("plaintext_crc32c");
+    }
+
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [RawEncryptRequest.plaintext][google.cloud.kms.v1.RawEncryptRequest.plaintext].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received plaintext using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that CRC32C(plaintext) is equal
+     * to plaintext_crc32c, and if so, perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: This field is defined as int64 for reasons of compatibility
+     * across different languages. However, it is a non-negative integer, which
+     * will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     * languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value plaintext_crc32c = 4 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param \Google\Protobuf\Int64Value $var
+     * @return $this
+     */
+    public function setPlaintextCrc32C($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Int64Value::class);
+        $this->plaintext_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * Sets the field by wrapping a primitive type in a Google\Protobuf\Int64Value object.
+
+     * Optional. An optional CRC32C checksum of the
+     * [RawEncryptRequest.plaintext][google.cloud.kms.v1.RawEncryptRequest.plaintext].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received plaintext using this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that CRC32C(plaintext) is equal
+     * to plaintext_crc32c, and if so, perform a limited number of retries. A
+     * persistent mismatch may indicate an issue in your computation of the CRC32C
+     * checksum. Note: This field is defined as int64 for reasons of compatibility
+     * across different languages. However, it is a non-negative integer, which
+     * will never exceed 2^32-1, and can be safely downconverted to uint32 in
+     * languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value plaintext_crc32c = 4 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param int|string|null $var
+     * @return $this
+     */
+    public function setPlaintextCrc32CUnwrapped($var)
+    {
+        $this->writeWrapperValue("plaintext_crc32c", $var);
+        return $this;}
+
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [RawEncryptRequest.additional_authenticated_data][google.cloud.kms.v1.RawEncryptRequest.additional_authenticated_data].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received additional_authenticated_data using
+     * this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C(additional_authenticated_data) is equal to
+     * additional_authenticated_data_crc32c, and if so, perform
+     * a limited number of retries. A persistent mismatch may indicate an issue in
+     * your computation of the CRC32C checksum.
+     * Note: This field is defined as int64 for reasons of compatibility across
+     * different languages. However, it is a non-negative integer, which will
+     * never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+     * that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value additional_authenticated_data_crc32c = 5 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return \Google\Protobuf\Int64Value|null
+     */
+    public function getAdditionalAuthenticatedDataCrc32C()
+    {
+        return $this->additional_authenticated_data_crc32c;
+    }
+
+    public function hasAdditionalAuthenticatedDataCrc32C()
+    {
+        return isset($this->additional_authenticated_data_crc32c);
+    }
+
+    public function clearAdditionalAuthenticatedDataCrc32C()
+    {
+        unset($this->additional_authenticated_data_crc32c);
+    }
+
+    /**
+     * Returns the unboxed value from <code>getAdditionalAuthenticatedDataCrc32C()</code>
+
+     * Optional. An optional CRC32C checksum of the
+     * [RawEncryptRequest.additional_authenticated_data][google.cloud.kms.v1.RawEncryptRequest.additional_authenticated_data].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received additional_authenticated_data using
+     * this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C(additional_authenticated_data) is equal to
+     * additional_authenticated_data_crc32c, and if so, perform
+     * a limited number of retries. A persistent mismatch may indicate an issue in
+     * your computation of the CRC32C checksum.
+     * Note: This field is defined as int64 for reasons of compatibility across
+     * different languages. However, it is a non-negative integer, which will
+     * never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+     * that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value additional_authenticated_data_crc32c = 5 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return int|string|null
+     */
+    public function getAdditionalAuthenticatedDataCrc32CUnwrapped()
+    {
+        return $this->readWrapperValue("additional_authenticated_data_crc32c");
+    }
+
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [RawEncryptRequest.additional_authenticated_data][google.cloud.kms.v1.RawEncryptRequest.additional_authenticated_data].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received additional_authenticated_data using
+     * this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C(additional_authenticated_data) is equal to
+     * additional_authenticated_data_crc32c, and if so, perform
+     * a limited number of retries. A persistent mismatch may indicate an issue in
+     * your computation of the CRC32C checksum.
+     * Note: This field is defined as int64 for reasons of compatibility across
+     * different languages. However, it is a non-negative integer, which will
+     * never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+     * that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value additional_authenticated_data_crc32c = 5 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param \Google\Protobuf\Int64Value $var
+     * @return $this
+     */
+    public function setAdditionalAuthenticatedDataCrc32C($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Int64Value::class);
+        $this->additional_authenticated_data_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * Sets the field by wrapping a primitive type in a Google\Protobuf\Int64Value object.
+
+     * Optional. An optional CRC32C checksum of the
+     * [RawEncryptRequest.additional_authenticated_data][google.cloud.kms.v1.RawEncryptRequest.additional_authenticated_data].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received additional_authenticated_data using
+     * this checksum.
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C(additional_authenticated_data) is equal to
+     * additional_authenticated_data_crc32c, and if so, perform
+     * a limited number of retries. A persistent mismatch may indicate an issue in
+     * your computation of the CRC32C checksum.
+     * Note: This field is defined as int64 for reasons of compatibility across
+     * different languages. However, it is a non-negative integer, which will
+     * never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+     * that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value additional_authenticated_data_crc32c = 5 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param int|string|null $var
+     * @return $this
+     */
+    public function setAdditionalAuthenticatedDataCrc32CUnwrapped($var)
+    {
+        $this->writeWrapperValue("additional_authenticated_data_crc32c", $var);
+        return $this;}
+
+    /**
+     * Optional. A customer-supplied initialization vector that will be used for
+     * encryption. If it is not provided for AES-CBC and AES-CTR, one will be
+     * generated. It will be returned in
+     * [RawEncryptResponse.initialization_vector][google.cloud.kms.v1.RawEncryptResponse.initialization_vector].
+     *
+     * Generated from protobuf field <code>bytes initialization_vector = 6 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return string
+     */
+    public function getInitializationVector()
+    {
+        return $this->initialization_vector;
+    }
+
+    /**
+     * Optional. A customer-supplied initialization vector that will be used for
+     * encryption. If it is not provided for AES-CBC and AES-CTR, one will be
+     * generated. It will be returned in
+     * [RawEncryptResponse.initialization_vector][google.cloud.kms.v1.RawEncryptResponse.initialization_vector].
+     *
+     * Generated from protobuf field <code>bytes initialization_vector = 6 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setInitializationVector($var)
+    {
+        GPBUtil::checkString($var, False);
+        $this->initialization_vector = $var;
+
+        return $this;
+    }
+
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [RawEncryptRequest.initialization_vector][google.cloud.kms.v1.RawEncryptRequest.initialization_vector].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received initialization_vector using this
+     * checksum. [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     * will report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C(initialization_vector) is equal to
+     * initialization_vector_crc32c, and if so, perform
+     * a limited number of retries. A persistent mismatch may indicate an issue in
+     * your computation of the CRC32C checksum.
+     * Note: This field is defined as int64 for reasons of compatibility across
+     * different languages. However, it is a non-negative integer, which will
+     * never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+     * that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value initialization_vector_crc32c = 7 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return \Google\Protobuf\Int64Value|null
+     */
+    public function getInitializationVectorCrc32C()
+    {
+        return $this->initialization_vector_crc32c;
+    }
+
+    public function hasInitializationVectorCrc32C()
+    {
+        return isset($this->initialization_vector_crc32c);
+    }
+
+    public function clearInitializationVectorCrc32C()
+    {
+        unset($this->initialization_vector_crc32c);
+    }
+
+    /**
+     * Returns the unboxed value from <code>getInitializationVectorCrc32C()</code>
+
+     * Optional. An optional CRC32C checksum of the
+     * [RawEncryptRequest.initialization_vector][google.cloud.kms.v1.RawEncryptRequest.initialization_vector].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received initialization_vector using this
+     * checksum. [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     * will report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C(initialization_vector) is equal to
+     * initialization_vector_crc32c, and if so, perform
+     * a limited number of retries. A persistent mismatch may indicate an issue in
+     * your computation of the CRC32C checksum.
+     * Note: This field is defined as int64 for reasons of compatibility across
+     * different languages. However, it is a non-negative integer, which will
+     * never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+     * that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value initialization_vector_crc32c = 7 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @return int|string|null
+     */
+    public function getInitializationVectorCrc32CUnwrapped()
+    {
+        return $this->readWrapperValue("initialization_vector_crc32c");
+    }
+
+    /**
+     * Optional. An optional CRC32C checksum of the
+     * [RawEncryptRequest.initialization_vector][google.cloud.kms.v1.RawEncryptRequest.initialization_vector].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received initialization_vector using this
+     * checksum. [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     * will report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C(initialization_vector) is equal to
+     * initialization_vector_crc32c, and if so, perform
+     * a limited number of retries. A persistent mismatch may indicate an issue in
+     * your computation of the CRC32C checksum.
+     * Note: This field is defined as int64 for reasons of compatibility across
+     * different languages. However, it is a non-negative integer, which will
+     * never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+     * that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value initialization_vector_crc32c = 7 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param \Google\Protobuf\Int64Value $var
+     * @return $this
+     */
+    public function setInitializationVectorCrc32C($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Int64Value::class);
+        $this->initialization_vector_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * Sets the field by wrapping a primitive type in a Google\Protobuf\Int64Value object.
+
+     * Optional. An optional CRC32C checksum of the
+     * [RawEncryptRequest.initialization_vector][google.cloud.kms.v1.RawEncryptRequest.initialization_vector].
+     * If specified,
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
+     * verify the integrity of the received initialization_vector using this
+     * checksum. [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+     * will report an error if the checksum verification fails. If you receive a
+     * checksum error, your client should verify that
+     * CRC32C(initialization_vector) is equal to
+     * initialization_vector_crc32c, and if so, perform
+     * a limited number of retries. A persistent mismatch may indicate an issue in
+     * your computation of the CRC32C checksum.
+     * Note: This field is defined as int64 for reasons of compatibility across
+     * different languages. However, it is a non-negative integer, which will
+     * never exceed 2^32-1, and can be safely downconverted to uint32 in languages
+     * that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value initialization_vector_crc32c = 7 [(.google.api.field_behavior) = OPTIONAL];</code>
+     * @param int|string|null $var
+     * @return $this
+     */
+    public function setInitializationVectorCrc32CUnwrapped($var)
+    {
+        $this->writeWrapperValue("initialization_vector_crc32c", $var);
+        return $this;}
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/RawEncryptResponse.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/RawEncryptResponse.php
new file mode 100644
index 000000000000..b779e66f66c8
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/RawEncryptResponse.php
@@ -0,0 +1,744 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Response message for
+ * [KeyManagementService.RawEncrypt][google.cloud.kms.v1.KeyManagementService.RawEncrypt].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.RawEncryptResponse</code>
+ */
+class RawEncryptResponse extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * The encrypted data. In the case of AES-GCM, the authentication tag
+     * is the [tag_length][google.cloud.kms.v1.RawEncryptResponse.tag_length]
+     * bytes at the end of this field.
+     *
+     * Generated from protobuf field <code>bytes ciphertext = 1;</code>
+     */
+    protected $ciphertext = '';
+    /**
+     * The initialization vector (IV) generated by the service during
+     * encryption. This value must be stored and provided in
+     * [RawDecryptRequest.initialization_vector][google.cloud.kms.v1.RawDecryptRequest.initialization_vector]
+     * at decryption time.
+     *
+     * Generated from protobuf field <code>bytes initialization_vector = 2;</code>
+     */
+    protected $initialization_vector = '';
+    /**
+     * The length of the authentication tag that is appended to
+     * the end of the ciphertext.
+     *
+     * Generated from protobuf field <code>int32 tag_length = 3;</code>
+     */
+    protected $tag_length = 0;
+    /**
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [RawEncryptResponse.ciphertext][google.cloud.kms.v1.RawEncryptResponse.ciphertext].
+     * An integrity check of ciphertext can be performed by computing the CRC32C
+     * checksum of ciphertext and comparing your results to this field. Discard
+     * the response in case of non-matching checksum values, and perform a limited
+     * number of retries. A persistent mismatch may indicate an issue in your
+     * computation of the CRC32C checksum. Note: This field is defined as int64
+     * for reasons of compatibility across different languages. However, it is a
+     * non-negative integer, which will never exceed 2^32-1, and can be safely
+     * downconverted to uint32 in languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value ciphertext_crc32c = 4;</code>
+     */
+    protected $ciphertext_crc32c = null;
+    /**
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [RawEncryptResponse.initialization_vector][google.cloud.kms.v1.RawEncryptResponse.initialization_vector].
+     * An integrity check of initialization_vector can be performed by computing
+     * the CRC32C checksum of initialization_vector and comparing your results to
+     * this field. Discard the response in case of non-matching checksum values,
+     * and perform a limited number of retries. A persistent mismatch may indicate
+     * an issue in your computation of the CRC32C checksum. Note: This field is
+     * defined as int64 for reasons of compatibility across different languages.
+     * However, it is a non-negative integer, which will never exceed 2^32-1, and
+     * can be safely downconverted to uint32 in languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value initialization_vector_crc32c = 5;</code>
+     */
+    protected $initialization_vector_crc32c = null;
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [RawEncryptRequest.plaintext_crc32c][google.cloud.kms.v1.RawEncryptRequest.plaintext_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of the plaintext. A false value of this
+     * field indicates either that
+     * [RawEncryptRequest.plaintext_crc32c][google.cloud.kms.v1.RawEncryptRequest.plaintext_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [RawEncryptRequest.plaintext_crc32c][google.cloud.kms.v1.RawEncryptRequest.plaintext_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_plaintext_crc32c = 6;</code>
+     */
+    protected $verified_plaintext_crc32c = false;
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [RawEncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.RawEncryptRequest.additional_authenticated_data_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of additional_authenticated_data. A false
+     * value of this field indicates either that //
+     * [RawEncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.RawEncryptRequest.additional_authenticated_data_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [RawEncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.RawEncryptRequest.additional_authenticated_data_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_additional_authenticated_data_crc32c = 7;</code>
+     */
+    protected $verified_additional_authenticated_data_crc32c = false;
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [RawEncryptRequest.initialization_vector_crc32c][google.cloud.kms.v1.RawEncryptRequest.initialization_vector_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of initialization_vector. A false value of
+     * this field indicates either that
+     * [RawEncryptRequest.initialization_vector_crc32c][google.cloud.kms.v1.RawEncryptRequest.initialization_vector_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [RawEncryptRequest.initialization_vector_crc32c][google.cloud.kms.v1.RawEncryptRequest.initialization_vector_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_initialization_vector_crc32c = 10;</code>
+     */
+    protected $verified_initialization_vector_crc32c = false;
+    /**
+     * The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in
+     * encryption. Check this field to verify that the intended resource was used
+     * for encryption.
+     *
+     * Generated from protobuf field <code>string name = 8;</code>
+     */
+    protected $name = '';
+    /**
+     * The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in
+     * encryption.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 9;</code>
+     */
+    protected $protection_level = 0;
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $ciphertext
+     *           The encrypted data. In the case of AES-GCM, the authentication tag
+     *           is the [tag_length][google.cloud.kms.v1.RawEncryptResponse.tag_length]
+     *           bytes at the end of this field.
+     *     @type string $initialization_vector
+     *           The initialization vector (IV) generated by the service during
+     *           encryption. This value must be stored and provided in
+     *           [RawDecryptRequest.initialization_vector][google.cloud.kms.v1.RawDecryptRequest.initialization_vector]
+     *           at decryption time.
+     *     @type int $tag_length
+     *           The length of the authentication tag that is appended to
+     *           the end of the ciphertext.
+     *     @type \Google\Protobuf\Int64Value $ciphertext_crc32c
+     *           Integrity verification field. A CRC32C checksum of the returned
+     *           [RawEncryptResponse.ciphertext][google.cloud.kms.v1.RawEncryptResponse.ciphertext].
+     *           An integrity check of ciphertext can be performed by computing the CRC32C
+     *           checksum of ciphertext and comparing your results to this field. Discard
+     *           the response in case of non-matching checksum values, and perform a limited
+     *           number of retries. A persistent mismatch may indicate an issue in your
+     *           computation of the CRC32C checksum. Note: This field is defined as int64
+     *           for reasons of compatibility across different languages. However, it is a
+     *           non-negative integer, which will never exceed 2^32-1, and can be safely
+     *           downconverted to uint32 in languages that support this type.
+     *     @type \Google\Protobuf\Int64Value $initialization_vector_crc32c
+     *           Integrity verification field. A CRC32C checksum of the returned
+     *           [RawEncryptResponse.initialization_vector][google.cloud.kms.v1.RawEncryptResponse.initialization_vector].
+     *           An integrity check of initialization_vector can be performed by computing
+     *           the CRC32C checksum of initialization_vector and comparing your results to
+     *           this field. Discard the response in case of non-matching checksum values,
+     *           and perform a limited number of retries. A persistent mismatch may indicate
+     *           an issue in your computation of the CRC32C checksum. Note: This field is
+     *           defined as int64 for reasons of compatibility across different languages.
+     *           However, it is a non-negative integer, which will never exceed 2^32-1, and
+     *           can be safely downconverted to uint32 in languages that support this type.
+     *     @type bool $verified_plaintext_crc32c
+     *           Integrity verification field. A flag indicating whether
+     *           [RawEncryptRequest.plaintext_crc32c][google.cloud.kms.v1.RawEncryptRequest.plaintext_crc32c]
+     *           was received by
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     *           for the integrity verification of the plaintext. A false value of this
+     *           field indicates either that
+     *           [RawEncryptRequest.plaintext_crc32c][google.cloud.kms.v1.RawEncryptRequest.plaintext_crc32c]
+     *           was left unset or that it was not delivered to
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     *           set
+     *           [RawEncryptRequest.plaintext_crc32c][google.cloud.kms.v1.RawEncryptRequest.plaintext_crc32c]
+     *           but this field is still false, discard the response and perform a limited
+     *           number of retries.
+     *     @type bool $verified_additional_authenticated_data_crc32c
+     *           Integrity verification field. A flag indicating whether
+     *           [RawEncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.RawEncryptRequest.additional_authenticated_data_crc32c]
+     *           was received by
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     *           for the integrity verification of additional_authenticated_data. A false
+     *           value of this field indicates either that //
+     *           [RawEncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.RawEncryptRequest.additional_authenticated_data_crc32c]
+     *           was left unset or that it was not delivered to
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     *           set
+     *           [RawEncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.RawEncryptRequest.additional_authenticated_data_crc32c]
+     *           but this field is still false, discard the response and perform a limited
+     *           number of retries.
+     *     @type bool $verified_initialization_vector_crc32c
+     *           Integrity verification field. A flag indicating whether
+     *           [RawEncryptRequest.initialization_vector_crc32c][google.cloud.kms.v1.RawEncryptRequest.initialization_vector_crc32c]
+     *           was received by
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     *           for the integrity verification of initialization_vector. A false value of
+     *           this field indicates either that
+     *           [RawEncryptRequest.initialization_vector_crc32c][google.cloud.kms.v1.RawEncryptRequest.initialization_vector_crc32c]
+     *           was left unset or that it was not delivered to
+     *           [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     *           set
+     *           [RawEncryptRequest.initialization_vector_crc32c][google.cloud.kms.v1.RawEncryptRequest.initialization_vector_crc32c]
+     *           but this field is still false, discard the response and perform a limited
+     *           number of retries.
+     *     @type string $name
+     *           The resource name of the
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in
+     *           encryption. Check this field to verify that the intended resource was used
+     *           for encryption.
+     *     @type int $protection_level
+     *           The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in
+     *           encryption.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * The encrypted data. In the case of AES-GCM, the authentication tag
+     * is the [tag_length][google.cloud.kms.v1.RawEncryptResponse.tag_length]
+     * bytes at the end of this field.
+     *
+     * Generated from protobuf field <code>bytes ciphertext = 1;</code>
+     * @return string
+     */
+    public function getCiphertext()
+    {
+        return $this->ciphertext;
+    }
+
+    /**
+     * The encrypted data. In the case of AES-GCM, the authentication tag
+     * is the [tag_length][google.cloud.kms.v1.RawEncryptResponse.tag_length]
+     * bytes at the end of this field.
+     *
+     * Generated from protobuf field <code>bytes ciphertext = 1;</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setCiphertext($var)
+    {
+        GPBUtil::checkString($var, False);
+        $this->ciphertext = $var;
+
+        return $this;
+    }
+
+    /**
+     * The initialization vector (IV) generated by the service during
+     * encryption. This value must be stored and provided in
+     * [RawDecryptRequest.initialization_vector][google.cloud.kms.v1.RawDecryptRequest.initialization_vector]
+     * at decryption time.
+     *
+     * Generated from protobuf field <code>bytes initialization_vector = 2;</code>
+     * @return string
+     */
+    public function getInitializationVector()
+    {
+        return $this->initialization_vector;
+    }
+
+    /**
+     * The initialization vector (IV) generated by the service during
+     * encryption. This value must be stored and provided in
+     * [RawDecryptRequest.initialization_vector][google.cloud.kms.v1.RawDecryptRequest.initialization_vector]
+     * at decryption time.
+     *
+     * Generated from protobuf field <code>bytes initialization_vector = 2;</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setInitializationVector($var)
+    {
+        GPBUtil::checkString($var, False);
+        $this->initialization_vector = $var;
+
+        return $this;
+    }
+
+    /**
+     * The length of the authentication tag that is appended to
+     * the end of the ciphertext.
+     *
+     * Generated from protobuf field <code>int32 tag_length = 3;</code>
+     * @return int
+     */
+    public function getTagLength()
+    {
+        return $this->tag_length;
+    }
+
+    /**
+     * The length of the authentication tag that is appended to
+     * the end of the ciphertext.
+     *
+     * Generated from protobuf field <code>int32 tag_length = 3;</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setTagLength($var)
+    {
+        GPBUtil::checkInt32($var);
+        $this->tag_length = $var;
+
+        return $this;
+    }
+
+    /**
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [RawEncryptResponse.ciphertext][google.cloud.kms.v1.RawEncryptResponse.ciphertext].
+     * An integrity check of ciphertext can be performed by computing the CRC32C
+     * checksum of ciphertext and comparing your results to this field. Discard
+     * the response in case of non-matching checksum values, and perform a limited
+     * number of retries. A persistent mismatch may indicate an issue in your
+     * computation of the CRC32C checksum. Note: This field is defined as int64
+     * for reasons of compatibility across different languages. However, it is a
+     * non-negative integer, which will never exceed 2^32-1, and can be safely
+     * downconverted to uint32 in languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value ciphertext_crc32c = 4;</code>
+     * @return \Google\Protobuf\Int64Value|null
+     */
+    public function getCiphertextCrc32C()
+    {
+        return $this->ciphertext_crc32c;
+    }
+
+    public function hasCiphertextCrc32C()
+    {
+        return isset($this->ciphertext_crc32c);
+    }
+
+    public function clearCiphertextCrc32C()
+    {
+        unset($this->ciphertext_crc32c);
+    }
+
+    /**
+     * Returns the unboxed value from <code>getCiphertextCrc32C()</code>
+
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [RawEncryptResponse.ciphertext][google.cloud.kms.v1.RawEncryptResponse.ciphertext].
+     * An integrity check of ciphertext can be performed by computing the CRC32C
+     * checksum of ciphertext and comparing your results to this field. Discard
+     * the response in case of non-matching checksum values, and perform a limited
+     * number of retries. A persistent mismatch may indicate an issue in your
+     * computation of the CRC32C checksum. Note: This field is defined as int64
+     * for reasons of compatibility across different languages. However, it is a
+     * non-negative integer, which will never exceed 2^32-1, and can be safely
+     * downconverted to uint32 in languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value ciphertext_crc32c = 4;</code>
+     * @return int|string|null
+     */
+    public function getCiphertextCrc32CUnwrapped()
+    {
+        return $this->readWrapperValue("ciphertext_crc32c");
+    }
+
+    /**
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [RawEncryptResponse.ciphertext][google.cloud.kms.v1.RawEncryptResponse.ciphertext].
+     * An integrity check of ciphertext can be performed by computing the CRC32C
+     * checksum of ciphertext and comparing your results to this field. Discard
+     * the response in case of non-matching checksum values, and perform a limited
+     * number of retries. A persistent mismatch may indicate an issue in your
+     * computation of the CRC32C checksum. Note: This field is defined as int64
+     * for reasons of compatibility across different languages. However, it is a
+     * non-negative integer, which will never exceed 2^32-1, and can be safely
+     * downconverted to uint32 in languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value ciphertext_crc32c = 4;</code>
+     * @param \Google\Protobuf\Int64Value $var
+     * @return $this
+     */
+    public function setCiphertextCrc32C($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Int64Value::class);
+        $this->ciphertext_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * Sets the field by wrapping a primitive type in a Google\Protobuf\Int64Value object.
+
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [RawEncryptResponse.ciphertext][google.cloud.kms.v1.RawEncryptResponse.ciphertext].
+     * An integrity check of ciphertext can be performed by computing the CRC32C
+     * checksum of ciphertext and comparing your results to this field. Discard
+     * the response in case of non-matching checksum values, and perform a limited
+     * number of retries. A persistent mismatch may indicate an issue in your
+     * computation of the CRC32C checksum. Note: This field is defined as int64
+     * for reasons of compatibility across different languages. However, it is a
+     * non-negative integer, which will never exceed 2^32-1, and can be safely
+     * downconverted to uint32 in languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value ciphertext_crc32c = 4;</code>
+     * @param int|string|null $var
+     * @return $this
+     */
+    public function setCiphertextCrc32CUnwrapped($var)
+    {
+        $this->writeWrapperValue("ciphertext_crc32c", $var);
+        return $this;}
+
+    /**
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [RawEncryptResponse.initialization_vector][google.cloud.kms.v1.RawEncryptResponse.initialization_vector].
+     * An integrity check of initialization_vector can be performed by computing
+     * the CRC32C checksum of initialization_vector and comparing your results to
+     * this field. Discard the response in case of non-matching checksum values,
+     * and perform a limited number of retries. A persistent mismatch may indicate
+     * an issue in your computation of the CRC32C checksum. Note: This field is
+     * defined as int64 for reasons of compatibility across different languages.
+     * However, it is a non-negative integer, which will never exceed 2^32-1, and
+     * can be safely downconverted to uint32 in languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value initialization_vector_crc32c = 5;</code>
+     * @return \Google\Protobuf\Int64Value|null
+     */
+    public function getInitializationVectorCrc32C()
+    {
+        return $this->initialization_vector_crc32c;
+    }
+
+    public function hasInitializationVectorCrc32C()
+    {
+        return isset($this->initialization_vector_crc32c);
+    }
+
+    public function clearInitializationVectorCrc32C()
+    {
+        unset($this->initialization_vector_crc32c);
+    }
+
+    /**
+     * Returns the unboxed value from <code>getInitializationVectorCrc32C()</code>
+
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [RawEncryptResponse.initialization_vector][google.cloud.kms.v1.RawEncryptResponse.initialization_vector].
+     * An integrity check of initialization_vector can be performed by computing
+     * the CRC32C checksum of initialization_vector and comparing your results to
+     * this field. Discard the response in case of non-matching checksum values,
+     * and perform a limited number of retries. A persistent mismatch may indicate
+     * an issue in your computation of the CRC32C checksum. Note: This field is
+     * defined as int64 for reasons of compatibility across different languages.
+     * However, it is a non-negative integer, which will never exceed 2^32-1, and
+     * can be safely downconverted to uint32 in languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value initialization_vector_crc32c = 5;</code>
+     * @return int|string|null
+     */
+    public function getInitializationVectorCrc32CUnwrapped()
+    {
+        return $this->readWrapperValue("initialization_vector_crc32c");
+    }
+
+    /**
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [RawEncryptResponse.initialization_vector][google.cloud.kms.v1.RawEncryptResponse.initialization_vector].
+     * An integrity check of initialization_vector can be performed by computing
+     * the CRC32C checksum of initialization_vector and comparing your results to
+     * this field. Discard the response in case of non-matching checksum values,
+     * and perform a limited number of retries. A persistent mismatch may indicate
+     * an issue in your computation of the CRC32C checksum. Note: This field is
+     * defined as int64 for reasons of compatibility across different languages.
+     * However, it is a non-negative integer, which will never exceed 2^32-1, and
+     * can be safely downconverted to uint32 in languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value initialization_vector_crc32c = 5;</code>
+     * @param \Google\Protobuf\Int64Value $var
+     * @return $this
+     */
+    public function setInitializationVectorCrc32C($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\Int64Value::class);
+        $this->initialization_vector_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * Sets the field by wrapping a primitive type in a Google\Protobuf\Int64Value object.
+
+     * Integrity verification field. A CRC32C checksum of the returned
+     * [RawEncryptResponse.initialization_vector][google.cloud.kms.v1.RawEncryptResponse.initialization_vector].
+     * An integrity check of initialization_vector can be performed by computing
+     * the CRC32C checksum of initialization_vector and comparing your results to
+     * this field. Discard the response in case of non-matching checksum values,
+     * and perform a limited number of retries. A persistent mismatch may indicate
+     * an issue in your computation of the CRC32C checksum. Note: This field is
+     * defined as int64 for reasons of compatibility across different languages.
+     * However, it is a non-negative integer, which will never exceed 2^32-1, and
+     * can be safely downconverted to uint32 in languages that support this type.
+     *
+     * Generated from protobuf field <code>.google.protobuf.Int64Value initialization_vector_crc32c = 5;</code>
+     * @param int|string|null $var
+     * @return $this
+     */
+    public function setInitializationVectorCrc32CUnwrapped($var)
+    {
+        $this->writeWrapperValue("initialization_vector_crc32c", $var);
+        return $this;}
+
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [RawEncryptRequest.plaintext_crc32c][google.cloud.kms.v1.RawEncryptRequest.plaintext_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of the plaintext. A false value of this
+     * field indicates either that
+     * [RawEncryptRequest.plaintext_crc32c][google.cloud.kms.v1.RawEncryptRequest.plaintext_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [RawEncryptRequest.plaintext_crc32c][google.cloud.kms.v1.RawEncryptRequest.plaintext_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_plaintext_crc32c = 6;</code>
+     * @return bool
+     */
+    public function getVerifiedPlaintextCrc32C()
+    {
+        return $this->verified_plaintext_crc32c;
+    }
+
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [RawEncryptRequest.plaintext_crc32c][google.cloud.kms.v1.RawEncryptRequest.plaintext_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of the plaintext. A false value of this
+     * field indicates either that
+     * [RawEncryptRequest.plaintext_crc32c][google.cloud.kms.v1.RawEncryptRequest.plaintext_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [RawEncryptRequest.plaintext_crc32c][google.cloud.kms.v1.RawEncryptRequest.plaintext_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_plaintext_crc32c = 6;</code>
+     * @param bool $var
+     * @return $this
+     */
+    public function setVerifiedPlaintextCrc32C($var)
+    {
+        GPBUtil::checkBool($var);
+        $this->verified_plaintext_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [RawEncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.RawEncryptRequest.additional_authenticated_data_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of additional_authenticated_data. A false
+     * value of this field indicates either that //
+     * [RawEncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.RawEncryptRequest.additional_authenticated_data_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [RawEncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.RawEncryptRequest.additional_authenticated_data_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_additional_authenticated_data_crc32c = 7;</code>
+     * @return bool
+     */
+    public function getVerifiedAdditionalAuthenticatedDataCrc32C()
+    {
+        return $this->verified_additional_authenticated_data_crc32c;
+    }
+
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [RawEncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.RawEncryptRequest.additional_authenticated_data_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of additional_authenticated_data. A false
+     * value of this field indicates either that //
+     * [RawEncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.RawEncryptRequest.additional_authenticated_data_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [RawEncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.RawEncryptRequest.additional_authenticated_data_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_additional_authenticated_data_crc32c = 7;</code>
+     * @param bool $var
+     * @return $this
+     */
+    public function setVerifiedAdditionalAuthenticatedDataCrc32C($var)
+    {
+        GPBUtil::checkBool($var);
+        $this->verified_additional_authenticated_data_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [RawEncryptRequest.initialization_vector_crc32c][google.cloud.kms.v1.RawEncryptRequest.initialization_vector_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of initialization_vector. A false value of
+     * this field indicates either that
+     * [RawEncryptRequest.initialization_vector_crc32c][google.cloud.kms.v1.RawEncryptRequest.initialization_vector_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [RawEncryptRequest.initialization_vector_crc32c][google.cloud.kms.v1.RawEncryptRequest.initialization_vector_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_initialization_vector_crc32c = 10;</code>
+     * @return bool
+     */
+    public function getVerifiedInitializationVectorCrc32C()
+    {
+        return $this->verified_initialization_vector_crc32c;
+    }
+
+    /**
+     * Integrity verification field. A flag indicating whether
+     * [RawEncryptRequest.initialization_vector_crc32c][google.cloud.kms.v1.RawEncryptRequest.initialization_vector_crc32c]
+     * was received by
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
+     * for the integrity verification of initialization_vector. A false value of
+     * this field indicates either that
+     * [RawEncryptRequest.initialization_vector_crc32c][google.cloud.kms.v1.RawEncryptRequest.initialization_vector_crc32c]
+     * was left unset or that it was not delivered to
+     * [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
+     * set
+     * [RawEncryptRequest.initialization_vector_crc32c][google.cloud.kms.v1.RawEncryptRequest.initialization_vector_crc32c]
+     * but this field is still false, discard the response and perform a limited
+     * number of retries.
+     *
+     * Generated from protobuf field <code>bool verified_initialization_vector_crc32c = 10;</code>
+     * @param bool $var
+     * @return $this
+     */
+    public function setVerifiedInitializationVectorCrc32C($var)
+    {
+        GPBUtil::checkBool($var);
+        $this->verified_initialization_vector_crc32c = $var;
+
+        return $this;
+    }
+
+    /**
+     * The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in
+     * encryption. Check this field to verify that the intended resource was used
+     * for encryption.
+     *
+     * Generated from protobuf field <code>string name = 8;</code>
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in
+     * encryption. Check this field to verify that the intended resource was used
+     * for encryption.
+     *
+     * Generated from protobuf field <code>string name = 8;</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setName($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->name = $var;
+
+        return $this;
+    }
+
+    /**
+     * The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in
+     * encryption.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 9;</code>
+     * @return int
+     */
+    public function getProtectionLevel()
+    {
+        return $this->protection_level;
+    }
+
+    /**
+     * The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in
+     * encryption.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.ProtectionLevel protection_level = 9;</code>
+     * @param int $var
+     * @return $this
+     */
+    public function setProtectionLevel($var)
+    {
+        GPBUtil::checkEnum($var, \Google\Cloud\Kms\V1\ProtectionLevel::class);
+        $this->protection_level = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/RestoreCryptoKeyVersionRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/RestoreCryptoKeyVersionRequest.php
new file mode 100644
index 000000000000..d62fe8e8863c
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/RestoreCryptoKeyVersionRequest.php
@@ -0,0 +1,87 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [KeyManagementService.RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.RestoreCryptoKeyVersionRequest</code>
+ */
+class RestoreCryptoKeyVersionRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to restore.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     */
+    protected $name = '';
+
+    /**
+     * @param string $name Required. The resource name of the
+     *                     [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to restore. Please see
+     *                     {@see KeyManagementServiceClient::cryptoKeyVersionName()} for help formatting this field.
+     *
+     * @return \Google\Cloud\Kms\V1\RestoreCryptoKeyVersionRequest
+     *
+     * @experimental
+     */
+    public static function build(string $name): self
+    {
+        return (new self())
+            ->setName($name);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $name
+     *           Required. The resource name of the
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to restore.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to restore.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * Required. The resource name of the
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to restore.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setName($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->name = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ShowEffectiveAutokeyConfigRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ShowEffectiveAutokeyConfigRequest.php
new file mode 100644
index 000000000000..d92a39db1b36
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ShowEffectiveAutokeyConfigRequest.php
@@ -0,0 +1,92 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/autokey_admin.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [ShowEffectiveAutokeyConfig][google.cloud.kms.v1.AutokeyAdmin.ShowEffectiveAutokeyConfig].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.ShowEffectiveAutokeyConfigRequest</code>
+ */
+class ShowEffectiveAutokeyConfigRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. Name of the resource project to the show effective Cloud KMS
+     * Autokey configuration for. This may be helpful for interrogating the effect
+     * of nested folder configurations on a given resource project.
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     */
+    protected $parent = '';
+
+    /**
+     * @param string $parent Required. Name of the resource project to the show effective Cloud KMS
+     *                       Autokey configuration for. This may be helpful for interrogating the effect
+     *                       of nested folder configurations on a given resource project. Please see
+     *                       {@see AutokeyAdminClient::projectName()} for help formatting this field.
+     *
+     * @return \Google\Cloud\Kms\V1\ShowEffectiveAutokeyConfigRequest
+     *
+     * @experimental
+     */
+    public static function build(string $parent): self
+    {
+        return (new self())
+            ->setParent($parent);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $parent
+     *           Required. Name of the resource project to the show effective Cloud KMS
+     *           Autokey configuration for. This may be helpful for interrogating the effect
+     *           of nested folder configurations on a given resource project.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\AutokeyAdmin::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. Name of the resource project to the show effective Cloud KMS
+     * Autokey configuration for. This may be helpful for interrogating the effect
+     * of nested folder configurations on a given resource project.
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @return string
+     */
+    public function getParent()
+    {
+        return $this->parent;
+    }
+
+    /**
+     * Required. Name of the resource project to the show effective Cloud KMS
+     * Autokey configuration for. This may be helpful for interrogating the effect
+     * of nested folder configurations on a given resource project.
+     *
+     * Generated from protobuf field <code>string parent = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setParent($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->parent = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ShowEffectiveAutokeyConfigResponse.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ShowEffectiveAutokeyConfigResponse.php
new file mode 100644
index 000000000000..418d222e0779
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/ShowEffectiveAutokeyConfigResponse.php
@@ -0,0 +1,72 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/autokey_admin.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Response message for
+ * [ShowEffectiveAutokeyConfig][google.cloud.kms.v1.AutokeyAdmin.ShowEffectiveAutokeyConfig].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.ShowEffectiveAutokeyConfigResponse</code>
+ */
+class ShowEffectiveAutokeyConfigResponse extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Name of the key project configured in the resource project's folder
+     * ancestry.
+     *
+     * Generated from protobuf field <code>string key_project = 1;</code>
+     */
+    protected $key_project = '';
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $key_project
+     *           Name of the key project configured in the resource project's folder
+     *           ancestry.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\AutokeyAdmin::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Name of the key project configured in the resource project's folder
+     * ancestry.
+     *
+     * Generated from protobuf field <code>string key_project = 1;</code>
+     * @return string
+     */
+    public function getKeyProject()
+    {
+        return $this->key_project;
+    }
+
+    /**
+     * Name of the key project configured in the resource project's folder
+     * ancestry.
+     *
+     * Generated from protobuf field <code>string key_project = 1;</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setKeyProject($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->key_project = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/UpdateAutokeyConfigRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/UpdateAutokeyConfigRequest.php
new file mode 100644
index 000000000000..28b4dc1f3e6d
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/UpdateAutokeyConfigRequest.php
@@ -0,0 +1,152 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/autokey_admin.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [UpdateAutokeyConfig][google.cloud.kms.v1.AutokeyAdmin.UpdateAutokeyConfig].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.UpdateAutokeyConfigRequest</code>
+ */
+class UpdateAutokeyConfigRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig] with values to
+     * update.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.AutokeyConfig autokey_config = 1 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    protected $autokey_config = null;
+    /**
+     * Required. Masks which fields of the
+     * [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig] to update, e.g.
+     * `keyProject`.
+     *
+     * Generated from protobuf field <code>.google.protobuf.FieldMask update_mask = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    protected $update_mask = null;
+
+    /**
+     * @param \Google\Cloud\Kms\V1\AutokeyConfig $autokeyConfig Required. [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig] with values to
+     *                                                          update.
+     * @param \Google\Protobuf\FieldMask         $updateMask    Required. Masks which fields of the
+     *                                                          [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig] to update, e.g.
+     *                                                          `keyProject`.
+     *
+     * @return \Google\Cloud\Kms\V1\UpdateAutokeyConfigRequest
+     *
+     * @experimental
+     */
+    public static function build(\Google\Cloud\Kms\V1\AutokeyConfig $autokeyConfig, \Google\Protobuf\FieldMask $updateMask): self
+    {
+        return (new self())
+            ->setAutokeyConfig($autokeyConfig)
+            ->setUpdateMask($updateMask);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type \Google\Cloud\Kms\V1\AutokeyConfig $autokey_config
+     *           Required. [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig] with values to
+     *           update.
+     *     @type \Google\Protobuf\FieldMask $update_mask
+     *           Required. Masks which fields of the
+     *           [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig] to update, e.g.
+     *           `keyProject`.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\AutokeyAdmin::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig] with values to
+     * update.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.AutokeyConfig autokey_config = 1 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return \Google\Cloud\Kms\V1\AutokeyConfig|null
+     */
+    public function getAutokeyConfig()
+    {
+        return $this->autokey_config;
+    }
+
+    public function hasAutokeyConfig()
+    {
+        return isset($this->autokey_config);
+    }
+
+    public function clearAutokeyConfig()
+    {
+        unset($this->autokey_config);
+    }
+
+    /**
+     * Required. [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig] with values to
+     * update.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.AutokeyConfig autokey_config = 1 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param \Google\Cloud\Kms\V1\AutokeyConfig $var
+     * @return $this
+     */
+    public function setAutokeyConfig($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Cloud\Kms\V1\AutokeyConfig::class);
+        $this->autokey_config = $var;
+
+        return $this;
+    }
+
+    /**
+     * Required. Masks which fields of the
+     * [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig] to update, e.g.
+     * `keyProject`.
+     *
+     * Generated from protobuf field <code>.google.protobuf.FieldMask update_mask = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return \Google\Protobuf\FieldMask|null
+     */
+    public function getUpdateMask()
+    {
+        return $this->update_mask;
+    }
+
+    public function hasUpdateMask()
+    {
+        return isset($this->update_mask);
+    }
+
+    public function clearUpdateMask()
+    {
+        unset($this->update_mask);
+    }
+
+    /**
+     * Required. Masks which fields of the
+     * [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig] to update, e.g.
+     * `keyProject`.
+     *
+     * Generated from protobuf field <code>.google.protobuf.FieldMask update_mask = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param \Google\Protobuf\FieldMask $var
+     * @return $this
+     */
+    public function setUpdateMask($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\FieldMask::class);
+        $this->update_mask = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/UpdateCryptoKeyPrimaryVersionRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/UpdateCryptoKeyPrimaryVersionRequest.php
new file mode 100644
index 000000000000..1a9161832a5e
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/UpdateCryptoKeyPrimaryVersionRequest.php
@@ -0,0 +1,128 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [KeyManagementService.UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.UpdateCryptoKeyPrimaryVersionRequest</code>
+ */
+class UpdateCryptoKeyPrimaryVersionRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. The resource name of the
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] to update.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     */
+    protected $name = '';
+    /**
+     * Required. The id of the child
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use as primary.
+     *
+     * Generated from protobuf field <code>string crypto_key_version_id = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    protected $crypto_key_version_id = '';
+
+    /**
+     * @param string $name               Required. The resource name of the
+     *                                   [CryptoKey][google.cloud.kms.v1.CryptoKey] to update. Please see
+     *                                   {@see KeyManagementServiceClient::cryptoKeyName()} for help formatting this field.
+     * @param string $cryptoKeyVersionId Required. The id of the child
+     *                                   [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use as primary.
+     *
+     * @return \Google\Cloud\Kms\V1\UpdateCryptoKeyPrimaryVersionRequest
+     *
+     * @experimental
+     */
+    public static function build(string $name, string $cryptoKeyVersionId): self
+    {
+        return (new self())
+            ->setName($name)
+            ->setCryptoKeyVersionId($cryptoKeyVersionId);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $name
+     *           Required. The resource name of the
+     *           [CryptoKey][google.cloud.kms.v1.CryptoKey] to update.
+     *     @type string $crypto_key_version_id
+     *           Required. The id of the child
+     *           [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use as primary.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. The resource name of the
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] to update.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * Required. The resource name of the
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey] to update.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setName($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->name = $var;
+
+        return $this;
+    }
+
+    /**
+     * Required. The id of the child
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use as primary.
+     *
+     * Generated from protobuf field <code>string crypto_key_version_id = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return string
+     */
+    public function getCryptoKeyVersionId()
+    {
+        return $this->crypto_key_version_id;
+    }
+
+    /**
+     * Required. The id of the child
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use as primary.
+     *
+     * Generated from protobuf field <code>string crypto_key_version_id = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setCryptoKeyVersionId($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->crypto_key_version_id = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/UpdateCryptoKeyRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/UpdateCryptoKeyRequest.php
new file mode 100644
index 000000000000..b11e974dbe70
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/UpdateCryptoKeyRequest.php
@@ -0,0 +1,137 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [KeyManagementService.UpdateCryptoKey][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKey].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.UpdateCryptoKeyRequest</code>
+ */
+class UpdateCryptoKeyRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. [CryptoKey][google.cloud.kms.v1.CryptoKey] with updated values.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKey crypto_key = 1 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    protected $crypto_key = null;
+    /**
+     * Required. List of fields to be updated in this request.
+     *
+     * Generated from protobuf field <code>.google.protobuf.FieldMask update_mask = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    protected $update_mask = null;
+
+    /**
+     * @param \Google\Cloud\Kms\V1\CryptoKey $cryptoKey  Required. [CryptoKey][google.cloud.kms.v1.CryptoKey] with updated values.
+     * @param \Google\Protobuf\FieldMask     $updateMask Required. List of fields to be updated in this request.
+     *
+     * @return \Google\Cloud\Kms\V1\UpdateCryptoKeyRequest
+     *
+     * @experimental
+     */
+    public static function build(\Google\Cloud\Kms\V1\CryptoKey $cryptoKey, \Google\Protobuf\FieldMask $updateMask): self
+    {
+        return (new self())
+            ->setCryptoKey($cryptoKey)
+            ->setUpdateMask($updateMask);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type \Google\Cloud\Kms\V1\CryptoKey $crypto_key
+     *           Required. [CryptoKey][google.cloud.kms.v1.CryptoKey] with updated values.
+     *     @type \Google\Protobuf\FieldMask $update_mask
+     *           Required. List of fields to be updated in this request.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. [CryptoKey][google.cloud.kms.v1.CryptoKey] with updated values.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKey crypto_key = 1 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return \Google\Cloud\Kms\V1\CryptoKey|null
+     */
+    public function getCryptoKey()
+    {
+        return $this->crypto_key;
+    }
+
+    public function hasCryptoKey()
+    {
+        return isset($this->crypto_key);
+    }
+
+    public function clearCryptoKey()
+    {
+        unset($this->crypto_key);
+    }
+
+    /**
+     * Required. [CryptoKey][google.cloud.kms.v1.CryptoKey] with updated values.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKey crypto_key = 1 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param \Google\Cloud\Kms\V1\CryptoKey $var
+     * @return $this
+     */
+    public function setCryptoKey($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Cloud\Kms\V1\CryptoKey::class);
+        $this->crypto_key = $var;
+
+        return $this;
+    }
+
+    /**
+     * Required. List of fields to be updated in this request.
+     *
+     * Generated from protobuf field <code>.google.protobuf.FieldMask update_mask = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return \Google\Protobuf\FieldMask|null
+     */
+    public function getUpdateMask()
+    {
+        return $this->update_mask;
+    }
+
+    public function hasUpdateMask()
+    {
+        return isset($this->update_mask);
+    }
+
+    public function clearUpdateMask()
+    {
+        unset($this->update_mask);
+    }
+
+    /**
+     * Required. List of fields to be updated in this request.
+     *
+     * Generated from protobuf field <code>.google.protobuf.FieldMask update_mask = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param \Google\Protobuf\FieldMask $var
+     * @return $this
+     */
+    public function setUpdateMask($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\FieldMask::class);
+        $this->update_mask = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/UpdateCryptoKeyVersionRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/UpdateCryptoKeyVersionRequest.php
new file mode 100644
index 000000000000..c91c56d8b516
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/UpdateCryptoKeyVersionRequest.php
@@ -0,0 +1,142 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [KeyManagementService.UpdateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyVersion].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.UpdateCryptoKeyVersionRequest</code>
+ */
+class UpdateCryptoKeyVersionRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
+     * updated values.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKeyVersion crypto_key_version = 1 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    protected $crypto_key_version = null;
+    /**
+     * Required. List of fields to be updated in this request.
+     *
+     * Generated from protobuf field <code>.google.protobuf.FieldMask update_mask = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    protected $update_mask = null;
+
+    /**
+     * @param \Google\Cloud\Kms\V1\CryptoKeyVersion $cryptoKeyVersion Required. [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
+     *                                                                updated values.
+     * @param \Google\Protobuf\FieldMask            $updateMask       Required. List of fields to be updated in this request.
+     *
+     * @return \Google\Cloud\Kms\V1\UpdateCryptoKeyVersionRequest
+     *
+     * @experimental
+     */
+    public static function build(\Google\Cloud\Kms\V1\CryptoKeyVersion $cryptoKeyVersion, \Google\Protobuf\FieldMask $updateMask): self
+    {
+        return (new self())
+            ->setCryptoKeyVersion($cryptoKeyVersion)
+            ->setUpdateMask($updateMask);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type \Google\Cloud\Kms\V1\CryptoKeyVersion $crypto_key_version
+     *           Required. [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
+     *           updated values.
+     *     @type \Google\Protobuf\FieldMask $update_mask
+     *           Required. List of fields to be updated in this request.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\Service::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
+     * updated values.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKeyVersion crypto_key_version = 1 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return \Google\Cloud\Kms\V1\CryptoKeyVersion|null
+     */
+    public function getCryptoKeyVersion()
+    {
+        return $this->crypto_key_version;
+    }
+
+    public function hasCryptoKeyVersion()
+    {
+        return isset($this->crypto_key_version);
+    }
+
+    public function clearCryptoKeyVersion()
+    {
+        unset($this->crypto_key_version);
+    }
+
+    /**
+     * Required. [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
+     * updated values.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.CryptoKeyVersion crypto_key_version = 1 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param \Google\Cloud\Kms\V1\CryptoKeyVersion $var
+     * @return $this
+     */
+    public function setCryptoKeyVersion($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Cloud\Kms\V1\CryptoKeyVersion::class);
+        $this->crypto_key_version = $var;
+
+        return $this;
+    }
+
+    /**
+     * Required. List of fields to be updated in this request.
+     *
+     * Generated from protobuf field <code>.google.protobuf.FieldMask update_mask = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return \Google\Protobuf\FieldMask|null
+     */
+    public function getUpdateMask()
+    {
+        return $this->update_mask;
+    }
+
+    public function hasUpdateMask()
+    {
+        return isset($this->update_mask);
+    }
+
+    public function clearUpdateMask()
+    {
+        unset($this->update_mask);
+    }
+
+    /**
+     * Required. List of fields to be updated in this request.
+     *
+     * Generated from protobuf field <code>.google.protobuf.FieldMask update_mask = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param \Google\Protobuf\FieldMask $var
+     * @return $this
+     */
+    public function setUpdateMask($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\FieldMask::class);
+        $this->update_mask = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/UpdateEkmConfigRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/UpdateEkmConfigRequest.php
new file mode 100644
index 000000000000..e33d285b04a2
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/UpdateEkmConfigRequest.php
@@ -0,0 +1,137 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/ekm_service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [EkmService.UpdateEkmConfig][google.cloud.kms.v1.EkmService.UpdateEkmConfig].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.UpdateEkmConfigRequest</code>
+ */
+class UpdateEkmConfigRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. [EkmConfig][google.cloud.kms.v1.EkmConfig] with updated values.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.EkmConfig ekm_config = 1 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    protected $ekm_config = null;
+    /**
+     * Required. List of fields to be updated in this request.
+     *
+     * Generated from protobuf field <code>.google.protobuf.FieldMask update_mask = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    protected $update_mask = null;
+
+    /**
+     * @param \Google\Cloud\Kms\V1\EkmConfig $ekmConfig  Required. [EkmConfig][google.cloud.kms.v1.EkmConfig] with updated values.
+     * @param \Google\Protobuf\FieldMask     $updateMask Required. List of fields to be updated in this request.
+     *
+     * @return \Google\Cloud\Kms\V1\UpdateEkmConfigRequest
+     *
+     * @experimental
+     */
+    public static function build(\Google\Cloud\Kms\V1\EkmConfig $ekmConfig, \Google\Protobuf\FieldMask $updateMask): self
+    {
+        return (new self())
+            ->setEkmConfig($ekmConfig)
+            ->setUpdateMask($updateMask);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type \Google\Cloud\Kms\V1\EkmConfig $ekm_config
+     *           Required. [EkmConfig][google.cloud.kms.v1.EkmConfig] with updated values.
+     *     @type \Google\Protobuf\FieldMask $update_mask
+     *           Required. List of fields to be updated in this request.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\EkmService::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. [EkmConfig][google.cloud.kms.v1.EkmConfig] with updated values.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.EkmConfig ekm_config = 1 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return \Google\Cloud\Kms\V1\EkmConfig|null
+     */
+    public function getEkmConfig()
+    {
+        return $this->ekm_config;
+    }
+
+    public function hasEkmConfig()
+    {
+        return isset($this->ekm_config);
+    }
+
+    public function clearEkmConfig()
+    {
+        unset($this->ekm_config);
+    }
+
+    /**
+     * Required. [EkmConfig][google.cloud.kms.v1.EkmConfig] with updated values.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.EkmConfig ekm_config = 1 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param \Google\Cloud\Kms\V1\EkmConfig $var
+     * @return $this
+     */
+    public function setEkmConfig($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Cloud\Kms\V1\EkmConfig::class);
+        $this->ekm_config = $var;
+
+        return $this;
+    }
+
+    /**
+     * Required. List of fields to be updated in this request.
+     *
+     * Generated from protobuf field <code>.google.protobuf.FieldMask update_mask = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return \Google\Protobuf\FieldMask|null
+     */
+    public function getUpdateMask()
+    {
+        return $this->update_mask;
+    }
+
+    public function hasUpdateMask()
+    {
+        return isset($this->update_mask);
+    }
+
+    public function clearUpdateMask()
+    {
+        unset($this->update_mask);
+    }
+
+    /**
+     * Required. List of fields to be updated in this request.
+     *
+     * Generated from protobuf field <code>.google.protobuf.FieldMask update_mask = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param \Google\Protobuf\FieldMask $var
+     * @return $this
+     */
+    public function setUpdateMask($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\FieldMask::class);
+        $this->update_mask = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/UpdateEkmConnectionRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/UpdateEkmConnectionRequest.php
new file mode 100644
index 000000000000..0a77d3a6ab24
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/UpdateEkmConnectionRequest.php
@@ -0,0 +1,142 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/ekm_service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [EkmService.UpdateEkmConnection][google.cloud.kms.v1.EkmService.UpdateEkmConnection].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.UpdateEkmConnectionRequest</code>
+ */
+class UpdateEkmConnectionRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. [EkmConnection][google.cloud.kms.v1.EkmConnection] with updated
+     * values.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.EkmConnection ekm_connection = 1 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    protected $ekm_connection = null;
+    /**
+     * Required. List of fields to be updated in this request.
+     *
+     * Generated from protobuf field <code>.google.protobuf.FieldMask update_mask = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     */
+    protected $update_mask = null;
+
+    /**
+     * @param \Google\Cloud\Kms\V1\EkmConnection $ekmConnection Required. [EkmConnection][google.cloud.kms.v1.EkmConnection] with updated
+     *                                                          values.
+     * @param \Google\Protobuf\FieldMask         $updateMask    Required. List of fields to be updated in this request.
+     *
+     * @return \Google\Cloud\Kms\V1\UpdateEkmConnectionRequest
+     *
+     * @experimental
+     */
+    public static function build(\Google\Cloud\Kms\V1\EkmConnection $ekmConnection, \Google\Protobuf\FieldMask $updateMask): self
+    {
+        return (new self())
+            ->setEkmConnection($ekmConnection)
+            ->setUpdateMask($updateMask);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type \Google\Cloud\Kms\V1\EkmConnection $ekm_connection
+     *           Required. [EkmConnection][google.cloud.kms.v1.EkmConnection] with updated
+     *           values.
+     *     @type \Google\Protobuf\FieldMask $update_mask
+     *           Required. List of fields to be updated in this request.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\EkmService::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. [EkmConnection][google.cloud.kms.v1.EkmConnection] with updated
+     * values.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.EkmConnection ekm_connection = 1 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return \Google\Cloud\Kms\V1\EkmConnection|null
+     */
+    public function getEkmConnection()
+    {
+        return $this->ekm_connection;
+    }
+
+    public function hasEkmConnection()
+    {
+        return isset($this->ekm_connection);
+    }
+
+    public function clearEkmConnection()
+    {
+        unset($this->ekm_connection);
+    }
+
+    /**
+     * Required. [EkmConnection][google.cloud.kms.v1.EkmConnection] with updated
+     * values.
+     *
+     * Generated from protobuf field <code>.google.cloud.kms.v1.EkmConnection ekm_connection = 1 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param \Google\Cloud\Kms\V1\EkmConnection $var
+     * @return $this
+     */
+    public function setEkmConnection($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Cloud\Kms\V1\EkmConnection::class);
+        $this->ekm_connection = $var;
+
+        return $this;
+    }
+
+    /**
+     * Required. List of fields to be updated in this request.
+     *
+     * Generated from protobuf field <code>.google.protobuf.FieldMask update_mask = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @return \Google\Protobuf\FieldMask|null
+     */
+    public function getUpdateMask()
+    {
+        return $this->update_mask;
+    }
+
+    public function hasUpdateMask()
+    {
+        return isset($this->update_mask);
+    }
+
+    public function clearUpdateMask()
+    {
+        unset($this->update_mask);
+    }
+
+    /**
+     * Required. List of fields to be updated in this request.
+     *
+     * Generated from protobuf field <code>.google.protobuf.FieldMask update_mask = 2 [(.google.api.field_behavior) = REQUIRED];</code>
+     * @param \Google\Protobuf\FieldMask $var
+     * @return $this
+     */
+    public function setUpdateMask($var)
+    {
+        GPBUtil::checkMessage($var, \Google\Protobuf\FieldMask::class);
+        $this->update_mask = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/VerifyConnectivityRequest.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/VerifyConnectivityRequest.php
new file mode 100644
index 000000000000..7ad43869a480
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/VerifyConnectivityRequest.php
@@ -0,0 +1,87 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/ekm_service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Request message for
+ * [EkmService.VerifyConnectivity][google.cloud.kms.v1.EkmService.VerifyConnectivity].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.VerifyConnectivityRequest</code>
+ */
+class VerifyConnectivityRequest extends \Google\Protobuf\Internal\Message
+{
+    /**
+     * Required. The [name][google.cloud.kms.v1.EkmConnection.name] of the
+     * [EkmConnection][google.cloud.kms.v1.EkmConnection] to verify.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     */
+    protected $name = '';
+
+    /**
+     * @param string $name Required. The [name][google.cloud.kms.v1.EkmConnection.name] of the
+     *                     [EkmConnection][google.cloud.kms.v1.EkmConnection] to verify. Please see
+     *                     {@see EkmServiceClient::ekmConnectionName()} for help formatting this field.
+     *
+     * @return \Google\Cloud\Kms\V1\VerifyConnectivityRequest
+     *
+     * @experimental
+     */
+    public static function build(string $name): self
+    {
+        return (new self())
+            ->setName($name);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     *     @type string $name
+     *           Required. The [name][google.cloud.kms.v1.EkmConnection.name] of the
+     *           [EkmConnection][google.cloud.kms.v1.EkmConnection] to verify.
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\EkmService::initOnce();
+        parent::__construct($data);
+    }
+
+    /**
+     * Required. The [name][google.cloud.kms.v1.EkmConnection.name] of the
+     * [EkmConnection][google.cloud.kms.v1.EkmConnection] to verify.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * Required. The [name][google.cloud.kms.v1.EkmConnection.name] of the
+     * [EkmConnection][google.cloud.kms.v1.EkmConnection] to verify.
+     *
+     * Generated from protobuf field <code>string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.resource_reference) = {</code>
+     * @param string $var
+     * @return $this
+     */
+    public function setName($var)
+    {
+        GPBUtil::checkString($var, True);
+        $this->name = $var;
+
+        return $this;
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/VerifyConnectivityResponse.php b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/VerifyConnectivityResponse.php
new file mode 100644
index 000000000000..4221f23c7637
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/proto/src/Google/Cloud/Kms/V1/VerifyConnectivityResponse.php
@@ -0,0 +1,34 @@
+<?php
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/kms/v1/ekm_service.proto
+
+namespace Google\Cloud\Kms\V1;
+
+use Google\Protobuf\Internal\GPBType;
+use Google\Protobuf\Internal\RepeatedField;
+use Google\Protobuf\Internal\GPBUtil;
+
+/**
+ * Response message for
+ * [EkmService.VerifyConnectivity][google.cloud.kms.v1.EkmService.VerifyConnectivity].
+ *
+ * Generated from protobuf message <code>google.cloud.kms.v1.VerifyConnectivityResponse</code>
+ */
+class VerifyConnectivityResponse extends \Google\Protobuf\Internal\Message
+{
+
+    /**
+     * Constructor.
+     *
+     * @param array $data {
+     *     Optional. Data for populating the Message object.
+     *
+     * }
+     */
+    public function __construct($data = NULL) {
+        \GPBMetadata\Google\Cloud\Kms\V1\EkmService::initOnce();
+        parent::__construct($data);
+    }
+
+}
+
diff --git a/owl-bot-staging/Kms/v1/samples/V1/AutokeyAdminClient/get_autokey_config.php b/owl-bot-staging/Kms/v1/samples/V1/AutokeyAdminClient/get_autokey_config.php
new file mode 100644
index 000000000000..89599d61f7aa
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/AutokeyAdminClient/get_autokey_config.php
@@ -0,0 +1,73 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_AutokeyAdmin_GetAutokeyConfig_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\AutokeyConfig;
+use Google\Cloud\Kms\V1\Client\AutokeyAdminClient;
+use Google\Cloud\Kms\V1\GetAutokeyConfigRequest;
+
+/**
+ * Returns the [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig] for a
+ * folder.
+ *
+ * @param string $formattedName Name of the [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig]
+ *                              resource, e.g. `folders/{FOLDER_NUMBER}/autokeyConfig`. Please see
+ *                              {@see AutokeyAdminClient::autokeyConfigName()} for help formatting this field.
+ */
+function get_autokey_config_sample(string $formattedName): void
+{
+    // Create a client.
+    $autokeyAdminClient = new AutokeyAdminClient();
+
+    // Prepare the request message.
+    $request = (new GetAutokeyConfigRequest())
+        ->setName($formattedName);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var AutokeyConfig $response */
+        $response = $autokeyAdminClient->getAutokeyConfig($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedName = AutokeyAdminClient::autokeyConfigName('[FOLDER]');
+
+    get_autokey_config_sample($formattedName);
+}
+// [END cloudkms_v1_generated_AutokeyAdmin_GetAutokeyConfig_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/AutokeyAdminClient/get_iam_policy.php b/owl-bot-staging/Kms/v1/samples/V1/AutokeyAdminClient/get_iam_policy.php
new file mode 100644
index 000000000000..21fc073d8358
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/AutokeyAdminClient/get_iam_policy.php
@@ -0,0 +1,72 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_AutokeyAdmin_GetIamPolicy_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Iam\V1\GetIamPolicyRequest;
+use Google\Cloud\Iam\V1\Policy;
+use Google\Cloud\Kms\V1\Client\AutokeyAdminClient;
+
+/**
+ * Gets the access control policy for a resource. Returns an empty policy
+if the resource exists and does not have a policy set.
+ *
+ * @param string $resource REQUIRED: The resource for which the policy is being requested.
+ *                         See the operation documentation for the appropriate value for this field.
+ */
+function get_iam_policy_sample(string $resource): void
+{
+    // Create a client.
+    $autokeyAdminClient = new AutokeyAdminClient();
+
+    // Prepare the request message.
+    $request = (new GetIamPolicyRequest())
+        ->setResource($resource);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var Policy $response */
+        $response = $autokeyAdminClient->getIamPolicy($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $resource = '[RESOURCE]';
+
+    get_iam_policy_sample($resource);
+}
+// [END cloudkms_v1_generated_AutokeyAdmin_GetIamPolicy_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/AutokeyAdminClient/get_location.php b/owl-bot-staging/Kms/v1/samples/V1/AutokeyAdminClient/get_location.php
new file mode 100644
index 000000000000..6cb25c532205
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/AutokeyAdminClient/get_location.php
@@ -0,0 +1,57 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_AutokeyAdmin_GetLocation_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\Client\AutokeyAdminClient;
+use Google\Cloud\Location\GetLocationRequest;
+use Google\Cloud\Location\Location;
+
+/**
+ * Gets information about a location.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function get_location_sample(): void
+{
+    // Create a client.
+    $autokeyAdminClient = new AutokeyAdminClient();
+
+    // Prepare the request message.
+    $request = new GetLocationRequest();
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var Location $response */
+        $response = $autokeyAdminClient->getLocation($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+// [END cloudkms_v1_generated_AutokeyAdmin_GetLocation_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/AutokeyAdminClient/list_locations.php b/owl-bot-staging/Kms/v1/samples/V1/AutokeyAdminClient/list_locations.php
new file mode 100644
index 000000000000..b8af0822b0d7
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/AutokeyAdminClient/list_locations.php
@@ -0,0 +1,62 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_AutokeyAdmin_ListLocations_sync]
+use Google\ApiCore\ApiException;
+use Google\ApiCore\PagedListResponse;
+use Google\Cloud\Kms\V1\Client\AutokeyAdminClient;
+use Google\Cloud\Location\ListLocationsRequest;
+use Google\Cloud\Location\Location;
+
+/**
+ * Lists information about the supported locations for this service.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function list_locations_sample(): void
+{
+    // Create a client.
+    $autokeyAdminClient = new AutokeyAdminClient();
+
+    // Prepare the request message.
+    $request = new ListLocationsRequest();
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var PagedListResponse $response */
+        $response = $autokeyAdminClient->listLocations($request);
+
+        /** @var Location $element */
+        foreach ($response as $element) {
+            printf('Element data: %s' . PHP_EOL, $element->serializeToJsonString());
+        }
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+// [END cloudkms_v1_generated_AutokeyAdmin_ListLocations_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/AutokeyAdminClient/set_iam_policy.php b/owl-bot-staging/Kms/v1/samples/V1/AutokeyAdminClient/set_iam_policy.php
new file mode 100644
index 000000000000..1202ce1f6065
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/AutokeyAdminClient/set_iam_policy.php
@@ -0,0 +1,77 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_AutokeyAdmin_SetIamPolicy_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Iam\V1\Policy;
+use Google\Cloud\Iam\V1\SetIamPolicyRequest;
+use Google\Cloud\Kms\V1\Client\AutokeyAdminClient;
+
+/**
+ * Sets the access control policy on the specified resource. Replaces
+any existing policy.
+
+Can return `NOT_FOUND`, `INVALID_ARGUMENT`, and `PERMISSION_DENIED`
+errors.
+ *
+ * @param string $resource REQUIRED: The resource for which the policy is being specified.
+ *                         See the operation documentation for the appropriate value for this field.
+ */
+function set_iam_policy_sample(string $resource): void
+{
+    // Create a client.
+    $autokeyAdminClient = new AutokeyAdminClient();
+
+    // Prepare the request message.
+    $policy = new Policy();
+    $request = (new SetIamPolicyRequest())
+        ->setResource($resource)
+        ->setPolicy($policy);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var Policy $response */
+        $response = $autokeyAdminClient->setIamPolicy($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $resource = '[RESOURCE]';
+
+    set_iam_policy_sample($resource);
+}
+// [END cloudkms_v1_generated_AutokeyAdmin_SetIamPolicy_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/AutokeyAdminClient/show_effective_autokey_config.php b/owl-bot-staging/Kms/v1/samples/V1/AutokeyAdminClient/show_effective_autokey_config.php
new file mode 100644
index 000000000000..5beefc9c0980
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/AutokeyAdminClient/show_effective_autokey_config.php
@@ -0,0 +1,73 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_AutokeyAdmin_ShowEffectiveAutokeyConfig_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\Client\AutokeyAdminClient;
+use Google\Cloud\Kms\V1\ShowEffectiveAutokeyConfigRequest;
+use Google\Cloud\Kms\V1\ShowEffectiveAutokeyConfigResponse;
+
+/**
+ * Returns the effective Cloud KMS Autokey configuration for a given project.
+ *
+ * @param string $formattedParent Name of the resource project to the show effective Cloud KMS
+ *                                Autokey configuration for. This may be helpful for interrogating the effect
+ *                                of nested folder configurations on a given resource project. Please see
+ *                                {@see AutokeyAdminClient::projectName()} for help formatting this field.
+ */
+function show_effective_autokey_config_sample(string $formattedParent): void
+{
+    // Create a client.
+    $autokeyAdminClient = new AutokeyAdminClient();
+
+    // Prepare the request message.
+    $request = (new ShowEffectiveAutokeyConfigRequest())
+        ->setParent($formattedParent);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var ShowEffectiveAutokeyConfigResponse $response */
+        $response = $autokeyAdminClient->showEffectiveAutokeyConfig($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedParent = AutokeyAdminClient::projectName('[PROJECT]');
+
+    show_effective_autokey_config_sample($formattedParent);
+}
+// [END cloudkms_v1_generated_AutokeyAdmin_ShowEffectiveAutokeyConfig_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/AutokeyAdminClient/test_iam_permissions.php b/owl-bot-staging/Kms/v1/samples/V1/AutokeyAdminClient/test_iam_permissions.php
new file mode 100644
index 000000000000..7e4fe649a041
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/AutokeyAdminClient/test_iam_permissions.php
@@ -0,0 +1,84 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_AutokeyAdmin_TestIamPermissions_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Iam\V1\TestIamPermissionsRequest;
+use Google\Cloud\Iam\V1\TestIamPermissionsResponse;
+use Google\Cloud\Kms\V1\Client\AutokeyAdminClient;
+
+/**
+ * Returns permissions that a caller has on the specified resource. If the
+resource does not exist, this will return an empty set of
+permissions, not a `NOT_FOUND` error.
+
+Note: This operation is designed to be used for building
+permission-aware UIs and command-line tools, not for authorization
+checking. This operation may "fail open" without warning.
+ *
+ * @param string $resource           REQUIRED: The resource for which the policy detail is being requested.
+ *                                   See the operation documentation for the appropriate value for this field.
+ * @param string $permissionsElement The set of permissions to check for the `resource`. Permissions with
+ *                                   wildcards (such as '*' or 'storage.*') are not allowed. For more
+ *                                   information see
+ *                                   [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).
+ */
+function test_iam_permissions_sample(string $resource, string $permissionsElement): void
+{
+    // Create a client.
+    $autokeyAdminClient = new AutokeyAdminClient();
+
+    // Prepare the request message.
+    $permissions = [$permissionsElement,];
+    $request = (new TestIamPermissionsRequest())
+        ->setResource($resource)
+        ->setPermissions($permissions);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var TestIamPermissionsResponse $response */
+        $response = $autokeyAdminClient->testIamPermissions($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $resource = '[RESOURCE]';
+    $permissionsElement = '[PERMISSIONS]';
+
+    test_iam_permissions_sample($resource, $permissionsElement);
+}
+// [END cloudkms_v1_generated_AutokeyAdmin_TestIamPermissions_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/AutokeyAdminClient/update_autokey_config.php b/owl-bot-staging/Kms/v1/samples/V1/AutokeyAdminClient/update_autokey_config.php
new file mode 100644
index 000000000000..1eef8f2ebffd
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/AutokeyAdminClient/update_autokey_config.php
@@ -0,0 +1,68 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_AutokeyAdmin_UpdateAutokeyConfig_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\AutokeyConfig;
+use Google\Cloud\Kms\V1\Client\AutokeyAdminClient;
+use Google\Cloud\Kms\V1\UpdateAutokeyConfigRequest;
+use Google\Protobuf\FieldMask;
+
+/**
+ * Updates the [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig] for a
+ * folder. The caller must have both `cloudkms.autokeyConfigs.update`
+ * permission on the parent folder and `cloudkms.cryptoKeys.setIamPolicy`
+ * permission on the provided key project. A
+ * [KeyHandle][google.cloud.kms.v1.KeyHandle] creation in the folder's
+ * descendant projects will use this configuration to determine where to
+ * create the resulting [CryptoKey][google.cloud.kms.v1.CryptoKey].
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function update_autokey_config_sample(): void
+{
+    // Create a client.
+    $autokeyAdminClient = new AutokeyAdminClient();
+
+    // Prepare the request message.
+    $autokeyConfig = new AutokeyConfig();
+    $updateMask = new FieldMask();
+    $request = (new UpdateAutokeyConfigRequest())
+        ->setAutokeyConfig($autokeyConfig)
+        ->setUpdateMask($updateMask);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var AutokeyConfig $response */
+        $response = $autokeyAdminClient->updateAutokeyConfig($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+// [END cloudkms_v1_generated_AutokeyAdmin_UpdateAutokeyConfig_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/AutokeyClient/create_key_handle.php b/owl-bot-staging/Kms/v1/samples/V1/AutokeyClient/create_key_handle.php
new file mode 100644
index 000000000000..f38155b3ecff
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/AutokeyClient/create_key_handle.php
@@ -0,0 +1,101 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_Autokey_CreateKeyHandle_sync]
+use Google\ApiCore\ApiException;
+use Google\ApiCore\OperationResponse;
+use Google\Cloud\Kms\V1\Client\AutokeyClient;
+use Google\Cloud\Kms\V1\CreateKeyHandleRequest;
+use Google\Cloud\Kms\V1\KeyHandle;
+use Google\Rpc\Status;
+
+/**
+ * Creates a new [KeyHandle][google.cloud.kms.v1.KeyHandle], triggering the
+ * provisioning of a new [CryptoKey][google.cloud.kms.v1.CryptoKey] for CMEK
+ * use with the given resource type in the configured key project and the same
+ * location. [GetOperation][Operations.GetOperation] should be used to resolve
+ * the resulting long-running operation and get the resulting
+ * [KeyHandle][google.cloud.kms.v1.KeyHandle] and
+ * [CryptoKey][google.cloud.kms.v1.CryptoKey].
+ *
+ * @param string $formattedParent               Name of the resource project and location to create the
+ *                                              [KeyHandle][google.cloud.kms.v1.KeyHandle] in, e.g.
+ *                                              `projects/{PROJECT_ID}/locations/{LOCATION}`. Please see
+ *                                              {@see AutokeyClient::locationName()} for help formatting this field.
+ * @param string $keyHandleResourceTypeSelector Indicates the resource type that the resulting
+ *                                              [CryptoKey][google.cloud.kms.v1.CryptoKey] is meant to protect, e.g.
+ *                                              `{SERVICE}.googleapis.com/{TYPE}`. See documentation for supported resource
+ *                                              types.
+ */
+function create_key_handle_sample(
+    string $formattedParent,
+    string $keyHandleResourceTypeSelector
+): void {
+    // Create a client.
+    $autokeyClient = new AutokeyClient();
+
+    // Prepare the request message.
+    $keyHandle = (new KeyHandle())
+        ->setResourceTypeSelector($keyHandleResourceTypeSelector);
+    $request = (new CreateKeyHandleRequest())
+        ->setParent($formattedParent)
+        ->setKeyHandle($keyHandle);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var OperationResponse $response */
+        $response = $autokeyClient->createKeyHandle($request);
+        $response->pollUntilComplete();
+
+        if ($response->operationSucceeded()) {
+            /** @var KeyHandle $result */
+            $result = $response->getResult();
+            printf('Operation successful with response data: %s' . PHP_EOL, $result->serializeToJsonString());
+        } else {
+            /** @var Status $error */
+            $error = $response->getError();
+            printf('Operation failed with error data: %s' . PHP_EOL, $error->serializeToJsonString());
+        }
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedParent = AutokeyClient::locationName('[PROJECT]', '[LOCATION]');
+    $keyHandleResourceTypeSelector = '[RESOURCE_TYPE_SELECTOR]';
+
+    create_key_handle_sample($formattedParent, $keyHandleResourceTypeSelector);
+}
+// [END cloudkms_v1_generated_Autokey_CreateKeyHandle_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/AutokeyClient/get_iam_policy.php b/owl-bot-staging/Kms/v1/samples/V1/AutokeyClient/get_iam_policy.php
new file mode 100644
index 000000000000..d642ccb079f2
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/AutokeyClient/get_iam_policy.php
@@ -0,0 +1,72 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_Autokey_GetIamPolicy_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Iam\V1\GetIamPolicyRequest;
+use Google\Cloud\Iam\V1\Policy;
+use Google\Cloud\Kms\V1\Client\AutokeyClient;
+
+/**
+ * Gets the access control policy for a resource. Returns an empty policy
+if the resource exists and does not have a policy set.
+ *
+ * @param string $resource REQUIRED: The resource for which the policy is being requested.
+ *                         See the operation documentation for the appropriate value for this field.
+ */
+function get_iam_policy_sample(string $resource): void
+{
+    // Create a client.
+    $autokeyClient = new AutokeyClient();
+
+    // Prepare the request message.
+    $request = (new GetIamPolicyRequest())
+        ->setResource($resource);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var Policy $response */
+        $response = $autokeyClient->getIamPolicy($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $resource = '[RESOURCE]';
+
+    get_iam_policy_sample($resource);
+}
+// [END cloudkms_v1_generated_Autokey_GetIamPolicy_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/AutokeyClient/get_key_handle.php b/owl-bot-staging/Kms/v1/samples/V1/AutokeyClient/get_key_handle.php
new file mode 100644
index 000000000000..e4e840e7cab7
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/AutokeyClient/get_key_handle.php
@@ -0,0 +1,73 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_Autokey_GetKeyHandle_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\Client\AutokeyClient;
+use Google\Cloud\Kms\V1\GetKeyHandleRequest;
+use Google\Cloud\Kms\V1\KeyHandle;
+
+/**
+ * Returns the [KeyHandle][google.cloud.kms.v1.KeyHandle].
+ *
+ * @param string $formattedName Name of the [KeyHandle][google.cloud.kms.v1.KeyHandle] resource,
+ *                              e.g.
+ *                              `projects/{PROJECT_ID}/locations/{LOCATION}/keyHandles/{KEY_HANDLE_ID}`. Please see
+ *                              {@see AutokeyClient::keyHandleName()} for help formatting this field.
+ */
+function get_key_handle_sample(string $formattedName): void
+{
+    // Create a client.
+    $autokeyClient = new AutokeyClient();
+
+    // Prepare the request message.
+    $request = (new GetKeyHandleRequest())
+        ->setName($formattedName);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var KeyHandle $response */
+        $response = $autokeyClient->getKeyHandle($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedName = AutokeyClient::keyHandleName('[PROJECT]', '[LOCATION]', '[KEY_HANDLE]');
+
+    get_key_handle_sample($formattedName);
+}
+// [END cloudkms_v1_generated_Autokey_GetKeyHandle_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/AutokeyClient/get_location.php b/owl-bot-staging/Kms/v1/samples/V1/AutokeyClient/get_location.php
new file mode 100644
index 000000000000..f38158f6bad1
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/AutokeyClient/get_location.php
@@ -0,0 +1,57 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_Autokey_GetLocation_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\Client\AutokeyClient;
+use Google\Cloud\Location\GetLocationRequest;
+use Google\Cloud\Location\Location;
+
+/**
+ * Gets information about a location.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function get_location_sample(): void
+{
+    // Create a client.
+    $autokeyClient = new AutokeyClient();
+
+    // Prepare the request message.
+    $request = new GetLocationRequest();
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var Location $response */
+        $response = $autokeyClient->getLocation($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+// [END cloudkms_v1_generated_Autokey_GetLocation_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/AutokeyClient/list_key_handles.php b/owl-bot-staging/Kms/v1/samples/V1/AutokeyClient/list_key_handles.php
new file mode 100644
index 000000000000..900bc825fe12
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/AutokeyClient/list_key_handles.php
@@ -0,0 +1,78 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_Autokey_ListKeyHandles_sync]
+use Google\ApiCore\ApiException;
+use Google\ApiCore\PagedListResponse;
+use Google\Cloud\Kms\V1\Client\AutokeyClient;
+use Google\Cloud\Kms\V1\KeyHandle;
+use Google\Cloud\Kms\V1\ListKeyHandlesRequest;
+
+/**
+ * Lists [KeyHandles][google.cloud.kms.v1.KeyHandle].
+ *
+ * @param string $formattedParent Name of the resource project and location from which to list
+ *                                [KeyHandles][google.cloud.kms.v1.KeyHandle], e.g.
+ *                                `projects/{PROJECT_ID}/locations/{LOCATION}`. Please see
+ *                                {@see AutokeyClient::locationName()} for help formatting this field.
+ */
+function list_key_handles_sample(string $formattedParent): void
+{
+    // Create a client.
+    $autokeyClient = new AutokeyClient();
+
+    // Prepare the request message.
+    $request = (new ListKeyHandlesRequest())
+        ->setParent($formattedParent);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var PagedListResponse $response */
+        $response = $autokeyClient->listKeyHandles($request);
+
+        /** @var KeyHandle $element */
+        foreach ($response as $element) {
+            printf('Element data: %s' . PHP_EOL, $element->serializeToJsonString());
+        }
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedParent = AutokeyClient::locationName('[PROJECT]', '[LOCATION]');
+
+    list_key_handles_sample($formattedParent);
+}
+// [END cloudkms_v1_generated_Autokey_ListKeyHandles_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/AutokeyClient/list_locations.php b/owl-bot-staging/Kms/v1/samples/V1/AutokeyClient/list_locations.php
new file mode 100644
index 000000000000..f717fabf6b9a
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/AutokeyClient/list_locations.php
@@ -0,0 +1,62 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_Autokey_ListLocations_sync]
+use Google\ApiCore\ApiException;
+use Google\ApiCore\PagedListResponse;
+use Google\Cloud\Kms\V1\Client\AutokeyClient;
+use Google\Cloud\Location\ListLocationsRequest;
+use Google\Cloud\Location\Location;
+
+/**
+ * Lists information about the supported locations for this service.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function list_locations_sample(): void
+{
+    // Create a client.
+    $autokeyClient = new AutokeyClient();
+
+    // Prepare the request message.
+    $request = new ListLocationsRequest();
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var PagedListResponse $response */
+        $response = $autokeyClient->listLocations($request);
+
+        /** @var Location $element */
+        foreach ($response as $element) {
+            printf('Element data: %s' . PHP_EOL, $element->serializeToJsonString());
+        }
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+// [END cloudkms_v1_generated_Autokey_ListLocations_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/AutokeyClient/set_iam_policy.php b/owl-bot-staging/Kms/v1/samples/V1/AutokeyClient/set_iam_policy.php
new file mode 100644
index 000000000000..db0f0ad6046c
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/AutokeyClient/set_iam_policy.php
@@ -0,0 +1,77 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_Autokey_SetIamPolicy_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Iam\V1\Policy;
+use Google\Cloud\Iam\V1\SetIamPolicyRequest;
+use Google\Cloud\Kms\V1\Client\AutokeyClient;
+
+/**
+ * Sets the access control policy on the specified resource. Replaces
+any existing policy.
+
+Can return `NOT_FOUND`, `INVALID_ARGUMENT`, and `PERMISSION_DENIED`
+errors.
+ *
+ * @param string $resource REQUIRED: The resource for which the policy is being specified.
+ *                         See the operation documentation for the appropriate value for this field.
+ */
+function set_iam_policy_sample(string $resource): void
+{
+    // Create a client.
+    $autokeyClient = new AutokeyClient();
+
+    // Prepare the request message.
+    $policy = new Policy();
+    $request = (new SetIamPolicyRequest())
+        ->setResource($resource)
+        ->setPolicy($policy);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var Policy $response */
+        $response = $autokeyClient->setIamPolicy($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $resource = '[RESOURCE]';
+
+    set_iam_policy_sample($resource);
+}
+// [END cloudkms_v1_generated_Autokey_SetIamPolicy_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/AutokeyClient/test_iam_permissions.php b/owl-bot-staging/Kms/v1/samples/V1/AutokeyClient/test_iam_permissions.php
new file mode 100644
index 000000000000..e3588e89639f
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/AutokeyClient/test_iam_permissions.php
@@ -0,0 +1,84 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_Autokey_TestIamPermissions_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Iam\V1\TestIamPermissionsRequest;
+use Google\Cloud\Iam\V1\TestIamPermissionsResponse;
+use Google\Cloud\Kms\V1\Client\AutokeyClient;
+
+/**
+ * Returns permissions that a caller has on the specified resource. If the
+resource does not exist, this will return an empty set of
+permissions, not a `NOT_FOUND` error.
+
+Note: This operation is designed to be used for building
+permission-aware UIs and command-line tools, not for authorization
+checking. This operation may "fail open" without warning.
+ *
+ * @param string $resource           REQUIRED: The resource for which the policy detail is being requested.
+ *                                   See the operation documentation for the appropriate value for this field.
+ * @param string $permissionsElement The set of permissions to check for the `resource`. Permissions with
+ *                                   wildcards (such as '*' or 'storage.*') are not allowed. For more
+ *                                   information see
+ *                                   [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).
+ */
+function test_iam_permissions_sample(string $resource, string $permissionsElement): void
+{
+    // Create a client.
+    $autokeyClient = new AutokeyClient();
+
+    // Prepare the request message.
+    $permissions = [$permissionsElement,];
+    $request = (new TestIamPermissionsRequest())
+        ->setResource($resource)
+        ->setPermissions($permissions);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var TestIamPermissionsResponse $response */
+        $response = $autokeyClient->testIamPermissions($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $resource = '[RESOURCE]';
+    $permissionsElement = '[PERMISSIONS]';
+
+    test_iam_permissions_sample($resource, $permissionsElement);
+}
+// [END cloudkms_v1_generated_Autokey_TestIamPermissions_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/create_ekm_connection.php b/owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/create_ekm_connection.php
new file mode 100644
index 000000000000..da0a80095906
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/create_ekm_connection.php
@@ -0,0 +1,80 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_EkmService_CreateEkmConnection_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\Client\EkmServiceClient;
+use Google\Cloud\Kms\V1\CreateEkmConnectionRequest;
+use Google\Cloud\Kms\V1\EkmConnection;
+
+/**
+ * Creates a new [EkmConnection][google.cloud.kms.v1.EkmConnection] in a given
+ * Project and Location.
+ *
+ * @param string $formattedParent The resource name of the location associated with the
+ *                                [EkmConnection][google.cloud.kms.v1.EkmConnection], in the format
+ *                                `projects/&#42;/locations/*`. Please see
+ *                                {@see EkmServiceClient::locationName()} for help formatting this field.
+ * @param string $ekmConnectionId It must be unique within a location and match the regular
+ *                                expression `[a-zA-Z0-9_-]{1,63}`.
+ */
+function create_ekm_connection_sample(string $formattedParent, string $ekmConnectionId): void
+{
+    // Create a client.
+    $ekmServiceClient = new EkmServiceClient();
+
+    // Prepare the request message.
+    $ekmConnection = new EkmConnection();
+    $request = (new CreateEkmConnectionRequest())
+        ->setParent($formattedParent)
+        ->setEkmConnectionId($ekmConnectionId)
+        ->setEkmConnection($ekmConnection);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var EkmConnection $response */
+        $response = $ekmServiceClient->createEkmConnection($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedParent = EkmServiceClient::locationName('[PROJECT]', '[LOCATION]');
+    $ekmConnectionId = '[EKM_CONNECTION_ID]';
+
+    create_ekm_connection_sample($formattedParent, $ekmConnectionId);
+}
+// [END cloudkms_v1_generated_EkmService_CreateEkmConnection_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/get_ekm_config.php b/owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/get_ekm_config.php
new file mode 100644
index 000000000000..513e4675c0f5
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/get_ekm_config.php
@@ -0,0 +1,73 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_EkmService_GetEkmConfig_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\Client\EkmServiceClient;
+use Google\Cloud\Kms\V1\EkmConfig;
+use Google\Cloud\Kms\V1\GetEkmConfigRequest;
+
+/**
+ * Returns the [EkmConfig][google.cloud.kms.v1.EkmConfig] singleton resource
+ * for a given project and location.
+ *
+ * @param string $formattedName The [name][google.cloud.kms.v1.EkmConfig.name] of the
+ *                              [EkmConfig][google.cloud.kms.v1.EkmConfig] to get. Please see
+ *                              {@see EkmServiceClient::ekmConfigName()} for help formatting this field.
+ */
+function get_ekm_config_sample(string $formattedName): void
+{
+    // Create a client.
+    $ekmServiceClient = new EkmServiceClient();
+
+    // Prepare the request message.
+    $request = (new GetEkmConfigRequest())
+        ->setName($formattedName);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var EkmConfig $response */
+        $response = $ekmServiceClient->getEkmConfig($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedName = EkmServiceClient::ekmConfigName('[PROJECT]', '[LOCATION]');
+
+    get_ekm_config_sample($formattedName);
+}
+// [END cloudkms_v1_generated_EkmService_GetEkmConfig_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/get_ekm_connection.php b/owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/get_ekm_connection.php
new file mode 100644
index 000000000000..af11f93fdf09
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/get_ekm_connection.php
@@ -0,0 +1,73 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_EkmService_GetEkmConnection_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\Client\EkmServiceClient;
+use Google\Cloud\Kms\V1\EkmConnection;
+use Google\Cloud\Kms\V1\GetEkmConnectionRequest;
+
+/**
+ * Returns metadata for a given
+ * [EkmConnection][google.cloud.kms.v1.EkmConnection].
+ *
+ * @param string $formattedName The [name][google.cloud.kms.v1.EkmConnection.name] of the
+ *                              [EkmConnection][google.cloud.kms.v1.EkmConnection] to get. Please see
+ *                              {@see EkmServiceClient::ekmConnectionName()} for help formatting this field.
+ */
+function get_ekm_connection_sample(string $formattedName): void
+{
+    // Create a client.
+    $ekmServiceClient = new EkmServiceClient();
+
+    // Prepare the request message.
+    $request = (new GetEkmConnectionRequest())
+        ->setName($formattedName);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var EkmConnection $response */
+        $response = $ekmServiceClient->getEkmConnection($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedName = EkmServiceClient::ekmConnectionName('[PROJECT]', '[LOCATION]', '[EKM_CONNECTION]');
+
+    get_ekm_connection_sample($formattedName);
+}
+// [END cloudkms_v1_generated_EkmService_GetEkmConnection_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/get_iam_policy.php b/owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/get_iam_policy.php
new file mode 100644
index 000000000000..68149cdc7afa
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/get_iam_policy.php
@@ -0,0 +1,72 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_EkmService_GetIamPolicy_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Iam\V1\GetIamPolicyRequest;
+use Google\Cloud\Iam\V1\Policy;
+use Google\Cloud\Kms\V1\Client\EkmServiceClient;
+
+/**
+ * Gets the access control policy for a resource. Returns an empty policy
+if the resource exists and does not have a policy set.
+ *
+ * @param string $resource REQUIRED: The resource for which the policy is being requested.
+ *                         See the operation documentation for the appropriate value for this field.
+ */
+function get_iam_policy_sample(string $resource): void
+{
+    // Create a client.
+    $ekmServiceClient = new EkmServiceClient();
+
+    // Prepare the request message.
+    $request = (new GetIamPolicyRequest())
+        ->setResource($resource);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var Policy $response */
+        $response = $ekmServiceClient->getIamPolicy($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $resource = '[RESOURCE]';
+
+    get_iam_policy_sample($resource);
+}
+// [END cloudkms_v1_generated_EkmService_GetIamPolicy_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/get_location.php b/owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/get_location.php
new file mode 100644
index 000000000000..310924b508b7
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/get_location.php
@@ -0,0 +1,57 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_EkmService_GetLocation_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\Client\EkmServiceClient;
+use Google\Cloud\Location\GetLocationRequest;
+use Google\Cloud\Location\Location;
+
+/**
+ * Gets information about a location.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function get_location_sample(): void
+{
+    // Create a client.
+    $ekmServiceClient = new EkmServiceClient();
+
+    // Prepare the request message.
+    $request = new GetLocationRequest();
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var Location $response */
+        $response = $ekmServiceClient->getLocation($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+// [END cloudkms_v1_generated_EkmService_GetLocation_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/list_ekm_connections.php b/owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/list_ekm_connections.php
new file mode 100644
index 000000000000..d0be2f4c697e
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/list_ekm_connections.php
@@ -0,0 +1,78 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_EkmService_ListEkmConnections_sync]
+use Google\ApiCore\ApiException;
+use Google\ApiCore\PagedListResponse;
+use Google\Cloud\Kms\V1\Client\EkmServiceClient;
+use Google\Cloud\Kms\V1\EkmConnection;
+use Google\Cloud\Kms\V1\ListEkmConnectionsRequest;
+
+/**
+ * Lists [EkmConnections][google.cloud.kms.v1.EkmConnection].
+ *
+ * @param string $formattedParent The resource name of the location associated with the
+ *                                [EkmConnections][google.cloud.kms.v1.EkmConnection] to list, in the format
+ *                                `projects/&#42;/locations/*`. Please see
+ *                                {@see EkmServiceClient::locationName()} for help formatting this field.
+ */
+function list_ekm_connections_sample(string $formattedParent): void
+{
+    // Create a client.
+    $ekmServiceClient = new EkmServiceClient();
+
+    // Prepare the request message.
+    $request = (new ListEkmConnectionsRequest())
+        ->setParent($formattedParent);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var PagedListResponse $response */
+        $response = $ekmServiceClient->listEkmConnections($request);
+
+        /** @var EkmConnection $element */
+        foreach ($response as $element) {
+            printf('Element data: %s' . PHP_EOL, $element->serializeToJsonString());
+        }
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedParent = EkmServiceClient::locationName('[PROJECT]', '[LOCATION]');
+
+    list_ekm_connections_sample($formattedParent);
+}
+// [END cloudkms_v1_generated_EkmService_ListEkmConnections_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/list_locations.php b/owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/list_locations.php
new file mode 100644
index 000000000000..1bb19c6e2482
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/list_locations.php
@@ -0,0 +1,62 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_EkmService_ListLocations_sync]
+use Google\ApiCore\ApiException;
+use Google\ApiCore\PagedListResponse;
+use Google\Cloud\Kms\V1\Client\EkmServiceClient;
+use Google\Cloud\Location\ListLocationsRequest;
+use Google\Cloud\Location\Location;
+
+/**
+ * Lists information about the supported locations for this service.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function list_locations_sample(): void
+{
+    // Create a client.
+    $ekmServiceClient = new EkmServiceClient();
+
+    // Prepare the request message.
+    $request = new ListLocationsRequest();
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var PagedListResponse $response */
+        $response = $ekmServiceClient->listLocations($request);
+
+        /** @var Location $element */
+        foreach ($response as $element) {
+            printf('Element data: %s' . PHP_EOL, $element->serializeToJsonString());
+        }
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+// [END cloudkms_v1_generated_EkmService_ListLocations_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/set_iam_policy.php b/owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/set_iam_policy.php
new file mode 100644
index 000000000000..8d33c45f5688
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/set_iam_policy.php
@@ -0,0 +1,77 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_EkmService_SetIamPolicy_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Iam\V1\Policy;
+use Google\Cloud\Iam\V1\SetIamPolicyRequest;
+use Google\Cloud\Kms\V1\Client\EkmServiceClient;
+
+/**
+ * Sets the access control policy on the specified resource. Replaces
+any existing policy.
+
+Can return `NOT_FOUND`, `INVALID_ARGUMENT`, and `PERMISSION_DENIED`
+errors.
+ *
+ * @param string $resource REQUIRED: The resource for which the policy is being specified.
+ *                         See the operation documentation for the appropriate value for this field.
+ */
+function set_iam_policy_sample(string $resource): void
+{
+    // Create a client.
+    $ekmServiceClient = new EkmServiceClient();
+
+    // Prepare the request message.
+    $policy = new Policy();
+    $request = (new SetIamPolicyRequest())
+        ->setResource($resource)
+        ->setPolicy($policy);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var Policy $response */
+        $response = $ekmServiceClient->setIamPolicy($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $resource = '[RESOURCE]';
+
+    set_iam_policy_sample($resource);
+}
+// [END cloudkms_v1_generated_EkmService_SetIamPolicy_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/test_iam_permissions.php b/owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/test_iam_permissions.php
new file mode 100644
index 000000000000..5f04484afdcb
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/test_iam_permissions.php
@@ -0,0 +1,84 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_EkmService_TestIamPermissions_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Iam\V1\TestIamPermissionsRequest;
+use Google\Cloud\Iam\V1\TestIamPermissionsResponse;
+use Google\Cloud\Kms\V1\Client\EkmServiceClient;
+
+/**
+ * Returns permissions that a caller has on the specified resource. If the
+resource does not exist, this will return an empty set of
+permissions, not a `NOT_FOUND` error.
+
+Note: This operation is designed to be used for building
+permission-aware UIs and command-line tools, not for authorization
+checking. This operation may "fail open" without warning.
+ *
+ * @param string $resource           REQUIRED: The resource for which the policy detail is being requested.
+ *                                   See the operation documentation for the appropriate value for this field.
+ * @param string $permissionsElement The set of permissions to check for the `resource`. Permissions with
+ *                                   wildcards (such as '*' or 'storage.*') are not allowed. For more
+ *                                   information see
+ *                                   [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).
+ */
+function test_iam_permissions_sample(string $resource, string $permissionsElement): void
+{
+    // Create a client.
+    $ekmServiceClient = new EkmServiceClient();
+
+    // Prepare the request message.
+    $permissions = [$permissionsElement,];
+    $request = (new TestIamPermissionsRequest())
+        ->setResource($resource)
+        ->setPermissions($permissions);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var TestIamPermissionsResponse $response */
+        $response = $ekmServiceClient->testIamPermissions($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $resource = '[RESOURCE]';
+    $permissionsElement = '[PERMISSIONS]';
+
+    test_iam_permissions_sample($resource, $permissionsElement);
+}
+// [END cloudkms_v1_generated_EkmService_TestIamPermissions_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/update_ekm_config.php b/owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/update_ekm_config.php
new file mode 100644
index 000000000000..4545f68080e6
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/update_ekm_config.php
@@ -0,0 +1,63 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_EkmService_UpdateEkmConfig_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\Client\EkmServiceClient;
+use Google\Cloud\Kms\V1\EkmConfig;
+use Google\Cloud\Kms\V1\UpdateEkmConfigRequest;
+use Google\Protobuf\FieldMask;
+
+/**
+ * Updates the [EkmConfig][google.cloud.kms.v1.EkmConfig] singleton resource
+ * for a given project and location.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function update_ekm_config_sample(): void
+{
+    // Create a client.
+    $ekmServiceClient = new EkmServiceClient();
+
+    // Prepare the request message.
+    $ekmConfig = new EkmConfig();
+    $updateMask = new FieldMask();
+    $request = (new UpdateEkmConfigRequest())
+        ->setEkmConfig($ekmConfig)
+        ->setUpdateMask($updateMask);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var EkmConfig $response */
+        $response = $ekmServiceClient->updateEkmConfig($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+// [END cloudkms_v1_generated_EkmService_UpdateEkmConfig_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/update_ekm_connection.php b/owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/update_ekm_connection.php
new file mode 100644
index 000000000000..25e0f134db8c
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/update_ekm_connection.php
@@ -0,0 +1,62 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_EkmService_UpdateEkmConnection_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\Client\EkmServiceClient;
+use Google\Cloud\Kms\V1\EkmConnection;
+use Google\Cloud\Kms\V1\UpdateEkmConnectionRequest;
+use Google\Protobuf\FieldMask;
+
+/**
+ * Updates an [EkmConnection][google.cloud.kms.v1.EkmConnection]'s metadata.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function update_ekm_connection_sample(): void
+{
+    // Create a client.
+    $ekmServiceClient = new EkmServiceClient();
+
+    // Prepare the request message.
+    $ekmConnection = new EkmConnection();
+    $updateMask = new FieldMask();
+    $request = (new UpdateEkmConnectionRequest())
+        ->setEkmConnection($ekmConnection)
+        ->setUpdateMask($updateMask);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var EkmConnection $response */
+        $response = $ekmServiceClient->updateEkmConnection($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+// [END cloudkms_v1_generated_EkmService_UpdateEkmConnection_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/verify_connectivity.php b/owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/verify_connectivity.php
new file mode 100644
index 000000000000..f3a099f99485
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/EkmServiceClient/verify_connectivity.php
@@ -0,0 +1,76 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_EkmService_VerifyConnectivity_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\Client\EkmServiceClient;
+use Google\Cloud\Kms\V1\VerifyConnectivityRequest;
+use Google\Cloud\Kms\V1\VerifyConnectivityResponse;
+
+/**
+ * Verifies that Cloud KMS can successfully connect to the external key
+ * manager specified by an [EkmConnection][google.cloud.kms.v1.EkmConnection].
+ * If there is an error connecting to the EKM, this method returns a
+ * FAILED_PRECONDITION status containing structured information as described
+ * at https://cloud.google.com/kms/docs/reference/ekm_errors.
+ *
+ * @param string $formattedName The [name][google.cloud.kms.v1.EkmConnection.name] of the
+ *                              [EkmConnection][google.cloud.kms.v1.EkmConnection] to verify. Please see
+ *                              {@see EkmServiceClient::ekmConnectionName()} for help formatting this field.
+ */
+function verify_connectivity_sample(string $formattedName): void
+{
+    // Create a client.
+    $ekmServiceClient = new EkmServiceClient();
+
+    // Prepare the request message.
+    $request = (new VerifyConnectivityRequest())
+        ->setName($formattedName);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var VerifyConnectivityResponse $response */
+        $response = $ekmServiceClient->verifyConnectivity($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedName = EkmServiceClient::ekmConnectionName('[PROJECT]', '[LOCATION]', '[EKM_CONNECTION]');
+
+    verify_connectivity_sample($formattedName);
+}
+// [END cloudkms_v1_generated_EkmService_VerifyConnectivity_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/asymmetric_decrypt.php b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/asymmetric_decrypt.php
new file mode 100644
index 000000000000..09b3e01d23b1
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/asymmetric_decrypt.php
@@ -0,0 +1,88 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_KeyManagementService_AsymmetricDecrypt_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\AsymmetricDecryptRequest;
+use Google\Cloud\Kms\V1\AsymmetricDecryptResponse;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+
+/**
+ * Decrypts data that was encrypted with a public key retrieved from
+ * [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey]
+ * corresponding to a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+ * with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
+ * ASYMMETRIC_DECRYPT.
+ *
+ * @param string $formattedName The resource name of the
+ *                              [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+ *                              decryption. Please see
+ *                              {@see KeyManagementServiceClient::cryptoKeyVersionName()} for help formatting this field.
+ * @param string $ciphertext    The data encrypted with the named
+ *                              [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s public key using
+ *                              OAEP.
+ */
+function asymmetric_decrypt_sample(string $formattedName, string $ciphertext): void
+{
+    // Create a client.
+    $keyManagementServiceClient = new KeyManagementServiceClient();
+
+    // Prepare the request message.
+    $request = (new AsymmetricDecryptRequest())
+        ->setName($formattedName)
+        ->setCiphertext($ciphertext);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var AsymmetricDecryptResponse $response */
+        $response = $keyManagementServiceClient->asymmetricDecrypt($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedName = KeyManagementServiceClient::cryptoKeyVersionName(
+        '[PROJECT]',
+        '[LOCATION]',
+        '[KEY_RING]',
+        '[CRYPTO_KEY]',
+        '[CRYPTO_KEY_VERSION]'
+    );
+    $ciphertext = '...';
+
+    asymmetric_decrypt_sample($formattedName, $ciphertext);
+}
+// [END cloudkms_v1_generated_KeyManagementService_AsymmetricDecrypt_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/asymmetric_sign.php b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/asymmetric_sign.php
new file mode 100644
index 000000000000..b8467961948b
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/asymmetric_sign.php
@@ -0,0 +1,86 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_KeyManagementService_AsymmetricSign_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\AsymmetricSignRequest;
+use Google\Cloud\Kms\V1\AsymmetricSignResponse;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\Digest;
+
+/**
+ * Signs data using a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+ * with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
+ * ASYMMETRIC_SIGN, producing a signature that can be verified with the public
+ * key retrieved from
+ * [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
+ *
+ * @param string $formattedName The resource name of the
+ *                              [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+ *                              signing. Please see
+ *                              {@see KeyManagementServiceClient::cryptoKeyVersionName()} for help formatting this field.
+ */
+function asymmetric_sign_sample(string $formattedName): void
+{
+    // Create a client.
+    $keyManagementServiceClient = new KeyManagementServiceClient();
+
+    // Prepare the request message.
+    $digest = new Digest();
+    $request = (new AsymmetricSignRequest())
+        ->setName($formattedName)
+        ->setDigest($digest);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var AsymmetricSignResponse $response */
+        $response = $keyManagementServiceClient->asymmetricSign($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedName = KeyManagementServiceClient::cryptoKeyVersionName(
+        '[PROJECT]',
+        '[LOCATION]',
+        '[KEY_RING]',
+        '[CRYPTO_KEY]',
+        '[CRYPTO_KEY_VERSION]'
+    );
+
+    asymmetric_sign_sample($formattedName);
+}
+// [END cloudkms_v1_generated_KeyManagementService_AsymmetricSign_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/create_crypto_key.php b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/create_crypto_key.php
new file mode 100644
index 000000000000..b2bc66b850b6
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/create_crypto_key.php
@@ -0,0 +1,83 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_KeyManagementService_CreateCryptoKey_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\CreateCryptoKeyRequest;
+use Google\Cloud\Kms\V1\CryptoKey;
+
+/**
+ * Create a new [CryptoKey][google.cloud.kms.v1.CryptoKey] within a
+ * [KeyRing][google.cloud.kms.v1.KeyRing].
+ *
+ * [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] and
+ * [CryptoKey.version_template.algorithm][google.cloud.kms.v1.CryptoKeyVersionTemplate.algorithm]
+ * are required.
+ *
+ * @param string $formattedParent The [name][google.cloud.kms.v1.KeyRing.name] of the KeyRing
+ *                                associated with the [CryptoKeys][google.cloud.kms.v1.CryptoKey]. Please see
+ *                                {@see KeyManagementServiceClient::keyRingName()} for help formatting this field.
+ * @param string $cryptoKeyId     It must be unique within a KeyRing and match the regular
+ *                                expression `[a-zA-Z0-9_-]{1,63}`
+ */
+function create_crypto_key_sample(string $formattedParent, string $cryptoKeyId): void
+{
+    // Create a client.
+    $keyManagementServiceClient = new KeyManagementServiceClient();
+
+    // Prepare the request message.
+    $cryptoKey = new CryptoKey();
+    $request = (new CreateCryptoKeyRequest())
+        ->setParent($formattedParent)
+        ->setCryptoKeyId($cryptoKeyId)
+        ->setCryptoKey($cryptoKey);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var CryptoKey $response */
+        $response = $keyManagementServiceClient->createCryptoKey($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedParent = KeyManagementServiceClient::keyRingName('[PROJECT]', '[LOCATION]', '[KEY_RING]');
+    $cryptoKeyId = '[CRYPTO_KEY_ID]';
+
+    create_crypto_key_sample($formattedParent, $cryptoKeyId);
+}
+// [END cloudkms_v1_generated_KeyManagementService_CreateCryptoKey_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/create_crypto_key_version.php b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/create_crypto_key_version.php
new file mode 100644
index 000000000000..71cc05d5681f
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/create_crypto_key_version.php
@@ -0,0 +1,85 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_KeyManagementService_CreateCryptoKeyVersion_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\CreateCryptoKeyVersionRequest;
+use Google\Cloud\Kms\V1\CryptoKeyVersion;
+
+/**
+ * Create a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in a
+ * [CryptoKey][google.cloud.kms.v1.CryptoKey].
+ *
+ * The server will assign the next sequential id. If unset,
+ * [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to
+ * [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED].
+ *
+ * @param string $formattedParent The [name][google.cloud.kms.v1.CryptoKey.name] of the
+ *                                [CryptoKey][google.cloud.kms.v1.CryptoKey] associated with the
+ *                                [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]. Please see
+ *                                {@see KeyManagementServiceClient::cryptoKeyName()} for help formatting this field.
+ */
+function create_crypto_key_version_sample(string $formattedParent): void
+{
+    // Create a client.
+    $keyManagementServiceClient = new KeyManagementServiceClient();
+
+    // Prepare the request message.
+    $cryptoKeyVersion = new CryptoKeyVersion();
+    $request = (new CreateCryptoKeyVersionRequest())
+        ->setParent($formattedParent)
+        ->setCryptoKeyVersion($cryptoKeyVersion);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var CryptoKeyVersion $response */
+        $response = $keyManagementServiceClient->createCryptoKeyVersion($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedParent = KeyManagementServiceClient::cryptoKeyName(
+        '[PROJECT]',
+        '[LOCATION]',
+        '[KEY_RING]',
+        '[CRYPTO_KEY]'
+    );
+
+    create_crypto_key_version_sample($formattedParent);
+}
+// [END cloudkms_v1_generated_KeyManagementService_CreateCryptoKeyVersion_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/create_import_job.php b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/create_import_job.php
new file mode 100644
index 000000000000..510ff5be970a
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/create_import_job.php
@@ -0,0 +1,106 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_KeyManagementService_CreateImportJob_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\CreateImportJobRequest;
+use Google\Cloud\Kms\V1\ImportJob;
+use Google\Cloud\Kms\V1\ImportJob\ImportMethod;
+use Google\Cloud\Kms\V1\ProtectionLevel;
+
+/**
+ * Create a new [ImportJob][google.cloud.kms.v1.ImportJob] within a
+ * [KeyRing][google.cloud.kms.v1.KeyRing].
+ *
+ * [ImportJob.import_method][google.cloud.kms.v1.ImportJob.import_method] is
+ * required.
+ *
+ * @param string $formattedParent          The [name][google.cloud.kms.v1.KeyRing.name] of the
+ *                                         [KeyRing][google.cloud.kms.v1.KeyRing] associated with the
+ *                                         [ImportJobs][google.cloud.kms.v1.ImportJob]. Please see
+ *                                         {@see KeyManagementServiceClient::keyRingName()} for help formatting this field.
+ * @param string $importJobId              It must be unique within a KeyRing and match the regular
+ *                                         expression `[a-zA-Z0-9_-]{1,63}`
+ * @param int    $importJobImportMethod    Immutable. The wrapping method to be used for incoming key
+ *                                         material.
+ * @param int    $importJobProtectionLevel Immutable. The protection level of the
+ *                                         [ImportJob][google.cloud.kms.v1.ImportJob]. This must match the
+ *                                         [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]
+ *                                         of the [version_template][google.cloud.kms.v1.CryptoKey.version_template]
+ *                                         on the [CryptoKey][google.cloud.kms.v1.CryptoKey] you attempt to import
+ *                                         into.
+ */
+function create_import_job_sample(
+    string $formattedParent,
+    string $importJobId,
+    int $importJobImportMethod,
+    int $importJobProtectionLevel
+): void {
+    // Create a client.
+    $keyManagementServiceClient = new KeyManagementServiceClient();
+
+    // Prepare the request message.
+    $importJob = (new ImportJob())
+        ->setImportMethod($importJobImportMethod)
+        ->setProtectionLevel($importJobProtectionLevel);
+    $request = (new CreateImportJobRequest())
+        ->setParent($formattedParent)
+        ->setImportJobId($importJobId)
+        ->setImportJob($importJob);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var ImportJob $response */
+        $response = $keyManagementServiceClient->createImportJob($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedParent = KeyManagementServiceClient::keyRingName('[PROJECT]', '[LOCATION]', '[KEY_RING]');
+    $importJobId = '[IMPORT_JOB_ID]';
+    $importJobImportMethod = ImportMethod::IMPORT_METHOD_UNSPECIFIED;
+    $importJobProtectionLevel = ProtectionLevel::PROTECTION_LEVEL_UNSPECIFIED;
+
+    create_import_job_sample(
+        $formattedParent,
+        $importJobId,
+        $importJobImportMethod,
+        $importJobProtectionLevel
+    );
+}
+// [END cloudkms_v1_generated_KeyManagementService_CreateImportJob_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/create_key_ring.php b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/create_key_ring.php
new file mode 100644
index 000000000000..5f8ee1d3ad45
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/create_key_ring.php
@@ -0,0 +1,80 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_KeyManagementService_CreateKeyRing_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\CreateKeyRingRequest;
+use Google\Cloud\Kms\V1\KeyRing;
+
+/**
+ * Create a new [KeyRing][google.cloud.kms.v1.KeyRing] in a given Project and
+ * Location.
+ *
+ * @param string $formattedParent The resource name of the location associated with the
+ *                                [KeyRings][google.cloud.kms.v1.KeyRing], in the format
+ *                                `projects/&#42;/locations/*`. Please see
+ *                                {@see KeyManagementServiceClient::locationName()} for help formatting this field.
+ * @param string $keyRingId       It must be unique within a location and match the regular
+ *                                expression `[a-zA-Z0-9_-]{1,63}`
+ */
+function create_key_ring_sample(string $formattedParent, string $keyRingId): void
+{
+    // Create a client.
+    $keyManagementServiceClient = new KeyManagementServiceClient();
+
+    // Prepare the request message.
+    $keyRing = new KeyRing();
+    $request = (new CreateKeyRingRequest())
+        ->setParent($formattedParent)
+        ->setKeyRingId($keyRingId)
+        ->setKeyRing($keyRing);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var KeyRing $response */
+        $response = $keyManagementServiceClient->createKeyRing($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedParent = KeyManagementServiceClient::locationName('[PROJECT]', '[LOCATION]');
+    $keyRingId = '[KEY_RING_ID]';
+
+    create_key_ring_sample($formattedParent, $keyRingId);
+}
+// [END cloudkms_v1_generated_KeyManagementService_CreateKeyRing_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/decrypt.php b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/decrypt.php
new file mode 100644
index 000000000000..b5a474d68f41
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/decrypt.php
@@ -0,0 +1,85 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_KeyManagementService_Decrypt_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\DecryptRequest;
+use Google\Cloud\Kms\V1\DecryptResponse;
+
+/**
+ * Decrypts data that was protected by
+ * [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. The
+ * [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be
+ * [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
+ *
+ * @param string $formattedName The resource name of the
+ *                              [CryptoKey][google.cloud.kms.v1.CryptoKey] to use for decryption. The
+ *                              server will choose the appropriate version. Please see
+ *                              {@see KeyManagementServiceClient::cryptoKeyName()} for help formatting this field.
+ * @param string $ciphertext    The encrypted data originally returned in
+ *                              [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext].
+ */
+function decrypt_sample(string $formattedName, string $ciphertext): void
+{
+    // Create a client.
+    $keyManagementServiceClient = new KeyManagementServiceClient();
+
+    // Prepare the request message.
+    $request = (new DecryptRequest())
+        ->setName($formattedName)
+        ->setCiphertext($ciphertext);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var DecryptResponse $response */
+        $response = $keyManagementServiceClient->decrypt($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedName = KeyManagementServiceClient::cryptoKeyName(
+        '[PROJECT]',
+        '[LOCATION]',
+        '[KEY_RING]',
+        '[CRYPTO_KEY]'
+    );
+    $ciphertext = '...';
+
+    decrypt_sample($formattedName, $ciphertext);
+}
+// [END cloudkms_v1_generated_KeyManagementService_Decrypt_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/destroy_crypto_key_version.php b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/destroy_crypto_key_version.php
new file mode 100644
index 000000000000..b0090eef2c77
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/destroy_crypto_key_version.php
@@ -0,0 +1,98 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_KeyManagementService_DestroyCryptoKeyVersion_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\CryptoKeyVersion;
+use Google\Cloud\Kms\V1\DestroyCryptoKeyVersionRequest;
+
+/**
+ * Schedule a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] for
+ * destruction.
+ *
+ * Upon calling this method,
+ * [CryptoKeyVersion.state][google.cloud.kms.v1.CryptoKeyVersion.state] will
+ * be set to
+ * [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED],
+ * and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] will
+ * be set to the time
+ * [destroy_scheduled_duration][google.cloud.kms.v1.CryptoKey.destroy_scheduled_duration]
+ * in the future. At that time, the
+ * [state][google.cloud.kms.v1.CryptoKeyVersion.state] will automatically
+ * change to
+ * [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED],
+ * and the key material will be irrevocably destroyed.
+ *
+ * Before the
+ * [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] is
+ * reached,
+ * [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]
+ * may be called to reverse the process.
+ *
+ * @param string $formattedName The resource name of the
+ *                              [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to destroy. Please see
+ *                              {@see KeyManagementServiceClient::cryptoKeyVersionName()} for help formatting this field.
+ */
+function destroy_crypto_key_version_sample(string $formattedName): void
+{
+    // Create a client.
+    $keyManagementServiceClient = new KeyManagementServiceClient();
+
+    // Prepare the request message.
+    $request = (new DestroyCryptoKeyVersionRequest())
+        ->setName($formattedName);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var CryptoKeyVersion $response */
+        $response = $keyManagementServiceClient->destroyCryptoKeyVersion($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedName = KeyManagementServiceClient::cryptoKeyVersionName(
+        '[PROJECT]',
+        '[LOCATION]',
+        '[KEY_RING]',
+        '[CRYPTO_KEY]',
+        '[CRYPTO_KEY_VERSION]'
+    );
+
+    destroy_crypto_key_version_sample($formattedName);
+}
+// [END cloudkms_v1_generated_KeyManagementService_DestroyCryptoKeyVersion_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/encrypt.php b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/encrypt.php
new file mode 100644
index 000000000000..7f719bcf2ef5
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/encrypt.php
@@ -0,0 +1,92 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_KeyManagementService_Encrypt_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\EncryptRequest;
+use Google\Cloud\Kms\V1\EncryptResponse;
+
+/**
+ * Encrypts data, so that it can only be recovered by a call to
+ * [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt]. The
+ * [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be
+ * [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
+ *
+ * @param string $name      The resource name of the
+ *                          [CryptoKey][google.cloud.kms.v1.CryptoKey] or
+ *                          [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+ *                          encryption.
+ *
+ *                          If a [CryptoKey][google.cloud.kms.v1.CryptoKey] is specified, the server
+ *                          will use its [primary version][google.cloud.kms.v1.CryptoKey.primary].
+ * @param string $plaintext The data to encrypt. Must be no larger than 64KiB.
+ *
+ *                          The maximum size depends on the key version's
+ *                          [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level].
+ *                          For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE],
+ *                          [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL], and
+ *                          [EXTERNAL_VPC][google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC] keys, the
+ *                          plaintext must be no larger than 64KiB. For
+ *                          [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of
+ *                          the plaintext and additional_authenticated_data fields must be no larger
+ *                          than 8KiB.
+ */
+function encrypt_sample(string $name, string $plaintext): void
+{
+    // Create a client.
+    $keyManagementServiceClient = new KeyManagementServiceClient();
+
+    // Prepare the request message.
+    $request = (new EncryptRequest())
+        ->setName($name)
+        ->setPlaintext($plaintext);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var EncryptResponse $response */
+        $response = $keyManagementServiceClient->encrypt($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $name = '[NAME]';
+    $plaintext = '...';
+
+    encrypt_sample($name, $plaintext);
+}
+// [END cloudkms_v1_generated_KeyManagementService_Encrypt_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/generate_random_bytes.php b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/generate_random_bytes.php
new file mode 100644
index 000000000000..a63710011bfd
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/generate_random_bytes.php
@@ -0,0 +1,58 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_KeyManagementService_GenerateRandomBytes_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\GenerateRandomBytesRequest;
+use Google\Cloud\Kms\V1\GenerateRandomBytesResponse;
+
+/**
+ * Generate random bytes using the Cloud KMS randomness source in the provided
+ * location.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function generate_random_bytes_sample(): void
+{
+    // Create a client.
+    $keyManagementServiceClient = new KeyManagementServiceClient();
+
+    // Prepare the request message.
+    $request = new GenerateRandomBytesRequest();
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var GenerateRandomBytesResponse $response */
+        $response = $keyManagementServiceClient->generateRandomBytes($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+// [END cloudkms_v1_generated_KeyManagementService_GenerateRandomBytes_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/get_crypto_key.php b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/get_crypto_key.php
new file mode 100644
index 000000000000..4919946c0081
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/get_crypto_key.php
@@ -0,0 +1,79 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_KeyManagementService_GetCryptoKey_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\CryptoKey;
+use Google\Cloud\Kms\V1\GetCryptoKeyRequest;
+
+/**
+ * Returns metadata for a given [CryptoKey][google.cloud.kms.v1.CryptoKey], as
+ * well as its [primary][google.cloud.kms.v1.CryptoKey.primary]
+ * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
+ *
+ * @param string $formattedName The [name][google.cloud.kms.v1.CryptoKey.name] of the
+ *                              [CryptoKey][google.cloud.kms.v1.CryptoKey] to get. Please see
+ *                              {@see KeyManagementServiceClient::cryptoKeyName()} for help formatting this field.
+ */
+function get_crypto_key_sample(string $formattedName): void
+{
+    // Create a client.
+    $keyManagementServiceClient = new KeyManagementServiceClient();
+
+    // Prepare the request message.
+    $request = (new GetCryptoKeyRequest())
+        ->setName($formattedName);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var CryptoKey $response */
+        $response = $keyManagementServiceClient->getCryptoKey($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedName = KeyManagementServiceClient::cryptoKeyName(
+        '[PROJECT]',
+        '[LOCATION]',
+        '[KEY_RING]',
+        '[CRYPTO_KEY]'
+    );
+
+    get_crypto_key_sample($formattedName);
+}
+// [END cloudkms_v1_generated_KeyManagementService_GetCryptoKey_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/get_crypto_key_version.php b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/get_crypto_key_version.php
new file mode 100644
index 000000000000..17903f74ced5
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/get_crypto_key_version.php
@@ -0,0 +1,79 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_KeyManagementService_GetCryptoKeyVersion_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\CryptoKeyVersion;
+use Google\Cloud\Kms\V1\GetCryptoKeyVersionRequest;
+
+/**
+ * Returns metadata for a given
+ * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
+ *
+ * @param string $formattedName The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
+ *                              [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to get. Please see
+ *                              {@see KeyManagementServiceClient::cryptoKeyVersionName()} for help formatting this field.
+ */
+function get_crypto_key_version_sample(string $formattedName): void
+{
+    // Create a client.
+    $keyManagementServiceClient = new KeyManagementServiceClient();
+
+    // Prepare the request message.
+    $request = (new GetCryptoKeyVersionRequest())
+        ->setName($formattedName);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var CryptoKeyVersion $response */
+        $response = $keyManagementServiceClient->getCryptoKeyVersion($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedName = KeyManagementServiceClient::cryptoKeyVersionName(
+        '[PROJECT]',
+        '[LOCATION]',
+        '[KEY_RING]',
+        '[CRYPTO_KEY]',
+        '[CRYPTO_KEY_VERSION]'
+    );
+
+    get_crypto_key_version_sample($formattedName);
+}
+// [END cloudkms_v1_generated_KeyManagementService_GetCryptoKeyVersion_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/get_iam_policy.php b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/get_iam_policy.php
new file mode 100644
index 000000000000..71a0fe28319b
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/get_iam_policy.php
@@ -0,0 +1,72 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_KeyManagementService_GetIamPolicy_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Iam\V1\GetIamPolicyRequest;
+use Google\Cloud\Iam\V1\Policy;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+
+/**
+ * Gets the access control policy for a resource. Returns an empty policy
+if the resource exists and does not have a policy set.
+ *
+ * @param string $resource REQUIRED: The resource for which the policy is being requested.
+ *                         See the operation documentation for the appropriate value for this field.
+ */
+function get_iam_policy_sample(string $resource): void
+{
+    // Create a client.
+    $keyManagementServiceClient = new KeyManagementServiceClient();
+
+    // Prepare the request message.
+    $request = (new GetIamPolicyRequest())
+        ->setResource($resource);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var Policy $response */
+        $response = $keyManagementServiceClient->getIamPolicy($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $resource = '[RESOURCE]';
+
+    get_iam_policy_sample($resource);
+}
+// [END cloudkms_v1_generated_KeyManagementService_GetIamPolicy_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/get_import_job.php b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/get_import_job.php
new file mode 100644
index 000000000000..0d020d202343
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/get_import_job.php
@@ -0,0 +1,77 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_KeyManagementService_GetImportJob_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\GetImportJobRequest;
+use Google\Cloud\Kms\V1\ImportJob;
+
+/**
+ * Returns metadata for a given [ImportJob][google.cloud.kms.v1.ImportJob].
+ *
+ * @param string $formattedName The [name][google.cloud.kms.v1.ImportJob.name] of the
+ *                              [ImportJob][google.cloud.kms.v1.ImportJob] to get. Please see
+ *                              {@see KeyManagementServiceClient::importJobName()} for help formatting this field.
+ */
+function get_import_job_sample(string $formattedName): void
+{
+    // Create a client.
+    $keyManagementServiceClient = new KeyManagementServiceClient();
+
+    // Prepare the request message.
+    $request = (new GetImportJobRequest())
+        ->setName($formattedName);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var ImportJob $response */
+        $response = $keyManagementServiceClient->getImportJob($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedName = KeyManagementServiceClient::importJobName(
+        '[PROJECT]',
+        '[LOCATION]',
+        '[KEY_RING]',
+        '[IMPORT_JOB]'
+    );
+
+    get_import_job_sample($formattedName);
+}
+// [END cloudkms_v1_generated_KeyManagementService_GetImportJob_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/get_key_ring.php b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/get_key_ring.php
new file mode 100644
index 000000000000..b21c49ace1d3
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/get_key_ring.php
@@ -0,0 +1,72 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_KeyManagementService_GetKeyRing_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\GetKeyRingRequest;
+use Google\Cloud\Kms\V1\KeyRing;
+
+/**
+ * Returns metadata for a given [KeyRing][google.cloud.kms.v1.KeyRing].
+ *
+ * @param string $formattedName The [name][google.cloud.kms.v1.KeyRing.name] of the
+ *                              [KeyRing][google.cloud.kms.v1.KeyRing] to get. Please see
+ *                              {@see KeyManagementServiceClient::keyRingName()} for help formatting this field.
+ */
+function get_key_ring_sample(string $formattedName): void
+{
+    // Create a client.
+    $keyManagementServiceClient = new KeyManagementServiceClient();
+
+    // Prepare the request message.
+    $request = (new GetKeyRingRequest())
+        ->setName($formattedName);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var KeyRing $response */
+        $response = $keyManagementServiceClient->getKeyRing($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedName = KeyManagementServiceClient::keyRingName('[PROJECT]', '[LOCATION]', '[KEY_RING]');
+
+    get_key_ring_sample($formattedName);
+}
+// [END cloudkms_v1_generated_KeyManagementService_GetKeyRing_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/get_location.php b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/get_location.php
new file mode 100644
index 000000000000..d5aa66a0b9d9
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/get_location.php
@@ -0,0 +1,57 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_KeyManagementService_GetLocation_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Location\GetLocationRequest;
+use Google\Cloud\Location\Location;
+
+/**
+ * Gets information about a location.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function get_location_sample(): void
+{
+    // Create a client.
+    $keyManagementServiceClient = new KeyManagementServiceClient();
+
+    // Prepare the request message.
+    $request = new GetLocationRequest();
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var Location $response */
+        $response = $keyManagementServiceClient->getLocation($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+// [END cloudkms_v1_generated_KeyManagementService_GetLocation_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/get_public_key.php b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/get_public_key.php
new file mode 100644
index 000000000000..e30e488a9e65
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/get_public_key.php
@@ -0,0 +1,83 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_KeyManagementService_GetPublicKey_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\GetPublicKeyRequest;
+use Google\Cloud\Kms\V1\PublicKey;
+
+/**
+ * Returns the public key for the given
+ * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. The
+ * [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be
+ * [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN]
+ * or
+ * [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT].
+ *
+ * @param string $formattedName The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
+ *                              [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key to get. Please see
+ *                              {@see KeyManagementServiceClient::cryptoKeyVersionName()} for help formatting this field.
+ */
+function get_public_key_sample(string $formattedName): void
+{
+    // Create a client.
+    $keyManagementServiceClient = new KeyManagementServiceClient();
+
+    // Prepare the request message.
+    $request = (new GetPublicKeyRequest())
+        ->setName($formattedName);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var PublicKey $response */
+        $response = $keyManagementServiceClient->getPublicKey($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedName = KeyManagementServiceClient::cryptoKeyVersionName(
+        '[PROJECT]',
+        '[LOCATION]',
+        '[KEY_RING]',
+        '[CRYPTO_KEY]',
+        '[CRYPTO_KEY_VERSION]'
+    );
+
+    get_public_key_sample($formattedName);
+}
+// [END cloudkms_v1_generated_KeyManagementService_GetPublicKey_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/import_crypto_key_version.php b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/import_crypto_key_version.php
new file mode 100644
index 000000000000..8e82a9df1cc8
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/import_crypto_key_version.php
@@ -0,0 +1,103 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_KeyManagementService_ImportCryptoKeyVersion_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\CryptoKeyVersion;
+use Google\Cloud\Kms\V1\CryptoKeyVersion\CryptoKeyVersionAlgorithm;
+use Google\Cloud\Kms\V1\ImportCryptoKeyVersionRequest;
+
+/**
+ * Import wrapped key material into a
+ * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
+ *
+ * All requests must specify a [CryptoKey][google.cloud.kms.v1.CryptoKey]. If
+ * a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] is additionally
+ * specified in the request, key material will be reimported into that
+ * version. Otherwise, a new version will be created, and will be assigned the
+ * next sequential id within the [CryptoKey][google.cloud.kms.v1.CryptoKey].
+ *
+ * @param string $formattedParent The [name][google.cloud.kms.v1.CryptoKey.name] of the
+ *                                [CryptoKey][google.cloud.kms.v1.CryptoKey] to be imported into.
+ *
+ *                                The create permission is only required on this key when creating a new
+ *                                [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Please see
+ *                                {@see KeyManagementServiceClient::cryptoKeyName()} for help formatting this field.
+ * @param int    $algorithm       The
+ *                                [algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
+ *                                of the key being imported. This does not need to match the
+ *                                [version_template][google.cloud.kms.v1.CryptoKey.version_template] of the
+ *                                [CryptoKey][google.cloud.kms.v1.CryptoKey] this version imports into.
+ * @param string $importJob       The [name][google.cloud.kms.v1.ImportJob.name] of the
+ *                                [ImportJob][google.cloud.kms.v1.ImportJob] that was used to wrap this key
+ *                                material.
+ */
+function import_crypto_key_version_sample(
+    string $formattedParent,
+    int $algorithm,
+    string $importJob
+): void {
+    // Create a client.
+    $keyManagementServiceClient = new KeyManagementServiceClient();
+
+    // Prepare the request message.
+    $request = (new ImportCryptoKeyVersionRequest())
+        ->setParent($formattedParent)
+        ->setAlgorithm($algorithm)
+        ->setImportJob($importJob);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var CryptoKeyVersion $response */
+        $response = $keyManagementServiceClient->importCryptoKeyVersion($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedParent = KeyManagementServiceClient::cryptoKeyName(
+        '[PROJECT]',
+        '[LOCATION]',
+        '[KEY_RING]',
+        '[CRYPTO_KEY]'
+    );
+    $algorithm = CryptoKeyVersionAlgorithm::CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED;
+    $importJob = '[IMPORT_JOB]';
+
+    import_crypto_key_version_sample($formattedParent, $algorithm, $importJob);
+}
+// [END cloudkms_v1_generated_KeyManagementService_ImportCryptoKeyVersion_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/list_crypto_key_versions.php b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/list_crypto_key_versions.php
new file mode 100644
index 000000000000..015a526ed4d2
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/list_crypto_key_versions.php
@@ -0,0 +1,83 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_KeyManagementService_ListCryptoKeyVersions_sync]
+use Google\ApiCore\ApiException;
+use Google\ApiCore\PagedListResponse;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\CryptoKeyVersion;
+use Google\Cloud\Kms\V1\ListCryptoKeyVersionsRequest;
+
+/**
+ * Lists [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
+ *
+ * @param string $formattedParent The resource name of the
+ *                                [CryptoKey][google.cloud.kms.v1.CryptoKey] to list, in the format
+ *                                `projects/&#42;/locations/&#42;/keyRings/&#42;/cryptoKeys/*`. Please see
+ *                                {@see KeyManagementServiceClient::cryptoKeyName()} for help formatting this field.
+ */
+function list_crypto_key_versions_sample(string $formattedParent): void
+{
+    // Create a client.
+    $keyManagementServiceClient = new KeyManagementServiceClient();
+
+    // Prepare the request message.
+    $request = (new ListCryptoKeyVersionsRequest())
+        ->setParent($formattedParent);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var PagedListResponse $response */
+        $response = $keyManagementServiceClient->listCryptoKeyVersions($request);
+
+        /** @var CryptoKeyVersion $element */
+        foreach ($response as $element) {
+            printf('Element data: %s' . PHP_EOL, $element->serializeToJsonString());
+        }
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedParent = KeyManagementServiceClient::cryptoKeyName(
+        '[PROJECT]',
+        '[LOCATION]',
+        '[KEY_RING]',
+        '[CRYPTO_KEY]'
+    );
+
+    list_crypto_key_versions_sample($formattedParent);
+}
+// [END cloudkms_v1_generated_KeyManagementService_ListCryptoKeyVersions_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/list_crypto_keys.php b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/list_crypto_keys.php
new file mode 100644
index 000000000000..29a2ae2517ef
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/list_crypto_keys.php
@@ -0,0 +1,77 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_KeyManagementService_ListCryptoKeys_sync]
+use Google\ApiCore\ApiException;
+use Google\ApiCore\PagedListResponse;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\CryptoKey;
+use Google\Cloud\Kms\V1\ListCryptoKeysRequest;
+
+/**
+ * Lists [CryptoKeys][google.cloud.kms.v1.CryptoKey].
+ *
+ * @param string $formattedParent The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing]
+ *                                to list, in the format `projects/&#42;/locations/&#42;/keyRings/*`. Please see
+ *                                {@see KeyManagementServiceClient::keyRingName()} for help formatting this field.
+ */
+function list_crypto_keys_sample(string $formattedParent): void
+{
+    // Create a client.
+    $keyManagementServiceClient = new KeyManagementServiceClient();
+
+    // Prepare the request message.
+    $request = (new ListCryptoKeysRequest())
+        ->setParent($formattedParent);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var PagedListResponse $response */
+        $response = $keyManagementServiceClient->listCryptoKeys($request);
+
+        /** @var CryptoKey $element */
+        foreach ($response as $element) {
+            printf('Element data: %s' . PHP_EOL, $element->serializeToJsonString());
+        }
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedParent = KeyManagementServiceClient::keyRingName('[PROJECT]', '[LOCATION]', '[KEY_RING]');
+
+    list_crypto_keys_sample($formattedParent);
+}
+// [END cloudkms_v1_generated_KeyManagementService_ListCryptoKeys_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/list_import_jobs.php b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/list_import_jobs.php
new file mode 100644
index 000000000000..8ffb69c6a6de
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/list_import_jobs.php
@@ -0,0 +1,77 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_KeyManagementService_ListImportJobs_sync]
+use Google\ApiCore\ApiException;
+use Google\ApiCore\PagedListResponse;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\ImportJob;
+use Google\Cloud\Kms\V1\ListImportJobsRequest;
+
+/**
+ * Lists [ImportJobs][google.cloud.kms.v1.ImportJob].
+ *
+ * @param string $formattedParent The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing]
+ *                                to list, in the format `projects/&#42;/locations/&#42;/keyRings/*`. Please see
+ *                                {@see KeyManagementServiceClient::keyRingName()} for help formatting this field.
+ */
+function list_import_jobs_sample(string $formattedParent): void
+{
+    // Create a client.
+    $keyManagementServiceClient = new KeyManagementServiceClient();
+
+    // Prepare the request message.
+    $request = (new ListImportJobsRequest())
+        ->setParent($formattedParent);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var PagedListResponse $response */
+        $response = $keyManagementServiceClient->listImportJobs($request);
+
+        /** @var ImportJob $element */
+        foreach ($response as $element) {
+            printf('Element data: %s' . PHP_EOL, $element->serializeToJsonString());
+        }
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedParent = KeyManagementServiceClient::keyRingName('[PROJECT]', '[LOCATION]', '[KEY_RING]');
+
+    list_import_jobs_sample($formattedParent);
+}
+// [END cloudkms_v1_generated_KeyManagementService_ListImportJobs_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/list_key_rings.php b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/list_key_rings.php
new file mode 100644
index 000000000000..1aa8f0bbc947
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/list_key_rings.php
@@ -0,0 +1,78 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_KeyManagementService_ListKeyRings_sync]
+use Google\ApiCore\ApiException;
+use Google\ApiCore\PagedListResponse;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\KeyRing;
+use Google\Cloud\Kms\V1\ListKeyRingsRequest;
+
+/**
+ * Lists [KeyRings][google.cloud.kms.v1.KeyRing].
+ *
+ * @param string $formattedParent The resource name of the location associated with the
+ *                                [KeyRings][google.cloud.kms.v1.KeyRing], in the format
+ *                                `projects/&#42;/locations/*`. Please see
+ *                                {@see KeyManagementServiceClient::locationName()} for help formatting this field.
+ */
+function list_key_rings_sample(string $formattedParent): void
+{
+    // Create a client.
+    $keyManagementServiceClient = new KeyManagementServiceClient();
+
+    // Prepare the request message.
+    $request = (new ListKeyRingsRequest())
+        ->setParent($formattedParent);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var PagedListResponse $response */
+        $response = $keyManagementServiceClient->listKeyRings($request);
+
+        /** @var KeyRing $element */
+        foreach ($response as $element) {
+            printf('Element data: %s' . PHP_EOL, $element->serializeToJsonString());
+        }
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedParent = KeyManagementServiceClient::locationName('[PROJECT]', '[LOCATION]');
+
+    list_key_rings_sample($formattedParent);
+}
+// [END cloudkms_v1_generated_KeyManagementService_ListKeyRings_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/list_locations.php b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/list_locations.php
new file mode 100644
index 000000000000..fa3ffc21350e
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/list_locations.php
@@ -0,0 +1,62 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_KeyManagementService_ListLocations_sync]
+use Google\ApiCore\ApiException;
+use Google\ApiCore\PagedListResponse;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Location\ListLocationsRequest;
+use Google\Cloud\Location\Location;
+
+/**
+ * Lists information about the supported locations for this service.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function list_locations_sample(): void
+{
+    // Create a client.
+    $keyManagementServiceClient = new KeyManagementServiceClient();
+
+    // Prepare the request message.
+    $request = new ListLocationsRequest();
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var PagedListResponse $response */
+        $response = $keyManagementServiceClient->listLocations($request);
+
+        /** @var Location $element */
+        foreach ($response as $element) {
+            printf('Element data: %s' . PHP_EOL, $element->serializeToJsonString());
+        }
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+// [END cloudkms_v1_generated_KeyManagementService_ListLocations_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/mac_sign.php b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/mac_sign.php
new file mode 100644
index 000000000000..41eb52ab8f14
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/mac_sign.php
@@ -0,0 +1,85 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_KeyManagementService_MacSign_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\MacSignRequest;
+use Google\Cloud\Kms\V1\MacSignResponse;
+
+/**
+ * Signs data using a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+ * with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] MAC,
+ * producing a tag that can be verified by another source with the same key.
+ *
+ * @param string $formattedName The resource name of the
+ *                              [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+ *                              signing. Please see
+ *                              {@see KeyManagementServiceClient::cryptoKeyVersionName()} for help formatting this field.
+ * @param string $data          The data to sign. The MAC tag is computed over this data field
+ *                              based on the specific algorithm.
+ */
+function mac_sign_sample(string $formattedName, string $data): void
+{
+    // Create a client.
+    $keyManagementServiceClient = new KeyManagementServiceClient();
+
+    // Prepare the request message.
+    $request = (new MacSignRequest())
+        ->setName($formattedName)
+        ->setData($data);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var MacSignResponse $response */
+        $response = $keyManagementServiceClient->macSign($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedName = KeyManagementServiceClient::cryptoKeyVersionName(
+        '[PROJECT]',
+        '[LOCATION]',
+        '[KEY_RING]',
+        '[CRYPTO_KEY]',
+        '[CRYPTO_KEY_VERSION]'
+    );
+    $data = '...';
+
+    mac_sign_sample($formattedName, $data);
+}
+// [END cloudkms_v1_generated_KeyManagementService_MacSign_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/mac_verify.php b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/mac_verify.php
new file mode 100644
index 000000000000..31bbf3714133
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/mac_verify.php
@@ -0,0 +1,90 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_KeyManagementService_MacVerify_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\MacVerifyRequest;
+use Google\Cloud\Kms\V1\MacVerifyResponse;
+
+/**
+ * Verifies MAC tag using a
+ * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
+ * [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] MAC, and returns
+ * a response that indicates whether or not the verification was successful.
+ *
+ * @param string $formattedName The resource name of the
+ *                              [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+ *                              verification. Please see
+ *                              {@see KeyManagementServiceClient::cryptoKeyVersionName()} for help formatting this field.
+ * @param string $data          The data used previously as a
+ *                              [MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data] to generate
+ *                              the MAC tag.
+ * @param string $mac           The signature to verify.
+ */
+function mac_verify_sample(string $formattedName, string $data, string $mac): void
+{
+    // Create a client.
+    $keyManagementServiceClient = new KeyManagementServiceClient();
+
+    // Prepare the request message.
+    $request = (new MacVerifyRequest())
+        ->setName($formattedName)
+        ->setData($data)
+        ->setMac($mac);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var MacVerifyResponse $response */
+        $response = $keyManagementServiceClient->macVerify($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedName = KeyManagementServiceClient::cryptoKeyVersionName(
+        '[PROJECT]',
+        '[LOCATION]',
+        '[KEY_RING]',
+        '[CRYPTO_KEY]',
+        '[CRYPTO_KEY_VERSION]'
+    );
+    $data = '...';
+    $mac = '...';
+
+    mac_verify_sample($formattedName, $data, $mac);
+}
+// [END cloudkms_v1_generated_KeyManagementService_MacVerify_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/raw_decrypt.php b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/raw_decrypt.php
new file mode 100644
index 000000000000..45d7fd391947
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/raw_decrypt.php
@@ -0,0 +1,84 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_KeyManagementService_RawDecrypt_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\RawDecryptRequest;
+use Google\Cloud\Kms\V1\RawDecryptResponse;
+
+/**
+ * Decrypts data that was originally encrypted using a raw cryptographic
+ * mechanism. The [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
+ * must be
+ * [RAW_ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.RAW_ENCRYPT_DECRYPT].
+ *
+ * @param string $name                 The resource name of the
+ *                                     [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+ *                                     decryption.
+ * @param string $ciphertext           The encrypted data originally returned in
+ *                                     [RawEncryptResponse.ciphertext][google.cloud.kms.v1.RawEncryptResponse.ciphertext].
+ * @param string $initializationVector The initialization vector (IV) used during encryption, which must
+ *                                     match the data originally provided in
+ *                                     [RawEncryptResponse.initialization_vector][google.cloud.kms.v1.RawEncryptResponse.initialization_vector].
+ */
+function raw_decrypt_sample(string $name, string $ciphertext, string $initializationVector): void
+{
+    // Create a client.
+    $keyManagementServiceClient = new KeyManagementServiceClient();
+
+    // Prepare the request message.
+    $request = (new RawDecryptRequest())
+        ->setName($name)
+        ->setCiphertext($ciphertext)
+        ->setInitializationVector($initializationVector);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var RawDecryptResponse $response */
+        $response = $keyManagementServiceClient->rawDecrypt($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $name = '[NAME]';
+    $ciphertext = '...';
+    $initializationVector = '...';
+
+    raw_decrypt_sample($name, $ciphertext, $initializationVector);
+}
+// [END cloudkms_v1_generated_KeyManagementService_RawDecrypt_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/raw_encrypt.php b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/raw_encrypt.php
new file mode 100644
index 000000000000..6087bc112e2c
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/raw_encrypt.php
@@ -0,0 +1,88 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_KeyManagementService_RawEncrypt_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\RawEncryptRequest;
+use Google\Cloud\Kms\V1\RawEncryptResponse;
+
+/**
+ * Encrypts data using portable cryptographic primitives. Most users should
+ * choose [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt] and
+ * [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt] rather than
+ * their raw counterparts. The
+ * [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be
+ * [RAW_ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.RAW_ENCRYPT_DECRYPT].
+ *
+ * @param string $name      The resource name of the
+ *                          [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+ *                          encryption.
+ * @param string $plaintext The data to encrypt. Must be no larger than 64KiB.
+ *
+ *                          The maximum size depends on the key version's
+ *                          [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level].
+ *                          For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the
+ *                          plaintext must be no larger than 64KiB. For
+ *                          [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of
+ *                          the plaintext and additional_authenticated_data fields must be no larger
+ *                          than 8KiB.
+ */
+function raw_encrypt_sample(string $name, string $plaintext): void
+{
+    // Create a client.
+    $keyManagementServiceClient = new KeyManagementServiceClient();
+
+    // Prepare the request message.
+    $request = (new RawEncryptRequest())
+        ->setName($name)
+        ->setPlaintext($plaintext);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var RawEncryptResponse $response */
+        $response = $keyManagementServiceClient->rawEncrypt($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $name = '[NAME]';
+    $plaintext = '...';
+
+    raw_encrypt_sample($name, $plaintext);
+}
+// [END cloudkms_v1_generated_KeyManagementService_RawEncrypt_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/restore_crypto_key_version.php b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/restore_crypto_key_version.php
new file mode 100644
index 000000000000..5d17fc937aaf
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/restore_crypto_key_version.php
@@ -0,0 +1,86 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_KeyManagementService_RestoreCryptoKeyVersion_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\CryptoKeyVersion;
+use Google\Cloud\Kms\V1\RestoreCryptoKeyVersionRequest;
+
+/**
+ * Restore a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the
+ * [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED]
+ * state.
+ *
+ * Upon restoration of the CryptoKeyVersion,
+ * [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to
+ * [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED],
+ * and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] will
+ * be cleared.
+ *
+ * @param string $formattedName The resource name of the
+ *                              [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to restore. Please see
+ *                              {@see KeyManagementServiceClient::cryptoKeyVersionName()} for help formatting this field.
+ */
+function restore_crypto_key_version_sample(string $formattedName): void
+{
+    // Create a client.
+    $keyManagementServiceClient = new KeyManagementServiceClient();
+
+    // Prepare the request message.
+    $request = (new RestoreCryptoKeyVersionRequest())
+        ->setName($formattedName);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var CryptoKeyVersion $response */
+        $response = $keyManagementServiceClient->restoreCryptoKeyVersion($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedName = KeyManagementServiceClient::cryptoKeyVersionName(
+        '[PROJECT]',
+        '[LOCATION]',
+        '[KEY_RING]',
+        '[CRYPTO_KEY]',
+        '[CRYPTO_KEY_VERSION]'
+    );
+
+    restore_crypto_key_version_sample($formattedName);
+}
+// [END cloudkms_v1_generated_KeyManagementService_RestoreCryptoKeyVersion_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/set_iam_policy.php b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/set_iam_policy.php
new file mode 100644
index 000000000000..e3db153a0131
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/set_iam_policy.php
@@ -0,0 +1,77 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_KeyManagementService_SetIamPolicy_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Iam\V1\Policy;
+use Google\Cloud\Iam\V1\SetIamPolicyRequest;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+
+/**
+ * Sets the access control policy on the specified resource. Replaces
+any existing policy.
+
+Can return `NOT_FOUND`, `INVALID_ARGUMENT`, and `PERMISSION_DENIED`
+errors.
+ *
+ * @param string $resource REQUIRED: The resource for which the policy is being specified.
+ *                         See the operation documentation for the appropriate value for this field.
+ */
+function set_iam_policy_sample(string $resource): void
+{
+    // Create a client.
+    $keyManagementServiceClient = new KeyManagementServiceClient();
+
+    // Prepare the request message.
+    $policy = new Policy();
+    $request = (new SetIamPolicyRequest())
+        ->setResource($resource)
+        ->setPolicy($policy);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var Policy $response */
+        $response = $keyManagementServiceClient->setIamPolicy($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $resource = '[RESOURCE]';
+
+    set_iam_policy_sample($resource);
+}
+// [END cloudkms_v1_generated_KeyManagementService_SetIamPolicy_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/test_iam_permissions.php b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/test_iam_permissions.php
new file mode 100644
index 000000000000..f7d0482b677c
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/test_iam_permissions.php
@@ -0,0 +1,84 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_KeyManagementService_TestIamPermissions_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Iam\V1\TestIamPermissionsRequest;
+use Google\Cloud\Iam\V1\TestIamPermissionsResponse;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+
+/**
+ * Returns permissions that a caller has on the specified resource. If the
+resource does not exist, this will return an empty set of
+permissions, not a `NOT_FOUND` error.
+
+Note: This operation is designed to be used for building
+permission-aware UIs and command-line tools, not for authorization
+checking. This operation may "fail open" without warning.
+ *
+ * @param string $resource           REQUIRED: The resource for which the policy detail is being requested.
+ *                                   See the operation documentation for the appropriate value for this field.
+ * @param string $permissionsElement The set of permissions to check for the `resource`. Permissions with
+ *                                   wildcards (such as '*' or 'storage.*') are not allowed. For more
+ *                                   information see
+ *                                   [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).
+ */
+function test_iam_permissions_sample(string $resource, string $permissionsElement): void
+{
+    // Create a client.
+    $keyManagementServiceClient = new KeyManagementServiceClient();
+
+    // Prepare the request message.
+    $permissions = [$permissionsElement,];
+    $request = (new TestIamPermissionsRequest())
+        ->setResource($resource)
+        ->setPermissions($permissions);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var TestIamPermissionsResponse $response */
+        $response = $keyManagementServiceClient->testIamPermissions($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $resource = '[RESOURCE]';
+    $permissionsElement = '[PERMISSIONS]';
+
+    test_iam_permissions_sample($resource, $permissionsElement);
+}
+// [END cloudkms_v1_generated_KeyManagementService_TestIamPermissions_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/update_crypto_key.php b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/update_crypto_key.php
new file mode 100644
index 000000000000..083529fff6b1
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/update_crypto_key.php
@@ -0,0 +1,62 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_KeyManagementService_UpdateCryptoKey_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\CryptoKey;
+use Google\Cloud\Kms\V1\UpdateCryptoKeyRequest;
+use Google\Protobuf\FieldMask;
+
+/**
+ * Update a [CryptoKey][google.cloud.kms.v1.CryptoKey].
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function update_crypto_key_sample(): void
+{
+    // Create a client.
+    $keyManagementServiceClient = new KeyManagementServiceClient();
+
+    // Prepare the request message.
+    $cryptoKey = new CryptoKey();
+    $updateMask = new FieldMask();
+    $request = (new UpdateCryptoKeyRequest())
+        ->setCryptoKey($cryptoKey)
+        ->setUpdateMask($updateMask);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var CryptoKey $response */
+        $response = $keyManagementServiceClient->updateCryptoKey($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+// [END cloudkms_v1_generated_KeyManagementService_UpdateCryptoKey_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/update_crypto_key_primary_version.php b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/update_crypto_key_primary_version.php
new file mode 100644
index 000000000000..6bf7dc69fbd7
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/update_crypto_key_primary_version.php
@@ -0,0 +1,88 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_KeyManagementService_UpdateCryptoKeyPrimaryVersion_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\CryptoKey;
+use Google\Cloud\Kms\V1\UpdateCryptoKeyPrimaryVersionRequest;
+
+/**
+ * Update the version of a [CryptoKey][google.cloud.kms.v1.CryptoKey] that
+ * will be used in
+ * [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
+ *
+ * Returns an error if called on a key whose purpose is not
+ * [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
+ *
+ * @param string $formattedName      The resource name of the
+ *                                   [CryptoKey][google.cloud.kms.v1.CryptoKey] to update. Please see
+ *                                   {@see KeyManagementServiceClient::cryptoKeyName()} for help formatting this field.
+ * @param string $cryptoKeyVersionId The id of the child
+ *                                   [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use as primary.
+ */
+function update_crypto_key_primary_version_sample(
+    string $formattedName,
+    string $cryptoKeyVersionId
+): void {
+    // Create a client.
+    $keyManagementServiceClient = new KeyManagementServiceClient();
+
+    // Prepare the request message.
+    $request = (new UpdateCryptoKeyPrimaryVersionRequest())
+        ->setName($formattedName)
+        ->setCryptoKeyVersionId($cryptoKeyVersionId);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var CryptoKey $response */
+        $response = $keyManagementServiceClient->updateCryptoKeyPrimaryVersion($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedName = KeyManagementServiceClient::cryptoKeyName(
+        '[PROJECT]',
+        '[LOCATION]',
+        '[KEY_RING]',
+        '[CRYPTO_KEY]'
+    );
+    $cryptoKeyVersionId = '[CRYPTO_KEY_VERSION_ID]';
+
+    update_crypto_key_primary_version_sample($formattedName, $cryptoKeyVersionId);
+}
+// [END cloudkms_v1_generated_KeyManagementService_UpdateCryptoKeyPrimaryVersion_sync]
diff --git a/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/update_crypto_key_version.php b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/update_crypto_key_version.php
new file mode 100644
index 000000000000..156a84fa5eae
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/samples/V1/KeyManagementServiceClient/update_crypto_key_version.php
@@ -0,0 +1,73 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_KeyManagementService_UpdateCryptoKeyVersion_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\CryptoKeyVersion;
+use Google\Cloud\Kms\V1\UpdateCryptoKeyVersionRequest;
+use Google\Protobuf\FieldMask;
+
+/**
+ * Update a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s
+ * metadata.
+ *
+ * [state][google.cloud.kms.v1.CryptoKeyVersion.state] may be changed between
+ * [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
+ * and
+ * [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED]
+ * using this method. See
+ * [DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion]
+ * and
+ * [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]
+ * to move between other states.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function update_crypto_key_version_sample(): void
+{
+    // Create a client.
+    $keyManagementServiceClient = new KeyManagementServiceClient();
+
+    // Prepare the request message.
+    $cryptoKeyVersion = new CryptoKeyVersion();
+    $updateMask = new FieldMask();
+    $request = (new UpdateCryptoKeyVersionRequest())
+        ->setCryptoKeyVersion($cryptoKeyVersion)
+        ->setUpdateMask($updateMask);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var CryptoKeyVersion $response */
+        $response = $keyManagementServiceClient->updateCryptoKeyVersion($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+// [END cloudkms_v1_generated_KeyManagementService_UpdateCryptoKeyVersion_sync]
diff --git a/owl-bot-staging/Kms/v1/src/V1/Client/AutokeyAdminClient.php b/owl-bot-staging/Kms/v1/src/V1/Client/AutokeyAdminClient.php
new file mode 100644
index 000000000000..040357b8aa92
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/src/V1/Client/AutokeyAdminClient.php
@@ -0,0 +1,479 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * Generated by gapic-generator-php from the file
+ * https://github.com/googleapis/googleapis/blob/master/google/cloud/kms/v1/autokey_admin.proto
+ * Updates to the above are reflected here through a refresh process.
+ */
+
+namespace Google\Cloud\Kms\V1\Client;
+
+use Google\ApiCore\ApiException;
+use Google\ApiCore\CredentialsWrapper;
+use Google\ApiCore\GapicClientTrait;
+use Google\ApiCore\PagedListResponse;
+use Google\ApiCore\ResourceHelperTrait;
+use Google\ApiCore\RetrySettings;
+use Google\ApiCore\Transport\TransportInterface;
+use Google\ApiCore\ValidationException;
+use Google\Auth\FetchAuthTokenInterface;
+use Google\Cloud\Iam\V1\GetIamPolicyRequest;
+use Google\Cloud\Iam\V1\Policy;
+use Google\Cloud\Iam\V1\SetIamPolicyRequest;
+use Google\Cloud\Iam\V1\TestIamPermissionsRequest;
+use Google\Cloud\Iam\V1\TestIamPermissionsResponse;
+use Google\Cloud\Kms\V1\AutokeyConfig;
+use Google\Cloud\Kms\V1\GetAutokeyConfigRequest;
+use Google\Cloud\Kms\V1\ShowEffectiveAutokeyConfigRequest;
+use Google\Cloud\Kms\V1\ShowEffectiveAutokeyConfigResponse;
+use Google\Cloud\Kms\V1\UpdateAutokeyConfigRequest;
+use Google\Cloud\Location\GetLocationRequest;
+use Google\Cloud\Location\ListLocationsRequest;
+use Google\Cloud\Location\Location;
+use GuzzleHttp\Promise\PromiseInterface;
+
+/**
+ * Service Description: Provides interfaces for managing [Cloud KMS
+ * Autokey](https://cloud.google.com/kms/help/autokey) folder-level
+ * configurations. A configuration is inherited by all descendent projects. A
+ * configuration at one folder overrides any other configurations in its
+ * ancestry. Setting a configuration on a folder is a prerequisite for Cloud KMS
+ * Autokey, so that users working in a descendant project can request
+ * provisioned [CryptoKeys][google.cloud.kms.v1.CryptoKey], ready for Customer
+ * Managed Encryption Key (CMEK) use, on-demand.
+ *
+ * This class provides the ability to make remote calls to the backing service through method
+ * calls that map to API methods.
+ *
+ * Many parameters require resource names to be formatted in a particular way. To
+ * assist with these names, this class includes a format method for each type of
+ * name, and additionally a parseName method to extract the individual identifiers
+ * contained within formatted names that are returned by the API.
+ *
+ * @method PromiseInterface<AutokeyConfig> getAutokeyConfigAsync(GetAutokeyConfigRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<ShowEffectiveAutokeyConfigResponse> showEffectiveAutokeyConfigAsync(ShowEffectiveAutokeyConfigRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<AutokeyConfig> updateAutokeyConfigAsync(UpdateAutokeyConfigRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<Location> getLocationAsync(GetLocationRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<PagedListResponse> listLocationsAsync(ListLocationsRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<Policy> getIamPolicyAsync(GetIamPolicyRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<Policy> setIamPolicyAsync(SetIamPolicyRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<TestIamPermissionsResponse> testIamPermissionsAsync(TestIamPermissionsRequest $request, array $optionalArgs = [])
+ */
+final class AutokeyAdminClient
+{
+    use GapicClientTrait;
+    use ResourceHelperTrait;
+
+    /** The name of the service. */
+    private const SERVICE_NAME = 'google.cloud.kms.v1.AutokeyAdmin';
+
+    /**
+     * The default address of the service.
+     *
+     * @deprecated SERVICE_ADDRESS_TEMPLATE should be used instead.
+     */
+    private const SERVICE_ADDRESS = 'cloudkms.googleapis.com';
+
+    /** The address template of the service. */
+    private const SERVICE_ADDRESS_TEMPLATE = 'cloudkms.UNIVERSE_DOMAIN';
+
+    /** The default port of the service. */
+    private const DEFAULT_SERVICE_PORT = 443;
+
+    /** The name of the code generator, to be included in the agent header. */
+    private const CODEGEN_NAME = 'gapic';
+
+    /** The default scopes required by the service. */
+    public static $serviceScopes = [
+        'https://www.googleapis.com/auth/cloud-platform',
+        'https://www.googleapis.com/auth/cloudkms',
+    ];
+
+    private static function getClientDefaults()
+    {
+        return [
+            'serviceName' => self::SERVICE_NAME,
+            'apiEndpoint' => self::SERVICE_ADDRESS . ':' . self::DEFAULT_SERVICE_PORT,
+            'clientConfig' => __DIR__ . '/../resources/autokey_admin_client_config.json',
+            'descriptorsConfigPath' => __DIR__ . '/../resources/autokey_admin_descriptor_config.php',
+            'gcpApiConfigPath' => __DIR__ . '/../resources/autokey_admin_grpc_config.json',
+            'credentialsConfig' => [
+                'defaultScopes' => self::$serviceScopes,
+            ],
+            'transportConfig' => [
+                'rest' => [
+                    'restClientConfigPath' => __DIR__ . '/../resources/autokey_admin_rest_client_config.php',
+                ],
+            ],
+        ];
+    }
+
+    /**
+     * Formats a string containing the fully-qualified path to represent a
+     * autokey_config resource.
+     *
+     * @param string $folder
+     *
+     * @return string The formatted autokey_config resource.
+     */
+    public static function autokeyConfigName(string $folder): string
+    {
+        return self::getPathTemplate('autokeyConfig')->render([
+            'folder' => $folder,
+        ]);
+    }
+
+    /**
+     * Formats a string containing the fully-qualified path to represent a project
+     * resource.
+     *
+     * @param string $project
+     *
+     * @return string The formatted project resource.
+     */
+    public static function projectName(string $project): string
+    {
+        return self::getPathTemplate('project')->render([
+            'project' => $project,
+        ]);
+    }
+
+    /**
+     * Parses a formatted name string and returns an associative array of the components in the name.
+     * The following name formats are supported:
+     * Template: Pattern
+     * - autokeyConfig: folders/{folder}/autokeyConfig
+     * - project: projects/{project}
+     *
+     * The optional $template argument can be supplied to specify a particular pattern,
+     * and must match one of the templates listed above. If no $template argument is
+     * provided, or if the $template argument does not match one of the templates
+     * listed, then parseName will check each of the supported templates, and return
+     * the first match.
+     *
+     * @param string $formattedName The formatted name string
+     * @param string $template      Optional name of template to match
+     *
+     * @return array An associative array from name component IDs to component values.
+     *
+     * @throws ValidationException If $formattedName could not be matched.
+     */
+    public static function parseName(string $formattedName, string $template = null): array
+    {
+        return self::parseFormattedName($formattedName, $template);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $options {
+     *     Optional. Options for configuring the service API wrapper.
+     *
+     *     @type string $apiEndpoint
+     *           The address of the API remote host. May optionally include the port, formatted
+     *           as "<uri>:<port>". Default 'cloudkms.googleapis.com:443'.
+     *     @type string|array|FetchAuthTokenInterface|CredentialsWrapper $credentials
+     *           The credentials to be used by the client to authorize API calls. This option
+     *           accepts either a path to a credentials file, or a decoded credentials file as a
+     *           PHP array.
+     *           *Advanced usage*: In addition, this option can also accept a pre-constructed
+     *           {@see \Google\Auth\FetchAuthTokenInterface} object or
+     *           {@see \Google\ApiCore\CredentialsWrapper} object. Note that when one of these
+     *           objects are provided, any settings in $credentialsConfig will be ignored.
+     *     @type array $credentialsConfig
+     *           Options used to configure credentials, including auth token caching, for the
+     *           client. For a full list of supporting configuration options, see
+     *           {@see \Google\ApiCore\CredentialsWrapper::build()} .
+     *     @type bool $disableRetries
+     *           Determines whether or not retries defined by the client configuration should be
+     *           disabled. Defaults to `false`.
+     *     @type string|array $clientConfig
+     *           Client method configuration, including retry settings. This option can be either
+     *           a path to a JSON file, or a PHP array containing the decoded JSON data. By
+     *           default this settings points to the default client config file, which is
+     *           provided in the resources folder.
+     *     @type string|TransportInterface $transport
+     *           The transport used for executing network requests. May be either the string
+     *           `rest` or `grpc`. Defaults to `grpc` if gRPC support is detected on the system.
+     *           *Advanced usage*: Additionally, it is possible to pass in an already
+     *           instantiated {@see \Google\ApiCore\Transport\TransportInterface} object. Note
+     *           that when this object is provided, any settings in $transportConfig, and any
+     *           $apiEndpoint setting, will be ignored.
+     *     @type array $transportConfig
+     *           Configuration options that will be used to construct the transport. Options for
+     *           each supported transport type should be passed in a key for that transport. For
+     *           example:
+     *           $transportConfig = [
+     *               'grpc' => [...],
+     *               'rest' => [...],
+     *           ];
+     *           See the {@see \Google\ApiCore\Transport\GrpcTransport::build()} and
+     *           {@see \Google\ApiCore\Transport\RestTransport::build()} methods for the
+     *           supported options.
+     *     @type callable $clientCertSource
+     *           A callable which returns the client cert as a string. This can be used to
+     *           provide a certificate and private key to the transport layer for mTLS.
+     * }
+     *
+     * @throws ValidationException
+     */
+    public function __construct(array $options = [])
+    {
+        $clientOptions = $this->buildClientOptions($options);
+        $this->setClientOptions($clientOptions);
+    }
+
+    /** Handles execution of the async variants for each documented method. */
+    public function __call($method, $args)
+    {
+        if (substr($method, -5) !== 'Async') {
+            trigger_error('Call to undefined method ' . __CLASS__ . "::$method()", E_USER_ERROR);
+        }
+
+        array_unshift($args, substr($method, 0, -5));
+        return call_user_func_array([$this, 'startAsyncCall'], $args);
+    }
+
+    /**
+     * Returns the [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig] for a
+     * folder.
+     *
+     * The async variant is {@see AutokeyAdminClient::getAutokeyConfigAsync()} .
+     *
+     * @example samples/V1/AutokeyAdminClient/get_autokey_config.php
+     *
+     * @param GetAutokeyConfigRequest $request     A request to house fields associated with the call.
+     * @param array                   $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return AutokeyConfig
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function getAutokeyConfig(GetAutokeyConfigRequest $request, array $callOptions = []): AutokeyConfig
+    {
+        return $this->startApiCall('GetAutokeyConfig', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Returns the effective Cloud KMS Autokey configuration for a given project.
+     *
+     * The async variant is
+     * {@see AutokeyAdminClient::showEffectiveAutokeyConfigAsync()} .
+     *
+     * @example samples/V1/AutokeyAdminClient/show_effective_autokey_config.php
+     *
+     * @param ShowEffectiveAutokeyConfigRequest $request     A request to house fields associated with the call.
+     * @param array                             $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return ShowEffectiveAutokeyConfigResponse
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function showEffectiveAutokeyConfig(ShowEffectiveAutokeyConfigRequest $request, array $callOptions = []): ShowEffectiveAutokeyConfigResponse
+    {
+        return $this->startApiCall('ShowEffectiveAutokeyConfig', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Updates the [AutokeyConfig][google.cloud.kms.v1.AutokeyConfig] for a
+     * folder. The caller must have both `cloudkms.autokeyConfigs.update`
+     * permission on the parent folder and `cloudkms.cryptoKeys.setIamPolicy`
+     * permission on the provided key project. A
+     * [KeyHandle][google.cloud.kms.v1.KeyHandle] creation in the folder's
+     * descendant projects will use this configuration to determine where to
+     * create the resulting [CryptoKey][google.cloud.kms.v1.CryptoKey].
+     *
+     * The async variant is {@see AutokeyAdminClient::updateAutokeyConfigAsync()} .
+     *
+     * @example samples/V1/AutokeyAdminClient/update_autokey_config.php
+     *
+     * @param UpdateAutokeyConfigRequest $request     A request to house fields associated with the call.
+     * @param array                      $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return AutokeyConfig
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function updateAutokeyConfig(UpdateAutokeyConfigRequest $request, array $callOptions = []): AutokeyConfig
+    {
+        return $this->startApiCall('UpdateAutokeyConfig', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Gets information about a location.
+     *
+     * The async variant is {@see AutokeyAdminClient::getLocationAsync()} .
+     *
+     * @example samples/V1/AutokeyAdminClient/get_location.php
+     *
+     * @param GetLocationRequest $request     A request to house fields associated with the call.
+     * @param array              $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return Location
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function getLocation(GetLocationRequest $request, array $callOptions = []): Location
+    {
+        return $this->startApiCall('GetLocation', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Lists information about the supported locations for this service.
+     *
+     * The async variant is {@see AutokeyAdminClient::listLocationsAsync()} .
+     *
+     * @example samples/V1/AutokeyAdminClient/list_locations.php
+     *
+     * @param ListLocationsRequest $request     A request to house fields associated with the call.
+     * @param array                $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return PagedListResponse
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function listLocations(ListLocationsRequest $request, array $callOptions = []): PagedListResponse
+    {
+        return $this->startApiCall('ListLocations', $request, $callOptions);
+    }
+
+    /**
+     * Gets the access control policy for a resource. Returns an empty policy
+    if the resource exists and does not have a policy set.
+     *
+     * The async variant is {@see AutokeyAdminClient::getIamPolicyAsync()} .
+     *
+     * @example samples/V1/AutokeyAdminClient/get_iam_policy.php
+     *
+     * @param GetIamPolicyRequest $request     A request to house fields associated with the call.
+     * @param array               $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return Policy
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function getIamPolicy(GetIamPolicyRequest $request, array $callOptions = []): Policy
+    {
+        return $this->startApiCall('GetIamPolicy', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Sets the access control policy on the specified resource. Replaces
+    any existing policy.
+
+    Can return `NOT_FOUND`, `INVALID_ARGUMENT`, and `PERMISSION_DENIED`
+    errors.
+     *
+     * The async variant is {@see AutokeyAdminClient::setIamPolicyAsync()} .
+     *
+     * @example samples/V1/AutokeyAdminClient/set_iam_policy.php
+     *
+     * @param SetIamPolicyRequest $request     A request to house fields associated with the call.
+     * @param array               $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return Policy
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function setIamPolicy(SetIamPolicyRequest $request, array $callOptions = []): Policy
+    {
+        return $this->startApiCall('SetIamPolicy', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Returns permissions that a caller has on the specified resource. If the
+    resource does not exist, this will return an empty set of
+    permissions, not a `NOT_FOUND` error.
+
+    Note: This operation is designed to be used for building
+    permission-aware UIs and command-line tools, not for authorization
+    checking. This operation may "fail open" without warning.
+     *
+     * The async variant is {@see AutokeyAdminClient::testIamPermissionsAsync()} .
+     *
+     * @example samples/V1/AutokeyAdminClient/test_iam_permissions.php
+     *
+     * @param TestIamPermissionsRequest $request     A request to house fields associated with the call.
+     * @param array                     $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return TestIamPermissionsResponse
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function testIamPermissions(TestIamPermissionsRequest $request, array $callOptions = []): TestIamPermissionsResponse
+    {
+        return $this->startApiCall('TestIamPermissions', $request, $callOptions)->wait();
+    }
+}
diff --git a/owl-bot-staging/Kms/v1/src/V1/Client/AutokeyClient.php b/owl-bot-staging/Kms/v1/src/V1/Client/AutokeyClient.php
new file mode 100644
index 000000000000..188f637648b5
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/src/V1/Client/AutokeyClient.php
@@ -0,0 +1,568 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * Generated by gapic-generator-php from the file
+ * https://github.com/googleapis/googleapis/blob/master/google/cloud/kms/v1/autokey.proto
+ * Updates to the above are reflected here through a refresh process.
+ */
+
+namespace Google\Cloud\Kms\V1\Client;
+
+use Google\ApiCore\ApiException;
+use Google\ApiCore\CredentialsWrapper;
+use Google\ApiCore\GapicClientTrait;
+use Google\ApiCore\OperationResponse;
+use Google\ApiCore\PagedListResponse;
+use Google\ApiCore\ResourceHelperTrait;
+use Google\ApiCore\RetrySettings;
+use Google\ApiCore\Transport\TransportInterface;
+use Google\ApiCore\ValidationException;
+use Google\Auth\FetchAuthTokenInterface;
+use Google\Cloud\Iam\V1\GetIamPolicyRequest;
+use Google\Cloud\Iam\V1\Policy;
+use Google\Cloud\Iam\V1\SetIamPolicyRequest;
+use Google\Cloud\Iam\V1\TestIamPermissionsRequest;
+use Google\Cloud\Iam\V1\TestIamPermissionsResponse;
+use Google\Cloud\Kms\V1\CreateKeyHandleRequest;
+use Google\Cloud\Kms\V1\GetKeyHandleRequest;
+use Google\Cloud\Kms\V1\KeyHandle;
+use Google\Cloud\Kms\V1\ListKeyHandlesRequest;
+use Google\Cloud\Location\GetLocationRequest;
+use Google\Cloud\Location\ListLocationsRequest;
+use Google\Cloud\Location\Location;
+use Google\LongRunning\Client\OperationsClient;
+use Google\LongRunning\Operation;
+use GuzzleHttp\Promise\PromiseInterface;
+
+/**
+ * Service Description: Provides interfaces for using [Cloud KMS
+ * Autokey](https://cloud.google.com/kms/help/autokey) to provision new
+ * [CryptoKeys][google.cloud.kms.v1.CryptoKey], ready for Customer Managed
+ * Encryption Key (CMEK) use, on-demand. To support certain client tooling, this
+ * feature is modeled around a [KeyHandle][google.cloud.kms.v1.KeyHandle]
+ * resource: creating a [KeyHandle][google.cloud.kms.v1.KeyHandle] in a resource
+ * project and given location triggers Cloud KMS Autokey to provision a
+ * [CryptoKey][google.cloud.kms.v1.CryptoKey] in the configured key project and
+ * the same location.
+ *
+ * Prior to use in a given resource project,
+ * [UpdateAutokeyConfig][google.cloud.kms.v1.AutokeyAdmin.UpdateAutokeyConfig]
+ * should have been called on an ancestor folder, setting the key project where
+ * Cloud KMS Autokey should create new
+ * [CryptoKeys][google.cloud.kms.v1.CryptoKey]. See documentation for additional
+ * prerequisites. To check what key project, if any, is currently configured on
+ * a resource project's ancestor folder, see
+ * [ShowEffectiveAutokeyConfig][google.cloud.kms.v1.AutokeyAdmin.ShowEffectiveAutokeyConfig].
+ *
+ * This class provides the ability to make remote calls to the backing service through method
+ * calls that map to API methods.
+ *
+ * Many parameters require resource names to be formatted in a particular way. To
+ * assist with these names, this class includes a format method for each type of
+ * name, and additionally a parseName method to extract the individual identifiers
+ * contained within formatted names that are returned by the API.
+ *
+ * @method PromiseInterface<OperationResponse> createKeyHandleAsync(CreateKeyHandleRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<KeyHandle> getKeyHandleAsync(GetKeyHandleRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<PagedListResponse> listKeyHandlesAsync(ListKeyHandlesRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<Location> getLocationAsync(GetLocationRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<PagedListResponse> listLocationsAsync(ListLocationsRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<Policy> getIamPolicyAsync(GetIamPolicyRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<Policy> setIamPolicyAsync(SetIamPolicyRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<TestIamPermissionsResponse> testIamPermissionsAsync(TestIamPermissionsRequest $request, array $optionalArgs = [])
+ */
+final class AutokeyClient
+{
+    use GapicClientTrait;
+    use ResourceHelperTrait;
+
+    /** The name of the service. */
+    private const SERVICE_NAME = 'google.cloud.kms.v1.Autokey';
+
+    /**
+     * The default address of the service.
+     *
+     * @deprecated SERVICE_ADDRESS_TEMPLATE should be used instead.
+     */
+    private const SERVICE_ADDRESS = 'cloudkms.googleapis.com';
+
+    /** The address template of the service. */
+    private const SERVICE_ADDRESS_TEMPLATE = 'cloudkms.UNIVERSE_DOMAIN';
+
+    /** The default port of the service. */
+    private const DEFAULT_SERVICE_PORT = 443;
+
+    /** The name of the code generator, to be included in the agent header. */
+    private const CODEGEN_NAME = 'gapic';
+
+    /** The default scopes required by the service. */
+    public static $serviceScopes = [
+        'https://www.googleapis.com/auth/cloud-platform',
+        'https://www.googleapis.com/auth/cloudkms',
+    ];
+
+    private $operationsClient;
+
+    private static function getClientDefaults()
+    {
+        return [
+            'serviceName' => self::SERVICE_NAME,
+            'apiEndpoint' => self::SERVICE_ADDRESS . ':' . self::DEFAULT_SERVICE_PORT,
+            'clientConfig' => __DIR__ . '/../resources/autokey_client_config.json',
+            'descriptorsConfigPath' => __DIR__ . '/../resources/autokey_descriptor_config.php',
+            'gcpApiConfigPath' => __DIR__ . '/../resources/autokey_grpc_config.json',
+            'credentialsConfig' => [
+                'defaultScopes' => self::$serviceScopes,
+            ],
+            'transportConfig' => [
+                'rest' => [
+                    'restClientConfigPath' => __DIR__ . '/../resources/autokey_rest_client_config.php',
+                ],
+            ],
+        ];
+    }
+
+    /**
+     * Return an OperationsClient object with the same endpoint as $this.
+     *
+     * @return OperationsClient
+     */
+    public function getOperationsClient()
+    {
+        return $this->operationsClient;
+    }
+
+    /**
+     * Resume an existing long running operation that was previously started by a long
+     * running API method. If $methodName is not provided, or does not match a long
+     * running API method, then the operation can still be resumed, but the
+     * OperationResponse object will not deserialize the final response.
+     *
+     * @param string $operationName The name of the long running operation
+     * @param string $methodName    The name of the method used to start the operation
+     *
+     * @return OperationResponse
+     */
+    public function resumeOperation($operationName, $methodName = null)
+    {
+        $options = isset($this->descriptors[$methodName]['longRunning']) ? $this->descriptors[$methodName]['longRunning'] : [];
+        $operation = new OperationResponse($operationName, $this->getOperationsClient(), $options);
+        $operation->reload();
+        return $operation;
+    }
+
+    /**
+     * Create the default operation client for the service.
+     *
+     * @param array $options ClientOptions for the client.
+     *
+     * @return OperationsClient
+     */
+    private function createOperationsClient(array $options)
+    {
+        // Unset client-specific configuration options
+        unset($options['serviceName'], $options['clientConfig'], $options['descriptorsConfigPath']);
+
+        if (isset($options['operationsClient'])) {
+            return $options['operationsClient'];
+        }
+
+        return new OperationsClient($options);
+    }
+
+    /**
+     * Formats a string containing the fully-qualified path to represent a crypto_key
+     * resource.
+     *
+     * @param string $project
+     * @param string $location
+     * @param string $keyRing
+     * @param string $cryptoKey
+     *
+     * @return string The formatted crypto_key resource.
+     */
+    public static function cryptoKeyName(string $project, string $location, string $keyRing, string $cryptoKey): string
+    {
+        return self::getPathTemplate('cryptoKey')->render([
+            'project' => $project,
+            'location' => $location,
+            'key_ring' => $keyRing,
+            'crypto_key' => $cryptoKey,
+        ]);
+    }
+
+    /**
+     * Formats a string containing the fully-qualified path to represent a key_handle
+     * resource.
+     *
+     * @param string $project
+     * @param string $location
+     * @param string $keyHandle
+     *
+     * @return string The formatted key_handle resource.
+     */
+    public static function keyHandleName(string $project, string $location, string $keyHandle): string
+    {
+        return self::getPathTemplate('keyHandle')->render([
+            'project' => $project,
+            'location' => $location,
+            'key_handle' => $keyHandle,
+        ]);
+    }
+
+    /**
+     * Formats a string containing the fully-qualified path to represent a location
+     * resource.
+     *
+     * @param string $project
+     * @param string $location
+     *
+     * @return string The formatted location resource.
+     */
+    public static function locationName(string $project, string $location): string
+    {
+        return self::getPathTemplate('location')->render([
+            'project' => $project,
+            'location' => $location,
+        ]);
+    }
+
+    /**
+     * Parses a formatted name string and returns an associative array of the components in the name.
+     * The following name formats are supported:
+     * Template: Pattern
+     * - cryptoKey: projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}
+     * - keyHandle: projects/{project}/locations/{location}/keyHandles/{key_handle}
+     * - location: projects/{project}/locations/{location}
+     *
+     * The optional $template argument can be supplied to specify a particular pattern,
+     * and must match one of the templates listed above. If no $template argument is
+     * provided, or if the $template argument does not match one of the templates
+     * listed, then parseName will check each of the supported templates, and return
+     * the first match.
+     *
+     * @param string $formattedName The formatted name string
+     * @param string $template      Optional name of template to match
+     *
+     * @return array An associative array from name component IDs to component values.
+     *
+     * @throws ValidationException If $formattedName could not be matched.
+     */
+    public static function parseName(string $formattedName, string $template = null): array
+    {
+        return self::parseFormattedName($formattedName, $template);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $options {
+     *     Optional. Options for configuring the service API wrapper.
+     *
+     *     @type string $apiEndpoint
+     *           The address of the API remote host. May optionally include the port, formatted
+     *           as "<uri>:<port>". Default 'cloudkms.googleapis.com:443'.
+     *     @type string|array|FetchAuthTokenInterface|CredentialsWrapper $credentials
+     *           The credentials to be used by the client to authorize API calls. This option
+     *           accepts either a path to a credentials file, or a decoded credentials file as a
+     *           PHP array.
+     *           *Advanced usage*: In addition, this option can also accept a pre-constructed
+     *           {@see \Google\Auth\FetchAuthTokenInterface} object or
+     *           {@see \Google\ApiCore\CredentialsWrapper} object. Note that when one of these
+     *           objects are provided, any settings in $credentialsConfig will be ignored.
+     *     @type array $credentialsConfig
+     *           Options used to configure credentials, including auth token caching, for the
+     *           client. For a full list of supporting configuration options, see
+     *           {@see \Google\ApiCore\CredentialsWrapper::build()} .
+     *     @type bool $disableRetries
+     *           Determines whether or not retries defined by the client configuration should be
+     *           disabled. Defaults to `false`.
+     *     @type string|array $clientConfig
+     *           Client method configuration, including retry settings. This option can be either
+     *           a path to a JSON file, or a PHP array containing the decoded JSON data. By
+     *           default this settings points to the default client config file, which is
+     *           provided in the resources folder.
+     *     @type string|TransportInterface $transport
+     *           The transport used for executing network requests. May be either the string
+     *           `rest` or `grpc`. Defaults to `grpc` if gRPC support is detected on the system.
+     *           *Advanced usage*: Additionally, it is possible to pass in an already
+     *           instantiated {@see \Google\ApiCore\Transport\TransportInterface} object. Note
+     *           that when this object is provided, any settings in $transportConfig, and any
+     *           $apiEndpoint setting, will be ignored.
+     *     @type array $transportConfig
+     *           Configuration options that will be used to construct the transport. Options for
+     *           each supported transport type should be passed in a key for that transport. For
+     *           example:
+     *           $transportConfig = [
+     *               'grpc' => [...],
+     *               'rest' => [...],
+     *           ];
+     *           See the {@see \Google\ApiCore\Transport\GrpcTransport::build()} and
+     *           {@see \Google\ApiCore\Transport\RestTransport::build()} methods for the
+     *           supported options.
+     *     @type callable $clientCertSource
+     *           A callable which returns the client cert as a string. This can be used to
+     *           provide a certificate and private key to the transport layer for mTLS.
+     * }
+     *
+     * @throws ValidationException
+     */
+    public function __construct(array $options = [])
+    {
+        $clientOptions = $this->buildClientOptions($options);
+        $this->setClientOptions($clientOptions);
+        $this->operationsClient = $this->createOperationsClient($clientOptions);
+    }
+
+    /** Handles execution of the async variants for each documented method. */
+    public function __call($method, $args)
+    {
+        if (substr($method, -5) !== 'Async') {
+            trigger_error('Call to undefined method ' . __CLASS__ . "::$method()", E_USER_ERROR);
+        }
+
+        array_unshift($args, substr($method, 0, -5));
+        return call_user_func_array([$this, 'startAsyncCall'], $args);
+    }
+
+    /**
+     * Creates a new [KeyHandle][google.cloud.kms.v1.KeyHandle], triggering the
+     * provisioning of a new [CryptoKey][google.cloud.kms.v1.CryptoKey] for CMEK
+     * use with the given resource type in the configured key project and the same
+     * location. [GetOperation][Operations.GetOperation] should be used to resolve
+     * the resulting long-running operation and get the resulting
+     * [KeyHandle][google.cloud.kms.v1.KeyHandle] and
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey].
+     *
+     * The async variant is {@see AutokeyClient::createKeyHandleAsync()} .
+     *
+     * @example samples/V1/AutokeyClient/create_key_handle.php
+     *
+     * @param CreateKeyHandleRequest $request     A request to house fields associated with the call.
+     * @param array                  $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return OperationResponse
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function createKeyHandle(CreateKeyHandleRequest $request, array $callOptions = []): OperationResponse
+    {
+        return $this->startApiCall('CreateKeyHandle', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Returns the [KeyHandle][google.cloud.kms.v1.KeyHandle].
+     *
+     * The async variant is {@see AutokeyClient::getKeyHandleAsync()} .
+     *
+     * @example samples/V1/AutokeyClient/get_key_handle.php
+     *
+     * @param GetKeyHandleRequest $request     A request to house fields associated with the call.
+     * @param array               $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return KeyHandle
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function getKeyHandle(GetKeyHandleRequest $request, array $callOptions = []): KeyHandle
+    {
+        return $this->startApiCall('GetKeyHandle', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Lists [KeyHandles][google.cloud.kms.v1.KeyHandle].
+     *
+     * The async variant is {@see AutokeyClient::listKeyHandlesAsync()} .
+     *
+     * @example samples/V1/AutokeyClient/list_key_handles.php
+     *
+     * @param ListKeyHandlesRequest $request     A request to house fields associated with the call.
+     * @param array                 $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return PagedListResponse
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function listKeyHandles(ListKeyHandlesRequest $request, array $callOptions = []): PagedListResponse
+    {
+        return $this->startApiCall('ListKeyHandles', $request, $callOptions);
+    }
+
+    /**
+     * Gets information about a location.
+     *
+     * The async variant is {@see AutokeyClient::getLocationAsync()} .
+     *
+     * @example samples/V1/AutokeyClient/get_location.php
+     *
+     * @param GetLocationRequest $request     A request to house fields associated with the call.
+     * @param array              $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return Location
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function getLocation(GetLocationRequest $request, array $callOptions = []): Location
+    {
+        return $this->startApiCall('GetLocation', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Lists information about the supported locations for this service.
+     *
+     * The async variant is {@see AutokeyClient::listLocationsAsync()} .
+     *
+     * @example samples/V1/AutokeyClient/list_locations.php
+     *
+     * @param ListLocationsRequest $request     A request to house fields associated with the call.
+     * @param array                $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return PagedListResponse
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function listLocations(ListLocationsRequest $request, array $callOptions = []): PagedListResponse
+    {
+        return $this->startApiCall('ListLocations', $request, $callOptions);
+    }
+
+    /**
+     * Gets the access control policy for a resource. Returns an empty policy
+    if the resource exists and does not have a policy set.
+     *
+     * The async variant is {@see AutokeyClient::getIamPolicyAsync()} .
+     *
+     * @example samples/V1/AutokeyClient/get_iam_policy.php
+     *
+     * @param GetIamPolicyRequest $request     A request to house fields associated with the call.
+     * @param array               $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return Policy
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function getIamPolicy(GetIamPolicyRequest $request, array $callOptions = []): Policy
+    {
+        return $this->startApiCall('GetIamPolicy', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Sets the access control policy on the specified resource. Replaces
+    any existing policy.
+
+    Can return `NOT_FOUND`, `INVALID_ARGUMENT`, and `PERMISSION_DENIED`
+    errors.
+     *
+     * The async variant is {@see AutokeyClient::setIamPolicyAsync()} .
+     *
+     * @example samples/V1/AutokeyClient/set_iam_policy.php
+     *
+     * @param SetIamPolicyRequest $request     A request to house fields associated with the call.
+     * @param array               $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return Policy
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function setIamPolicy(SetIamPolicyRequest $request, array $callOptions = []): Policy
+    {
+        return $this->startApiCall('SetIamPolicy', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Returns permissions that a caller has on the specified resource. If the
+    resource does not exist, this will return an empty set of
+    permissions, not a `NOT_FOUND` error.
+
+    Note: This operation is designed to be used for building
+    permission-aware UIs and command-line tools, not for authorization
+    checking. This operation may "fail open" without warning.
+     *
+     * The async variant is {@see AutokeyClient::testIamPermissionsAsync()} .
+     *
+     * @example samples/V1/AutokeyClient/test_iam_permissions.php
+     *
+     * @param TestIamPermissionsRequest $request     A request to house fields associated with the call.
+     * @param array                     $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return TestIamPermissionsResponse
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function testIamPermissions(TestIamPermissionsRequest $request, array $callOptions = []): TestIamPermissionsResponse
+    {
+        return $this->startApiCall('TestIamPermissions', $request, $callOptions)->wait();
+    }
+}
diff --git a/owl-bot-staging/Kms/v1/src/V1/Client/EkmServiceClient.php b/owl-bot-staging/Kms/v1/src/V1/Client/EkmServiceClient.php
new file mode 100644
index 000000000000..f8994719db68
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/src/V1/Client/EkmServiceClient.php
@@ -0,0 +1,635 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * Generated by gapic-generator-php from the file
+ * https://github.com/googleapis/googleapis/blob/master/google/cloud/kms/v1/ekm_service.proto
+ * Updates to the above are reflected here through a refresh process.
+ */
+
+namespace Google\Cloud\Kms\V1\Client;
+
+use Google\ApiCore\ApiException;
+use Google\ApiCore\CredentialsWrapper;
+use Google\ApiCore\GapicClientTrait;
+use Google\ApiCore\PagedListResponse;
+use Google\ApiCore\ResourceHelperTrait;
+use Google\ApiCore\RetrySettings;
+use Google\ApiCore\Transport\TransportInterface;
+use Google\ApiCore\ValidationException;
+use Google\Auth\FetchAuthTokenInterface;
+use Google\Cloud\Iam\V1\GetIamPolicyRequest;
+use Google\Cloud\Iam\V1\Policy;
+use Google\Cloud\Iam\V1\SetIamPolicyRequest;
+use Google\Cloud\Iam\V1\TestIamPermissionsRequest;
+use Google\Cloud\Iam\V1\TestIamPermissionsResponse;
+use Google\Cloud\Kms\V1\CreateEkmConnectionRequest;
+use Google\Cloud\Kms\V1\EkmConfig;
+use Google\Cloud\Kms\V1\EkmConnection;
+use Google\Cloud\Kms\V1\GetEkmConfigRequest;
+use Google\Cloud\Kms\V1\GetEkmConnectionRequest;
+use Google\Cloud\Kms\V1\ListEkmConnectionsRequest;
+use Google\Cloud\Kms\V1\UpdateEkmConfigRequest;
+use Google\Cloud\Kms\V1\UpdateEkmConnectionRequest;
+use Google\Cloud\Kms\V1\VerifyConnectivityRequest;
+use Google\Cloud\Kms\V1\VerifyConnectivityResponse;
+use Google\Cloud\Location\GetLocationRequest;
+use Google\Cloud\Location\ListLocationsRequest;
+use Google\Cloud\Location\Location;
+use GuzzleHttp\Promise\PromiseInterface;
+
+/**
+ * Service Description: Google Cloud Key Management EKM Service
+ *
+ * Manages external cryptographic keys and operations using those keys.
+ * Implements a REST model with the following objects:
+ * * [EkmConnection][google.cloud.kms.v1.EkmConnection]
+ *
+ * This class provides the ability to make remote calls to the backing service through method
+ * calls that map to API methods.
+ *
+ * Many parameters require resource names to be formatted in a particular way. To
+ * assist with these names, this class includes a format method for each type of
+ * name, and additionally a parseName method to extract the individual identifiers
+ * contained within formatted names that are returned by the API.
+ *
+ * @method PromiseInterface<EkmConnection> createEkmConnectionAsync(CreateEkmConnectionRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<EkmConfig> getEkmConfigAsync(GetEkmConfigRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<EkmConnection> getEkmConnectionAsync(GetEkmConnectionRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<PagedListResponse> listEkmConnectionsAsync(ListEkmConnectionsRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<EkmConfig> updateEkmConfigAsync(UpdateEkmConfigRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<EkmConnection> updateEkmConnectionAsync(UpdateEkmConnectionRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<VerifyConnectivityResponse> verifyConnectivityAsync(VerifyConnectivityRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<Location> getLocationAsync(GetLocationRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<PagedListResponse> listLocationsAsync(ListLocationsRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<Policy> getIamPolicyAsync(GetIamPolicyRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<Policy> setIamPolicyAsync(SetIamPolicyRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<TestIamPermissionsResponse> testIamPermissionsAsync(TestIamPermissionsRequest $request, array $optionalArgs = [])
+ */
+final class EkmServiceClient
+{
+    use GapicClientTrait;
+    use ResourceHelperTrait;
+
+    /** The name of the service. */
+    private const SERVICE_NAME = 'google.cloud.kms.v1.EkmService';
+
+    /**
+     * The default address of the service.
+     *
+     * @deprecated SERVICE_ADDRESS_TEMPLATE should be used instead.
+     */
+    private const SERVICE_ADDRESS = 'cloudkms.googleapis.com';
+
+    /** The address template of the service. */
+    private const SERVICE_ADDRESS_TEMPLATE = 'cloudkms.UNIVERSE_DOMAIN';
+
+    /** The default port of the service. */
+    private const DEFAULT_SERVICE_PORT = 443;
+
+    /** The name of the code generator, to be included in the agent header. */
+    private const CODEGEN_NAME = 'gapic';
+
+    /** The default scopes required by the service. */
+    public static $serviceScopes = [
+        'https://www.googleapis.com/auth/cloud-platform',
+        'https://www.googleapis.com/auth/cloudkms',
+    ];
+
+    private static function getClientDefaults()
+    {
+        return [
+            'serviceName' => self::SERVICE_NAME,
+            'apiEndpoint' => self::SERVICE_ADDRESS . ':' . self::DEFAULT_SERVICE_PORT,
+            'clientConfig' => __DIR__ . '/../resources/ekm_service_client_config.json',
+            'descriptorsConfigPath' => __DIR__ . '/../resources/ekm_service_descriptor_config.php',
+            'gcpApiConfigPath' => __DIR__ . '/../resources/ekm_service_grpc_config.json',
+            'credentialsConfig' => [
+                'defaultScopes' => self::$serviceScopes,
+            ],
+            'transportConfig' => [
+                'rest' => [
+                    'restClientConfigPath' => __DIR__ . '/../resources/ekm_service_rest_client_config.php',
+                ],
+            ],
+        ];
+    }
+
+    /**
+     * Formats a string containing the fully-qualified path to represent a ekm_config
+     * resource.
+     *
+     * @param string $project
+     * @param string $location
+     *
+     * @return string The formatted ekm_config resource.
+     */
+    public static function ekmConfigName(string $project, string $location): string
+    {
+        return self::getPathTemplate('ekmConfig')->render([
+            'project' => $project,
+            'location' => $location,
+        ]);
+    }
+
+    /**
+     * Formats a string containing the fully-qualified path to represent a
+     * ekm_connection resource.
+     *
+     * @param string $project
+     * @param string $location
+     * @param string $ekmConnection
+     *
+     * @return string The formatted ekm_connection resource.
+     */
+    public static function ekmConnectionName(string $project, string $location, string $ekmConnection): string
+    {
+        return self::getPathTemplate('ekmConnection')->render([
+            'project' => $project,
+            'location' => $location,
+            'ekm_connection' => $ekmConnection,
+        ]);
+    }
+
+    /**
+     * Formats a string containing the fully-qualified path to represent a location
+     * resource.
+     *
+     * @param string $project
+     * @param string $location
+     *
+     * @return string The formatted location resource.
+     */
+    public static function locationName(string $project, string $location): string
+    {
+        return self::getPathTemplate('location')->render([
+            'project' => $project,
+            'location' => $location,
+        ]);
+    }
+
+    /**
+     * Formats a string containing the fully-qualified path to represent a service
+     * resource.
+     *
+     * @param string $project
+     * @param string $location
+     * @param string $namespace
+     * @param string $service
+     *
+     * @return string The formatted service resource.
+     */
+    public static function serviceName(string $project, string $location, string $namespace, string $service): string
+    {
+        return self::getPathTemplate('service')->render([
+            'project' => $project,
+            'location' => $location,
+            'namespace' => $namespace,
+            'service' => $service,
+        ]);
+    }
+
+    /**
+     * Parses a formatted name string and returns an associative array of the components in the name.
+     * The following name formats are supported:
+     * Template: Pattern
+     * - ekmConfig: projects/{project}/locations/{location}/ekmConfig
+     * - ekmConnection: projects/{project}/locations/{location}/ekmConnections/{ekm_connection}
+     * - location: projects/{project}/locations/{location}
+     * - service: projects/{project}/locations/{location}/namespaces/{namespace}/services/{service}
+     *
+     * The optional $template argument can be supplied to specify a particular pattern,
+     * and must match one of the templates listed above. If no $template argument is
+     * provided, or if the $template argument does not match one of the templates
+     * listed, then parseName will check each of the supported templates, and return
+     * the first match.
+     *
+     * @param string $formattedName The formatted name string
+     * @param string $template      Optional name of template to match
+     *
+     * @return array An associative array from name component IDs to component values.
+     *
+     * @throws ValidationException If $formattedName could not be matched.
+     */
+    public static function parseName(string $formattedName, string $template = null): array
+    {
+        return self::parseFormattedName($formattedName, $template);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $options {
+     *     Optional. Options for configuring the service API wrapper.
+     *
+     *     @type string $apiEndpoint
+     *           The address of the API remote host. May optionally include the port, formatted
+     *           as "<uri>:<port>". Default 'cloudkms.googleapis.com:443'.
+     *     @type string|array|FetchAuthTokenInterface|CredentialsWrapper $credentials
+     *           The credentials to be used by the client to authorize API calls. This option
+     *           accepts either a path to a credentials file, or a decoded credentials file as a
+     *           PHP array.
+     *           *Advanced usage*: In addition, this option can also accept a pre-constructed
+     *           {@see \Google\Auth\FetchAuthTokenInterface} object or
+     *           {@see \Google\ApiCore\CredentialsWrapper} object. Note that when one of these
+     *           objects are provided, any settings in $credentialsConfig will be ignored.
+     *     @type array $credentialsConfig
+     *           Options used to configure credentials, including auth token caching, for the
+     *           client. For a full list of supporting configuration options, see
+     *           {@see \Google\ApiCore\CredentialsWrapper::build()} .
+     *     @type bool $disableRetries
+     *           Determines whether or not retries defined by the client configuration should be
+     *           disabled. Defaults to `false`.
+     *     @type string|array $clientConfig
+     *           Client method configuration, including retry settings. This option can be either
+     *           a path to a JSON file, or a PHP array containing the decoded JSON data. By
+     *           default this settings points to the default client config file, which is
+     *           provided in the resources folder.
+     *     @type string|TransportInterface $transport
+     *           The transport used for executing network requests. May be either the string
+     *           `rest` or `grpc`. Defaults to `grpc` if gRPC support is detected on the system.
+     *           *Advanced usage*: Additionally, it is possible to pass in an already
+     *           instantiated {@see \Google\ApiCore\Transport\TransportInterface} object. Note
+     *           that when this object is provided, any settings in $transportConfig, and any
+     *           $apiEndpoint setting, will be ignored.
+     *     @type array $transportConfig
+     *           Configuration options that will be used to construct the transport. Options for
+     *           each supported transport type should be passed in a key for that transport. For
+     *           example:
+     *           $transportConfig = [
+     *               'grpc' => [...],
+     *               'rest' => [...],
+     *           ];
+     *           See the {@see \Google\ApiCore\Transport\GrpcTransport::build()} and
+     *           {@see \Google\ApiCore\Transport\RestTransport::build()} methods for the
+     *           supported options.
+     *     @type callable $clientCertSource
+     *           A callable which returns the client cert as a string. This can be used to
+     *           provide a certificate and private key to the transport layer for mTLS.
+     * }
+     *
+     * @throws ValidationException
+     */
+    public function __construct(array $options = [])
+    {
+        $clientOptions = $this->buildClientOptions($options);
+        $this->setClientOptions($clientOptions);
+    }
+
+    /** Handles execution of the async variants for each documented method. */
+    public function __call($method, $args)
+    {
+        if (substr($method, -5) !== 'Async') {
+            trigger_error('Call to undefined method ' . __CLASS__ . "::$method()", E_USER_ERROR);
+        }
+
+        array_unshift($args, substr($method, 0, -5));
+        return call_user_func_array([$this, 'startAsyncCall'], $args);
+    }
+
+    /**
+     * Creates a new [EkmConnection][google.cloud.kms.v1.EkmConnection] in a given
+     * Project and Location.
+     *
+     * The async variant is {@see EkmServiceClient::createEkmConnectionAsync()} .
+     *
+     * @example samples/V1/EkmServiceClient/create_ekm_connection.php
+     *
+     * @param CreateEkmConnectionRequest $request     A request to house fields associated with the call.
+     * @param array                      $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return EkmConnection
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function createEkmConnection(CreateEkmConnectionRequest $request, array $callOptions = []): EkmConnection
+    {
+        return $this->startApiCall('CreateEkmConnection', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Returns the [EkmConfig][google.cloud.kms.v1.EkmConfig] singleton resource
+     * for a given project and location.
+     *
+     * The async variant is {@see EkmServiceClient::getEkmConfigAsync()} .
+     *
+     * @example samples/V1/EkmServiceClient/get_ekm_config.php
+     *
+     * @param GetEkmConfigRequest $request     A request to house fields associated with the call.
+     * @param array               $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return EkmConfig
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function getEkmConfig(GetEkmConfigRequest $request, array $callOptions = []): EkmConfig
+    {
+        return $this->startApiCall('GetEkmConfig', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Returns metadata for a given
+     * [EkmConnection][google.cloud.kms.v1.EkmConnection].
+     *
+     * The async variant is {@see EkmServiceClient::getEkmConnectionAsync()} .
+     *
+     * @example samples/V1/EkmServiceClient/get_ekm_connection.php
+     *
+     * @param GetEkmConnectionRequest $request     A request to house fields associated with the call.
+     * @param array                   $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return EkmConnection
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function getEkmConnection(GetEkmConnectionRequest $request, array $callOptions = []): EkmConnection
+    {
+        return $this->startApiCall('GetEkmConnection', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Lists [EkmConnections][google.cloud.kms.v1.EkmConnection].
+     *
+     * The async variant is {@see EkmServiceClient::listEkmConnectionsAsync()} .
+     *
+     * @example samples/V1/EkmServiceClient/list_ekm_connections.php
+     *
+     * @param ListEkmConnectionsRequest $request     A request to house fields associated with the call.
+     * @param array                     $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return PagedListResponse
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function listEkmConnections(ListEkmConnectionsRequest $request, array $callOptions = []): PagedListResponse
+    {
+        return $this->startApiCall('ListEkmConnections', $request, $callOptions);
+    }
+
+    /**
+     * Updates the [EkmConfig][google.cloud.kms.v1.EkmConfig] singleton resource
+     * for a given project and location.
+     *
+     * The async variant is {@see EkmServiceClient::updateEkmConfigAsync()} .
+     *
+     * @example samples/V1/EkmServiceClient/update_ekm_config.php
+     *
+     * @param UpdateEkmConfigRequest $request     A request to house fields associated with the call.
+     * @param array                  $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return EkmConfig
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function updateEkmConfig(UpdateEkmConfigRequest $request, array $callOptions = []): EkmConfig
+    {
+        return $this->startApiCall('UpdateEkmConfig', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Updates an [EkmConnection][google.cloud.kms.v1.EkmConnection]'s metadata.
+     *
+     * The async variant is {@see EkmServiceClient::updateEkmConnectionAsync()} .
+     *
+     * @example samples/V1/EkmServiceClient/update_ekm_connection.php
+     *
+     * @param UpdateEkmConnectionRequest $request     A request to house fields associated with the call.
+     * @param array                      $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return EkmConnection
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function updateEkmConnection(UpdateEkmConnectionRequest $request, array $callOptions = []): EkmConnection
+    {
+        return $this->startApiCall('UpdateEkmConnection', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Verifies that Cloud KMS can successfully connect to the external key
+     * manager specified by an [EkmConnection][google.cloud.kms.v1.EkmConnection].
+     * If there is an error connecting to the EKM, this method returns a
+     * FAILED_PRECONDITION status containing structured information as described
+     * at https://cloud.google.com/kms/docs/reference/ekm_errors.
+     *
+     * The async variant is {@see EkmServiceClient::verifyConnectivityAsync()} .
+     *
+     * @example samples/V1/EkmServiceClient/verify_connectivity.php
+     *
+     * @param VerifyConnectivityRequest $request     A request to house fields associated with the call.
+     * @param array                     $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return VerifyConnectivityResponse
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function verifyConnectivity(VerifyConnectivityRequest $request, array $callOptions = []): VerifyConnectivityResponse
+    {
+        return $this->startApiCall('VerifyConnectivity', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Gets information about a location.
+     *
+     * The async variant is {@see EkmServiceClient::getLocationAsync()} .
+     *
+     * @example samples/V1/EkmServiceClient/get_location.php
+     *
+     * @param GetLocationRequest $request     A request to house fields associated with the call.
+     * @param array              $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return Location
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function getLocation(GetLocationRequest $request, array $callOptions = []): Location
+    {
+        return $this->startApiCall('GetLocation', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Lists information about the supported locations for this service.
+     *
+     * The async variant is {@see EkmServiceClient::listLocationsAsync()} .
+     *
+     * @example samples/V1/EkmServiceClient/list_locations.php
+     *
+     * @param ListLocationsRequest $request     A request to house fields associated with the call.
+     * @param array                $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return PagedListResponse
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function listLocations(ListLocationsRequest $request, array $callOptions = []): PagedListResponse
+    {
+        return $this->startApiCall('ListLocations', $request, $callOptions);
+    }
+
+    /**
+     * Gets the access control policy for a resource. Returns an empty policy
+    if the resource exists and does not have a policy set.
+     *
+     * The async variant is {@see EkmServiceClient::getIamPolicyAsync()} .
+     *
+     * @example samples/V1/EkmServiceClient/get_iam_policy.php
+     *
+     * @param GetIamPolicyRequest $request     A request to house fields associated with the call.
+     * @param array               $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return Policy
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function getIamPolicy(GetIamPolicyRequest $request, array $callOptions = []): Policy
+    {
+        return $this->startApiCall('GetIamPolicy', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Sets the access control policy on the specified resource. Replaces
+    any existing policy.
+
+    Can return `NOT_FOUND`, `INVALID_ARGUMENT`, and `PERMISSION_DENIED`
+    errors.
+     *
+     * The async variant is {@see EkmServiceClient::setIamPolicyAsync()} .
+     *
+     * @example samples/V1/EkmServiceClient/set_iam_policy.php
+     *
+     * @param SetIamPolicyRequest $request     A request to house fields associated with the call.
+     * @param array               $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return Policy
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function setIamPolicy(SetIamPolicyRequest $request, array $callOptions = []): Policy
+    {
+        return $this->startApiCall('SetIamPolicy', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Returns permissions that a caller has on the specified resource. If the
+    resource does not exist, this will return an empty set of
+    permissions, not a `NOT_FOUND` error.
+
+    Note: This operation is designed to be used for building
+    permission-aware UIs and command-line tools, not for authorization
+    checking. This operation may "fail open" without warning.
+     *
+     * The async variant is {@see EkmServiceClient::testIamPermissionsAsync()} .
+     *
+     * @example samples/V1/EkmServiceClient/test_iam_permissions.php
+     *
+     * @param TestIamPermissionsRequest $request     A request to house fields associated with the call.
+     * @param array                     $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return TestIamPermissionsResponse
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function testIamPermissions(TestIamPermissionsRequest $request, array $callOptions = []): TestIamPermissionsResponse
+    {
+        return $this->startApiCall('TestIamPermissions', $request, $callOptions)->wait();
+    }
+}
diff --git a/owl-bot-staging/Kms/v1/src/V1/Client/KeyManagementServiceClient.php b/owl-bot-staging/Kms/v1/src/V1/Client/KeyManagementServiceClient.php
new file mode 100644
index 000000000000..72768aa4a476
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/src/V1/Client/KeyManagementServiceClient.php
@@ -0,0 +1,1374 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * Generated by gapic-generator-php from the file
+ * https://github.com/googleapis/googleapis/blob/master/google/cloud/kms/v1/service.proto
+ * Updates to the above are reflected here through a refresh process.
+ */
+
+namespace Google\Cloud\Kms\V1\Client;
+
+use Google\ApiCore\ApiException;
+use Google\ApiCore\CredentialsWrapper;
+use Google\ApiCore\GapicClientTrait;
+use Google\ApiCore\PagedListResponse;
+use Google\ApiCore\ResourceHelperTrait;
+use Google\ApiCore\RetrySettings;
+use Google\ApiCore\Transport\TransportInterface;
+use Google\ApiCore\ValidationException;
+use Google\Auth\FetchAuthTokenInterface;
+use Google\Cloud\Iam\V1\GetIamPolicyRequest;
+use Google\Cloud\Iam\V1\Policy;
+use Google\Cloud\Iam\V1\SetIamPolicyRequest;
+use Google\Cloud\Iam\V1\TestIamPermissionsRequest;
+use Google\Cloud\Iam\V1\TestIamPermissionsResponse;
+use Google\Cloud\Kms\V1\AsymmetricDecryptRequest;
+use Google\Cloud\Kms\V1\AsymmetricDecryptResponse;
+use Google\Cloud\Kms\V1\AsymmetricSignRequest;
+use Google\Cloud\Kms\V1\AsymmetricSignResponse;
+use Google\Cloud\Kms\V1\CreateCryptoKeyRequest;
+use Google\Cloud\Kms\V1\CreateCryptoKeyVersionRequest;
+use Google\Cloud\Kms\V1\CreateImportJobRequest;
+use Google\Cloud\Kms\V1\CreateKeyRingRequest;
+use Google\Cloud\Kms\V1\CryptoKey;
+use Google\Cloud\Kms\V1\CryptoKeyVersion;
+use Google\Cloud\Kms\V1\DecryptRequest;
+use Google\Cloud\Kms\V1\DecryptResponse;
+use Google\Cloud\Kms\V1\DestroyCryptoKeyVersionRequest;
+use Google\Cloud\Kms\V1\EncryptRequest;
+use Google\Cloud\Kms\V1\EncryptResponse;
+use Google\Cloud\Kms\V1\GenerateRandomBytesRequest;
+use Google\Cloud\Kms\V1\GenerateRandomBytesResponse;
+use Google\Cloud\Kms\V1\GetCryptoKeyRequest;
+use Google\Cloud\Kms\V1\GetCryptoKeyVersionRequest;
+use Google\Cloud\Kms\V1\GetImportJobRequest;
+use Google\Cloud\Kms\V1\GetKeyRingRequest;
+use Google\Cloud\Kms\V1\GetPublicKeyRequest;
+use Google\Cloud\Kms\V1\ImportCryptoKeyVersionRequest;
+use Google\Cloud\Kms\V1\ImportJob;
+use Google\Cloud\Kms\V1\KeyRing;
+use Google\Cloud\Kms\V1\ListCryptoKeyVersionsRequest;
+use Google\Cloud\Kms\V1\ListCryptoKeysRequest;
+use Google\Cloud\Kms\V1\ListImportJobsRequest;
+use Google\Cloud\Kms\V1\ListKeyRingsRequest;
+use Google\Cloud\Kms\V1\MacSignRequest;
+use Google\Cloud\Kms\V1\MacSignResponse;
+use Google\Cloud\Kms\V1\MacVerifyRequest;
+use Google\Cloud\Kms\V1\MacVerifyResponse;
+use Google\Cloud\Kms\V1\PublicKey;
+use Google\Cloud\Kms\V1\RawDecryptRequest;
+use Google\Cloud\Kms\V1\RawDecryptResponse;
+use Google\Cloud\Kms\V1\RawEncryptRequest;
+use Google\Cloud\Kms\V1\RawEncryptResponse;
+use Google\Cloud\Kms\V1\RestoreCryptoKeyVersionRequest;
+use Google\Cloud\Kms\V1\UpdateCryptoKeyPrimaryVersionRequest;
+use Google\Cloud\Kms\V1\UpdateCryptoKeyRequest;
+use Google\Cloud\Kms\V1\UpdateCryptoKeyVersionRequest;
+use Google\Cloud\Location\GetLocationRequest;
+use Google\Cloud\Location\ListLocationsRequest;
+use Google\Cloud\Location\Location;
+use GuzzleHttp\Promise\PromiseInterface;
+
+/**
+ * Service Description: Google Cloud Key Management Service
+ *
+ * Manages cryptographic keys and operations using those keys. Implements a REST
+ * model with the following objects:
+ *
+ * * [KeyRing][google.cloud.kms.v1.KeyRing]
+ * * [CryptoKey][google.cloud.kms.v1.CryptoKey]
+ * * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+ * * [ImportJob][google.cloud.kms.v1.ImportJob]
+ *
+ * If you are using manual gRPC libraries, see
+ * [Using gRPC with Cloud KMS](https://cloud.google.com/kms/docs/grpc).
+ *
+ * This class provides the ability to make remote calls to the backing service through method
+ * calls that map to API methods.
+ *
+ * Many parameters require resource names to be formatted in a particular way. To
+ * assist with these names, this class includes a format method for each type of
+ * name, and additionally a parseName method to extract the individual identifiers
+ * contained within formatted names that are returned by the API.
+ *
+ * @method PromiseInterface<AsymmetricDecryptResponse> asymmetricDecryptAsync(AsymmetricDecryptRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<AsymmetricSignResponse> asymmetricSignAsync(AsymmetricSignRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<CryptoKey> createCryptoKeyAsync(CreateCryptoKeyRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<CryptoKeyVersion> createCryptoKeyVersionAsync(CreateCryptoKeyVersionRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<ImportJob> createImportJobAsync(CreateImportJobRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<KeyRing> createKeyRingAsync(CreateKeyRingRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<DecryptResponse> decryptAsync(DecryptRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<CryptoKeyVersion> destroyCryptoKeyVersionAsync(DestroyCryptoKeyVersionRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<EncryptResponse> encryptAsync(EncryptRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<GenerateRandomBytesResponse> generateRandomBytesAsync(GenerateRandomBytesRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<CryptoKey> getCryptoKeyAsync(GetCryptoKeyRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<CryptoKeyVersion> getCryptoKeyVersionAsync(GetCryptoKeyVersionRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<ImportJob> getImportJobAsync(GetImportJobRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<KeyRing> getKeyRingAsync(GetKeyRingRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<PublicKey> getPublicKeyAsync(GetPublicKeyRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<CryptoKeyVersion> importCryptoKeyVersionAsync(ImportCryptoKeyVersionRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<PagedListResponse> listCryptoKeyVersionsAsync(ListCryptoKeyVersionsRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<PagedListResponse> listCryptoKeysAsync(ListCryptoKeysRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<PagedListResponse> listImportJobsAsync(ListImportJobsRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<PagedListResponse> listKeyRingsAsync(ListKeyRingsRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<MacSignResponse> macSignAsync(MacSignRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<MacVerifyResponse> macVerifyAsync(MacVerifyRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<RawDecryptResponse> rawDecryptAsync(RawDecryptRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<RawEncryptResponse> rawEncryptAsync(RawEncryptRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<CryptoKeyVersion> restoreCryptoKeyVersionAsync(RestoreCryptoKeyVersionRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<CryptoKey> updateCryptoKeyAsync(UpdateCryptoKeyRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<CryptoKey> updateCryptoKeyPrimaryVersionAsync(UpdateCryptoKeyPrimaryVersionRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<CryptoKeyVersion> updateCryptoKeyVersionAsync(UpdateCryptoKeyVersionRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<Location> getLocationAsync(GetLocationRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<PagedListResponse> listLocationsAsync(ListLocationsRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<Policy> getIamPolicyAsync(GetIamPolicyRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<Policy> setIamPolicyAsync(SetIamPolicyRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<TestIamPermissionsResponse> testIamPermissionsAsync(TestIamPermissionsRequest $request, array $optionalArgs = [])
+ */
+final class KeyManagementServiceClient
+{
+    use GapicClientTrait;
+    use ResourceHelperTrait;
+
+    /** The name of the service. */
+    private const SERVICE_NAME = 'google.cloud.kms.v1.KeyManagementService';
+
+    /**
+     * The default address of the service.
+     *
+     * @deprecated SERVICE_ADDRESS_TEMPLATE should be used instead.
+     */
+    private const SERVICE_ADDRESS = 'cloudkms.googleapis.com';
+
+    /** The address template of the service. */
+    private const SERVICE_ADDRESS_TEMPLATE = 'cloudkms.UNIVERSE_DOMAIN';
+
+    /** The default port of the service. */
+    private const DEFAULT_SERVICE_PORT = 443;
+
+    /** The name of the code generator, to be included in the agent header. */
+    private const CODEGEN_NAME = 'gapic';
+
+    /** The default scopes required by the service. */
+    public static $serviceScopes = [
+        'https://www.googleapis.com/auth/cloud-platform',
+        'https://www.googleapis.com/auth/cloudkms',
+    ];
+
+    private static function getClientDefaults()
+    {
+        return [
+            'serviceName' => self::SERVICE_NAME,
+            'apiEndpoint' => self::SERVICE_ADDRESS . ':' . self::DEFAULT_SERVICE_PORT,
+            'clientConfig' => __DIR__ . '/../resources/key_management_service_client_config.json',
+            'descriptorsConfigPath' => __DIR__ . '/../resources/key_management_service_descriptor_config.php',
+            'gcpApiConfigPath' => __DIR__ . '/../resources/key_management_service_grpc_config.json',
+            'credentialsConfig' => [
+                'defaultScopes' => self::$serviceScopes,
+            ],
+            'transportConfig' => [
+                'rest' => [
+                    'restClientConfigPath' => __DIR__ . '/../resources/key_management_service_rest_client_config.php',
+                ],
+            ],
+        ];
+    }
+
+    /**
+     * Formats a string containing the fully-qualified path to represent a crypto_key
+     * resource.
+     *
+     * @param string $project
+     * @param string $location
+     * @param string $keyRing
+     * @param string $cryptoKey
+     *
+     * @return string The formatted crypto_key resource.
+     */
+    public static function cryptoKeyName(string $project, string $location, string $keyRing, string $cryptoKey): string
+    {
+        return self::getPathTemplate('cryptoKey')->render([
+            'project' => $project,
+            'location' => $location,
+            'key_ring' => $keyRing,
+            'crypto_key' => $cryptoKey,
+        ]);
+    }
+
+    /**
+     * Formats a string containing the fully-qualified path to represent a
+     * crypto_key_version resource.
+     *
+     * @param string $project
+     * @param string $location
+     * @param string $keyRing
+     * @param string $cryptoKey
+     * @param string $cryptoKeyVersion
+     *
+     * @return string The formatted crypto_key_version resource.
+     */
+    public static function cryptoKeyVersionName(string $project, string $location, string $keyRing, string $cryptoKey, string $cryptoKeyVersion): string
+    {
+        return self::getPathTemplate('cryptoKeyVersion')->render([
+            'project' => $project,
+            'location' => $location,
+            'key_ring' => $keyRing,
+            'crypto_key' => $cryptoKey,
+            'crypto_key_version' => $cryptoKeyVersion,
+        ]);
+    }
+
+    /**
+     * Formats a string containing the fully-qualified path to represent a import_job
+     * resource.
+     *
+     * @param string $project
+     * @param string $location
+     * @param string $keyRing
+     * @param string $importJob
+     *
+     * @return string The formatted import_job resource.
+     */
+    public static function importJobName(string $project, string $location, string $keyRing, string $importJob): string
+    {
+        return self::getPathTemplate('importJob')->render([
+            'project' => $project,
+            'location' => $location,
+            'key_ring' => $keyRing,
+            'import_job' => $importJob,
+        ]);
+    }
+
+    /**
+     * Formats a string containing the fully-qualified path to represent a key_ring
+     * resource.
+     *
+     * @param string $project
+     * @param string $location
+     * @param string $keyRing
+     *
+     * @return string The formatted key_ring resource.
+     */
+    public static function keyRingName(string $project, string $location, string $keyRing): string
+    {
+        return self::getPathTemplate('keyRing')->render([
+            'project' => $project,
+            'location' => $location,
+            'key_ring' => $keyRing,
+        ]);
+    }
+
+    /**
+     * Formats a string containing the fully-qualified path to represent a location
+     * resource.
+     *
+     * @param string $project
+     * @param string $location
+     *
+     * @return string The formatted location resource.
+     */
+    public static function locationName(string $project, string $location): string
+    {
+        return self::getPathTemplate('location')->render([
+            'project' => $project,
+            'location' => $location,
+        ]);
+    }
+
+    /**
+     * Parses a formatted name string and returns an associative array of the components in the name.
+     * The following name formats are supported:
+     * Template: Pattern
+     * - cryptoKey: projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}
+     * - cryptoKeyVersion: projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}/cryptoKeyVersions/{crypto_key_version}
+     * - importJob: projects/{project}/locations/{location}/keyRings/{key_ring}/importJobs/{import_job}
+     * - keyRing: projects/{project}/locations/{location}/keyRings/{key_ring}
+     * - location: projects/{project}/locations/{location}
+     *
+     * The optional $template argument can be supplied to specify a particular pattern,
+     * and must match one of the templates listed above. If no $template argument is
+     * provided, or if the $template argument does not match one of the templates
+     * listed, then parseName will check each of the supported templates, and return
+     * the first match.
+     *
+     * @param string $formattedName The formatted name string
+     * @param string $template      Optional name of template to match
+     *
+     * @return array An associative array from name component IDs to component values.
+     *
+     * @throws ValidationException If $formattedName could not be matched.
+     */
+    public static function parseName(string $formattedName, string $template = null): array
+    {
+        return self::parseFormattedName($formattedName, $template);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param array $options {
+     *     Optional. Options for configuring the service API wrapper.
+     *
+     *     @type string $apiEndpoint
+     *           The address of the API remote host. May optionally include the port, formatted
+     *           as "<uri>:<port>". Default 'cloudkms.googleapis.com:443'.
+     *     @type string|array|FetchAuthTokenInterface|CredentialsWrapper $credentials
+     *           The credentials to be used by the client to authorize API calls. This option
+     *           accepts either a path to a credentials file, or a decoded credentials file as a
+     *           PHP array.
+     *           *Advanced usage*: In addition, this option can also accept a pre-constructed
+     *           {@see \Google\Auth\FetchAuthTokenInterface} object or
+     *           {@see \Google\ApiCore\CredentialsWrapper} object. Note that when one of these
+     *           objects are provided, any settings in $credentialsConfig will be ignored.
+     *     @type array $credentialsConfig
+     *           Options used to configure credentials, including auth token caching, for the
+     *           client. For a full list of supporting configuration options, see
+     *           {@see \Google\ApiCore\CredentialsWrapper::build()} .
+     *     @type bool $disableRetries
+     *           Determines whether or not retries defined by the client configuration should be
+     *           disabled. Defaults to `false`.
+     *     @type string|array $clientConfig
+     *           Client method configuration, including retry settings. This option can be either
+     *           a path to a JSON file, or a PHP array containing the decoded JSON data. By
+     *           default this settings points to the default client config file, which is
+     *           provided in the resources folder.
+     *     @type string|TransportInterface $transport
+     *           The transport used for executing network requests. May be either the string
+     *           `rest` or `grpc`. Defaults to `grpc` if gRPC support is detected on the system.
+     *           *Advanced usage*: Additionally, it is possible to pass in an already
+     *           instantiated {@see \Google\ApiCore\Transport\TransportInterface} object. Note
+     *           that when this object is provided, any settings in $transportConfig, and any
+     *           $apiEndpoint setting, will be ignored.
+     *     @type array $transportConfig
+     *           Configuration options that will be used to construct the transport. Options for
+     *           each supported transport type should be passed in a key for that transport. For
+     *           example:
+     *           $transportConfig = [
+     *               'grpc' => [...],
+     *               'rest' => [...],
+     *           ];
+     *           See the {@see \Google\ApiCore\Transport\GrpcTransport::build()} and
+     *           {@see \Google\ApiCore\Transport\RestTransport::build()} methods for the
+     *           supported options.
+     *     @type callable $clientCertSource
+     *           A callable which returns the client cert as a string. This can be used to
+     *           provide a certificate and private key to the transport layer for mTLS.
+     * }
+     *
+     * @throws ValidationException
+     */
+    public function __construct(array $options = [])
+    {
+        $clientOptions = $this->buildClientOptions($options);
+        $this->setClientOptions($clientOptions);
+    }
+
+    /** Handles execution of the async variants for each documented method. */
+    public function __call($method, $args)
+    {
+        if (substr($method, -5) !== 'Async') {
+            trigger_error('Call to undefined method ' . __CLASS__ . "::$method()", E_USER_ERROR);
+        }
+
+        array_unshift($args, substr($method, 0, -5));
+        return call_user_func_array([$this, 'startAsyncCall'], $args);
+    }
+
+    /**
+     * Decrypts data that was encrypted with a public key retrieved from
+     * [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey]
+     * corresponding to a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+     * with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
+     * ASYMMETRIC_DECRYPT.
+     *
+     * The async variant is {@see KeyManagementServiceClient::asymmetricDecryptAsync()}
+     * .
+     *
+     * @example samples/V1/KeyManagementServiceClient/asymmetric_decrypt.php
+     *
+     * @param AsymmetricDecryptRequest $request     A request to house fields associated with the call.
+     * @param array                    $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return AsymmetricDecryptResponse
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function asymmetricDecrypt(AsymmetricDecryptRequest $request, array $callOptions = []): AsymmetricDecryptResponse
+    {
+        return $this->startApiCall('AsymmetricDecrypt', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Signs data using a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+     * with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
+     * ASYMMETRIC_SIGN, producing a signature that can be verified with the public
+     * key retrieved from
+     * [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
+     *
+     * The async variant is {@see KeyManagementServiceClient::asymmetricSignAsync()} .
+     *
+     * @example samples/V1/KeyManagementServiceClient/asymmetric_sign.php
+     *
+     * @param AsymmetricSignRequest $request     A request to house fields associated with the call.
+     * @param array                 $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return AsymmetricSignResponse
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function asymmetricSign(AsymmetricSignRequest $request, array $callOptions = []): AsymmetricSignResponse
+    {
+        return $this->startApiCall('AsymmetricSign', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Create a new [CryptoKey][google.cloud.kms.v1.CryptoKey] within a
+     * [KeyRing][google.cloud.kms.v1.KeyRing].
+     *
+     * [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] and
+     * [CryptoKey.version_template.algorithm][google.cloud.kms.v1.CryptoKeyVersionTemplate.algorithm]
+     * are required.
+     *
+     * The async variant is {@see KeyManagementServiceClient::createCryptoKeyAsync()} .
+     *
+     * @example samples/V1/KeyManagementServiceClient/create_crypto_key.php
+     *
+     * @param CreateCryptoKeyRequest $request     A request to house fields associated with the call.
+     * @param array                  $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return CryptoKey
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function createCryptoKey(CreateCryptoKeyRequest $request, array $callOptions = []): CryptoKey
+    {
+        return $this->startApiCall('CreateCryptoKey', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Create a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in a
+     * [CryptoKey][google.cloud.kms.v1.CryptoKey].
+     *
+     * The server will assign the next sequential id. If unset,
+     * [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to
+     * [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED].
+     *
+     * The async variant is
+     * {@see KeyManagementServiceClient::createCryptoKeyVersionAsync()} .
+     *
+     * @example samples/V1/KeyManagementServiceClient/create_crypto_key_version.php
+     *
+     * @param CreateCryptoKeyVersionRequest $request     A request to house fields associated with the call.
+     * @param array                         $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return CryptoKeyVersion
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function createCryptoKeyVersion(CreateCryptoKeyVersionRequest $request, array $callOptions = []): CryptoKeyVersion
+    {
+        return $this->startApiCall('CreateCryptoKeyVersion', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Create a new [ImportJob][google.cloud.kms.v1.ImportJob] within a
+     * [KeyRing][google.cloud.kms.v1.KeyRing].
+     *
+     * [ImportJob.import_method][google.cloud.kms.v1.ImportJob.import_method] is
+     * required.
+     *
+     * The async variant is {@see KeyManagementServiceClient::createImportJobAsync()} .
+     *
+     * @example samples/V1/KeyManagementServiceClient/create_import_job.php
+     *
+     * @param CreateImportJobRequest $request     A request to house fields associated with the call.
+     * @param array                  $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return ImportJob
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function createImportJob(CreateImportJobRequest $request, array $callOptions = []): ImportJob
+    {
+        return $this->startApiCall('CreateImportJob', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Create a new [KeyRing][google.cloud.kms.v1.KeyRing] in a given Project and
+     * Location.
+     *
+     * The async variant is {@see KeyManagementServiceClient::createKeyRingAsync()} .
+     *
+     * @example samples/V1/KeyManagementServiceClient/create_key_ring.php
+     *
+     * @param CreateKeyRingRequest $request     A request to house fields associated with the call.
+     * @param array                $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return KeyRing
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function createKeyRing(CreateKeyRingRequest $request, array $callOptions = []): KeyRing
+    {
+        return $this->startApiCall('CreateKeyRing', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Decrypts data that was protected by
+     * [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. The
+     * [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be
+     * [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
+     *
+     * The async variant is {@see KeyManagementServiceClient::decryptAsync()} .
+     *
+     * @example samples/V1/KeyManagementServiceClient/decrypt.php
+     *
+     * @param DecryptRequest $request     A request to house fields associated with the call.
+     * @param array          $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return DecryptResponse
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function decrypt(DecryptRequest $request, array $callOptions = []): DecryptResponse
+    {
+        return $this->startApiCall('Decrypt', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Schedule a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] for
+     * destruction.
+     *
+     * Upon calling this method,
+     * [CryptoKeyVersion.state][google.cloud.kms.v1.CryptoKeyVersion.state] will
+     * be set to
+     * [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED],
+     * and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] will
+     * be set to the time
+     * [destroy_scheduled_duration][google.cloud.kms.v1.CryptoKey.destroy_scheduled_duration]
+     * in the future. At that time, the
+     * [state][google.cloud.kms.v1.CryptoKeyVersion.state] will automatically
+     * change to
+     * [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED],
+     * and the key material will be irrevocably destroyed.
+     *
+     * Before the
+     * [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] is
+     * reached,
+     * [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]
+     * may be called to reverse the process.
+     *
+     * The async variant is
+     * {@see KeyManagementServiceClient::destroyCryptoKeyVersionAsync()} .
+     *
+     * @example samples/V1/KeyManagementServiceClient/destroy_crypto_key_version.php
+     *
+     * @param DestroyCryptoKeyVersionRequest $request     A request to house fields associated with the call.
+     * @param array                          $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return CryptoKeyVersion
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function destroyCryptoKeyVersion(DestroyCryptoKeyVersionRequest $request, array $callOptions = []): CryptoKeyVersion
+    {
+        return $this->startApiCall('DestroyCryptoKeyVersion', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Encrypts data, so that it can only be recovered by a call to
+     * [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt]. The
+     * [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be
+     * [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
+     *
+     * The async variant is {@see KeyManagementServiceClient::encryptAsync()} .
+     *
+     * @example samples/V1/KeyManagementServiceClient/encrypt.php
+     *
+     * @param EncryptRequest $request     A request to house fields associated with the call.
+     * @param array          $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return EncryptResponse
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function encrypt(EncryptRequest $request, array $callOptions = []): EncryptResponse
+    {
+        return $this->startApiCall('Encrypt', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Generate random bytes using the Cloud KMS randomness source in the provided
+     * location.
+     *
+     * The async variant is
+     * {@see KeyManagementServiceClient::generateRandomBytesAsync()} .
+     *
+     * @example samples/V1/KeyManagementServiceClient/generate_random_bytes.php
+     *
+     * @param GenerateRandomBytesRequest $request     A request to house fields associated with the call.
+     * @param array                      $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return GenerateRandomBytesResponse
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function generateRandomBytes(GenerateRandomBytesRequest $request, array $callOptions = []): GenerateRandomBytesResponse
+    {
+        return $this->startApiCall('GenerateRandomBytes', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Returns metadata for a given [CryptoKey][google.cloud.kms.v1.CryptoKey], as
+     * well as its [primary][google.cloud.kms.v1.CryptoKey.primary]
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
+     *
+     * The async variant is {@see KeyManagementServiceClient::getCryptoKeyAsync()} .
+     *
+     * @example samples/V1/KeyManagementServiceClient/get_crypto_key.php
+     *
+     * @param GetCryptoKeyRequest $request     A request to house fields associated with the call.
+     * @param array               $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return CryptoKey
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function getCryptoKey(GetCryptoKeyRequest $request, array $callOptions = []): CryptoKey
+    {
+        return $this->startApiCall('GetCryptoKey', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Returns metadata for a given
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
+     *
+     * The async variant is
+     * {@see KeyManagementServiceClient::getCryptoKeyVersionAsync()} .
+     *
+     * @example samples/V1/KeyManagementServiceClient/get_crypto_key_version.php
+     *
+     * @param GetCryptoKeyVersionRequest $request     A request to house fields associated with the call.
+     * @param array                      $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return CryptoKeyVersion
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function getCryptoKeyVersion(GetCryptoKeyVersionRequest $request, array $callOptions = []): CryptoKeyVersion
+    {
+        return $this->startApiCall('GetCryptoKeyVersion', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Returns metadata for a given [ImportJob][google.cloud.kms.v1.ImportJob].
+     *
+     * The async variant is {@see KeyManagementServiceClient::getImportJobAsync()} .
+     *
+     * @example samples/V1/KeyManagementServiceClient/get_import_job.php
+     *
+     * @param GetImportJobRequest $request     A request to house fields associated with the call.
+     * @param array               $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return ImportJob
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function getImportJob(GetImportJobRequest $request, array $callOptions = []): ImportJob
+    {
+        return $this->startApiCall('GetImportJob', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Returns metadata for a given [KeyRing][google.cloud.kms.v1.KeyRing].
+     *
+     * The async variant is {@see KeyManagementServiceClient::getKeyRingAsync()} .
+     *
+     * @example samples/V1/KeyManagementServiceClient/get_key_ring.php
+     *
+     * @param GetKeyRingRequest $request     A request to house fields associated with the call.
+     * @param array             $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return KeyRing
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function getKeyRing(GetKeyRingRequest $request, array $callOptions = []): KeyRing
+    {
+        return $this->startApiCall('GetKeyRing', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Returns the public key for the given
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. The
+     * [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be
+     * [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN]
+     * or
+     * [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT].
+     *
+     * The async variant is {@see KeyManagementServiceClient::getPublicKeyAsync()} .
+     *
+     * @example samples/V1/KeyManagementServiceClient/get_public_key.php
+     *
+     * @param GetPublicKeyRequest $request     A request to house fields associated with the call.
+     * @param array               $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return PublicKey
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function getPublicKey(GetPublicKeyRequest $request, array $callOptions = []): PublicKey
+    {
+        return $this->startApiCall('GetPublicKey', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Import wrapped key material into a
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
+     *
+     * All requests must specify a [CryptoKey][google.cloud.kms.v1.CryptoKey]. If
+     * a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] is additionally
+     * specified in the request, key material will be reimported into that
+     * version. Otherwise, a new version will be created, and will be assigned the
+     * next sequential id within the [CryptoKey][google.cloud.kms.v1.CryptoKey].
+     *
+     * The async variant is
+     * {@see KeyManagementServiceClient::importCryptoKeyVersionAsync()} .
+     *
+     * @example samples/V1/KeyManagementServiceClient/import_crypto_key_version.php
+     *
+     * @param ImportCryptoKeyVersionRequest $request     A request to house fields associated with the call.
+     * @param array                         $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return CryptoKeyVersion
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function importCryptoKeyVersion(ImportCryptoKeyVersionRequest $request, array $callOptions = []): CryptoKeyVersion
+    {
+        return $this->startApiCall('ImportCryptoKeyVersion', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Lists [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
+     *
+     * The async variant is
+     * {@see KeyManagementServiceClient::listCryptoKeyVersionsAsync()} .
+     *
+     * @example samples/V1/KeyManagementServiceClient/list_crypto_key_versions.php
+     *
+     * @param ListCryptoKeyVersionsRequest $request     A request to house fields associated with the call.
+     * @param array                        $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return PagedListResponse
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function listCryptoKeyVersions(ListCryptoKeyVersionsRequest $request, array $callOptions = []): PagedListResponse
+    {
+        return $this->startApiCall('ListCryptoKeyVersions', $request, $callOptions);
+    }
+
+    /**
+     * Lists [CryptoKeys][google.cloud.kms.v1.CryptoKey].
+     *
+     * The async variant is {@see KeyManagementServiceClient::listCryptoKeysAsync()} .
+     *
+     * @example samples/V1/KeyManagementServiceClient/list_crypto_keys.php
+     *
+     * @param ListCryptoKeysRequest $request     A request to house fields associated with the call.
+     * @param array                 $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return PagedListResponse
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function listCryptoKeys(ListCryptoKeysRequest $request, array $callOptions = []): PagedListResponse
+    {
+        return $this->startApiCall('ListCryptoKeys', $request, $callOptions);
+    }
+
+    /**
+     * Lists [ImportJobs][google.cloud.kms.v1.ImportJob].
+     *
+     * The async variant is {@see KeyManagementServiceClient::listImportJobsAsync()} .
+     *
+     * @example samples/V1/KeyManagementServiceClient/list_import_jobs.php
+     *
+     * @param ListImportJobsRequest $request     A request to house fields associated with the call.
+     * @param array                 $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return PagedListResponse
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function listImportJobs(ListImportJobsRequest $request, array $callOptions = []): PagedListResponse
+    {
+        return $this->startApiCall('ListImportJobs', $request, $callOptions);
+    }
+
+    /**
+     * Lists [KeyRings][google.cloud.kms.v1.KeyRing].
+     *
+     * The async variant is {@see KeyManagementServiceClient::listKeyRingsAsync()} .
+     *
+     * @example samples/V1/KeyManagementServiceClient/list_key_rings.php
+     *
+     * @param ListKeyRingsRequest $request     A request to house fields associated with the call.
+     * @param array               $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return PagedListResponse
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function listKeyRings(ListKeyRingsRequest $request, array $callOptions = []): PagedListResponse
+    {
+        return $this->startApiCall('ListKeyRings', $request, $callOptions);
+    }
+
+    /**
+     * Signs data using a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+     * with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] MAC,
+     * producing a tag that can be verified by another source with the same key.
+     *
+     * The async variant is {@see KeyManagementServiceClient::macSignAsync()} .
+     *
+     * @example samples/V1/KeyManagementServiceClient/mac_sign.php
+     *
+     * @param MacSignRequest $request     A request to house fields associated with the call.
+     * @param array          $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return MacSignResponse
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function macSign(MacSignRequest $request, array $callOptions = []): MacSignResponse
+    {
+        return $this->startApiCall('MacSign', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Verifies MAC tag using a
+     * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
+     * [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] MAC, and returns
+     * a response that indicates whether or not the verification was successful.
+     *
+     * The async variant is {@see KeyManagementServiceClient::macVerifyAsync()} .
+     *
+     * @example samples/V1/KeyManagementServiceClient/mac_verify.php
+     *
+     * @param MacVerifyRequest $request     A request to house fields associated with the call.
+     * @param array            $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return MacVerifyResponse
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function macVerify(MacVerifyRequest $request, array $callOptions = []): MacVerifyResponse
+    {
+        return $this->startApiCall('MacVerify', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Decrypts data that was originally encrypted using a raw cryptographic
+     * mechanism. The [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
+     * must be
+     * [RAW_ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.RAW_ENCRYPT_DECRYPT].
+     *
+     * The async variant is {@see KeyManagementServiceClient::rawDecryptAsync()} .
+     *
+     * @example samples/V1/KeyManagementServiceClient/raw_decrypt.php
+     *
+     * @param RawDecryptRequest $request     A request to house fields associated with the call.
+     * @param array             $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return RawDecryptResponse
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function rawDecrypt(RawDecryptRequest $request, array $callOptions = []): RawDecryptResponse
+    {
+        return $this->startApiCall('RawDecrypt', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Encrypts data using portable cryptographic primitives. Most users should
+     * choose [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt] and
+     * [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt] rather than
+     * their raw counterparts. The
+     * [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be
+     * [RAW_ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.RAW_ENCRYPT_DECRYPT].
+     *
+     * The async variant is {@see KeyManagementServiceClient::rawEncryptAsync()} .
+     *
+     * @example samples/V1/KeyManagementServiceClient/raw_encrypt.php
+     *
+     * @param RawEncryptRequest $request     A request to house fields associated with the call.
+     * @param array             $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return RawEncryptResponse
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function rawEncrypt(RawEncryptRequest $request, array $callOptions = []): RawEncryptResponse
+    {
+        return $this->startApiCall('RawEncrypt', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Restore a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the
+     * [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED]
+     * state.
+     *
+     * Upon restoration of the CryptoKeyVersion,
+     * [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to
+     * [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED],
+     * and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] will
+     * be cleared.
+     *
+     * The async variant is
+     * {@see KeyManagementServiceClient::restoreCryptoKeyVersionAsync()} .
+     *
+     * @example samples/V1/KeyManagementServiceClient/restore_crypto_key_version.php
+     *
+     * @param RestoreCryptoKeyVersionRequest $request     A request to house fields associated with the call.
+     * @param array                          $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return CryptoKeyVersion
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function restoreCryptoKeyVersion(RestoreCryptoKeyVersionRequest $request, array $callOptions = []): CryptoKeyVersion
+    {
+        return $this->startApiCall('RestoreCryptoKeyVersion', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Update a [CryptoKey][google.cloud.kms.v1.CryptoKey].
+     *
+     * The async variant is {@see KeyManagementServiceClient::updateCryptoKeyAsync()} .
+     *
+     * @example samples/V1/KeyManagementServiceClient/update_crypto_key.php
+     *
+     * @param UpdateCryptoKeyRequest $request     A request to house fields associated with the call.
+     * @param array                  $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return CryptoKey
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function updateCryptoKey(UpdateCryptoKeyRequest $request, array $callOptions = []): CryptoKey
+    {
+        return $this->startApiCall('UpdateCryptoKey', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Update the version of a [CryptoKey][google.cloud.kms.v1.CryptoKey] that
+     * will be used in
+     * [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
+     *
+     * Returns an error if called on a key whose purpose is not
+     * [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
+     *
+     * The async variant is
+     * {@see KeyManagementServiceClient::updateCryptoKeyPrimaryVersionAsync()} .
+     *
+     * @example samples/V1/KeyManagementServiceClient/update_crypto_key_primary_version.php
+     *
+     * @param UpdateCryptoKeyPrimaryVersionRequest $request     A request to house fields associated with the call.
+     * @param array                                $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return CryptoKey
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function updateCryptoKeyPrimaryVersion(UpdateCryptoKeyPrimaryVersionRequest $request, array $callOptions = []): CryptoKey
+    {
+        return $this->startApiCall('UpdateCryptoKeyPrimaryVersion', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Update a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s
+     * metadata.
+     *
+     * [state][google.cloud.kms.v1.CryptoKeyVersion.state] may be changed between
+     * [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
+     * and
+     * [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED]
+     * using this method. See
+     * [DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion]
+     * and
+     * [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]
+     * to move between other states.
+     *
+     * The async variant is
+     * {@see KeyManagementServiceClient::updateCryptoKeyVersionAsync()} .
+     *
+     * @example samples/V1/KeyManagementServiceClient/update_crypto_key_version.php
+     *
+     * @param UpdateCryptoKeyVersionRequest $request     A request to house fields associated with the call.
+     * @param array                         $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return CryptoKeyVersion
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function updateCryptoKeyVersion(UpdateCryptoKeyVersionRequest $request, array $callOptions = []): CryptoKeyVersion
+    {
+        return $this->startApiCall('UpdateCryptoKeyVersion', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Gets information about a location.
+     *
+     * The async variant is {@see KeyManagementServiceClient::getLocationAsync()} .
+     *
+     * @example samples/V1/KeyManagementServiceClient/get_location.php
+     *
+     * @param GetLocationRequest $request     A request to house fields associated with the call.
+     * @param array              $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return Location
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function getLocation(GetLocationRequest $request, array $callOptions = []): Location
+    {
+        return $this->startApiCall('GetLocation', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Lists information about the supported locations for this service.
+     *
+     * The async variant is {@see KeyManagementServiceClient::listLocationsAsync()} .
+     *
+     * @example samples/V1/KeyManagementServiceClient/list_locations.php
+     *
+     * @param ListLocationsRequest $request     A request to house fields associated with the call.
+     * @param array                $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return PagedListResponse
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function listLocations(ListLocationsRequest $request, array $callOptions = []): PagedListResponse
+    {
+        return $this->startApiCall('ListLocations', $request, $callOptions);
+    }
+
+    /**
+     * Gets the access control policy for a resource. Returns an empty policy
+    if the resource exists and does not have a policy set.
+     *
+     * The async variant is {@see KeyManagementServiceClient::getIamPolicyAsync()} .
+     *
+     * @example samples/V1/KeyManagementServiceClient/get_iam_policy.php
+     *
+     * @param GetIamPolicyRequest $request     A request to house fields associated with the call.
+     * @param array               $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return Policy
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function getIamPolicy(GetIamPolicyRequest $request, array $callOptions = []): Policy
+    {
+        return $this->startApiCall('GetIamPolicy', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Sets the access control policy on the specified resource. Replaces
+    any existing policy.
+
+    Can return `NOT_FOUND`, `INVALID_ARGUMENT`, and `PERMISSION_DENIED`
+    errors.
+     *
+     * The async variant is {@see KeyManagementServiceClient::setIamPolicyAsync()} .
+     *
+     * @example samples/V1/KeyManagementServiceClient/set_iam_policy.php
+     *
+     * @param SetIamPolicyRequest $request     A request to house fields associated with the call.
+     * @param array               $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return Policy
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function setIamPolicy(SetIamPolicyRequest $request, array $callOptions = []): Policy
+    {
+        return $this->startApiCall('SetIamPolicy', $request, $callOptions)->wait();
+    }
+
+    /**
+     * Returns permissions that a caller has on the specified resource. If the
+    resource does not exist, this will return an empty set of
+    permissions, not a `NOT_FOUND` error.
+
+    Note: This operation is designed to be used for building
+    permission-aware UIs and command-line tools, not for authorization
+    checking. This operation may "fail open" without warning.
+     *
+     * The async variant is
+     * {@see KeyManagementServiceClient::testIamPermissionsAsync()} .
+     *
+     * @example samples/V1/KeyManagementServiceClient/test_iam_permissions.php
+     *
+     * @param TestIamPermissionsRequest $request     A request to house fields associated with the call.
+     * @param array                     $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return TestIamPermissionsResponse
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function testIamPermissions(TestIamPermissionsRequest $request, array $callOptions = []): TestIamPermissionsResponse
+    {
+        return $this->startApiCall('TestIamPermissions', $request, $callOptions)->wait();
+    }
+}
diff --git a/owl-bot-staging/Kms/v1/src/V1/gapic_metadata.json b/owl-bot-staging/Kms/v1/src/V1/gapic_metadata.json
new file mode 100644
index 000000000000..3682f60f663a
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/src/V1/gapic_metadata.json
@@ -0,0 +1,350 @@
+{
+    "schema": "1.0",
+    "comment": "This file maps proto services\/RPCs to the corresponding library clients\/methods",
+    "language": "php",
+    "protoPackage": "google.cloud.kms.v1",
+    "libraryPackage": "Google\\Cloud\\Kms\\V1",
+    "services": {
+        "Autokey": {
+            "clients": {
+                "grpc": {
+                    "libraryClient": "AutokeyGapicClient",
+                    "rpcs": {
+                        "CreateKeyHandle": {
+                            "methods": [
+                                "createKeyHandle"
+                            ]
+                        },
+                        "GetKeyHandle": {
+                            "methods": [
+                                "getKeyHandle"
+                            ]
+                        },
+                        "ListKeyHandles": {
+                            "methods": [
+                                "listKeyHandles"
+                            ]
+                        },
+                        "GetLocation": {
+                            "methods": [
+                                "getLocation"
+                            ]
+                        },
+                        "ListLocations": {
+                            "methods": [
+                                "listLocations"
+                            ]
+                        },
+                        "GetIamPolicy": {
+                            "methods": [
+                                "getIamPolicy"
+                            ]
+                        },
+                        "SetIamPolicy": {
+                            "methods": [
+                                "setIamPolicy"
+                            ]
+                        },
+                        "TestIamPermissions": {
+                            "methods": [
+                                "testIamPermissions"
+                            ]
+                        }
+                    }
+                }
+            }
+        },
+        "AutokeyAdmin": {
+            "clients": {
+                "grpc": {
+                    "libraryClient": "AutokeyAdminGapicClient",
+                    "rpcs": {
+                        "GetAutokeyConfig": {
+                            "methods": [
+                                "getAutokeyConfig"
+                            ]
+                        },
+                        "ShowEffectiveAutokeyConfig": {
+                            "methods": [
+                                "showEffectiveAutokeyConfig"
+                            ]
+                        },
+                        "UpdateAutokeyConfig": {
+                            "methods": [
+                                "updateAutokeyConfig"
+                            ]
+                        },
+                        "GetLocation": {
+                            "methods": [
+                                "getLocation"
+                            ]
+                        },
+                        "ListLocations": {
+                            "methods": [
+                                "listLocations"
+                            ]
+                        },
+                        "GetIamPolicy": {
+                            "methods": [
+                                "getIamPolicy"
+                            ]
+                        },
+                        "SetIamPolicy": {
+                            "methods": [
+                                "setIamPolicy"
+                            ]
+                        },
+                        "TestIamPermissions": {
+                            "methods": [
+                                "testIamPermissions"
+                            ]
+                        }
+                    }
+                }
+            }
+        },
+        "EkmService": {
+            "clients": {
+                "grpc": {
+                    "libraryClient": "EkmServiceGapicClient",
+                    "rpcs": {
+                        "CreateEkmConnection": {
+                            "methods": [
+                                "createEkmConnection"
+                            ]
+                        },
+                        "GetEkmConfig": {
+                            "methods": [
+                                "getEkmConfig"
+                            ]
+                        },
+                        "GetEkmConnection": {
+                            "methods": [
+                                "getEkmConnection"
+                            ]
+                        },
+                        "ListEkmConnections": {
+                            "methods": [
+                                "listEkmConnections"
+                            ]
+                        },
+                        "UpdateEkmConfig": {
+                            "methods": [
+                                "updateEkmConfig"
+                            ]
+                        },
+                        "UpdateEkmConnection": {
+                            "methods": [
+                                "updateEkmConnection"
+                            ]
+                        },
+                        "VerifyConnectivity": {
+                            "methods": [
+                                "verifyConnectivity"
+                            ]
+                        },
+                        "GetLocation": {
+                            "methods": [
+                                "getLocation"
+                            ]
+                        },
+                        "ListLocations": {
+                            "methods": [
+                                "listLocations"
+                            ]
+                        },
+                        "GetIamPolicy": {
+                            "methods": [
+                                "getIamPolicy"
+                            ]
+                        },
+                        "SetIamPolicy": {
+                            "methods": [
+                                "setIamPolicy"
+                            ]
+                        },
+                        "TestIamPermissions": {
+                            "methods": [
+                                "testIamPermissions"
+                            ]
+                        }
+                    }
+                }
+            }
+        },
+        "KeyManagementService": {
+            "clients": {
+                "grpc": {
+                    "libraryClient": "KeyManagementServiceGapicClient",
+                    "rpcs": {
+                        "AsymmetricDecrypt": {
+                            "methods": [
+                                "asymmetricDecrypt"
+                            ]
+                        },
+                        "AsymmetricSign": {
+                            "methods": [
+                                "asymmetricSign"
+                            ]
+                        },
+                        "CreateCryptoKey": {
+                            "methods": [
+                                "createCryptoKey"
+                            ]
+                        },
+                        "CreateCryptoKeyVersion": {
+                            "methods": [
+                                "createCryptoKeyVersion"
+                            ]
+                        },
+                        "CreateImportJob": {
+                            "methods": [
+                                "createImportJob"
+                            ]
+                        },
+                        "CreateKeyRing": {
+                            "methods": [
+                                "createKeyRing"
+                            ]
+                        },
+                        "Decrypt": {
+                            "methods": [
+                                "decrypt"
+                            ]
+                        },
+                        "DestroyCryptoKeyVersion": {
+                            "methods": [
+                                "destroyCryptoKeyVersion"
+                            ]
+                        },
+                        "Encrypt": {
+                            "methods": [
+                                "encrypt"
+                            ]
+                        },
+                        "GenerateRandomBytes": {
+                            "methods": [
+                                "generateRandomBytes"
+                            ]
+                        },
+                        "GetCryptoKey": {
+                            "methods": [
+                                "getCryptoKey"
+                            ]
+                        },
+                        "GetCryptoKeyVersion": {
+                            "methods": [
+                                "getCryptoKeyVersion"
+                            ]
+                        },
+                        "GetImportJob": {
+                            "methods": [
+                                "getImportJob"
+                            ]
+                        },
+                        "GetKeyRing": {
+                            "methods": [
+                                "getKeyRing"
+                            ]
+                        },
+                        "GetPublicKey": {
+                            "methods": [
+                                "getPublicKey"
+                            ]
+                        },
+                        "ImportCryptoKeyVersion": {
+                            "methods": [
+                                "importCryptoKeyVersion"
+                            ]
+                        },
+                        "ListCryptoKeyVersions": {
+                            "methods": [
+                                "listCryptoKeyVersions"
+                            ]
+                        },
+                        "ListCryptoKeys": {
+                            "methods": [
+                                "listCryptoKeys"
+                            ]
+                        },
+                        "ListImportJobs": {
+                            "methods": [
+                                "listImportJobs"
+                            ]
+                        },
+                        "ListKeyRings": {
+                            "methods": [
+                                "listKeyRings"
+                            ]
+                        },
+                        "MacSign": {
+                            "methods": [
+                                "macSign"
+                            ]
+                        },
+                        "MacVerify": {
+                            "methods": [
+                                "macVerify"
+                            ]
+                        },
+                        "RawDecrypt": {
+                            "methods": [
+                                "rawDecrypt"
+                            ]
+                        },
+                        "RawEncrypt": {
+                            "methods": [
+                                "rawEncrypt"
+                            ]
+                        },
+                        "RestoreCryptoKeyVersion": {
+                            "methods": [
+                                "restoreCryptoKeyVersion"
+                            ]
+                        },
+                        "UpdateCryptoKey": {
+                            "methods": [
+                                "updateCryptoKey"
+                            ]
+                        },
+                        "UpdateCryptoKeyPrimaryVersion": {
+                            "methods": [
+                                "updateCryptoKeyPrimaryVersion"
+                            ]
+                        },
+                        "UpdateCryptoKeyVersion": {
+                            "methods": [
+                                "updateCryptoKeyVersion"
+                            ]
+                        },
+                        "GetLocation": {
+                            "methods": [
+                                "getLocation"
+                            ]
+                        },
+                        "ListLocations": {
+                            "methods": [
+                                "listLocations"
+                            ]
+                        },
+                        "GetIamPolicy": {
+                            "methods": [
+                                "getIamPolicy"
+                            ]
+                        },
+                        "SetIamPolicy": {
+                            "methods": [
+                                "setIamPolicy"
+                            ]
+                        },
+                        "TestIamPermissions": {
+                            "methods": [
+                                "testIamPermissions"
+                            ]
+                        }
+                    }
+                }
+            }
+        }
+    }
+}
\ No newline at end of file
diff --git a/owl-bot-staging/Kms/v1/src/V1/resources/autokey_admin_client_config.json b/owl-bot-staging/Kms/v1/src/V1/resources/autokey_admin_client_config.json
new file mode 100644
index 000000000000..b331d4cc45bf
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/src/V1/resources/autokey_admin_client_config.json
@@ -0,0 +1,75 @@
+{
+    "interfaces": {
+        "google.cloud.kms.v1.AutokeyAdmin": {
+            "retry_codes": {
+                "no_retry_codes": [],
+                "retry_policy_1_codes": [
+                    "UNAVAILABLE",
+                    "DEADLINE_EXCEEDED"
+                ]
+            },
+            "retry_params": {
+                "no_retry_params": {
+                    "initial_retry_delay_millis": 0,
+                    "retry_delay_multiplier": 0.0,
+                    "max_retry_delay_millis": 0,
+                    "initial_rpc_timeout_millis": 0,
+                    "rpc_timeout_multiplier": 1.0,
+                    "max_rpc_timeout_millis": 0,
+                    "total_timeout_millis": 0
+                },
+                "retry_policy_1_params": {
+                    "initial_retry_delay_millis": 100,
+                    "retry_delay_multiplier": 1.3,
+                    "max_retry_delay_millis": 60000,
+                    "initial_rpc_timeout_millis": 60000,
+                    "rpc_timeout_multiplier": 1.0,
+                    "max_rpc_timeout_millis": 60000,
+                    "total_timeout_millis": 60000
+                }
+            },
+            "methods": {
+                "GetAutokeyConfig": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                },
+                "ShowEffectiveAutokeyConfig": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                },
+                "UpdateAutokeyConfig": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                },
+                "GetLocation": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "no_retry_codes",
+                    "retry_params_name": "no_retry_params"
+                },
+                "ListLocations": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "no_retry_codes",
+                    "retry_params_name": "no_retry_params"
+                },
+                "GetIamPolicy": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "no_retry_codes",
+                    "retry_params_name": "no_retry_params"
+                },
+                "SetIamPolicy": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "no_retry_codes",
+                    "retry_params_name": "no_retry_params"
+                },
+                "TestIamPermissions": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "no_retry_codes",
+                    "retry_params_name": "no_retry_params"
+                }
+            }
+        }
+    }
+}
diff --git a/owl-bot-staging/Kms/v1/src/V1/resources/autokey_admin_descriptor_config.php b/owl-bot-staging/Kms/v1/src/V1/resources/autokey_admin_descriptor_config.php
new file mode 100644
index 000000000000..b349e59725fc
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/src/V1/resources/autokey_admin_descriptor_config.php
@@ -0,0 +1,142 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+return [
+    'interfaces' => [
+        'google.cloud.kms.v1.AutokeyAdmin' => [
+            'GetAutokeyConfig' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\AutokeyConfig',
+                'headerParams' => [
+                    [
+                        'keyName' => 'name',
+                        'fieldAccessors' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'ShowEffectiveAutokeyConfig' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\ShowEffectiveAutokeyConfigResponse',
+                'headerParams' => [
+                    [
+                        'keyName' => 'parent',
+                        'fieldAccessors' => [
+                            'getParent',
+                        ],
+                    ],
+                ],
+            ],
+            'UpdateAutokeyConfig' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\AutokeyConfig',
+                'headerParams' => [
+                    [
+                        'keyName' => 'autokey_config.name',
+                        'fieldAccessors' => [
+                            'getAutokeyConfig',
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'GetLocation' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Location\Location',
+                'headerParams' => [
+                    [
+                        'keyName' => 'name',
+                        'fieldAccessors' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+                'interfaceOverride' => 'google.cloud.location.Locations',
+            ],
+            'ListLocations' => [
+                'pageStreaming' => [
+                    'requestPageTokenGetMethod' => 'getPageToken',
+                    'requestPageTokenSetMethod' => 'setPageToken',
+                    'requestPageSizeGetMethod' => 'getPageSize',
+                    'requestPageSizeSetMethod' => 'setPageSize',
+                    'responsePageTokenGetMethod' => 'getNextPageToken',
+                    'resourcesGetMethod' => 'getLocations',
+                ],
+                'callType' => \Google\ApiCore\Call::PAGINATED_CALL,
+                'responseType' => 'Google\Cloud\Location\ListLocationsResponse',
+                'headerParams' => [
+                    [
+                        'keyName' => 'name',
+                        'fieldAccessors' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+                'interfaceOverride' => 'google.cloud.location.Locations',
+            ],
+            'GetIamPolicy' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Iam\V1\Policy',
+                'headerParams' => [
+                    [
+                        'keyName' => 'resource',
+                        'fieldAccessors' => [
+                            'getResource',
+                        ],
+                    ],
+                ],
+                'interfaceOverride' => 'google.iam.v1.IAMPolicy',
+            ],
+            'SetIamPolicy' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Iam\V1\Policy',
+                'headerParams' => [
+                    [
+                        'keyName' => 'resource',
+                        'fieldAccessors' => [
+                            'getResource',
+                        ],
+                    ],
+                ],
+                'interfaceOverride' => 'google.iam.v1.IAMPolicy',
+            ],
+            'TestIamPermissions' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Iam\V1\TestIamPermissionsResponse',
+                'headerParams' => [
+                    [
+                        'keyName' => 'resource',
+                        'fieldAccessors' => [
+                            'getResource',
+                        ],
+                    ],
+                ],
+                'interfaceOverride' => 'google.iam.v1.IAMPolicy',
+            ],
+            'templateMap' => [
+                'autokeyConfig' => 'folders/{folder}/autokeyConfig',
+                'project' => 'projects/{project}',
+            ],
+        ],
+    ],
+];
diff --git a/owl-bot-staging/Kms/v1/src/V1/resources/autokey_admin_rest_client_config.php b/owl-bot-staging/Kms/v1/src/V1/resources/autokey_admin_rest_client_config.php
new file mode 100644
index 000000000000..2b0b2021b53c
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/src/V1/resources/autokey_admin_rest_client_config.php
@@ -0,0 +1,203 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+return [
+    'interfaces' => [
+        'google.cloud.kms.v1.AutokeyAdmin' => [
+            'GetAutokeyConfig' => [
+                'method' => 'get',
+                'uriTemplate' => '/v1/{name=folders/*/autokeyConfig}',
+                'placeholders' => [
+                    'name' => [
+                        'getters' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'ShowEffectiveAutokeyConfig' => [
+                'method' => 'get',
+                'uriTemplate' => '/v1/{parent=projects/*}:showEffectiveAutokeyConfig',
+                'placeholders' => [
+                    'parent' => [
+                        'getters' => [
+                            'getParent',
+                        ],
+                    ],
+                ],
+            ],
+            'UpdateAutokeyConfig' => [
+                'method' => 'patch',
+                'uriTemplate' => '/v1/{autokey_config.name=folders/*/autokeyConfig}',
+                'body' => 'autokey_config',
+                'placeholders' => [
+                    'autokey_config.name' => [
+                        'getters' => [
+                            'getAutokeyConfig',
+                            'getName',
+                        ],
+                    ],
+                ],
+                'queryParams' => [
+                    'update_mask',
+                ],
+            ],
+        ],
+        'google.cloud.location.Locations' => [
+            'GetLocation' => [
+                'method' => 'get',
+                'uriTemplate' => '/v1/{name=projects/*/locations/*}',
+                'placeholders' => [
+                    'name' => [
+                        'getters' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'ListLocations' => [
+                'method' => 'get',
+                'uriTemplate' => '/v1/{name=projects/*}/locations',
+                'placeholders' => [
+                    'name' => [
+                        'getters' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+        ],
+        'google.iam.v1.IAMPolicy' => [
+            'GetIamPolicy' => [
+                'method' => 'get',
+                'uriTemplate' => '/v1/{resource=projects/*/locations/*/keyRings/*}:getIamPolicy',
+                'additionalBindings' => [
+                    [
+                        'method' => 'get',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/keyRings/*/cryptoKeys/*}:getIamPolicy',
+                    ],
+                    [
+                        'method' => 'get',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/keyRings/*/importJobs/*}:getIamPolicy',
+                    ],
+                    [
+                        'method' => 'get',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/ekmConfig}:getIamPolicy',
+                    ],
+                    [
+                        'method' => 'get',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/ekmConnections/*}:getIamPolicy',
+                    ],
+                ],
+                'placeholders' => [
+                    'resource' => [
+                        'getters' => [
+                            'getResource',
+                        ],
+                    ],
+                ],
+            ],
+            'SetIamPolicy' => [
+                'method' => 'post',
+                'uriTemplate' => '/v1/{resource=projects/*/locations/*/keyRings/*}:setIamPolicy',
+                'body' => '*',
+                'additionalBindings' => [
+                    [
+                        'method' => 'post',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/keyRings/*/cryptoKeys/*}:setIamPolicy',
+                        'body' => '*',
+                    ],
+                    [
+                        'method' => 'post',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/keyRings/*/importJobs/*}:setIamPolicy',
+                        'body' => '*',
+                    ],
+                    [
+                        'method' => 'post',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/ekmConfig}:setIamPolicy',
+                        'body' => '*',
+                    ],
+                    [
+                        'method' => 'post',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/ekmConnections/*}:setIamPolicy',
+                        'body' => '*',
+                    ],
+                ],
+                'placeholders' => [
+                    'resource' => [
+                        'getters' => [
+                            'getResource',
+                        ],
+                    ],
+                ],
+            ],
+            'TestIamPermissions' => [
+                'method' => 'post',
+                'uriTemplate' => '/v1/{resource=projects/*/locations/*/keyRings/*}:testIamPermissions',
+                'body' => '*',
+                'additionalBindings' => [
+                    [
+                        'method' => 'post',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/keyRings/*/cryptoKeys/*}:testIamPermissions',
+                        'body' => '*',
+                    ],
+                    [
+                        'method' => 'post',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/keyRings/*/importJobs/*}:testIamPermissions',
+                        'body' => '*',
+                    ],
+                    [
+                        'method' => 'post',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/ekmConfig}:testIamPermissions',
+                        'body' => '*',
+                    ],
+                    [
+                        'method' => 'post',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/ekmConnections/*}:testIamPermissions',
+                        'body' => '*',
+                    ],
+                ],
+                'placeholders' => [
+                    'resource' => [
+                        'getters' => [
+                            'getResource',
+                        ],
+                    ],
+                ],
+            ],
+        ],
+        'google.longrunning.Operations' => [
+            'GetOperation' => [
+                'method' => 'get',
+                'uriTemplate' => '/v1/{name=projects/*/locations/*/operations/*}',
+                'placeholders' => [
+                    'name' => [
+                        'getters' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+        ],
+    ],
+    'numericEnums' => true,
+];
diff --git a/owl-bot-staging/Kms/v1/src/V1/resources/autokey_client_config.json b/owl-bot-staging/Kms/v1/src/V1/resources/autokey_client_config.json
new file mode 100644
index 000000000000..77a418964d09
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/src/V1/resources/autokey_client_config.json
@@ -0,0 +1,85 @@
+{
+    "interfaces": {
+        "google.cloud.kms.v1.Autokey": {
+            "retry_codes": {
+                "no_retry_codes": [],
+                "no_retry_1_codes": [],
+                "retry_policy_1_codes": [
+                    "UNAVAILABLE",
+                    "DEADLINE_EXCEEDED"
+                ]
+            },
+            "retry_params": {
+                "no_retry_params": {
+                    "initial_retry_delay_millis": 0,
+                    "retry_delay_multiplier": 0.0,
+                    "max_retry_delay_millis": 0,
+                    "initial_rpc_timeout_millis": 0,
+                    "rpc_timeout_multiplier": 1.0,
+                    "max_rpc_timeout_millis": 0,
+                    "total_timeout_millis": 0
+                },
+                "no_retry_1_params": {
+                    "initial_retry_delay_millis": 0,
+                    "retry_delay_multiplier": 0.0,
+                    "max_retry_delay_millis": 0,
+                    "initial_rpc_timeout_millis": 60000,
+                    "rpc_timeout_multiplier": 1.0,
+                    "max_rpc_timeout_millis": 60000,
+                    "total_timeout_millis": 60000
+                },
+                "retry_policy_1_params": {
+                    "initial_retry_delay_millis": 100,
+                    "retry_delay_multiplier": 1.3,
+                    "max_retry_delay_millis": 60000,
+                    "initial_rpc_timeout_millis": 60000,
+                    "rpc_timeout_multiplier": 1.0,
+                    "max_rpc_timeout_millis": 60000,
+                    "total_timeout_millis": 60000
+                }
+            },
+            "methods": {
+                "CreateKeyHandle": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "no_retry_1_codes",
+                    "retry_params_name": "no_retry_1_params"
+                },
+                "GetKeyHandle": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                },
+                "ListKeyHandles": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                },
+                "GetLocation": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "no_retry_codes",
+                    "retry_params_name": "no_retry_params"
+                },
+                "ListLocations": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "no_retry_codes",
+                    "retry_params_name": "no_retry_params"
+                },
+                "GetIamPolicy": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "no_retry_codes",
+                    "retry_params_name": "no_retry_params"
+                },
+                "SetIamPolicy": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "no_retry_codes",
+                    "retry_params_name": "no_retry_params"
+                },
+                "TestIamPermissions": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "no_retry_codes",
+                    "retry_params_name": "no_retry_params"
+                }
+            }
+        }
+    }
+}
diff --git a/owl-bot-staging/Kms/v1/src/V1/resources/autokey_descriptor_config.php b/owl-bot-staging/Kms/v1/src/V1/resources/autokey_descriptor_config.php
new file mode 100644
index 000000000000..fc3e7e0fa238
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/src/V1/resources/autokey_descriptor_config.php
@@ -0,0 +1,157 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+return [
+    'interfaces' => [
+        'google.cloud.kms.v1.Autokey' => [
+            'CreateKeyHandle' => [
+                'longRunning' => [
+                    'operationReturnType' => '\Google\Cloud\Kms\V1\KeyHandle',
+                    'metadataReturnType' => '\Google\Cloud\Kms\V1\CreateKeyHandleMetadata',
+                    'initialPollDelayMillis' => '500',
+                    'pollDelayMultiplier' => '1.5',
+                    'maxPollDelayMillis' => '5000',
+                    'totalPollTimeoutMillis' => '300000',
+                ],
+                'callType' => \Google\ApiCore\Call::LONGRUNNING_CALL,
+                'headerParams' => [
+                    [
+                        'keyName' => 'parent',
+                        'fieldAccessors' => [
+                            'getParent',
+                        ],
+                    ],
+                ],
+            ],
+            'GetKeyHandle' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\KeyHandle',
+                'headerParams' => [
+                    [
+                        'keyName' => 'name',
+                        'fieldAccessors' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'ListKeyHandles' => [
+                'pageStreaming' => [
+                    'requestPageTokenGetMethod' => 'getPageToken',
+                    'requestPageTokenSetMethod' => 'setPageToken',
+                    'requestPageSizeGetMethod' => 'getPageSize',
+                    'requestPageSizeSetMethod' => 'setPageSize',
+                    'responsePageTokenGetMethod' => 'getNextPageToken',
+                    'resourcesGetMethod' => 'getKeyHandles',
+                ],
+                'callType' => \Google\ApiCore\Call::PAGINATED_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\ListKeyHandlesResponse',
+                'headerParams' => [
+                    [
+                        'keyName' => 'parent',
+                        'fieldAccessors' => [
+                            'getParent',
+                        ],
+                    ],
+                ],
+            ],
+            'GetLocation' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Location\Location',
+                'headerParams' => [
+                    [
+                        'keyName' => 'name',
+                        'fieldAccessors' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+                'interfaceOverride' => 'google.cloud.location.Locations',
+            ],
+            'ListLocations' => [
+                'pageStreaming' => [
+                    'requestPageTokenGetMethod' => 'getPageToken',
+                    'requestPageTokenSetMethod' => 'setPageToken',
+                    'requestPageSizeGetMethod' => 'getPageSize',
+                    'requestPageSizeSetMethod' => 'setPageSize',
+                    'responsePageTokenGetMethod' => 'getNextPageToken',
+                    'resourcesGetMethod' => 'getLocations',
+                ],
+                'callType' => \Google\ApiCore\Call::PAGINATED_CALL,
+                'responseType' => 'Google\Cloud\Location\ListLocationsResponse',
+                'headerParams' => [
+                    [
+                        'keyName' => 'name',
+                        'fieldAccessors' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+                'interfaceOverride' => 'google.cloud.location.Locations',
+            ],
+            'GetIamPolicy' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Iam\V1\Policy',
+                'headerParams' => [
+                    [
+                        'keyName' => 'resource',
+                        'fieldAccessors' => [
+                            'getResource',
+                        ],
+                    ],
+                ],
+                'interfaceOverride' => 'google.iam.v1.IAMPolicy',
+            ],
+            'SetIamPolicy' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Iam\V1\Policy',
+                'headerParams' => [
+                    [
+                        'keyName' => 'resource',
+                        'fieldAccessors' => [
+                            'getResource',
+                        ],
+                    ],
+                ],
+                'interfaceOverride' => 'google.iam.v1.IAMPolicy',
+            ],
+            'TestIamPermissions' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Iam\V1\TestIamPermissionsResponse',
+                'headerParams' => [
+                    [
+                        'keyName' => 'resource',
+                        'fieldAccessors' => [
+                            'getResource',
+                        ],
+                    ],
+                ],
+                'interfaceOverride' => 'google.iam.v1.IAMPolicy',
+            ],
+            'templateMap' => [
+                'cryptoKey' => 'projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}',
+                'keyHandle' => 'projects/{project}/locations/{location}/keyHandles/{key_handle}',
+                'location' => 'projects/{project}/locations/{location}',
+            ],
+        ],
+    ],
+];
diff --git a/owl-bot-staging/Kms/v1/src/V1/resources/autokey_rest_client_config.php b/owl-bot-staging/Kms/v1/src/V1/resources/autokey_rest_client_config.php
new file mode 100644
index 000000000000..ac1650bdc846
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/src/V1/resources/autokey_rest_client_config.php
@@ -0,0 +1,199 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+return [
+    'interfaces' => [
+        'google.cloud.kms.v1.Autokey' => [
+            'CreateKeyHandle' => [
+                'method' => 'post',
+                'uriTemplate' => '/v1/{parent=projects/*/locations/*}/keyHandles',
+                'body' => 'key_handle',
+                'placeholders' => [
+                    'parent' => [
+                        'getters' => [
+                            'getParent',
+                        ],
+                    ],
+                ],
+            ],
+            'GetKeyHandle' => [
+                'method' => 'get',
+                'uriTemplate' => '/v1/{name=projects/*/locations/*/keyHandles/*}',
+                'placeholders' => [
+                    'name' => [
+                        'getters' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'ListKeyHandles' => [
+                'method' => 'get',
+                'uriTemplate' => '/v1/{parent=projects/*/locations/*}/keyHandles',
+                'placeholders' => [
+                    'parent' => [
+                        'getters' => [
+                            'getParent',
+                        ],
+                    ],
+                ],
+            ],
+        ],
+        'google.cloud.location.Locations' => [
+            'GetLocation' => [
+                'method' => 'get',
+                'uriTemplate' => '/v1/{name=projects/*/locations/*}',
+                'placeholders' => [
+                    'name' => [
+                        'getters' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'ListLocations' => [
+                'method' => 'get',
+                'uriTemplate' => '/v1/{name=projects/*}/locations',
+                'placeholders' => [
+                    'name' => [
+                        'getters' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+        ],
+        'google.iam.v1.IAMPolicy' => [
+            'GetIamPolicy' => [
+                'method' => 'get',
+                'uriTemplate' => '/v1/{resource=projects/*/locations/*/keyRings/*}:getIamPolicy',
+                'additionalBindings' => [
+                    [
+                        'method' => 'get',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/keyRings/*/cryptoKeys/*}:getIamPolicy',
+                    ],
+                    [
+                        'method' => 'get',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/keyRings/*/importJobs/*}:getIamPolicy',
+                    ],
+                    [
+                        'method' => 'get',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/ekmConfig}:getIamPolicy',
+                    ],
+                    [
+                        'method' => 'get',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/ekmConnections/*}:getIamPolicy',
+                    ],
+                ],
+                'placeholders' => [
+                    'resource' => [
+                        'getters' => [
+                            'getResource',
+                        ],
+                    ],
+                ],
+            ],
+            'SetIamPolicy' => [
+                'method' => 'post',
+                'uriTemplate' => '/v1/{resource=projects/*/locations/*/keyRings/*}:setIamPolicy',
+                'body' => '*',
+                'additionalBindings' => [
+                    [
+                        'method' => 'post',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/keyRings/*/cryptoKeys/*}:setIamPolicy',
+                        'body' => '*',
+                    ],
+                    [
+                        'method' => 'post',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/keyRings/*/importJobs/*}:setIamPolicy',
+                        'body' => '*',
+                    ],
+                    [
+                        'method' => 'post',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/ekmConfig}:setIamPolicy',
+                        'body' => '*',
+                    ],
+                    [
+                        'method' => 'post',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/ekmConnections/*}:setIamPolicy',
+                        'body' => '*',
+                    ],
+                ],
+                'placeholders' => [
+                    'resource' => [
+                        'getters' => [
+                            'getResource',
+                        ],
+                    ],
+                ],
+            ],
+            'TestIamPermissions' => [
+                'method' => 'post',
+                'uriTemplate' => '/v1/{resource=projects/*/locations/*/keyRings/*}:testIamPermissions',
+                'body' => '*',
+                'additionalBindings' => [
+                    [
+                        'method' => 'post',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/keyRings/*/cryptoKeys/*}:testIamPermissions',
+                        'body' => '*',
+                    ],
+                    [
+                        'method' => 'post',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/keyRings/*/importJobs/*}:testIamPermissions',
+                        'body' => '*',
+                    ],
+                    [
+                        'method' => 'post',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/ekmConfig}:testIamPermissions',
+                        'body' => '*',
+                    ],
+                    [
+                        'method' => 'post',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/ekmConnections/*}:testIamPermissions',
+                        'body' => '*',
+                    ],
+                ],
+                'placeholders' => [
+                    'resource' => [
+                        'getters' => [
+                            'getResource',
+                        ],
+                    ],
+                ],
+            ],
+        ],
+        'google.longrunning.Operations' => [
+            'GetOperation' => [
+                'method' => 'get',
+                'uriTemplate' => '/v1/{name=projects/*/locations/*/operations/*}',
+                'placeholders' => [
+                    'name' => [
+                        'getters' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+        ],
+    ],
+    'numericEnums' => true,
+];
diff --git a/owl-bot-staging/Kms/v1/src/V1/resources/ekm_service_client_config.json b/owl-bot-staging/Kms/v1/src/V1/resources/ekm_service_client_config.json
new file mode 100644
index 000000000000..8fd9c3e0bf3c
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/src/V1/resources/ekm_service_client_config.json
@@ -0,0 +1,95 @@
+{
+    "interfaces": {
+        "google.cloud.kms.v1.EkmService": {
+            "retry_codes": {
+                "no_retry_codes": [],
+                "retry_policy_1_codes": [
+                    "UNAVAILABLE",
+                    "DEADLINE_EXCEEDED"
+                ]
+            },
+            "retry_params": {
+                "no_retry_params": {
+                    "initial_retry_delay_millis": 0,
+                    "retry_delay_multiplier": 0.0,
+                    "max_retry_delay_millis": 0,
+                    "initial_rpc_timeout_millis": 0,
+                    "rpc_timeout_multiplier": 1.0,
+                    "max_rpc_timeout_millis": 0,
+                    "total_timeout_millis": 0
+                },
+                "retry_policy_1_params": {
+                    "initial_retry_delay_millis": 100,
+                    "retry_delay_multiplier": 1.3,
+                    "max_retry_delay_millis": 60000,
+                    "initial_rpc_timeout_millis": 60000,
+                    "rpc_timeout_multiplier": 1.0,
+                    "max_rpc_timeout_millis": 60000,
+                    "total_timeout_millis": 60000
+                }
+            },
+            "methods": {
+                "CreateEkmConnection": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                },
+                "GetEkmConfig": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "no_retry_codes",
+                    "retry_params_name": "no_retry_params"
+                },
+                "GetEkmConnection": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                },
+                "ListEkmConnections": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                },
+                "UpdateEkmConfig": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "no_retry_codes",
+                    "retry_params_name": "no_retry_params"
+                },
+                "UpdateEkmConnection": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                },
+                "VerifyConnectivity": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "no_retry_codes",
+                    "retry_params_name": "no_retry_params"
+                },
+                "GetLocation": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "no_retry_codes",
+                    "retry_params_name": "no_retry_params"
+                },
+                "ListLocations": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "no_retry_codes",
+                    "retry_params_name": "no_retry_params"
+                },
+                "GetIamPolicy": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                },
+                "SetIamPolicy": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                },
+                "TestIamPermissions": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                }
+            }
+        }
+    }
+}
diff --git a/owl-bot-staging/Kms/v1/src/V1/resources/ekm_service_descriptor_config.php b/owl-bot-staging/Kms/v1/src/V1/resources/ekm_service_descriptor_config.php
new file mode 100644
index 000000000000..bb7c6839d8fa
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/src/V1/resources/ekm_service_descriptor_config.php
@@ -0,0 +1,201 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+return [
+    'interfaces' => [
+        'google.cloud.kms.v1.EkmService' => [
+            'CreateEkmConnection' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\EkmConnection',
+                'headerParams' => [
+                    [
+                        'keyName' => 'parent',
+                        'fieldAccessors' => [
+                            'getParent',
+                        ],
+                    ],
+                ],
+            ],
+            'GetEkmConfig' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\EkmConfig',
+                'headerParams' => [
+                    [
+                        'keyName' => 'name',
+                        'fieldAccessors' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'GetEkmConnection' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\EkmConnection',
+                'headerParams' => [
+                    [
+                        'keyName' => 'name',
+                        'fieldAccessors' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'ListEkmConnections' => [
+                'pageStreaming' => [
+                    'requestPageTokenGetMethod' => 'getPageToken',
+                    'requestPageTokenSetMethod' => 'setPageToken',
+                    'requestPageSizeGetMethod' => 'getPageSize',
+                    'requestPageSizeSetMethod' => 'setPageSize',
+                    'responsePageTokenGetMethod' => 'getNextPageToken',
+                    'resourcesGetMethod' => 'getEkmConnections',
+                ],
+                'callType' => \Google\ApiCore\Call::PAGINATED_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\ListEkmConnectionsResponse',
+                'headerParams' => [
+                    [
+                        'keyName' => 'parent',
+                        'fieldAccessors' => [
+                            'getParent',
+                        ],
+                    ],
+                ],
+            ],
+            'UpdateEkmConfig' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\EkmConfig',
+                'headerParams' => [
+                    [
+                        'keyName' => 'ekm_config.name',
+                        'fieldAccessors' => [
+                            'getEkmConfig',
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'UpdateEkmConnection' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\EkmConnection',
+                'headerParams' => [
+                    [
+                        'keyName' => 'ekm_connection.name',
+                        'fieldAccessors' => [
+                            'getEkmConnection',
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'VerifyConnectivity' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\VerifyConnectivityResponse',
+                'headerParams' => [
+                    [
+                        'keyName' => 'name',
+                        'fieldAccessors' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'GetLocation' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Location\Location',
+                'headerParams' => [
+                    [
+                        'keyName' => 'name',
+                        'fieldAccessors' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+                'interfaceOverride' => 'google.cloud.location.Locations',
+            ],
+            'ListLocations' => [
+                'pageStreaming' => [
+                    'requestPageTokenGetMethod' => 'getPageToken',
+                    'requestPageTokenSetMethod' => 'setPageToken',
+                    'requestPageSizeGetMethod' => 'getPageSize',
+                    'requestPageSizeSetMethod' => 'setPageSize',
+                    'responsePageTokenGetMethod' => 'getNextPageToken',
+                    'resourcesGetMethod' => 'getLocations',
+                ],
+                'callType' => \Google\ApiCore\Call::PAGINATED_CALL,
+                'responseType' => 'Google\Cloud\Location\ListLocationsResponse',
+                'headerParams' => [
+                    [
+                        'keyName' => 'name',
+                        'fieldAccessors' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+                'interfaceOverride' => 'google.cloud.location.Locations',
+            ],
+            'GetIamPolicy' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Iam\V1\Policy',
+                'headerParams' => [
+                    [
+                        'keyName' => 'resource',
+                        'fieldAccessors' => [
+                            'getResource',
+                        ],
+                    ],
+                ],
+                'interfaceOverride' => 'google.iam.v1.IAMPolicy',
+            ],
+            'SetIamPolicy' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Iam\V1\Policy',
+                'headerParams' => [
+                    [
+                        'keyName' => 'resource',
+                        'fieldAccessors' => [
+                            'getResource',
+                        ],
+                    ],
+                ],
+                'interfaceOverride' => 'google.iam.v1.IAMPolicy',
+            ],
+            'TestIamPermissions' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Iam\V1\TestIamPermissionsResponse',
+                'headerParams' => [
+                    [
+                        'keyName' => 'resource',
+                        'fieldAccessors' => [
+                            'getResource',
+                        ],
+                    ],
+                ],
+                'interfaceOverride' => 'google.iam.v1.IAMPolicy',
+            ],
+            'templateMap' => [
+                'ekmConfig' => 'projects/{project}/locations/{location}/ekmConfig',
+                'ekmConnection' => 'projects/{project}/locations/{location}/ekmConnections/{ekm_connection}',
+                'location' => 'projects/{project}/locations/{location}',
+                'service' => 'projects/{project}/locations/{location}/namespaces/{namespace}/services/{service}',
+            ],
+        ],
+    ],
+];
diff --git a/owl-bot-staging/Kms/v1/src/V1/resources/ekm_service_rest_client_config.php b/owl-bot-staging/Kms/v1/src/V1/resources/ekm_service_rest_client_config.php
new file mode 100644
index 000000000000..34f91a604708
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/src/V1/resources/ekm_service_rest_client_config.php
@@ -0,0 +1,256 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+return [
+    'interfaces' => [
+        'google.cloud.kms.v1.EkmService' => [
+            'CreateEkmConnection' => [
+                'method' => 'post',
+                'uriTemplate' => '/v1/{parent=projects/*/locations/*}/ekmConnections',
+                'body' => 'ekm_connection',
+                'placeholders' => [
+                    'parent' => [
+                        'getters' => [
+                            'getParent',
+                        ],
+                    ],
+                ],
+                'queryParams' => [
+                    'ekm_connection_id',
+                ],
+            ],
+            'GetEkmConfig' => [
+                'method' => 'get',
+                'uriTemplate' => '/v1/{name=projects/*/locations/*/ekmConfig}',
+                'placeholders' => [
+                    'name' => [
+                        'getters' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'GetEkmConnection' => [
+                'method' => 'get',
+                'uriTemplate' => '/v1/{name=projects/*/locations/*/ekmConnections/*}',
+                'placeholders' => [
+                    'name' => [
+                        'getters' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'ListEkmConnections' => [
+                'method' => 'get',
+                'uriTemplate' => '/v1/{parent=projects/*/locations/*}/ekmConnections',
+                'placeholders' => [
+                    'parent' => [
+                        'getters' => [
+                            'getParent',
+                        ],
+                    ],
+                ],
+            ],
+            'UpdateEkmConfig' => [
+                'method' => 'patch',
+                'uriTemplate' => '/v1/{ekm_config.name=projects/*/locations/*/ekmConfig}',
+                'body' => 'ekm_config',
+                'placeholders' => [
+                    'ekm_config.name' => [
+                        'getters' => [
+                            'getEkmConfig',
+                            'getName',
+                        ],
+                    ],
+                ],
+                'queryParams' => [
+                    'update_mask',
+                ],
+            ],
+            'UpdateEkmConnection' => [
+                'method' => 'patch',
+                'uriTemplate' => '/v1/{ekm_connection.name=projects/*/locations/*/ekmConnections/*}',
+                'body' => 'ekm_connection',
+                'placeholders' => [
+                    'ekm_connection.name' => [
+                        'getters' => [
+                            'getEkmConnection',
+                            'getName',
+                        ],
+                    ],
+                ],
+                'queryParams' => [
+                    'update_mask',
+                ],
+            ],
+            'VerifyConnectivity' => [
+                'method' => 'get',
+                'uriTemplate' => '/v1/{name=projects/*/locations/*/ekmConnections/*}:verifyConnectivity',
+                'placeholders' => [
+                    'name' => [
+                        'getters' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+        ],
+        'google.cloud.location.Locations' => [
+            'GetLocation' => [
+                'method' => 'get',
+                'uriTemplate' => '/v1/{name=projects/*/locations/*}',
+                'placeholders' => [
+                    'name' => [
+                        'getters' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'ListLocations' => [
+                'method' => 'get',
+                'uriTemplate' => '/v1/{name=projects/*}/locations',
+                'placeholders' => [
+                    'name' => [
+                        'getters' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+        ],
+        'google.iam.v1.IAMPolicy' => [
+            'GetIamPolicy' => [
+                'method' => 'get',
+                'uriTemplate' => '/v1/{resource=projects/*/locations/*/keyRings/*}:getIamPolicy',
+                'additionalBindings' => [
+                    [
+                        'method' => 'get',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/keyRings/*/cryptoKeys/*}:getIamPolicy',
+                    ],
+                    [
+                        'method' => 'get',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/keyRings/*/importJobs/*}:getIamPolicy',
+                    ],
+                    [
+                        'method' => 'get',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/ekmConfig}:getIamPolicy',
+                    ],
+                    [
+                        'method' => 'get',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/ekmConnections/*}:getIamPolicy',
+                    ],
+                ],
+                'placeholders' => [
+                    'resource' => [
+                        'getters' => [
+                            'getResource',
+                        ],
+                    ],
+                ],
+            ],
+            'SetIamPolicy' => [
+                'method' => 'post',
+                'uriTemplate' => '/v1/{resource=projects/*/locations/*/keyRings/*}:setIamPolicy',
+                'body' => '*',
+                'additionalBindings' => [
+                    [
+                        'method' => 'post',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/keyRings/*/cryptoKeys/*}:setIamPolicy',
+                        'body' => '*',
+                    ],
+                    [
+                        'method' => 'post',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/keyRings/*/importJobs/*}:setIamPolicy',
+                        'body' => '*',
+                    ],
+                    [
+                        'method' => 'post',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/ekmConfig}:setIamPolicy',
+                        'body' => '*',
+                    ],
+                    [
+                        'method' => 'post',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/ekmConnections/*}:setIamPolicy',
+                        'body' => '*',
+                    ],
+                ],
+                'placeholders' => [
+                    'resource' => [
+                        'getters' => [
+                            'getResource',
+                        ],
+                    ],
+                ],
+            ],
+            'TestIamPermissions' => [
+                'method' => 'post',
+                'uriTemplate' => '/v1/{resource=projects/*/locations/*/keyRings/*}:testIamPermissions',
+                'body' => '*',
+                'additionalBindings' => [
+                    [
+                        'method' => 'post',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/keyRings/*/cryptoKeys/*}:testIamPermissions',
+                        'body' => '*',
+                    ],
+                    [
+                        'method' => 'post',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/keyRings/*/importJobs/*}:testIamPermissions',
+                        'body' => '*',
+                    ],
+                    [
+                        'method' => 'post',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/ekmConfig}:testIamPermissions',
+                        'body' => '*',
+                    ],
+                    [
+                        'method' => 'post',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/ekmConnections/*}:testIamPermissions',
+                        'body' => '*',
+                    ],
+                ],
+                'placeholders' => [
+                    'resource' => [
+                        'getters' => [
+                            'getResource',
+                        ],
+                    ],
+                ],
+            ],
+        ],
+        'google.longrunning.Operations' => [
+            'GetOperation' => [
+                'method' => 'get',
+                'uriTemplate' => '/v1/{name=projects/*/locations/*/operations/*}',
+                'placeholders' => [
+                    'name' => [
+                        'getters' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+        ],
+    ],
+    'numericEnums' => true,
+];
diff --git a/owl-bot-staging/Kms/v1/src/V1/resources/key_management_service_client_config.json b/owl-bot-staging/Kms/v1/src/V1/resources/key_management_service_client_config.json
new file mode 100644
index 000000000000..029ea27c5978
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/src/V1/resources/key_management_service_client_config.json
@@ -0,0 +1,210 @@
+{
+    "interfaces": {
+        "google.cloud.kms.v1.KeyManagementService": {
+            "retry_codes": {
+                "no_retry_codes": [],
+                "no_retry_1_codes": [],
+                "retry_policy_1_codes": [
+                    "UNAVAILABLE",
+                    "DEADLINE_EXCEEDED"
+                ]
+            },
+            "retry_params": {
+                "no_retry_params": {
+                    "initial_retry_delay_millis": 0,
+                    "retry_delay_multiplier": 0.0,
+                    "max_retry_delay_millis": 0,
+                    "initial_rpc_timeout_millis": 0,
+                    "rpc_timeout_multiplier": 1.0,
+                    "max_rpc_timeout_millis": 0,
+                    "total_timeout_millis": 0
+                },
+                "no_retry_1_params": {
+                    "initial_retry_delay_millis": 0,
+                    "retry_delay_multiplier": 0.0,
+                    "max_retry_delay_millis": 0,
+                    "initial_rpc_timeout_millis": 60000,
+                    "rpc_timeout_multiplier": 1.0,
+                    "max_rpc_timeout_millis": 60000,
+                    "total_timeout_millis": 60000
+                },
+                "retry_policy_1_params": {
+                    "initial_retry_delay_millis": 100,
+                    "retry_delay_multiplier": 1.3,
+                    "max_retry_delay_millis": 60000,
+                    "initial_rpc_timeout_millis": 60000,
+                    "rpc_timeout_multiplier": 1.0,
+                    "max_rpc_timeout_millis": 60000,
+                    "total_timeout_millis": 60000
+                }
+            },
+            "methods": {
+                "AsymmetricDecrypt": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                },
+                "AsymmetricSign": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                },
+                "CreateCryptoKey": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                },
+                "CreateCryptoKeyVersion": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "no_retry_1_codes",
+                    "retry_params_name": "no_retry_1_params"
+                },
+                "CreateImportJob": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                },
+                "CreateKeyRing": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                },
+                "Decrypt": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                },
+                "DestroyCryptoKeyVersion": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                },
+                "Encrypt": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                },
+                "GenerateRandomBytes": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                },
+                "GetCryptoKey": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                },
+                "GetCryptoKeyVersion": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                },
+                "GetImportJob": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                },
+                "GetKeyRing": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                },
+                "GetPublicKey": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                },
+                "ImportCryptoKeyVersion": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "no_retry_1_codes",
+                    "retry_params_name": "no_retry_1_params"
+                },
+                "ListCryptoKeyVersions": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                },
+                "ListCryptoKeys": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                },
+                "ListImportJobs": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                },
+                "ListKeyRings": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                },
+                "MacSign": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                },
+                "MacVerify": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                },
+                "RawDecrypt": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "no_retry_codes",
+                    "retry_params_name": "no_retry_params"
+                },
+                "RawEncrypt": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "no_retry_codes",
+                    "retry_params_name": "no_retry_params"
+                },
+                "RestoreCryptoKeyVersion": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                },
+                "UpdateCryptoKey": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                },
+                "UpdateCryptoKeyPrimaryVersion": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                },
+                "UpdateCryptoKeyVersion": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                },
+                "GetLocation": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "no_retry_codes",
+                    "retry_params_name": "no_retry_params"
+                },
+                "ListLocations": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "no_retry_codes",
+                    "retry_params_name": "no_retry_params"
+                },
+                "GetIamPolicy": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                },
+                "SetIamPolicy": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                },
+                "TestIamPermissions": {
+                    "timeout_millis": 60000,
+                    "retry_codes_name": "retry_policy_1_codes",
+                    "retry_params_name": "retry_policy_1_params"
+                }
+            }
+        }
+    }
+}
diff --git a/owl-bot-staging/Kms/v1/src/V1/resources/key_management_service_descriptor_config.php b/owl-bot-staging/Kms/v1/src/V1/resources/key_management_service_descriptor_config.php
new file mode 100644
index 000000000000..841c9a29088a
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/src/V1/resources/key_management_service_descriptor_config.php
@@ -0,0 +1,478 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+return [
+    'interfaces' => [
+        'google.cloud.kms.v1.KeyManagementService' => [
+            'AsymmetricDecrypt' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\AsymmetricDecryptResponse',
+                'headerParams' => [
+                    [
+                        'keyName' => 'name',
+                        'fieldAccessors' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'AsymmetricSign' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\AsymmetricSignResponse',
+                'headerParams' => [
+                    [
+                        'keyName' => 'name',
+                        'fieldAccessors' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'CreateCryptoKey' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\CryptoKey',
+                'headerParams' => [
+                    [
+                        'keyName' => 'parent',
+                        'fieldAccessors' => [
+                            'getParent',
+                        ],
+                    ],
+                ],
+            ],
+            'CreateCryptoKeyVersion' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\CryptoKeyVersion',
+                'headerParams' => [
+                    [
+                        'keyName' => 'parent',
+                        'fieldAccessors' => [
+                            'getParent',
+                        ],
+                    ],
+                ],
+            ],
+            'CreateImportJob' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\ImportJob',
+                'headerParams' => [
+                    [
+                        'keyName' => 'parent',
+                        'fieldAccessors' => [
+                            'getParent',
+                        ],
+                    ],
+                ],
+            ],
+            'CreateKeyRing' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\KeyRing',
+                'headerParams' => [
+                    [
+                        'keyName' => 'parent',
+                        'fieldAccessors' => [
+                            'getParent',
+                        ],
+                    ],
+                ],
+            ],
+            'Decrypt' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\DecryptResponse',
+                'headerParams' => [
+                    [
+                        'keyName' => 'name',
+                        'fieldAccessors' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'DestroyCryptoKeyVersion' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\CryptoKeyVersion',
+                'headerParams' => [
+                    [
+                        'keyName' => 'name',
+                        'fieldAccessors' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'Encrypt' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\EncryptResponse',
+                'headerParams' => [
+                    [
+                        'keyName' => 'name',
+                        'fieldAccessors' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'GenerateRandomBytes' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\GenerateRandomBytesResponse',
+                'headerParams' => [
+                    [
+                        'keyName' => 'location',
+                        'fieldAccessors' => [
+                            'getLocation',
+                        ],
+                    ],
+                ],
+            ],
+            'GetCryptoKey' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\CryptoKey',
+                'headerParams' => [
+                    [
+                        'keyName' => 'name',
+                        'fieldAccessors' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'GetCryptoKeyVersion' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\CryptoKeyVersion',
+                'headerParams' => [
+                    [
+                        'keyName' => 'name',
+                        'fieldAccessors' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'GetImportJob' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\ImportJob',
+                'headerParams' => [
+                    [
+                        'keyName' => 'name',
+                        'fieldAccessors' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'GetKeyRing' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\KeyRing',
+                'headerParams' => [
+                    [
+                        'keyName' => 'name',
+                        'fieldAccessors' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'GetPublicKey' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\PublicKey',
+                'headerParams' => [
+                    [
+                        'keyName' => 'name',
+                        'fieldAccessors' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'ImportCryptoKeyVersion' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\CryptoKeyVersion',
+                'headerParams' => [
+                    [
+                        'keyName' => 'parent',
+                        'fieldAccessors' => [
+                            'getParent',
+                        ],
+                    ],
+                ],
+            ],
+            'ListCryptoKeyVersions' => [
+                'pageStreaming' => [
+                    'requestPageTokenGetMethod' => 'getPageToken',
+                    'requestPageTokenSetMethod' => 'setPageToken',
+                    'requestPageSizeGetMethod' => 'getPageSize',
+                    'requestPageSizeSetMethod' => 'setPageSize',
+                    'responsePageTokenGetMethod' => 'getNextPageToken',
+                    'resourcesGetMethod' => 'getCryptoKeyVersions',
+                ],
+                'callType' => \Google\ApiCore\Call::PAGINATED_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\ListCryptoKeyVersionsResponse',
+                'headerParams' => [
+                    [
+                        'keyName' => 'parent',
+                        'fieldAccessors' => [
+                            'getParent',
+                        ],
+                    ],
+                ],
+            ],
+            'ListCryptoKeys' => [
+                'pageStreaming' => [
+                    'requestPageTokenGetMethod' => 'getPageToken',
+                    'requestPageTokenSetMethod' => 'setPageToken',
+                    'requestPageSizeGetMethod' => 'getPageSize',
+                    'requestPageSizeSetMethod' => 'setPageSize',
+                    'responsePageTokenGetMethod' => 'getNextPageToken',
+                    'resourcesGetMethod' => 'getCryptoKeys',
+                ],
+                'callType' => \Google\ApiCore\Call::PAGINATED_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\ListCryptoKeysResponse',
+                'headerParams' => [
+                    [
+                        'keyName' => 'parent',
+                        'fieldAccessors' => [
+                            'getParent',
+                        ],
+                    ],
+                ],
+            ],
+            'ListImportJobs' => [
+                'pageStreaming' => [
+                    'requestPageTokenGetMethod' => 'getPageToken',
+                    'requestPageTokenSetMethod' => 'setPageToken',
+                    'requestPageSizeGetMethod' => 'getPageSize',
+                    'requestPageSizeSetMethod' => 'setPageSize',
+                    'responsePageTokenGetMethod' => 'getNextPageToken',
+                    'resourcesGetMethod' => 'getImportJobs',
+                ],
+                'callType' => \Google\ApiCore\Call::PAGINATED_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\ListImportJobsResponse',
+                'headerParams' => [
+                    [
+                        'keyName' => 'parent',
+                        'fieldAccessors' => [
+                            'getParent',
+                        ],
+                    ],
+                ],
+            ],
+            'ListKeyRings' => [
+                'pageStreaming' => [
+                    'requestPageTokenGetMethod' => 'getPageToken',
+                    'requestPageTokenSetMethod' => 'setPageToken',
+                    'requestPageSizeGetMethod' => 'getPageSize',
+                    'requestPageSizeSetMethod' => 'setPageSize',
+                    'responsePageTokenGetMethod' => 'getNextPageToken',
+                    'resourcesGetMethod' => 'getKeyRings',
+                ],
+                'callType' => \Google\ApiCore\Call::PAGINATED_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\ListKeyRingsResponse',
+                'headerParams' => [
+                    [
+                        'keyName' => 'parent',
+                        'fieldAccessors' => [
+                            'getParent',
+                        ],
+                    ],
+                ],
+            ],
+            'MacSign' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\MacSignResponse',
+                'headerParams' => [
+                    [
+                        'keyName' => 'name',
+                        'fieldAccessors' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'MacVerify' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\MacVerifyResponse',
+                'headerParams' => [
+                    [
+                        'keyName' => 'name',
+                        'fieldAccessors' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'RawDecrypt' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\RawDecryptResponse',
+                'headerParams' => [
+                    [
+                        'keyName' => 'name',
+                        'fieldAccessors' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'RawEncrypt' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\RawEncryptResponse',
+                'headerParams' => [
+                    [
+                        'keyName' => 'name',
+                        'fieldAccessors' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'RestoreCryptoKeyVersion' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\CryptoKeyVersion',
+                'headerParams' => [
+                    [
+                        'keyName' => 'name',
+                        'fieldAccessors' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'UpdateCryptoKey' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\CryptoKey',
+                'headerParams' => [
+                    [
+                        'keyName' => 'crypto_key.name',
+                        'fieldAccessors' => [
+                            'getCryptoKey',
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'UpdateCryptoKeyPrimaryVersion' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\CryptoKey',
+                'headerParams' => [
+                    [
+                        'keyName' => 'name',
+                        'fieldAccessors' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'UpdateCryptoKeyVersion' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Kms\V1\CryptoKeyVersion',
+                'headerParams' => [
+                    [
+                        'keyName' => 'crypto_key_version.name',
+                        'fieldAccessors' => [
+                            'getCryptoKeyVersion',
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'GetLocation' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Location\Location',
+                'headerParams' => [
+                    [
+                        'keyName' => 'name',
+                        'fieldAccessors' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+                'interfaceOverride' => 'google.cloud.location.Locations',
+            ],
+            'ListLocations' => [
+                'pageStreaming' => [
+                    'requestPageTokenGetMethod' => 'getPageToken',
+                    'requestPageTokenSetMethod' => 'setPageToken',
+                    'requestPageSizeGetMethod' => 'getPageSize',
+                    'requestPageSizeSetMethod' => 'setPageSize',
+                    'responsePageTokenGetMethod' => 'getNextPageToken',
+                    'resourcesGetMethod' => 'getLocations',
+                ],
+                'callType' => \Google\ApiCore\Call::PAGINATED_CALL,
+                'responseType' => 'Google\Cloud\Location\ListLocationsResponse',
+                'headerParams' => [
+                    [
+                        'keyName' => 'name',
+                        'fieldAccessors' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+                'interfaceOverride' => 'google.cloud.location.Locations',
+            ],
+            'GetIamPolicy' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Iam\V1\Policy',
+                'headerParams' => [
+                    [
+                        'keyName' => 'resource',
+                        'fieldAccessors' => [
+                            'getResource',
+                        ],
+                    ],
+                ],
+                'interfaceOverride' => 'google.iam.v1.IAMPolicy',
+            ],
+            'SetIamPolicy' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Iam\V1\Policy',
+                'headerParams' => [
+                    [
+                        'keyName' => 'resource',
+                        'fieldAccessors' => [
+                            'getResource',
+                        ],
+                    ],
+                ],
+                'interfaceOverride' => 'google.iam.v1.IAMPolicy',
+            ],
+            'TestIamPermissions' => [
+                'callType' => \Google\ApiCore\Call::UNARY_CALL,
+                'responseType' => 'Google\Cloud\Iam\V1\TestIamPermissionsResponse',
+                'headerParams' => [
+                    [
+                        'keyName' => 'resource',
+                        'fieldAccessors' => [
+                            'getResource',
+                        ],
+                    ],
+                ],
+                'interfaceOverride' => 'google.iam.v1.IAMPolicy',
+            ],
+            'templateMap' => [
+                'cryptoKey' => 'projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}',
+                'cryptoKeyVersion' => 'projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}/cryptoKeyVersions/{crypto_key_version}',
+                'importJob' => 'projects/{project}/locations/{location}/keyRings/{key_ring}/importJobs/{import_job}',
+                'keyRing' => 'projects/{project}/locations/{location}/keyRings/{key_ring}',
+                'location' => 'projects/{project}/locations/{location}',
+            ],
+        ],
+    ],
+];
diff --git a/owl-bot-staging/Kms/v1/src/V1/resources/key_management_service_rest_client_config.php b/owl-bot-staging/Kms/v1/src/V1/resources/key_management_service_rest_client_config.php
new file mode 100644
index 000000000000..eb9b6897bb40
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/src/V1/resources/key_management_service_rest_client_config.php
@@ -0,0 +1,509 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+return [
+    'interfaces' => [
+        'google.cloud.kms.v1.KeyManagementService' => [
+            'AsymmetricDecrypt' => [
+                'method' => 'post',
+                'uriTemplate' => '/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:asymmetricDecrypt',
+                'body' => '*',
+                'placeholders' => [
+                    'name' => [
+                        'getters' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'AsymmetricSign' => [
+                'method' => 'post',
+                'uriTemplate' => '/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:asymmetricSign',
+                'body' => '*',
+                'placeholders' => [
+                    'name' => [
+                        'getters' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'CreateCryptoKey' => [
+                'method' => 'post',
+                'uriTemplate' => '/v1/{parent=projects/*/locations/*/keyRings/*}/cryptoKeys',
+                'body' => 'crypto_key',
+                'placeholders' => [
+                    'parent' => [
+                        'getters' => [
+                            'getParent',
+                        ],
+                    ],
+                ],
+                'queryParams' => [
+                    'crypto_key_id',
+                ],
+            ],
+            'CreateCryptoKeyVersion' => [
+                'method' => 'post',
+                'uriTemplate' => '/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions',
+                'body' => 'crypto_key_version',
+                'placeholders' => [
+                    'parent' => [
+                        'getters' => [
+                            'getParent',
+                        ],
+                    ],
+                ],
+            ],
+            'CreateImportJob' => [
+                'method' => 'post',
+                'uriTemplate' => '/v1/{parent=projects/*/locations/*/keyRings/*}/importJobs',
+                'body' => 'import_job',
+                'placeholders' => [
+                    'parent' => [
+                        'getters' => [
+                            'getParent',
+                        ],
+                    ],
+                ],
+                'queryParams' => [
+                    'import_job_id',
+                ],
+            ],
+            'CreateKeyRing' => [
+                'method' => 'post',
+                'uriTemplate' => '/v1/{parent=projects/*/locations/*}/keyRings',
+                'body' => 'key_ring',
+                'placeholders' => [
+                    'parent' => [
+                        'getters' => [
+                            'getParent',
+                        ],
+                    ],
+                ],
+                'queryParams' => [
+                    'key_ring_id',
+                ],
+            ],
+            'Decrypt' => [
+                'method' => 'post',
+                'uriTemplate' => '/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}:decrypt',
+                'body' => '*',
+                'placeholders' => [
+                    'name' => [
+                        'getters' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'DestroyCryptoKeyVersion' => [
+                'method' => 'post',
+                'uriTemplate' => '/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:destroy',
+                'body' => '*',
+                'placeholders' => [
+                    'name' => [
+                        'getters' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'Encrypt' => [
+                'method' => 'post',
+                'uriTemplate' => '/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/**}:encrypt',
+                'body' => '*',
+                'placeholders' => [
+                    'name' => [
+                        'getters' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'GenerateRandomBytes' => [
+                'method' => 'post',
+                'uriTemplate' => '/v1/{location=projects/*/locations/*}:generateRandomBytes',
+                'body' => '*',
+                'placeholders' => [
+                    'location' => [
+                        'getters' => [
+                            'getLocation',
+                        ],
+                    ],
+                ],
+            ],
+            'GetCryptoKey' => [
+                'method' => 'get',
+                'uriTemplate' => '/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}',
+                'placeholders' => [
+                    'name' => [
+                        'getters' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'GetCryptoKeyVersion' => [
+                'method' => 'get',
+                'uriTemplate' => '/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}',
+                'placeholders' => [
+                    'name' => [
+                        'getters' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'GetImportJob' => [
+                'method' => 'get',
+                'uriTemplate' => '/v1/{name=projects/*/locations/*/keyRings/*/importJobs/*}',
+                'placeholders' => [
+                    'name' => [
+                        'getters' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'GetKeyRing' => [
+                'method' => 'get',
+                'uriTemplate' => '/v1/{name=projects/*/locations/*/keyRings/*}',
+                'placeholders' => [
+                    'name' => [
+                        'getters' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'GetPublicKey' => [
+                'method' => 'get',
+                'uriTemplate' => '/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}/publicKey',
+                'placeholders' => [
+                    'name' => [
+                        'getters' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'ImportCryptoKeyVersion' => [
+                'method' => 'post',
+                'uriTemplate' => '/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions:import',
+                'body' => '*',
+                'placeholders' => [
+                    'parent' => [
+                        'getters' => [
+                            'getParent',
+                        ],
+                    ],
+                ],
+            ],
+            'ListCryptoKeyVersions' => [
+                'method' => 'get',
+                'uriTemplate' => '/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions',
+                'placeholders' => [
+                    'parent' => [
+                        'getters' => [
+                            'getParent',
+                        ],
+                    ],
+                ],
+            ],
+            'ListCryptoKeys' => [
+                'method' => 'get',
+                'uriTemplate' => '/v1/{parent=projects/*/locations/*/keyRings/*}/cryptoKeys',
+                'placeholders' => [
+                    'parent' => [
+                        'getters' => [
+                            'getParent',
+                        ],
+                    ],
+                ],
+            ],
+            'ListImportJobs' => [
+                'method' => 'get',
+                'uriTemplate' => '/v1/{parent=projects/*/locations/*/keyRings/*}/importJobs',
+                'placeholders' => [
+                    'parent' => [
+                        'getters' => [
+                            'getParent',
+                        ],
+                    ],
+                ],
+            ],
+            'ListKeyRings' => [
+                'method' => 'get',
+                'uriTemplate' => '/v1/{parent=projects/*/locations/*}/keyRings',
+                'placeholders' => [
+                    'parent' => [
+                        'getters' => [
+                            'getParent',
+                        ],
+                    ],
+                ],
+            ],
+            'MacSign' => [
+                'method' => 'post',
+                'uriTemplate' => '/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:macSign',
+                'body' => '*',
+                'placeholders' => [
+                    'name' => [
+                        'getters' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'MacVerify' => [
+                'method' => 'post',
+                'uriTemplate' => '/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:macVerify',
+                'body' => '*',
+                'placeholders' => [
+                    'name' => [
+                        'getters' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'RawDecrypt' => [
+                'method' => 'post',
+                'uriTemplate' => '/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:rawDecrypt',
+                'body' => '*',
+                'placeholders' => [
+                    'name' => [
+                        'getters' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'RawEncrypt' => [
+                'method' => 'post',
+                'uriTemplate' => '/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:rawEncrypt',
+                'body' => '*',
+                'placeholders' => [
+                    'name' => [
+                        'getters' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'RestoreCryptoKeyVersion' => [
+                'method' => 'post',
+                'uriTemplate' => '/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:restore',
+                'body' => '*',
+                'placeholders' => [
+                    'name' => [
+                        'getters' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'UpdateCryptoKey' => [
+                'method' => 'patch',
+                'uriTemplate' => '/v1/{crypto_key.name=projects/*/locations/*/keyRings/*/cryptoKeys/*}',
+                'body' => 'crypto_key',
+                'placeholders' => [
+                    'crypto_key.name' => [
+                        'getters' => [
+                            'getCryptoKey',
+                            'getName',
+                        ],
+                    ],
+                ],
+                'queryParams' => [
+                    'update_mask',
+                ],
+            ],
+            'UpdateCryptoKeyPrimaryVersion' => [
+                'method' => 'post',
+                'uriTemplate' => '/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}:updatePrimaryVersion',
+                'body' => '*',
+                'placeholders' => [
+                    'name' => [
+                        'getters' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'UpdateCryptoKeyVersion' => [
+                'method' => 'patch',
+                'uriTemplate' => '/v1/{crypto_key_version.name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}',
+                'body' => 'crypto_key_version',
+                'placeholders' => [
+                    'crypto_key_version.name' => [
+                        'getters' => [
+                            'getCryptoKeyVersion',
+                            'getName',
+                        ],
+                    ],
+                ],
+                'queryParams' => [
+                    'update_mask',
+                ],
+            ],
+        ],
+        'google.cloud.location.Locations' => [
+            'GetLocation' => [
+                'method' => 'get',
+                'uriTemplate' => '/v1/{name=projects/*/locations/*}',
+                'placeholders' => [
+                    'name' => [
+                        'getters' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+            'ListLocations' => [
+                'method' => 'get',
+                'uriTemplate' => '/v1/{name=projects/*}/locations',
+                'placeholders' => [
+                    'name' => [
+                        'getters' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+        ],
+        'google.iam.v1.IAMPolicy' => [
+            'GetIamPolicy' => [
+                'method' => 'get',
+                'uriTemplate' => '/v1/{resource=projects/*/locations/*/keyRings/*}:getIamPolicy',
+                'additionalBindings' => [
+                    [
+                        'method' => 'get',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/keyRings/*/cryptoKeys/*}:getIamPolicy',
+                    ],
+                    [
+                        'method' => 'get',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/keyRings/*/importJobs/*}:getIamPolicy',
+                    ],
+                    [
+                        'method' => 'get',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/ekmConfig}:getIamPolicy',
+                    ],
+                    [
+                        'method' => 'get',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/ekmConnections/*}:getIamPolicy',
+                    ],
+                ],
+                'placeholders' => [
+                    'resource' => [
+                        'getters' => [
+                            'getResource',
+                        ],
+                    ],
+                ],
+            ],
+            'SetIamPolicy' => [
+                'method' => 'post',
+                'uriTemplate' => '/v1/{resource=projects/*/locations/*/keyRings/*}:setIamPolicy',
+                'body' => '*',
+                'additionalBindings' => [
+                    [
+                        'method' => 'post',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/keyRings/*/cryptoKeys/*}:setIamPolicy',
+                        'body' => '*',
+                    ],
+                    [
+                        'method' => 'post',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/keyRings/*/importJobs/*}:setIamPolicy',
+                        'body' => '*',
+                    ],
+                    [
+                        'method' => 'post',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/ekmConfig}:setIamPolicy',
+                        'body' => '*',
+                    ],
+                    [
+                        'method' => 'post',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/ekmConnections/*}:setIamPolicy',
+                        'body' => '*',
+                    ],
+                ],
+                'placeholders' => [
+                    'resource' => [
+                        'getters' => [
+                            'getResource',
+                        ],
+                    ],
+                ],
+            ],
+            'TestIamPermissions' => [
+                'method' => 'post',
+                'uriTemplate' => '/v1/{resource=projects/*/locations/*/keyRings/*}:testIamPermissions',
+                'body' => '*',
+                'additionalBindings' => [
+                    [
+                        'method' => 'post',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/keyRings/*/cryptoKeys/*}:testIamPermissions',
+                        'body' => '*',
+                    ],
+                    [
+                        'method' => 'post',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/keyRings/*/importJobs/*}:testIamPermissions',
+                        'body' => '*',
+                    ],
+                    [
+                        'method' => 'post',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/ekmConfig}:testIamPermissions',
+                        'body' => '*',
+                    ],
+                    [
+                        'method' => 'post',
+                        'uriTemplate' => '/v1/{resource=projects/*/locations/*/ekmConnections/*}:testIamPermissions',
+                        'body' => '*',
+                    ],
+                ],
+                'placeholders' => [
+                    'resource' => [
+                        'getters' => [
+                            'getResource',
+                        ],
+                    ],
+                ],
+            ],
+        ],
+        'google.longrunning.Operations' => [
+            'GetOperation' => [
+                'method' => 'get',
+                'uriTemplate' => '/v1/{name=projects/*/locations/*/operations/*}',
+                'placeholders' => [
+                    'name' => [
+                        'getters' => [
+                            'getName',
+                        ],
+                    ],
+                ],
+            ],
+        ],
+    ],
+    'numericEnums' => true,
+];
diff --git a/owl-bot-staging/Kms/v1/tests/Unit/V1/Client/AutokeyAdminClientTest.php b/owl-bot-staging/Kms/v1/tests/Unit/V1/Client/AutokeyAdminClientTest.php
new file mode 100644
index 000000000000..db3d68a16a74
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/tests/Unit/V1/Client/AutokeyAdminClientTest.php
@@ -0,0 +1,638 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+namespace Google\Cloud\Kms\Tests\Unit\V1\Client;
+
+use Google\ApiCore\ApiException;
+use Google\ApiCore\CredentialsWrapper;
+use Google\ApiCore\Testing\GeneratedTest;
+use Google\ApiCore\Testing\MockTransport;
+use Google\Cloud\Iam\V1\GetIamPolicyRequest;
+use Google\Cloud\Iam\V1\Policy;
+use Google\Cloud\Iam\V1\SetIamPolicyRequest;
+use Google\Cloud\Iam\V1\TestIamPermissionsRequest;
+use Google\Cloud\Iam\V1\TestIamPermissionsResponse;
+use Google\Cloud\Kms\V1\AutokeyConfig;
+use Google\Cloud\Kms\V1\Client\AutokeyAdminClient;
+use Google\Cloud\Kms\V1\GetAutokeyConfigRequest;
+use Google\Cloud\Kms\V1\ShowEffectiveAutokeyConfigRequest;
+use Google\Cloud\Kms\V1\ShowEffectiveAutokeyConfigResponse;
+use Google\Cloud\Kms\V1\UpdateAutokeyConfigRequest;
+use Google\Cloud\Location\GetLocationRequest;
+use Google\Cloud\Location\ListLocationsRequest;
+use Google\Cloud\Location\ListLocationsResponse;
+use Google\Cloud\Location\Location;
+use Google\Protobuf\FieldMask;
+use Google\Rpc\Code;
+use stdClass;
+
+/**
+ * @group kms
+ *
+ * @group gapic
+ */
+class AutokeyAdminClientTest extends GeneratedTest
+{
+    /** @return TransportInterface */
+    private function createTransport($deserialize = null)
+    {
+        return new MockTransport($deserialize);
+    }
+
+    /** @return CredentialsWrapper */
+    private function createCredentials()
+    {
+        return $this->getMockBuilder(CredentialsWrapper::class)->disableOriginalConstructor()->getMock();
+    }
+
+    /** @return AutokeyAdminClient */
+    private function createClient(array $options = [])
+    {
+        $options += [
+            'credentials' => $this->createCredentials(),
+        ];
+        return new AutokeyAdminClient($options);
+    }
+
+    /** @test */
+    public function getAutokeyConfigTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $name2 = 'name2-1052831874';
+        $keyProject = 'keyProject721994041';
+        $expectedResponse = new AutokeyConfig();
+        $expectedResponse->setName($name2);
+        $expectedResponse->setKeyProject($keyProject);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $formattedName = $gapicClient->autokeyConfigName('[FOLDER]');
+        $request = (new GetAutokeyConfigRequest())
+            ->setName($formattedName);
+        $response = $gapicClient->getAutokeyConfig($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.AutokeyAdmin/GetAutokeyConfig', $actualFuncCall);
+        $actualValue = $actualRequestObject->getName();
+        $this->assertProtobufEquals($formattedName, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function getAutokeyConfigExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $formattedName = $gapicClient->autokeyConfigName('[FOLDER]');
+        $request = (new GetAutokeyConfigRequest())
+            ->setName($formattedName);
+        try {
+            $gapicClient->getAutokeyConfig($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function showEffectiveAutokeyConfigTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $keyProject = 'keyProject721994041';
+        $expectedResponse = new ShowEffectiveAutokeyConfigResponse();
+        $expectedResponse->setKeyProject($keyProject);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $formattedParent = $gapicClient->projectName('[PROJECT]');
+        $request = (new ShowEffectiveAutokeyConfigRequest())
+            ->setParent($formattedParent);
+        $response = $gapicClient->showEffectiveAutokeyConfig($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.AutokeyAdmin/ShowEffectiveAutokeyConfig', $actualFuncCall);
+        $actualValue = $actualRequestObject->getParent();
+        $this->assertProtobufEquals($formattedParent, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function showEffectiveAutokeyConfigExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $formattedParent = $gapicClient->projectName('[PROJECT]');
+        $request = (new ShowEffectiveAutokeyConfigRequest())
+            ->setParent($formattedParent);
+        try {
+            $gapicClient->showEffectiveAutokeyConfig($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function updateAutokeyConfigTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $name = 'name3373707';
+        $keyProject = 'keyProject721994041';
+        $expectedResponse = new AutokeyConfig();
+        $expectedResponse->setName($name);
+        $expectedResponse->setKeyProject($keyProject);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $autokeyConfig = new AutokeyConfig();
+        $updateMask = new FieldMask();
+        $request = (new UpdateAutokeyConfigRequest())
+            ->setAutokeyConfig($autokeyConfig)
+            ->setUpdateMask($updateMask);
+        $response = $gapicClient->updateAutokeyConfig($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.AutokeyAdmin/UpdateAutokeyConfig', $actualFuncCall);
+        $actualValue = $actualRequestObject->getAutokeyConfig();
+        $this->assertProtobufEquals($autokeyConfig, $actualValue);
+        $actualValue = $actualRequestObject->getUpdateMask();
+        $this->assertProtobufEquals($updateMask, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function updateAutokeyConfigExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $autokeyConfig = new AutokeyConfig();
+        $updateMask = new FieldMask();
+        $request = (new UpdateAutokeyConfigRequest())
+            ->setAutokeyConfig($autokeyConfig)
+            ->setUpdateMask($updateMask);
+        try {
+            $gapicClient->updateAutokeyConfig($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function getLocationTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $name2 = 'name2-1052831874';
+        $locationId = 'locationId552319461';
+        $displayName = 'displayName1615086568';
+        $expectedResponse = new Location();
+        $expectedResponse->setName($name2);
+        $expectedResponse->setLocationId($locationId);
+        $expectedResponse->setDisplayName($displayName);
+        $transport->addResponse($expectedResponse);
+        $request = new GetLocationRequest();
+        $response = $gapicClient->getLocation($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.location.Locations/GetLocation', $actualFuncCall);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function getLocationExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        $request = new GetLocationRequest();
+        try {
+            $gapicClient->getLocation($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function listLocationsTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $nextPageToken = '';
+        $locationsElement = new Location();
+        $locations = [
+            $locationsElement,
+        ];
+        $expectedResponse = new ListLocationsResponse();
+        $expectedResponse->setNextPageToken($nextPageToken);
+        $expectedResponse->setLocations($locations);
+        $transport->addResponse($expectedResponse);
+        $request = new ListLocationsRequest();
+        $response = $gapicClient->listLocations($request);
+        $this->assertEquals($expectedResponse, $response->getPage()->getResponseObject());
+        $resources = iterator_to_array($response->iterateAllElements());
+        $this->assertSame(1, count($resources));
+        $this->assertEquals($expectedResponse->getLocations()[0], $resources[0]);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.location.Locations/ListLocations', $actualFuncCall);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function listLocationsExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        $request = new ListLocationsRequest();
+        try {
+            $gapicClient->listLocations($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function getIamPolicyTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $version = 351608024;
+        $etag = '21';
+        $expectedResponse = new Policy();
+        $expectedResponse->setVersion($version);
+        $expectedResponse->setEtag($etag);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $resource = 'resource-341064690';
+        $request = (new GetIamPolicyRequest())
+            ->setResource($resource);
+        $response = $gapicClient->getIamPolicy($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.iam.v1.IAMPolicy/GetIamPolicy', $actualFuncCall);
+        $actualValue = $actualRequestObject->getResource();
+        $this->assertProtobufEquals($resource, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function getIamPolicyExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $resource = 'resource-341064690';
+        $request = (new GetIamPolicyRequest())
+            ->setResource($resource);
+        try {
+            $gapicClient->getIamPolicy($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function setIamPolicyTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $version = 351608024;
+        $etag = '21';
+        $expectedResponse = new Policy();
+        $expectedResponse->setVersion($version);
+        $expectedResponse->setEtag($etag);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $resource = 'resource-341064690';
+        $policy = new Policy();
+        $request = (new SetIamPolicyRequest())
+            ->setResource($resource)
+            ->setPolicy($policy);
+        $response = $gapicClient->setIamPolicy($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.iam.v1.IAMPolicy/SetIamPolicy', $actualFuncCall);
+        $actualValue = $actualRequestObject->getResource();
+        $this->assertProtobufEquals($resource, $actualValue);
+        $actualValue = $actualRequestObject->getPolicy();
+        $this->assertProtobufEquals($policy, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function setIamPolicyExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $resource = 'resource-341064690';
+        $policy = new Policy();
+        $request = (new SetIamPolicyRequest())
+            ->setResource($resource)
+            ->setPolicy($policy);
+        try {
+            $gapicClient->setIamPolicy($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function testIamPermissionsTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $expectedResponse = new TestIamPermissionsResponse();
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $resource = 'resource-341064690';
+        $permissions = [];
+        $request = (new TestIamPermissionsRequest())
+            ->setResource($resource)
+            ->setPermissions($permissions);
+        $response = $gapicClient->testIamPermissions($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.iam.v1.IAMPolicy/TestIamPermissions', $actualFuncCall);
+        $actualValue = $actualRequestObject->getResource();
+        $this->assertProtobufEquals($resource, $actualValue);
+        $actualValue = $actualRequestObject->getPermissions();
+        $this->assertProtobufEquals($permissions, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function testIamPermissionsExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $resource = 'resource-341064690';
+        $permissions = [];
+        $request = (new TestIamPermissionsRequest())
+            ->setResource($resource)
+            ->setPermissions($permissions);
+        try {
+            $gapicClient->testIamPermissions($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function getAutokeyConfigAsyncTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $name2 = 'name2-1052831874';
+        $keyProject = 'keyProject721994041';
+        $expectedResponse = new AutokeyConfig();
+        $expectedResponse->setName($name2);
+        $expectedResponse->setKeyProject($keyProject);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $formattedName = $gapicClient->autokeyConfigName('[FOLDER]');
+        $request = (new GetAutokeyConfigRequest())
+            ->setName($formattedName);
+        $response = $gapicClient->getAutokeyConfigAsync($request)->wait();
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.AutokeyAdmin/GetAutokeyConfig', $actualFuncCall);
+        $actualValue = $actualRequestObject->getName();
+        $this->assertProtobufEquals($formattedName, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+}
diff --git a/owl-bot-staging/Kms/v1/tests/Unit/V1/Client/AutokeyClientTest.php b/owl-bot-staging/Kms/v1/tests/Unit/V1/Client/AutokeyClientTest.php
new file mode 100644
index 000000000000..c014d40dea8e
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/tests/Unit/V1/Client/AutokeyClientTest.php
@@ -0,0 +1,761 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+namespace Google\Cloud\Kms\Tests\Unit\V1\Client;
+
+use Google\ApiCore\ApiException;
+use Google\ApiCore\CredentialsWrapper;
+use Google\ApiCore\Testing\GeneratedTest;
+use Google\ApiCore\Testing\MockTransport;
+use Google\Cloud\Iam\V1\GetIamPolicyRequest;
+use Google\Cloud\Iam\V1\Policy;
+use Google\Cloud\Iam\V1\SetIamPolicyRequest;
+use Google\Cloud\Iam\V1\TestIamPermissionsRequest;
+use Google\Cloud\Iam\V1\TestIamPermissionsResponse;
+use Google\Cloud\Kms\V1\Client\AutokeyClient;
+use Google\Cloud\Kms\V1\CreateKeyHandleRequest;
+use Google\Cloud\Kms\V1\GetKeyHandleRequest;
+use Google\Cloud\Kms\V1\KeyHandle;
+use Google\Cloud\Kms\V1\ListKeyHandlesRequest;
+use Google\Cloud\Kms\V1\ListKeyHandlesResponse;
+use Google\Cloud\Location\GetLocationRequest;
+use Google\Cloud\Location\ListLocationsRequest;
+use Google\Cloud\Location\ListLocationsResponse;
+use Google\Cloud\Location\Location;
+use Google\LongRunning\Client\OperationsClient;
+use Google\LongRunning\GetOperationRequest;
+use Google\LongRunning\Operation;
+use Google\Protobuf\Any;
+use Google\Rpc\Code;
+use stdClass;
+
+/**
+ * @group kms
+ *
+ * @group gapic
+ */
+class AutokeyClientTest extends GeneratedTest
+{
+    /** @return TransportInterface */
+    private function createTransport($deserialize = null)
+    {
+        return new MockTransport($deserialize);
+    }
+
+    /** @return CredentialsWrapper */
+    private function createCredentials()
+    {
+        return $this->getMockBuilder(CredentialsWrapper::class)->disableOriginalConstructor()->getMock();
+    }
+
+    /** @return AutokeyClient */
+    private function createClient(array $options = [])
+    {
+        $options += [
+            'credentials' => $this->createCredentials(),
+        ];
+        return new AutokeyClient($options);
+    }
+
+    /** @test */
+    public function createKeyHandleTest()
+    {
+        $operationsTransport = $this->createTransport();
+        $operationsClient = new OperationsClient([
+            'apiEndpoint' => '',
+            'transport' => $operationsTransport,
+            'credentials' => $this->createCredentials(),
+        ]);
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+            'operationsClient' => $operationsClient,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $this->assertTrue($operationsTransport->isExhausted());
+        // Mock response
+        $incompleteOperation = new Operation();
+        $incompleteOperation->setName('operations/createKeyHandleTest');
+        $incompleteOperation->setDone(false);
+        $transport->addResponse($incompleteOperation);
+        $name = 'name3373707';
+        $kmsKey = 'kmsKey-591635343';
+        $resourceTypeSelector = 'resourceTypeSelector-455377709';
+        $expectedResponse = new KeyHandle();
+        $expectedResponse->setName($name);
+        $expectedResponse->setKmsKey($kmsKey);
+        $expectedResponse->setResourceTypeSelector($resourceTypeSelector);
+        $anyResponse = new Any();
+        $anyResponse->setValue($expectedResponse->serializeToString());
+        $completeOperation = new Operation();
+        $completeOperation->setName('operations/createKeyHandleTest');
+        $completeOperation->setDone(true);
+        $completeOperation->setResponse($anyResponse);
+        $operationsTransport->addResponse($completeOperation);
+        // Mock request
+        $formattedParent = $gapicClient->locationName('[PROJECT]', '[LOCATION]');
+        $keyHandle = new KeyHandle();
+        $keyHandleResourceTypeSelector = 'keyHandleResourceTypeSelector-1310560146';
+        $keyHandle->setResourceTypeSelector($keyHandleResourceTypeSelector);
+        $request = (new CreateKeyHandleRequest())
+            ->setParent($formattedParent)
+            ->setKeyHandle($keyHandle);
+        $response = $gapicClient->createKeyHandle($request);
+        $this->assertFalse($response->isDone());
+        $this->assertNull($response->getResult());
+        $apiRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($apiRequests));
+        $operationsRequestsEmpty = $operationsTransport->popReceivedCalls();
+        $this->assertSame(0, count($operationsRequestsEmpty));
+        $actualApiFuncCall = $apiRequests[0]->getFuncCall();
+        $actualApiRequestObject = $apiRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.Autokey/CreateKeyHandle', $actualApiFuncCall);
+        $actualValue = $actualApiRequestObject->getParent();
+        $this->assertProtobufEquals($formattedParent, $actualValue);
+        $actualValue = $actualApiRequestObject->getKeyHandle();
+        $this->assertProtobufEquals($keyHandle, $actualValue);
+        $expectedOperationsRequestObject = new GetOperationRequest();
+        $expectedOperationsRequestObject->setName('operations/createKeyHandleTest');
+        $response->pollUntilComplete([
+            'initialPollDelayMillis' => 1,
+        ]);
+        $this->assertTrue($response->isDone());
+        $this->assertEquals($expectedResponse, $response->getResult());
+        $apiRequestsEmpty = $transport->popReceivedCalls();
+        $this->assertSame(0, count($apiRequestsEmpty));
+        $operationsRequests = $operationsTransport->popReceivedCalls();
+        $this->assertSame(1, count($operationsRequests));
+        $actualOperationsFuncCall = $operationsRequests[0]->getFuncCall();
+        $actualOperationsRequestObject = $operationsRequests[0]->getRequestObject();
+        $this->assertSame('/google.longrunning.Operations/GetOperation', $actualOperationsFuncCall);
+        $this->assertEquals($expectedOperationsRequestObject, $actualOperationsRequestObject);
+        $this->assertTrue($transport->isExhausted());
+        $this->assertTrue($operationsTransport->isExhausted());
+    }
+
+    /** @test */
+    public function createKeyHandleExceptionTest()
+    {
+        $operationsTransport = $this->createTransport();
+        $operationsClient = new OperationsClient([
+            'apiEndpoint' => '',
+            'transport' => $operationsTransport,
+            'credentials' => $this->createCredentials(),
+        ]);
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+            'operationsClient' => $operationsClient,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $this->assertTrue($operationsTransport->isExhausted());
+        // Mock response
+        $incompleteOperation = new Operation();
+        $incompleteOperation->setName('operations/createKeyHandleTest');
+        $incompleteOperation->setDone(false);
+        $transport->addResponse($incompleteOperation);
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $operationsTransport->addResponse(null, $status);
+        // Mock request
+        $formattedParent = $gapicClient->locationName('[PROJECT]', '[LOCATION]');
+        $keyHandle = new KeyHandle();
+        $keyHandleResourceTypeSelector = 'keyHandleResourceTypeSelector-1310560146';
+        $keyHandle->setResourceTypeSelector($keyHandleResourceTypeSelector);
+        $request = (new CreateKeyHandleRequest())
+            ->setParent($formattedParent)
+            ->setKeyHandle($keyHandle);
+        $response = $gapicClient->createKeyHandle($request);
+        $this->assertFalse($response->isDone());
+        $this->assertNull($response->getResult());
+        $expectedOperationsRequestObject = new GetOperationRequest();
+        $expectedOperationsRequestObject->setName('operations/createKeyHandleTest');
+        try {
+            $response->pollUntilComplete([
+                'initialPollDelayMillis' => 1,
+            ]);
+            // If the pollUntilComplete() method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stubs are exhausted
+        $transport->popReceivedCalls();
+        $operationsTransport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+        $this->assertTrue($operationsTransport->isExhausted());
+    }
+
+    /** @test */
+    public function getKeyHandleTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $name2 = 'name2-1052831874';
+        $kmsKey = 'kmsKey-591635343';
+        $resourceTypeSelector = 'resourceTypeSelector-455377709';
+        $expectedResponse = new KeyHandle();
+        $expectedResponse->setName($name2);
+        $expectedResponse->setKmsKey($kmsKey);
+        $expectedResponse->setResourceTypeSelector($resourceTypeSelector);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $formattedName = $gapicClient->keyHandleName('[PROJECT]', '[LOCATION]', '[KEY_HANDLE]');
+        $request = (new GetKeyHandleRequest())
+            ->setName($formattedName);
+        $response = $gapicClient->getKeyHandle($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.Autokey/GetKeyHandle', $actualFuncCall);
+        $actualValue = $actualRequestObject->getName();
+        $this->assertProtobufEquals($formattedName, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function getKeyHandleExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $formattedName = $gapicClient->keyHandleName('[PROJECT]', '[LOCATION]', '[KEY_HANDLE]');
+        $request = (new GetKeyHandleRequest())
+            ->setName($formattedName);
+        try {
+            $gapicClient->getKeyHandle($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function listKeyHandlesTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $nextPageToken = '';
+        $keyHandlesElement = new KeyHandle();
+        $keyHandles = [
+            $keyHandlesElement,
+        ];
+        $expectedResponse = new ListKeyHandlesResponse();
+        $expectedResponse->setNextPageToken($nextPageToken);
+        $expectedResponse->setKeyHandles($keyHandles);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $formattedParent = $gapicClient->locationName('[PROJECT]', '[LOCATION]');
+        $request = (new ListKeyHandlesRequest())
+            ->setParent($formattedParent);
+        $response = $gapicClient->listKeyHandles($request);
+        $this->assertEquals($expectedResponse, $response->getPage()->getResponseObject());
+        $resources = iterator_to_array($response->iterateAllElements());
+        $this->assertSame(1, count($resources));
+        $this->assertEquals($expectedResponse->getKeyHandles()[0], $resources[0]);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.Autokey/ListKeyHandles', $actualFuncCall);
+        $actualValue = $actualRequestObject->getParent();
+        $this->assertProtobufEquals($formattedParent, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function listKeyHandlesExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $formattedParent = $gapicClient->locationName('[PROJECT]', '[LOCATION]');
+        $request = (new ListKeyHandlesRequest())
+            ->setParent($formattedParent);
+        try {
+            $gapicClient->listKeyHandles($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function getLocationTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $name2 = 'name2-1052831874';
+        $locationId = 'locationId552319461';
+        $displayName = 'displayName1615086568';
+        $expectedResponse = new Location();
+        $expectedResponse->setName($name2);
+        $expectedResponse->setLocationId($locationId);
+        $expectedResponse->setDisplayName($displayName);
+        $transport->addResponse($expectedResponse);
+        $request = new GetLocationRequest();
+        $response = $gapicClient->getLocation($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.location.Locations/GetLocation', $actualFuncCall);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function getLocationExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        $request = new GetLocationRequest();
+        try {
+            $gapicClient->getLocation($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function listLocationsTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $nextPageToken = '';
+        $locationsElement = new Location();
+        $locations = [
+            $locationsElement,
+        ];
+        $expectedResponse = new ListLocationsResponse();
+        $expectedResponse->setNextPageToken($nextPageToken);
+        $expectedResponse->setLocations($locations);
+        $transport->addResponse($expectedResponse);
+        $request = new ListLocationsRequest();
+        $response = $gapicClient->listLocations($request);
+        $this->assertEquals($expectedResponse, $response->getPage()->getResponseObject());
+        $resources = iterator_to_array($response->iterateAllElements());
+        $this->assertSame(1, count($resources));
+        $this->assertEquals($expectedResponse->getLocations()[0], $resources[0]);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.location.Locations/ListLocations', $actualFuncCall);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function listLocationsExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        $request = new ListLocationsRequest();
+        try {
+            $gapicClient->listLocations($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function getIamPolicyTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $version = 351608024;
+        $etag = '21';
+        $expectedResponse = new Policy();
+        $expectedResponse->setVersion($version);
+        $expectedResponse->setEtag($etag);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $resource = 'resource-341064690';
+        $request = (new GetIamPolicyRequest())
+            ->setResource($resource);
+        $response = $gapicClient->getIamPolicy($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.iam.v1.IAMPolicy/GetIamPolicy', $actualFuncCall);
+        $actualValue = $actualRequestObject->getResource();
+        $this->assertProtobufEquals($resource, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function getIamPolicyExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $resource = 'resource-341064690';
+        $request = (new GetIamPolicyRequest())
+            ->setResource($resource);
+        try {
+            $gapicClient->getIamPolicy($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function setIamPolicyTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $version = 351608024;
+        $etag = '21';
+        $expectedResponse = new Policy();
+        $expectedResponse->setVersion($version);
+        $expectedResponse->setEtag($etag);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $resource = 'resource-341064690';
+        $policy = new Policy();
+        $request = (new SetIamPolicyRequest())
+            ->setResource($resource)
+            ->setPolicy($policy);
+        $response = $gapicClient->setIamPolicy($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.iam.v1.IAMPolicy/SetIamPolicy', $actualFuncCall);
+        $actualValue = $actualRequestObject->getResource();
+        $this->assertProtobufEquals($resource, $actualValue);
+        $actualValue = $actualRequestObject->getPolicy();
+        $this->assertProtobufEquals($policy, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function setIamPolicyExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $resource = 'resource-341064690';
+        $policy = new Policy();
+        $request = (new SetIamPolicyRequest())
+            ->setResource($resource)
+            ->setPolicy($policy);
+        try {
+            $gapicClient->setIamPolicy($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function testIamPermissionsTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $expectedResponse = new TestIamPermissionsResponse();
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $resource = 'resource-341064690';
+        $permissions = [];
+        $request = (new TestIamPermissionsRequest())
+            ->setResource($resource)
+            ->setPermissions($permissions);
+        $response = $gapicClient->testIamPermissions($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.iam.v1.IAMPolicy/TestIamPermissions', $actualFuncCall);
+        $actualValue = $actualRequestObject->getResource();
+        $this->assertProtobufEquals($resource, $actualValue);
+        $actualValue = $actualRequestObject->getPermissions();
+        $this->assertProtobufEquals($permissions, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function testIamPermissionsExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $resource = 'resource-341064690';
+        $permissions = [];
+        $request = (new TestIamPermissionsRequest())
+            ->setResource($resource)
+            ->setPermissions($permissions);
+        try {
+            $gapicClient->testIamPermissions($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function createKeyHandleAsyncTest()
+    {
+        $operationsTransport = $this->createTransport();
+        $operationsClient = new OperationsClient([
+            'apiEndpoint' => '',
+            'transport' => $operationsTransport,
+            'credentials' => $this->createCredentials(),
+        ]);
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+            'operationsClient' => $operationsClient,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $this->assertTrue($operationsTransport->isExhausted());
+        // Mock response
+        $incompleteOperation = new Operation();
+        $incompleteOperation->setName('operations/createKeyHandleTest');
+        $incompleteOperation->setDone(false);
+        $transport->addResponse($incompleteOperation);
+        $name = 'name3373707';
+        $kmsKey = 'kmsKey-591635343';
+        $resourceTypeSelector = 'resourceTypeSelector-455377709';
+        $expectedResponse = new KeyHandle();
+        $expectedResponse->setName($name);
+        $expectedResponse->setKmsKey($kmsKey);
+        $expectedResponse->setResourceTypeSelector($resourceTypeSelector);
+        $anyResponse = new Any();
+        $anyResponse->setValue($expectedResponse->serializeToString());
+        $completeOperation = new Operation();
+        $completeOperation->setName('operations/createKeyHandleTest');
+        $completeOperation->setDone(true);
+        $completeOperation->setResponse($anyResponse);
+        $operationsTransport->addResponse($completeOperation);
+        // Mock request
+        $formattedParent = $gapicClient->locationName('[PROJECT]', '[LOCATION]');
+        $keyHandle = new KeyHandle();
+        $keyHandleResourceTypeSelector = 'keyHandleResourceTypeSelector-1310560146';
+        $keyHandle->setResourceTypeSelector($keyHandleResourceTypeSelector);
+        $request = (new CreateKeyHandleRequest())
+            ->setParent($formattedParent)
+            ->setKeyHandle($keyHandle);
+        $response = $gapicClient->createKeyHandleAsync($request)->wait();
+        $this->assertFalse($response->isDone());
+        $this->assertNull($response->getResult());
+        $apiRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($apiRequests));
+        $operationsRequestsEmpty = $operationsTransport->popReceivedCalls();
+        $this->assertSame(0, count($operationsRequestsEmpty));
+        $actualApiFuncCall = $apiRequests[0]->getFuncCall();
+        $actualApiRequestObject = $apiRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.Autokey/CreateKeyHandle', $actualApiFuncCall);
+        $actualValue = $actualApiRequestObject->getParent();
+        $this->assertProtobufEquals($formattedParent, $actualValue);
+        $actualValue = $actualApiRequestObject->getKeyHandle();
+        $this->assertProtobufEquals($keyHandle, $actualValue);
+        $expectedOperationsRequestObject = new GetOperationRequest();
+        $expectedOperationsRequestObject->setName('operations/createKeyHandleTest');
+        $response->pollUntilComplete([
+            'initialPollDelayMillis' => 1,
+        ]);
+        $this->assertTrue($response->isDone());
+        $this->assertEquals($expectedResponse, $response->getResult());
+        $apiRequestsEmpty = $transport->popReceivedCalls();
+        $this->assertSame(0, count($apiRequestsEmpty));
+        $operationsRequests = $operationsTransport->popReceivedCalls();
+        $this->assertSame(1, count($operationsRequests));
+        $actualOperationsFuncCall = $operationsRequests[0]->getFuncCall();
+        $actualOperationsRequestObject = $operationsRequests[0]->getRequestObject();
+        $this->assertSame('/google.longrunning.Operations/GetOperation', $actualOperationsFuncCall);
+        $this->assertEquals($expectedOperationsRequestObject, $actualOperationsRequestObject);
+        $this->assertTrue($transport->isExhausted());
+        $this->assertTrue($operationsTransport->isExhausted());
+    }
+}
diff --git a/owl-bot-staging/Kms/v1/tests/Unit/V1/Client/EkmServiceClientTest.php b/owl-bot-staging/Kms/v1/tests/Unit/V1/Client/EkmServiceClientTest.php
new file mode 100644
index 000000000000..49e7f80489b6
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/tests/Unit/V1/Client/EkmServiceClientTest.php
@@ -0,0 +1,948 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+namespace Google\Cloud\Kms\Tests\Unit\V1\Client;
+
+use Google\ApiCore\ApiException;
+use Google\ApiCore\CredentialsWrapper;
+use Google\ApiCore\Testing\GeneratedTest;
+use Google\ApiCore\Testing\MockTransport;
+use Google\Cloud\Iam\V1\GetIamPolicyRequest;
+use Google\Cloud\Iam\V1\Policy;
+use Google\Cloud\Iam\V1\SetIamPolicyRequest;
+use Google\Cloud\Iam\V1\TestIamPermissionsRequest;
+use Google\Cloud\Iam\V1\TestIamPermissionsResponse;
+use Google\Cloud\Kms\V1\Client\EkmServiceClient;
+use Google\Cloud\Kms\V1\CreateEkmConnectionRequest;
+use Google\Cloud\Kms\V1\EkmConfig;
+use Google\Cloud\Kms\V1\EkmConnection;
+use Google\Cloud\Kms\V1\GetEkmConfigRequest;
+use Google\Cloud\Kms\V1\GetEkmConnectionRequest;
+use Google\Cloud\Kms\V1\ListEkmConnectionsRequest;
+use Google\Cloud\Kms\V1\ListEkmConnectionsResponse;
+use Google\Cloud\Kms\V1\UpdateEkmConfigRequest;
+use Google\Cloud\Kms\V1\UpdateEkmConnectionRequest;
+use Google\Cloud\Kms\V1\VerifyConnectivityRequest;
+use Google\Cloud\Kms\V1\VerifyConnectivityResponse;
+use Google\Cloud\Location\GetLocationRequest;
+use Google\Cloud\Location\ListLocationsRequest;
+use Google\Cloud\Location\ListLocationsResponse;
+use Google\Cloud\Location\Location;
+use Google\Protobuf\FieldMask;
+use Google\Rpc\Code;
+use stdClass;
+
+/**
+ * @group kms
+ *
+ * @group gapic
+ */
+class EkmServiceClientTest extends GeneratedTest
+{
+    /** @return TransportInterface */
+    private function createTransport($deserialize = null)
+    {
+        return new MockTransport($deserialize);
+    }
+
+    /** @return CredentialsWrapper */
+    private function createCredentials()
+    {
+        return $this->getMockBuilder(CredentialsWrapper::class)->disableOriginalConstructor()->getMock();
+    }
+
+    /** @return EkmServiceClient */
+    private function createClient(array $options = [])
+    {
+        $options += [
+            'credentials' => $this->createCredentials(),
+        ];
+        return new EkmServiceClient($options);
+    }
+
+    /** @test */
+    public function createEkmConnectionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $name = 'name3373707';
+        $etag = 'etag3123477';
+        $cryptoSpacePath = 'cryptoSpacePath-1229393412';
+        $expectedResponse = new EkmConnection();
+        $expectedResponse->setName($name);
+        $expectedResponse->setEtag($etag);
+        $expectedResponse->setCryptoSpacePath($cryptoSpacePath);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $formattedParent = $gapicClient->locationName('[PROJECT]', '[LOCATION]');
+        $ekmConnectionId = 'ekmConnectionId270499940';
+        $ekmConnection = new EkmConnection();
+        $request = (new CreateEkmConnectionRequest())
+            ->setParent($formattedParent)
+            ->setEkmConnectionId($ekmConnectionId)
+            ->setEkmConnection($ekmConnection);
+        $response = $gapicClient->createEkmConnection($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.EkmService/CreateEkmConnection', $actualFuncCall);
+        $actualValue = $actualRequestObject->getParent();
+        $this->assertProtobufEquals($formattedParent, $actualValue);
+        $actualValue = $actualRequestObject->getEkmConnectionId();
+        $this->assertProtobufEquals($ekmConnectionId, $actualValue);
+        $actualValue = $actualRequestObject->getEkmConnection();
+        $this->assertProtobufEquals($ekmConnection, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function createEkmConnectionExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $formattedParent = $gapicClient->locationName('[PROJECT]', '[LOCATION]');
+        $ekmConnectionId = 'ekmConnectionId270499940';
+        $ekmConnection = new EkmConnection();
+        $request = (new CreateEkmConnectionRequest())
+            ->setParent($formattedParent)
+            ->setEkmConnectionId($ekmConnectionId)
+            ->setEkmConnection($ekmConnection);
+        try {
+            $gapicClient->createEkmConnection($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function getEkmConfigTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $name2 = 'name2-1052831874';
+        $defaultEkmConnection = 'defaultEkmConnection1342549844';
+        $expectedResponse = new EkmConfig();
+        $expectedResponse->setName($name2);
+        $expectedResponse->setDefaultEkmConnection($defaultEkmConnection);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $formattedName = $gapicClient->ekmConfigName('[PROJECT]', '[LOCATION]');
+        $request = (new GetEkmConfigRequest())
+            ->setName($formattedName);
+        $response = $gapicClient->getEkmConfig($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.EkmService/GetEkmConfig', $actualFuncCall);
+        $actualValue = $actualRequestObject->getName();
+        $this->assertProtobufEquals($formattedName, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function getEkmConfigExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $formattedName = $gapicClient->ekmConfigName('[PROJECT]', '[LOCATION]');
+        $request = (new GetEkmConfigRequest())
+            ->setName($formattedName);
+        try {
+            $gapicClient->getEkmConfig($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function getEkmConnectionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $name2 = 'name2-1052831874';
+        $etag = 'etag3123477';
+        $cryptoSpacePath = 'cryptoSpacePath-1229393412';
+        $expectedResponse = new EkmConnection();
+        $expectedResponse->setName($name2);
+        $expectedResponse->setEtag($etag);
+        $expectedResponse->setCryptoSpacePath($cryptoSpacePath);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $formattedName = $gapicClient->ekmConnectionName('[PROJECT]', '[LOCATION]', '[EKM_CONNECTION]');
+        $request = (new GetEkmConnectionRequest())
+            ->setName($formattedName);
+        $response = $gapicClient->getEkmConnection($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.EkmService/GetEkmConnection', $actualFuncCall);
+        $actualValue = $actualRequestObject->getName();
+        $this->assertProtobufEquals($formattedName, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function getEkmConnectionExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $formattedName = $gapicClient->ekmConnectionName('[PROJECT]', '[LOCATION]', '[EKM_CONNECTION]');
+        $request = (new GetEkmConnectionRequest())
+            ->setName($formattedName);
+        try {
+            $gapicClient->getEkmConnection($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function listEkmConnectionsTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $nextPageToken = '';
+        $totalSize = 705419236;
+        $ekmConnectionsElement = new EkmConnection();
+        $ekmConnections = [
+            $ekmConnectionsElement,
+        ];
+        $expectedResponse = new ListEkmConnectionsResponse();
+        $expectedResponse->setNextPageToken($nextPageToken);
+        $expectedResponse->setTotalSize($totalSize);
+        $expectedResponse->setEkmConnections($ekmConnections);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $formattedParent = $gapicClient->locationName('[PROJECT]', '[LOCATION]');
+        $request = (new ListEkmConnectionsRequest())
+            ->setParent($formattedParent);
+        $response = $gapicClient->listEkmConnections($request);
+        $this->assertEquals($expectedResponse, $response->getPage()->getResponseObject());
+        $resources = iterator_to_array($response->iterateAllElements());
+        $this->assertSame(1, count($resources));
+        $this->assertEquals($expectedResponse->getEkmConnections()[0], $resources[0]);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.EkmService/ListEkmConnections', $actualFuncCall);
+        $actualValue = $actualRequestObject->getParent();
+        $this->assertProtobufEquals($formattedParent, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function listEkmConnectionsExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $formattedParent = $gapicClient->locationName('[PROJECT]', '[LOCATION]');
+        $request = (new ListEkmConnectionsRequest())
+            ->setParent($formattedParent);
+        try {
+            $gapicClient->listEkmConnections($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function updateEkmConfigTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $name = 'name3373707';
+        $defaultEkmConnection = 'defaultEkmConnection1342549844';
+        $expectedResponse = new EkmConfig();
+        $expectedResponse->setName($name);
+        $expectedResponse->setDefaultEkmConnection($defaultEkmConnection);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $ekmConfig = new EkmConfig();
+        $updateMask = new FieldMask();
+        $request = (new UpdateEkmConfigRequest())
+            ->setEkmConfig($ekmConfig)
+            ->setUpdateMask($updateMask);
+        $response = $gapicClient->updateEkmConfig($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.EkmService/UpdateEkmConfig', $actualFuncCall);
+        $actualValue = $actualRequestObject->getEkmConfig();
+        $this->assertProtobufEquals($ekmConfig, $actualValue);
+        $actualValue = $actualRequestObject->getUpdateMask();
+        $this->assertProtobufEquals($updateMask, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function updateEkmConfigExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $ekmConfig = new EkmConfig();
+        $updateMask = new FieldMask();
+        $request = (new UpdateEkmConfigRequest())
+            ->setEkmConfig($ekmConfig)
+            ->setUpdateMask($updateMask);
+        try {
+            $gapicClient->updateEkmConfig($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function updateEkmConnectionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $name = 'name3373707';
+        $etag = 'etag3123477';
+        $cryptoSpacePath = 'cryptoSpacePath-1229393412';
+        $expectedResponse = new EkmConnection();
+        $expectedResponse->setName($name);
+        $expectedResponse->setEtag($etag);
+        $expectedResponse->setCryptoSpacePath($cryptoSpacePath);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $ekmConnection = new EkmConnection();
+        $updateMask = new FieldMask();
+        $request = (new UpdateEkmConnectionRequest())
+            ->setEkmConnection($ekmConnection)
+            ->setUpdateMask($updateMask);
+        $response = $gapicClient->updateEkmConnection($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.EkmService/UpdateEkmConnection', $actualFuncCall);
+        $actualValue = $actualRequestObject->getEkmConnection();
+        $this->assertProtobufEquals($ekmConnection, $actualValue);
+        $actualValue = $actualRequestObject->getUpdateMask();
+        $this->assertProtobufEquals($updateMask, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function updateEkmConnectionExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $ekmConnection = new EkmConnection();
+        $updateMask = new FieldMask();
+        $request = (new UpdateEkmConnectionRequest())
+            ->setEkmConnection($ekmConnection)
+            ->setUpdateMask($updateMask);
+        try {
+            $gapicClient->updateEkmConnection($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function verifyConnectivityTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $expectedResponse = new VerifyConnectivityResponse();
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $formattedName = $gapicClient->ekmConnectionName('[PROJECT]', '[LOCATION]', '[EKM_CONNECTION]');
+        $request = (new VerifyConnectivityRequest())
+            ->setName($formattedName);
+        $response = $gapicClient->verifyConnectivity($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.EkmService/VerifyConnectivity', $actualFuncCall);
+        $actualValue = $actualRequestObject->getName();
+        $this->assertProtobufEquals($formattedName, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function verifyConnectivityExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $formattedName = $gapicClient->ekmConnectionName('[PROJECT]', '[LOCATION]', '[EKM_CONNECTION]');
+        $request = (new VerifyConnectivityRequest())
+            ->setName($formattedName);
+        try {
+            $gapicClient->verifyConnectivity($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function getLocationTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $name2 = 'name2-1052831874';
+        $locationId = 'locationId552319461';
+        $displayName = 'displayName1615086568';
+        $expectedResponse = new Location();
+        $expectedResponse->setName($name2);
+        $expectedResponse->setLocationId($locationId);
+        $expectedResponse->setDisplayName($displayName);
+        $transport->addResponse($expectedResponse);
+        $request = new GetLocationRequest();
+        $response = $gapicClient->getLocation($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.location.Locations/GetLocation', $actualFuncCall);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function getLocationExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        $request = new GetLocationRequest();
+        try {
+            $gapicClient->getLocation($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function listLocationsTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $nextPageToken = '';
+        $locationsElement = new Location();
+        $locations = [
+            $locationsElement,
+        ];
+        $expectedResponse = new ListLocationsResponse();
+        $expectedResponse->setNextPageToken($nextPageToken);
+        $expectedResponse->setLocations($locations);
+        $transport->addResponse($expectedResponse);
+        $request = new ListLocationsRequest();
+        $response = $gapicClient->listLocations($request);
+        $this->assertEquals($expectedResponse, $response->getPage()->getResponseObject());
+        $resources = iterator_to_array($response->iterateAllElements());
+        $this->assertSame(1, count($resources));
+        $this->assertEquals($expectedResponse->getLocations()[0], $resources[0]);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.location.Locations/ListLocations', $actualFuncCall);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function listLocationsExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        $request = new ListLocationsRequest();
+        try {
+            $gapicClient->listLocations($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function getIamPolicyTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $version = 351608024;
+        $etag = '21';
+        $expectedResponse = new Policy();
+        $expectedResponse->setVersion($version);
+        $expectedResponse->setEtag($etag);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $resource = 'resource-341064690';
+        $request = (new GetIamPolicyRequest())
+            ->setResource($resource);
+        $response = $gapicClient->getIamPolicy($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.iam.v1.IAMPolicy/GetIamPolicy', $actualFuncCall);
+        $actualValue = $actualRequestObject->getResource();
+        $this->assertProtobufEquals($resource, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function getIamPolicyExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $resource = 'resource-341064690';
+        $request = (new GetIamPolicyRequest())
+            ->setResource($resource);
+        try {
+            $gapicClient->getIamPolicy($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function setIamPolicyTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $version = 351608024;
+        $etag = '21';
+        $expectedResponse = new Policy();
+        $expectedResponse->setVersion($version);
+        $expectedResponse->setEtag($etag);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $resource = 'resource-341064690';
+        $policy = new Policy();
+        $request = (new SetIamPolicyRequest())
+            ->setResource($resource)
+            ->setPolicy($policy);
+        $response = $gapicClient->setIamPolicy($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.iam.v1.IAMPolicy/SetIamPolicy', $actualFuncCall);
+        $actualValue = $actualRequestObject->getResource();
+        $this->assertProtobufEquals($resource, $actualValue);
+        $actualValue = $actualRequestObject->getPolicy();
+        $this->assertProtobufEquals($policy, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function setIamPolicyExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $resource = 'resource-341064690';
+        $policy = new Policy();
+        $request = (new SetIamPolicyRequest())
+            ->setResource($resource)
+            ->setPolicy($policy);
+        try {
+            $gapicClient->setIamPolicy($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function testIamPermissionsTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $expectedResponse = new TestIamPermissionsResponse();
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $resource = 'resource-341064690';
+        $permissions = [];
+        $request = (new TestIamPermissionsRequest())
+            ->setResource($resource)
+            ->setPermissions($permissions);
+        $response = $gapicClient->testIamPermissions($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.iam.v1.IAMPolicy/TestIamPermissions', $actualFuncCall);
+        $actualValue = $actualRequestObject->getResource();
+        $this->assertProtobufEquals($resource, $actualValue);
+        $actualValue = $actualRequestObject->getPermissions();
+        $this->assertProtobufEquals($permissions, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function testIamPermissionsExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $resource = 'resource-341064690';
+        $permissions = [];
+        $request = (new TestIamPermissionsRequest())
+            ->setResource($resource)
+            ->setPermissions($permissions);
+        try {
+            $gapicClient->testIamPermissions($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function createEkmConnectionAsyncTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $name = 'name3373707';
+        $etag = 'etag3123477';
+        $cryptoSpacePath = 'cryptoSpacePath-1229393412';
+        $expectedResponse = new EkmConnection();
+        $expectedResponse->setName($name);
+        $expectedResponse->setEtag($etag);
+        $expectedResponse->setCryptoSpacePath($cryptoSpacePath);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $formattedParent = $gapicClient->locationName('[PROJECT]', '[LOCATION]');
+        $ekmConnectionId = 'ekmConnectionId270499940';
+        $ekmConnection = new EkmConnection();
+        $request = (new CreateEkmConnectionRequest())
+            ->setParent($formattedParent)
+            ->setEkmConnectionId($ekmConnectionId)
+            ->setEkmConnection($ekmConnection);
+        $response = $gapicClient->createEkmConnectionAsync($request)->wait();
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.EkmService/CreateEkmConnection', $actualFuncCall);
+        $actualValue = $actualRequestObject->getParent();
+        $this->assertProtobufEquals($formattedParent, $actualValue);
+        $actualValue = $actualRequestObject->getEkmConnectionId();
+        $this->assertProtobufEquals($ekmConnectionId, $actualValue);
+        $actualValue = $actualRequestObject->getEkmConnection();
+        $this->assertProtobufEquals($ekmConnection, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+}
diff --git a/owl-bot-staging/Kms/v1/tests/Unit/V1/Client/KeyManagementServiceClientTest.php b/owl-bot-staging/Kms/v1/tests/Unit/V1/Client/KeyManagementServiceClientTest.php
new file mode 100644
index 000000000000..a908438108e1
--- /dev/null
+++ b/owl-bot-staging/Kms/v1/tests/Unit/V1/Client/KeyManagementServiceClientTest.php
@@ -0,0 +1,2573 @@
+<?php
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+namespace Google\Cloud\Kms\Tests\Unit\V1\Client;
+
+use Google\ApiCore\ApiException;
+use Google\ApiCore\CredentialsWrapper;
+use Google\ApiCore\Testing\GeneratedTest;
+use Google\ApiCore\Testing\MockTransport;
+use Google\Cloud\Iam\V1\GetIamPolicyRequest;
+use Google\Cloud\Iam\V1\Policy;
+use Google\Cloud\Iam\V1\SetIamPolicyRequest;
+use Google\Cloud\Iam\V1\TestIamPermissionsRequest;
+use Google\Cloud\Iam\V1\TestIamPermissionsResponse;
+use Google\Cloud\Kms\V1\AsymmetricDecryptRequest;
+use Google\Cloud\Kms\V1\AsymmetricDecryptResponse;
+use Google\Cloud\Kms\V1\AsymmetricSignRequest;
+use Google\Cloud\Kms\V1\AsymmetricSignResponse;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\CreateCryptoKeyRequest;
+use Google\Cloud\Kms\V1\CreateCryptoKeyVersionRequest;
+use Google\Cloud\Kms\V1\CreateImportJobRequest;
+use Google\Cloud\Kms\V1\CreateKeyRingRequest;
+use Google\Cloud\Kms\V1\CryptoKey;
+use Google\Cloud\Kms\V1\CryptoKeyVersion;
+use Google\Cloud\Kms\V1\CryptoKeyVersion\CryptoKeyVersionAlgorithm;
+use Google\Cloud\Kms\V1\DecryptRequest;
+use Google\Cloud\Kms\V1\DecryptResponse;
+use Google\Cloud\Kms\V1\DestroyCryptoKeyVersionRequest;
+use Google\Cloud\Kms\V1\Digest;
+use Google\Cloud\Kms\V1\EncryptRequest;
+use Google\Cloud\Kms\V1\EncryptResponse;
+use Google\Cloud\Kms\V1\GenerateRandomBytesRequest;
+use Google\Cloud\Kms\V1\GenerateRandomBytesResponse;
+use Google\Cloud\Kms\V1\GetCryptoKeyRequest;
+use Google\Cloud\Kms\V1\GetCryptoKeyVersionRequest;
+use Google\Cloud\Kms\V1\GetImportJobRequest;
+use Google\Cloud\Kms\V1\GetKeyRingRequest;
+use Google\Cloud\Kms\V1\GetPublicKeyRequest;
+use Google\Cloud\Kms\V1\ImportCryptoKeyVersionRequest;
+use Google\Cloud\Kms\V1\ImportJob;
+use Google\Cloud\Kms\V1\ImportJob\ImportMethod;
+use Google\Cloud\Kms\V1\KeyRing;
+use Google\Cloud\Kms\V1\ListCryptoKeyVersionsRequest;
+use Google\Cloud\Kms\V1\ListCryptoKeyVersionsResponse;
+use Google\Cloud\Kms\V1\ListCryptoKeysRequest;
+use Google\Cloud\Kms\V1\ListCryptoKeysResponse;
+use Google\Cloud\Kms\V1\ListImportJobsRequest;
+use Google\Cloud\Kms\V1\ListImportJobsResponse;
+use Google\Cloud\Kms\V1\ListKeyRingsRequest;
+use Google\Cloud\Kms\V1\ListKeyRingsResponse;
+use Google\Cloud\Kms\V1\MacSignRequest;
+use Google\Cloud\Kms\V1\MacSignResponse;
+use Google\Cloud\Kms\V1\MacVerifyRequest;
+use Google\Cloud\Kms\V1\MacVerifyResponse;
+use Google\Cloud\Kms\V1\ProtectionLevel;
+use Google\Cloud\Kms\V1\PublicKey;
+use Google\Cloud\Kms\V1\RawDecryptRequest;
+use Google\Cloud\Kms\V1\RawDecryptResponse;
+use Google\Cloud\Kms\V1\RawEncryptRequest;
+use Google\Cloud\Kms\V1\RawEncryptResponse;
+use Google\Cloud\Kms\V1\RestoreCryptoKeyVersionRequest;
+use Google\Cloud\Kms\V1\UpdateCryptoKeyPrimaryVersionRequest;
+use Google\Cloud\Kms\V1\UpdateCryptoKeyRequest;
+use Google\Cloud\Kms\V1\UpdateCryptoKeyVersionRequest;
+use Google\Cloud\Location\GetLocationRequest;
+use Google\Cloud\Location\ListLocationsRequest;
+use Google\Cloud\Location\ListLocationsResponse;
+use Google\Cloud\Location\Location;
+use Google\Protobuf\FieldMask;
+use Google\Rpc\Code;
+use stdClass;
+
+/**
+ * @group kms
+ *
+ * @group gapic
+ */
+class KeyManagementServiceClientTest extends GeneratedTest
+{
+    /** @return TransportInterface */
+    private function createTransport($deserialize = null)
+    {
+        return new MockTransport($deserialize);
+    }
+
+    /** @return CredentialsWrapper */
+    private function createCredentials()
+    {
+        return $this->getMockBuilder(CredentialsWrapper::class)->disableOriginalConstructor()->getMock();
+    }
+
+    /** @return KeyManagementServiceClient */
+    private function createClient(array $options = [])
+    {
+        $options += [
+            'credentials' => $this->createCredentials(),
+        ];
+        return new KeyManagementServiceClient($options);
+    }
+
+    /** @test */
+    public function asymmetricDecryptTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $plaintext = '-9';
+        $verifiedCiphertextCrc32c = true;
+        $expectedResponse = new AsymmetricDecryptResponse();
+        $expectedResponse->setPlaintext($plaintext);
+        $expectedResponse->setVerifiedCiphertextCrc32c($verifiedCiphertextCrc32c);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $formattedName = $gapicClient->cryptoKeyVersionName('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]', '[CRYPTO_KEY_VERSION]');
+        $ciphertext = '-72';
+        $request = (new AsymmetricDecryptRequest())
+            ->setName($formattedName)
+            ->setCiphertext($ciphertext);
+        $response = $gapicClient->asymmetricDecrypt($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.KeyManagementService/AsymmetricDecrypt', $actualFuncCall);
+        $actualValue = $actualRequestObject->getName();
+        $this->assertProtobufEquals($formattedName, $actualValue);
+        $actualValue = $actualRequestObject->getCiphertext();
+        $this->assertProtobufEquals($ciphertext, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function asymmetricDecryptExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $formattedName = $gapicClient->cryptoKeyVersionName('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]', '[CRYPTO_KEY_VERSION]');
+        $ciphertext = '-72';
+        $request = (new AsymmetricDecryptRequest())
+            ->setName($formattedName)
+            ->setCiphertext($ciphertext);
+        try {
+            $gapicClient->asymmetricDecrypt($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function asymmetricSignTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $signature = '-72';
+        $verifiedDigestCrc32c = true;
+        $name2 = 'name2-1052831874';
+        $verifiedDataCrc32c = true;
+        $expectedResponse = new AsymmetricSignResponse();
+        $expectedResponse->setSignature($signature);
+        $expectedResponse->setVerifiedDigestCrc32c($verifiedDigestCrc32c);
+        $expectedResponse->setName($name2);
+        $expectedResponse->setVerifiedDataCrc32c($verifiedDataCrc32c);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $formattedName = $gapicClient->cryptoKeyVersionName('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]', '[CRYPTO_KEY_VERSION]');
+        $digest = new Digest();
+        $request = (new AsymmetricSignRequest())
+            ->setName($formattedName)
+            ->setDigest($digest);
+        $response = $gapicClient->asymmetricSign($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.KeyManagementService/AsymmetricSign', $actualFuncCall);
+        $actualValue = $actualRequestObject->getName();
+        $this->assertProtobufEquals($formattedName, $actualValue);
+        $actualValue = $actualRequestObject->getDigest();
+        $this->assertProtobufEquals($digest, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function asymmetricSignExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $formattedName = $gapicClient->cryptoKeyVersionName('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]', '[CRYPTO_KEY_VERSION]');
+        $digest = new Digest();
+        $request = (new AsymmetricSignRequest())
+            ->setName($formattedName)
+            ->setDigest($digest);
+        try {
+            $gapicClient->asymmetricSign($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function createCryptoKeyTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $name = 'name3373707';
+        $importOnly = true;
+        $cryptoKeyBackend = 'cryptoKeyBackend-1526615498';
+        $expectedResponse = new CryptoKey();
+        $expectedResponse->setName($name);
+        $expectedResponse->setImportOnly($importOnly);
+        $expectedResponse->setCryptoKeyBackend($cryptoKeyBackend);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $formattedParent = $gapicClient->keyRingName('[PROJECT]', '[LOCATION]', '[KEY_RING]');
+        $cryptoKeyId = 'cryptoKeyId-2123094983';
+        $cryptoKey = new CryptoKey();
+        $request = (new CreateCryptoKeyRequest())
+            ->setParent($formattedParent)
+            ->setCryptoKeyId($cryptoKeyId)
+            ->setCryptoKey($cryptoKey);
+        $response = $gapicClient->createCryptoKey($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.KeyManagementService/CreateCryptoKey', $actualFuncCall);
+        $actualValue = $actualRequestObject->getParent();
+        $this->assertProtobufEquals($formattedParent, $actualValue);
+        $actualValue = $actualRequestObject->getCryptoKeyId();
+        $this->assertProtobufEquals($cryptoKeyId, $actualValue);
+        $actualValue = $actualRequestObject->getCryptoKey();
+        $this->assertProtobufEquals($cryptoKey, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function createCryptoKeyExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $formattedParent = $gapicClient->keyRingName('[PROJECT]', '[LOCATION]', '[KEY_RING]');
+        $cryptoKeyId = 'cryptoKeyId-2123094983';
+        $cryptoKey = new CryptoKey();
+        $request = (new CreateCryptoKeyRequest())
+            ->setParent($formattedParent)
+            ->setCryptoKeyId($cryptoKeyId)
+            ->setCryptoKey($cryptoKey);
+        try {
+            $gapicClient->createCryptoKey($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function createCryptoKeyVersionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $name = 'name3373707';
+        $importJob = 'importJob2125587491';
+        $importFailureReason = 'importFailureReason-494073229';
+        $generationFailureReason = 'generationFailureReason1749803168';
+        $externalDestructionFailureReason = 'externalDestructionFailureReason-2122384710';
+        $reimportEligible = true;
+        $expectedResponse = new CryptoKeyVersion();
+        $expectedResponse->setName($name);
+        $expectedResponse->setImportJob($importJob);
+        $expectedResponse->setImportFailureReason($importFailureReason);
+        $expectedResponse->setGenerationFailureReason($generationFailureReason);
+        $expectedResponse->setExternalDestructionFailureReason($externalDestructionFailureReason);
+        $expectedResponse->setReimportEligible($reimportEligible);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $formattedParent = $gapicClient->cryptoKeyName('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]');
+        $cryptoKeyVersion = new CryptoKeyVersion();
+        $request = (new CreateCryptoKeyVersionRequest())
+            ->setParent($formattedParent)
+            ->setCryptoKeyVersion($cryptoKeyVersion);
+        $response = $gapicClient->createCryptoKeyVersion($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.KeyManagementService/CreateCryptoKeyVersion', $actualFuncCall);
+        $actualValue = $actualRequestObject->getParent();
+        $this->assertProtobufEquals($formattedParent, $actualValue);
+        $actualValue = $actualRequestObject->getCryptoKeyVersion();
+        $this->assertProtobufEquals($cryptoKeyVersion, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function createCryptoKeyVersionExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $formattedParent = $gapicClient->cryptoKeyName('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]');
+        $cryptoKeyVersion = new CryptoKeyVersion();
+        $request = (new CreateCryptoKeyVersionRequest())
+            ->setParent($formattedParent)
+            ->setCryptoKeyVersion($cryptoKeyVersion);
+        try {
+            $gapicClient->createCryptoKeyVersion($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function createImportJobTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $name = 'name3373707';
+        $expectedResponse = new ImportJob();
+        $expectedResponse->setName($name);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $formattedParent = $gapicClient->keyRingName('[PROJECT]', '[LOCATION]', '[KEY_RING]');
+        $importJobId = 'importJobId-1620773193';
+        $importJob = new ImportJob();
+        $importJobImportMethod = ImportMethod::IMPORT_METHOD_UNSPECIFIED;
+        $importJob->setImportMethod($importJobImportMethod);
+        $importJobProtectionLevel = ProtectionLevel::PROTECTION_LEVEL_UNSPECIFIED;
+        $importJob->setProtectionLevel($importJobProtectionLevel);
+        $request = (new CreateImportJobRequest())
+            ->setParent($formattedParent)
+            ->setImportJobId($importJobId)
+            ->setImportJob($importJob);
+        $response = $gapicClient->createImportJob($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.KeyManagementService/CreateImportJob', $actualFuncCall);
+        $actualValue = $actualRequestObject->getParent();
+        $this->assertProtobufEquals($formattedParent, $actualValue);
+        $actualValue = $actualRequestObject->getImportJobId();
+        $this->assertProtobufEquals($importJobId, $actualValue);
+        $actualValue = $actualRequestObject->getImportJob();
+        $this->assertProtobufEquals($importJob, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function createImportJobExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $formattedParent = $gapicClient->keyRingName('[PROJECT]', '[LOCATION]', '[KEY_RING]');
+        $importJobId = 'importJobId-1620773193';
+        $importJob = new ImportJob();
+        $importJobImportMethod = ImportMethod::IMPORT_METHOD_UNSPECIFIED;
+        $importJob->setImportMethod($importJobImportMethod);
+        $importJobProtectionLevel = ProtectionLevel::PROTECTION_LEVEL_UNSPECIFIED;
+        $importJob->setProtectionLevel($importJobProtectionLevel);
+        $request = (new CreateImportJobRequest())
+            ->setParent($formattedParent)
+            ->setImportJobId($importJobId)
+            ->setImportJob($importJob);
+        try {
+            $gapicClient->createImportJob($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function createKeyRingTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $name = 'name3373707';
+        $expectedResponse = new KeyRing();
+        $expectedResponse->setName($name);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $formattedParent = $gapicClient->locationName('[PROJECT]', '[LOCATION]');
+        $keyRingId = 'keyRingId-2056646742';
+        $keyRing = new KeyRing();
+        $request = (new CreateKeyRingRequest())
+            ->setParent($formattedParent)
+            ->setKeyRingId($keyRingId)
+            ->setKeyRing($keyRing);
+        $response = $gapicClient->createKeyRing($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.KeyManagementService/CreateKeyRing', $actualFuncCall);
+        $actualValue = $actualRequestObject->getParent();
+        $this->assertProtobufEquals($formattedParent, $actualValue);
+        $actualValue = $actualRequestObject->getKeyRingId();
+        $this->assertProtobufEquals($keyRingId, $actualValue);
+        $actualValue = $actualRequestObject->getKeyRing();
+        $this->assertProtobufEquals($keyRing, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function createKeyRingExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $formattedParent = $gapicClient->locationName('[PROJECT]', '[LOCATION]');
+        $keyRingId = 'keyRingId-2056646742';
+        $keyRing = new KeyRing();
+        $request = (new CreateKeyRingRequest())
+            ->setParent($formattedParent)
+            ->setKeyRingId($keyRingId)
+            ->setKeyRing($keyRing);
+        try {
+            $gapicClient->createKeyRing($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function decryptTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $plaintext = '-9';
+        $usedPrimary = true;
+        $expectedResponse = new DecryptResponse();
+        $expectedResponse->setPlaintext($plaintext);
+        $expectedResponse->setUsedPrimary($usedPrimary);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $formattedName = $gapicClient->cryptoKeyName('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]');
+        $ciphertext = '-72';
+        $request = (new DecryptRequest())
+            ->setName($formattedName)
+            ->setCiphertext($ciphertext);
+        $response = $gapicClient->decrypt($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.KeyManagementService/Decrypt', $actualFuncCall);
+        $actualValue = $actualRequestObject->getName();
+        $this->assertProtobufEquals($formattedName, $actualValue);
+        $actualValue = $actualRequestObject->getCiphertext();
+        $this->assertProtobufEquals($ciphertext, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function decryptExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $formattedName = $gapicClient->cryptoKeyName('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]');
+        $ciphertext = '-72';
+        $request = (new DecryptRequest())
+            ->setName($formattedName)
+            ->setCiphertext($ciphertext);
+        try {
+            $gapicClient->decrypt($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function destroyCryptoKeyVersionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $name2 = 'name2-1052831874';
+        $importJob = 'importJob2125587491';
+        $importFailureReason = 'importFailureReason-494073229';
+        $generationFailureReason = 'generationFailureReason1749803168';
+        $externalDestructionFailureReason = 'externalDestructionFailureReason-2122384710';
+        $reimportEligible = true;
+        $expectedResponse = new CryptoKeyVersion();
+        $expectedResponse->setName($name2);
+        $expectedResponse->setImportJob($importJob);
+        $expectedResponse->setImportFailureReason($importFailureReason);
+        $expectedResponse->setGenerationFailureReason($generationFailureReason);
+        $expectedResponse->setExternalDestructionFailureReason($externalDestructionFailureReason);
+        $expectedResponse->setReimportEligible($reimportEligible);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $formattedName = $gapicClient->cryptoKeyVersionName('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]', '[CRYPTO_KEY_VERSION]');
+        $request = (new DestroyCryptoKeyVersionRequest())
+            ->setName($formattedName);
+        $response = $gapicClient->destroyCryptoKeyVersion($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.KeyManagementService/DestroyCryptoKeyVersion', $actualFuncCall);
+        $actualValue = $actualRequestObject->getName();
+        $this->assertProtobufEquals($formattedName, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function destroyCryptoKeyVersionExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $formattedName = $gapicClient->cryptoKeyVersionName('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]', '[CRYPTO_KEY_VERSION]');
+        $request = (new DestroyCryptoKeyVersionRequest())
+            ->setName($formattedName);
+        try {
+            $gapicClient->destroyCryptoKeyVersion($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function encryptTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $name2 = 'name2-1052831874';
+        $ciphertext = '-72';
+        $verifiedPlaintextCrc32c = false;
+        $verifiedAdditionalAuthenticatedDataCrc32c = true;
+        $expectedResponse = new EncryptResponse();
+        $expectedResponse->setName($name2);
+        $expectedResponse->setCiphertext($ciphertext);
+        $expectedResponse->setVerifiedPlaintextCrc32c($verifiedPlaintextCrc32c);
+        $expectedResponse->setVerifiedAdditionalAuthenticatedDataCrc32c($verifiedAdditionalAuthenticatedDataCrc32c);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $name = 'name3373707';
+        $plaintext = '-9';
+        $request = (new EncryptRequest())
+            ->setName($name)
+            ->setPlaintext($plaintext);
+        $response = $gapicClient->encrypt($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.KeyManagementService/Encrypt', $actualFuncCall);
+        $actualValue = $actualRequestObject->getName();
+        $this->assertProtobufEquals($name, $actualValue);
+        $actualValue = $actualRequestObject->getPlaintext();
+        $this->assertProtobufEquals($plaintext, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function encryptExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $name = 'name3373707';
+        $plaintext = '-9';
+        $request = (new EncryptRequest())
+            ->setName($name)
+            ->setPlaintext($plaintext);
+        try {
+            $gapicClient->encrypt($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function generateRandomBytesTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $data = '-86';
+        $expectedResponse = new GenerateRandomBytesResponse();
+        $expectedResponse->setData($data);
+        $transport->addResponse($expectedResponse);
+        $request = new GenerateRandomBytesRequest();
+        $response = $gapicClient->generateRandomBytes($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.KeyManagementService/GenerateRandomBytes', $actualFuncCall);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function generateRandomBytesExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        $request = new GenerateRandomBytesRequest();
+        try {
+            $gapicClient->generateRandomBytes($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function getCryptoKeyTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $name2 = 'name2-1052831874';
+        $importOnly = true;
+        $cryptoKeyBackend = 'cryptoKeyBackend-1526615498';
+        $expectedResponse = new CryptoKey();
+        $expectedResponse->setName($name2);
+        $expectedResponse->setImportOnly($importOnly);
+        $expectedResponse->setCryptoKeyBackend($cryptoKeyBackend);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $formattedName = $gapicClient->cryptoKeyName('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]');
+        $request = (new GetCryptoKeyRequest())
+            ->setName($formattedName);
+        $response = $gapicClient->getCryptoKey($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.KeyManagementService/GetCryptoKey', $actualFuncCall);
+        $actualValue = $actualRequestObject->getName();
+        $this->assertProtobufEquals($formattedName, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function getCryptoKeyExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $formattedName = $gapicClient->cryptoKeyName('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]');
+        $request = (new GetCryptoKeyRequest())
+            ->setName($formattedName);
+        try {
+            $gapicClient->getCryptoKey($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function getCryptoKeyVersionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $name2 = 'name2-1052831874';
+        $importJob = 'importJob2125587491';
+        $importFailureReason = 'importFailureReason-494073229';
+        $generationFailureReason = 'generationFailureReason1749803168';
+        $externalDestructionFailureReason = 'externalDestructionFailureReason-2122384710';
+        $reimportEligible = true;
+        $expectedResponse = new CryptoKeyVersion();
+        $expectedResponse->setName($name2);
+        $expectedResponse->setImportJob($importJob);
+        $expectedResponse->setImportFailureReason($importFailureReason);
+        $expectedResponse->setGenerationFailureReason($generationFailureReason);
+        $expectedResponse->setExternalDestructionFailureReason($externalDestructionFailureReason);
+        $expectedResponse->setReimportEligible($reimportEligible);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $formattedName = $gapicClient->cryptoKeyVersionName('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]', '[CRYPTO_KEY_VERSION]');
+        $request = (new GetCryptoKeyVersionRequest())
+            ->setName($formattedName);
+        $response = $gapicClient->getCryptoKeyVersion($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.KeyManagementService/GetCryptoKeyVersion', $actualFuncCall);
+        $actualValue = $actualRequestObject->getName();
+        $this->assertProtobufEquals($formattedName, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function getCryptoKeyVersionExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $formattedName = $gapicClient->cryptoKeyVersionName('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]', '[CRYPTO_KEY_VERSION]');
+        $request = (new GetCryptoKeyVersionRequest())
+            ->setName($formattedName);
+        try {
+            $gapicClient->getCryptoKeyVersion($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function getImportJobTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $name2 = 'name2-1052831874';
+        $expectedResponse = new ImportJob();
+        $expectedResponse->setName($name2);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $formattedName = $gapicClient->importJobName('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[IMPORT_JOB]');
+        $request = (new GetImportJobRequest())
+            ->setName($formattedName);
+        $response = $gapicClient->getImportJob($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.KeyManagementService/GetImportJob', $actualFuncCall);
+        $actualValue = $actualRequestObject->getName();
+        $this->assertProtobufEquals($formattedName, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function getImportJobExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $formattedName = $gapicClient->importJobName('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[IMPORT_JOB]');
+        $request = (new GetImportJobRequest())
+            ->setName($formattedName);
+        try {
+            $gapicClient->getImportJob($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function getKeyRingTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $name2 = 'name2-1052831874';
+        $expectedResponse = new KeyRing();
+        $expectedResponse->setName($name2);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $formattedName = $gapicClient->keyRingName('[PROJECT]', '[LOCATION]', '[KEY_RING]');
+        $request = (new GetKeyRingRequest())
+            ->setName($formattedName);
+        $response = $gapicClient->getKeyRing($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.KeyManagementService/GetKeyRing', $actualFuncCall);
+        $actualValue = $actualRequestObject->getName();
+        $this->assertProtobufEquals($formattedName, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function getKeyRingExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $formattedName = $gapicClient->keyRingName('[PROJECT]', '[LOCATION]', '[KEY_RING]');
+        $request = (new GetKeyRingRequest())
+            ->setName($formattedName);
+        try {
+            $gapicClient->getKeyRing($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function getPublicKeyTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $pem = 'pem110872';
+        $name2 = 'name2-1052831874';
+        $expectedResponse = new PublicKey();
+        $expectedResponse->setPem($pem);
+        $expectedResponse->setName($name2);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $formattedName = $gapicClient->cryptoKeyVersionName('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]', '[CRYPTO_KEY_VERSION]');
+        $request = (new GetPublicKeyRequest())
+            ->setName($formattedName);
+        $response = $gapicClient->getPublicKey($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.KeyManagementService/GetPublicKey', $actualFuncCall);
+        $actualValue = $actualRequestObject->getName();
+        $this->assertProtobufEquals($formattedName, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function getPublicKeyExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $formattedName = $gapicClient->cryptoKeyVersionName('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]', '[CRYPTO_KEY_VERSION]');
+        $request = (new GetPublicKeyRequest())
+            ->setName($formattedName);
+        try {
+            $gapicClient->getPublicKey($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function importCryptoKeyVersionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $name = 'name3373707';
+        $importJob2 = 'importJob2-1714851050';
+        $importFailureReason = 'importFailureReason-494073229';
+        $generationFailureReason = 'generationFailureReason1749803168';
+        $externalDestructionFailureReason = 'externalDestructionFailureReason-2122384710';
+        $reimportEligible = true;
+        $expectedResponse = new CryptoKeyVersion();
+        $expectedResponse->setName($name);
+        $expectedResponse->setImportJob($importJob2);
+        $expectedResponse->setImportFailureReason($importFailureReason);
+        $expectedResponse->setGenerationFailureReason($generationFailureReason);
+        $expectedResponse->setExternalDestructionFailureReason($externalDestructionFailureReason);
+        $expectedResponse->setReimportEligible($reimportEligible);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $formattedParent = $gapicClient->cryptoKeyName('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]');
+        $algorithm = CryptoKeyVersionAlgorithm::CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED;
+        $importJob = 'importJob2125587491';
+        $request = (new ImportCryptoKeyVersionRequest())
+            ->setParent($formattedParent)
+            ->setAlgorithm($algorithm)
+            ->setImportJob($importJob);
+        $response = $gapicClient->importCryptoKeyVersion($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.KeyManagementService/ImportCryptoKeyVersion', $actualFuncCall);
+        $actualValue = $actualRequestObject->getParent();
+        $this->assertProtobufEquals($formattedParent, $actualValue);
+        $actualValue = $actualRequestObject->getAlgorithm();
+        $this->assertProtobufEquals($algorithm, $actualValue);
+        $actualValue = $actualRequestObject->getImportJob();
+        $this->assertProtobufEquals($importJob, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function importCryptoKeyVersionExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $formattedParent = $gapicClient->cryptoKeyName('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]');
+        $algorithm = CryptoKeyVersionAlgorithm::CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED;
+        $importJob = 'importJob2125587491';
+        $request = (new ImportCryptoKeyVersionRequest())
+            ->setParent($formattedParent)
+            ->setAlgorithm($algorithm)
+            ->setImportJob($importJob);
+        try {
+            $gapicClient->importCryptoKeyVersion($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function listCryptoKeyVersionsTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $nextPageToken = '';
+        $totalSize = 705419236;
+        $cryptoKeyVersionsElement = new CryptoKeyVersion();
+        $cryptoKeyVersions = [
+            $cryptoKeyVersionsElement,
+        ];
+        $expectedResponse = new ListCryptoKeyVersionsResponse();
+        $expectedResponse->setNextPageToken($nextPageToken);
+        $expectedResponse->setTotalSize($totalSize);
+        $expectedResponse->setCryptoKeyVersions($cryptoKeyVersions);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $formattedParent = $gapicClient->cryptoKeyName('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]');
+        $request = (new ListCryptoKeyVersionsRequest())
+            ->setParent($formattedParent);
+        $response = $gapicClient->listCryptoKeyVersions($request);
+        $this->assertEquals($expectedResponse, $response->getPage()->getResponseObject());
+        $resources = iterator_to_array($response->iterateAllElements());
+        $this->assertSame(1, count($resources));
+        $this->assertEquals($expectedResponse->getCryptoKeyVersions()[0], $resources[0]);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.KeyManagementService/ListCryptoKeyVersions', $actualFuncCall);
+        $actualValue = $actualRequestObject->getParent();
+        $this->assertProtobufEquals($formattedParent, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function listCryptoKeyVersionsExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $formattedParent = $gapicClient->cryptoKeyName('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]');
+        $request = (new ListCryptoKeyVersionsRequest())
+            ->setParent($formattedParent);
+        try {
+            $gapicClient->listCryptoKeyVersions($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function listCryptoKeysTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $nextPageToken = '';
+        $totalSize = 705419236;
+        $cryptoKeysElement = new CryptoKey();
+        $cryptoKeys = [
+            $cryptoKeysElement,
+        ];
+        $expectedResponse = new ListCryptoKeysResponse();
+        $expectedResponse->setNextPageToken($nextPageToken);
+        $expectedResponse->setTotalSize($totalSize);
+        $expectedResponse->setCryptoKeys($cryptoKeys);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $formattedParent = $gapicClient->keyRingName('[PROJECT]', '[LOCATION]', '[KEY_RING]');
+        $request = (new ListCryptoKeysRequest())
+            ->setParent($formattedParent);
+        $response = $gapicClient->listCryptoKeys($request);
+        $this->assertEquals($expectedResponse, $response->getPage()->getResponseObject());
+        $resources = iterator_to_array($response->iterateAllElements());
+        $this->assertSame(1, count($resources));
+        $this->assertEquals($expectedResponse->getCryptoKeys()[0], $resources[0]);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.KeyManagementService/ListCryptoKeys', $actualFuncCall);
+        $actualValue = $actualRequestObject->getParent();
+        $this->assertProtobufEquals($formattedParent, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function listCryptoKeysExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $formattedParent = $gapicClient->keyRingName('[PROJECT]', '[LOCATION]', '[KEY_RING]');
+        $request = (new ListCryptoKeysRequest())
+            ->setParent($formattedParent);
+        try {
+            $gapicClient->listCryptoKeys($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function listImportJobsTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $nextPageToken = '';
+        $totalSize = 705419236;
+        $importJobsElement = new ImportJob();
+        $importJobs = [
+            $importJobsElement,
+        ];
+        $expectedResponse = new ListImportJobsResponse();
+        $expectedResponse->setNextPageToken($nextPageToken);
+        $expectedResponse->setTotalSize($totalSize);
+        $expectedResponse->setImportJobs($importJobs);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $formattedParent = $gapicClient->keyRingName('[PROJECT]', '[LOCATION]', '[KEY_RING]');
+        $request = (new ListImportJobsRequest())
+            ->setParent($formattedParent);
+        $response = $gapicClient->listImportJobs($request);
+        $this->assertEquals($expectedResponse, $response->getPage()->getResponseObject());
+        $resources = iterator_to_array($response->iterateAllElements());
+        $this->assertSame(1, count($resources));
+        $this->assertEquals($expectedResponse->getImportJobs()[0], $resources[0]);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.KeyManagementService/ListImportJobs', $actualFuncCall);
+        $actualValue = $actualRequestObject->getParent();
+        $this->assertProtobufEquals($formattedParent, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function listImportJobsExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $formattedParent = $gapicClient->keyRingName('[PROJECT]', '[LOCATION]', '[KEY_RING]');
+        $request = (new ListImportJobsRequest())
+            ->setParent($formattedParent);
+        try {
+            $gapicClient->listImportJobs($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function listKeyRingsTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $nextPageToken = '';
+        $totalSize = 705419236;
+        $keyRingsElement = new KeyRing();
+        $keyRings = [
+            $keyRingsElement,
+        ];
+        $expectedResponse = new ListKeyRingsResponse();
+        $expectedResponse->setNextPageToken($nextPageToken);
+        $expectedResponse->setTotalSize($totalSize);
+        $expectedResponse->setKeyRings($keyRings);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $formattedParent = $gapicClient->locationName('[PROJECT]', '[LOCATION]');
+        $request = (new ListKeyRingsRequest())
+            ->setParent($formattedParent);
+        $response = $gapicClient->listKeyRings($request);
+        $this->assertEquals($expectedResponse, $response->getPage()->getResponseObject());
+        $resources = iterator_to_array($response->iterateAllElements());
+        $this->assertSame(1, count($resources));
+        $this->assertEquals($expectedResponse->getKeyRings()[0], $resources[0]);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.KeyManagementService/ListKeyRings', $actualFuncCall);
+        $actualValue = $actualRequestObject->getParent();
+        $this->assertProtobufEquals($formattedParent, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function listKeyRingsExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $formattedParent = $gapicClient->locationName('[PROJECT]', '[LOCATION]');
+        $request = (new ListKeyRingsRequest())
+            ->setParent($formattedParent);
+        try {
+            $gapicClient->listKeyRings($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function macSignTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $name2 = 'name2-1052831874';
+        $mac = '79';
+        $verifiedDataCrc32c = true;
+        $expectedResponse = new MacSignResponse();
+        $expectedResponse->setName($name2);
+        $expectedResponse->setMac($mac);
+        $expectedResponse->setVerifiedDataCrc32c($verifiedDataCrc32c);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $formattedName = $gapicClient->cryptoKeyVersionName('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]', '[CRYPTO_KEY_VERSION]');
+        $data = '-86';
+        $request = (new MacSignRequest())
+            ->setName($formattedName)
+            ->setData($data);
+        $response = $gapicClient->macSign($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.KeyManagementService/MacSign', $actualFuncCall);
+        $actualValue = $actualRequestObject->getName();
+        $this->assertProtobufEquals($formattedName, $actualValue);
+        $actualValue = $actualRequestObject->getData();
+        $this->assertProtobufEquals($data, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function macSignExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $formattedName = $gapicClient->cryptoKeyVersionName('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]', '[CRYPTO_KEY_VERSION]');
+        $data = '-86';
+        $request = (new MacSignRequest())
+            ->setName($formattedName)
+            ->setData($data);
+        try {
+            $gapicClient->macSign($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function macVerifyTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $name2 = 'name2-1052831874';
+        $success = false;
+        $verifiedDataCrc32c = true;
+        $verifiedMacCrc32c = false;
+        $verifiedSuccessIntegrity = true;
+        $expectedResponse = new MacVerifyResponse();
+        $expectedResponse->setName($name2);
+        $expectedResponse->setSuccess($success);
+        $expectedResponse->setVerifiedDataCrc32c($verifiedDataCrc32c);
+        $expectedResponse->setVerifiedMacCrc32c($verifiedMacCrc32c);
+        $expectedResponse->setVerifiedSuccessIntegrity($verifiedSuccessIntegrity);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $formattedName = $gapicClient->cryptoKeyVersionName('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]', '[CRYPTO_KEY_VERSION]');
+        $data = '-86';
+        $mac = '79';
+        $request = (new MacVerifyRequest())
+            ->setName($formattedName)
+            ->setData($data)
+            ->setMac($mac);
+        $response = $gapicClient->macVerify($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.KeyManagementService/MacVerify', $actualFuncCall);
+        $actualValue = $actualRequestObject->getName();
+        $this->assertProtobufEquals($formattedName, $actualValue);
+        $actualValue = $actualRequestObject->getData();
+        $this->assertProtobufEquals($data, $actualValue);
+        $actualValue = $actualRequestObject->getMac();
+        $this->assertProtobufEquals($mac, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function macVerifyExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $formattedName = $gapicClient->cryptoKeyVersionName('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]', '[CRYPTO_KEY_VERSION]');
+        $data = '-86';
+        $mac = '79';
+        $request = (new MacVerifyRequest())
+            ->setName($formattedName)
+            ->setData($data)
+            ->setMac($mac);
+        try {
+            $gapicClient->macVerify($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function rawDecryptTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $plaintext = '-9';
+        $verifiedCiphertextCrc32c = true;
+        $verifiedAdditionalAuthenticatedDataCrc32c = true;
+        $verifiedInitializationVectorCrc32c = true;
+        $expectedResponse = new RawDecryptResponse();
+        $expectedResponse->setPlaintext($plaintext);
+        $expectedResponse->setVerifiedCiphertextCrc32c($verifiedCiphertextCrc32c);
+        $expectedResponse->setVerifiedAdditionalAuthenticatedDataCrc32c($verifiedAdditionalAuthenticatedDataCrc32c);
+        $expectedResponse->setVerifiedInitializationVectorCrc32c($verifiedInitializationVectorCrc32c);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $name = 'name3373707';
+        $ciphertext = '-72';
+        $initializationVector = '-62';
+        $request = (new RawDecryptRequest())
+            ->setName($name)
+            ->setCiphertext($ciphertext)
+            ->setInitializationVector($initializationVector);
+        $response = $gapicClient->rawDecrypt($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.KeyManagementService/RawDecrypt', $actualFuncCall);
+        $actualValue = $actualRequestObject->getName();
+        $this->assertProtobufEquals($name, $actualValue);
+        $actualValue = $actualRequestObject->getCiphertext();
+        $this->assertProtobufEquals($ciphertext, $actualValue);
+        $actualValue = $actualRequestObject->getInitializationVector();
+        $this->assertProtobufEquals($initializationVector, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function rawDecryptExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $name = 'name3373707';
+        $ciphertext = '-72';
+        $initializationVector = '-62';
+        $request = (new RawDecryptRequest())
+            ->setName($name)
+            ->setCiphertext($ciphertext)
+            ->setInitializationVector($initializationVector);
+        try {
+            $gapicClient->rawDecrypt($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function rawEncryptTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $ciphertext = '-72';
+        $initializationVector2 = '-11';
+        $tagLength = 172791595;
+        $verifiedPlaintextCrc32c = false;
+        $verifiedAdditionalAuthenticatedDataCrc32c = true;
+        $verifiedInitializationVectorCrc32c = true;
+        $name2 = 'name2-1052831874';
+        $expectedResponse = new RawEncryptResponse();
+        $expectedResponse->setCiphertext($ciphertext);
+        $expectedResponse->setInitializationVector($initializationVector2);
+        $expectedResponse->setTagLength($tagLength);
+        $expectedResponse->setVerifiedPlaintextCrc32c($verifiedPlaintextCrc32c);
+        $expectedResponse->setVerifiedAdditionalAuthenticatedDataCrc32c($verifiedAdditionalAuthenticatedDataCrc32c);
+        $expectedResponse->setVerifiedInitializationVectorCrc32c($verifiedInitializationVectorCrc32c);
+        $expectedResponse->setName($name2);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $name = 'name3373707';
+        $plaintext = '-9';
+        $request = (new RawEncryptRequest())
+            ->setName($name)
+            ->setPlaintext($plaintext);
+        $response = $gapicClient->rawEncrypt($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.KeyManagementService/RawEncrypt', $actualFuncCall);
+        $actualValue = $actualRequestObject->getName();
+        $this->assertProtobufEquals($name, $actualValue);
+        $actualValue = $actualRequestObject->getPlaintext();
+        $this->assertProtobufEquals($plaintext, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function rawEncryptExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $name = 'name3373707';
+        $plaintext = '-9';
+        $request = (new RawEncryptRequest())
+            ->setName($name)
+            ->setPlaintext($plaintext);
+        try {
+            $gapicClient->rawEncrypt($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function restoreCryptoKeyVersionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $name2 = 'name2-1052831874';
+        $importJob = 'importJob2125587491';
+        $importFailureReason = 'importFailureReason-494073229';
+        $generationFailureReason = 'generationFailureReason1749803168';
+        $externalDestructionFailureReason = 'externalDestructionFailureReason-2122384710';
+        $reimportEligible = true;
+        $expectedResponse = new CryptoKeyVersion();
+        $expectedResponse->setName($name2);
+        $expectedResponse->setImportJob($importJob);
+        $expectedResponse->setImportFailureReason($importFailureReason);
+        $expectedResponse->setGenerationFailureReason($generationFailureReason);
+        $expectedResponse->setExternalDestructionFailureReason($externalDestructionFailureReason);
+        $expectedResponse->setReimportEligible($reimportEligible);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $formattedName = $gapicClient->cryptoKeyVersionName('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]', '[CRYPTO_KEY_VERSION]');
+        $request = (new RestoreCryptoKeyVersionRequest())
+            ->setName($formattedName);
+        $response = $gapicClient->restoreCryptoKeyVersion($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.KeyManagementService/RestoreCryptoKeyVersion', $actualFuncCall);
+        $actualValue = $actualRequestObject->getName();
+        $this->assertProtobufEquals($formattedName, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function restoreCryptoKeyVersionExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $formattedName = $gapicClient->cryptoKeyVersionName('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]', '[CRYPTO_KEY_VERSION]');
+        $request = (new RestoreCryptoKeyVersionRequest())
+            ->setName($formattedName);
+        try {
+            $gapicClient->restoreCryptoKeyVersion($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function updateCryptoKeyTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $name = 'name3373707';
+        $importOnly = true;
+        $cryptoKeyBackend = 'cryptoKeyBackend-1526615498';
+        $expectedResponse = new CryptoKey();
+        $expectedResponse->setName($name);
+        $expectedResponse->setImportOnly($importOnly);
+        $expectedResponse->setCryptoKeyBackend($cryptoKeyBackend);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $cryptoKey = new CryptoKey();
+        $updateMask = new FieldMask();
+        $request = (new UpdateCryptoKeyRequest())
+            ->setCryptoKey($cryptoKey)
+            ->setUpdateMask($updateMask);
+        $response = $gapicClient->updateCryptoKey($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.KeyManagementService/UpdateCryptoKey', $actualFuncCall);
+        $actualValue = $actualRequestObject->getCryptoKey();
+        $this->assertProtobufEquals($cryptoKey, $actualValue);
+        $actualValue = $actualRequestObject->getUpdateMask();
+        $this->assertProtobufEquals($updateMask, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function updateCryptoKeyExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $cryptoKey = new CryptoKey();
+        $updateMask = new FieldMask();
+        $request = (new UpdateCryptoKeyRequest())
+            ->setCryptoKey($cryptoKey)
+            ->setUpdateMask($updateMask);
+        try {
+            $gapicClient->updateCryptoKey($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function updateCryptoKeyPrimaryVersionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $name2 = 'name2-1052831874';
+        $importOnly = true;
+        $cryptoKeyBackend = 'cryptoKeyBackend-1526615498';
+        $expectedResponse = new CryptoKey();
+        $expectedResponse->setName($name2);
+        $expectedResponse->setImportOnly($importOnly);
+        $expectedResponse->setCryptoKeyBackend($cryptoKeyBackend);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $formattedName = $gapicClient->cryptoKeyName('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]');
+        $cryptoKeyVersionId = 'cryptoKeyVersionId729489152';
+        $request = (new UpdateCryptoKeyPrimaryVersionRequest())
+            ->setName($formattedName)
+            ->setCryptoKeyVersionId($cryptoKeyVersionId);
+        $response = $gapicClient->updateCryptoKeyPrimaryVersion($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.KeyManagementService/UpdateCryptoKeyPrimaryVersion', $actualFuncCall);
+        $actualValue = $actualRequestObject->getName();
+        $this->assertProtobufEquals($formattedName, $actualValue);
+        $actualValue = $actualRequestObject->getCryptoKeyVersionId();
+        $this->assertProtobufEquals($cryptoKeyVersionId, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function updateCryptoKeyPrimaryVersionExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $formattedName = $gapicClient->cryptoKeyName('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]');
+        $cryptoKeyVersionId = 'cryptoKeyVersionId729489152';
+        $request = (new UpdateCryptoKeyPrimaryVersionRequest())
+            ->setName($formattedName)
+            ->setCryptoKeyVersionId($cryptoKeyVersionId);
+        try {
+            $gapicClient->updateCryptoKeyPrimaryVersion($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function updateCryptoKeyVersionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $name = 'name3373707';
+        $importJob = 'importJob2125587491';
+        $importFailureReason = 'importFailureReason-494073229';
+        $generationFailureReason = 'generationFailureReason1749803168';
+        $externalDestructionFailureReason = 'externalDestructionFailureReason-2122384710';
+        $reimportEligible = true;
+        $expectedResponse = new CryptoKeyVersion();
+        $expectedResponse->setName($name);
+        $expectedResponse->setImportJob($importJob);
+        $expectedResponse->setImportFailureReason($importFailureReason);
+        $expectedResponse->setGenerationFailureReason($generationFailureReason);
+        $expectedResponse->setExternalDestructionFailureReason($externalDestructionFailureReason);
+        $expectedResponse->setReimportEligible($reimportEligible);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $cryptoKeyVersion = new CryptoKeyVersion();
+        $updateMask = new FieldMask();
+        $request = (new UpdateCryptoKeyVersionRequest())
+            ->setCryptoKeyVersion($cryptoKeyVersion)
+            ->setUpdateMask($updateMask);
+        $response = $gapicClient->updateCryptoKeyVersion($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.KeyManagementService/UpdateCryptoKeyVersion', $actualFuncCall);
+        $actualValue = $actualRequestObject->getCryptoKeyVersion();
+        $this->assertProtobufEquals($cryptoKeyVersion, $actualValue);
+        $actualValue = $actualRequestObject->getUpdateMask();
+        $this->assertProtobufEquals($updateMask, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function updateCryptoKeyVersionExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $cryptoKeyVersion = new CryptoKeyVersion();
+        $updateMask = new FieldMask();
+        $request = (new UpdateCryptoKeyVersionRequest())
+            ->setCryptoKeyVersion($cryptoKeyVersion)
+            ->setUpdateMask($updateMask);
+        try {
+            $gapicClient->updateCryptoKeyVersion($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function getLocationTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $name2 = 'name2-1052831874';
+        $locationId = 'locationId552319461';
+        $displayName = 'displayName1615086568';
+        $expectedResponse = new Location();
+        $expectedResponse->setName($name2);
+        $expectedResponse->setLocationId($locationId);
+        $expectedResponse->setDisplayName($displayName);
+        $transport->addResponse($expectedResponse);
+        $request = new GetLocationRequest();
+        $response = $gapicClient->getLocation($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.location.Locations/GetLocation', $actualFuncCall);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function getLocationExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        $request = new GetLocationRequest();
+        try {
+            $gapicClient->getLocation($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function listLocationsTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $nextPageToken = '';
+        $locationsElement = new Location();
+        $locations = [
+            $locationsElement,
+        ];
+        $expectedResponse = new ListLocationsResponse();
+        $expectedResponse->setNextPageToken($nextPageToken);
+        $expectedResponse->setLocations($locations);
+        $transport->addResponse($expectedResponse);
+        $request = new ListLocationsRequest();
+        $response = $gapicClient->listLocations($request);
+        $this->assertEquals($expectedResponse, $response->getPage()->getResponseObject());
+        $resources = iterator_to_array($response->iterateAllElements());
+        $this->assertSame(1, count($resources));
+        $this->assertEquals($expectedResponse->getLocations()[0], $resources[0]);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.location.Locations/ListLocations', $actualFuncCall);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function listLocationsExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        $request = new ListLocationsRequest();
+        try {
+            $gapicClient->listLocations($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function getIamPolicyTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $version = 351608024;
+        $etag = '21';
+        $expectedResponse = new Policy();
+        $expectedResponse->setVersion($version);
+        $expectedResponse->setEtag($etag);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $resource = 'resource-341064690';
+        $request = (new GetIamPolicyRequest())
+            ->setResource($resource);
+        $response = $gapicClient->getIamPolicy($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.iam.v1.IAMPolicy/GetIamPolicy', $actualFuncCall);
+        $actualValue = $actualRequestObject->getResource();
+        $this->assertProtobufEquals($resource, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function getIamPolicyExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $resource = 'resource-341064690';
+        $request = (new GetIamPolicyRequest())
+            ->setResource($resource);
+        try {
+            $gapicClient->getIamPolicy($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function setIamPolicyTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $version = 351608024;
+        $etag = '21';
+        $expectedResponse = new Policy();
+        $expectedResponse->setVersion($version);
+        $expectedResponse->setEtag($etag);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $resource = 'resource-341064690';
+        $policy = new Policy();
+        $request = (new SetIamPolicyRequest())
+            ->setResource($resource)
+            ->setPolicy($policy);
+        $response = $gapicClient->setIamPolicy($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.iam.v1.IAMPolicy/SetIamPolicy', $actualFuncCall);
+        $actualValue = $actualRequestObject->getResource();
+        $this->assertProtobufEquals($resource, $actualValue);
+        $actualValue = $actualRequestObject->getPolicy();
+        $this->assertProtobufEquals($policy, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function setIamPolicyExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $resource = 'resource-341064690';
+        $policy = new Policy();
+        $request = (new SetIamPolicyRequest())
+            ->setResource($resource)
+            ->setPolicy($policy);
+        try {
+            $gapicClient->setIamPolicy($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function testIamPermissionsTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $expectedResponse = new TestIamPermissionsResponse();
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $resource = 'resource-341064690';
+        $permissions = [];
+        $request = (new TestIamPermissionsRequest())
+            ->setResource($resource)
+            ->setPermissions($permissions);
+        $response = $gapicClient->testIamPermissions($request);
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.iam.v1.IAMPolicy/TestIamPermissions', $actualFuncCall);
+        $actualValue = $actualRequestObject->getResource();
+        $this->assertProtobufEquals($resource, $actualValue);
+        $actualValue = $actualRequestObject->getPermissions();
+        $this->assertProtobufEquals($permissions, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function testIamPermissionsExceptionTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        $status = new stdClass();
+        $status->code = Code::DATA_LOSS;
+        $status->details = 'internal error';
+        $expectedExceptionMessage  = json_encode([
+            'message' => 'internal error',
+            'code' => Code::DATA_LOSS,
+            'status' => 'DATA_LOSS',
+            'details' => [],
+        ], JSON_PRETTY_PRINT);
+        $transport->addResponse(null, $status);
+        // Mock request
+        $resource = 'resource-341064690';
+        $permissions = [];
+        $request = (new TestIamPermissionsRequest())
+            ->setResource($resource)
+            ->setPermissions($permissions);
+        try {
+            $gapicClient->testIamPermissions($request);
+            // If the $gapicClient method call did not throw, fail the test
+            $this->fail('Expected an ApiException, but no exception was thrown.');
+        } catch (ApiException $ex) {
+            $this->assertEquals($status->code, $ex->getCode());
+            $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
+        }
+        // Call popReceivedCalls to ensure the stub is exhausted
+        $transport->popReceivedCalls();
+        $this->assertTrue($transport->isExhausted());
+    }
+
+    /** @test */
+    public function asymmetricDecryptAsyncTest()
+    {
+        $transport = $this->createTransport();
+        $gapicClient = $this->createClient([
+            'transport' => $transport,
+        ]);
+        $this->assertTrue($transport->isExhausted());
+        // Mock response
+        $plaintext = '-9';
+        $verifiedCiphertextCrc32c = true;
+        $expectedResponse = new AsymmetricDecryptResponse();
+        $expectedResponse->setPlaintext($plaintext);
+        $expectedResponse->setVerifiedCiphertextCrc32c($verifiedCiphertextCrc32c);
+        $transport->addResponse($expectedResponse);
+        // Mock request
+        $formattedName = $gapicClient->cryptoKeyVersionName('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY]', '[CRYPTO_KEY_VERSION]');
+        $ciphertext = '-72';
+        $request = (new AsymmetricDecryptRequest())
+            ->setName($formattedName)
+            ->setCiphertext($ciphertext);
+        $response = $gapicClient->asymmetricDecryptAsync($request)->wait();
+        $this->assertEquals($expectedResponse, $response);
+        $actualRequests = $transport->popReceivedCalls();
+        $this->assertSame(1, count($actualRequests));
+        $actualFuncCall = $actualRequests[0]->getFuncCall();
+        $actualRequestObject = $actualRequests[0]->getRequestObject();
+        $this->assertSame('/google.cloud.kms.v1.KeyManagementService/AsymmetricDecrypt', $actualFuncCall);
+        $actualValue = $actualRequestObject->getName();
+        $this->assertProtobufEquals($formattedName, $actualValue);
+        $actualValue = $actualRequestObject->getCiphertext();
+        $this->assertProtobufEquals($ciphertext, $actualValue);
+        $this->assertTrue($transport->isExhausted());
+    }
+}