Cloud KMS demo for managing a keyring, zero or more keys in the keyring, and IAM role bindings on individual keys.
- Create a KMS keyring in the provided project
- Create zero or more keys in the keyring using KMS and imported key material
- Create IAM role bindings for owners, encrypters, decrypters
Name | Description | Type | Default | Required |
---|---|---|---|---|
decrypters | List of comma-separated decrypters for each key declared in set_decrypters_for. | list(string) | [] | no |
encrypters | List of comma-separated encrypters for each key declared in set_encrypters_for. | list(string) | [] | no |
key_algorithm | The algorithm to use when creating a version based on this template. See the documentation for possible inputs. | string | "GOOGLE_SYMMETRIC_ENCRYPTION" | no |
key_protection_level | The protection level to use when creating a version based on this template. Possible values: ["SOFTWARE", "HSM"] | string | "SOFTWARE" | no |
key_rotation_period | n/a | string | "100000s" | no |
keyring | Keyring name. | string | n/a | yes |
keys | Key names. | list(string) | [] | no |
labels | Labels, provided as a map. | map(string) | {} | no |
location | Location for the keyring. | string | n/a | yes |
owners | List of comma-separated owners for each key declared in set_owners_for. | list(string) | [] | no |
project_id | Project id where the keyring will be created. | string | n/a | yes |
purpose | The immutable purpose of the CryptoKey. Possible values are ENCRYPT_DECRYPT, ASYMMETRIC_SIGN, and ASYMMETRIC_DECRYPT. | string | "ENCRYPT_DECRYPT" | no |
set_decrypters_for | Names of keys for which decrypters will be set. | list(string) | [] | no |
set_encrypters_for | Names of keys for which encrypters will be set. | list(string) | [] | no |
set_owners_for | Names of keys for which owners will be set. | list(string) | [] | no |
Each owners, encrypters and decrypters entry can have one of the following values:
- allUsers: A special identifier that represents anyone who is on the internet, with or without a Google account.
- allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account.
- user:{emailid}: An email address that represents a specific Google account. For example, [email protected] or [email protected].
- serviceAccount:{emailid}: An email address that represents a service account. For example, [email protected].
- group:{emailid}: An email address that represents a Google group. For example, [email protected].
- domain:{domain}: A G Suite domain name (primary, not an alias) that represents all the users of that domain. For example, google.com or example.com.
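The input contract above pairs each entry of set_owners_for, set_encrypters_for and set_decrypters_for with the entry at the same index of owners, encrypters and decrypters, and each of those entries is itself a comma-separated member list. The following pre-apply check is an added example, not code from this module: it expands those paired lists into per-key bindings, validates every member against the forms listed above, and reports any public principal (allUsers, allAuthenticatedUsers) that would receive access to a key. The IAM role names mapped to each audience and the sample inputs are assumptions made for the example, not values the module documents.

```python
"""Pre-apply check for this module's IAM inputs (added example, not module code)."""
import re
from dataclasses import dataclass

# Assumed role per audience; the module documents only the audience names.
ROLE_FOR = {
    "owners": "roles/owner",
    "encrypters": "roles/cloudkms.cryptoKeyEncrypter",
    "decrypters": "roles/cloudkms.cryptoKeyDecrypter",
}

# Principals that grant access to the whole internet or to every Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Accepted member forms, following the list of values documented above.
_EMAIL = r"[^@\s,:]+@[^@\s,:]+\.[^@\s,:]+"
_DOMAIN = r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}"
MEMBER_RE = re.compile(
    rf"^(?:allUsers|allAuthenticatedUsers"
    rf"|(?:user|serviceAccount|group):{_EMAIL}"
    rf"|domain:{_DOMAIN})$"
)


@dataclass(frozen=True)
class Binding:
    key: str
    role: str
    member: str


def validate_member(member: str) -> bool:
    """True if `member` is one of the documented principal forms."""
    return MEMBER_RE.match(member) is not None


def expand_bindings(keys, audience, members, set_for):
    """Expand one audience's paired lists into per-key Binding objects.

    A length mismatch or an undeclared key raises instead of silently
    dropping a binding, since a missing binding is itself a misconfiguration.
    """
    if len(members) != len(set_for):
        raise ValueError(
            f"{audience}: {len(set_for)} keys in set_{audience}_for "
            f"but {len(members)} member lists in {audience}"
        )
    role = ROLE_FOR[audience]
    bindings = []
    for key, member_csv in zip(set_for, members):
        if key not in keys:
            raise ValueError(f"{audience}: key {key!r} is not declared in keys")
        for member in (m.strip() for m in member_csv.split(",")):
            if member:
                bindings.append(Binding(key, role, member))
    return bindings


def check_inputs(inputs):
    """Expand all three audiences; return (bindings, findings) where findings
    describe malformed members and public principals."""
    keys = inputs["keys"]
    bindings, findings = [], []
    for audience in ("owners", "encrypters", "decrypters"):
        bindings.extend(expand_bindings(
            keys, audience,
            inputs.get(audience, []), inputs.get(f"set_{audience}_for", []),
        ))
    for b in bindings:
        if not validate_member(b.member):
            findings.append(f"{b.key}: malformed member {b.member!r} for {b.role}")
        elif b.member in PUBLIC_MEMBERS:
            findings.append(f"{b.key}: public principal {b.member} granted {b.role}")
    return bindings, findings


# Constructed sample inputs (not a real project); the decrypters entry for
# "backups" is deliberately public so the check has something to report.
SAMPLE_INPUTS = {
    "keys": ["app-db", "backups"],
    "set_owners_for": ["app-db"],
    "owners": ["group:kms-admins@example.com"],
    "set_encrypters_for": ["app-db", "backups"],
    "encrypters": [
        "serviceAccount:app@example-project.iam.gserviceaccount.com",
        "serviceAccount:backup@example-project.iam.gserviceaccount.com,user:alice@example.com",
    ],
    "set_decrypters_for": ["backups"],
    "decrypters": ["allAuthenticatedUsers"],
}

if __name__ == "__main__":
    bindings, findings = check_inputs(SAMPLE_INPUTS)
    for b in bindings:
        print(f"{b.key}: {b.role} -> {b.member}")
    for finding in findings:
        print("FINDING:", finding)
```

Run against the sample inputs, the check expands five bindings and reports one finding: the backups key would grant the decrypter role to every authenticated Google account. Feeding it the variable values from a tfvars file before `terraform apply` catches both index-misaligned lists and overly broad principals while they are still cheap to fix.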
Generating raw key material and importing it into a key version (the import job named by --import-job must already exist):

```shell
# Generate 32 bytes of random key material to import.
openssl rand 32 > ${HOME}/test.bin
# Let gcloud use the system-installed cryptography library it needs to wrap the key material.
export CLOUDSDK_PYTHON_SITEPACKAGES=1
# Import the material through an existing import job as a new version of the key.
gcloud kms keys versions import --import-job job_name --location location --keyring keyring_name --key key_name --algorithm algorithm --target-key-file path --project project_name
```
Name | Description |
---|---|
keyring | Self link of the keyring. |
keyring_name | Name of the keyring. |
keyring_resource | Keyring resource. |
keys | Map of key name => key self link. |
A service account with one of the following roles must be used to provision the resources of this module:
- Cloud KMS Admin: roles/cloudkms.admin
- or Owner: roles/owner

A project with the following APIs enabled must be used to host the resources of this module:
- Google Cloud Key Management Service: cloudkms.googleapis.com