This page describes using organization policy constraints with Apigee.
Not every Apigee feature uses CMEK to encrypt sensitive data. To ensure that data requiring CMEK encryption is not unknowingly handled by features that are not CMEK protected, those features are disabled in CMEK-constrained projects until they become compliant. Only new usage is blocked (creating new resources or enabling an add-on); features and resources that are already in use remain available and editable, but are not CMEK protected.
Creation of eval orgs is blocked by both the gcloud alpha apigee organizations API and the eval provisioning wizard. When you try to open the eval provisioning wizard, you see the message: Apigee evaluation is not available.
For more information on the features that are disabled for CMEK-constrained projects, see Organization policy constraints.
Terms
The following terms are used in this topic:
Term | Definition |
---|---|
CMEK | Customer-managed encryption key. See Customer-managed encryption keys for a detailed description. |
Organization policy constraints | A constraint is a particular type of restriction against a Google Cloud service or a list of Google Cloud services. With regards to CMEK, there are two relevant constraints: constraints/gcp.restrictNonCmekServices and constraints/gcp.restrictCmekCryptoKeyProjects. |
Enforcement | A guarantee that Apigee's backend systems will adhere to a project's constraint (CMEK constraints in this case). |
Pre-validation | UI behavior that guides you in selecting valid configurations in Apigee in accordance with CMEK organization policies and does not expose features that are not compliant. |
Resources | Apigee resources such as organizations and instances. |
How to restrict non-CMEK services
This section describes how to restrict non-CMEK services.
- Meet the prerequisites.
- Select your Project in the Google Cloud console.
- Create a new organization policy constraint.
- Provision Apigee.
Prerequisites
You must:
- Have the Organization policy administrator role. To get the permissions that you need to manage organization policies, ask your administrator to grant you the Organization policy administrator (roles/orgpolicy.policyAdmin) IAM role on the organization. For more information about granting roles, see Manage access.
- Have the prerequisites described in Introduction to provisioning.
- Use a paid organization (Subscription or Pay-as-you-go).
- Use data residency.
Open project
- In the Google Cloud console, go to the Dashboard page.
- Select your project in the Google Cloud console drop-down list if it is not already selected.
Create an organization policy constraint
Organization policies are defined by the values set for each constraint. They are either configured at the level of this resource, inherited from the parent resource, or set to the Google-managed default behavior. In this case, you will be creating a constraint that requires CMEK and will be applied to the project and all resources that inherit from the project.
To ensure that customer-managed encryption keys are always used when encrypting your data in Apigee, create the following organization policy constraint:
- In the Google Cloud console, go to the Organization policies page.
- Select your project in the Google Cloud console drop-down list if it is not already selected.
- In the Filter box, enter: constraints/gcp.restrictNonCmekServices
- Click More, Edit policy. If Edit is disabled, you don't have the required permissions and need to ask your administrator to grant you the Organization policy administrator (roles/orgpolicy.policyAdmin) IAM role on the organization. See Prerequisites for more information.
- For Policy source, select Override parent's policy. This resource will have a unique policy. In the next step you will specify how the parent policy rules are handled.
- For Policy enforcement, select one of the following:
  - Replace. This option ignores the parent's policy and uses these rules.
  - Merge with parent. This option adds rules in addition to the ones the parent resource has set.
  See Understanding hierarchy evaluation for an explanation of organization policy inheritance.
- Click Add a rule.
- For Policy values, select Custom.
- For Policy type, select Deny.
- For Custom values, enter: apigee.googleapis.com
- Click Done.
- Click Set policy. The Policy details page is displayed.
Once you have configured the policy and selected a project that inherits/uses the policy, you are ready to provision Apigee. Note that Apigee resources that were created before configuring CMEK organization policies will not be guaranteed to be compliant; only new resources that are created after the policy is in place will adhere to the CMEK constraints.
Provision Apigee
Provisioning Apigee where you have organization policy constraints consists of the same steps as provisioning Apigee where you don't have organization policy constraints; however, the UI prevents you from making selections that are not supported.
This section describes where the UI guides you on making selections.
- In the Google Cloud console, go to the Apigee page.
- Select your project in the Google Cloud console drop-down list if it is not already selected.
- On the Welcome to Apigee API management page, Setup using defaults is disabled since you need to explicitly select CMEKs. Click Customize your setup.
- Enable APIs: Enable required APIs as described in Step 1: Enable required APIs.
- Set up networking: Set up networking as described in Step 2: Set up networking.
- Configure hosting and encryption: User journey D: Customer-managed encryption, with data residency is the only relevant user journey for organization policy constraints that restrict non-CMEK services.
  - Click Edit to open the Hosting and encryption keys panel.
  - In the Encryption type section, Google-managed encryption key is disabled and Customer-managed encryption key is enabled and cannot be disabled.
  - Click Next.
  - In the Control Plane section, Enable data residency is enabled and cannot be disabled.
  - Continue configuring hosting and encryption as described in step 3.b. of User journey D: Customer-managed encryption, with data residency.
- Customize access routing: Customize access routing as described in Step 4: Customize access routing.
How to restrict CMEK crypto key projects
This section describes how to restrict CMEK crypto key projects.
You can restrict which projects can provide encryption keys through another organization policy constraint: constraints/gcp.restrictCmekCryptoKeyProjects. With this constraint, you allowlist the projects from which encryption keys can be used.
This constraint is enforced anywhere you can select a CMEK, which is currently while provisioning Apigee or creating an Apigee instance.
If the project currently selected in the Google Cloud console is not allowlisted in the restrictCmekCryptoKeyProjects constraint, you will not be able to select any keys from the encryption key select box. Instead, you will need to use a key from a project that is allowlisted.
Prerequisites
You must:
- Have the Organization policy administrator role. To get the permissions that you need to manage organization policies, ask your administrator to grant you the Organization policy administrator (roles/orgpolicy.policyAdmin) IAM role on the organization. For more information about granting roles, see Manage access.
- Have the prerequisites described in Introduction to provisioning.
- Use a paid organization (Subscription or Pay-as-you-go).
- Use data residency.
- Provision using the Google Cloud console (Subscription or Pay-as-you-go).
- Know which project contains the keys you want to use.
Open project
- In the Google Cloud console, go to the Dashboard page.
- Select your project in the Google Cloud console drop-down list if it is not already selected.
Create an organization policy constraint
Organization policies are defined by the values set for each constraint. They are either configured at the level of this resource, inherited from the parent resource, or set to the Google-managed default behavior. In this case, you will be creating a constraint that allows keys only from allowlisted projects. This constraint will be applied to the project and all resources that inherit from the project.
To ensure that customer-managed encryption keys are used only from specific projects, add them to an allowlist:
- In the Google Cloud console, go to the Organization policies page.
- Select your project in the Google Cloud console drop-down list if it is not already selected.
- In the Filter box, enter: restrictCmekCryptoKeyProjects
- Click More, Edit policy. If Edit is disabled, you don't have the required permissions and need to ask your administrator to grant you the Organization policy administrator (roles/orgpolicy.policyAdmin) IAM role on the organization. See Prerequisites for more information.
- For Policy source, select Override parent's policy. This resource will have a unique policy. In the next step you will specify how the parent policy rules are handled.
- For Policy enforcement, select one of the following:
  - Replace. This option ignores the parent's policy and uses these rules.
  - Merge with parent. This option adds rules in addition to the ones the parent resource has set.
  See Understanding hierarchy evaluation for an explanation of organization policy inheritance.
- Click Add a rule.
- For Policy values, select Custom.
- For Policy type, select Allow.
- For Custom values, enter: projects/PROJECT_ID
  Replace PROJECT_ID with the project ID where the Cloud KMS keys you want to use are located. For example, my-kms-project.
- Click Done.
- Click Set policy. The Policy details page is displayed.
Once you have configured the policy and selected a project that inherits/uses the policy, you are ready to provision Apigee. Note that Apigee resources that were created before configuring CMEK organization policies will not be guaranteed to be compliant; only new resources that are created after the policy is in place will adhere to the CMEK constraints.
Provision Apigee
Provisioning Apigee where you have organization policy constraints consists of the same steps as provisioning Apigee where you don't have organization policy constraints; however, the UI prevents you from making selections that are not supported.
This section describes where the UI guides you on making selections.
- In the Google Cloud console, go to the Apigee page.
- Select your project in the Google Cloud console drop-down list if it is not already selected.
- On the Welcome to Apigee API management page, click Customize your setup.
- Enable APIs: Enable required APIs as described in Step 1: Enable required APIs.
- Set up networking: Set up networking as described in Step 2: Set up networking.
- Configure hosting and encryption: User journey D: Customer-managed encryption, with data residency is the only relevant user journey for organization policy constraints that restrict non-CMEK services.
  - Click Edit to open the Hosting and encryption keys panel.
  - In the Encryption type section, Google-managed encryption key is disabled and Customer-managed encryption key is enabled and cannot be disabled.
  - Click Next.
  - In the Control Plane section, Enable data residency is enabled and cannot be disabled.
  - Continue configuring hosting and encryption as described in step 3.b. of User journey D: Customer-managed encryption, with data residency.
- Customize access routing: Customize access routing as described in Step 4: Customize access routing.
Use a key from an allowlisted project
To use a key from an allowlisted project in Apigee, you need to enter the key manually by its resource ID. Any key you enter manually is also validated to ensure that its project is among the projects allowlisted in the constraint.
How to get a Google Cloud KMS resource ID
See: Getting a Cloud KMS resource ID
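As an added example (not code from this page or from Apigee), the following pre-flight check applies the rules described above for both constraints to a planned provisioning request before you open the console: it reads the two policies from dicts laid out like the org policy spec (spec.rules[].values.deniedValues / allowedValues), parses a Cloud KMS key resource ID to find its project, as the manual key validation does, and reports the same conditions the Troubleshooting table below lists. The request fields (eval, location, kms_key) and the project IDs are assumptions for this example.

```python
import re

# Constructed policy specs laid out like the org policy spec (spec.rules[].values...).
# my-kms-project is a placeholder for this example.
RESTRICT_NON_CMEK = {"spec": {"rules": [{"values": {"deniedValues": ["apigee.googleapis.com"]}}]}}
RESTRICT_KEY_PROJECTS = {"spec": {"rules": [{"values": {"allowedValues": ["projects/my-kms-project"]}}]}}

# Cloud KMS key resource ID: projects/P/locations/L/keyRings/R/cryptoKeys/K
KMS_KEY_RE = re.compile(r"^projects/(?P<project>[^/]+)/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$")

def policy_values(policy, kind):
    """Collect deniedValues or allowedValues across all rules of a policy."""
    values = []
    for rule in policy.get("spec", {}).get("rules", []):
        values.extend(rule.get("values", {}).get(kind, []))
    return values

def key_project(key_name):
    """Return the project ID from a Cloud KMS key resource ID, or None if malformed."""
    match = KMS_KEY_RE.match(key_name or "")
    return match.group("project") if match else None

def preflight(request, non_cmek_policy, key_projects_policy):
    """List the constraint violations an Apigee provisioning request would hit."""
    problems = []
    key = request.get("kms_key")
    # restrictNonCmekServices with apigee.googleapis.com denied: CMEK is mandatory,
    # so trial/eval orgs and the 'global' location are unusable and a key is required.
    if "apigee.googleapis.com" in policy_values(non_cmek_policy, "deniedValues"):
        if request.get("eval"):
            problems.append("restrictNonCmekServices: CMEK is not supported for trial/eval orgs")
        if request.get("location") == "global":
            problems.append("restrictNonCmekServices: CMEK is not supported in location 'global'")
        if not key:
            problems.append("restrictNonCmekServices: no KMS CryptoKey specified")
    # restrictCmekCryptoKeyProjects: the key's project must be allowlisted (empty list = no restriction).
    if key:
        project = key_project(key)
        allowed = policy_values(key_projects_policy, "allowedValues")
        if project is None:
            problems.append("kms_key is not a Cloud KMS CryptoKey resource ID")
        elif allowed and f"projects/{project}" not in allowed:
            problems.append(f"restrictCmekCryptoKeyProjects: projects/{project} is not allowlisted")
    return problems
```

An empty result means the request is consistent with both constraints as modelled here; a non-empty list corresponds to the error conditions in the Troubleshooting table.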
Troubleshooting
The following table describes some common error conditions that may arise with CMEK and organization policy constraints.
Error message | Cause | Steps to take |
---|---|---|
Constraint constraints/gcp.restrictNonCmekServices violated for projects/my-project attempting to create or enable trial org. CMEK is not supported for trial orgs. To use trial orgs, adjust the gcp.restrictNonCmekServices constraint for this project. | You attempted to provision a trial org where an organization policy constraint exists for the project. | CMEK is not supported for trial/eval orgs. To provision a trial org, update the organization policy constraint constraints/gcp.restrictNonCmekServices to remove Apigee from the denied services list. |
Constraint constraints/gcp.restrictNonCmekServices violated for projects/my-project attempting to create or enable global org. CMEK is not supported in location 'global', select another location or adjust the constraint for this project. | You attempted to provision a global org where an organization policy constraint exists for the project. | CMEK is not supported for global orgs. Either update the organization policy constraint constraints/gcp.restrictNonCmekServices to remove Apigee from the denied services list, or use a different location to create your orgs. |
Constraint constraints/gcp.restrictNonCmekServices violated for projects/my-project attempting to create a resource without specifying a KMS CryptoKey. Provide a KMS CryptoKey to use for this resource. | You attempted to provision an org where an organization policy constraint exists for the project without specifying a KMS CryptoKey. | You have set a constraint in organization policies that requires you to provide a CMEK to encrypt your data. You must provide the CMEK key to be able to create an org or instances. If you do not want CMEK enforcement, you can update the organization policy constraint constraints/gcp.restrictNonCmekServices to remove Apigee from the denied services list. |
Constraint constraints/gcp.restrictCmekCryptoKeyProjects violated for projects/my-project attempting to use projects/my-project/locations/my-location/keyRings/kr-1/cryptoKeys/ck-1 key. Use a key from a project that is allowed by | You attempted to provision an org where an organization policy constraint exists for the project and specified a KMS CryptoKey that is not allowlisted. | You have set constraints/gcp.restrictCmekCryptoKeyProjects in organization policies, which requires you to provide a CMEK key from the allowed projects you listed. You must provide the CMEK key from an allowed project to be able to create an org or instances. Alternatively, you can update the organization policy constraint constraints/gcp.restrictCmekCryptoKeyProjects to allow keys from the specific Google Cloud project you want. |
Constraint constraints/gcp.restrictNonCmekServices violated for projects/my-project attempting to create a portal. Integrated portals do not support the use of CMEK. To use integrated portals, adjust the gcp.restrictNonCmekServices policy constraint. | You attempted to create a portal where an organization policy constraint exists for the project. | CMEK is not supported for integrated portals. To create a new portal, update the organization policy constraint constraints/gcp.restrictNonCmekServices to remove Apigee from the denied services list. |