Cloud KMS - encrypt task

The Cloud KMS - encrypt task lets you encrypt text or binary content using a Cloud Key Management Service (Cloud KMS) key. The text or binary content must be base-64 encoded before it can be encrypted by Cloud KMS. To recover the encrypted data, use the Cloud KMS - decrypt task.

Cloud KMS is a Google Cloud service that allows you to create, import, and manage cryptographic keys and perform cryptographic operations in a single centralized cloud service.

Before you begin

Ensure that you perform the following tasks in your Google Cloud project before configuring the Cloud KMS - encrypt task:

Enable the Cloud Key Management Service (KMS) API (cloudkms.googleapis.com).
Enable the Cloud Key Management Service (KMS) API
Create an authentication profile. Apigee Integration uses an authentication profile to connect to an authentication endpoint for the Cloud KMS - encrypt task.
Note: If you're creating an authentication profile of Service account type, then ensure that the service account is assigned with the IAM role that contains the following IAM permission(s):
- cloudkms.cryptoKeyVersions.useToEncrypt
To know about IAM permissions and the predefined IAM roles that grant them, see IAM permissions reference.

For information about granting additional roles or permissions to a service account, see Granting, changing, and revoking access.

Configure the Cloud KMS - encrypt task

In the Apigee UI, select your Apigee Organization.
Click Develop > Integrations.
Select an existing integration or create a new integration by clicking Create Integration.
If you are creating a new integration:
1. Enter a name and description in the Create Integration dialog.
2. Select a Region for the integration from the list of supported regions.
3. Click Create.
This opens the integration in the integration designer.
In the integration designer navigation bar, click +Add a task/trigger > Tasks to view the list of available tasks.
Click and place the Cloud KMS - encrypt element in the integration designer.
Click the Cloud KMS - encrypt element on the designer to view the Cloud KMS - encrypt task configuration pane.
Go to Authentication, and select an existing authentication profile that you want to use.
Optional. If you have not created an authentication profile prior to configuring the task, Click + New authentication profile and follow the steps as mentioned in Create a new authentication profile.
Go to Task Input, and configure the displayed inputs fields using the following Task input parameters table.
Changes to the inputs fields are saved automatically.

Task input parameters

The following table describes the input parameters of the Cloud KMS - encrypt task:

Property	Data type	Description
Region	String	Cloud KMS location for the key ring.
ProjectsId	String	Your Google Cloud project ID.
KeyRingsId	String	Name of the key ring where the key will be located.
CryptoKeysId	String	Name of the key to use for encryption.
Request	JSON	See request JSON structure. Specify the base64-encoded text to be encrypted in the `plaintext` field of the request body. Tip: You can base64-encode or decode data using the base64 command on Linux or macOS, or the Base64.exe command on Windows. Programming and scripting languages typically include libraries for base64-encoding. For command-line examples, see Base64 Encoding in the Cloud Vision API documentation.

Task output

The Cloud KMS - encrypt task returns a response containing the encrypted data in a base64-encoded format.

Error handling strategy

An error handling strategy for a task specifies the action to take if the task fails due to a temporary error. For information about how to use an error handling strategy, and to know about the different types of error handling strategies, see Error handling strategies.

What's next

Add edges and edge conditions.
Test and publish your integration.
Configure a trigger.
Add a Data Mapping task.
See all tasks for Google Cloud services.