The Cloud KMS - encrypt task lets you encrypt text or binary content using a Cloud Key Management Service (Cloud KMS) key. The text or binary content must be base-64 encoded before it can be encrypted by Cloud KMS. To recover the encrypted data, use the Cloud KMS - decrypt task.
Cloud KMS is a Google Cloud service that allows you to create, import, and manage cryptographic keys and perform cryptographic operations in a single centralized cloud service.
Before you begin
Ensure that you perform the following tasks in your Google Cloud project before configuring the Cloud KMS - encrypt task:
Enable the Cloud Key Management Service (KMS) API (cloudkms.googleapis.com).
Create an authentication profile. Application Integration uses an authentication profile to connect to an authentication endpoint for the Cloud KMS - encrypt task.
Configure the Cloud KMS - encrypt task
In the Google Cloud console, go to the Application Integration page.
The Integrations page appears listing all the integrations available in the Google Cloud project.
Select an existing integration or click Create integration to create a new one.
If you are creating a new integration:
Enter a name and description in the Create Integration pane.
Select a region for the integration.
Select a service account for the integration. You can change or update the service account details of an integration any time from the infoIntegration summary pane in the integration toolbar.
Click Create. The newly created integration opens in the integration editor.
In the integration editor navigation bar, click Tasks to view the list of available tasks and connectors.
Click and place the Cloud KMS - encrypt element in the integration editor.
Click the Cloud KMS - encrypt element on the designer to view the Cloud KMS - encrypt task configuration pane.
Go to Authentication, and select an existing authentication profile that you want to use.
Optional. If you have not created an authentication profile prior to configuring the task, Click + New authentication profile and follow the steps as mentioned in Create a new authentication profile.
Go to Task Input, and configure the displayed inputs fields using the following Task input parameters table.
Changes to the inputs fields are saved automatically.
Task input parameters
The following table describes the input parameters of the Cloud KMS - encrypt task:
Property
Data type
Description
Region
String
Cloud KMS location for the key ring.
ProjectsId
String
Your Google Cloud project ID.
KeyRingsId
String
Name of the key ring where the key will be located.
CryptoKeysId
String
Name of the key to use for encryption.
Request
JSON
See request JSON structure. Specify the base64-encoded text to be encrypted in the plaintext field of the request body.
Task output
The Cloud KMS - encrypt task returns a response containing the encrypted data in a base64-encoded format.
Error handling strategy
An error handling strategy for a task specifies the action to take if the task fails due to a temporary error. For information about how to use an error handling strategy, and to know about the different types of error handling strategies, see Error handling strategies.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-20 UTC."],[[["\u003cp\u003eThe Cloud KMS - encrypt task allows users to encrypt text or binary content using a Cloud Key Management Service (Cloud KMS) key, requiring the content to be base-64 encoded beforehand.\u003c/p\u003e\n"],["\u003cp\u003eBefore configuring this task, users must enable the Cloud Key Management Service (KMS) API and create an authentication profile, ensuring any associated service accounts have the \u003ccode\u003ecloudkms.cryptoKeyVersions.useToEncrypt\u003c/code\u003e IAM permission.\u003c/p\u003e\n"],["\u003cp\u003eTo configure the Cloud KMS - encrypt task, users navigate to the Application Integration page, select or create an integration, add the Cloud KMS - encrypt task, and then configure authentication and input parameters like Region, ProjectsId, KeyRingsId, CryptoKeysId, and the Request in the task configuration pane.\u003c/p\u003e\n"],["\u003cp\u003eThe task input requires setting parameters including the location of the Cloud KMS key ring, the Google Cloud project ID, the key ring name, and the key name, as well as the base64-encoded text to be encrypted within a JSON request.\u003c/p\u003e\n"],["\u003cp\u003eThe task output provides a response containing the encrypted data in base64-encoded format, which can then be decrypted using the Cloud KMS - decrypt task.\u003c/p\u003e\n"]]],[],null,[]]
