Use customer-managed encryption keys (CMEK)

This page describes how to use a Cloud Key Management Service (Cloud KMS) encryption key with Cloud Data Fusion.

A customer-managed encryption key (CMEK) enables encryption of data at rest with a key that you can control through Cloud KMS. CMEK provides user control over the data written to Google internal resources in tenant projects and data written by Cloud Data Fusion pipelines, including:

  • Pipeline logs and metadata
  • Dataproc cluster metadata
  • Various Cloud Storage, BigQuery, Pub/Sub, and Spanner data sinks, actions, and sources

Cloud Data Fusion resources

For a list of Cloud Data Fusion plugins that support CMEK, see the supported plugins.

Cloud Data Fusion supports CMEK for Dataproc clusters. Cloud Data Fusion creates a temporary Dataproc cluster for use in the pipeline, and then deletes the cluster when the pipeline completes. CMEK protects the cluster metadata written to the following:

  • Persistent disks (PD) attached to cluster VMs
  • Job driver output and other metadata written to the auto-created or user-created Dataproc staging bucket

Set up CMEK

Create a Cloud KMS key

Create a Cloud KMS key in the Google Cloud project that contains the Cloud Data Fusion instance or in a separate user project. The Cloud KMS key ring location must match the region where you create the instance. A multi-region or global region key isn't allowed at the instance level because Cloud Data Fusion is always associated with a particular region.

Get the resource name for the key

REST API

Get the resource name of the key that you created with the following command:

projects/PROJECT_ID/locations/REGION/keyRings/KEY_RING_NAME/cryptoKeys/KEY_NAME

Replace the following:

  • PROJECT_ID: the customer project that hosts the Cloud Data Fusion instance
  • REGION: a Google Cloud region that's close to your location—for example, us-east1
  • KEY_RING_NAME: the name of the key ring that groups the cryptographic keys together
  • KEY_NAME: the Cloud KMS key name

Console

  1. Go to the Cryptographic keys page.

    Go to Cryptographic keys

  2. Next to your key, click More .

  3. Select Copy Resource Name to copy the resource name to the clipboard.

Update your project's service accounts to use the key

To set up your project's service accounts to use your key:

  1. Required: Grant the Cloud KMS CryptoKey Encrypter/Decrypter role (roles/cloudkms.cryptoKeyEncrypterDecrypter) to the Cloud Data Fusion service agent (see Granting roles to a service account for specific resources). This account is in the following format:

    service-PROJECT_NUMBER@gcp-sa-datafusion.iam.gserviceaccount.com

    Granting the Cloud KMS CryptoKey Encrypter/Decrypter role to the Cloud Data Fusion service agent enables Cloud Data Fusion to use CMEK to encrypt any customer data stored in tenant projects.

  2. Required: Grant the Cloud KMS CryptoKey Encrypter/Decrypter role to the Compute Engine service agent (see Assigning a Cloud KMS key to a Cloud Storage service account). This account, which by default is granted the Compute Engine Service Agent role, is of the form:

    service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com

    Granting the Cloud KMS CryptoKey Encrypter/Decrypter role to the Compute Engine service agent enables Cloud Data Fusion to use CMEK to encrypt persistent disk (PD) metadata written by the Dataproc cluster running in your pipeline.

  3. Required: Grant the Cloud KMS CryptoKey Encrypter/Decrypter role to the Cloud Storage service agent (see Assigning a Cloud KMS key to a Cloud Storage service agent). This service agent is of the form:

    service-PROJECT_NUMBER@gs-project-accounts.iam.gserviceaccount.com

    Granting the Cloud KMS CryptoKey Encrypter/Decrypter role to the Cloud Storage service agent enables Cloud Data Fusion to use CMEK to encrypt data written to the Dataproc cluster staging bucket and any other Cloud Storage resources used by your pipeline.

  4. Required: Grant the Cloud KMS CryptoKey Encrypter/Decrypter role to the Google Cloud Dataproc Service Agent. This service agent is of the form:

    service-PROJECT_NUMBER@dataproc-accounts.iam.gserviceaccount.com

  5. Optional: If your pipeline uses BigQuery resources, grant the Cloud KMS CryptoKey Encrypter/Decrypter role to the BigQuery service account (see Grant encryption and decryption permission). This account is of the form:

    bq-PROJECT_NUMBER@bigquery-encryption.iam.gserviceaccount.com

  6. Optional: If your pipeline uses Pub/Sub resources, grant the Cloud KMS CryptoKey Encrypter/Decrypter role to the Pub/Sub service account (see Using customer-managed encryption keys). This account is of the form:

    service-PROJECT_NUMBER@gcp-sa-pubsub.iam.gserviceaccount.com

  7. Optional: If your pipeline uses Spanner resources, grant the Cloud KMS CryptoKey Encrypter/Decrypter role to the Spanner service account. This account is of the form:

    service-PROJECT_NUMBER@gcp-sa-spanner.iam.gserviceaccount.com

Create a Cloud Data Fusion instance with CMEK

CMEK is available in all editions of Cloud Data Fusion version 6.5.0 and later.

REST API

  1. To create an instance with a customer-managed encryption key, set the following environment variables:

    export PROJECT=PROJECT_ID
    export LOCATION=REGION
    export INSTANCE=INSTANCE_ID
    export DATA_FUSION_API_NAME=datafusion.googleapis.com
    export KEY=KEY_NAME
    

    Replace the following:

    • PROJECT_ID: the customer project that hosts the Cloud Data Fusion instance
    • REGION: a Google Cloud region that's close to your location—for example, us-east1
    • INSTANCE_ID: the name of the Cloud Data Fusion instance
    • KEY_NAME: the full resource name of the CMEK key
  2. Run the following command to create a Cloud Data Fusion instance:

    curl -H "Authorization: Bearer $(gcloud auth print-access-token)" -H "Content-Type: application/json" https://$DATA_FUSION_API_NAME/v1/projects/$PROJECT/locations/$LOCATION/instances?instance_id=INSTANCE -X POST -d '{"description": "CMEK-enabled CDF instance created through REST.", "type": "BASIC", "cryptoKeyConfig": {"key_reference": "$KEY"} }'
    

Console

  1. Go to the Cloud Data Fusion page.

  2. Click Instances, and then click Create an instance.

    Go to Instances

  3. In the Advanced options, select Use a customer-managed encryption key (CMEK).

  4. In the Select a customer-managed key field, select the resource name for the key.

    Select the encryption key name

  5. After you enter all of the instance details, click Create. When the instance is ready to use, it appears on the Instances page.

Check if CMEK is enabled on an instance

Console

View the instance details:

  1. In the Google Cloud console, go to the Cloud Data Fusion page.

  2. Click Instances, and then click the instance's name to go to the Instance details page.

    Go to Instances

If CMEK is enabled, the Encryption key field is shown as Available.

If CMEK is disabled, the Encryption key field is shown as Not available.

Use CMEK with supported plugins

When you set the encryption key name, use the following form:

projects/PROJECT_ID/locations/REGION/keyRings/KEY_RING_NAME/cryptoKeys/KEY_NAME

Encryption key names

The following table describes the behavior of the key in the Cloud Data Fusion plugins that support CMEK.

Supported plugins Behavior of key
Cloud Data Fusion sinks
Cloud Storage Encrypts data written to any bucket created by the plugin. If the bucket already exists, this value is ignored.
Cloud Storage multi-file Encrypts data written to any bucket created by the plugin.
BigQuery Encrypts data written to any bucket, dataset or table created by the plugin.
BigQuery multi-table Encrypts data written to any bucket, dataset or table created by the plugin.
Pub/Sub Encrypts data written to any topic created by the plugin. If the topic already exists, this value is ignored.
Spanner Encrypts data written to any database created by the plugin. If the database already exists, this value is ignored.
Cloud Data Fusion actions
Cloud Storage Create
Cloud Storage Copy
Cloud Storage Move
Cloud Storage Done File Marker
Encrypts data written to any bucket created by the plugin. If the bucket already exists, this value is ignored.
BigQuery Execute Encrypts data written to the dataset or table that the plugin creates to store the query results. It's only applicable if you store the query results in a BigQuery table.
Cloud Data Fusion sources
BigQuery source Encrypts data written to any bucket created by the plugin. If the bucket already exists, this value is ignored.
Cloud Data Fusion SQL engine
BigQuery Pushdown Engine Encrypts data written to any bucket, dataset, or table created by the plugin.

Use CMEK with Dataproc cluster metadata

The pre-created compute profiles use the CMEK key provided during instance creation to encrypt the Persistent Disk (PD) and the staging bucket metadata written by the Dataproc cluster running in your pipeline. You can modify to use another key by doing one of the following:

  • Recommended: Create a new Dataproc compute profile (Enterprise edition only).
  • Edit an existing Dataproc compute profile (Developer, Basic, or Enterprise editions).

Console

  1. Open the Cloud Data Fusion instance:

    1. In the Google Cloud console, go to the Cloud Data Fusion page.

    2. To open the instance in the Cloud Data Fusion web interface, click Instances, and then click View instance.

      Go to Instances

  2. Click System Admin > Configuration.

  3. Click the System Compute Profiles drop-down.

  4. Click Create New Profile, and select Dataproc.

  5. Enter a Profile label, Profile name, and Description.

  6. By default, Dataproc creates staging and temp buckets whenever an ephemeral cluster is created by Cloud Data Fusion. Cloud Data Fusion supports passing the Dataproc staging bucket as an argument in the compute profile. To encrypt the staging bucket, create a CMEK-enabled bucket and pass it as an argument to Dataproc in the compute profile.

  7. By default, Cloud Data Fusion auto-creates a Cloud Storage bucket to stage dependencies used by Dataproc. If you prefer to use a Cloud Storage bucket that already exists in your project, follow these steps:

    1. In the General Settings section, enter your existing Cloud Storage bucket in the Cloud Storage Bucket field.

    2. Add your Cloud KMS key to your Cloud Storage bucket.

  8. Get the resource ID of your Cloud KMS key. In the General Settings section, enter your resource ID in the Encryption Key Name field.

  9. Click Create.

  10. If more than one profile is listed in the System Compute Profiles section of the Configuration tab, make the new Dataproc profile the default profile by holding the pointer over the profile name field and clicking the star that appears.

    Select default profile.

Use CMEK with other resources

The provided CMEK key is set to the system preference during Cloud Data Fusion instance creation. It is used to encrypt data written to newly created resources by pipeline sinks such as Cloud Storage, BigQuery, Pub/Sub, or Spanner sinks.

This key only applies to newly created resources. If the resource already exists before pipeline execution, you should manually apply the CMEK key to those existing resources.

You can change the CMEK key by doing one of the following:

  • Use a runtime argument.
  • Set a Cloud Data Fusion system preference.

Runtime argument

  1. In the Cloud Data Fusion Pipeline Studio page, click the drop-down arrow to the right of the Run button.
  2. In the Name field, enter gcp.cmek.key.name.
  3. In the Value field, enter your key's resource ID.
    Select Data Fusion edition.
  4. Click Save.

    The runtime argument you set here applies only to runs of the current pipeline.

Preference

  1. In the Cloud Data Fusion UI, click SYSTEM ADMIN.
  2. Click the Configuration tab.
  3. Click the System Preferences drop-down.
  4. Click Edit System Preferences.
  5. In the Key field, enter gcp.cmek.key.name.
  6. In the Value field, enter your key's resource ID.
    Select Data Fusion edition.
  7. Click Save & Close.