This page explains how to encrypt sensitive data in Google-provided template
parameters, by using encryption keys with Cloud KMS.
Overview
Some Google-provided templates enable you to encrypt sensitive data in the
template parameters, such as usernames, passwords, JDBC connection strings, and
API keys. When supported, these templates include a parameter to specify the
Cloud KMS encryption key, such as:
KMSEncryptionKey
tokenKMSEncryptionKey
apiKeyKMSEncryptionKey
To use Cloud KMS encryption keys with these templates, perform the
following steps:
1. Grant the Dataflow worker service account the Cloud KMS CryptoKey
   Decrypter role. Bind the role on the key (or its key ring) rather than on
   the project, so the worker can use only that key.
2. Create an encryption key.
3. Use the key to encrypt the data. The identity that runs the encryption
   needs the Cloud KMS CryptoKey Encrypter role on the key; the worker
   service account only needs to decrypt.
4. Base64-encode the encrypted data. Encode the raw ciphertext exactly once:
   the template base64-decodes the parameter value and then calls Cloud KMS
   to decrypt it.
5. When you run the template, specify the encryption key by its full resource
   name (projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING_NAME/cryptoKeys/KEY_NAME)
   and use the encrypted parameter values.
If you specify an encryption key, you must encrypt all of the parameters that
support encryption, because the template attempts to decrypt every such
parameter and a plaintext value fails that step. To understand which
parameters can be encrypted, see the documentation for the specific template.
Example
The following example uses the MySQL to BigQuery template.
1. Create a key ring.
    gcloud kms keyrings create "KEY_RING_NAME" \
        --location "global"
2. Create an encryption key.
    gcloud kms keys create "KEY_NAME" \
        --location "global" \
        --keyring "KEY_RING_NAME" \
        --purpose "encryption"
3. Encrypt and base64-encode the username, password, and JDBC connection
   string with the key created in step 2. base64 -w 0 keeps GNU base64 from
   wrapping the output (macOS base64 does not wrap). A secret typed on the
   command line as in these echo commands is recorded in your shell history;
   for real credentials, read the plaintext from a file with
   --plaintext-file=PATH instead.
    export ENC_USER_NAME=$(echo -n "USER_NAME" \
        | gcloud kms encrypt --key="KEY_NAME" --keyring="KEY_RING_NAME" --location=global --plaintext-file=- --ciphertext-file=- \
        | base64 -w 0)
    export ENC_PASSWORD=$(echo -n "PASSWORD" \
        | gcloud kms encrypt --key="KEY_NAME" --keyring="KEY_RING_NAME" --location=global --plaintext-file=- --ciphertext-file=- \
        | base64 -w 0)
    export ENC_CONNECTION_STRING=$(echo -n "CONNECTION_STRING" \
        | gcloud kms encrypt --key="KEY_NAME" --keyring="KEY_RING_NAME" --location=global --plaintext-file=- --ciphertext-file=- \
        | base64 -w 0)
4. Run the template, passing the encrypted values and the key's full resource
   name.
    gcloud dataflow flex-template run mysql-job \
        --project=PROJECT_ID \
        --region=us-central1 \
        --template-file-gcs-location=gs://dataflow-templates-us-central1/latest/flex/MySQL_to_BigQuery \
        --parameters \
    connectionURL="$ENC_CONNECTION_STRING",\
    query="SOURCE_SQL_QUERY",\
    outputTable=PROJECT_ID:DATASET.TABLE_NAME,\
    bigQueryLoadingTemporaryDirectory=CLOUD_STORAGE_PATH,\
    username="$ENC_USER_NAME",\
    password="$ENC_PASSWORD",\
    KMSEncryptionKey=projects/PROJECT_ID/locations/global/keyRings/KEY_RING_NAME/cryptoKeys/KEY_NAME
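The procedure above is easy to get subtly wrong by hand (base64-encoding twice, leaving one sensitive parameter in plaintext, or passing a short key ID instead of the full resource name). The following Python script is an added example, not code from the Dataflow documentation or the template: it shells out to gcloud kms encrypt (assumed to be installed and authenticated as an identity with the Cloud KMS CryptoKey Encrypter role), encrypts every parameter the template can decrypt, base64-encodes the raw ciphertext once, and renders the --parameters value. The set of encryptable parameters is the MySQL to BigQuery template's; the project, key, and database values in the usage section are hypothetical.

```python
"""Encrypt the sensitive parameters of a Google-provided template and build
the --parameters value for `gcloud dataflow flex-template run`.

Added example (not from the Dataflow documentation). Assumes `gcloud` is on
PATH and authenticated as an identity that may encrypt with the key.
"""
import base64
import re
import subprocess
from typing import Callable, Dict, FrozenSet

# Parameters the MySQL to BigQuery template decrypts when KMSEncryptionKey is set.
MYSQL_TO_BQ_ENCRYPTABLE: FrozenSet[str] = frozenset(
    {"username", "password", "connectionURL"}
)

# Full cryptoKey resource name, the form the template expects in KMSEncryptionKey.
KEY_NAME_RE = re.compile(
    r"^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$"
)

Encryptor = Callable[[str, bytes], bytes]


def gcloud_kms_encrypt(key_name: str, plaintext: bytes) -> bytes:
    """Encrypt with `gcloud kms encrypt`, streaming the plaintext over stdin
    and reading raw ciphertext from stdout, so the secret never appears on a
    command line or in shell history. `--key` accepts the full resource name."""
    proc = subprocess.run(
        ["gcloud", "kms", "encrypt", f"--key={key_name}",
         "--plaintext-file=-", "--ciphertext-file=-"],
        input=plaintext, capture_output=True, check=True,
    )
    return proc.stdout


def encrypt_parameters(
    params: Dict[str, str],
    key_name: str,
    encryptable: FrozenSet[str],
    encrypt: Encryptor = gcloud_kms_encrypt,
) -> Dict[str, str]:
    """Return a copy of `params` in which every encryptable parameter holds
    base64(KMS ciphertext) and KMSEncryptionKey names the key.

    Enforces the rule stated on this page: once a key is given, every
    parameter the template can decrypt must be encrypted, because the
    template tries to decrypt all of them and a plaintext value fails there.
    """
    if not KEY_NAME_RE.match(key_name):
        raise ValueError(f"not a full cryptoKey resource name: {key_name!r}")
    missing = sorted(encryptable - set(params))
    if missing:
        raise ValueError(f"encryptable parameters not supplied: {missing}")
    out = dict(params)
    for name in sorted(encryptable):
        ciphertext = encrypt(key_name, params[name].encode("utf-8"))
        # Base64 exactly once: the template base64-decodes, then calls KMS decrypt.
        out[name] = base64.b64encode(ciphertext).decode("ascii")
    out["KMSEncryptionKey"] = key_name
    return out


def parameters_arg(params: Dict[str, str]) -> str:
    """Render the comma-separated key=value list that --parameters takes.
    gcloud splits pairs on commas, so a value containing one (a SQL query,
    say) must be passed with gcloud's ^DELIM^ alternate-delimiter syntax
    (see `gcloud topic escaping`); this helper refuses rather than corrupt
    it. Base64 padding '=' is fine: each pair is split on its first '=' only."""
    for name, value in params.items():
        if "," in value:
            raise ValueError(f"parameter {name} contains a comma; use ^DELIM^")
    return ",".join(f"{name}={value}" for name, value in params.items())


if __name__ == "__main__":
    # Hypothetical project, key, and database values (not from the page).
    key = "projects/my-project/locations/global/keyRings/dataflow-kr/cryptoKeys/template-params"
    plain = {
        "connectionURL": "jdbc:mysql://10.0.0.5:3306/app",
        "query": "SELECT id FROM users",
        "username": "etl",
        "password": "correct horse battery staple",
    }
    enc = encrypt_parameters(plain, key, MYSQL_TO_BQ_ENCRYPTABLE)
    print("--parameters", parameters_arg(enc))
```

The encryptor is injectable so the validation and encoding logic can be exercised without KMS access; in production leave the default so every value goes through gcloud kms encrypt with the same key that the template is told about in KMSEncryptionKey.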
Troubleshooting
This section contains troubleshooting information for encrypting template
parameters.
Permission denied
When you run the job, you see a PERMISSION_DENIED error in the job logs,
similar to the following:
PERMISSION_DENIED: Permission cloudkms.cryptoKeyVersions.useToDecrypt denied on
resource RESOURCE_PATH (or it may not exist)
To decrypt the data, the Dataflow worker service account needs
the cloudkms.cryptoKeyVersions.useToDecrypt permission for the encryption
key. Make sure the worker service account has the
Cloud KMS CryptoKey Decrypter role on the key (a binding on the key ring or
the project is inherited and also works, but grants more than the job needs).
The message names a cryptoKeyVersion because Cloud KMS ciphertext is tied to
the key version that produced it; the role is still bound on the cryptoKey.
If the permission is in place, check the "or it may not exist" half of the
message: the KMSEncryptionKey parameter must be the full resource name of the
same key, in the same project and location, that you encrypted with. For more
information, see Dataflow security and permissions.
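Before launching the job, the IAM side of this error can be checked from the workstation rather than discovered in the job logs. The Python pre-flight check below is an added example, not code from the Dataflow documentation: it pulls the key out of a PERMISSION_DENIED message, reads the key's IAM policy with gcloud kms keys get-iam-policy (assumed installed and authenticated; only fetch_key_policy touches gcloud), and reports whether the worker service account holds a role that carries useToDecrypt. The log line, key, service account and policy embedded in it are constructed for illustration.

```python
"""Pre-flight check for the PERMISSION_DENIED case above: does the Dataflow
worker service account hold a role granting
cloudkms.cryptoKeyVersions.useToDecrypt on the template's key?

Added example (not from the Dataflow documentation). Sample values are
constructed; fetch_key_policy is the only part that calls gcloud.
"""
import json
import re
import subprocess
from typing import Dict, List, Optional

# Predefined roles that carry cloudkms.cryptoKeyVersions.useToDecrypt.
DECRYPT_ROLES = {
    "roles/cloudkms.cryptoKeyDecrypter",
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
}

_DENIED_RE = re.compile(
    r"cloudkms\.cryptoKeyVersions\.useToDecrypt denied on\s+resource "
    r"(?P<path>projects/\S+)\s+\(or it may not exist\)"
)


def key_from_denied_message(message: str) -> Optional[str]:
    """Extract the cryptoKey the job failed to use from the PERMISSION_DENIED
    text. The message names a cryptoKeyVersion (the ciphertext pins the
    version), but IAM is bound on the cryptoKey, so the version suffix is
    stripped. Returns None for unrelated messages."""
    m = _DENIED_RE.search(message)
    if not m:
        return None
    return re.sub(r"/cryptoKeyVersions/\d+$", "", m.group("path"))


def decrypt_roles_for(policy: Dict, member: str) -> List[str]:
    """Roles in a key's IAM policy that let `member` decrypt. Only
    unconditional bindings count: a binding with a `condition` may not apply
    at run time, so it is not treated as a grant here."""
    return sorted(
        b["role"] for b in policy.get("bindings", [])
        if b["role"] in DECRYPT_ROLES
        and member in b.get("members", [])
        and "condition" not in b
    )


def fetch_key_policy(key_name: str) -> Dict:
    """Run `gcloud kms keys get-iam-policy` on the key (the caller needs
    cloudkms.cryptoKeys.getIamPolicy). Only bindings set on the key itself are
    returned: a role inherited from the key ring or project will not appear,
    and a NOT_FOUND failure means the key path is wrong, which is the
    "or it may not exist" half of the error."""
    out = subprocess.run(
        ["gcloud", "kms", "keys", "get-iam-policy", key_name, "--format=json"],
        capture_output=True, check=True, text=True,
    ).stdout
    return json.loads(out)


def worker_can_decrypt(key_name: str, worker_sa: str,
                       policy: Optional[Dict] = None) -> bool:
    """True if the worker service account has an unconditional decrypt role
    bound directly on the key."""
    policy = fetch_key_policy(key_name) if policy is None else policy
    return bool(decrypt_roles_for(policy, f"serviceAccount:{worker_sa}"))


# Constructed sample: the log line from this section with a hypothetical key,
# and a key-level policy that gives the worker only a viewer role.
SAMPLE_KEY = ("projects/my-project/locations/global/keyRings/dataflow-kr"
              "/cryptoKeys/template-params")
SAMPLE_WORKER_SA = "123456789012-compute@developer.gserviceaccount.com"
SAMPLE_DENIED = (
    "PERMISSION_DENIED: Permission cloudkms.cryptoKeyVersions.useToDecrypt "
    f"denied on\nresource {SAMPLE_KEY}/cryptoKeyVersions/1 (or it may not exist)"
)
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/cloudkms.viewer",
         "members": [f"serviceAccount:{SAMPLE_WORKER_SA}"]},
        {"role": "roles/cloudkms.cryptoKeyEncrypter",
         "members": ["user:release-engineer@example.com"]},
    ],
    "etag": "BwXConstructed=",
    "version": 1,
}

if __name__ == "__main__":
    key = key_from_denied_message(SAMPLE_DENIED)
    member = f"serviceAccount:{SAMPLE_WORKER_SA}"
    roles = decrypt_roles_for(SAMPLE_POLICY, member)
    if roles:
        print(f"{member} can decrypt with {key} via {roles}")
    else:
        print(f"{member} has no decrypt role on {key}; grant one with:")
        print(f"  gcloud kms keys add-iam-policy-binding {key} "
              f"--member={member} --role=roles/cloudkms.cryptoKeyDecrypter")
```

Against a live project, call worker_can_decrypt(key, worker_sa) with no policy argument so that the key's policy is fetched; a False result with the role bound at project level is expected (inheritance is not visible at the key), and the printed add-iam-policy-binding command grants the narrower key-level binding the page recommends.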
What's next
Learn more about Cloud Key Management Service.
See the list of Google-provided templates.
Last updated 2025-08-26 UTC.