Using customer-managed encryption keys

Google Cloud Deploy, along with its dependent services, allows you to manage your own encryption keys for storage and transit of any user data.

Google Cloud Deploy data

Google Cloud Deploy stores resource data encrypted. This does not include any user data.

Google Cloud Deploy dependent services can use customer-managed encryption keys. The sections that follow address the practices of each dependent service.

Cloud Build

Render and deploy operations are performed through Cloud Build, which is CMEK compliant. For more information on configuring Cloud Build to be CMEK compliant, see the Cloud Build documentation.

Rendering source and rendered manifests are stored in Cloud Storage buckets. Cloud Build stores logs using Cloud Logging, and Google Cloud Deploy explicitly turns off Cloud Storage logging for use with Google Cloud Deploy.

Cloud Storage

To use CMEK with Google Cloud Deploy, you need to use custom Cloud Storage buckets and configure those for CMEK.

To specify your custom, CMEK-managed Cloud Storage buckets for use with Google Cloud Deploy:

  • Include the --gcs-source-staging-dir flag on the gcloud deploy releases create command.

    This identifies the Cloud Storage bucket in which to store the rendering source files.

  • Change the storage location in your Google Cloud Deploy execution environment.

    This identifies the Cloud Storage bucket in which to store your rendered manifests.
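A pre-flight check for the two storage locations above, added here as an example (it is not part of the Google Cloud Deploy documentation or tooling). It confirms that the `--gcs-source-staging-dir` value and every `artifactStorage` entry in a target's execution environment point at buckets whose default key is the Cloud KMS key you expect. Assumptions: the bucket names and the sample target are constructed, the rendered-manifest location is read from the `artifactStorage` field of the target YAML, and the bucket key is read from the `default_kms_key` field of `gcloud storage buckets describe`.

```shell
#!/bin/sh
# Added example: verify that both Cloud Deploy storage locations are CMEK buckets.
# Bucket names and the sample target below are constructed placeholders.

bucket_of() { b=${1#gs://}; printf '%s\n' "${b%%/*}"; }  # gs://bucket/path -> bucket

# Read a target definition on stdin, print each artifactStorage value.
artifact_storage() { sed -n 's/^[[:space:]]*artifactStorage:[[:space:]]*//p'; }

# Default lookup: ask Cloud Storage for the bucket's default KMS key.
# Set DESCRIBE to a stub function to run the check offline.
gcloud_describe() {
  gcloud storage buckets describe "gs://$1" --format='value(default_kms_key)'
}
DESCRIBE=${DESCRIBE:-gcloud_describe}

# check_bucket GS_URL EXPECTED_KEY: succeeds only if the bucket's default key matches.
check_bucket() {
  case $1 in gs://?*) ;; *) echo "FAIL $1: not a gs:// URL"; return 1 ;; esac
  key=$("$DESCRIBE" "$(bucket_of "$1")") || { echo "FAIL $1: lookup failed"; return 1; }
  [ -n "$key" ] || { echo "FAIL $1: no default KMS key on bucket"; return 1; }
  [ "$key" = "$2" ] || { echo "FAIL $1: default key is $key"; return 1; }
  echo "OK   $1"
}

# preflight STAGING_DIR TARGET_YAML_FILE EXPECTED_KEY
# STAGING_DIR is the value you pass to --gcs-source-staging-dir.
preflight() {
  rc=0
  check_bucket "$1" "$3" || rc=1
  stores=$(artifact_storage < "$2")
  # Without artifactStorage, rendered manifests are not in your custom bucket.
  [ -n "$stores" ] || { echo "FAIL $2: no artifactStorage set"; rc=1; }
  for s in $stores; do check_bucket "$s" "$3" || rc=1; done
  return $rc
}

# Constructed sample target, trimmed to the fields this check reads.
sample_target() {
  cat <<'EOF'
kind: Target
executionConfigs:
- usages: [RENDER, DEPLOY]
  artifactStorage: gs://my-cmek-artifacts/deploy
EOF
}

if [ $# -eq 3 ]; then preflight "$@"; fi
```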

Pub/Sub topics

Google Cloud Deploy uses Pub/Sub to publish notifications to topics. You can configure these topics to use customer-managed encryption keys.


Google Cloud Deploy and its dependent services publish logs to Cloud Logging, part of Google Cloud's operations suite.

You can configure Logging for CMEK.