Google Cloud Deploy, along with its dependent services, lets you manage your own encryption keys for storage and transit of any user data.
Google Cloud Deploy data
Google Cloud Deploy itself stores its resource data (delivery pipeline, target, release and rollout definitions) encrypted at rest. This storage does not include any user data, so the CMEK-relevant data lives in the dependent services described below.
Google Cloud Deploy dependent services can use customer-managed encryption keys. The sections that follow address the practices of each dependent service.
Cloud Build
Render and deploy operations are performed through Cloud Build, which supports CMEK. For more information on configuring Cloud Build for CMEK, see the Cloud Build documentation.
The rendering source and the rendered manifests are stored in Cloud Storage buckets. Cloud Build writes its build logs to Cloud Logging only: Google Cloud Deploy explicitly turns off Cloud Build's Cloud Storage logging, so no build logs are written to a bucket.
Cloud Storage
To use CMEK with Google Cloud Deploy, you need to use custom Cloud Storage buckets and configure those buckets for CMEK.
To specify your custom, CMEK-managed Cloud Storage buckets for use with Google Cloud Deploy:
1. Include the --gcs-source-staging-dir flag on the gcloud deploy releases create command. This flag identifies the Cloud Storage bucket in which to store the rendering source files.
2. Change the storage location in your Google Cloud Deploy execution environment (the execution configuration of each target). This setting identifies the Cloud Storage bucket in which to store your rendered manifests.
Pub/Sub topics
Google Cloud Deploy uses Pub/Sub to publish notifications to topics. You can configure these topics to use customer-managed encryption keys.
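The following script is an added example, not Google's own tooling, covering both the Cloud Storage procedure above and the Pub/Sub topics: it creates a Cloud KMS key, grants the Cloud Storage and Pub/Sub service agents the encrypter/decrypter role on it, creates the two buckets and the Cloud Deploy notification topics with that key as their default, points a release at the CMEK source bucket, emits the target execution configuration for the rendered-manifests bucket, and finally checks that each bucket's default key is the expected one. Project, location, key ring, key and bucket names are assumed placeholders; by default it only prints the gcloud commands (DRY_RUN=1).

```shell
#!/bin/sh
# Added example (not Google's own tooling): provision CMEK-protected Cloud
# Storage buckets and Pub/Sub topics for Google Cloud Deploy, grant the service
# agents access to the key, and verify a bucket's default key. All names are
# assumed placeholders; override them through the environment.
CMEK_PROJECT="${CMEK_PROJECT:-my-project}"
CMEK_LOCATION="${CMEK_LOCATION:-us-central1}"
CMEK_KEYRING="${CMEK_KEYRING:-deploy-cmek}"
CMEK_KEY="${CMEK_KEY:-deploy-artifacts}"
SOURCE_BUCKET="${SOURCE_BUCKET:-${CMEK_PROJECT}-deploy-source}"
RENDER_BUCKET="${RENDER_BUCKET:-${CMEK_PROJECT}-deploy-rendered}"
DRY_RUN="${DRY_RUN:-1}"   # 1 prints each gcloud command; 0 executes it

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Fully qualified resource name of the Cloud KMS key.
kms_key_name() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s\n' \
    "$CMEK_PROJECT" "$CMEK_LOCATION" "$CMEK_KEYRING" "$CMEK_KEY"
}

# Service agents that must hold cryptoKeyEncrypterDecrypter on the key, or
# writes to the bucket / publishes to the topic fail. The key ring and the
# bucket must be in the same location.
storage_service_agent() {
  gcloud storage service-agent --project="$CMEK_PROJECT"
}
pubsub_service_agent() {
  n="$(gcloud projects describe "$CMEK_PROJECT" --format='value(projectNumber)')"
  printf 'service-%s@gcp-sa-pubsub.iam.gserviceaccount.com\n' "$n"
}

create_key() {
  run gcloud kms keyrings create "$CMEK_KEYRING" \
    --location="$CMEK_LOCATION" --project="$CMEK_PROJECT"
  run gcloud kms keys create "$CMEK_KEY" --keyring="$CMEK_KEYRING" \
    --location="$CMEK_LOCATION" --purpose=encryption --project="$CMEK_PROJECT"
}

# $1: service account email to grant use of the key.
grant_key_access() {
  run gcloud kms keys add-iam-policy-binding "$CMEK_KEY" \
    --keyring="$CMEK_KEYRING" --location="$CMEK_LOCATION" \
    --project="$CMEK_PROJECT" --member="serviceAccount:$1" \
    --role=roles/cloudkms.cryptoKeyEncrypterDecrypter
}

# $1: bucket name. A default key makes every object CMEK-encrypted without the
# writers (gcloud, Cloud Build) having to pass a key themselves.
create_bucket() {
  run gcloud storage buckets create "gs://$1" --project="$CMEK_PROJECT" \
    --location="$CMEK_LOCATION" --uniform-bucket-level-access \
    --default-encryption-key="$(kms_key_name)"
}

# $1: topic name. Cloud Deploy publishes to clouddeploy-resources,
# clouddeploy-operations and clouddeploy-approvals; create them with the key
# before Cloud Deploy first publishes to them.
create_topic() {
  run gcloud pubsub topics create "$1" --project="$CMEK_PROJECT" \
    --topic-encryption-key="$(kms_key_name)"
}

# $1: release name, $2: delivery pipeline. Rendering source is staged in the
# CMEK bucket instead of the default bucket.
create_release() {
  run gcloud deploy releases create "$1" --project="$CMEK_PROJECT" \
    --region="$CMEK_LOCATION" --delivery-pipeline="$2" \
    --gcs-source-staging-dir="gs://$SOURCE_BUCKET/source"
}

# Target execution configuration that sends rendered manifests to the CMEK
# bucket (the artifactStorage field of executionConfigs).
target_execution_config() {
  printf 'executionConfigs:\n- usages:\n  - RENDER\n  - DEPLOY\n  artifactStorage: gs://%s/rendered\n' \
    "$RENDER_BUCKET"
}

# Post-provisioning check: the bucket's default key must be exactly ours.
check_bucket_key() {
  actual="$(gcloud storage buckets describe "gs://$1" \
    --format='value(default_kms_key)')"
  [ "$actual" = "$(kms_key_name)" ]
}

# Live run only when explicitly requested: DRY_RUN=0 APPLY=1 sh cmek.sh
if [ "${APPLY:-0}" = 1 ]; then
  create_key
  grant_key_access "$(storage_service_agent)"
  grant_key_access "$(pubsub_service_agent)"
  create_bucket "$SOURCE_BUCKET"
  create_bucket "$RENDER_BUCKET"
  for t in clouddeploy-resources clouddeploy-operations clouddeploy-approvals; do
    create_topic "$t"
  done
  check_bucket_key "$SOURCE_BUCKET" && check_bucket_key "$RENDER_BUCKET"
  target_execution_config
fi
```

Run it with APPLY=1 DRY_RUN=1 first to review the exact commands, then with DRY_RUN=0; check_bucket_key is the step worth keeping in CI, because a bucket created without --default-encryption-key silently falls back to Google-managed keys and nothing in the Cloud Deploy flow will warn you.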
Logging
Google Cloud Deploy and its dependent services publish logs to Cloud Logging, part of Google Cloud's operations suite.
You can configure Cloud Logging for CMEK; see the Cloud Logging documentation for the procedure.