Using CMEK

You can use Cloud Key Management Service customer-managed encryption keys (CMEK) to protect Cloud Functions and related data at rest. Such keys are created and managed through Cloud KMS and stored as software keys, in an HSM cluster, or externally.

Deploying a function with a CMEK protects the data associated with it by using an encryption key that only you can access. This type of encryption allows you to meet compliance requirements in certain industries, such as financial services. Because the key is owned by you and is not controlled by Google, no one (including you) can access the data protected by these encryption keys when the keys are disabled or destroyed.

The following types of Cloud Functions data are encrypted when using a CMEK:

  • Function source code uploaded for deployment and stored by Google in Cloud Storage, used in the build process.
  • The results of the function build process, including:
    • The container image built from your function source code.
    • Each instance of the function that is deployed.
  • At-rest data for internal event transport channels.

The function build process itself is protected by an ephemeral key uniquely generated for each build. See CMEK compliance in Cloud Build for more information. Additionally, note the following:

  • File metadata, such as filesystem paths or modification timestamps, is not encrypted.

  • If a key is disabled, the container image cannot be deployed and new instances cannot start.

  • Cloud Functions CMEK protection only applies to Google-managed Cloud Functions resources; you are responsible for protecting data and resources managed by you, such as your source code repositories or any services used by your functions.

Setting up CMEK for Cloud Functions entails the following:

  • Granting the Cloud Functions, Artifact Registry, and Cloud Storage service accounts access to the key.

  • Creating a CMEK-protected Artifact Registry repository to store your function images.

  • Enabling CMEK on your function.

These steps are described in more detail below.

Before you begin

  1. Create a single-region key with which to encrypt your functions. To learn how to create a key, see Creating symmetric encryption keys.

  2. Create an Artifact Registry repository that has CMEK enabled. You must use the same key for the Artifact Registry repository as you do when enabling CMEK for a function.

  3. Have an existing function you want to protect by enabling CMEK. If you don't have a function, see Your first function to create one.

Granting service accounts access to the key

You must grant the following three service accounts access to the key:

  • Cloud Functions service agent (service-PROJECT_NUMBER@gcf-admin-robot.iam.gserviceaccount.com)

  • Artifact Registry service agent (service-PROJECT_NUMBER@gcp-sa-artifactregistry.iam.gserviceaccount.com)

  • Cloud Storage service agent (service-PROJECT_NUMBER@gs-project-accounts.iam.gserviceaccount.com)

To grant these service accounts access to the key, add each service account as a principal of the key and then grant the service account the Cloud KMS CryptoKey Encrypter/Decrypter role:

Console

  1. Go to the Cloud Key Management Service page in the Google Cloud console.

  2. Click the name of the key ring that contains the desired key.

  3. Click the name of the key to view the key details.

  4. In the Permissions tab, click Add.

  5. In the New principals field, enter the email addresses of all three service accounts above to assign permissions to all three accounts at once.

  6. In the Select a role dropdown, select Cloud KMS CryptoKey Encrypter/Decrypter.

  7. Click Save.

gcloud

For each service account above, run the following command:

gcloud kms keys add-iam-policy-binding KEY \
--keyring KEY_RING \
--location LOCATION \
--member serviceAccount:SERVICE_AGENT_EMAIL \
--role roles/cloudkms.cryptoKeyEncrypterDecrypter

Replace the following:

  • KEY: The name of the key. For example, my-key.

  • KEY_RING: The name of the key ring. For example, my-keyring.

  • LOCATION: The location of the key. For example, us-central1.

  • SERVICE_AGENT_EMAIL: The email address of the service account.

Enabling CMEK for a function

After setting up an Artifact Registry repository with CMEK enabled and granting the three service agents access to your key, you're ready to enable CMEK for your function.

To enable CMEK for a function:

Console

  1. Go to the Cloud Functions page in the Google Cloud console.

  2. Click the name of the function you want to enable CMEK on.

  3. Click Edit.

  4. Click Runtime, build, connections and security settings to expand the advanced configuration options.

  5. Click Security to open the security tab.

  6. In the Encryption section, check the box next to Use a customer-managed encryption key (CMEK).

  7. Select a key from the dropdown.

  8. Under Container location, select Customer-managed Artifact Registry.

  9. In the Artifact registry dropdown, select the CMEK-protected repository.

  10. Click Next.

  11. Click Deploy.

gcloud

Run the following command:

gcloud functions deploy FUNCTION \
--kms-key KEY \
--docker-repository=REPOSITORY

Replace the following:

  • FUNCTION: The name of the function to enable CMEK on. For example, cmek-function.

  • KEY: The fully qualified key name, in the following format: projects/PROJECT_NAME/locations/LOCATION/keyRings/KEYRING_NAME/cryptoKeys/KEY_NAME.

  • REPOSITORY: The fully qualified Artifact Registry repository name, in the following format: projects/PROJECT_NAME/locations/LOCATION/repositories/REPOSITORY.
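The granting, repository and deploy steps above as one script, added here as an example and not taken from the Cloud Functions documentation. It derives the three service agent addresses from the project number, verifies that all three actually hold the Encrypter/Decrypter role on the key before anything is deployed, and then creates the repository and redeploys the function with the same key. It assumes gcloud is installed and authenticated, that the project, key ring, single-region key and function already exist, and that the repository does not; the `gcloud artifacts repositories create --kms-key` command is gcloud's own and is not shown on this page, and every name passed in is a placeholder.

```shell
#!/bin/sh
# Added example, not from the Cloud Functions docs: the CMEK setup above as one
# script. Assumes gcloud is authenticated; project, key ring, single-region key
# and function already exist; the repository does not. Names are placeholders.

# The three service agents that need roles/cloudkms.cryptoKeyEncrypterDecrypter,
# derived from the project number exactly as the docs list them.
service_agents() {  # $1 = project number
  printf '%s\n' \
    "service-$1@gcf-admin-robot.iam.gserviceaccount.com" \
    "service-$1@gcp-sa-artifactregistry.iam.gserviceaccount.com" \
    "service-$1@gs-project-accounts.iam.gserviceaccount.com"
}
# Fully qualified key name in the format --kms-key expects.
key_resource_name() {  # $1 = project id, $2 = location, $3 = key ring, $4 = key
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s' "$1" "$2" "$3" "$4"
}
# Pure check: read the key's current Encrypter/Decrypter members on stdin (one
# "serviceAccount:..." per line), print each required agent that is missing and
# return non-zero if any is. A missing grant otherwise surfaces only later, as a
# failed build or an instance that cannot start.
missing_agents() {  # $1 = project number; stdin = binding members
  members=$(cat); missing=0
  for agent in $(service_agents "$1"); do
    case "$members" in
      *"serviceAccount:$agent"*) ;;
      *) echo "$agent"; missing=1 ;;
    esac
  done
  return $missing
}
setup_cmek() {  # $1 project id, $2 location, $3 key ring, $4 key, $5 repo, $6 function
  project_number=$(gcloud projects describe "$1" --format='value(projectNumber)')
  key=$(key_resource_name "$1" "$2" "$3" "$4")
  for agent in $(service_agents "$project_number"); do
    gcloud kms keys add-iam-policy-binding "$4" --keyring "$3" --location "$2" \
      --member "serviceAccount:$agent" --role roles/cloudkms.cryptoKeyEncrypterDecrypter
  done
  gcloud kms keys get-iam-policy "$4" --keyring "$3" --location "$2" \
    --flatten='bindings[].members' --format='value(bindings.members)' \
    --filter='bindings.role:roles/cloudkms.cryptoKeyEncrypterDecrypter' \
    | missing_agents "$project_number" || { echo "grant missing, not deploying" >&2; return 1; }
  # Repository and function must be protected by the same key.
  gcloud artifacts repositories create "$5" --repository-format=docker --location "$2" --kms-key "$key"
  gcloud functions deploy "$6" --region "$2" --kms-key "$key" \
    --docker-repository "projects/$1/locations/$2/repositories/$5"
}
[ "$#" -eq 6 ] && setup_cmek "$@"
```

Run it as `sh setup_cmek.sh PROJECT_ID LOCATION KEY_RING KEY REPOSITORY FUNCTION`; if the verification step prints an agent address, fix that grant before retrying rather than deploying first.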

CMEK is enabled for the function.

Note that Cloud Functions always uses the primary version of a key for CMEK protection. You cannot specify a particular key version to use when enabling CMEK for your functions.

If a key is destroyed or disabled, or the requisite permissions on it are revoked, active instances of functions protected by that key are not shut down. Function executions already in progress will continue to run, but new executions will fail as long as Cloud Functions does not have access to the key.

Testing CMEK protection

To verify that CMEK protection is working, you can disable the key you used to enable CMEK for a function, then try to trigger your function:

  1. Disable the key used to protect your function.

  2. Attempt to trigger the CMEK-protected function. The attempt should fail.

  3. After you have verified that CMEK protection is working, enable the key.

The function's CMEK protection is now confirmed.

What's next