Deploying a function with a CMEK protects the data associated with it by using an encryption key that only you can access. This type of encryption allows you to meet compliance requirements in certain industries, such as financial services. Because the CMEK key is owned by you and is not controlled by Google, no one (including you) can access the data protected by these encryption keys when the keys are disabled or destroyed.
The following types of Cloud Functions data are encrypted when using a CMEK:
- Data provided to the function at deployment.
- The results of the function build process, including:
  - The container image built from your function's code.
  - Each instance of the function that is deployed.
Note the following:
- File metadata, such as the file path, is not encrypted.
- If a CMEK key is disabled, the container image cannot be deployed and new instances cannot start.
- Data provided to a function, such as the source code, must also be protected.
To set up CMEK for Cloud Functions, do the following:
1. Grant the Cloud Functions, Artifact Registry and Cloud Storage service accounts access to the key.
2. Create a CMEK-protected Artifact Registry repository to store your function's images.
3. Enable CMEK on your function.
These steps are described in more detail below.
Before you begin
- Create a single-region key to use to encrypt your functions. To learn how to create a key, see Creating symmetric keys.
- Have an existing function you want to protect by enabling CMEK. If you don't have a function, see Your first function to create one.
Granting service accounts access to the key
You must grant the following three service accounts access to the key:
- Cloud Functions (
- Artifact Registry (
- Cloud Storage (
To grant these service accounts access to the key, add each service account as a principal of the key and then grant the service account the Cloud KMS CryptoKey Encrypter/Decrypter role. If you use the Cloud Console, Cloud Functions and Artifact Registry are granted permissions automatically. If you use the gcloud CLI, you must explicitly grant access to each service account.
Service accounts can be granted access at several levels, such as the project, a key ring, or an individual key. In the Cloud Console example below, the service account is granted access to the project rather than to the key (unlike the gcloud example). A project-level grant is convenient because it covers every key in the project, but it is broader than the principle of least privilege requires: the service account can then use keys it has no need for. To assign permissions at the most restrictive level (the key itself), see the guidelines in the Cloud Storage document Using customer-managed encryption keys.
To grant Cloud Functions access to the key using the Cloud Console:
1. Go to the IAM page in the Google Cloud Console:
   Go to the IAM page
2. Check the box next to Include Google-provided role grants.
3. Filter the list of principals by typing gcf in the filter field.
4. Find the Cloud Functions service account in the list. It has the following suffix:
5. Click the pencil icon next to the Cloud Functions service account.
6. Click Add another role.
7. Use the filter to locate the Cloud KMS CryptoKey Encrypter/Decrypter role and select it.
Cloud Functions now has access to Cloud KMS keys.
To grant a service account access to the key using the gcloud CLI, run the following command once for each of the three service accounts:
gcloud kms keys add-iam-policy-binding KEY \
    --keyring=KEYRING \
    --location=LOCATION \
    --member=MEMBER \
    --role='roles/cloudkms.cryptoKeyEncrypterDecrypter'
Replace the following:
- KEY: The name of the key. For example,
- KEYRING: The name of the key ring. For example,
- LOCATION: The location of the key. For example,
- MEMBER: The email of the service agent. For example, with the suffix:
Alternatively, deploying a Cloud Function without CMEK enabled populates the Cloud Console user interface with the Cloud Storage service account.
Enabling CMEK for a function
After setting up an Artifact Registry repository with CMEK enabled and granting Cloud Functions access to your key, you're ready to enable CMEK for your function.
To enable CMEK for a function using the Cloud Console:
1. Go to the Cloud Functions page in the Google Cloud Console:
   Go to the Cloud Functions page
2. Click the name of the function you want to enable CMEK on.
3. Click Runtime, build, connections and security settings to expand the advanced configuration options.
4. Click Security to open the security tab.
5. In the Encryption section, check the box next to Use a customer-managed encryption key (CMEK).
6. Select a key from the dropdown.
7. Select the CMEK-protected repository from the dropdown.
To enable CMEK for a function using the gcloud CLI, run the following command:
gcloud beta functions deploy FUNCTION \
    --kms-key=KEY \
    --docker-repository=REPOSITORY
Replace the following:
- FUNCTION: The name of the function to enable CMEK on. For example,
- KEY: The fully qualified key name, in the following format:
- REPOSITORY: The fully qualified Artifact Registry repository name, in the following format:
CMEK is enabled for the function.
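The three gcloud steps above (granting the service agents the Encrypter/Decrypter role, creating the CMEK-protected repository, and redeploying the function with the key and repository) can be scripted so the grant is always made on the key itself rather than on the project. The script below is an added example and is not part of the Cloud Functions documentation. It assumes the standard Cloud KMS and Artifact Registry resource-name formats and the `--kms-key` flag of `gcloud artifacts repositories create` (none of which appear on this page); every project, key, repository and service-agent value is a placeholder to replace.

```shell
#!/bin/sh
# Added example, not from the Cloud Functions documentation.
# Composes the gcloud commands for CMEK setup. Resource-name formats and the
# Artifact Registry --kms-key flag are assumptions, not quoted from the page.
set -eu

# Fully qualified Cloud KMS key name (assumed standard format).
kms_key_name() {
  # $1=project $2=location $3=keyring $4=key
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s\n' "$1" "$2" "$3" "$4"
}

# Fully qualified Artifact Registry repository name (assumed standard format).
ar_repo_name() {
  # $1=project $2=location $3=repository
  printf 'projects/%s/locations/%s/repositories/%s\n' "$1" "$2" "$3"
}

# Bind the Encrypter/Decrypter role on the key itself, once per service agent.
# Scoping the grant to one key (not the project or key ring) is the
# least-privilege option the documentation recommends.
grant_key_access() {
  # $1=key $2=keyring $3=location; remaining args = service agent emails
  key=$1; keyring=$2; location=$3; shift 3
  for member in "$@"; do
    gcloud kms keys add-iam-policy-binding "$key" \
      --keyring="$keyring" \
      --location="$location" \
      --member="serviceAccount:$member" \
      --role='roles/cloudkms.cryptoKeyEncrypterDecrypter'
  done
}

# Create the Docker repository that will hold the function's images, encrypted
# with the same key (--kms-key is assumed from the Artifact Registry CLI).
create_cmek_repo() {
  # $1=repository $2=location $3=fully qualified key name
  gcloud artifacts repositories create "$1" \
    --repository-format=docker \
    --location="$2" \
    --kms-key="$3"
}

# Redeploy an existing function with CMEK enabled (the command from the page).
deploy_with_cmek() {
  # $1=function $2=fully qualified key name $3=fully qualified repository name
  gcloud beta functions deploy "$1" \
    --kms-key="$2" \
    --docker-repository="$3"
}

# Only touch real resources when explicitly asked to: CMEK_APPLY=1 ./cmek.sh
if [ "${CMEK_APPLY:-0}" = "1" ]; then
  PROJECT=my-project        # placeholder
  LOCATION=us-east1         # placeholder; key and repository are single-region
  KEYRING=my-keyring        # placeholder
  KEY=my-key                # placeholder
  REPO=my-cmek-repo         # placeholder
  FUNCTION=my-function      # placeholder
  # Placeholder service-agent emails; use the three listed in the documentation.
  AGENTS="cloud-functions-agent@example.invalid artifact-registry-agent@example.invalid cloud-storage-agent@example.invalid"

  # shellcheck disable=SC2086
  grant_key_access "$KEY" "$KEYRING" "$LOCATION" $AGENTS
  create_cmek_repo "$REPO" "$LOCATION" "$(kms_key_name "$PROJECT" "$LOCATION" "$KEYRING" "$KEY")"
  deploy_with_cmek "$FUNCTION" \
    "$(kms_key_name "$PROJECT" "$LOCATION" "$KEYRING" "$KEY")" \
    "$(ar_repo_name "$PROJECT" "$LOCATION" "$REPO")"
fi
```

Running the script without `CMEK_APPLY=1` only defines the functions, which makes it safe to source and test with a stubbed `gcloud`; the key-level grant in `grant_key_access` is the part to keep if you adapt it, since it is what keeps the service agents from using other keys in the project.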
Testing CMEK protection
To verify that CMEK protection is working, disable the key you used to enable CMEK for a function, then try to trigger your function:
1. Disable the CMEK key used to protect your function.
2. Attempt to trigger the CMEK-protected function. The attempt should fail.
3. After you have verified that CMEK protection is working, enable the key.
The function's CMEK protection is now confirmed.
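The disable, trigger, re-enable check above is easy to get wrong by hand: if the re-enable step is forgotten, the function stays broken. The script below is an added example, not part of the documentation, that performs the three steps in order and always re-enables the key version whether or not the trigger failed as expected. It assumes the standard `gcloud kms keys describe`, `gcloud kms keys versions disable|enable` and `gcloud functions call` subcommands (none of which are quoted on this page) and uses placeholder names throughout.

```shell
#!/bin/sh
# Added example, not from the Cloud Functions documentation.
# Scripts the key-disable verification test. The gcloud subcommands used are
# the standard Cloud KMS / Cloud Functions ones and are assumed, not quoted
# from the page. All resource names are placeholders.
set -u

# Print the resource name of the key's primary version.
primary_key_version() {
  # $1=key $2=keyring $3=location
  gcloud kms keys describe "$1" --keyring="$2" --location="$3" \
    --format='value(primary.name)'
}

# Disable or enable one key version. $1 is "disable" or "enable".
set_key_version_state() {
  # $1=disable|enable $2=version id $3=key $4=keyring $5=location
  gcloud kms keys versions "$1" "$2" --key="$3" --keyring="$4" --location="$5"
}

# Return 0 when the function call fails (the expected outcome while the key is
# disabled) and 1 when it unexpectedly succeeds.
expect_call_failure() {
  # $1=function $2=region
  if gcloud functions call "$1" --region="$2" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Run the documented test: disable the key, trigger, re-enable. Returns 0 if
# CMEK protection was confirmed (the trigger failed while the key was off).
verify_cmek() {
  # $1=function $2=region $3=key $4=keyring $5=location
  version=$(primary_key_version "$3" "$4" "$5")
  version=${version##*/}            # keep only the version id
  set_key_version_state disable "$version" "$3" "$4" "$5" || return 2
  if expect_call_failure "$1" "$2"; then result=0; else result=1; fi
  # Always restore the key, regardless of the outcome.
  set_key_version_state enable "$version" "$3" "$4" "$5" || return 2
  return $result
}

# Only touch real resources when explicitly asked to: CMEK_APPLY=1 ./verify.sh
if [ "${CMEK_APPLY:-0}" = "1" ]; then
  if verify_cmek my-function us-east1 my-key my-keyring us-east1; then
    echo "CMEK protection confirmed: trigger failed while the key was disabled"
  else
    echo "CMEK check FAILED: the function still ran with the key disabled" >&2
    exit 1
  fi
fi
```

The return code distinguishes three outcomes: 0 when the trigger failed as the documentation says it should, 1 when the function still ran (worth investigating before treating the function as CMEK-protected), and 2 when gcloud could not change the key state, in which case the key may need to be checked manually.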