Using CMEK

You can use Cloud Key Management Service customer-managed encryption keys (CMEK) to protect Cloud Functions and related data at rest.

Deploying a function with a CMEK protects the data associated with it by using an encryption key that only you can access. This type of encryption allows you to meet compliance requirements in certain industries, such as financial services. Because the CMEK key is owned by you and is not controlled by Google, no one (including you) can access the data protected by these encryption keys when the keys are disabled or destroyed.

The following types of Cloud Functions data are encrypted when using a CMEK:

  • Data provided to the function at deployment.
  • The results of the function build process, including:
    • The container image built from your function's code.
    • Each instance of the function that is deployed.

Note the following:

  • File metadata, such as the file path, is not encrypted.

  • If a CMEK key is disabled, the container image cannot be deployed and new instances cannot start.

  • Data provided to a function, such as the source code, must also be protected.

To set up CMEK for Cloud Functions, do the following:

  • Grant the Cloud Functions, Artifact Registry and Google Storage service accounts access to the key.

  • Create a CMEK-protected Artifact Registry repository to store your function's images.

  • Enable CMEK on your function.

These steps are described in more detail below.

Before you begin

  1. Create a single-region key to use to encrypt your functions. To learn how to create a key, see Creating symmetric keys.

  2. Create an Artifact Registry repository that has CMEK enabled. You must use the same key for the Artifact Registry repository as you do when enabling CMEK for a function.

  3. Have an existing function you want to protect by enabling CMEK. If you don't have a function, see Your first function to create one.

Granting service accounts access to the key

You must grant the following three service accounts access to the key:

  • Cloud Functions (service-{project_number}@gcf-admin-robot.iam.gserviceaccount.com)

  • Artifact Registry (service-{project_number}@gcp-sa-artifactregistry.iam.gserviceaccount.com)

  • Google Storage (service-{project_number}@gs-project-accounts.iam.gserviceaccount.com)

To grant these service accounts access to the key, add each service account as a principal of the key and then grant the service account the Cloud KMS CryptoKey Encrypter/Decrypter role.

If you use the Cloud Console, then Cloud Functions and Artifact Registry are granted permissions automatically. If you use gcloud, then you must explicitly grant access to each service account.

Service accounts can be granted access at several levels, such as the project, a key ring, or an individual key. In the Cloud Console example below, the service account is granted the role on the project rather than on the key (unlike the gcloud example). This grants a broad set of permissions that may be convenient, but it is less secure from the standpoint of least privilege, because the service agent can then use every key in the project.

To assign permissions at the most restrictive level, see the guidelines provided in the Cloud Storage document Using customer-managed encryption keys.

To grant Cloud Functions access to the key:

Console

  1. Go to the IAM page in the Google Cloud Console.

  2. Check the box next to Include Google-provided role grants.

  3. Filter the list of principals by typing gcf in the filter field.

  4. Find the Cloud Functions service account from the list. It has the following suffix: @gcf-admin-robot.iam.gserviceaccount.com.

  5. Click the pencil icon next to the Cloud Functions service account.

  6. Click Add another role.

  7. Use the filter to locate the Cloud KMS CryptoKey Encrypter/Decrypter role and select it.

  8. Click Save.

Cloud Functions now has access to Cloud KMS keys.

gcloud

Run the following command:

gcloud kms keys add-iam-policy-binding KEY \
    --keyring=KEYRING \
    --location=LOCATION \
    --member=serviceAccount:MEMBER \
    --role=roles/cloudkms.cryptoKeyEncrypterDecrypter

Replace the following:

  • KEY: The name of the key. For example, my-key.

  • KEYRING: The name of the keyring. For example, my-keyring.

  • LOCATION: The location of the key. For example, us-central1.

  • MEMBER: The email of the service agent. It ends with one of the following suffixes: @gcf-admin-robot.iam.gserviceaccount.com, @gcp-sa-artifactregistry.iam.gserviceaccount.com or @gs-project-accounts.iam.gserviceaccount.com. Run the command once for each of the three service agents.

Alternatively, deploying a Cloud Function without CMEK enabled populates the Cloud Console user interface with the Cloud Storage service account, so you can find its email there.

Enabling CMEK for a function

After setting up an Artifact Registry repository with CMEK enabled and granting Cloud Functions access to your key, you're ready to enable CMEK for your function.

To enable CMEK for a function:

Console

  1. Go to the Cloud Functions page in the Google Cloud Console.

  2. Click the name of the function you want to enable CMEK on.

  3. Click Edit.

  4. Click Runtime, build, connections and security settings to expand the advanced configuration options.

  5. Click Security to open the security tab.

  6. In the Encryption section, check the box next to Use a customer-managed encryption key (CMEK).

  7. Select a key from the dropdown.

  8. Select the CMEK-protected repository from the dropdown.

  9. Click Next.

  10. Click Deploy.

gcloud

Run the following command:

gcloud beta functions deploy FUNCTION \
    --kms-key=KEY \
    --docker-repository=REPOSITORY

Replace the following:

  • FUNCTION: The name of the function to enable CMEK on. For example, cmek-function.

  • KEY: The fully qualified key name, in the following format: projects/PROJECT_NAME/locations/LOCATION/keyRings/KEYRING_NAME/cryptoKeys/KEY_NAME.

  • REPOSITORY: The fully qualified Artifact Registry repository name, in the following format: projects/PROJECT_NAME/locations/LOCATION/repositories/REPOSITORY.

CMEK is enabled for the function.
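The full gcloud procedure above (granting the three service agents the Encrypter/Decrypter role on the key itself, then deploying with the key and the CMEK-protected repository) as an added shell script; this is example code, not part of the Cloud Functions documentation. The project number, key, key ring, repository and function names are assumed placeholders, and with DRY_RUN=1 (the default) the script only prints the gcloud commands it would run.

```shell
#!/bin/sh
# Added example, not from the Cloud Functions docs. Derives the three service
# agent e-mails from a project number, checks that the key and the Artifact
# Registry repository share a location (they must use the same key), grants
# the KMS role on the key and deploys. Names are assumed placeholders.
set -eu
DRY_RUN="${DRY_RUN:-1}"

# The three service agents the page lists, for a given project number.
cmek_service_agents() {
  printf '%s\n' \
    "service-$1@gcf-admin-robot.iam.gserviceaccount.com" \
    "service-$1@gcp-sa-artifactregistry.iam.gserviceaccount.com" \
    "service-$1@gs-project-accounts.iam.gserviceaccount.com"
}

# Location segment of projects/P/locations/L/... ; fails on malformed names.
resource_location() {
  case "$1" in projects/*/locations/*/*) ;; *) return 1 ;; esac
  _rest="${1#projects/*/locations/}"
  printf '%s\n' "${_rest%%/*}"
}

# A single-region key protects both resources, so locations must agree.
check_same_location() {
  _k="$(resource_location "$1")" || return 1
  _r="$(resource_location "$2")" || return 1
  [ "$_k" = "$_r" ]
}

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Bind Encrypter/Decrypter on the key itself (least privilege), per agent.
grant_key_access() {  # args: project_number key keyring location
  for agent in $(cmek_service_agents "$1"); do
    run gcloud kms keys add-iam-policy-binding "$2" --keyring="$3" \
      --location="$4" --member="serviceAccount:$agent" \
      --role=roles/cloudkms.cryptoKeyEncrypterDecrypter
  done
}
deploy_with_cmek() {  # args: function key_resource repo_resource
  check_same_location "$2" "$3" || { echo "key/repo location mismatch" >&2; return 1; }
  run gcloud beta functions deploy "$1" --kms-key="$2" --docker-repository="$3"
}

# Constructed placeholder values (project number 123456789012, us-central1).
KEY=projects/my-project/locations/us-central1/keyRings/my-keyring/cryptoKeys/my-key
REPO=projects/my-project/locations/us-central1/repositories/my-repo
grant_key_access 123456789012 my-key my-keyring us-central1
deploy_with_cmek cmek-function "$KEY" "$REPO"
```

Set DRY_RUN=0 to execute the commands against a project where you have the required permissions.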

Testing CMEK protection

To verify that CMEK protection is working, you can disable the key you used to enable CMEK for a function, then try to trigger your function:

  1. Disable the CMEK key used to protect your function.

  2. Attempt to trigger the CMEK-protected function. The attempt should fail.

  3. After you have verified that CMEK protection is working, enable the key.

The function's CMEK protection is now confirmed.

What's next