Protect your data with CMEK
You can use Cloud Key Management Service customer-managed encryption keys (CMEK) to protect Cloud Run functions and related data at rest. Such keys are created and managed through Cloud KMS and stored as software keys, in an HSM cluster, or externally.
Deploying a function with a CMEK protects the data associated with it by using an encryption key that is under your full control. This type of encryption lets you meet compliance requirements in certain industries, such as financial services. Because the key is owned by you and is not controlled by Google, no one (including you) can access the data protected by these encryption keys when the keys are disabled or destroyed.
The following types of Cloud Run functions data are encrypted when using a CMEK:
- Function source code uploaded for deployment and stored by Google in Cloud Storage, used in the build process.
- The results of the function build process, including:
  - The container image built from your function source code.
  - Each instance of the function that is deployed.
The function build process itself is protected by an ephemeral key uniquely generated for each build. See CMEK compliance in Cloud Build for more information. Additionally, note the following:
- File metadata, such as filesystem paths or modification timestamps, is not encrypted.
- If a key is disabled, the container image cannot be deployed and new instances cannot start.
- Cloud Run functions CMEK protection applies only to Google-managed Cloud Run functions resources; you are responsible for protecting data and resources managed by you, such as your source code repositories, event channels that live in the customer project, or any services used by your functions.
Setting up CMEK for Cloud Run functions entails the following:
- Granting the necessary service accounts access to the key.
- Creating a CMEK-protected Artifact Registry repository to store your function images.
- Enabling CMEK on your function.
- Optionally, enabling CMEK organization policies to require that all new functions be CMEK compliant.
These steps are described in more detail below.
Before you begin
- Create a single-region key to use to encrypt your functions. To learn how to create a key, see Creating symmetric encryption keys.
- Create an Artifact Registry repository that has CMEK enabled. You must use the same key for the Artifact Registry repository as you do when enabling CMEK for a function.
- For event-driven functions, follow the additional setup steps outlined in Enable CMEK for a Google channel.
Granting service accounts access to the key
For all functions, you must grant the following service accounts access to the key:
- Cloud Run functions service agent (service-PROJECT_NUMBER@gcf-admin-robot.iam.gserviceaccount.com)
- Artifact Registry service agent (service-PROJECT_NUMBER@gcp-sa-artifactregistry.iam.gserviceaccount.com)
- Cloud Storage service agent (service-PROJECT_NUMBER@gs-project-accounts.iam.gserviceaccount.com)
You must additionally grant the following service accounts access to the key:
- Cloud Run service agent (service-PROJECT_NUMBER@serverless-robot-prod.iam.gserviceaccount.com)
- Eventarc service agent (service-PROJECT_NUMBER@gcp-sa-eventarc.iam.gserviceaccount.com)
To grant these service accounts access to the key, add each service account as a principal of the key and then grant the service account the Cloud KMS CryptoKey Encrypter/Decrypter role:
Console
1. Go to the Cloud Key Management Service page in the Google Cloud console.
2. Click the name of the key ring that contains the chosen key.
3. Click the name of the key to view the key details.
4. In the Permissions tab, click Grant access.
5. In the New principals field, enter the email addresses of all of the service accounts discussed earlier to assign permissions to all of them at once.
6. In the Select a role menu, select Cloud KMS CryptoKey Encrypter/Decrypter.
7. Click Save.
gcloud
For each service account discussed earlier, run the following command:
    gcloud kms keys add-iam-policy-binding KEY \
      --keyring KEY_RING \
      --location LOCATION \
      --member serviceAccount:SERVICE_AGENT_EMAIL \
      --role roles/cloudkms.cryptoKeyEncrypterDecrypter

Replace the following:
- KEY: The name of the key. For example, my-key.
- KEY_RING: The name of the key ring. For example, my-keyring.
- LOCATION: The location of the key. For example, us-central1.
- SERVICE_AGENT_EMAIL: The email address of the service account.
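The following script is an added example, not part of the Cloud Run functions documentation or the gcloud tool. It derives the five service agent addresses listed above from a project number, grants each of them the Encrypter/Decrypter role on the key, and then reads the key's IAM policy back to report any agent that is still missing, which is the check you want before attempting a deployment. It assumes gcloud is installed and authenticated; setting DRY_RUN=1 prints the gcloud commands instead of running them. The helper names (cmek_service_agents, grant_kms_access, verify_kms_access) are the example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the Cloud Run functions documentation.
# Grant the Cloud KMS CryptoKey Encrypter/Decrypter role to every service agent
# the page lists, then confirm the bindings by reading the key's IAM policy.
# Assumes gcloud is authenticated. DRY_RUN=1 prints commands instead of running them.
set -e

# The service agents named on the page, built from the project number.
cmek_service_agents() {  # project_number
  local project_number="$1" domain
  for domain in \
      gcf-admin-robot \
      gcp-sa-artifactregistry \
      gs-project-accounts \
      serverless-robot-prod \
      gcp-sa-eventarc; do
    printf 'service-%s@%s.iam.gserviceaccount.com\n' "$project_number" "$domain"
  done
}

# Run a gcloud command, or print it when DRY_RUN=1 is set.
run_gcloud() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'gcloud'; printf ' %s' "$@"; printf '\n'
  else
    gcloud "$@"
  fi
}

# Bind roles/cloudkms.cryptoKeyEncrypterDecrypter on the key for each agent.
grant_kms_access() {  # project_number key keyring location
  local project_number="$1" key="$2" keyring="$3" location="$4" agent
  cmek_service_agents "$project_number" | while IFS= read -r agent; do
    run_gcloud kms keys add-iam-policy-binding "$key" \
      --keyring "$keyring" --location "$location" \
      --member "serviceAccount:${agent}" \
      --role roles/cloudkms.cryptoKeyEncrypterDecrypter
  done
}

# Check: list the expected agents that are absent from the key's policy.
# Prints each missing member and returns 1 if any is missing, 0 otherwise.
verify_kms_access() {  # project_number key keyring location
  local project_number="$1" key="$2" keyring="$3" location="$4"
  local members missing=0 agent
  members="$(gcloud kms keys get-iam-policy "$key" --keyring "$keyring" \
      --location "$location" \
      --flatten='bindings[].members' \
      --filter='bindings.role:roles/cloudkms.cryptoKeyEncrypterDecrypter' \
      --format='value(bindings.members)')"
  while IFS= read -r agent; do
    if ! printf '%s\n' "$members" | grep -qx "serviceAccount:${agent}"; then
      echo "MISSING: serviceAccount:${agent}"
      missing=1
    fi
  done <<EOF
$(cmek_service_agents "$project_number")
EOF
  return "$missing"
}

# Usage (replace the constructed values with your own):
#   grant_kms_access 123456789012 my-key my-keyring us-central1
#   verify_kms_access 123456789012 my-key my-keyring us-central1
```

verify_kms_access is worth running even when the grants were made in the console, because a typo in one of the five addresses leaves a deployment or event delivery failing with a permission error on the key rather than a clear CMEK message.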
Enabling CMEK for a function
After setting up an Artifact Registry repository with CMEK enabled and granting Cloud Run functions access to your key, you're ready to enable CMEK for your function.
To enable CMEK for a function:
Console
1. Go to the Cloud Run functions page in the Google Cloud console.
2. Click the name of the function you want to enable CMEK on.
3. Click Edit.
4. Click Runtime, build... to expand the advanced configuration options.
5. Select the Security and image repo tab.
6. In the Encryption section, select Customer-managed encryption key (CMEK).
7. Select your chosen key from the dropdown.
8. Under Container location, select Customer-managed Artifact Registry.
9. In the Artifact registry dropdown, select the CMEK-protected repository.
10. Click Next.
11. Click Deploy.
gcloud
Run the following command:

    gcloud functions deploy FUNCTION \
      [--gen2] \
      --kms-key=KEY \
      --docker-repository=REPOSITORY \
      --source=YOUR_SOURCE_LOCATION \
      FLAGS...

Replace the following:
- FUNCTION: The name of the function to enable CMEK on. For example, cmek-function.
- KEY: The fully qualified key name, in the following format: projects/PROJECT_NAME/locations/LOCATION/keyRings/KEYRING_NAME/cryptoKeys/KEY_NAME
- REPOSITORY: The fully qualified Artifact Registry repository name, in the following format: projects/PROJECT_NAME/locations/LOCATION/repositories/REPOSITORY
- YOUR_SOURCE_LOCATION: When enabling CMEK for a pre-existing function, specify this parameter explicitly to make sure that the intended source code is redeployed.
- FLAGS...: Additional flags that may be required to deploy your function, particularly for create deployments. For details, see Deploy a Cloud Run function.
CMEK is enabled for the function.
Note that Cloud Run functions always uses the primary version of a key for CMEK protection. You cannot specify a particular key version to use when enabling CMEK for your functions.
If a key is destroyed or disabled, or the requisite permissions on it are revoked, active instances of functions protected by that key are not shut down. Function executions already in progress will continue to run, but new executions will fail as long as Cloud Run functions does not have access to the key.
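The following script is an added example, not part of the documentation or of gcloud. It builds the fully qualified key and repository names the deploy command expects, then performs two pre-flight checks before deploying: an offline check that the key and repository are in the same location, and an online check that the repository's configured KMS key is the key being passed to the function, which is the "same key" requirement from the setup section. It assumes gcloud is authenticated, that the function is deployed in the same region as the key and repository (an assumption, not a statement from the page), and that DRY_RUN=1 should print the deploy command instead of running it. The helper names are the example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the Cloud Run functions documentation.
# Build the resource names for --kms-key and --docker-repository, check that the
# repository is protected by that same key, then deploy the function with CMEK.
# Assumes gcloud is authenticated. DRY_RUN=1 prints the deploy command instead.
set -e

kms_key_resource() {  # project location keyring key
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s\n' "$1" "$2" "$3" "$4"
}

ar_repository_resource() {  # project location repository
  printf 'projects/%s/locations/%s/repositories/%s\n' "$1" "$2" "$3"
}

# Extract the location segment from either kind of resource name.
resource_location() {
  printf '%s\n' "$1" | sed -n 's#^projects/[^/]*/locations/\([^/]*\)/.*#\1#p'
}

# Offline check: a single-region key and the repository must share a location.
# Returns 0 when consistent, 1 otherwise.
check_same_location() {  # key_resource repo_resource
  [ -n "$(resource_location "$1")" ] &&
  [ "$(resource_location "$1")" = "$(resource_location "$2")" ]
}

# Online check (needs gcloud): the repository's kmsKeyName must equal the key
# passed on the deploy command, otherwise images would sit under a different key.
check_repository_key() {  # key_resource repository location
  local key_res="$1" repo="$2" location="$3" configured
  configured="$(gcloud artifacts repositories describe "$repo" \
      --location "$location" --format='value(kmsKeyName)')"
  if [ "$configured" != "$key_res" ]; then
    echo "repository $repo uses key '${configured:-<none, Google-managed>}', expected $key_res" >&2
    return 1
  fi
}

run_gcloud() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'gcloud'; printf ' %s' "$@"; printf '\n'
  else
    gcloud "$@"
  fi
}

# Deploy with CMEK after both checks pass. Extra deploy flags (runtime,
# trigger, entry point) are passed through after the seven fixed arguments.
deploy_cmek_function() {  # function project location keyring key repository source [flags...]
  local fn="$1" project="$2" location="$3" keyring="$4" key="$5" repo="$6" src="$7"
  shift 7
  local key_res repo_res
  key_res="$(kms_key_resource "$project" "$location" "$keyring" "$key")"
  repo_res="$(ar_repository_resource "$project" "$location" "$repo")"
  check_same_location "$key_res" "$repo_res" ||
    { echo "key and repository are in different locations" >&2; return 1; }
  # The repository check needs a live API call, so it is skipped in dry-run mode.
  [ "${DRY_RUN:-0}" = "1" ] || check_repository_key "$key_res" "$repo" "$location"
  run_gcloud functions deploy "$fn" --region "$location" \
    --kms-key="$key_res" --docker-repository="$repo_res" --source="$src" "$@"
}

# Usage (constructed values):
#   deploy_cmek_function cmek-function my-project us-central1 my-keyring my-key \
#     my-repo ./src --runtime=python312 --trigger-http
```

Passing --source explicitly, as the placeholder list above says, is what makes the redeploy of an existing function pick up the intended code; the script therefore treats it as a required argument rather than an optional flag.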
Testing CMEK protection
To verify that CMEK protection is working, you can disable the key you used to enable CMEK for a function, then try to trigger your function:
1. Disable the key used to protect your function.
2. Attempt to view the source code associated with this function. The attempt should fail.
3. Attempt to trigger the CMEK-protected function. The attempt should fail.
4. After you have verified that CMEK protection is working, enable the key.
The function's CMEK protection is now confirmed.
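The following script is an added example, not part of the documentation, that automates the trigger step of this test. It looks up the key's primary version (the version CMEK uses, as noted above), disables it, checks that invoking the function now fails, and re-enables the version afterwards whether or not the check passed, so the function is not left unusable. It assumes gcloud is authenticated and that the function is HTTP-triggered so that gcloud functions call can invoke it (for event-driven functions, replace that step with your own trigger); the retry count and delay used to allow the key state change to propagate are assumptions, not documented values. The helper names are the example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the Cloud Run functions documentation.
# Disable the key's primary version, confirm the function can no longer run,
# then re-enable the version. Assumes gcloud is authenticated and the function
# can be invoked with `gcloud functions call` (HTTP trigger).
set -e

# Turn a full cryptoKeyVersion resource name into the bare version number,
# which `gcloud kms keys versions disable|enable` takes as its positional.
version_number_from_resource() {
  printf '%s\n' "${1##*/}"
}

# Full resource name of the key's primary version (the version CMEK uses).
primary_version() {  # key keyring location
  gcloud kms keys describe "$1" --keyring "$2" --location "$3" \
    --format='value(primary.name)'
}

# Invoke the function, retrying to allow the key state change to propagate
# (5 attempts, 30 s apart: assumed values, not from the documentation).
# Returns 0 when the invocation fails as CMEK requires, 1 if it still succeeds.
expect_invocation_fails() {  # function region
  local attempt
  for attempt in 1 2 3 4 5; do
    if ! gcloud functions call "$1" --region "$2" >/dev/null 2>&1; then
      echo "OK: invocation of $1 fails while the key is disabled"
      return 0
    fi
    sleep 30
  done
  echo "FAIL: $1 still executes with the key disabled" >&2
  return 1
}

test_cmek_protection() {  # function region key keyring location
  local fn="$1" region="$2" key="$3" keyring="$4" location="$5" version result=0
  version="$(version_number_from_resource "$(primary_version "$key" "$keyring" "$location")")"
  gcloud kms keys versions disable "$version" \
    --key "$key" --keyring "$keyring" --location "$location"
  expect_invocation_fails "$fn" "$region" || result=1
  # Always restore the key, otherwise the function stays unusable.
  gcloud kms keys versions enable "$version" \
    --key "$key" --keyring "$keyring" --location "$location"
  return "$result"
}

# Usage (constructed values):
#   test_cmek_protection cmek-function us-central1 my-key my-keyring us-central1
```

Running this against a non-production copy of the function keeps the test from interrupting live traffic, since, as the section above notes, new executions fail for as long as the key is disabled.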
What's next
- Learn how to rotate your keys.
- Learn more about Google default encryption.
- Learn more about CMEK.
- Learn more about CMEK organization policies.