Clients can access the Google Cloud Key Management Service via our REST API. Thus, any language that supports sending HTTP requests can access the API. However, many users will prefer a more idiomatic client library.
In the long run, we'll want clients to use gRPC for the substantial performance improvements. However, gRPC is not yet available on Google App Engine, and some developers may be more familiar with the existing Google API Client Libraries. So, we currently recommend using the libraries built on our REST API.
There is also a web-based interface for Cloud KMS on the Cloud Console, which allows for key management operations. Encrypt and decrypt operations cannot be performed from the web interface.
We want to make accessing Cloud KMS a joy from every language and platform, and work on that will be ongoing. If we're falling short in any way, let us know.
How clients access the API may vary a bit depending on the platform on which the code is running, particularly with respect to authentication. Google Application Default Credentials abstract away many of the differences, but there are still some things to keep in mind.
Google Compute Engine
Software running on Google Compute Engine typically authenticates using
credentials automatically provisioned into the environment using the default
service account. The same is true for
Cloud KMS. Just make sure that when you create an instance, you
give it access to the
because it supports the principle of least privilege) or
https://www.googleapis.com/auth/cloud-platform OAuth scope.
gcloud compute instances create instance-1 --zone us-east1-b --scopes=https://www.googleapis.com/auth/cloudkms
See the Google Compute Engine documentation for more information.
Google App Engine
App Engine is easy. Simply use the Application Default
Credentials, and specify the scope
https://www.googleapis.com/auth/cloudkms (preferred because it supports the
principle of least privilege) or
https://www.googleapis.com/auth/cloud-platform. Remember that you'll need to
give your App Engine service account
PROJECT_NAME@appspot.gserviceaccount.com) IAM permissions
to manage and/or use your keys.
gcloud auth application-default login
Non-Google production environment
For a non-Google-managed environment, you'll need to:
- Create a service account.
- Download a JSON key file for that service account.
- Somehow provision that key file into your production environment.
- Load the credentials from the key file in your code.
This process is described in detail in the Google Identity documentation.