Accessing the API

We recommend that you access Cloud Key Management Service via our high performance Google API Client Libraries. These libraries, which connect to the Cloud KMS gRPC API, are provided in several popular programming languages.

You may also access Cloud KMS via our REST API. Thus, any language that supports sending HTTP requests can access the API. However, most users will prefer a more idiomatic client library.

There is also a web-based interface for Cloud KMS on the Google Cloud console, which allows for key management operations. Encrypt and decrypt operations cannot be performed from the web interface.

We want to make accessing Cloud KMS a joy from every language and platform, and work on that will be ongoing. If we're falling short in any way, let us know.

Platforms

How clients access the API may vary a bit depending on the platform on which the code is running, particularly with respect to authentication. Google Application Default Credentials abstract away many of the differences, but there are still some things to keep in mind. For more information about authentication, see the authentication overview.

Compute Engine and Google Kubernetes Engine

Software running on Compute Engine, including Google Kubernetes Engine nodes, typically authenticates using credentials automatically provisioned into the environment using the attached service account. The same is true for Cloud KMS. Ensure that when you create an instance, you give it access to the https://www.googleapis.com/auth/cloudkms (preferred because it supports the principle of least privilege) or https://www.googleapis.com/auth/cloud-platform OAuth scope.

For example:

gcloud compute instances create "instance-1" \
    --zone "us-east1-b" \
    --scopes "https://www.googleapis.com/auth/cloudkms"

For more information, refer to the Compute Engine documentation or the GKE documentation.

App Engine

To use Cloud KMS with App Engine:

  1. Give your App Engine service account (PROJECT_ID@appspot.gserviceaccount.com) Identity and Access Management permissions to manage and/or use your keys.
  2. Use the Application Default Credentials, and specify the scope https://www.googleapis.com/auth/cloudkms. You can also specify the scope https://www.googleapis.com/auth/cloud-platform, but it includes broader scopes than just Cloud KMS.

For more information, refer to Accessing the API and Controlling access in the App Engine documentation.

Client authentication

If your application needs to authenticate your users directly, you can obtain and use credentials on their behalf. To learn more, see User accounts.