Accessing the API

Clients can access the Key Management Service via our REST API. Thus, any language that supports sending HTTP requests can access the API. However, many users will prefer a more idiomatic client library.

In the long run, we'll want clients to use gRPC for the substantial performance improvements. However, some developers may be more familiar with the existing Google API Client Libraries. So, we currently recommend using the libraries built on our REST API.

There is also a web-based interface for KMS on the Google Cloud Console, which allows for key management operations. Encrypt and decrypt operations cannot be performed from the web interface.

We want to make accessing KMS a joy from every language and platform, and work on that will be ongoing. If we're falling short in any way, let us know.

Platforms

How clients access the API may vary a bit depending on the platform on which the code is running, particularly with respect to authentication. Google Application Default Credentials abstract away many of the differences, but there are still some things to keep in mind.

Compute Engine

Software running on Compute Engine typically authenticates using credentials automatically provisioned into the environment using the default service account. The same is true for KMS. Just make sure that when you create an instance, you give it access to the https://www.googleapis.com/auth/cloudkms (preferred because it supports the principle of least privilege) or https://www.googleapis.com/auth/cloud-platform OAuth scope.

For example:

Command-line

gcloud compute instances create instance-1 --zone us-east1-b --scopes=https://www.googleapis.com/auth/cloudkms

See the Compute Engine documentation for more information.

App Engine

App Engine is easy. Simply use the Application Default Credentials, and specify the scope https://www.googleapis.com/auth/cloudkms (preferred because it supports the principle of least privilege) or https://www.googleapis.com/auth/cloud-platform. Remember that you'll need to give your App Engine service account (PROJECT_NAME@appspot.gserviceaccount.com) Cloud Identity and Access Management permissions to manage and/or use your keys.

On-premises production environment

For your on-premises production environment, the recommended way to authenticate to a Google Cloud API, including KMS, is to use a service account. To learn how to use a service account, see Getting Started with Authentication.

Client authentication

If your application needs to authenticate your users directly, you can obtain and use credentials on their behalf. To learn more, see Authenticating as an End User.

Developer workstation

Authenticating by using a service account is also recommended for your developer workstation. For information on how to use a service account, see Getting Started with Authentication.

Production environment not managed by Google

For an environment not managed by Google, you'll need to:

  1. Create a service account.
  2. Download a JSON key file for that service account.
  3. Somehow provision that key file into your production environment.
  4. Load the credentials from the key file in your code.

This process is described in detail in the Cloud Identity documentation.

Kunde den här sidan hjälpa dig? Berätta:

Skicka feedback om ...

Cloud KMS Documentation