Cloud Key Management Service provides the option to add labels to your Cloud KMS keys. Labels are key-value pairs that you can use to group related Cloud KMS keys and store metadata about a Cloud KMS key.
Labels are included in your bill, so you can see the distribution of costs across your labels.
You can add, update, and remove key labels using the Google Cloud CLI and the Cloud KMS REST API.
You can use labels with other Google Cloud resources, such as virtual machine resources and storage buckets. For more information about using labels in Google Cloud, see Creating and Managing Labels.
What are labels?
A label is a key-value pair that you can assign to Google Cloud Cloud KMS keys. They help you organize these resources and manage your costs at scale, with the granularity you need. You can attach a label to each resource, then filter the resources based on their labels. Information about labels is forwarded to the billing system that allows you to break down your billed charges by label. With built-in billing reports, you can filter and group costs by resource labels. You can also use labels to query billing data exports.
Requirements for labels
The labels applied to a resource must meet the following requirements:
- Each resource can have up to 64 labels.
- Each label must be a key-value pair.
- Keys have a minimum length of 1 character and a maximum length of 63 characters, and cannot be empty. Values can be empty, and have a maximum length of 63 characters.
- Keys and values can contain only lowercase letters, numeric characters, underscores, and dashes. All characters must use UTF-8 encoding, and international characters are allowed. Keys must start with a lowercase letter or international character.
- The key portion of a label must be unique within a single resource. However, you can use the same key with multiple resources.
These limits apply to the key and value for each label, and to the individual Google Cloud resources that have labels. There is no limit on how many labels you can apply across all resources within a project.
Common uses of labels
Here are some common use cases for labels:
Team or cost center labels: Add labels based on team or cost center to distinguish Cloud KMS keys owned by different teams (for example,
team:research
andteam:analytics
). You can use this type of label for cost accounting or budgeting.Component labels: For example,
component:redis
,component:frontend
,component:ingest
, andcomponent:dashboard
.Environment or stage labels: For example,
environment:production
andenvironment:test
.State labels: For example,
state:active
,state:readytodelete
, andstate:archive
.Ownership labels: Used to identify the teams that are responsible for operations, for example:
team:shopping-cart
.
We do not recommend creating large numbers of unique labels, such as for timestamps or individual values for every API call. The problem with this approach is that when the values change frequently or with keys that clutter the catalog, this makes it difficult to effectively filter and report on resources.
Labels and tags
Labels can be used as queryable annotations for resources, but can't be used to set conditions on policies. Tags provide a way to conditionally allow or deny policies based on whether a resource has a specific tag, by providing fine-grained control over policies. For more information, see the Tags overview.
Creating a key with labels
When creating a key, you can add labels by providing one or more key value pairs as labels when you create your key.
Console
Go to the Key Management page in the Google Cloud console.
Click the name of the key ring for which you will create a key.
Click Create key.
In the What type of key do you want to create?, choose Generated key.
In the Key name field, enter the name for your key.
Click the Protection level dropdown and select HSM.
Click the Purpose dropdown and select Symmetric encrypt/decrypt.
Accept the default values for Rotation period and Starting on.
Click the Add labels button.
Add a label with the key
team
and the valuealpha
.Click Create.
gcloud
To use Cloud KMS on the command line, first Install or upgrade to the latest version of Google Cloud CLI.
This example shows how to create a new key and assign labels to the key. You can also add labels to an existing key.
gcloud kms keys create key \ --keyring key-ring \ --location location \ --purpose purpose \ --labels "team=alpha,cost_center=cc1234"
Replace key with a name for the key. Replace key-ring with the name of the key ring where the key will be located. Replace location with the Cloud KMS location for the key ring. Replace purpose with a valid purpose for the key. Supply a quoted, comma-separated list of labels and values. If a label is specified multiple times with different values, each new value overwrites the previous value.
For information on all flags and possible values, run the command with the
--help
flag.
C#
To run this code, first set up a C# development environment and install the Cloud KMS C# SDK.
Go
To run this code, first set up a Go development environment and install the Cloud KMS Go SDK.
Java
To run this code, first set up a Java development environment and install the Cloud KMS Java SDK.
Node.js
To run this code, first set up a Node.js development environment and install the Cloud KMS Node.js SDK.
PHP
To run this code, first learn about using PHP on Google Cloud and install the Cloud KMS PHP SDK.
Python
To run this code, first set up a Python development environment and install the Cloud KMS Python SDK.
Ruby
To run this code, first set up a Ruby development environment and install the Cloud KMS Ruby SDK.
API
Add labels when you create a new key by using the CryptoKeys.create
method, and include the labels
property in your request body. For example:
{
"purpose": "ENCRYPT_DECRYPT",
"labels": [
{
"key": "team",
"value": "alpha"
},
{
"key": "cost_center",
"value": "cc1234"
}
]
}
If you provide the same label key twice, the last specified value overrides
earlier values. In this example team
is set to beta
.
{
"labels": [
{
"key": "team",
"value": "alpha"
},
{
"key": "team",
"value": "beta"
}
]
}
Viewing labels on a key
Console
Go to the Key Management page in the Google Cloud console.
Click the name of the key ring for the key you want to inspect.
In the header, click Show info panel.
In the panel, choose the Labels tab.
gcloud
To use Cloud KMS on the command line, first Install or upgrade to the latest version of Google Cloud CLI.
gcloud kms keys describe key \ --keyring key-ring \ --location location
Replace key with the name of the key. Replace key-ring with the name of the key ring where the key is located. Replace location with the Cloud KMS location for the key ring.
For information on all flags and possible values, run the command with the
--help
flag.
C#
To run this code, first set up a C# development environment and install the Cloud KMS C# SDK.
Go
To run this code, first set up a Go development environment and install the Cloud KMS Go SDK.
Java
To run this code, first set up a Java development environment and install the Cloud KMS Java SDK.
Node.js
To run this code, first set up a Node.js development environment and install the Cloud KMS Node.js SDK.
PHP
To run this code, first learn about using PHP on Google Cloud and install the Cloud KMS PHP SDK.
Python
To run this code, first set up a Python development environment and install the Cloud KMS Python SDK.
Ruby
To run this code, first set up a Ruby development environment and install the Cloud KMS Ruby SDK.
API
These examples use curl as an HTTP client to demonstrate using the API. For more information about access control, see Accessing the Cloud KMS API.
To see the labels applied to the key, use the CryptoKeys.get
method:
curl "https://cloudkms.googleapis.com/v1/projects/project-id/locations/location/keyRings/key-ring-name/cryptoKeys/key-name" \ --request "GET" \ --header "authorization: Bearer token" \ --header "content-type: application/json" \ --header "x-goog-user-project: project-id"
Adding or updating labels
Console
Go to the Key Management page in the Google Cloud console.
Click the name of the key ring for the key you want to inspect.
In the header, click Show info panel.
In the panel, choose the Labels tab.
Edit the value of a label directly in the corresponding text field.
Edit the key of a label by adding a new label with the desired key name and delete the old label by clicking the Delete
next to the label you want to delete.Click Save.
gcloud
To use Cloud KMS on the command line, first Install or upgrade to the latest version of Google Cloud CLI.
gcloud kms keys update key \ --keyring key-ring \ --location location \ --update-labels "cost_center=cc5678"
Replace key with the name of the key. Replace key-ring with
the name of the key ring where the key is located. Replace location
with the Cloud KMS location for the key ring. For --update-labels
,
supply a quoted, comma-separated list of labels and their values to update. If
you omit a label's new value, an occurs.
For information on all flags and possible values, run the command with the
--help
flag.
C#
To run this code, first set up a C# development environment and install the Cloud KMS C# SDK.
Go
To run this code, first set up a Go development environment and install the Cloud KMS Go SDK.
Java
To run this code, first set up a Java development environment and install the Cloud KMS Java SDK.
Node.js
To run this code, first set up a Node.js development environment and install the Cloud KMS Node.js SDK.
PHP
To run this code, first learn about using PHP on Google Cloud and install the Cloud KMS PHP SDK.
Ruby
To run this code, first set up a Ruby development environment and install the Cloud KMS Ruby SDK.
Python
To run this code, first set up a Python development environment and install the Cloud KMS Python SDK.
API
These examples use curl as an HTTP client to demonstrate using the API. For more information about access control, see Accessing the Cloud KMS API.
Add or update labels to an existing key by using the CryptoKeys.patch
method, and include the labels
property in your request body. For example:
{
"labels": [
{
"key": "team",
"value": "alpha"
},
{
"key": "cost_center",
"value": "cc5678"
}
]
}
Removing labels
Console
Go to the Key Management page in the Google Cloud console.
Click the name of the key ring for the key you want to inspect.
In the header, click Show info panel.
In the panel, choose the Labels tab.
Click the Delete
icon next to the labels you want to delete.Click Save.
gcloud
To use Cloud KMS on the command line, first Install or upgrade to the latest version of Google Cloud CLI.
gcloud kms keys update key \ --keyring key-ring \ --location location \ --remove-labels "team,cost_center"
Replace key with the name of the key. Replace key-ring with
the name of the key ring where the key is located. Replace location
with the Cloud KMS location for the key ring. For --remove-labels
,
supply a quoted, comma-separated list of labels to remove. Do not supply values
for the labels.
For information on all flags and possible values, run the command with the
--help
flag.
C#
To run this code, first set up a C# development environment and install the Cloud KMS C# SDK.
Go
To run this code, first set up a Go development environment and install the Cloud KMS Go SDK.
Java
To run this code, first set up a Java development environment and install the Cloud KMS Java SDK.
Node.js
To run this code, first set up a Node.js development environment and install the Cloud KMS Node.js SDK.
PHP
To run this code, first learn about using PHP on Google Cloud and install the Cloud KMS PHP SDK.
Python
To run this code, first set up a Python development environment and install the Cloud KMS Python SDK.
Ruby
To run this code, first set up a Ruby development environment and install the Cloud KMS Ruby SDK.
API
These examples use curl as an HTTP client to demonstrate using the API. For more information about access control, see Accessing the Cloud KMS API.
Remove labels from an existing key by using the CryptoKeys.patch
method, and include the labels
property as an empty array in your request
body. For example:
{
"labels": []
}
Audit logging
Cloud Audit Logs for Cloud KMS can be used to log label information when keys are created or updated. Key creation and updates are both admin activities, and changes to labels are noted in the admin activity log.