Key rings and keys are resources in Google Cloud, and can have Cloud Identity and Access Management policies set on them like any other resource. Cloud IAM policies cannot be set on individual key versions. Key Management Service actions have a corresponding permission to determine who has access. See Permissions and Roles for a complete list of actions and permissions.
Modifying Cloud IAM permissions
Changing Cloud IAM permissions requires a user to have the permission to set Cloud IAM policy. As per the chart in Permissions and Roles, currently that is only possible for users or service accounts with the owner or cloudkms.admin role.
Command-line
Add a user USER_EMAIL to the role ROLE_NAME for the project PROJECT_NAME.
gcloud projects add-iam-policy-binding PROJECT_NAME \
--member user:USER_EMAIL --role roles/ROLE_NAME
Windows cmd.exe
Add a user USER_EMAIL to the role ROLE_NAME for the project PROJECT_NAME.
gcloud projects add-iam-policy-binding PROJECT_NAME ^
--member user:USER_EMAIL --role roles/ROLE_NAME
PowerShell
Add a user USER_EMAIL to the role ROLE_NAME for the project PROJECT_NAME.
gcloud projects add-iam-policy-binding PROJECT_NAME `
--member user:USER_EMAIL --role roles/ROLE_NAME
Command-line
Remove a user USER_EMAIL from the role ROLE_NAME for the project PROJECT_NAME.
gcloud projects remove-iam-policy-binding PROJECT_NAME \
--member user:USER_EMAIL --role roles/ROLE_NAME
Windows cmd.exe
Remove a user USER_EMAIL from the role ROLE_NAME for the project PROJECT_NAME.
gcloud projects remove-iam-policy-binding PROJECT_NAME ^
--member user:USER_EMAIL --role roles/ROLE_NAME
PowerShell
Remove a user USER_EMAIL from the role ROLE_NAME for the project PROJECT_NAME.
gcloud projects remove-iam-policy-binding PROJECT_NAME `
--member user:USER_EMAIL --role roles/ROLE_NAME
Further instructions on using the gcloud command-line tool for Cloud IAM policies are available in the Cloud IAM documentation.
Hierarchy and inheritance
Policy bindings can be specified at the project level, as demonstrated above, but they can also be specified on key rings and keys. Members follow the format user:USER_EMAIL for users and serviceAccount:SERVICE_ACCOUNT_EMAIL for service accounts. Roles follow the format roles/ROLE_NAME. The following example adds a member to a key for a given role:
Command-line
gcloud kms keys add-iam-policy-binding [KEY] --location [LOCATION] \
--keyring [KEYRING] --member user:USER_EMAIL --role roles/ROLE_NAME
To add a policy binding at the key ring level:
Command-line
gcloud kms keyrings add-iam-policy-binding [KEYRING] --location [LOCATION] \
--member user:USER_EMAIL --role roles/ROLE_NAME
Since keys belong to key rings, and key rings belong to projects, a user with a specific role or permission at a higher level in that hierarchy inherits the same permissions on the child resources. That is, a user who has the role of owner on a project is also an owner on all the key rings and keys in that project. Similarly, if a user is granted the cloudkms.admin role on a key ring, they have the associated permissions on the keys in that key ring.
The inverse is not true - that is, a user with a permission on a key who is not also granted a permission on the parent key ring has no permissions on that key ring.
If necessary, a member and role can be removed from a key ring or key policy:
Command-line
gcloud kms keys remove-iam-policy-binding [KEY] --location [LOCATION] \
--keyring [KEYRING] --member user:USER_EMAIL --role roles/ROLE_NAME
Granting permissions to use keys
To allow a user or service account to encrypt or decrypt using a particular key, they must have the cloudkms.cryptoKeyEncrypterDecrypter, cloudkms.cryptoKeyEncrypter, cloudkms.cryptoKeyDecrypter, or owner role, as per the chart in Permissions and Roles.
With KMS, you will most likely use service accounts to perform key operations such as encrypt and decrypt. Usually, the service account's email is derived from the service account name, in the format:
SERVICE_ACCOUNT_NAME@PROJECT_NAME.iam.gserviceaccount.com
For example, if you are accessing KMS from a Google Cloud instance and created a service account my-service-account@my-project.iam.gserviceaccount.com, you can use the gcloud command-line tool to grant that service account permission to use the key golden-egg in the key ring golden-goose from the global location:
Command-line
gcloud kms keys add-iam-policy-binding \
golden-egg --location global --keyring golden-goose \
--member serviceAccount:my-service-account@my-project.iam.gserviceaccount.com \
--role roles/cloudkms.cryptoKeyEncrypterDecrypter
Windows cmd.exe
gcloud kms keys add-iam-policy-binding ^
golden-egg --location global --keyring golden-goose ^
--member serviceAccount:my-service-account@my-project.iam.gserviceaccount.com ^
--role roles/cloudkms.cryptoKeyEncrypterDecrypter
PowerShell
gcloud kms keys add-iam-policy-binding `
golden-egg --location global --keyring golden-goose `
--member serviceAccount:my-service-account@my-project.iam.gserviceaccount.com `
--role roles/cloudkms.cryptoKeyEncrypterDecrypter
Users can be granted permissions to use a key. In this case, the member is user:USER_EMAIL instead of serviceAccount:SERVICE_ACCOUNT_EMAIL:
Command-line
gcloud kms keys add-iam-policy-binding \
golden-egg --location global --keyring golden-goose \
--member user:sillygoose@gmail.com \
--role roles/cloudkms.cryptoKeyEncrypterDecrypter
Windows cmd.exe
gcloud kms keys add-iam-policy-binding ^
golden-egg --location global --keyring golden-goose ^
--member user:sillygoose@gmail.com ^
--role roles/cloudkms.cryptoKeyEncrypterDecrypter
PowerShell
gcloud kms keys add-iam-policy-binding `
golden-egg --location global --keyring golden-goose `
--member user:sillygoose@gmail.com `
--role roles/cloudkms.cryptoKeyEncrypterDecrypter
Granting permissions to manage keys
To allow a user or service account to create or update existing keys, they need at least the editor role, as per the chart above. The cloudkms.admin role also allows them to destroy keys and set Cloud IAM policies. The owner role can do all this, and further encrypt or decrypt using a key.
The following example gives a user sillygoose@gmail.com the cloudkms.admin role for the key golden-egg in the key ring golden-goose:
Command-line
gcloud kms keys add-iam-policy-binding \
golden-egg --location global --keyring golden-goose \
--member user:sillygoose@gmail.com \
--role roles/cloudkms.admin
Windows cmd.exe
gcloud kms keys add-iam-policy-binding ^
golden-egg --location global --keyring golden-goose ^
--member user:sillygoose@gmail.com ^
--role roles/cloudkms.admin
PowerShell
gcloud kms keys add-iam-policy-binding `
golden-egg --location global --keyring golden-goose `
--member user:sillygoose@gmail.com `
--role roles/cloudkms.admin
Getting existing permissions
A user with the viewer, editor, cloudkms.admin or owner role can view the Cloud IAM policy on a key.
Command-line
For example, to get the Cloud IAM policy for key bird in key ring hand:
gcloud kms keys get-iam-policy bird --location global \
--keyring hand
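Because bindings are inherited down the project > key ring > key hierarchy, the policy on a key alone does not show everyone who can use it. The following added example (not Google's code) merges the JSON policies of all three levels, as returned by the get-iam-policy commands above with --format=json, and lists the members holding one of the encrypt/decrypt-capable roles named on this page. It assumes the policy documents have a "bindings" list of {"role", "members"} objects; the three sample policies are constructed.

```python
"""Audit who can encrypt or decrypt with a Cloud KMS key, given the IAM
policies of its project, key ring and key. Added example, not part of
the Cloud KMS documentation; assumes get-iam-policy --format=json output
shaped as {"bindings": [{"role": ..., "members": [...]}, ...]}."""
import json

# Roles that, per this page, permit encrypt and/or decrypt with a key.
# cloudkms.admin and editor manage keys but do not use them.
USE_ROLES = {
    "roles/owner",
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
    "roles/cloudkms.cryptoKeyEncrypter",
    "roles/cloudkms.cryptoKeyDecrypter",
}


def bindings(policy_json):
    """Return {role: set(members)} from one get-iam-policy JSON document."""
    out = {}
    for b in json.loads(policy_json).get("bindings", []):
        out.setdefault(b["role"], set()).update(b.get("members", []))
    return out


def effective_bindings(*policies_high_to_low):
    """Union of bindings from project, key ring and key: a role granted at a
    higher level is inherited by the key, so every level counts."""
    merged = {}
    for pol in policies_high_to_low:
        for role, members in bindings(pol).items():
            merged.setdefault(role, set()).update(members)
    return merged


def key_users(*policies_high_to_low):
    """Members able to encrypt and/or decrypt with the key, mapped to the
    roles that grant it, e.g. {"user:alice@example.com": {"roles/owner"}}."""
    users = {}
    for role, members in effective_bindings(*policies_high_to_low).items():
        if role in USE_ROLES:
            for m in members:
                users.setdefault(m, set()).add(role)
    return users


# Constructed sample policies (not real gcloud output), highest level first.
PROJECT_POLICY = json.dumps({"bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/viewer", "members": ["user:bob@example.com"]}]})
KEYRING_POLICY = json.dumps({"bindings": [
    {"role": "roles/cloudkms.admin", "members": ["user:carol@example.com"]}]})
KEY_POLICY = json.dumps({"bindings": [
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
     "members": ["serviceAccount:my-service-account@my-project.iam.gserviceaccount.com"]}]})
```

Run with the real policies by feeding the three get-iam-policy --format=json outputs to key_users in project, key ring, key order; alice appears only because project-level owner is inherited, and carol does not appear because cloudkms.admin manages keys without using them.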