Using the key tracking dashboard


The Cloud KMS key tracking dashboard shows you the Google Cloud resources in your organization that depend on, and are protected by, your Cloud KMS keys. For each key it displays which Google Cloud resources and services are using the key, so you can see what would be affected before you disable, rotate or schedule destruction of a key or key version.

Configure the key tracking dashboard

Follow these steps to enable the key tracking dashboard.

  1. Go to the Key Management page in the Google Cloud console.


  2. Click Key Rings or Key Inventory to access a key.

  3. Click the key name to open the details page for that key. The details page includes a tab called Usage Tracking.

  4. Click the Usage Tracking tab. The key tracking dashboard opens for that key. Until the dashboard has been enabled for your organization, it shows an error stating that the Cloud KMS service account must be granted permission before the dashboard can be used. Only a principal with the resourcemanager.organizations.setIamPolicy permission on your organization can enable the key tracking dashboard; the Organization Administrator (roles/resourcemanager.organizationAdmin) and Security Admin (roles/iam.securityAdmin) roles include this permission.

  5. To enable the dashboard and key usage tracking for the whole organization, the organization administrator or security administrator grants the Cloud KMS service account (service-org-ORG_NUMBER@gcp-sa-cloudkms.iam.gserviceaccount.com) the Cloud KMS service agent role (roles/cloudkms.orgServiceAgent) on the organization. This is a one-time, organization-level grant; it does not give the service agent access to your key material. They can use the following Google Cloud CLI command:


gcloud organizations add-iam-policy-binding ORG_NUMBER \
    --member="serviceAccount:service-org-ORG_NUMBER@gcp-sa-cloudkms.iam.gserviceaccount.com" \
    --role='roles/cloudkms.orgServiceAgent'
        

Replace ORG_NUMBER (in both places) with your organization number, that is, the numeric ID of your organization, not its display name. The service account address is derived from this number, so a wrong value produces a binding for a principal that does not exist and the dashboard stays disabled.

Visibility levels

The key tracking dashboard has two levels of visibility.

  • View key summary - Any user with the cloudkms.cryptoKeys.get permission on a key can view a summary of the key's protected resources in the dashboard: the number of protected resources, how many projects use the key, and how many distinct Google Cloud products use it. This is the first level of visibility and requires no additional grant beyond the dashboard being enabled.

  • View key details - The second level of visibility is the detailed list of the resources protected by a key (resource names, projects, key versions and so on). Because this list reveals resource names across projects the user may not otherwise have access to, it must be granted separately by the organization administrator through the Cloud KMS Protected Resources Viewer role (roles/cloudkms.protectedResourcesViewer). Grant a user detailed protected resource access with the following gcloud CLI command:


gcloud organizations add-iam-policy-binding ORG_NUMBER \
    --member="user:USER_EMAIL" \
    --role='roles/cloudkms.protectedResourcesViewer'

Replace ORG_NUMBER with your organization number and USER_EMAIL with the email address of the user. Make sure there is no whitespace inside the member string; "user:USER_EMAIL " (with a trailing space) is rejected as an invalid principal.
        
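The two grants above (the service agent role that enables the dashboard, and the Protected Resources Viewer role for the detailed view) are easy to get subtly wrong: a mistyped organization number yields a service agent address that does not exist, and a conditional or missing binding leaves the dashboard showing the permission error. The following pre-flight audit is an added example, not code from the Google Cloud documentation or from the gcloud tool. It checks an organization IAM policy, in the JSON shape printed by gcloud organizations get-iam-policy ORG_NUMBER --format=json, for both grants and prints the exact gcloud commands that would close any gap. The organization number, email addresses and policy embedded below are constructed sample data, not real identifiers.

```python
"""Pre-flight audit for the Cloud KMS key tracking dashboard (added example)."""
import re

SERVICE_AGENT_ROLE = "roles/cloudkms.orgServiceAgent"
DETAIL_VIEWER_ROLE = "roles/cloudkms.protectedResourcesViewer"


def service_agent_member(org_number: str) -> str:
    """IAM member string of the Cloud KMS organization service agent.

    The agent's address embeds the numeric organization ID, so passing a
    display name or a project number would produce a binding for a
    principal that does not exist; reject anything that is not all digits.
    """
    if not re.fullmatch(r"\d+", org_number):
        raise ValueError(f"organization number must be numeric, got {org_number!r}")
    return f"serviceAccount:service-org-{org_number}@gcp-sa-cloudkms.iam.gserviceaccount.com"


def members_with_role(policy: dict, role: str) -> set[str]:
    """Members granted `role` by unconditional bindings.

    Conditional bindings are deliberately ignored: whether they apply depends
    on request attributes, so the conservative reading is that the grant may
    not be in effect for the dashboard.
    """
    return {
        member
        for binding in policy.get("bindings", [])
        if binding.get("role") == role and "condition" not in binding
        for member in binding.get("members", [])
    }


def audit(policy: dict, org_number: str, required_viewers: set[str]) -> dict:
    """Report whether the dashboard is enabled and which detail viewers are missing."""
    agent = service_agent_member(org_number)
    viewers = members_with_role(policy, DETAIL_VIEWER_ROLE)
    return {
        "dashboard_enabled": agent in members_with_role(policy, SERVICE_AGENT_ROLE),
        "detail_viewers": sorted(viewers),
        "missing_viewers": sorted(required_viewers - viewers),
    }


def remediation_commands(policy: dict, org_number: str, required_viewers: set[str]) -> list[str]:
    """gcloud commands that would close the gaps found by audit()."""
    report = audit(policy, org_number, required_viewers)
    base = f"gcloud organizations add-iam-policy-binding {org_number}"
    commands = []
    if not report["dashboard_enabled"]:
        commands.append(f"{base} --member='{service_agent_member(org_number)}' --role='{SERVICE_AGENT_ROLE}'")
    for member in report["missing_viewers"]:
        commands.append(f"{base} --member='{member}' --role='{DETAIL_VIEWER_ROLE}'")
    return commands


# Constructed sample policy (not a real organization). The service agent holds
# only a conditional, already-expired grant, so the dashboard must be reported
# as not enabled; one of the two wanted detail viewers is missing.
SAMPLE_ORG = "123456789012"
SAMPLE_POLICY = {
    "bindings": [
        {
            "role": SERVICE_AGENT_ROLE,
            "members": [f"serviceAccount:service-org-{SAMPLE_ORG}@gcp-sa-cloudkms.iam.gserviceaccount.com"],
            "condition": {
                "title": "expired",
                "expression": "request.time < timestamp('2000-01-01T00:00:00Z')",
            },
        },
        {"role": DETAIL_VIEWER_ROLE, "members": ["user:alice@example.com"]},
        {"role": "roles/resourcemanager.organizationAdmin", "members": ["user:admin@example.com"]},
    ],
    "etag": "BwX-constructed-etag",
    "version": 3,
}
SAMPLE_VIEWERS = {"user:alice@example.com", "user:bob@example.com"}

if __name__ == "__main__":
    print(audit(SAMPLE_POLICY, SAMPLE_ORG, SAMPLE_VIEWERS))
    for command in remediation_commands(SAMPLE_POLICY, SAMPLE_ORG, SAMPLE_VIEWERS):
        print(command)
```

To run this against a real organization, replace SAMPLE_POLICY with json.load() of the output of gcloud organizations get-iam-policy ORG_NUMBER --format=json and SAMPLE_VIEWERS with the members who should have the detailed view. Reading the policy requires resourcemanager.organizations.getIamPolicy, while applying the printed commands still requires the setIamPolicy permission described above.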

Access the dashboard

Use the Google Cloud console to view the keys and access the key tracking dashboard.

Console

  1. Go to the Key Management page in the Google Cloud console.


  2. Click the name of the key ring that contains the key you'd like to view.

  3. Click the name of the key.

  4. Click the Usage Tracking tab.

View key attributes

The key tracking dashboard lists each resource protected by a cryptographic key together with the attributes below; with the detailed view (roles/cloudkms.protectedResourcesViewer) you see the individual resources, otherwise only the summary counts.

Key attributes include the following:

  • Resource name: Name of the Google Cloud resource on which a key is being used.
  • Project name: Name of the project with which a key is being used.
  • Key version: The specific key version being used with a particular resource.
  • Cloud product: The Google Cloud product whose resource the key encrypts (Compute Engine, Cloud SQL, Cloud Storage, and so on).
  • Resource type: The type of resource the key encrypts (such as Bucket [Cloud Storage] or Disk [Compute Engine]).
  • Creation date: Time at which the resource was created.
  • Labels: A set of key-value pairs to help organize your resources.

Sort and filter keys

You can sort and filter the list of resources protected by a key using the attributes listed above, for example to find every resource in a given project or every resource still bound to an older key version before you schedule that version for destruction.

Console

  1. Go to the Key Management page in the Google Cloud console.


  2. Click the name of the key ring that contains the key you'd like to view.

  3. Click the name of the key.

  4. Click the Usage Tracking tab.

  5. Click Filter, above the Name attribute.

  6. Select the attribute (resource name, project name, key version, Cloud product, resource type, creation date or labels) to filter the protected resources by.

Limitations

When using the key tracking dashboard, note the following:

  • Limited support for Cloud Storage: The key tracking dashboard includes only limited support for keys used with Cloud Storage. Only a key configured on a bucket (the bucket's default key) is reflected in the dashboard; a key used on an individual object, but not set on the bucket, is not reported, and for buckets only the key, not the key version, is shown.
  • For informational purposes only: Details shown in the key tracking dashboard are for informational purposes only. An empty or short list does not prove that a key is unused, because unsupported resource types and per-object Cloud Storage keys are not reflected. Conduct your own due diligence separately from what appears in the dashboard before making decisions that could result in loss of data, particularly before disabling a key version or scheduling it for destruction.

While the dashboard is in preview, the supported resource types are limited to the following:

  • artifactregistry.googleapis.com/Repository
  • bigquery.googleapis.com/Dataset
  • bigquery.googleapis.com/Table
  • bigtableadmin.googleapis.com/Backup
  • bigtableadmin.googleapis.com/Cluster
  • cloudfunctions.googleapis.com/CloudFunction
  • composer.googleapis.com/Environment
  • compute.googleapis.com/Disk
  • compute.googleapis.com/Image
  • compute.googleapis.com/Snapshot
  • dataproc.googleapis.com/Cluster
  • documentai.googleapis.com/Processor
  • pubsub.googleapis.com/Topic
  • spanner.googleapis.com/Database
  • sqladmin.googleapis.com/Instance
  • storage.googleapis.com/Bucket*

* Only displays key, not key version

If a key is used with a resource type that does not appear in the list above, its usage on that resource type is not reflected in the key tracking dashboard, even though the resource still depends on the key.