Permissions and Roles

KeyRings and CryptoKeys are resources in Google Cloud Platform, and can have IAM policies set on them like any other resource. IAM policies cannot be set on individual CryptoKeyVersions; a permission on a CryptoKeyVersion is granted through the policy of its containing CryptoKey, KeyRing or project. As with other resources, a role granted on the containing project applies to every KeyRing and CryptoKey in that project, so project-level grants should be reserved for identities that need access to all keys. For examples of setting up policies, see Using IAM with Cloud KMS.

Required Permissions

The following table lists the permissions that the caller must have to call each method:

Method Required Permission(s)
locations.list None.
locations.get None.
locations.keyRings.list cloudkms.keyRings.list on the containing Cloud project.
locations.keyRings.get cloudkms.keyRings.get on the requested KeyRing.
locations.keyRings.create cloudkms.keyRings.create on the containing Cloud project.
locations.keyRings.getIamPolicy cloudkms.keyRings.getIamPolicy on the requested KeyRing.
locations.keyRings.setIamPolicy cloudkms.keyRings.setIamPolicy on the requested KeyRing.
locations.keyRings.testIamPermissions None.
locations.keyRings.cryptoKeys.list cloudkms.cryptoKeys.list on the requested KeyRing.
locations.keyRings.cryptoKeys.get cloudkms.cryptoKeys.get on the requested CryptoKey.
locations.keyRings.cryptoKeys.create cloudkms.cryptoKeys.create on the containing KeyRing.
locations.keyRings.cryptoKeys.encrypt cloudkms.cryptoKeyVersions.useToEncrypt on the requested CryptoKey.
locations.keyRings.cryptoKeys.decrypt cloudkms.cryptoKeyVersions.useToDecrypt on the requested CryptoKey.
locations.keyRings.cryptoKeys.patch cloudkms.cryptoKeys.update on the requested CryptoKey.
locations.keyRings.cryptoKeys.updatePrimaryVersion cloudkms.cryptoKeys.update on the requested CryptoKey.
locations.keyRings.cryptoKeys.getIamPolicy cloudkms.cryptoKeys.getIamPolicy on the requested CryptoKey.
locations.keyRings.cryptoKeys.setIamPolicy cloudkms.cryptoKeys.setIamPolicy on the requested CryptoKey.
locations.keyRings.cryptoKeys.testIamPermissions None.
locations.keyRings.cryptoKeys.cryptoKeyVersions.list cloudkms.cryptoKeyVersions.list on the requested CryptoKey.
locations.keyRings.cryptoKeys.cryptoKeyVersions.get cloudkms.cryptoKeyVersions.get on the requested CryptoKeyVersion.
locations.keyRings.cryptoKeys.cryptoKeyVersions.create cloudkms.cryptoKeyVersions.create on the containing CryptoKey.
locations.keyRings.cryptoKeys.cryptoKeyVersions.patch cloudkms.cryptoKeyVersions.update on the requested CryptoKeyVersion.
locations.keyRings.cryptoKeys.cryptoKeyVersions.destroy cloudkms.cryptoKeyVersions.destroy on the requested CryptoKeyVersion.
locations.keyRings.cryptoKeys.cryptoKeyVersions.restore cloudkms.cryptoKeyVersions.restore on the requested CryptoKeyVersion.

Predefined Roles

The following table lists the predefined Google Cloud Key Management Service IAM roles with a corresponding list of all the permissions each role includes. Note that every permission is applicable to a particular resource type.

Primitive roles of Owner, Editor and Viewer are available for use on keys, in addition to predefined roles of Admin, Encrypter/Decrypter, Encrypter and Decrypter specific to Cloud KMS.

The predefined roles allow for a separation of duties where it is needed. The Admin role is meant for users who manage keys but do not use them; the Encrypter and Decrypter roles are meant for services that use a key to encrypt or decrypt data but do not manage it. An identity holding only roles/cloudkms.admin cannot decrypt anything, and an identity holding only roles/cloudkms.cryptoKeyDecrypter cannot change who else may use the key.

Role Includes permission(s): For resource type:
roles/cloudkms.admin
cloudkms.keyRings.setIamPolicy KeyRing
cloudkms.cryptoKeys.setIamPolicy CryptoKey
cloudkms.keyRings.create KeyRing
cloudkms.cryptoKeys.create CryptoKey
cloudkms.cryptoKeyVersions.create CryptoKeyVersion
cloudkms.cryptoKeys.update CryptoKey
cloudkms.cryptoKeyVersions.update CryptoKeyVersion
cloudkms.cryptoKeyVersions.destroy CryptoKeyVersion
cloudkms.cryptoKeyVersions.restore CryptoKeyVersion
cloudkms.keyRings.list KeyRing
cloudkms.cryptoKeys.list CryptoKey
cloudkms.cryptoKeyVersions.list CryptoKeyVersion
cloudkms.keyRings.get KeyRing
cloudkms.cryptoKeys.get CryptoKey
cloudkms.cryptoKeyVersions.get CryptoKeyVersion
cloudkms.keyRings.getIamPolicy KeyRing
cloudkms.cryptoKeys.getIamPolicy CryptoKey
roles/cloudkms.cryptoKeyEncrypterDecrypter
cloudkms.cryptoKeyVersions.useToEncrypt CryptoKeyVersion
cloudkms.cryptoKeyVersions.useToDecrypt CryptoKeyVersion
roles/cloudkms.cryptoKeyEncrypter
cloudkms.cryptoKeyVersions.useToEncrypt CryptoKeyVersion
roles/cloudkms.cryptoKeyDecrypter
cloudkms.cryptoKeyVersions.useToDecrypt CryptoKeyVersion
roles/viewer
cloudkms.keyRings.list KeyRing
cloudkms.cryptoKeys.list CryptoKey
cloudkms.cryptoKeyVersions.list CryptoKeyVersion
cloudkms.keyRings.get KeyRing
cloudkms.cryptoKeys.get CryptoKey
cloudkms.cryptoKeyVersions.get CryptoKeyVersion
cloudkms.keyRings.getIamPolicy KeyRing
cloudkms.cryptoKeys.getIamPolicy CryptoKey
roles/editor
All of the roles/viewer permissions, as well as:
cloudkms.keyRings.create KeyRing
cloudkms.cryptoKeys.create CryptoKey
cloudkms.cryptoKeyVersions.create CryptoKeyVersion
cloudkms.cryptoKeys.update CryptoKey
cloudkms.cryptoKeyVersions.update CryptoKeyVersion
roles/owner
All of the roles/editor permissions, as well as:
cloudkms.cryptoKeyVersions.useToEncrypt CryptoKeyVersion
cloudkms.cryptoKeyVersions.useToDecrypt CryptoKeyVersion
cloudkms.keyRings.setIamPolicy KeyRing
cloudkms.cryptoKeys.setIamPolicy CryptoKey
cloudkms.cryptoKeyVersions.destroy CryptoKeyVersion
cloudkms.cryptoKeyVersions.restore CryptoKeyVersion

Note that the roles roles/owner, roles/editor, and roles/viewer include permissions for other Google Cloud Platform services as well. Granting one of them to give an identity access to keys therefore also grants access unrelated to Cloud KMS; for key access, prefer the Cloud KMS predefined roles or a custom role.

Custom Roles

Cloud IAM also provides the ability to create custom roles. You can create a custom Cloud IAM role with one or more permissions and then grant that custom role to users who are part of your organization. Custom roles enable you to enforce the principle of least privilege, ensuring that the user and service accounts in your organization have only the permissions essential to performing their intended functions. For information about creating custom roles, see Creating and Managing Custom Roles.

To help you define custom roles, the following lists common user flows and the required permissions for performing Cloud KMS operations. This list is not considered exhaustive.

Each user flow below lists the permission(s) required when using the API, followed by the permission(s) required when using the Cloud Platform Console (see footnote 1).

Create a KeyRing
API: cloudkms.keyRings.create on the containing project
Console: same as the required API permissions

Create a CryptoKey
API: cloudkms.cryptoKeys.create on the containing KeyRing
Console: the required API permissions, as well as cloudkms.keyRings.list on the containing project

Create a CryptoKeyVersion
API: cloudkms.cryptoKeyVersions.create on the containing CryptoKey
Console: the required API permissions, as well as cloudkms.cryptoKeys.list on the requested KeyRing and cloudkms.keyRings.list on the containing project

Enable a CryptoKeyVersion
API: cloudkms.cryptoKeyVersions.update on the requested CryptoKeyVersion
Console: the required API permissions, as well as cloudkms.cryptoKeyVersions.list on the requested CryptoKey, cloudkms.cryptoKeys.list on the requested KeyRing and cloudkms.keyRings.list on the containing project

Disable a CryptoKeyVersion
API: cloudkms.cryptoKeyVersions.update on the requested CryptoKeyVersion
Console: the required API permissions, as well as cloudkms.cryptoKeyVersions.list on the requested CryptoKey, cloudkms.cryptoKeys.list on the requested KeyRing and cloudkms.keyRings.list on the containing project

Destroy a CryptoKeyVersion
API: cloudkms.cryptoKeyVersions.destroy on the requested CryptoKeyVersion
Console: the required API permissions, as well as cloudkms.cryptoKeyVersions.list on the requested CryptoKey, cloudkms.cryptoKeys.list on the requested KeyRing and cloudkms.keyRings.list on the containing project

Restore a CryptoKeyVersion
API: cloudkms.cryptoKeyVersions.restore on the requested CryptoKeyVersion
Console: the required API permissions, as well as cloudkms.cryptoKeyVersions.list on the requested CryptoKey, cloudkms.cryptoKeys.list on the requested KeyRing and cloudkms.keyRings.list on the containing project

Rotate a CryptoKey manually
API: cloudkms.cryptoKeyVersions.create and cloudkms.cryptoKeys.update on the requested CryptoKey
Console: the required API permissions, as well as cloudkms.cryptoKeys.list on the requested KeyRing and cloudkms.keyRings.list on the containing project

Set the rotation period on a CryptoKey
API: cloudkms.cryptoKeys.update on the requested CryptoKey
Console: the required API permissions, as well as cloudkms.cryptoKeyVersions.list on the requested CryptoKey, cloudkms.cryptoKeys.list on the requested KeyRing and cloudkms.keyRings.list on the containing project

Encrypt data using a CryptoKey
API: cloudkms.cryptoKeyVersions.useToEncrypt on the requested CryptoKey
Console: not supported in the Cloud Platform Console

Decrypt data using a CryptoKey
API: cloudkms.cryptoKeyVersions.useToDecrypt on the requested CryptoKey
Console: not supported in the Cloud Platform Console

Set permissions on a KeyRing
API: cloudkms.keyRings.setIamPolicy on the requested KeyRing
Console: the required API permissions, as well as cloudkms.keyRings.getIamPolicy on the requested KeyRing

Set permissions on a CryptoKey
API: cloudkms.cryptoKeys.setIamPolicy on the requested CryptoKey
Console: the required API permissions, as well as cloudkms.cryptoKeys.getIamPolicy on the requested CryptoKey

View KeyRings in a project using the Cloud Platform Console
API: N/A
Console: cloudkms.keyRings.list on the containing project

View CryptoKeys in a KeyRing and the KeyRing's metadata using the Cloud Platform Console
API: N/A
Console: cloudkms.cryptoKeys.list on the requested KeyRing, cloudkms.keyRings.get on the requested KeyRing and cloudkms.keyRings.list on the containing project

View CryptoKeyVersions in a CryptoKey and the CryptoKey's metadata using the Cloud Platform Console
API: N/A
Console: cloudkms.cryptoKeyVersions.list on the requested CryptoKey, cloudkms.cryptoKeys.get on the requested CryptoKey, cloudkms.cryptoKeys.list on the requested KeyRing, cloudkms.keyRings.get on the requested KeyRing and cloudkms.keyRings.list on the containing project

1 These permissions are required to navigate through the UI to a resource page. A user can also link directly to the page of a specific resource such as a KeyRing or CryptoKey if the user has sufficient permissions for that resource.

Checking permissions

The keyRings.testIamPermissions and cryptoKeys.testIamPermissions methods require no permission and can be called by any identity to test its own permissions on any Cloud KMS KeyRing or CryptoKey. The call takes a list of permissions and returns the subset that the caller holds; it reports only on the calling identity, so it cannot be used to enumerate what other identities may do (that requires getIamPolicy on the resource).
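The following is an added example, not code from this page or from Google, that models how the predefined roles, a least-privilege custom role and the testIamPermissions check above fit together. It encodes the page's role and method tables as data and resolves them over the resource hierarchy the way IAM does (bindings on a project or KeyRing are inherited below, and a permission on a CryptoKeyVersion resolves against its containing CryptoKey, since no policy can be set on a version). The project, KeyRing, key and identity names, the kmsKeyRotator custom role and the sample policies are all constructed for the example; nothing here calls the Cloud KMS API.

```python
"""Offline model of Cloud KMS IAM resolution (added example, not Google's code).

Encodes the page's tables and evaluates them the way IAM does: bindings on a
project or KeyRing are inherited by the resources beneath it, and a permission
on a CryptoKeyVersion resolves against its containing CryptoKey, since no
policy can be set on a version. Nothing here talks to the Cloud KMS API.
"""
from typing import Dict, Iterator, List, Set

# Predefined Cloud KMS roles and the permissions the page lists for each.
PREDEFINED_ROLES: Dict[str, Set[str]] = {
    "roles/cloudkms.admin": {
        "cloudkms.keyRings.setIamPolicy", "cloudkms.cryptoKeys.setIamPolicy",
        "cloudkms.keyRings.create", "cloudkms.cryptoKeys.create",
        "cloudkms.cryptoKeyVersions.create", "cloudkms.cryptoKeys.update",
        "cloudkms.cryptoKeyVersions.update", "cloudkms.cryptoKeyVersions.destroy",
        "cloudkms.cryptoKeyVersions.restore", "cloudkms.keyRings.list",
        "cloudkms.cryptoKeys.list", "cloudkms.cryptoKeyVersions.list",
        "cloudkms.keyRings.get", "cloudkms.cryptoKeys.get",
        "cloudkms.cryptoKeyVersions.get", "cloudkms.keyRings.getIamPolicy",
        "cloudkms.cryptoKeys.getIamPolicy",
    },
    "roles/cloudkms.cryptoKeyEncrypterDecrypter": {
        "cloudkms.cryptoKeyVersions.useToEncrypt",
        "cloudkms.cryptoKeyVersions.useToDecrypt",
    },
    "roles/cloudkms.cryptoKeyEncrypter": {"cloudkms.cryptoKeyVersions.useToEncrypt"},
    "roles/cloudkms.cryptoKeyDecrypter": {"cloudkms.cryptoKeyVersions.useToDecrypt"},
}

# Hypothetical custom role covering only the "rotate a CryptoKey manually" flow.
CUSTOM_ROLES: Dict[str, Set[str]] = {
    "projects/example-project/roles/kmsKeyRotator": {
        "cloudkms.cryptoKeyVersions.create", "cloudkms.cryptoKeys.update",
    },
}

# Method -> required permission, from the page's Required Permissions table.
METHOD_PERMISSION: Dict[str, str] = {
    "cryptoKeys.encrypt": "cloudkms.cryptoKeyVersions.useToEncrypt",
    "cryptoKeys.decrypt": "cloudkms.cryptoKeyVersions.useToDecrypt",
    "cryptoKeys.setIamPolicy": "cloudkms.cryptoKeys.setIamPolicy",
    "cryptoKeys.updatePrimaryVersion": "cloudkms.cryptoKeys.update",
    "cryptoKeyVersions.create": "cloudkms.cryptoKeyVersions.create",
    "cryptoKeyVersions.destroy": "cloudkms.cryptoKeyVersions.destroy",
}

# Constructed sample identities and resource names (all hypothetical).
ADMIN_GROUP = "group:kms-admins@example.com"
ROTATOR = "user:rotator@example.com"
DB_SA = "serviceAccount:db@example-project.iam.gserviceaccount.com"
PROJECT = "projects/example-project"
KEY_RING = PROJECT + "/locations/global/keyRings/app-ring"
DB_KEY = KEY_RING + "/cryptoKeys/db-key"

# Constructed sample policies: resource -> role -> members. Note the separation
# of duties: admins manage keys at project scope, the service only decrypts.
POLICIES: Dict[str, Dict[str, Set[str]]] = {
    PROJECT: {"roles/cloudkms.admin": {ADMIN_GROUP}},
    KEY_RING: {"projects/example-project/roles/kmsKeyRotator": {ROTATOR}},
    DB_KEY: {"roles/cloudkms.cryptoKeyDecrypter": {DB_SA}},
}


def ancestors(resource: str) -> Iterator[str]:
    """Yield a resource name and each ancestor, nearest first. Names alternate
    collection/id (projects/p/locations/l/keyRings/r/cryptoKeys/k/...), so
    dropping two segments at a time walks version -> key -> ring -> project."""
    parts = resource.split("/")
    while parts:
        yield "/".join(parts)
        parts = parts[:-2]


def granted_permissions(member: str, resource: str) -> Set[str]:
    """Union of permissions from every binding on the resource or an ancestor."""
    perms: Set[str] = set()
    for res in ancestors(resource):
        for role, members in POLICIES.get(res, {}).items():
            if member in members:
                perms |= PREDEFINED_ROLES.get(role) or CUSTOM_ROLES.get(role) or set()
    return perms


def probe_permissions(member: str, resource: str, wanted: List[str]) -> List[str]:
    """Local analogue of testIamPermissions: the subset of `wanted` the caller
    holds. Like the real call, it answers only for the given identity."""
    held = granted_permissions(member, resource)
    return [p for p in wanted if p in held]


def can_call(member: str, method: str, resource: str) -> bool:
    """Whether `member` may invoke `method` on `resource` per the page's table."""
    return METHOD_PERMISSION[method] in granted_permissions(member, resource)


if __name__ == "__main__":
    checks = [(ADMIN_GROUP, "cryptoKeys.setIamPolicy"), (ADMIN_GROUP, "cryptoKeys.decrypt"),
              (DB_SA, "cryptoKeys.decrypt"), (DB_SA, "cryptoKeys.encrypt"),
              (ROTATOR, "cryptoKeyVersions.create"), (ROTATOR, "cryptoKeyVersions.destroy")]
    for who, method in checks:
        verdict = "ALLOW" if can_call(who, method, DB_KEY) else "DENY"
        print(f"{verdict:5} {method:32} {who}")
```

Running the script shows the separation of duties the page describes: the admin group can change the key's policy but not decrypt with it, the database service account can decrypt but neither encrypt nor grant access, and the custom kmsKeyRotator role (inherited from the KeyRing binding) can create a new version and make it primary but cannot destroy versions. Replace the data tables with a policy fetched via getIamPolicy to turn the same logic into an offline audit of real bindings.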
