Permissions and Roles

KeyRings and CryptoKeys are resources in Google Cloud Platform, and can have IAM policies set on them like any other resource. IAM policies cannot be set on individual CryptoKeyVersions. For examples on setting up policies, see Using IAM.

Required Permissions

The following table lists the permissions that the caller must have to call each method:

Method | Required permission(s)
--- | ---
locations.list | None.
locations.get | None.
locations.keyRings.list | cloudkms.keyRings.list on the containing Cloud project.
locations.keyRings.get | cloudkms.keyRings.get on the requested KeyRing.
locations.keyRings.create | cloudkms.keyRings.create on the containing Cloud project.
locations.keyRings.getIamPolicy | cloudkms.keyRings.getIamPolicy on the requested KeyRing.
locations.keyRings.setIamPolicy | cloudkms.keyRings.setIamPolicy on the requested KeyRing.
locations.keyRings.testIamPermissions | None.
locations.keyRings.cryptoKeys.list | cloudkms.cryptoKeys.list on the requested KeyRing.
locations.keyRings.cryptoKeys.get | cloudkms.cryptoKeys.get on the requested CryptoKey.
locations.keyRings.cryptoKeys.create | cloudkms.cryptoKeys.create on the containing KeyRing.
locations.keyRings.cryptoKeys.encrypt | cloudkms.cryptoKeyVersions.useToEncrypt on the requested CryptoKey.
locations.keyRings.cryptoKeys.decrypt | cloudkms.cryptoKeyVersions.useToDecrypt on the requested CryptoKey.
locations.keyRings.cryptoKeys.patch | cloudkms.cryptoKeys.update on the requested CryptoKey.
locations.keyRings.cryptoKeys.updatePrimaryVersion | cloudkms.cryptoKeys.update on the requested CryptoKey.
locations.keyRings.cryptoKeys.getIamPolicy | cloudkms.cryptoKeys.getIamPolicy on the requested CryptoKey.
locations.keyRings.cryptoKeys.setIamPolicy | cloudkms.cryptoKeys.setIamPolicy on the requested CryptoKey.
locations.keyRings.cryptoKeys.testIamPermissions | None.
locations.keyRings.cryptoKeys.cryptoKeyVersions.list | cloudkms.cryptoKeyVersions.list on the requested CryptoKey.
locations.keyRings.cryptoKeys.cryptoKeyVersions.get | cloudkms.cryptoKeyVersions.get on the requested CryptoKeyVersion.
locations.keyRings.cryptoKeys.cryptoKeyVersions.create | cloudkms.cryptoKeyVersions.create on the containing CryptoKey.
locations.keyRings.cryptoKeys.cryptoKeyVersions.patch | cloudkms.cryptoKeyVersions.update on the requested CryptoKeyVersion.
locations.keyRings.cryptoKeys.cryptoKeyVersions.destroy | cloudkms.cryptoKeyVersions.destroy on the requested CryptoKeyVersion.
locations.keyRings.cryptoKeys.cryptoKeyVersions.restore | cloudkms.cryptoKeyVersions.restore on the requested CryptoKeyVersion.

Roles

The following table lists the Google Cloud KMS IAM roles with a corresponding list of all the permissions each role includes. Note that every permission is applicable to a particular resource type.

The primitive roles Owner, Editor and Viewer can be used on keys, in addition to the predefined roles Admin, Encrypter/Decrypter, Encrypter and Decrypter, which are specific to Cloud KMS.

The predefined roles allow for separation of duties where it is needed. The Admin role is meant for users who manage keys but do not use them, and the Encrypter and Decrypter roles are meant for services that use a key to encrypt and decrypt data but do not manage it.

Role | Includes permission(s) | For resource type
--- | --- | ---
roles/cloudkms.admin | cloudkms.keyRings.setIamPolicy | KeyRing
 | cloudkms.cryptoKeys.setIamPolicy | CryptoKey
 | cloudkms.keyRings.create | KeyRing
 | cloudkms.cryptoKeys.create | CryptoKey
 | cloudkms.cryptoKeyVersions.create | CryptoKeyVersion
 | cloudkms.cryptoKeys.update | CryptoKey
 | cloudkms.cryptoKeyVersions.update | CryptoKeyVersion
 | cloudkms.cryptoKeyVersions.destroy | CryptoKeyVersion
 | cloudkms.cryptoKeyVersions.restore | CryptoKeyVersion
 | cloudkms.keyRings.list | KeyRing
 | cloudkms.cryptoKeys.list | CryptoKey
 | cloudkms.cryptoKeyVersions.list | CryptoKeyVersion
 | cloudkms.keyRings.get | KeyRing
 | cloudkms.cryptoKeys.get | CryptoKey
 | cloudkms.cryptoKeyVersions.get | CryptoKeyVersion
 | cloudkms.keyRings.getIamPolicy | KeyRing
 | cloudkms.cryptoKeys.getIamPolicy | CryptoKey
roles/cloudkms.cryptoKeyEncrypterDecrypter | cloudkms.cryptoKeyVersions.useToEncrypt | CryptoKeyVersion
 | cloudkms.cryptoKeyVersions.useToDecrypt | CryptoKeyVersion
roles/cloudkms.cryptoKeyEncrypter | cloudkms.cryptoKeyVersions.useToEncrypt | CryptoKeyVersion
roles/cloudkms.cryptoKeyDecrypter | cloudkms.cryptoKeyVersions.useToDecrypt | CryptoKeyVersion
roles/viewer | cloudkms.keyRings.list | KeyRing
 | cloudkms.cryptoKeys.list | CryptoKey
 | cloudkms.cryptoKeyVersions.list | CryptoKeyVersion
 | cloudkms.keyRings.get | KeyRing
 | cloudkms.cryptoKeys.get | CryptoKey
 | cloudkms.cryptoKeyVersions.get | CryptoKeyVersion
 | cloudkms.keyRings.getIamPolicy | KeyRing
 | cloudkms.cryptoKeys.getIamPolicy | CryptoKey
roles/editor | All of the roles/viewer permissions above, as well as: | 
 | cloudkms.keyRings.create | KeyRing
 | cloudkms.cryptoKeys.create | CryptoKey
 | cloudkms.cryptoKeyVersions.create | CryptoKeyVersion
 | cloudkms.cryptoKeys.update | CryptoKey
 | cloudkms.cryptoKeyVersions.update | CryptoKeyVersion
roles/owner | All of the roles/editor permissions above, as well as: | 
 | cloudkms.cryptoKeyVersions.useToEncrypt | CryptoKeyVersion
 | cloudkms.cryptoKeyVersions.useToDecrypt | CryptoKeyVersion
 | cloudkms.keyRings.setIamPolicy | KeyRing
 | cloudkms.cryptoKeys.setIamPolicy | CryptoKey
 | cloudkms.cryptoKeyVersions.destroy | CryptoKeyVersion
 | cloudkms.cryptoKeyVersions.restore | CryptoKeyVersion

Note that the roles roles/owner, roles/editor, and roles/viewer include permissions for other Google Cloud Platform services as well.

cloudkms.keyRings.testIamPermissions and cloudkms.cryptoKeys.testIamPermissions can be called by any identity to test its own permissions on any Cloud KMS resource.
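The two tables above (method to required permission, role to granted permissions) together with the hierarchy described at the top of the page (policies on the project, KeyRing and CryptoKey, never on a CryptoKeyVersion) are enough to answer two questions a reviewer of a KMS deployment usually asks: can a given principal call a given method, and which principals hold both management and usage rights on a key, which collapses the separation of duties the predefined roles are designed for. The following offline model is an added example, not Google's code or a Cloud KMS client library; the resource paths, principal names and bindings in `example_policy` are constructed for illustration, and the primitive roles are modelled with only the Cloud KMS permissions listed on this page.

```python
"""Offline model of the Cloud KMS permission and role tables on this page.

Added example, not Google's code. Resource names use the API path form
projects/P/locations/L/keyRings/R/cryptoKeys/K/cryptoKeyVersions/V; the
sample principals and bindings below are constructed for illustration.
"""
from collections import defaultdict

# Method -> required permission (None means any caller), from the first table.
# Keys drop the "locations.keyRings." prefix the table uses.
REQUIRED_PERMISSION = {
    "keyRings.list": "cloudkms.keyRings.list",
    "keyRings.get": "cloudkms.keyRings.get",
    "keyRings.create": "cloudkms.keyRings.create",
    "keyRings.getIamPolicy": "cloudkms.keyRings.getIamPolicy",
    "keyRings.setIamPolicy": "cloudkms.keyRings.setIamPolicy",
    "keyRings.testIamPermissions": None,
    "cryptoKeys.list": "cloudkms.cryptoKeys.list",
    "cryptoKeys.get": "cloudkms.cryptoKeys.get",
    "cryptoKeys.create": "cloudkms.cryptoKeys.create",
    "cryptoKeys.encrypt": "cloudkms.cryptoKeyVersions.useToEncrypt",
    "cryptoKeys.decrypt": "cloudkms.cryptoKeyVersions.useToDecrypt",
    "cryptoKeys.patch": "cloudkms.cryptoKeys.update",
    "cryptoKeys.updatePrimaryVersion": "cloudkms.cryptoKeys.update",
    "cryptoKeys.getIamPolicy": "cloudkms.cryptoKeys.getIamPolicy",
    "cryptoKeys.setIamPolicy": "cloudkms.cryptoKeys.setIamPolicy",
    "cryptoKeys.testIamPermissions": None,
    "cryptoKeyVersions.list": "cloudkms.cryptoKeyVersions.list",
    "cryptoKeyVersions.get": "cloudkms.cryptoKeyVersions.get",
    "cryptoKeyVersions.create": "cloudkms.cryptoKeyVersions.create",
    "cryptoKeyVersions.patch": "cloudkms.cryptoKeyVersions.update",
    "cryptoKeyVersions.destroy": "cloudkms.cryptoKeyVersions.destroy",
    "cryptoKeyVersions.restore": "cloudkms.cryptoKeyVersions.restore",
}

# Role -> permissions, from the second table (Cloud KMS permissions only).
_VIEWER = {
    "cloudkms.keyRings.list", "cloudkms.cryptoKeys.list", "cloudkms.cryptoKeyVersions.list",
    "cloudkms.keyRings.get", "cloudkms.cryptoKeys.get", "cloudkms.cryptoKeyVersions.get",
    "cloudkms.keyRings.getIamPolicy", "cloudkms.cryptoKeys.getIamPolicy",
}
_EDITOR = _VIEWER | {
    "cloudkms.keyRings.create", "cloudkms.cryptoKeys.create", "cloudkms.cryptoKeyVersions.create",
    "cloudkms.cryptoKeys.update", "cloudkms.cryptoKeyVersions.update",
}
USE = {"cloudkms.cryptoKeyVersions.useToEncrypt", "cloudkms.cryptoKeyVersions.useToDecrypt"}
_OWNER = _EDITOR | USE | {
    "cloudkms.keyRings.setIamPolicy", "cloudkms.cryptoKeys.setIamPolicy",
    "cloudkms.cryptoKeyVersions.destroy", "cloudkms.cryptoKeyVersions.restore",
}
ROLE_PERMISSIONS = {
    "roles/viewer": _VIEWER,
    "roles/editor": _EDITOR,
    "roles/owner": _OWNER,
    "roles/cloudkms.admin": _OWNER - USE,  # manages keys, never uses them
    "roles/cloudkms.cryptoKeyEncrypterDecrypter": set(USE),
    "roles/cloudkms.cryptoKeyEncrypter": {"cloudkms.cryptoKeyVersions.useToEncrypt"},
    "roles/cloudkms.cryptoKeyDecrypter": {"cloudkms.cryptoKeyVersions.useToDecrypt"},
}
# Path segment counts that can carry a policy: project (2), KeyRing (6),
# CryptoKey (8). Locations (4) and CryptoKeyVersions (10) cannot.
_POLICY_LEVELS = {2, 6, 8}
# Permissions that change keys or their policies, as opposed to reading them.
MANAGE = _OWNER - USE - _VIEWER


def ancestors(resource):
    """The resource itself and every containing resource, nearest first."""
    parts = resource.split("/")
    return ["/".join(parts[:n]) for n in range(len(parts), 0, -2)]


class Policy:
    """IAM bindings keyed by resource, inherited down the KMS hierarchy."""

    def __init__(self):
        self._bindings = defaultdict(list)  # resource -> [(role, member)]

    def bind(self, resource, role, member):
        if len(resource.split("/")) not in _POLICY_LEVELS:
            raise ValueError(f"no IAM policy can be set on {resource}")
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role}")
        self._bindings[resource].append((role, member))

    def permissions(self, member, resource):
        """Effective permissions of member on resource, via all ancestors."""
        granted = set()
        for res in ancestors(resource):
            for role, who in self._bindings.get(res, ()):
                if who == member:
                    granted |= ROLE_PERMISSIONS[role]
        return granted

    def can_call(self, member, method, resource):
        """True if the first table's permission for method is held on resource."""
        needed = REQUIRED_PERMISSION[method]
        return needed is None or needed in self.permissions(member, resource)

    def separation_of_duties_violations(self):
        """(member, resource) pairs where one member can both manage and use keys."""
        hits = []
        for res, bindings in self._bindings.items():
            for member in sorted({m for _, m in bindings}):
                perms = self.permissions(member, res)
                if perms & USE and perms & MANAGE:
                    hits.append((member, res))
        return hits


# Constructed sample hierarchy and principals (not real resources).
PROJECT = "projects/example-project"
RING = PROJECT + "/locations/global/keyRings/app-ring"
KEY = RING + "/cryptoKeys/app-key"
VERSION = KEY + "/cryptoKeyVersions/1"


def example_policy():
    """Admins manage the ring, one service encrypts and decrypts, a batch job
    only decrypts, and a project owner (flagged) can do everything."""
    p = Policy()
    p.bind(RING, "roles/cloudkms.admin", "group:kms-admins@example.com")
    p.bind(KEY, "roles/cloudkms.cryptoKeyEncrypterDecrypter", "serviceAccount:app@example.com")
    p.bind(KEY, "roles/cloudkms.cryptoKeyDecrypter", "serviceAccount:batch@example.com")
    p.bind(PROJECT, "roles/owner", "user:owner@example.com")
    return p


if __name__ == "__main__":
    p = example_policy()
    print("batch can encrypt:", p.can_call("serviceAccount:batch@example.com", "cryptoKeys.encrypt", KEY))
    print("admins can destroy:", p.can_call("group:kms-admins@example.com", "cryptoKeyVersions.destroy", VERSION))
    print("violations:", p.separation_of_duties_violations())
```

Two points the model makes visible: a binding on the KeyRing is what lets the admin group destroy a CryptoKeyVersion two levels down, because version-level methods are checked against the containing CryptoKey and its ancestors; and a project-level roles/owner binding is reported as a separation-of-duties violation, since the primitive roles bundle useToEncrypt and useToDecrypt with setIamPolicy and destroy, which the predefined Admin role deliberately omits.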
