To enable CMEK for the Logs Router, set this field to a valid kmsKeyName for which the associated service account has the required roles/cloudkms.cryptoKeyEncrypterDecrypter role assigned for the key.
The Cloud KMS key used by the Log Router can be updated by changing the kmsKeyName to a new valid key name. Encryption operations that are in progress will be completed with the key that was in use when they started. Decryption operations will be completed using the key that was used at the time of encryption unless access to that key has been revoked.
To disable CMEK for the Logs Router, set this field to an empty string.
Output only. The service account that will be used by the Logs Router to access your Cloud KMS key.
Before enabling CMEK for Logs Router, you must first assign the role roles/cloudkms.cryptoKeyEncrypterDecrypter to the service account that the Logs Router will use to access your Cloud KMS key. Use v2.getCmekSettings to obtain the service account ID.