CmekSettings

Describes the customer-managed encryption key (CMEK) settings associated with a project, folder, organization, billing account, or flexible resource.

Note: CMEK for the Logs Router can currently only be configured for GCP organizations. Once configured, it applies to all projects and folders in the GCP organization.

See Enabling CMEK for Logs Router for more information.

JSON representation
{
  "name": string,
  "kmsKeyName": string,
  "serviceAccountId": string
}
Fields
name

string

Output only. The resource name of the CMEK settings.

kmsKeyName

string

The resource name for the configured Cloud KMS key.

KMS key name format: "projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEYRING]/cryptoKeys/[KEY]"

For example: "projects/my-project-id/locations/my-region/keyRings/key-ring-name/cryptoKeys/key-name"

To enable CMEK for the Logs Router, set this field to a valid kmsKeyName for which the associated service account has the required roles/cloudkms.cryptoKeyEncrypterDecrypter role assigned for the key.

The Cloud KMS key used by the Log Router can be updated by changing the kmsKeyName to a new valid key name. Encryption operations that are in progress will be completed with the key that was in use when they started. Decryption operations will be completed using the key that was used at the time of encryption unless access to that key has been revoked.

To disable CMEK for the Logs Router, set this field to an empty string.

See Enabling CMEK for Logs Router for more information.

serviceAccountId

string

Output only. The service account that will be used by the Logs Router to access your Cloud KMS key.

Before enabling CMEK for Logs Router, you must first assign the role roles/cloudkms.cryptoKeyEncrypterDecrypter to the service account that the Logs Router will use to access your Cloud KMS key. Use v2.getCmekSettings to obtain the service account ID.

See Enabling CMEK for Logs Router for more information.