This page provides instructions for creating a Memorystore for Redis instance that uses customer-managed encryption keys (CMEK), and for managing instances that use CMEK. For more information about customer-managed encryption keys for Memorystore, see Customer-managed encryption keys.
Before you begin
Workflow for creating an instance that uses CMEK
Create a keyring and a key in the region where you want the instance to live (see Creating a key and keyring below).
Copy or write down the key ID (KMS_KEY_ID), the region of the key, and the ID of the keyring (KMS_KEYRING_ID). You need this information when granting the service account access to the key.
Grant the Memorystore service account access to the key (see Granting the service account access to the key below).
In the project that will host the instance, create a Memorystore for Redis instance with CMEK enabled in the same region as the keyring and key.
Your Memorystore for Redis instance is now enabled with CMEK.
Creating a key and keyring
Follow the instructions to create a keyring and to create a key. Both must be in the same region as your Redis instance. The key can belong to a different project from the instance, as long as it is in the same region. The key must use a symmetric encryption algorithm; asymmetric keys cannot be used for CMEK.
Granting the service account access to the key
Before you can create a Redis instance that uses CMEK, you must grant a specific Memorystore service account access to the key. The service account has the following format:
service-[PROJECT-NUMBER]@cloud-redis.iam.gserviceaccount.com
where [PROJECT-NUMBER] is the project number (not the project ID) of the project that contains the Redis instance. If the key lives in a different project, the service account is still the one for the instance's project.
When using the console, you grant the service account access to the key as part of the steps for creating a Redis instance that uses CMEK.
To grant the service account access to the key from the command line, run the following command, replacing the VARIABLES with appropriate values. If the key is in a different project from the instance, add --project=[KEY_PROJECT_ID] so that the binding is applied in the project that holds the key. Granting the role on the individual key, rather than on the keyring or the project, keeps the service account's access scoped to the one key the instance uses.
gcloud kms keys add-iam-policy-binding [KMS_KEY_ID] \
    --location=[REGION_ID] \
    --keyring=[KMS_KEYRING_ID] \
    --member=serviceAccount:service-[PROJECT-NUMBER]@cloud-redis.iam.gserviceaccount.com \
    --role=roles/cloudkms.cryptoKeyEncrypterDecrypter
Creating a Memorystore for Redis instance that uses CMEK
To create an instance with customer-managed encryption keys:
Make sure you have a keyring and key in the same region where you want to create your Memorystore instance.
Follow the instructions at Creating a Redis instance until you reach the step for enabling a customer-managed encryption key, then return to these instructions.
Select Use a customer-managed encryption key (CMEK).
Use the dropdown menu to select your key.
If the Memorystore service account has not been granted the permissions it needs, a text box appears saying:
The service-[PROJECT-NUMBER]@cloud-redis.iam.gserviceaccount.com service account does not have the "cloudkms.cryptoKeyEncrypterDecrypter" role. Verify the service account has permission to encrypt/decrypt with the selected key.
- Click the Grant button to grant the role permission to the Memorystore service account.
Finish selecting your desired configurations for your instance, and click the Create button to create your CMEK enabled Memorystore for Redis instance.
To create an instance that uses customer-managed encryption keys from the command line, enter the following command, replacing the VARIABLES with appropriate values. [PROJECT_NAME] in the key path is the ID of the project that holds the key, which may differ from the project in which the instance is created; [REGION_ID] must be the same in both places.
gcloud beta redis instances create [INSTANCE_ID] --size=[SIZE] \
    --region=[REGION_ID] \
    --customer-managed-key=projects/[PROJECT_NAME]/locations/[REGION_ID]/keyRings/[KEYRING_NAME]/cryptoKeys/[KEY_NAME]
Viewing key information for a CMEK-enabled instance
Follow these instructions to see if CMEK is enabled for your instance, and to view the active key.
In the Google Cloud Console, go to the Memorystore for Redis Instances page.
View the Instance details page for your instance by clicking your Instance ID.
Click the Security tab.
The Encryption with a customer managed key section contains a link to the active key, and shows the key reference path. If this section does not appear, CMEK is not enabled for your instance.
To verify whether CMEK is enabled, and to see the key reference, view the customerManagedKey field in the output of the following command. If the field is absent, CMEK is not enabled for the instance.
gcloud beta redis instances describe INSTANCE_ID --project=PROJECT --region=REGION
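The following script is added here as a worked check; it is not part of the Memorystore documentation or of any Google tooling. It reads the JSON form of the three gcloud outputs that describe a CMEK setup (the instance, the key, and the key's IAM policy) and verifies offline that they agree with the requirements in the sections above: customerManagedKey is set, the key is in the instance's region, it is a symmetric key whose primary version is enabled, and the service agent for the instance's project holds roles/cloudkms.cryptoKeyEncrypterDecrypter on the key (and no public principal does). The project IDs, project number, key and instance names in the embedded samples are invented for this example; the field names follow the JSON that gcloud emits for these resources.

```python
"""Offline sanity check of a Memorystore for Redis CMEK setup (example, not Google code).

Reads three JSON documents of the shape produced by these commands, each saved with --format=json:
  gcloud beta redis instances describe INSTANCE_ID --region=REGION --format=json
  gcloud kms keys describe KEY --keyring=RING --location=REGION --format=json
  gcloud kms keys get-iam-policy KEY --keyring=RING --location=REGION --format=json
and reports anything that would stop the instance from using the key.
"""
import json
import re
import sys

# Role the Memorystore service agent needs on the key.
ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
INSTANCE_RE = re.compile(r"^projects/([^/]+)/locations/([^/]+)/instances/([^/]+)$")
KEY_RE = re.compile(r"^projects/([^/]+)/locations/([^/]+)/keyRings/([^/]+)/cryptoKeys/([^/]+)$")


def service_agent(project_number):
    """IAM member string of the Memorystore service agent for the instance's project."""
    return f"serviceAccount:service-{project_number}@cloud-redis.iam.gserviceaccount.com"


def members_with_role(policy, role):
    """All members bound to `role` in a get-iam-policy document."""
    return {m for b in policy.get("bindings", [])
            if b.get("role") == role for m in b.get("members", [])}


def check_cmek(instance, key, policy, project_number):
    """Return a list of problems; an empty list means the setup is usable."""
    m_inst = INSTANCE_RE.match(instance.get("name", ""))
    if not m_inst:
        return ["instance name is not of the form projects/P/locations/R/instances/I"]
    instance_region = m_inst.group(2)

    key_name = instance.get("customerManagedKey")
    if not key_name:
        return ["CMEK is not enabled: customerManagedKey is absent from the instance"]
    m_key = KEY_RE.match(key_name)
    if not m_key:
        return [f"customerManagedKey is not a cryptoKey resource name: {key_name}"]

    problems = []
    # The key's location is the region in its resource name; it may live in another project.
    key_region = m_key.group(2)
    if key_region != instance_region:
        problems.append(f"key region {key_region} differs from instance region {instance_region}")
    if key.get("name") != key_name:
        problems.append("key describe output is for a different key than the instance references")
    if key.get("purpose") != "ENCRYPT_DECRYPT":
        problems.append(f"key purpose is {key.get('purpose')}, expected ENCRYPT_DECRYPT (symmetric)")
    # Only the primary version is inspected here; a disabled or destroyed version that
    # wrapped existing data is covered by the key-version behaviour section of the page.
    primary = key.get("primary", {})
    if primary.get("state") != "ENABLED":
        problems.append(f"primary key version {primary.get('name')} is {primary.get('state')}, not ENABLED")

    members = members_with_role(policy, ROLE)
    agent = service_agent(project_number)
    if agent not in members:
        problems.append(f"{agent} does not hold {ROLE} on the key")
    for public in ("allUsers", "allAuthenticatedUsers"):
        if public in members:
            problems.append(f"{public} holds {ROLE} on the key")
    return problems


# Constructed sample documents (invented names); shapes follow gcloud's JSON output.
SAMPLE_INSTANCE = {
    "name": "projects/redis-proj/locations/us-central1/instances/cache-1",
    "locationId": "us-central1-a",
    "state": "READY",
    "customerManagedKey": "projects/kms-proj/locations/us-central1/keyRings/redis-ring/cryptoKeys/redis-key",
}
SAMPLE_KEY = {
    "name": "projects/kms-proj/locations/us-central1/keyRings/redis-ring/cryptoKeys/redis-key",
    "purpose": "ENCRYPT_DECRYPT",
    "primary": {"name": SAMPLE_INSTANCE["customerManagedKey"] + "/cryptoKeyVersions/1", "state": "ENABLED"},
    "versionTemplate": {"algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION", "protectionLevel": "SOFTWARE"},
}
SAMPLE_POLICY = {
    "bindings": [{"role": ROLE, "members": [service_agent("123456789012")]}],
    "etag": "BwXyz123=",
    "version": 1,
}


def load(path):
    with open(path) as f:
        return json.load(f)


if __name__ == "__main__":
    # Usage: check_cmek.py instance.json key.json policy.json PROJECT_NUMBER
    if len(sys.argv) == 5:
        args = (load(sys.argv[1]), load(sys.argv[2]), load(sys.argv[3]), sys.argv[4])
    else:
        args = (SAMPLE_INSTANCE, SAMPLE_KEY, SAMPLE_POLICY, "123456789012")
    for line in check_cmek(*args) or ["OK: CMEK enabled and the service agent can use the key"]:
        print(line)
```

Run without arguments it checks the embedded samples and prints OK; with four arguments it checks saved gcloud output. The project number is taken from the command line rather than from the instance JSON because gcloud reports the instance under its project ID, while the service agent's address uses the project number.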
Disabling and re-enabling key versions
For information about what happens when you disable, enable, destroy, or re-enable a key version, see Behavior of destroying/disabling a CMEK key version.
For instructions on how to disable and re-enable key versions, see Enabling and disabling key versions.
For instructions on how to destroy and restore key versions, see Destroying and restoring key versions.