Create a CMEK policy

This page provides instructions for how to create a customer-managed encryption key (CMEK) policy.

Create a CMEK policy

Use the following instructions to create a CMEK policy using the Google Cloud console or Google Cloud CLI:

Console

  1. Go to the NetApp Volumes page in the Google Cloud console.

    Go to NetApp Volumes

  2. Select CMEK policies.

  3. Under Create a CMEK policy, click Create.

  4. Enter a unique name in the name field for the CMEK policy.

  5. Optional: Add a description in the description field.

  6. Select a region from the region field for the policy.

  7. Select a Cloud KMS key from the following options:

    • Choose from the Cloud KMS keys from your project that appear in the drop-down menu.

    • Select Switch project if you want to look for a Cloud KMS key in a different project. You need roles/cloudkms.viewer in the selected project to be able to browse keys.

    • Select Enter key manually if you want to enter a key manually. This is helpful if you don't have permissions to look up the key you intend to use.

  8. Optional: Add a label in the labels field.

  9. Click Create.

Your CMEK policy appears on the CMEK policies page. The status of the policy has an exclamation exclamation mark. The exclamation mark indicates that this policy needs verification before it's usable. For more information, see Verify key access.

gcloud

Use the following instructions to create a CMEK policy using the Google Cloud CLI.

  1. Run the kms-configs command with the following parameters:

    gcloud netapp kms-configs create CONFIG_NAME \
     --project=PROJECT_ID \
     --location=LOCATION \
     --kms-project=KEY_RING_PROJECT \
     --kms-location=KEY_RING_LOCATION \
     --kms-keyring=KEY_RING \
     --kms-key=KEY_NAME

Replace the following information:

  • CONFIG_NAME: the name of the config to be created. This name must be unique per region.

  • PROJECT_ID: the name of the project you want to create the CMEK policy in.

  • LOCATION: the region of the config to be created in. Google Cloud NetApp Volumes only supports one config per region.

  • KEY_RING_PROJECT: the project ID of the project hosting the KMS key ring.

  • KEY_RING_LOCATION: the location of the KMS key ring.

  • KEY_RING: the name of the KMS key ring.

  • KEY_NAME: the name of the KMS key.

For more options, see Google Cloud SDK documentation for Cloud Key Management Service.

What's next

Verify key access.