This page provides instructions for how to create a customer-managed encryption key (CMEK) policy.
Create a CMEK policy
Use the following instructions to create a CMEK policy using the Google Cloud console or Google Cloud CLI:
Console
1. Go to the NetApp Volumes page in the Google Cloud console.
2. Select CMEK policies.
3. Under Create a CMEK policy, click Create.
4. Enter a unique name in the name field for the CMEK policy.
5. Optional: Add a description in the description field.
6. Select a region from the region field for the policy.
7. Select a Cloud KMS key from the following options:
   - Choose from the Cloud KMS keys from your project that appear in the drop-down menu.
   - Select Switch project if you want to look for a Cloud KMS key in a different project. You need roles/cloudkms.viewer in the selected project to be able to browse keys.
   - Select Enter key manually if you want to enter a key manually. This is helpful if you don't have permissions to look up the key you intend to use.
8. Optional: Add a label in the labels field.
9. Click Create.
Your CMEK policy appears on the CMEK policies page. The status of the policy shows an exclamation mark, which indicates that this policy needs verification before it's usable. For more information, see Verify key access.
gcloud
Use the following instructions to create a CMEK policy using the Google Cloud CLI.
Run the kms-configs command with the following parameters:

gcloud netapp kms-configs create CONFIG_NAME \
    --project=PROJECT_ID \
    --location=LOCATION \
    --kms-project=KEY_RING_PROJECT \
    --kms-location=KEY_RING_LOCATION \
    --kms-keyring=KEY_RING \
    --kms-key=KEY_NAME
Replace the following information:
- CONFIG_NAME: the name of the config to be created. This name must be unique per region.
- PROJECT_ID: the name of the project you want to create the CMEK policy in.
- LOCATION: the region the config is created in. Google Cloud NetApp Volumes only supports one config per region.
- KEY_RING_PROJECT: the project ID of the project hosting the KMS key ring.
- KEY_RING_LOCATION: the location of the KMS key ring.
- KEY_RING: the name of the KMS key ring.
- KEY_NAME: the name of the KMS key.
For more options, see Google Cloud SDK documentation for Cloud Key Management Service.
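The gcloud procedure above, as an added example that is not part of this page or of Google Cloud NetApp Volumes: a POSIX shell wrapper that takes the full Cloud KMS key resource name (the projects/.../locations/.../keyRings/.../cryptoKeys/... form you would paste into the console's Enter key manually field), splits it into the four --kms-* flags the create command expects, rejects any value that would not be safe on the command line, and prints the finished command or, with DRY_RUN=0, runs it. The function names, the DRY_RUN variable, and the project, region, key ring and key names are all constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original page or of NetApp Volumes itself.
# Wraps the documented `gcloud netapp kms-configs create` call: derives the
# four --kms-* flags from a full Cloud KMS key resource name, rejects inputs
# that would break the command line, and prints or runs the result.

# Accept only characters that appear in Google Cloud resource names and
# need no shell quoting. Usage: check_value LABEL VALUE
check_value() {
  case $2 in
    '' | *[!A-Za-z0-9._-]*)
      printf 'invalid %s: "%s"\n' "$1" "$2" >&2
      return 1 ;;
  esac
}

# Split "projects/P/locations/L/keyRings/R/cryptoKeys/K" into
# "--kms-project=P --kms-location=L --kms-keyring=R --kms-key=K".
# Prints nothing and fails for anything else, including a key version
# path (.../cryptoKeyVersions/N), which is not a key. The body runs in a
# subshell so the IFS change and positional parameters stay local.
kms_key_to_flags() (
  key_name=$1
  IFS=/
  set -- $key_name
  if [ $# -ne 8 ] || [ "$1" != projects ] || [ "$3" != locations ] \
     || [ "$5" != keyRings ] || [ "$7" != cryptoKeys ]; then
    exit 1
  fi
  check_value KEY_RING_PROJECT "$2" || exit 1
  check_value KEY_RING_LOCATION "$4" || exit 1
  check_value KEY_RING "$6" || exit 1
  check_value KEY_NAME "$8" || exit 1
  printf '%s' "--kms-project=$2 --kms-location=$4 --kms-keyring=$6 --kms-key=$8"
)

# Compose the documented create command.
# Usage: build_create_cmd CONFIG_NAME PROJECT_ID LOCATION KMS_KEY_RESOURCE_NAME
# LOCATION is the region of the config; NetApp Volumes allows one config per region.
build_create_cmd() {
  check_value CONFIG_NAME "$1" || return 1
  check_value PROJECT_ID "$2" || return 1
  check_value LOCATION "$3" || return 1
  kms_flags=$(kms_key_to_flags "$4") || {
    printf 'invalid KMS key resource name: "%s"\n' "$4" >&2
    return 1
  }
  printf '%s' "gcloud netapp kms-configs create $1 --project=$2 --location=$3 $kms_flags"
}

# Print the command (DRY_RUN=1, the default here) or execute it (DRY_RUN=0).
# eval is acceptable only because check_value has restricted every value above.
create_kms_config() {
  cmd=$(build_create_cmd "$@") || return 1
  if [ "${DRY_RUN:-1}" = 1 ]; then
    printf '%s\n' "$cmd"
  else
    eval "$cmd"
  fi
}

# Constructed sample values (no real projects or keys). The key ring lives in
# a separate project from the volumes, which the --kms-project flag allows.
create_kms_config example-cmek-policy example-volumes-project us-east4 \
  projects/example-kms-project/locations/us-east4/keyRings/volumes-ring/cryptoKeys/volumes-key
```

Run as-is to see the command it would issue; set DRY_RUN=0 once the values are right. Because the wrapper only accepts letters, digits, dots, underscores and hyphens, a key name copied with a stray space, a trailing slash or a key version suffix is rejected before anything reaches gcloud, which is cheaper than discovering the mistake at the verification step the page describes.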