Encrypt Speech-to-Text resources

This page shows how to configure a Cloud KMS encryption key in Speech-to-Text so that Speech-to-Text resources are encrypted with it.

Speech-to-Text lets you provide Cloud Key Management Service encryption keys and encrypts data with the provided key. To learn more about encryption, see the encryption page.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

  3. Make sure that billing is enabled for your Google Cloud project.

  4. Enable the Speech-to-Text APIs.

  5. Make sure that you have the following role or roles on the project: Cloud Speech Administrator

    Check for the roles

    1. In the Google Cloud console, go to the IAM page.

      Go to IAM
    2. Select the project.
    3. In the Principal column, find the row that has your email address.

      If your email address isn't in that column, then you do not have any roles.

    4. In the Role column for the row with your email address, check whether the list of roles includes the required roles.

    Grant the roles

    1. In the Google Cloud console, go to the IAM page.

      Go to IAM
    2. Select the project.
    3. Click Grant access.
    4. In the New principals field, enter your email address.
    5. In the Select a role list, select a role.
    6. To grant additional roles, click Add another role and add each additional role.
    7. Click Save.
  6. Install the Google Cloud CLI.
  7. To initialize the gcloud CLI, run the following command:

    gcloud init
  8. Client libraries can use Application Default Credentials to easily authenticate with Google APIs and send requests to those APIs. With Application Default Credentials, you can test your application locally and deploy it without changing the underlying code. For more information, see Authenticate for using client libraries.

  9. Create local authentication credentials for your Google Account:

    gcloud auth application-default login

Also ensure you have installed the client library.

Enable access to Cloud Key Management Service keys

Speech-to-Text uses a service account to access your Cloud KMS keys. By default, the service account has no access to Cloud KMS keys.

The service account email address is the following:

service-PROJECT_NUMBER@gcp-sa-speech.iam.gserviceaccount.com

To encrypt Speech-to-Text resources using Cloud KMS keys, you can give this service account the roles/cloudkms.cryptoKeyEncrypterDecrypter role:

gcloud projects add-iam-policy-binding PROJECT_NUMBER \
    --member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-speech.iam.gserviceaccount.com \
    --role=roles/cloudkms.cryptoKeyEncrypterDecrypter

More information about project IAM policy is available at Manage access to projects, folders, and organizations.

More information about managing access to Cloud Storage is available at Create and Manage access control lists in the Cloud Storage documentation.

Specify an encryption key

Here is an example of providing an encryption key to Speech-to-Text using the Config resource:

Python

from google.cloud.speech_v2 import SpeechClient
from google.cloud.speech_v2.types import cloud_speech


def enable_cmek(
    project_id: str,
    kms_key_name: str,
) -> cloud_speech.Config:
    """Set the CMEK key in the project's global Config.

    update_config returns the updated Config resource (not a RecognizeResponse).
    Passing an empty string as kms_key_name stops new resources from being
    encrypted with a customer-managed key; it does not decrypt existing ones.
    """
    # Instantiates a client
    client = SpeechClient()

    request = cloud_speech.UpdateConfigRequest(
        config=cloud_speech.Config(
            name=f"projects/{project_id}/locations/global/config",
            kms_key_name=kms_key_name,
        ),
        update_mask={"paths": ["kms_key_name"]},
    )

    # Updates the KMS key for the project and region.
    response = client.update_config(request=request)

    print(f"Updated KMS key: {response.kms_key_name}")

    return response

When an encryption key is specified in the Config resource of your project, any new resources created in the corresponding location are encrypted using this key. See the encryption page for more information on what is encrypted and when.

Encrypted resources have the kms_key_name and kms_key_version_name fields populated in Speech-to-Text API responses.

Remove encryption

To prevent future resources from being encrypted with an encryption key, use the code above and provide the empty string ("") as the key in the request. This ensures that new resources aren't encrypted. This command doesn't decrypt existing resources.

Key rotation and deletion

On key rotation, resources that are encrypted with a previous version of the Cloud KMS key remain encrypted with that version. Any resources created after the key rotation are encrypted with the new default version of the key. Any resources updated (using Update* methods) after the key rotation are reencrypted with the new default version of the key.

On key deletion, Speech-to-Text can't decrypt your data and can't create resources or access resources encrypted with the deleted key. Likewise, when you revoke Speech-to-Text's permission to use a key, Speech-to-Text can't decrypt your data and can't create resources or access resources encrypted with that key.

Reencrypt data

To reencrypt your resources, you can call the corresponding Update* method for each resource after updating the key specification in the Config resource.
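The rotation, revocation and reencryption behaviour described in the last three sections can be checked from the two response fields the page names (kms_key_name and kms_key_version_name). The following is an added example, not code from the Speech-to-Text documentation or client library: it validates a Cloud KMS key name before it is written into the Config, builds the service-agent address from the page, and classifies resources by whether they are still on the key version the Config currently points at, so that only the stale ones receive an Update* call. The resource names, project number and key names are constructed sample values; the current key version is assumed to have been looked up in Cloud KMS by the caller.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Resource-name shape used by Cloud KMS for a CryptoKey and a CryptoKeyVersion.
_KEY_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$"
)
_VERSION_RE = re.compile(
    r"^(?P<key>projects/.+/cryptoKeys/[^/]+)/cryptoKeyVersions/(?P<version>\d+)$"
)


def speech_service_account(project_number: str) -> str:
    """Service agent Speech-to-Text uses to reach Cloud KMS (address given on the page)."""
    return f"service-{project_number}@gcp-sa-speech.iam.gserviceaccount.com"


def parse_key_name(kms_key_name: str) -> Dict[str, str]:
    """Validate a CryptoKey name before putting it into Config.kms_key_name.

    The empty string is the page's 'stop encrypting new resources' value, so it
    is accepted and yields no components. Anything else must be a full
    projects/.../locations/.../keyRings/.../cryptoKeys/... name.
    """
    if kms_key_name == "":
        return {}
    m = _KEY_RE.match(kms_key_name)
    if not m:
        raise ValueError(f"not a Cloud KMS cryptoKey name: {kms_key_name!r}")
    return m.groupdict()


def is_valid_key_name(kms_key_name: str) -> bool:
    """Boolean wrapper around parse_key_name for callers that only need yes/no."""
    try:
        parse_key_name(kms_key_name)
        return True
    except ValueError:
        return False


@dataclass
class ResourceCrypto:
    """The encryption fields an API response carries for a Speech-to-Text resource."""
    name: str
    kms_key_name: str = ""          # empty on unencrypted resources
    kms_key_version_name: str = ""  # version the resource is actually encrypted with


def classify(resource: ResourceCrypto, config_key: str, current_version: str) -> str:
    """Classify one resource against the key the Config currently names.

    'plaintext' : no CMEK on the resource
    'current'   : encrypted with the Config key at its current version
    'stale'     : encrypted with the Config key, but an older version (rotation happened)
    'other-key' : encrypted with a key the Config no longer names
    """
    if not resource.kms_key_name:
        return "plaintext"
    if resource.kms_key_name != config_key:
        return "other-key"
    vm = _VERSION_RE.match(resource.kms_key_version_name)
    if vm and vm.group("version") == current_version:
        return "current"
    return "stale"


def reencrypt_candidates(resources: List[ResourceCrypto], config_key: str,
                         current_version: str) -> List[str]:
    """Names of resources that still need an Update* call to pick up the new key version."""
    return [r.name for r in resources
            if classify(r, config_key, current_version) in ("stale", "other-key")]


# Constructed sample data: a project whose key was rotated from version 1 to version 2.
SAMPLE_KEY = "projects/example-project/locations/global/keyRings/speech-ring/cryptoKeys/speech-key"
OLD_KEY = "projects/example-project/locations/global/keyRings/speech-ring/cryptoKeys/retired-key"
SAMPLE_RESOURCES = [
    ResourceCrypto("projects/example-project/locations/global/recognizers/r1",
                   SAMPLE_KEY, SAMPLE_KEY + "/cryptoKeyVersions/2"),
    ResourceCrypto("projects/example-project/locations/global/recognizers/r2",
                   SAMPLE_KEY, SAMPLE_KEY + "/cryptoKeyVersions/1"),
    ResourceCrypto("projects/example-project/locations/global/recognizers/r3"),
    ResourceCrypto("projects/example-project/locations/global/recognizers/r4",
                   OLD_KEY, OLD_KEY + "/cryptoKeyVersions/1"),
]


def demo() -> List[str]:
    """Run the classification over the sample inventory (version 2 is the current one)."""
    return reencrypt_candidates(SAMPLE_RESOURCES, SAMPLE_KEY, "2")


if __name__ == "__main__":
    print("Service agent:", speech_service_account("123456789012"))
    for r in SAMPLE_RESOURCES:
        print(r.name.rsplit("/", 1)[-1], "->", classify(r, SAMPLE_KEY, "2"))
    print("Needs Update*:", demo())
```

In practice the resource list comes from the corresponding List* calls and the current version from Cloud KMS; after rotation, run the Update* method for each name in the returned list, as the Reencrypt data section describes. Resources reported as plaintext were created before a key was set and are not changed by removing or rotating the key.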

Clean up

To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.

  1. Optional: Revoke the authentication credentials that you created, and delete the local credential file.

    gcloud auth application-default revoke
  2. Optional: Revoke credentials from the gcloud CLI.

    gcloud auth revoke

Console

  1. In the Google Cloud console, go to the Manage resources page.
  2. In the project list, select the project that you want to delete, and then click Delete.
  3. In the dialog, type the project ID, and then click Shut down to delete the project.

gcloud

Delete a Google Cloud project:

    gcloud projects delete PROJECT_ID

What's next