加密 Speech-to-Text 资源

本页面演示如何在 Speech-to-Text 中设置加密密钥以加密 Speech-to-Text 资源。

Speech-to-Text 允许您提供 Cloud Key Management Service 加密密钥,并使用提供的密钥加密数据。如需详细了解加密,请参阅加密页面。

准备工作

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Make sure that billing is enabled for your Google Cloud project.

  4. Enable the Speech-to-Text APIs.

    Enable the APIs

  5. Make sure that you have the following role or roles on the project: Cloud Speech Administrator

    Check for the roles

    1. In the Google Cloud console, go to the IAM page.

      Go to IAM
    2. Select the project.
    3. In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.

    4. For all rows that specify or include you, check the Role colunn to see whether the list of roles includes the required roles.

    Grant the roles

    1. In the Google Cloud console, go to the IAM page.

      进入 IAM
    2. 选择项目。
    3. 点击 授予访问权限
    4. 新的主账号字段中,输入您的用户标识符。 这通常是 Google 账号的电子邮件地址。

    5. 选择角色列表中,选择一个角色。
    6. 如需授予其他角色,请点击 添加其他角色,然后添加其他各个角色。
    7. 点击 Save(保存)。
    8. Install the Google Cloud CLI.
    9. To initialize the gcloud CLI, run the following command:

      gcloud init
    10. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

      Go to project selector

    11. Make sure that billing is enabled for your Google Cloud project.

    12. Enable the Speech-to-Text APIs.

      Enable the APIs

    13. Make sure that you have the following role or roles on the project: Cloud Speech Administrator

      Check for the roles

      1. In the Google Cloud console, go to the IAM page.

        Go to IAM
      2. Select the project.
      3. In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.

      4. For all rows that specify or include you, check the Role colunn to see whether the list of roles includes the required roles.

      Grant the roles

      1. In the Google Cloud console, go to the IAM page.

        进入 IAM
      2. 选择项目。
      3. 点击 授予访问权限
      4. 新的主账号字段中,输入您的用户标识符。 这通常是 Google 账号的电子邮件地址。

      5. 选择角色列表中,选择一个角色。
      6. 如需授予其他角色,请点击 添加其他角色,然后添加其他各个角色。
      7. 点击 Save(保存)。
      8. Install the Google Cloud CLI.
      9. To initialize the gcloud CLI, run the following command:

        gcloud init
      10. 客户端库可以使用应用默认凭据轻松进行 Google API 身份验证,并向这些 API 发送请求。借助应用默认凭据,您可以在本地测试应用并部署它,无需更改底层代码。如需了解详情,请参阅 使用客户端库时进行身份验证

      11. If you're using a local shell, then create local authentication credentials for your user account:

        gcloud auth application-default login

        You don't need to do this if you're using Cloud Shell.

      此外,请确保您已安装客户端库

      启用对 Cloud Key Management Service 密钥的访问权限

      Speech-to-Text 使用服务账号访问您的 Cloud KMS 密钥。默认情况下,服务账号无权访问 Cloud KMS 密钥。

      服务账号电子邮件地址如下所示:

      service-PROJECT_NUMBER@gcp-sa-speech.iam.gserviceaccount.com
      

      若要使用 Cloud KMS 密钥加密 Speech-to-Text 资源,您可以向此服务账号授予 roles/cloudkms.cryptoKeyEncrypterDecrypter 角色:

      gcloud projects add-iam-policy-binding PROJECT_NUMBER \
          --member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-speech.iam.gserviceaccount.com \
          --role=roles/cloudkms.cryptoKeyEncrypterDecrypter

      如需详细了解项目 IAM 政策,请参阅管理对项目、文件夹和组织的访问权限

      如需详细了解如何管理对 Cloud Storage 的访问权限,请参阅 Cloud Storage 文档中的创建和管理访问控制列表

      指定加密密钥

      下面的示例展示了如何使用 Config 资源向 Speech-to-Text 提供加密密钥:

      Python

      import os
      
      from google.cloud.speech_v2 import SpeechClient
      from google.cloud.speech_v2.types import cloud_speech
      
      PROJECT_ID = os.getenv("GOOGLE_CLOUD_PROJECT")
      
      
      def enable_cmek(
          kms_key_name: str,
      ) -> cloud_speech.Config:
          """Enable Customer-Managed Encryption Keys (CMEK) in a project and region.
          Args:
              kms_key_name (str): The full resource name of the KMS key to be used for encryption.
                  E.g,: projects/{PROJECT_ID}/locations/{LOCATION}/keyRings/{KEY_RING}/cryptoKeys/{KEY_NAME}
          Returns:
              cloud_speech.Config: The response from the update configuration request,
              containing the updated configuration details.
          """
          # Instantiates a client
          client = SpeechClient()
      
          request = cloud_speech.UpdateConfigRequest(
              config=cloud_speech.Config(
                  name=f"projects/{PROJECT_ID}/locations/global/config",
                  kms_key_name=kms_key_name,
              ),
              update_mask={"paths": ["kms_key_name"]},
          )
      
          # Updates the KMS key for the project and region.
          response = client.update_config(request=request)
      
          print(f"Updated KMS key: {response.kms_key_name}")
          return response
      
      

      在项目的 [Config] 资源中指定加密密钥时,系统会使用此密钥对在相应位置创建的所有新资源进行加密。如需详细了解加密的内容和时间,请参阅加密页面。

      加密资源在 Speech-to-Text API 响应中填充 kms_key_namekms_key_version_name 字段。

      移除加密

      为了防止使用加密密钥队将来的资源进行加密,请使用上面的代码并在请求中提供空字符串 ("") 作为密钥。这样可以确保新资源不会被加密。此命令不会解密现有资源。

      密钥轮替和删除

      轮替密钥时,使用先前版本的 Cloud KMS 密钥加密的资源仍使用该版本进行加密。密钥轮替后创建的任何资源都会使用密钥的新默认版本进行加密。密钥轮替后(使用 Update* 方法)更新的任何资源都会使用新的密钥版本进行重新加密。

      删除密钥时,Speech-to-Text 无法解密您的数据,也无法创建资源或访问使用删除的密钥加密的资源。同样,撤消密钥的 Speech-to-Text 权限时,Speech-to-Text 无法解密您的数据,也无法创建资源或访问使用撤销了 Speech-to-Text 权限的密钥加密的资源。

      重新加密数据

      若要重新加密资源,您可以在更新 Config 资源中的密钥规范后为每个资源调用相应的 Update* 方法。

      清理

      为避免因本页中使用的资源导致您的 Google Cloud 账号产生费用,请按照以下步骤操作。

      1. Optional: Revoke the authentication credentials that you created, and delete the local credential file.

        gcloud auth application-default revoke
      2. Optional: Revoke credentials from the gcloud CLI.

        gcloud auth revoke

      控制台

    14. In the Google Cloud console, go to the Manage resources page.

      Go to Manage resources

    15. In the project list, select the project that you want to delete, and then click Delete.
    16. In the dialog, type the project ID, and then click Shut down to delete the project.
    17. gcloud

      Delete a Google Cloud project:

      gcloud projects delete PROJECT_ID

      后续步骤