Encrypt Speech-to-Text resources

This page demonstrates how to set an encryption key in Speech-to-Text to encrypt Speech-to-Text resources.

Speech-to-Text lets you provide Cloud Key Management Service encryption keys and encrypts data with the provided key. To learn more about encryption, see the encryption page.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Make sure that billing is enabled for your Google Cloud project.

  4. Enable the Speech-to-Text APIs.

    Enable the APIs

  5. Make sure that you have the following role or roles on the project: Cloud Speech Administrator

    Check for the roles

    1. In the Google Cloud console, go to the IAM page.

      Go to IAM
    2. Select the project.

    3. In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.

    4. For all rows that specify or include you, check the Role colunn to see whether the list of roles includes the required roles.

    Grant the roles

    1. In the Google Cloud console, go to the IAM page.

      Go to IAM
    2. Select the project.
    3. Click Grant access.

    4. In the New principals field, enter your user identifier. This is typically the email address for a Google Account.

    5. In the Select a role list, select a role.
    6. To grant additional roles, click Add another role and add each additional role.
    7. Click Save.
  6. Install the Google Cloud CLI.

  7. To initialize the gcloud CLI, run the following command: 

    gcloud init

  8. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  9. Make sure that billing is enabled for your Google Cloud project.

  10. Enable the Speech-to-Text APIs.

    Enable the APIs

  11. Make sure that you have the following role or roles on the project: Cloud Speech Administrator

    Check for the roles

    1. In the Google Cloud console, go to the IAM page.

      Go to IAM
    2. Select the project.

    3. In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.

    4. For all rows that specify or include you, check the Role colunn to see whether the list of roles includes the required roles.

    Grant the roles

    1. In the Google Cloud console, go to the IAM page.

      Go to IAM
    2. Select the project.
    3. Click Grant access.

    4. In the New principals field, enter your user identifier. This is typically the email address for a Google Account.

    5. In the Select a role list, select a role.
    6. To grant additional roles, click Add another role and add each additional role.
    7. Click Save.
  12. Install the Google Cloud CLI.

  13. To initialize the gcloud CLI, run the following command: 

    gcloud init

    14. Client libraries can use Application Default Credentials to easily authenticate with Google APIs and send requests to those APIs. With Application Default Credentials, you can test your application locally and deploy it without changing the underlying code. For more information, see Authenticate for using client libraries.

  14. If you're using a local shell, then create local authentication credentials for your user account: 

    gcloud auth application-default login

    You don't need to do this if you're using Cloud Shell.

Also ensure you have installed the client library.

Enable access to Cloud Key Management Service keys

Speech-to-Text uses a service account to access your Cloud KMS keys. By default, the service account has no access to Cloud KMS keys.

The service account email address is the following:

service-PROJECT_NUMBER@gcp-sa-speech.iam.gserviceaccount.com

To encrypt Speech-to-Text resources using Cloud KMS keys, you can give this service account the roles/cloudkms.cryptoKeyEncrypterDecrypter role:

gcloud projects add-iam-policy-binding PROJECT_NUMBER \
    --member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-speech.iam.gserviceaccount.com \
    --role=roles/cloudkms.cryptoKeyEncrypterDecrypter

More information about project IAM policy is available at Manage access to projects, folders, and organizations.

More information about managing access to Cloud Storage is available at Create and Manage access control lists in the Cloud Storage documentation.

Specify an encryption key

Here is an example of providing an encryption key to Speech-to-Text using the Config resource:

Python

import os

from google.cloud.speech_v2 import SpeechClient
from google.cloud.speech_v2.types import cloud_speech

PROJECT_ID = os.getenv("GOOGLE_CLOUD_PROJECT")


def enable_cmek(
    kms_key_name: str,
) -> cloud_speech.Config:
    """Enable Customer-Managed Encryption Keys (CMEK) in a project and region.
    Args:
        kms_key_name (str): The full resource name of the KMS key to be used for encryption.
            E.g,: projects/{PROJECT_ID}/locations/{LOCATION}/keyRings/{KEY_RING}/cryptoKeys/{KEY_NAME}
    Returns:
        cloud_speech.Config: The response from the update configuration request,
        containing the updated configuration details.
    """
    # Instantiates a client
    client = SpeechClient()

    request = cloud_speech.UpdateConfigRequest(
        config=cloud_speech.Config(
            name=f"projects/{PROJECT_ID}/locations/global/config",
            kms_key_name=kms_key_name,
        ),
        update_mask={"paths": ["kms_key_name"]},
    )

    # Updates the KMS key for the project and region.
    response = client.update_config(request=request)

    print(f"Updated KMS key: {response.kms_key_name}")
    return response

When an encryption key is specified in the [Config] resource of your project, any new resources created in the corresponding location are encrypted using this key. See the encryption page for more information on what is encrypted and when.

Encrypted resources have the kms_key_name and kms_key_version_name fields populated in Speech-to-Text API responses.

Remove encryption

To prevent future resources from being encrypted with an encryption key, use the code above and provide the empty string ("") as the key in the request. This ensures that new resources aren't encrypted. This command doesn't decrypt existing resources.

Key rotation and deletion

On key rotation, resources that are encrypted with a previous version of the Cloud KMS key remain encrypted with that version. Any resources created after the key rotation are encrypted with the new default version of the key. Any resources updated (using Update* methods) after the key rotation are reencrypted with the new default version of the key.

On key deletion, Speech-to-Text can't decrypt your data and can't create resources or access resources encrypted with the deleted key. Likewise, when you revoke Speech-to-Text permission for a key, Speech-to-Text can't decrypt your data and can't create resources or access resources encrypted with the Speech-to-Text permission-revoked key.

Reencrypt data

To reencrypt your resources, you can call the corresponding Update* method for each resource after updating the key specification in the Config resource.

Clean up

To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.

  1. Optional: Revoke the authentication credentials that you created, and delete the local credential file. 

    gcloud auth application-default revoke

  2. Optional: Revoke credentials from the gcloud CLI. 

    gcloud auth revoke

Console

  • In the Google Cloud console, go to the Manage resources page.

    Go to Manage resources

  • In the project list, select the project that you want to delete, and then click Delete.
  • In the dialog, type the project ID, and then click Shut down to delete the project.

    • gcloud

    Delete a Google Cloud project:

    gcloud projects delete PROJECT_ID

    What's next