This page demonstrates how to set an encryption key in Speech-to-Text to encrypt Speech-to-Text resources.
Speech-to-Text lets you provide Cloud Key Management Service encryption keys and encrypts data with the provided key. To learn more about encryption, see the encryption page.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Google Cloud project.
-
Enable the Speech-to-Text APIs.
-
Make sure that you have the following role or roles on the project: Cloud Speech Administrator
Check for the roles
-
In the Google Cloud console, go to the IAM page.
Go to IAM - Select the project.
-
In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.
- For all rows that specify or include you, check the Role colunn to see whether the list of roles includes the required roles.
Grant the roles
-
In the Google Cloud console, go to the IAM page.
Go to IAM - Select the project.
- Click Grant access.
-
In the New principals field, enter your user identifier. This is typically the email address for a Google Account.
- In the Select a role list, select a role.
- To grant additional roles, click Add another role and add each additional role.
- Click Save.
-
- Install the Google Cloud CLI.
-
To initialize the gcloud CLI, run the following command:
gcloud init
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Google Cloud project.
-
Enable the Speech-to-Text APIs.
-
Make sure that you have the following role or roles on the project: Cloud Speech Administrator
Check for the roles
-
In the Google Cloud console, go to the IAM page.
Go to IAM - Select the project.
-
In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.
- For all rows that specify or include you, check the Role colunn to see whether the list of roles includes the required roles.
Grant the roles
-
In the Google Cloud console, go to the IAM page.
Go to IAM - Select the project.
- Click Grant access.
-
In the New principals field, enter your user identifier. This is typically the email address for a Google Account.
- In the Select a role list, select a role.
- To grant additional roles, click Add another role and add each additional role.
- Click Save.
-
- Install the Google Cloud CLI.
-
To initialize the gcloud CLI, run the following command:
gcloud init
-
If you're using a local shell, then create local authentication credentials for your user account:
gcloud auth application-default login
You don't need to do this if you're using Cloud Shell.
Client libraries can use Application Default Credentials to easily authenticate with Google APIs and send requests to those APIs. With Application Default Credentials, you can test your application locally and deploy it without changing the underlying code. For more information, see Authenticate for using client libraries.
Also ensure you have installed the client library.
Enable access to Cloud Key Management Service keys
Speech-to-Text uses a service account to access your Cloud KMS keys. By default, the service account has no access to Cloud KMS keys.
The service account email address is the following:
service-PROJECT_NUMBER@gcp-sa-speech.iam.gserviceaccount.com
To encrypt Speech-to-Text resources using Cloud KMS
keys, you can give this service account the
roles/cloudkms.cryptoKeyEncrypterDecrypter
role:
gcloud projects add-iam-policy-binding PROJECT_NUMBER \
--member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-speech.iam.gserviceaccount.com \
--role=roles/cloudkms.cryptoKeyEncrypterDecrypter
More information about project IAM policy is available at Manage access to projects, folders, and organizations.
More information about managing access to Cloud Storage is available at Create and Manage access control lists in the Cloud Storage documentation.
Specify an encryption key
Here is an example of providing an encryption key to Speech-to-Text using the
Config
resource:
Python
When an encryption key is specified in the [Config
] resource of your project,
any new resources created in the corresponding location are encrypted using
this key. See the encryption page for more information on what
is encrypted and when.
Encrypted resources have the kms_key_name
and kms_key_version_name
fields populated in Speech-to-Text API responses.
Remove encryption
To prevent future resources from being encrypted with an encryption key, use the
code above and provide the empty string (""
) as the key in the request. This
ensures that new resources aren't encrypted. This command doesn't decrypt
existing resources.
Key rotation and deletion
On key rotation, resources that are encrypted with a previous version of
the Cloud KMS key remain encrypted with that version. Any
resources created after the key rotation are encrypted with the new default
version of the key. Any resources updated (using Update*
methods) after the
key rotation are reencrypted with the new default version of the key.
On key deletion, Speech-to-Text can't decrypt your data and can't create resources or access resources encrypted with the deleted key. Likewise, when you revoke Speech-to-Text permission for a key, Speech-to-Text can't decrypt your data and can't create resources or access resources encrypted with the Speech-to-Text permission-revoked key.
Reencrypt data
To reencrypt your resources, you can call the corresponding Update*
method
for each resource after updating the key specification in the Config
resource.
Clean up
To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.
-
Optional: Revoke the authentication credentials that you created, and delete the local credential file.
gcloud auth application-default revoke
-
Optional: Revoke credentials from the gcloud CLI.
gcloud auth revoke
Console
gcloud
Delete a Google Cloud project:
gcloud projects delete PROJECT_ID
What's next
- Learn more about what is encrypted when specifying encryption keys in Speech-to-Text.
- Learn how to transcribe streaming audio.
- Learn how to transcribe long audio files.
- Practice transcribing short audio files.
- For best performance, accuracy, and other tips, see the best practices documentation.