kms - Configure Cloud KMS encryption

Synopsis

gsutil kms authorize [-p proj_id] -k kms_key
gsutil kms encryption [(-d|[-k kms_key])] bucket_url...
gsutil kms serviceaccount [-p proj_id]

Description

The kms command is used to configure Cloud Storage and KMS resources to support encryption of Cloud Storage objects with Cloud KMS keys.

The kms command has several sub-commands that deal with configuring Cloud Storage's integration with Cloud KMS:

Authorize

The authorize sub-command checks that the default (or supplied) project has a Cloud Storage-owned service account, and creates one if it does not. It then grants that service account the encrypt/decrypt permissions it needs on the specified Cloud KMS key, so that Cloud Storage can write and read Cloud KMS-encrypted objects in buckets associated with the specified project.

Authorize Examples

Authorize your default project to use a Cloud KMS key:

gsutil kms authorize \
    -k projects/key-project/locations/global/keyRings/key-ring/cryptoKeys/my-key

Authorize "my-project" to use a Cloud KMS key:

gsutil kms authorize -p my-project \
    -k projects/key-project/locations/global/keyRings/key-ring/cryptoKeys/my-key

Encryption

The encryption sub-command is used to set, display, or clear a bucket's default KMS key, which is used to encrypt newly-written objects if no other key is specified.

Encryption Examples

Set the default KMS key for my-bucket:

gsutil kms encryption \
    -k projects/key-project/locations/global/keyRings/key-ring/cryptoKeys/my-key \
    gs://my-bucket

Show the default KMS key for my-bucket, if one is set:

gsutil kms encryption gs://my-bucket

Clear the default KMS key so newly-written objects will not be encrypted:

gsutil kms encryption -d gs://my-bucket
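As an added example (not part of the gsutil documentation), the following POSIX shell script combines the authorize and encryption sub-commands above into one procedure and then reads the bucket's default key back to confirm it was applied. The project, bucket and key names are placeholders; the exact wording of the `gsutil kms encryption` output is assumed, so the parser simply looks for a key resource name anywhere in it. It also rejects a CryptoKeyVersion name up front, since a bucket default key is a CryptoKey, not a version.

```sh
#!/bin/sh
# Added example, not from the gsutil documentation. Wraps the authorize and
# encryption sub-commands in one procedure with a read-back verification step.
# PROJECT, BUCKET and KMS_KEY are placeholders; GSUTIL can be pointed at a
# stub for offline testing.

PROJECT="${PROJECT:-my-project}"
BUCKET="${BUCKET:-gs://my-bucket}"
KMS_KEY="${KMS_KEY:-projects/key-project/locations/global/keyRings/key-ring/cryptoKeys/my-key}"
GSUTIL="${GSUTIL:-gsutil}"

# Return 0 if the argument is a well-formed Cloud KMS CryptoKey resource name.
# A CryptoKeyVersion name (.../cryptoKeyVersions/N) is rejected: the bucket
# default must name the key itself.
kms_key_valid() {
  printf '%s\n' "$1" |
    grep -Eq '^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$'
}

# Read stdin (the output of `gsutil kms encryption BUCKET`) and print the first
# key resource name found. Prints nothing when no default key is reported.
parse_default_key() {
  grep -Eo 'projects/[^/[:space:]]+/locations/[^/[:space:]]+/keyRings/[^/[:space:]]+/cryptoKeys/[^[:space:]]+' |
    head -n 1
}

# Return 0 only if the bucket reports exactly the key we intended to set.
check_default_key() {
  expected="$1"
  actual="$2"
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Full procedure: authorize the project's service account on the key, set the
# bucket default, then read it back and fail if it does not match.
configure_bucket_cmek() {
  if ! kms_key_valid "$KMS_KEY"; then
    echo "invalid Cloud KMS key name: $KMS_KEY" >&2
    return 2
  fi
  "$GSUTIL" kms authorize -p "$PROJECT" -k "$KMS_KEY" || return 1
  "$GSUTIL" kms encryption -k "$KMS_KEY" "$BUCKET" || return 1
  actual="$("$GSUTIL" kms encryption "$BUCKET" | parse_default_key)"
  if ! check_default_key "$KMS_KEY" "$actual"; then
    echo "default key on $BUCKET is '$actual', expected '$KMS_KEY'" >&2
    return 1
  fi
  echo "$BUCKET now encrypts newly written objects with $KMS_KEY"
}

# Only perform the real (network) procedure when invoked as: ./script.sh run
if [ "${1:-}" = "run" ]; then
  configure_bucket_cmek
fi
```

Run it with `PROJECT=... BUCKET=gs://... KMS_KEY=... ./script.sh run`; the read-back step is the part worth keeping in any automation, because a silently failed `encryption -k` leaves new objects protected only by Google-managed keys rather than the key you intended.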

Serviceaccount

The serviceaccount sub-command displays the Cloud Storage-owned service account that is used to perform Cloud KMS operations against your default project (or a supplied project).

Serviceaccount Examples

Show the service account for your default project:

gsutil kms serviceaccount

Show the service account for my-project:

gsutil kms serviceaccount -p my-project