kms - Configure Cloud KMS encryption
Synopsis
gsutil kms authorize [-p <proj_id>] -k <kms_key>
gsutil kms encryption [(-d|[-k <kms_key>])] [-w] gs://<bucket_name>...
gsutil kms serviceaccount [-p <proj_id>]
Description
The kms command is used to configure Cloud Storage and Cloud KMS resources to support encryption of Cloud Storage objects with Cloud KMS keys.
The kms command has three sub-commands that deal with configuring Cloud Storage's integration with Cloud KMS: authorize, encryption, and serviceaccount.
Authorize
The authorize sub-command checks that the default (or supplied) project has a Cloud Storage-owned service account created for it, and if not, it creates one. It then adds appropriate encrypt/decrypt permissions to Cloud KMS resources such that the Cloud Storage service account can write and read Cloud KMS-encrypted objects in buckets associated with the specified project.
Authorize Examples
Authorize your default project to use a Cloud KMS key:
gsutil kms authorize \
-k projects/key-project/locations/us-east1/keyRings/key-ring/cryptoKeys/my-key
Authorize "my-project" to use a Cloud KMS key:
gsutil kms authorize -p my-project \
-k projects/key-project/locations/us-east1/keyRings/key-ring/cryptoKeys/my-key
Encryption
The encryption sub-command is used to set, display, or clear a bucket's default KMS key, which is used to encrypt newly-written objects if no other key is specified.
Encryption Examples
Set the default KMS key for my-bucket:
gsutil kms encryption \
-k projects/key-project/locations/us-east1/keyRings/key-ring/cryptoKeys/my-key \
gs://my-bucket
Set the default KMS key for my-bucket, but display a warning rather than failing if gsutil is unable to verify that the specified key contains the correct IAM bindings for encryption/decryption. This is useful for users that do not have getIamPolicy permission but know that the key has the correct IAM policy for encryption in the user's project:
gsutil kms encryption \
-k projects/key-project/locations/us-east1/keyRings/key-ring/cryptoKeys/my-key \
-w gs://my-bucket
Show the default KMS key for my-bucket, if one is set:
gsutil kms encryption gs://my-bucket
Clear the default KMS key so newly-written objects will not be encrypted:
gsutil kms encryption -d gs://my-bucket
Options
-k <key>   Set the default KMS key for the specified bucket using the full path to the key:
           projects/[project-id]/locations/[location]/keyRings/[key-ring]/cryptoKeys/[my-key]
-w         (used with -k key) Display a warning rather than failing if gsutil is unable to verify that the specified key contains the correct IAM bindings for encryption/decryption. This is useful for users that do not have getIamPolicy permission but know that the key has the correct IAM policy for encryption in the user's project.
-d         Clear the default KMS key.
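As an added example (not part of gsutil or this page), the IAM check that the encryption sub-command performs, and that -w downgrades to a warning, can be reproduced offline from the key's IAM policy: the script below reads a policy in the JSON shape that gcloud returns and reports whether the Cloud Storage service agent holds encrypt and decrypt permission on the key. The service-agent naming pattern and the Cloud KMS role names are assumptions of this example (confirm the agent with gsutil kms serviceaccount), and the sample policy is constructed.

```python
"""Check a Cloud KMS key's IAM policy for the Cloud Storage service agent binding
that `gsutil kms authorize` sets up and `gsutil kms encryption -k` verifies."""
import json

# Cloud KMS roles that together permit encrypt + decrypt on a key.
ENCRYPT_DECRYPT = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
ENCRYPT = "roles/cloudkms.cryptoKeyEncrypter"
DECRYPT = "roles/cloudkms.cryptoKeyDecrypter"

def storage_service_agent(project_number: str) -> str:
    """IAM member string for a project's Cloud Storage service agent.
    The naming pattern is this example's assumption; confirm it against
    `gsutil kms serviceaccount -p <project>` before relying on it."""
    return (f"serviceAccount:service-{project_number}"
            "@gs-project-accounts.iam.gserviceaccount.com")

def granted_roles(policy: dict, member: str) -> set:
    """Roles granted unconditionally to `member`; conditional bindings are
    skipped because they may not hold at encrypt/decrypt time."""
    roles = set()
    for binding in policy.get("bindings", []):
        if binding.get("condition"):
            continue
        if member in binding.get("members", []):
            roles.add(binding["role"])
    return roles

def can_encrypt_and_decrypt(policy: dict, member: str) -> bool:
    """True if `member` holds the combined role or both split roles."""
    roles = granted_roles(policy, member)
    return ENCRYPT_DECRYPT in roles or (ENCRYPT in roles and DECRYPT in roles)

# Constructed sample in the JSON shape returned by
# `gcloud kms keys get-iam-policy ... --format=json`.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
     "members": ["serviceAccount:service-123456789012@gs-project-accounts.iam.gserviceaccount.com"]},
    {"role": "roles/cloudkms.cryptoKeyDecrypter",
     "members": ["serviceAccount:service-987654321098@gs-project-accounts.iam.gserviceaccount.com"],
     "condition": {"title": "temporary",
                   "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}}
  ],
  "etag": "constructed-etag", "version": 3}""")

if __name__ == "__main__":
    agent = storage_service_agent("123456789012")
    print(agent, "can encrypt/decrypt:", can_encrypt_and_decrypt(SAMPLE_POLICY, agent))
```

Feed it the real policy of the key named in -k to see whether gsutil's verification would pass before writing objects that depend on it.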
Serviceaccount
The serviceaccount sub-command displays the Cloud Storage-owned service account that is used to perform Cloud KMS operations against your default project (or a supplied project).
Serviceaccount Examples
Show the service account for your default project:
gsutil kms serviceaccount
Show the service account for my-project:
gsutil kms serviceaccount -p my-project