kms - Configure Cloud KMS encryption

Synopsis

gsutil kms authorize [-p <proj_id>] -k <kms_key>
gsutil kms encryption [(-d|[-k <kms_key>])] [-w] gs://<bucket_name>...
gsutil kms serviceaccount [-p <proj_id>]

Description

The kms command is used to configure Cloud Storage and Cloud KMS resources to support encryption of Cloud Storage objects with Cloud KMS keys.

The kms command has several sub-commands that deal with configuring Cloud Storage's integration with Cloud KMS:

Authorize

The authorize sub-command checks that the default (or supplied) project has a Cloud Storage-owned service account created for it, and if not, it creates one. It then adds appropriate encrypt/decrypt permissions to Cloud KMS resources such that the Cloud Storage service account can write and read Cloud KMS-encrypted objects in buckets associated with the specified project.

Authorize Examples

Authorize your default project to use a Cloud KMS key:

gsutil kms authorize \
    -k projects/key-project/locations/us-east1/keyRings/key-ring/cryptoKeys/my-key

Authorize "my-project" to use a Cloud KMS key:

gsutil kms authorize -p my-project \
    -k projects/key-project/locations/us-east1/keyRings/key-ring/cryptoKeys/my-key

Encryption

The encryption sub-command is used to set, display, or clear a bucket's default KMS key, which is used to encrypt newly-written objects if no other key is specified.

Encryption Examples

Set the default KMS key for my-bucket:

gsutil kms encryption \
    -k projects/key-project/locations/us-east1/keyRings/key-ring/cryptoKeys/my-key \
    gs://my-bucket

Set the default KMS key for my-bucket, but display a warning rather than failing if gsutil is unable to verify that the specified key contains the correct IAM bindings for encryption/decryption. This is useful for users that do not have getIamPolicy permission but know that the key has the correct IAM policy for encryption in the user's project.

gsutil kms encryption

-k projects/key-project/locations/us-east1/keyRings/key-ring/cryptoKeys/my-key -w gs://my-bucket

Show the default KMS key for my-bucket, if one is set:

gsutil kms encryption gs://my-bucket

Clear the default KMS key so newly-written objects will not be encrypted:

gsutil kms encryption -d gs://my-bucket

Serviceaccount

The serviceaccount sub-command displays the Cloud Storage-owned service account that is used to perform Cloud KMS operations against your default project (or a supplied project).

Serviceaccount Examples

Show the service account for your default project:

gsutil kms serviceaccount

Show the service account for my-project:

gsutil kms serviceaccount -p my-project