KMS Common Commands

Create Key Ring

gcloud kms keyrings create [KEYRING_NAME] --location [LOCATION] --project [PROJECT_ID]

Create Crypto Key

gcloud kms keys create [KEY_NAME] \
  --location [LOCATION] \
  --keyring [KEYRING_NAME] \
  --purpose encryption \
  --project [PROJECT_ID]

KMS IAM Roles

  • roles/cloudkms.cryptoKeyEncrypterDecrypter can encrypt and decrypt
  • roles/cloudkms.cryptoKeyEncrypter can only encrypt
  • roles/cloudkms.cryptoKeyDecrypter can only decrypt

Granting Role to a Service Account

gcloud kms keys add-iam-policy-binding [CRYPTO_KEY] \
  --location [LOCATION] \
  --keyring [KEYRING_NAME] \
  --member serviceAccount:[SERVICE_NAME]@[PROJECT_ID].iam.gserviceaccount.com \
  --role roles/cloudkms.cryptoKeyEncrypterDecrypter \
  --project [PROJECT_ID]

Granting Role to a User

gcloud kms keys add-iam-policy-binding [CRYPTO_KEY] \
  --location [LOCATION] \
  --keyring [KEYRING_NAME] \
  --member user:[USER_EMAIL] \
  --role roles/cloudkms.cryptoKeyEncrypterDecrypter \
  --project [PROJECT_ID]

Encrypting a file

gcloud kms encrypt \
  --location [LOCATION] \
  --keyring [KEYRING_NAME] \
  --key [CRYPTO_KEY] \
  --plaintext-file mysecret.txt \
  --ciphertext-file mysecret.txt.encrypted \
  --project [PROJECT_ID]

Decrypting a file

gcloud kms decrypt \
  --location [LOCATION] \
  --keyring [KEYRING_NAME] \
  --key [CRYPTO_KEY] \
  --ciphertext-file mysecret.txt.encrypted \
  --plaintext-file mysecret.txt \
  --project [PROJECT_ID]
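The commands above strung together as one script is an added example, not part of the original gist. It provisions the key ring and key, then splits the IAM grant by duty: a writer service account gets only cryptoKeyEncrypter and a reader gets only cryptoKeyDecrypter, so a compromised writer cannot read what it wrote, and finishes with an encrypt/decrypt round trip that is compared byte for byte. All names (my-project, app-keyring, app-key, secret-writer, secret-reader) are placeholder assumptions, and an authenticated gcloud is assumed; the workflow only runs when invoked with --run, so the functions can be sourced without touching a project.

```shell
#!/bin/sh
# Added example, not part of the original gist. Every value below is a
# placeholder (assumption); override any of them through the environment.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"
LOCATION="${LOCATION:-global}"
KEYRING_NAME="${KEYRING_NAME:-app-keyring}"
KEY_NAME="${KEY_NAME:-app-key}"
WRITER_SA="${WRITER_SA:-secret-writer}"   # hypothetical SA: encrypts only
READER_SA="${READER_SA:-secret-reader}"   # hypothetical SA: decrypts only

kms_create_keyring() {
  gcloud kms keyrings create "$KEYRING_NAME" \
    --location "$LOCATION" \
    --project "$PROJECT_ID"
}

kms_create_key() {
  gcloud kms keys create "$KEY_NAME" \
    --location "$LOCATION" \
    --keyring "$KEYRING_NAME" \
    --purpose encryption \
    --project "$PROJECT_ID"
}

# Bind one predefined KMS role to one service account, on the key itself
# rather than on the key ring or project, so the grant is as narrow as possible.
# $1 = service account name (without the domain part)
# $2 = role suffix: cryptoKeyEncrypter, cryptoKeyDecrypter or cryptoKeyEncrypterDecrypter
kms_grant_sa_role() {
  gcloud kms keys add-iam-policy-binding "$KEY_NAME" \
    --location "$LOCATION" \
    --keyring "$KEYRING_NAME" \
    --member "serviceAccount:$1@$PROJECT_ID.iam.gserviceaccount.com" \
    --role "roles/cloudkms.$2" \
    --project "$PROJECT_ID"
}

# $1 = plaintext path, $2 = ciphertext output path
kms_encrypt_file() {
  gcloud kms encrypt \
    --location "$LOCATION" \
    --keyring "$KEYRING_NAME" \
    --key "$KEY_NAME" \
    --plaintext-file "$1" \
    --ciphertext-file "$2" \
    --project "$PROJECT_ID"
}

# $1 = ciphertext path, $2 = plaintext output path
kms_decrypt_file() {
  gcloud kms decrypt \
    --location "$LOCATION" \
    --keyring "$KEYRING_NAME" \
    --key "$KEY_NAME" \
    --ciphertext-file "$1" \
    --plaintext-file "$2" \
    --project "$PROJECT_ID"
}

# Encrypt, decrypt back, and confirm the round trip byte for byte.
# Returns non-zero if the decrypted output differs from the input.
kms_roundtrip_check() {
  plain="$1"
  kms_encrypt_file "$plain" "$plain.encrypted"
  kms_decrypt_file "$plain.encrypted" "$plain.decrypted"
  cmp -s "$plain" "$plain.decrypted"
}

# Full workflow: provision, grant by duty, verify with a constructed sample file.
kms_provision_and_verify() {
  kms_create_keyring
  kms_create_key
  kms_grant_sa_role "$WRITER_SA" cryptoKeyEncrypter
  kms_grant_sa_role "$READER_SA" cryptoKeyDecrypter
  printf 'constructed sample secret\n' > mysecret.txt
  kms_roundtrip_check mysecret.txt && echo "round trip OK"
}

# Only touch the project when explicitly asked: ./kms_setup.sh --run
if [ "${1:-}" = "--run" ]; then
  kms_provision_and_verify
fi
```

Note that the key ring and the key are created once; rerunning kms_create_keyring or kms_create_key against an existing resource makes gcloud return an error, which set -e turns into an abort, so the script stops rather than silently reusing whatever is already there.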