Questions tagged [google-cloud-kms]

This tag is for questions about Google Cloud KMS, a Google Cloud Platform service which allows developers to store and make use of encryption keys to secure data.

Google Cloud KMS home page

230 questions
38 votes, 2 answers

What are the differences between the KMS and Secret Manager in GCP?

I am wondering if you could please help me out with the following question. What are the differences between the KMS and the Secret Manager in GCP? Thank you in advance. https://cloud.google.com/secret-manager/docs/ HB
31 votes, 5 answers

How to handle secrets in Google App Engine?

My application needs a bunch of secrets to run: database credentials, API credentials, etc. It's running in Google App Engine Standard Java 11. I need these secrets as environment variables or as arguments to my application, so that my framework can…
11 votes, 3 answers

Editing or deleting a key ring from the console

This is a newbie security/console question... I created a key ring in my project in a specific (wrong) location, Europe. I can't see any way in the console to edit or even delete a key ring. The key ring is completely empty... no keys in it. How can I…
D.Baillie
8 votes, 3 answers

Google Cloud Build doesn't substitute values in secrets section of cloudbuild.yaml

I'm trying to create a Cloud Build trigger where secret environment variables are encrypted with Cloud KMS and stored as a substitution variable in Cloud Build. This way my cloud build yaml is fairly generic and the same across all environments…
7 votes, 2 answers

Permission 'cloudkms.cryptoKeyVersions.useToDecrypt' denied for resource ...key

I am building an HTTP endpoint with Google Cloud Functions. I have an encrypted secret stored as a file that is loaded and decrypted in the function as a way to prevent my secret from being stored in the code. Usually I dynamically load something…
7 votes, 1 answer

Can you share Google Cloud KMS keys across projects with service roles?

This GCP article suggests using two separate projects: one for key management, another for encryption/decryption. This seems like a setup that works with User roles, but not with Service roles as a Service role is bound to the project it belongs…
Venantius
7 votes, 1 answer

Google Cloud KMS: encryption works but decryption fails

I am trying to decrypt a token using the Google KMS tool. Running it locally, for some reason, encryption seems to work but not decryption. I am running the following code: import base64 import googleapiclient.discovery kms_client =…
Pascal Delange
6 votes, 3 answers

How should I store access tokens generated by another application using Google Cloud KMS?

I am building a Node.js application that receives a long-term access token from another application that I need to access. I don't want to store these access tokens directly in the database since anyone who has access to these tokens can basically…
6 votes, 4 answers

Google Cloud Function: support for Google Cloud KMS

I am using a Google Cloud Function (GCF) with a Pub/Sub trigger which sends an HTTP request to a third-party API. The GCF receives notifications from a Pub/Sub topic used by a service which should not be aware of the third-party API. The third party…
5 votes, 2 answers

Is there a way to store secrets in GCP, similar to Azure Vault?

I have been trying to find a way to store secrets in GCP. I have explored Google Cloud KMS. It seems to be only for creating encryption keys that can be used to encrypt, say, GCP storage elements. Or maybe I missed something. I have also seen there…
5 votes, 1 answer

Access environment variables stored in Google Secret Manager from Google Cloud Build

How can I access the variables I define in Google Secret Manager from my Google Cloud Build pipeline?
5 votes, 1 answer

Can't update cryptokey in us-central1

For some reason I can't seem to be able to update keys in the us-central1 region. My IAM has both the update and list roles and I use this code: import google.cloud.kms as kms self.client = kms.KeyManagementServiceClient() name =…
5 votes, 2 answers

Attempting to convert some code to Go CDK when using KMS

I have some code to upload and download files from Google Cloud Storage. Below is an abbreviated example: import ( "context" "io" "cloud.google.com/go/storage" ) func upload(bucket, keyName, path string, reader io.Reader) error { …
Mylan Connolly
5 votes, 1 answer

Using Google Cloud Key Management Service to sign JSON Web Tokens

Edit: I found the answer. Scroll to the bottom of this question. I am working on a NodeJS authentication server and I would like to sign JSON Web Tokens (JWT) using Google signatures. I am using Google Cloud Key Management Service (KMS) and I…
5 votes, 1 answer

Get the version of Google KMS key used when decrypting ciphertext

When encrypting symmetrically with Google Cloud's KMS, Google Cloud automatically chooses the primary key version: Each symmetric encryption key has a designated primary version which is used at that point in time to encrypt data. In order for a…
Daniel Compton