Quickstart
- We create a separate key for every single secret. This is probably more than strictly necessary, but it allows every single access to be audited clearly, because each access is logged against its own key.
Steps
- Create a project (you may want to put the storage buckets in a different project).
- Create users:
  - User 1: Manager - roles/cloudkms.admin
  - User 2: Consumer - roles/cloudkms.cryptoKeyEncrypterDecrypter, or, if you want to give them even more limited access, roles/cloudkms.cryptoKeyDecrypter.
- Create a Cloud Storage bucket:
  gsutil mb -p [PROJECT_NAME] -c [STORAGE_CLASS] -l [BUCKET_LOCATION] gs://[BUCKET_NAME]/
  By default you probably want multi_regional for your bucket. In that case, set the bucket location to us, asia, or eu, whichever is closest to most of your infrastructure.
- Grant User 1 roles/storage.objectAdmin.
- Grant User 2 roles/storage.objectViewer.
Create a KeyRing for managing all the secret keys:
gcloud kms keyrings create aletheia --location global
Finally, we need to create a key for the project. It should share the name of your project for ease of discovery:
gcloud kms keys create project-1234 --location global --keyring aletheia --purpose encryption
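The steps above, scripted end to end as an added example (this is not aletheia's own code). It binds the consumer's decrypt role on the individual key rather than the project, which is what makes the one-key-per-secret model enforce least privilege as well as audit it. The project id, bucket name and the two user addresses are placeholders; with DRY_RUN=1 (the default) it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not part of the aletheia docs. Names below are assumptions.
set -eu

PROJECT="${PROJECT:-project-1234}"                 # key name shares the project id
KEYRING="${KEYRING:-aletheia}"
LOCATION="${LOCATION:-global}"
BUCKET="${BUCKET:-${PROJECT}-secrets}"             # assumed bucket name
MANAGER="${MANAGER:-user:manager@example.com}"     # hypothetical User 1
CONSUMER="${CONSUMER:-user:consumer@example.com}"  # hypothetical User 2
DRY_RUN="${DRY_RUN:-1}"                            # 1 = print commands only

# Echo each command; execute it only when DRY_RUN is not 1.
run() {
  printf '%s\n' "$*"
  [ "$DRY_RUN" = "1" ] || "$@"
}

# Fully qualified key name: this is the value that appears in audit log
# entries, which is what makes one-key-per-secret auditable per access.
key_resource() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s\n' \
    "$PROJECT" "$LOCATION" "$KEYRING" "$1"
}

# Key ring plus one encryption key (the project key from the last step).
create_key() {
  run gcloud kms keyrings create "$KEYRING" --location "$LOCATION" --project "$PROJECT"
  run gcloud kms keys create "$1" --location "$LOCATION" --keyring "$KEYRING" \
    --purpose encryption --project "$PROJECT"
}

# Bind on the key ring / key, not the project. roles/cloudkms.admin manages keys
# and policy but carries no encrypt/decrypt permission, and the consumer can
# decrypt with this one key only, so the two duties stay separated.
grant_kms_roles() {
  run gcloud kms keyrings add-iam-policy-binding "$KEYRING" --location "$LOCATION" \
    --project "$PROJECT" --member "$MANAGER" --role roles/cloudkms.admin
  run gcloud kms keys add-iam-policy-binding "$1" --location "$LOCATION" \
    --keyring "$KEYRING" --project "$PROJECT" \
    --member "$CONSUMER" --role roles/cloudkms.cryptoKeyDecrypter
}

# Bucket roles from the steps above: manager writes ciphertext, consumer reads it.
grant_bucket_roles() {
  run gsutil iam ch "${MANAGER}:roles/storage.objectAdmin" "gs://${BUCKET}"
  run gsutil iam ch "${CONSUMER}:roles/storage.objectViewer" "gs://${BUCKET}"
}

[ "${1:-}" = "apply" ] && DRY_RUN=0
create_key "$PROJECT" && grant_kms_roles "$PROJECT" && grant_bucket_roles
echo "Key resource: $(key_resource "$PROJECT")"
```

Run it once without arguments to review the commands, then with `apply` to execute them against the real project.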