
Cloud KMS for key management in GCP - Commands & Configuration

Introduction
Managing secret keys safely is important to protect your data. Cloud KMS helps you create, store, and control encryption keys in a secure way so only authorized users and services can use them.
When you want to encrypt sensitive data like passwords or API keys before storing them.
When you need to control who can use or manage encryption keys in your cloud projects.
When you want to rotate encryption keys regularly without downtime.
When you want to audit key usage to see who accessed or used your keys.
When you want to integrate encryption keys with other Google Cloud services securely.
Config File - main.tf
provider "google" {
  project = "example-project"
  region  = "us-east1"
}

resource "google_kms_key_ring" "my_key_ring" {
  name     = "my-key-ring"
  location = "us-east1"
}

resource "google_kms_crypto_key" "my_crypto_key" {
  name            = "my-crypto-key"
  key_ring        = google_kms_key_ring.my_key_ring.id
  rotation_period = "2592000s" # 30 days
  lifecycle {
    prevent_destroy = true
  }
}

This Terraform file creates a key ring named my-key-ring in the us-east1 region.

It then creates a crypto key named my-crypto-key inside that key ring.

The key is set to rotate every 30 days automatically.

The prevent_destroy lifecycle rule makes Terraform refuse to destroy the key resource, which guards against an accidental removal from state during a plan or apply. (Cloud KMS itself never deletes key rings or keys; only individual key versions can be scheduled for destruction.)

Commands
This command creates a new key ring named 'my-key-ring' in the 'us-east1' region. Key rings group your keys and help organize them.

gcloud kms keyrings create my-key-ring --location us-east1

Expected output:
Created keyring [my-key-ring].

--location - Specifies the region where the key ring is created.
This command creates a new crypto key named 'my-crypto-key' inside the 'my-key-ring' key ring. It is used for encryption and set to rotate every 30 days (2592000 seconds).

gcloud kms keys create my-crypto-key --location us-east1 --keyring my-key-ring --purpose encryption --rotation-period 2592000s

Expected output:
Created key [my-crypto-key].

--purpose - Defines the key's use, here for encryption.
--rotation-period - Sets how often the key rotates automatically. The Cloud KMS API also expects a next rotation time whenever a rotation period is set; if gcloud rejects the command for that reason, add --next-rotation-time with the timestamp of the first rotation.
This command lists all crypto keys inside the 'my-key-ring' key ring to verify the key was created.

gcloud kms keys list --location us-east1 --keyring my-key-ring

Expected output:
NAME           PURPOSE          PRIMARY_VERSION_STATE
my-crypto-key  ENCRYPT_DECRYPT  ENABLED

--location - Specifies the region of the key ring.
--keyring - Specifies the key ring to list keys from.
This command shows the access policy for the 'my-crypto-key' key. It helps you see who can use or manage the key.

gcloud kms keys get-iam-policy my-crypto-key --location us-east1 --keyring my-key-ring

Expected output:
bindings:
- members:
  - user:example-user@gmail.com
  role: roles/cloudkms.cryptoKeyEncrypterDecrypter
etag: BwW8xYzXxXk=
version: 1

--location - Specifies the region of the key ring.
--keyring - Specifies the key ring containing the key.
Key Concept

If you remember nothing else from this pattern, remember: Cloud KMS lets you safely create and control encryption keys so your data stays protected and access is controlled.

Common Mistakes
Trying to create a crypto key without first creating a key ring.
Keys must belong to a key ring; without it, the command fails.
Always create the key ring first using 'gcloud kms keyrings create' before creating keys inside it.
Not specifying the correct location flag when creating or listing keys.
Keys and key rings are regional; missing or wrong location causes errors or empty results.
Always include the '--location' flag with the correct region for all key-related commands.
Not setting a rotation period for keys that need regular rotation.
Without rotation, the same key version protects all data indefinitely, so a single compromise exposes everything ever encrypted under it.
Use the '--rotation-period' flag to set automatic key rotation for better security.
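The get-iam-policy command above and the rotation mistake just described both come down to checking machine-readable output, which is easier with --format=json than by eye. The following is an added example (not part of the original page or of any Google tooling) of a small audit script for that output: it reads a key description and its IAM policy, and reports a missing or overly long rotation period, an overdue next rotation, a disabled primary version, public principals (allUsers, allAuthenticatedUsers) and key-administration roles. The two JSON documents are constructed to match the shape of `gcloud kms keys describe ... --format=json` and `gcloud kms keys get-iam-policy ... --format=json`; the 90-day limit and the role sets are assumptions you would tune to your own policy.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `gcloud kms keys describe my-crypto-key --location us-east1
#   --keyring my-key-ring --format=json` for the key built on this page (values made up).
SAMPLE_KEY_JSON = """
{
  "name": "projects/example-project/locations/us-east1/keyRings/my-key-ring/cryptoKeys/my-crypto-key",
  "purpose": "ENCRYPT_DECRYPT",
  "rotationPeriod": "2592000s",
  "nextRotationTime": "2024-01-31T00:00:00.123456789Z",
  "primary": {"state": "ENABLED"}
}
"""

# Constructed sample of `gcloud kms keys get-iam-policy ... --format=json`, with one
# deliberately bad binding added to the page's policy so the audit has something to find.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
     "members": ["user:example-user@gmail.com"]},
    {"role": "roles/cloudkms.admin",
     "members": ["allAuthenticatedUsers"]}
  ],
  "etag": "BwW8xYzXxXk=",
  "version": 1
}
"""

# Assumed organisational policy: rotate at least every 90 days.
MAX_ROTATION = timedelta(days=90)
# Principals that make a key usable by anyone with (or without) a Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Roles that allow changing the key or its policy rather than merely using it (assumed set).
ADMIN_ROLES = {"roles/cloudkms.admin", "roles/owner", "roles/editor"}
# Fixed "now" so the sample audit is reproducible; real runs use the current time.
FIXED_NOW = datetime(2024, 2, 15, tzinfo=timezone.utc)


def parse_duration(value):
    """Parse a Cloud KMS duration such as '2592000s' into a timedelta."""
    if not value.endswith("s"):
        raise ValueError(f"unexpected duration format: {value!r}")
    return timedelta(seconds=float(value[:-1]))


def parse_timestamp(value):
    """Parse an RFC 3339 UTC timestamp; KMS may emit nanoseconds, fromisoformat takes at most 6 digits."""
    value = re.sub(r"\.(\d{6})\d+", r".\1", value)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_key(key, now):
    """Return findings about rotation settings and the primary version of one crypto key."""
    findings = []
    period = key.get("rotationPeriod")
    if not period:
        findings.append("no rotationPeriod set: key never rotates automatically")
    else:
        if parse_duration(period) > MAX_ROTATION:
            findings.append(f"rotationPeriod {period} exceeds the {MAX_ROTATION.days}-day limit")
        next_rotation = key.get("nextRotationTime")
        if next_rotation and parse_timestamp(next_rotation) < now:
            findings.append(f"nextRotationTime {next_rotation} is in the past: rotation is overdue")
    if key.get("primary", {}).get("state") != "ENABLED":
        findings.append("primary version is not ENABLED: encrypt calls will fail")
    return findings


def check_policy(policy):
    """Return findings about who can use or administer the key."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(f"{role} granted to public principal {member}")
            if role in ADMIN_ROLES:
                findings.append(f"{member} holds key-administration role {role}")
    return findings


def audit(key_json, policy_json, now=None):
    """Audit a key description and its IAM policy (both as JSON text) and return all findings."""
    now = now or datetime.now(timezone.utc)
    return check_key(json.loads(key_json), now) + check_policy(json.loads(policy_json))


if __name__ == "__main__":
    for finding in audit(SAMPLE_KEY_JSON, SAMPLE_POLICY_JSON, now=FIXED_NOW):
        print("FINDING:", finding)
```

In practice you would feed the script the real output, e.g. `gcloud kms keys describe my-crypto-key --location us-east1 --keyring my-key-ring --format=json` and the matching get-iam-policy call, and run it across every key ring in the project; an empty findings list is the expected state for a key that follows the rotation and least-privilege advice on this page.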
Summary
Create a key ring to organize your encryption keys.
Create a crypto key inside the key ring with a purpose and optional rotation.
List keys to verify creation and check access policies to control usage.