Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Google Cloud External Key Manager Resources

Managing Google EKM Endpoint Policies

search

Please Note:

Managing Google EKM Endpoint Policies

When you create a Google External Key Manager (EKM) or EKM Ubiquitous Data Encryption (EKM UDE) endpoint, policies are associated with it to control which requests are processed. Users in the 'CCKM Admins' group can edit the EKM or EKM UDE endpoint policies. While the CipherTrust Manager web console and the REST API provide a basic format for editing policies, the Raw editing options requires understanding of the Open Policy Agent (OPA) policy engine.

If you wish to edit the Key Access Justification Reasons, this feature is described in detail in Google Cloud Platform documentation.

Edit the Policies for EKM and EKM UDE Endpoints

To edit the policies, you can also patch the /v1/cckm/ekm/endpoints/{id}/policiesREST API endpoint, or use ksctl cckm ekm endpoints policy update --id <policy-id> --ekm-endpoint-update-policy-file <filename> to pass in a new policy file.

In the GUI:

  1. Login to the CipherTrust Manager products page as a user in the 'CCKM Admins' group.

  2. Navigate to Cloud Key Manager>Services>Google Cloud EKM

  3. Find the endpoint in the list, and click the ellipsis icon(...) at the far right for options.

  4. Click View/Edit.

    The policy options are visible in the Endpoint Policy section. The Basic View is selected by default.

  5. Skip to step 6 for editing in Raw View. In Basic View, you can edit the following policies:

    • Clients allowed to use the endpoint, specified as a list separated by commas. Google service accounts are in the format of an email address, <service-account-name>@<project-id>.iam.gserviceaccount.com.

    • Whether Key Access Justifications are required or not.

    • If Key Access Justifications are required, which justification reasons are accepted.

    • EKM UDE endpoints have additional fields for Zones, Project IDs, and Instance Names. These settings constrain which workloads can use the EKM UDE Endpoint, and are enforced whenever a Confidential VM originates a request.

  6. In Raw View, you can edit the following parameters:

    • package controls the rego policy package name.

    • default allow is a mandatory line to declare whether the rego policy is enforced. Setting this to false enables the policy and setting it to true disables the policy.

    • input.clients controls which clients are allowed to access the endpoint. This should match the clients on Google Cloud Service Accounts that are allowed to perform wrap or unwrap operations.

    • default allowedJustification controls whether Key Access Justifications are required or not.

    • input.justificationReason controls what justification reason needs to be provided for Google Cloud EKM to initiate a wrap or unwrap operation. You can remove this line, or comment it out with # at the start of the line if you do not require the feature.

    • EKM UDE endpoints have additional lines to set Zones, Project IDs, and Instance Names, which are input.attestationZones, input.attestationProjectIDs, and input.instanceNames respectively. These settings constrain which workloads can use the EKM UDE Endpoint, and are enforced whenever a Confidential VM originates a request.

  7. Click Update.

Key Access Justifications

Justification reasons are used by the Key Access Justifications feature in Google Cloud. This feature is optional for EKM and EKM UDE. When justification reasons are set, they need to be provided for Google Cloud EKM to initiate a wrap or unwrap operation.

The supported justification reasons are:

  • REASON_UNSPECIFIED

  • CUSTOMER_INITIATED_SUPPORT

  • GOOGLE_INITIATED_SERVICE

  • THIRD_PARTY_DATA_REQUEST

  • GOOGLE_INITIATED_REVIEW

  • CUSTOMER_INITIATED_ACCESS

  • GOOGLE_INITIATED_SYSTEM_OPERATION

  • REASON_NOT_EXPECTED

  • MODIFIED_CUSTOMER_INITIATED_ACCESS

  • GOOGLE_RESPONSE_TO_PRODUCTION_ALERT

  • MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION

  • CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING

Note

These justification reasons appear with spaces instead of underscores and with lowercase letters in the CipherTrust Manager GUI Basic View. For example, GOOGLE_INITIATED_REVIEW appears as Google Initiated Review in the Basic View.

In OPA format, this is expressed as:

package example
default allow = false
allow {
# Uncomment and add specific clients in below line to allow wrap/unwrap from Google services
# input.clients == {"abc@yahoo.com", "abc@google.com", "abc@msn.com"}[_]
input.justificationReason == {"REASON_UNSPECIFIED","CUSTOMER_INITIATED_SUPPORT","GOOGLE_INITIATED_SERVICE","THIRD_PARTY_DATA_REQUEST",
"GOOGLE_INITIATED_REVIEW","CUSTOMER_INITIATED_ACCESS","GOOGLE_INITIATED_SYSTEM_OPERATION","REASON_NOT_EXPECTED",
"MODIFIED_CUSTOMER_INITIATED_ACCESS"}[_]
}

On this page