Managing Google EKM Endpoint Policies
When you create a Google EKM Endpoint, a set of default policies is associated with it. The policy language and evaluation model are those of the Open Policy Agent (OPA) policy engine, so the policies are written in Rego. To edit the EKM endpoint policies you need a working knowledge of Rego and of the Google Cloud Platform justification reasons.
Default Policies
The default policies created with an endpoint allow every client (the client check is commented out) and every supported justification reason, so they impose no restriction until you edit them.
Justification reasons are used by the Key Access Justifications feature in Google Cloud.
The supported justification reasons are:
REASON_UNSPECIFIED,
CUSTOMER_INITIATED_SUPPORT,
GOOGLE_INITIATED_SERVICE,
THIRD_PARTY_DATA_REQUEST,
GOOGLE_INITIATED_REVIEW,
CUSTOMER_INITIATED_ACCESS,
GOOGLE_INITIATED_SYSTEM_OPERATION,
REASON_NOT_EXPECTED,
MODIFIED_CUSTOMER_INITIATED_ACCESS
In OPA (Rego) format, this is expressed as:
package example

default allow = false

allow {
    # Uncomment and add specific clients in the line below to restrict wrap/unwrap to named Google service accounts
    # input.clients == {"abc@yahoo.com", "abc@google.com", "abc@msn.com"}[_]
    input.justificationReason == {
        "REASON_UNSPECIFIED",
        "CUSTOMER_INITIATED_SUPPORT",
        "GOOGLE_INITIATED_SERVICE",
        "THIRD_PARTY_DATA_REQUEST",
        "GOOGLE_INITIATED_REVIEW",
        "CUSTOMER_INITIATED_ACCESS",
        "GOOGLE_INITIATED_SYSTEM_OPERATION",
        "REASON_NOT_EXPECTED",
        "MODIFIED_CUSTOMER_INITIATED_ACCESS"
    }[_]
}
Edit the Policies
To edit the policies, send a PATCH request to the /v1/cckm/ekm/endpoints/{id}/policies REST API endpoint, as described in the API Guide.
In the GUI:
Log in to the CipherTrust Manager products page.
Navigate to Cloud Key Manager > Services > Google Cloud EKM.
Find the endpoint in the list, and click the arrow beside the endpoint name to expand the information and view the Policies field.
Edit the text in the field.
package: controls the Rego package name of the policy.
default allow: a mandatory line that declares the result when the allow rule does not match. Keep it set to false so that a wrap or unwrap request is denied unless the allow rule succeeds. Setting it to true allows every request regardless of the rule body, which disables enforcement of the policy.
input.clients: controls which clients are allowed to access the endpoint. The values should match the Google Cloud service accounts that are permitted to perform wrap or unwrap operations.
input.justificationReason: controls which justification reason Google Cloud EKM must supply for a wrap or unwrap operation to be allowed. The supported values are listed above.
Click Apply.
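The following is an added example of a restricted policy, not the product's default policy and not code from Thales or Google. It keeps the structure of the default policy above (package name, default allow = false, a single allow rule over input.clients and input.justificationReason) but names specific clients and a minimal set of justification reasons, and adds Rego test rules so the policy can be checked with opa test before it is applied to the endpoint. The service-account addresses are placeholders; the chosen reasons are an assumption about what a customer normally expects and should be adjusted to your own Key Access Justifications requirements.

```rego
package example

# Added example policy (not the CipherTrust Manager default).
# Deny unless the allow rule below succeeds.
default allow = false

# Callers permitted to wrap or unwrap. Placeholder identities: replace them with
# the Google Cloud service accounts actually configured for this endpoint.
allowed_clients := {
    "ekm-caller@my-project.iam.gserviceaccount.com",
    "ekm-backup@my-project.iam.gserviceaccount.com"
}

# Justification reasons accepted. Customer-initiated access and Google-initiated
# system operations cover routine use; support, review, third-party requests and
# unexpected or unspecified reasons are refused (assumed policy choice).
allowed_reasons := {
    "CUSTOMER_INITIATED_ACCESS",
    "GOOGLE_INITIATED_SYSTEM_OPERATION"
}

# Both the caller and the reason must be in the allow lists.
allow {
    allowed_clients[input.clients]
    allowed_reasons[input.justificationReason]
}

# Tests: run with `opa test policy.rego` (add --v0-compatible on OPA 1.0,
# since this policy uses the same keyword-free dialect as the default policy).
test_allows_known_client_and_reason {
    allow with input as {
        "clients": "ekm-caller@my-project.iam.gserviceaccount.com",
        "justificationReason": "CUSTOMER_INITIATED_ACCESS"
    }
}

test_denies_unknown_client {
    not allow with input as {
        "clients": "someone-else@my-project.iam.gserviceaccount.com",
        "justificationReason": "CUSTOMER_INITIATED_ACCESS"
    }
}

test_denies_unexpected_reason {
    not allow with input as {
        "clients": "ekm-caller@my-project.iam.gserviceaccount.com",
        "justificationReason": "REASON_NOT_EXPECTED"
    }
}

test_denies_missing_reason {
    not allow with input as {
        "clients": "ekm-caller@my-project.iam.gserviceaccount.com"
    }
}
```

Because default allow = false is kept, a request with a missing or misspelled justificationReason, or from a service account not in allowed_clients, is denied rather than silently allowed; the last two tests exercise exactly those cases. Paste only the policy (without the test_ rules, if you prefer) into the Policies field and click Apply.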