Managing Google EKM Endpoint Policies

When you create a Google External Key Manager (EKM) Endpoint or an EKM Ubiquitous Data Encryption (UDE) endpoint, a set of default policies is associated with it. The policy language and model are derived from the Open Policy Agent (OPA) policy engine, so users in the 'CCKM Admins' group who are familiar with OPA can edit the EKM or EKM UDE endpoint policies. Editing the Key Access Justification Reasons themselves is described in detail in the Google Cloud Platform documentation.

Default Policies

The default policies applied at endpoint creation allow all clients and all supported justification reasons.

Justification reasons are used by the Key Access Justifications feature in Google Cloud. This feature is optional for EKM and EKM UDE. When justification reasons are set in the policy, Google Cloud EKM must supply one of them to initiate a wrap or unwrap operation.

The supported justification reasons are:

  • REASON_UNSPECIFIED

  • CUSTOMER_INITIATED_SUPPORT

  • GOOGLE_INITIATED_SERVICE

  • THIRD_PARTY_DATA_REQUEST

  • GOOGLE_INITIATED_REVIEW

  • CUSTOMER_INITIATED_ACCESS

  • GOOGLE_INITIATED_SYSTEM_OPERATION

  • REASON_NOT_EXPECTED

  • MODIFIED_CUSTOMER_INITIATED_ACCESS

In OPA format, this is expressed as:

package example
default allow = false
allow {
  # Uncomment and add specific clients in the line below to allow wrap/unwrap from Google services
  # input.clients == {"abc@yahoo.com", "abc@google.com", "abc@msn.com"}[_]
  input.justificationReason == {"REASON_UNSPECIFIED","CUSTOMER_INITIATED_SUPPORT","GOOGLE_INITIATED_SERVICE","THIRD_PARTY_DATA_REQUEST",
  "GOOGLE_INITIATED_REVIEW","CUSTOMER_INITIATED_ACCESS","GOOGLE_INITIATED_SYSTEM_OPERATION","REASON_NOT_EXPECTED",
  "MODIFIED_CUSTOMER_INITIATED_ACCESS"}[_]
}

Edit the Policies for EKM Endpoints

To edit the policies, you can patch the /v1/cckm/ekm/endpoints/{id}/policies REST API endpoint, or use ksctl cckm ekm endpoints policy update --id <policy-id> --ekm-endpoint-update-policy-file <filename> to pass in a new policy file. In the GUI:

  1. Log in to the CipherTrust Manager products page as a user in the 'CCKM Admins' group.

  2. Navigate to Cloud Key Manager > Services > Google Cloud EKM.

  3. Find the endpoint in the list, and click the arrow beside the endpoint name to expand the information and view the Policies field.

  4. Edit the text in the field.

    • package controls the rego policy package name.

    • default allow is a mandatory line that declares whether the rego policy is enforced. Setting it to false enables the policy (a request is denied unless an allow rule matches it); setting it to true disables the policy (every request is allowed).

    • input.clients controls which clients are allowed to access the endpoint. This should match the clients on Google Cloud Service Accounts that are allowed to perform wrap or unwrap operations.

    • input.justificationReason controls what justification reason needs to be provided for Google Cloud EKM to initiate a wrap or unwrap operation. You can remove this line, or comment it out with # at the start of the line if you do not require the Key Access Justifications feature. The supported values are described above.

  5. Click Apply.
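The following is an added example, not Thales or CipherTrust Manager code: it renders a tightened policy file in the same shape as the default policy above (explicit client allow-list, reduced justification set) for use with the ksctl or REST update path, and mirrors the two rule lines in Python so you can sanity-check sample requests before uploading. The service-account address and the request objects are constructed placeholders, and the example assumes input.clients carries the single calling identity that Google Cloud EKM presents.

```python
"""Render and sanity-check a tightened Google EKM endpoint policy (added example)."""

# Justification reasons the endpoint policy accepts, as listed in the documentation.
SUPPORTED_REASONS = {
    "REASON_UNSPECIFIED", "CUSTOMER_INITIATED_SUPPORT", "GOOGLE_INITIATED_SERVICE",
    "THIRD_PARTY_DATA_REQUEST", "GOOGLE_INITIATED_REVIEW", "CUSTOMER_INITIATED_ACCESS",
    "GOOGLE_INITIATED_SYSTEM_OPERATION", "REASON_NOT_EXPECTED",
    "MODIFIED_CUSTOMER_INITIATED_ACCESS",
}


def rego_set(items):
    """Format an iterable of strings as a Rego set literal, sorted for stable diffs."""
    return "{" + ",".join(f'"{item}"' for item in sorted(items)) + "}"


def render_policy(clients, reasons, package="example"):
    """Emit Rego text shaped like the default endpoint policy, but with the
    client line active and only the given justification reasons allowed.
    Rejects typos in reason names and an empty client list, both of which
    would otherwise silently deny every wrap/unwrap request."""
    unknown = set(reasons) - SUPPORTED_REASONS
    if unknown:
        raise ValueError(f"unsupported justification reason(s): {sorted(unknown)}")
    if not clients:
        raise ValueError("client allow-list must not be empty")
    return (
        f"package {package}\n"
        "default allow = false\n"
        "allow {\n"
        f"  input.clients == {rego_set(clients)}[_]\n"
        f"  input.justificationReason == {rego_set(reasons)}[_]\n"
        "}\n"
    )


def evaluate(clients, reasons, request):
    """Python mirror of the rendered rule: both lines inside allow { } must
    hold, so the caller identity AND the stated reason must be allow-listed.
    'request' is a dict with the same keys the policy reads from 'input'
    (assumed shape, constructed for this example)."""
    return (request.get("clients") in set(clients)
            and request.get("justificationReason") in set(reasons))


if __name__ == "__main__":
    # Constructed placeholder values, not real identities.
    allowed_clients = ["ekm-caller@example-project.iam.gserviceaccount.com"]
    allowed_reasons = ["CUSTOMER_INITIATED_ACCESS", "CUSTOMER_INITIATED_SUPPORT"]
    print(render_policy(allowed_clients, allowed_reasons))
    print(evaluate(allowed_clients, allowed_reasons,
                   {"clients": allowed_clients[0], "justificationReason": "GOOGLE_INITIATED_REVIEW"}))
```

Write the rendered text to a file and pass it with --ekm-endpoint-update-policy-file; the evaluate function only approximates OPA semantics and does not replace testing the policy on the endpoint itself.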

Edit the Policies for EKM UDE Endpoints

This feature is a technical preview for evaluation in non-production environments. A technical preview introduces new, incomplete functionality for customer feedback as we work on the feature. Details and functionality are subject to change. This includes API endpoints, UI elements, and CLI commands. We cannot guarantee that data created as part of a technical preview will be retained after the feature is finalized.

Besides the GUI, you can patch the /v1/cckm/ekm-e2e/endpoints/{id}/policies REST API endpoint to edit the policies.

In the GUI:

  1. Log in to the CipherTrust Manager products page as a user in the 'CCKM Admins' group.

  2. Navigate to Cloud Key Manager > Services > Google Cloud EKM UDE.

  3. Find the endpoint in the list, and click the arrow beside the endpoint name to expand the information and view the Policies field.

  4. Edit the text in the field.

    • package controls the rego policy package name.

    • default allow is a mandatory line that declares whether the rego policy is enforced. Setting it to false enables the policy (a request is denied unless an allow rule matches it); setting it to true disables the policy (every request is allowed).

    • input.clients controls which clients are allowed to access the endpoint. This should match the clients on Google Cloud Service Accounts that are allowed to perform wrap or unwrap operations.

    • input.justificationReason controls what justification reason needs to be provided for Google Cloud EKM to initiate a wrap or unwrap operation. You can remove this line, or comment it out with # at the start of the line if you do not require the Key Access Justifications feature. The supported values are described above.

  5. Click Apply.