Google Cloud Resources
Google Cloud resources include Google Cloud projects, key rings, and keys. Use CCKM to manage the Google Cloud keys stored in key rings that belong to the Google Cloud projects accessible to your Google Cloud service account.
The high-level steps are:
Complete the prerequisites.
Fetch the list of Google Cloud projects linked with your account. Note down the project IDs; they are needed when viewing and creating key rings inside projects.
Get the list of available Google Cloud locations (regions). These are required when viewing the key rings linked with a project in a location.
View the list of key rings in a linked Google Cloud project. Specify the connection name, project ID, and project location. From this list, choose the key rings to add to the CipherTrust Manager.
Add the desired key rings to the CipherTrust Manager. Specify the connection name, project ID, and key rings (array).
The key rings are displayed on the CipherTrust Manager. You can manage the added key rings and their keys from CCKM.
Manage keys. Add new native Google Cloud keys, create and upload keys based on external key source, manage key versions, and remove keys.
Note
CCKM doesn't support Google BYOK for Google Trusted Partner Clouds (TPC).
Prerequisites
Before you can manage Google Cloud resources on CCKM:
Create a Project Using an Organization
The Organization resource is the root in the Google Cloud Platform (GCP) resource hierarchy. An organization can contain folders which can contain projects which can contain resources such as Google Cloud KMS. Refer to Google Cloud resource hierarchy for details.
To get an organization resource, sign up for Google Workspace or Cloud Identity and verify your domain. One Google Workspace or Cloud Identity account contains exactly one organization resource.
After you have an organization, you can optionally create folders to organize your projects. Finally, create a project. Refer to Creating and Managing Organizations for details.
Create a Project Using GCP User Not Belonging to an Organization
It is recommended to create a project using a GCP user that does not belong to an organization.
An existing GCP user can create projects even if the user does not belong to an organization. The projects and all resources under them are tied to that user account, which belongs to an employee of the company. If the employee leaves the company, the project is deleted along with the user.
When creating a project with a user account, the default organization is "No Organization".
Enable Billing on the Project
If using an Organization, make sure you have the Billing Account Administrator role before performing the following steps.
Sign in to the Manage billing accounts page in the Google Cloud Console.
Add a billing account. Refer to Create, modify, or close your Cloud Billing account for details.
On the Billing page, click the MY PROJECTS tab to view the list of projects.
Click the menu (three vertical dots) for the project that you want to enable billing for.
Select Change billing.
Select the desired billing account.
Click Set account.
Refer to Enable, disable, or change billing for a project for more details on managing billing for a project.
Enable the Required APIs
Sign in to the Google Cloud Console.
In the Search products and resources bar, search for each of the following APIs and enable it:
Cloud Key Management Service (KMS) API
Cloud Resource Manager API
Create a Key Ring
Sign in to the Google Cloud Console.
Go to the left navigation menu.
Click Security > Key Management.
Create a key ring.
Create a Service Account
Sign in to the Google Cloud Console.
Go to the left navigation menu.
Click IAM & Admin > Service Accounts.
Create a service account.
Grant the Service Account Access to Resources
IAM permissions are grouped into roles. Roles are assigned to members on resources. GCP provides predefined roles, but you can create your own custom roles, if required.
To manage Google Cloud keys in the key ring you created above using CCKM, assign the following roles to the service account:
The Project Browser role on the project that contains the key ring
The Cloud KMS Admin role on the key ring you created
The Logs Viewer role on the key ring you created
Note
You can also assign the service account the role of Resource Manager Organization Viewer. Assigning this role allows CCKM users to see the display name of the organization resource, instead of seeing only its ID.
Permissions are inherited down the GCP resource hierarchy. Therefore, you can also grant the service account the previous roles at the organization level, folder level, or project level.
To create custom roles for your service account, refer to the following mapping of CCKM actions to IAM KMS permissions.
| CCKM Action | Cloud IAM KMS Permissions |
|---|---|
| Synchronize | cloudkms.keyRings.list, cloudkms.keyRings.getIamPolicy, cloudkms.cryptoKeys.getIamPolicy, cloudkms.cryptoKeys.list, cloudkms.cryptoKeyVersions.list |
| Create key | cloudkms.cryptoKeys.create |
| Upload key | cloudkms.cryptoKeys.create, cloudkms.importJobs.create, cloudkms.importJobs.setIamPolicy, cloudkms.importJobs.get, cloudkms.importJobs.useToImport, cloudkms.cryptoKeyVersions.create, cloudkms.cryptoKeys.update |
| Add key version / Rotate native | cloudkms.cryptoKeyVersions.create, cloudkms.cryptoKeys.update |
| Add key version / Rotate BYOK | cloudkms.importJobs.create, cloudkms.importJobs.setIamPolicy, cloudkms.importJobs.get, cloudkms.importJobs.useToImport, cloudkms.cryptoKeyVersions.create, cloudkms.cryptoKeys.update |
| Update key | cloudkms.cryptoKeys.update |
| Update key version | cloudkms.cryptoKeys.update, cloudkms.cryptoKeyVersions.update |
| Update key policy | cloudkms.cryptoKeys.getIamPolicy, cloudkms.cryptoKeys.setIamPolicy, cloudkms.cryptoKeys.update |
| Schedule delete key material | cloudkms.cryptoKeyVersions.destroy |
| Cancel schedule delete key material | cloudkms.cryptoKeyVersions.restore |
| Get the public key of an asymmetric key | cloudkms.cryptoKeyVersions.viewPublicKey |
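The prerequisite steps from "Enable Billing on the Project" through the custom-role table above, collected into one gcloud script. This is an added example, not code from the Thales documentation: the project ID, location, key ring name, service account name, billing account and custom role ID are placeholders, and binding Logs Viewer at project level (the page lists it on the key ring but also allows granting at project level) is this example's own choice. Run it with no argument to print the planned commands; pass `apply` to execute them against your project.

```shell
#!/bin/sh
# Added example (not from the CCKM documentation). Placeholders below are assumptions.
# The custom-role helper encodes the CCKM action -> Cloud IAM KMS permission table
# so a role can be built with exactly the permissions the chosen CCKM actions need.
set -eu

PROJECT_ID="${PROJECT_ID:-my-cckm-project}"                 # placeholder
LOCATION="${LOCATION:-us-east1}"                            # placeholder location
KEY_RING="${KEY_RING:-cckm-key-ring}"                       # placeholder
SA_NAME="${SA_NAME:-cckm-connector}"                        # placeholder
SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
BILLING_ACCOUNT="${BILLING_ACCOUNT:-000000-000000-000000}"  # placeholder
CUSTOM_ROLE_ID="${CUSTOM_ROLE_ID:-cckmKeyManager}"          # placeholder

# run: execute a command, or only print it (arguments unquoted) when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step "Enable Billing on the Project".
link_billing() {
  run gcloud billing projects link "$PROJECT_ID" --billing-account="$BILLING_ACCOUNT"
}
# Step "Enable the Required APIs".
enable_apis() {
  run gcloud services enable cloudkms.googleapis.com cloudresourcemanager.googleapis.com \
    --project="$PROJECT_ID"
}
# Step "Create a Key Ring".
create_key_ring() {
  run gcloud kms keyrings create "$KEY_RING" --location="$LOCATION" --project="$PROJECT_ID"
}
# Step "Create a Service Account".
create_service_account() {
  run gcloud iam service-accounts create "$SA_NAME" --display-name="CCKM connector" \
    --project="$PROJECT_ID"
}
# Step "Grant the Service Account Access to Resources": Project Browser on the project,
# Cloud KMS Admin on the key ring only (not the whole project), Logs Viewer at project
# level (this example's scope choice; the page lists it on the key ring).
grant_predefined_roles() {
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:${SA_EMAIL}" --role=roles/browser
  run gcloud kms keyrings add-iam-policy-binding "$KEY_RING" --location="$LOCATION" \
    --project="$PROJECT_ID" --member="serviceAccount:${SA_EMAIL}" --role=roles/cloudkms.admin
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:${SA_EMAIL}" --role=roles/logging.viewer
}

# perms_for_action: the table above (action names shortened), one line per action.
perms_for_action() {
  case "$1" in
    "Synchronize") echo "cloudkms.keyRings.list cloudkms.keyRings.getIamPolicy cloudkms.cryptoKeys.getIamPolicy cloudkms.cryptoKeys.list cloudkms.cryptoKeyVersions.list" ;;
    "Create key") echo "cloudkms.cryptoKeys.create" ;;
    "Upload key") echo "cloudkms.cryptoKeys.create cloudkms.importJobs.create cloudkms.importJobs.setIamPolicy cloudkms.importJobs.get cloudkms.importJobs.useToImport cloudkms.cryptoKeyVersions.create cloudkms.cryptoKeys.update" ;;
    "Rotate native") echo "cloudkms.cryptoKeyVersions.create cloudkms.cryptoKeys.update" ;;
    "Rotate BYOK") echo "cloudkms.importJobs.create cloudkms.importJobs.setIamPolicy cloudkms.importJobs.get cloudkms.importJobs.useToImport cloudkms.cryptoKeyVersions.create cloudkms.cryptoKeys.update" ;;
    "Update key") echo "cloudkms.cryptoKeys.update" ;;
    "Update key version") echo "cloudkms.cryptoKeys.update cloudkms.cryptoKeyVersions.update" ;;
    "Update key policy") echo "cloudkms.cryptoKeys.getIamPolicy cloudkms.cryptoKeys.setIamPolicy cloudkms.cryptoKeys.update" ;;
    "Schedule delete") echo "cloudkms.cryptoKeyVersions.destroy" ;;
    "Cancel schedule delete") echo "cloudkms.cryptoKeyVersions.restore" ;;
    "Get public key") echo "cloudkms.cryptoKeyVersions.viewPublicKey" ;;
    *) echo "unknown CCKM action: $1" >&2; return 1 ;;
  esac
}
# required_permissions ACTION...: deduplicated union of the permissions, one per line.
required_permissions() {
  for action in "$@"; do
    perms_for_action "$action" | tr ' ' '\n'
  done | LC_ALL=C sort -u
}
# create_custom_role ACTION...: a role with exactly those permissions, bound on the key ring.
create_custom_role() {
  perms=$(required_permissions "$@" | tr '\n' ',' | sed 's/,$//')
  run gcloud iam roles create "$CUSTOM_ROLE_ID" --project="$PROJECT_ID" \
    --title="CCKM key manager" --stage=GA --permissions="$perms"
  run gcloud kms keyrings add-iam-policy-binding "$KEY_RING" --location="$LOCATION" \
    --project="$PROJECT_ID" --member="serviceAccount:${SA_EMAIL}" \
    --role="projects/${PROJECT_ID}/roles/${CUSTOM_ROLE_ID}"
}

main() {
  [ "${1:-plan}" = "apply" ] || DRY_RUN=1   # default is plan mode: print only
  link_billing; enable_apis; create_key_ring; create_service_account
  grant_predefined_roles
  # Narrower alternative to Cloud KMS Admin: a role for viewing, creating and rotating
  # native keys only (no import/BYOK, no destroy).
  create_custom_role "Synchronize" "Create key" "Rotate native" "Update key" "Get public key"
}
main "$@"
```

The custom role is where the table earns its keep: a connection that only synchronizes and rotates native keys does not need `cloudkms.cryptoKeyVersions.destroy` or the importJobs permissions, and `required_permissions` makes that set explicit and reviewable before anything is bound.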
Add Google Connection on CipherTrust Manager
Before you can add a Google Cloud key ring to the CCKM, a connection to your Google Cloud service account must already exist on the CipherTrust Manager. A CipherTrust Manager administrator manages connections to external resources on the Access Management > Connections Management page of the CipherTrust Manager GUI. Refer to Connection Manager for details.
When configuring the connection, the CipherTrust Manager Administrator requires a key file (a JSON file). This file can be generated on your Google Cloud Console. Refer to the Google Cloud documentation for details.
Warning
Thales strongly discourages creating a Google connection using a service account key file that grants permission to root of trust keys.
After the connection is configured, you can view the linked Google Cloud projects and manage the key rings in those projects. You can manage Google Cloud key rings and keys on the CipherTrust Manager.
Refer to the following sections: