Google Cloud APIs

Google Cloud resources include Google Cloud projects, key rings, and keys. Manage Google Cloud keys stored in key rings linked to Google Cloud projects in your Google Cloud service account using CCKM.

The high-level steps are:

  1. Complete the prerequisites.

  2. Fetch the list of Google Cloud projects linked with your account. Note down the project IDs; they are needed when viewing and creating key rings inside projects.

  3. Get the list of available Google Cloud locations (regions). These are required when viewing the key rings linked with a project in a location.

  4. View the list of key rings in a linked Google Cloud project. Specify the connection name, project ID, and project location. You will add desired key rings to the CipherTrust Manager.

  5. Add the desired key rings to the CipherTrust Manager. Specify the connection name, project ID, and key rings (array).

    The key rings are displayed on the CipherTrust Manager. You can manage the added key rings and their keys from CCKM.

  6. Manage keys. Add new native Google Cloud keys, create and upload keys based on external key source, manage key versions, and remove keys.

Prerequisites

Before you can manage Google Cloud resources on CCKM:

  1. Create a Project Using an Organization

  2. Create a Project Using GCP User Not Belonging to an Organization

  3. Enable Billing on the Project

  4. Enable the Required APIs

  5. Create a Key Ring

  6. Create a Service Account

  7. Grant the Service Account Access to Resources

  8. Add Google Connection on CipherTrust Manager

Create a Project Using an Organization

The Organization resource is the root in the Google Cloud Platform (GCP) resource hierarchy. An organization can contain folders which can contain projects which can contain resources such as Google Cloud KMS. Refer to Google Cloud resource hierarchy for details.

To get an organization resource, either sign up for Google Workspace or Cloud Identity. One Google Workspace or Cloud Identity account contains exactly one organization resource.

After you have an organization, you can optionally create folders to organize your projects. Finally, create a project. Refer to Creating and Managing Organizations for details.

Create a Project Using GCP User Not Belonging to an Organization

It is recommended to create a project using a GCP user that does not belong to an organization.

An existing GCP user can create projects even if the user does not belong to an organization. The projects and all resources under them are tied to that user account, which belongs to an employee of the company. If the employee leaves the company and the user account is removed, the project is deleted with it.

When creating a project with a user account, the default organization is "No Organization".

Enable Billing on the Project

If using an Organization, make sure you have the Billing Account Administrator role before performing the following steps.

  1. Sign in to the Manage billing accounts page in the Google Cloud Console.

  2. Add a billing account. Refer to Create, modify, or close your Cloud Billing account for details.

  3. On the Billing page, click the MY PROJECTS tab to view the list of projects.

  4. Click the menu (three vertical dots) for the project that you want to enable billing for.

  5. Select Change billing.

  6. Select the desired billing account.

  7. Click Set account.

Refer to Enable, disable, or change billing for a project for more details on managing billing for a project.

Enable the Required APIs

  1. Sign in to the Google Cloud Console.

  2. In the Search products and resources search bar, search for each of the following APIs and enable it:

    • Cloud Key Management Service (KMS) API

    • Cloud Resource Manager API

Create a Key Ring

  1. Sign in to the Google Cloud Console.

  2. Go to the left navigation menu.

  3. Click Security > Key Management.

  4. Create a key ring.

Create a Service Account

  1. Sign in to the Google Cloud Console.

  2. Go to the left navigation menu.

  3. Click IAM & Admin > Service Accounts.

  4. Create a service account.

Grant the Service Account Access to Resources

IAM permissions are grouped into roles. Roles are assigned to members on resources. GCP provides predefined roles, but you can create your own custom roles, if required.

To manage Google Cloud keys in the key ring you created above using CCKM, assign the following roles to the service account:

  • The Project Browser role on the project that contains the key ring

  • The Cloud KMS Admin role on the key ring you created

  • The Logs Viewer role on the key ring you created

You can also assign the service account the role of Resource Manager Organization Viewer. Assigning this role allows CCKM users to see the display name of the organization resource, instead of seeing only its ID.

Permissions are inherited down the GCP resource hierarchy. Therefore, you can also grant the service account these roles at the organization, folder, or project level instead of on the key ring itself.

To create custom roles for your service account, refer to the following mapping of CCKM actions to IAM KMS permissions.

CCKM Action                          Cloud IAM KMS Permissions
-----------------------------------  -------------------------------------
Synchronize                          cloudkms.keyRings.list
                                     cloudkms.keyRings.getIamPolicy
                                     cloudkms.cryptoKeys.getIamPolicy
                                     cloudkms.cryptoKeys.list
                                     cloudkms.cryptoKeyVersions.list
Create key                           cloudkms.cryptoKeys.create
Upload key                           cloudkms.cryptoKeys.create
                                     cloudkms.importJobs.create
                                     cloudkms.importJobs.setIamPolicy
                                     cloudkms.importJobs.get
                                     cloudkms.importJobs.useToImport
                                     cloudkms.cryptoKeyVersions.create
                                     cloudkms.cryptoKeys.update
Add key version/Rotate native        cloudkms.cryptoKeyVersions.create
                                     cloudkms.cryptoKeys.update
Add key version/Rotate BYOK          cloudkms.importJobs.create
                                     cloudkms.importJobs.setIamPolicy
                                     cloudkms.importJobs.get
                                     cloudkms.importJobs.useToImport
                                     cloudkms.cryptoKeyVersions.create
                                     cloudkms.cryptoKeys.update
Update key                           cloudkms.cryptoKeys.update
Update key version                   cloudkms.cryptoKeys.update
                                     cloudkms.cryptoKeyVersions.update
Schedule delete key material         cloudkms.cryptoKeyVersions.destroy
Cancel schedule delete key material  cloudkms.cryptoKeyVersions.restore
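
To illustrate how the mapping is used, here is an added example (not code from the Thales documentation) that derives the de-duplicated permission list for a custom role from the table above and renders it in the YAML layout that `gcloud iam roles create ROLE_ID --project=PROJECT_ID --file=role.yaml` accepts; the role title and description are placeholders, and the mapping itself is transcribed from the table.

```python
# Added example, not part of the Thales CCKM documentation: derive the
# permission list for a least-privilege custom role from the mapping
# above, so the CCKM service account gets only the CCKM actions you
# intend to allow instead of the broad Cloud KMS Admin role.
from typing import Dict, FrozenSet, Iterable, List

_IMPORT = ("cloudkms.importJobs.create", "cloudkms.importJobs.setIamPolicy",
           "cloudkms.importJobs.get", "cloudkms.importJobs.useToImport")
_NEW_VERSION = ("cloudkms.cryptoKeyVersions.create", "cloudkms.cryptoKeys.update")

# Transcribed from the CCKM action / Cloud IAM KMS permission table.
CCKM_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "Synchronize": frozenset({
        "cloudkms.keyRings.list", "cloudkms.keyRings.getIamPolicy",
        "cloudkms.cryptoKeys.getIamPolicy", "cloudkms.cryptoKeys.list",
        "cloudkms.cryptoKeyVersions.list"}),
    "Create key": frozenset({"cloudkms.cryptoKeys.create"}),
    "Upload key": frozenset({"cloudkms.cryptoKeys.create", *_IMPORT, *_NEW_VERSION}),
    "Add key version/Rotate native": frozenset(_NEW_VERSION),
    "Add key version/Rotate BYOK": frozenset({*_IMPORT, *_NEW_VERSION}),
    "Update key": frozenset({"cloudkms.cryptoKeys.update"}),
    "Update key version": frozenset({"cloudkms.cryptoKeys.update",
                                     "cloudkms.cryptoKeyVersions.update"}),
    "Schedule delete key material": frozenset({"cloudkms.cryptoKeyVersions.destroy"}),
    "Cancel schedule delete key material": frozenset({"cloudkms.cryptoKeyVersions.restore"}),
}


def permissions_for(actions: Iterable[str]) -> List[str]:
    """Union of the permissions needed for the given CCKM actions, sorted
    and de-duplicated. Unknown action names raise rather than silently
    producing a role that is missing permissions."""
    needed = set()
    for action in actions:
        if action not in CCKM_PERMISSIONS:
            raise ValueError(f"unknown CCKM action: {action!r}")
        needed |= CCKM_PERMISSIONS[action]
    return sorted(needed)


def role_yaml(role_title: str, actions: Iterable[str]) -> str:
    """Render a role definition in the YAML layout gcloud accepts for
    `gcloud iam roles create ROLE_ID --project=PROJECT_ID --file=role.yaml`.
    Title and description are placeholders; adjust to your naming scheme."""
    lines = [f"title: {role_title}",
             "description: CCKM service account (least privilege)",
             "stage: GA", "includedPermissions:"]
    lines += [f"- {perm}" for perm in permissions_for(actions)]
    return "\n".join(lines) + "\n"
```

Bind the resulting role to the service account on the key ring (or higher in the hierarchy) instead of Cloud KMS Admin when CCKM only needs a subset of the actions, and extend the action list as more CCKM operations are enabled.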

Add Google Connection on CipherTrust Manager

Before you can add a Google Cloud key ring to the CCKM, a connection to your Google Cloud service account must already exist on the CipherTrust Manager. A CipherTrust Manager administrator manages connections to external resources on the Access Management > Connections Management page of the CipherTrust Manager GUI. Refer to Connection Manager for details.

When configuring the connection, the CipherTrust Manager administrator requires a service account key file (a JSON file). This file can be generated in your Google Cloud Console. Refer to the Google Cloud documentation for details.

After the connection is configured, you can view the linked Google Cloud projects and manage the key rings in those projects. You can manage Google Cloud key rings and keys on the CipherTrust Manager.

Refer to the following sections:

The mandatory API request parameters are written in bold.