Google Cloud Key Rings
This section describes how to manage Google Cloud key rings on CCKM. Before proceeding, a connection to your Google Cloud account must exist on the CipherTrust Manager. Refer to Connection Manager for details.
After the connection is configured, you can add key rings linked with a project on the CipherTrust Manager. Google Cloud key rings can be added, viewed, modified, or deleted on the Key Rings tab of the Google page.
Adding an Existing Google Cloud Key Ring
Adding an existing Google Cloud key ring to CCKM requires selecting a Google Cloud project and location of existing key rings. Based on these, the list of relevant key rings is retrieved from the Google Cloud project.
To add an existing Google Cloud key ring to CCKM:
- Open the Cloud Key Manager application.
- In the left pane, click KMS Containers > Google. The Google page contains two tabs: Key Rings and Projects. Key Rings is the default tab.
- Click Add Existing Key Ring. The Select Connection Information screen is displayed.
- Select the Google Connection. The linked Google Cloud projects are auto-populated in the Project ID drop-down list.
- Select the Project ID where the Google Cloud key ring resides. The project locations are auto-populated in the Location drop-down list.
- Select the key ring Location.
- Click Next. The Add Key Rings screen is displayed. The screen shows the available key rings based on the Connection, Project ID, and Location you selected on the previous screen. Only the key rings not already added to CCKM are displayed.
- Select the desired key rings.
Tip
To select multiple key rings, select the check boxes corresponding to them.
To select all the retrieved key rings, select the check box to the left of the Selected label (over the Name heading).
- Click Save.
The selected key rings are displayed on the Key Rings tab.
Viewing Key Rings
The Key Rings tab of the Google page shows the list of key rings available in the projects added to the CipherTrust Manager. Search for the key rings by Name or Connection.
To view the list of key rings available on CCKM:
- Open the Cloud Key Manager application.
- In the left pane, click KMS Containers > Google. The Google page displays only the Google Cloud projects and key rings added to CCKM, not all those available on Google Cloud.
The list of key rings added to CCKM is displayed on the Key Rings tab. The tab displays the following details:

| Field | Description |
|---|---|
| Name | Name of the key ring. |
| Location | Location of the project linked with the key ring. |
| Project ID | ID of the linked project. |
| Organization | Organization of the key ring. |
| Connection | Name of the Google Cloud connection with the CipherTrust Manager. |
| Last Refreshed | Time when the key ring was last refreshed. |
| Created | Time when the key ring was created. |

To view the custom columns, click the Customize View icon, select the desired option, and click OK to display the column.
Refreshing Key Rings
Refreshing downloads the keys created in Google Cloud key rings to CCKM. You can refresh keys from individual key rings or from all Google Cloud key rings.
Refreshing Specific Key Rings
To refresh a key ring:
- Open the Cloud Key Manager application.
- In the left pane, click KMS Containers > Google. The Google page is displayed. The Key Rings tab displays the key rings added to CCKM.
- Click the overflow icon corresponding to the desired key ring and click Refresh Now.
A message Refresh started... is displayed on the screen. To cancel the refresh, click Cancel Refresh.
The refreshed keys are listed on the Cloud Keys > Google > Google Keys page. Refer to Viewing Google Cloud Keys for details.
Refreshing All Key Rings
To refresh all key rings:
- Open the Cloud Key Manager application.
- In the left pane, click KMS Containers > Google. The Google page is displayed. The Key Rings tab displays the key rings added to CCKM.
- On the Key Rings tab, click Refresh All. The "This may take a while..." message is displayed.
Note
Refreshing all key rings is a time-intensive operation that could take several hours or days to complete. It will continue running in the background.
- Click Refresh All to continue.
A message Refresh started... is displayed on the screen. To cancel the refresh, click Cancel Refresh.
The refreshed keys are listed on the Cloud Keys > Google > Google Keys page. Refer to Viewing Google Cloud Keys for details.
Viewing Details of a Key Ring
To view the details of a key ring on CCKM:
- Open the Cloud Key Manager application.
- In the left pane, click KMS Containers > Google.
- On the Key Rings tab, click the Name link of the desired key ring.
Alternatively, click the overflow icon corresponding to the desired key ring, and click View/Edit Details.
The edit view of the Google Key Rings page shows additional details of the selected key ring including the configured ACCESS CONTROL.
Managing User Permissions on Google Cloud Key Rings
To work with Google Cloud, users/groups must have the minimum set of permissions that allow them to use Google Cloud resources such as keys and Google Cloud key rings. Initially, the user only has permission to view the keys. However, if required, the CCKM administrator can grant and revoke permissions.
Note
Only users who are members of the CCKM Users group will be granted permissions to perform operations on Google Cloud key rings.
Adding Permissions for a User/Group
To add permissions for a user/group:
- Open the Cloud Key Manager application.
- In the left pane, click KMS Containers > Google.
- On the Key Rings tab, click the Name link of the desired key ring.
Alternatively, click the overflow icon corresponding to the desired key ring, and click View/Edit Details.
- In the ACCESS CONTROL section, click Assign User/Group. The Assign User/Group dialog box is displayed.
- Select the desired user or group from the User/Group drop-down list.
- Click Save.
The newly added user/group is displayed under Name in the ACCESS CONTROL section. You can now grant additional permissions to the user/group, as appropriate. Refer to Granting Permission to Perform an Operation for details.
Allowed Operations
CCKM allows the following operations on Google Cloud key rings:
- View Keys, Add Key, Edit / Disable / Enable, Synchronize, Upload
- Schedule Destroy, Cancel Destroy
Granting Permission to Perform an Operation
To grant permissions to the user or group to perform any of the above-mentioned operations:
- In the ACCESS CONTROL section, select the check box under the desired operation corresponding to the desired users or groups.
- Click Update.
A success message is displayed on the screen.
To revoke permissions from a user/group, refer to Removing a Permission for details.
Removing a Permission
To remove a permission assigned to a user or group:
- In the ACCESS CONTROL section, clear the check box under the desired operation corresponding to the desired users or groups.
- Click Update.
A success message is displayed on the screen.
Removing Permission from a User/Group
To remove current permissions assigned to the user/group:
- In the ACCESS CONTROL section, under Unassign, click the X button corresponding to the desired user/group.
- On the Remove User / Remove Group screen, click Remove.
Note
Removing this user/group will remove all permissions currently assigned to the user/group.
- Click Remove to confirm the action. To cancel the change, click Keep It.
A success message is displayed on the screen.
Removing a Google Cloud Key Ring
Google Cloud key rings can be removed from the Key Rings tab of the Google page. Search for existing key rings using Name or Connection.
Note
When a Google Cloud key ring is removed from CCKM, it is also deleted from Google Cloud.
To remove a key ring from CCKM:
- Open the Cloud Key Manager application.
- In the left pane, click KMS Containers > Google. The Google page is displayed. The list of key rings added to CCKM is displayed.
- Click the overflow icon corresponding to the key ring you want to remove.
- Click Delete.