
In this blog, we will be learning about KMS keys for encryption in google cloud and how we can provision them with terraform.
What is KMS?
KMS is a key management service in google cloud where we can create key rings and keys for encryption By default every resource in GCP is encrypted with google managed encryption keys but with the help of this KMS, we can create customer-managed encryption keys.
Pre-requisite:
- Make sure the Cloud Key Management Service (KMS) API is enabled
- make sure your service account has proper permission for KMS resources
- terraform installed
- Gcloud cli
Add Provider in terraform
provider "google" {
credentials = file("~/gcp/access-keys.json")
project = var.project_id
region = var.region
}
Creating a Keyring Resource
First of all, let’s understand what is a key ring, A Keyring is a top-level logical grouping of CryptoKeys it organizes keys in a Specific google cloud location and allows us to manage access control on groups of keys.
To Create a Keyring we will use the resource “google_kms_key_ring“
resource "google_kms_key_ring" "default" {
name = var.ring_name
location = var.region
}
Here in this resource, we have defined a key ring resource and under that we have specified two fields i.e name of the key ring and its location.
Creating a Key Resource
Now in order to use the keyring, we have to create a key inside this key ring. So to create a crypto key we will use this resource google_kms_crypto_key
resource "google_kms_crypto_key" "key" {
name = var.key_name
key_ring = google_kms_key_ring.keyring.id
rotation_period = var.rotation_period
version_template {
algorithm = var.algorithm
}
lifecycle {
prevent_destroy = false
}
}
Here as you can see we have defined the following arguments:
- name – The name of the crypto key that will be created inside the key ring. Also remember it is a required field.
- key_ring – It is also required and denotes the keyring that this key will belong to, In our case, we have attached it to the key ring we created earlier.
- rotation_period – (optional) Every time this period passes, a new key is generated with a new crypto key version and it is set as the primary.
- version_template – (optional) a template describing settings for new crypto key versions. in the version template we get a parameter algorithm that is required and this is used to define the algorithm to use when creating a version based on this.
Next after creating this key ring and key, we have to give permissions to a google identity who can use this key or encryption and decryption i.e it will be a service account and you can also choose to give it anyone permission either encrypt or decrypt or maybe both.
Giving permission to Service account to use key
resource "google_kms_crypto_key_iam_binding" "crypto_key" {
crypto_key_id = google_kms_crypto_key.key.id
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
members = [
"serviceAccount:service-${data.google_project.project.number}@compute-system.iam.gserviceaccount.com",
]
}
Every resource in GCP has service agent which is usually of this type
service-[PROJECT-NUMBER]@[Service-name].gserviceaccount.com
Firstly with this resource we are binding the key we created with this service account and it will have a role to encrypt and decrypt it. Here we are using a resource google_kms_crypto_key_iam_binding and under that, we have given the crypto id.
Also in the above resource, you might have noticed “${data.google_project.project.number}”, this is being used for getting the project number, so in order to get this make sure you add this data in your main.tf
data “google_project” “project” {}
It will help to read the project number and you can pass the service account.
Creating a Var.tf file
Now create the var.tf and add the variables
variable "key_name" {
description = "Name of the KMS key"
type = string
}
variable "keyring_name" {
description = "Name of the KMS Keyring"
type = string
}
variable "algorithm" {
description = "Algorithm for the KMS key"
type = string
}
variable "region" {
description = "Region for the KMS key"
type = string
}
variable "rotation_period" {
description = "Time in seconds to rotate key"
type = string
}
variable "project_id" {
type = string
}
Creating a Terraform.tfvars file
Now Create a terraform.tfvars file and pass all the variables
project_id = "neon-semiotics-351410"
keyring_name = "knoldus_keyring_east1"
key_name = "crypto-knoldus"
rotation_period = "2592000s" //30 days [its the default]
region = "us-east1"
algorithm = "GOOGLE_SYMMETRIC_ENCRYPTION"
Let’s Run and create this resources
terraform init

terraform plan

Indeed the terraform plan is also successful, so you can run apply to create the resources
terraform apply
after running apply you will be prompted to ask if you want to perform the actions, enter yes

Finally you can see it has created the resource and to verify that , you can visit the console

Conclusion:
This was all about how you can create and manage KMS in google cloud. You use it for encrypting and decrypting purposes. If you liked this blog please do like and share and comment. Lastly, If you want to explore more about the resources, You can visit this resource1 resource2
Happy Learning!!