Cach pub


Author: Admin | 2025-04-27

Key is of the format projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/CRYPTO_KEY. An example is projects/test-project/locations/us-central1/keyRings/test-keyring/cryptoKeys/test-key.

PROJECT_NUMBER: The project number of the Pub/Sub project.

For more information about granting IAM roles, see Granting roles on a resource.

Configure a topic with CMEK

You can configure CMEK for a topic using the Google Cloud console or gcloud CLI.

Console

To create a topic with CMEK, follow these steps:

1. In the Google Cloud console, go to the Pub/Sub Topics page.
2. Click Create topic.
3. In the Topic ID field, enter an ID for your topic. For more information about naming topics, see the naming guidelines.
4. For Encryption, click Cloud KMS key.
5. Select the key type. If you don't see the Select a customer-managed key dropdown, ensure that you have enabled the Cloud KMS API for the project.
6. Click Create topic.

gcloud

1. In the Google Cloud console, activate Cloud Shell. At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
2. To create a topic with CMEK, run the gcloud pubsub topics create command:

   gcloud pubsub topics create TOPIC_ID --topic-encryption-key=ENCRYPTION_KEY

   Replace the following:

   - TOPIC_ID: The ID or name of the topic. For more information about how to name a topic, see Guidelines to name a topic, subscription, schema, or snapshot.
   - ENCRYPTION_KEY: ID of the CMEK to use for the topic. The format is projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/CRYPTO_KEY.

Update CMEK for a topic

You have the flexibility to change the CMEK linked to a Pub/Sub topic. You can use gcloud CLI to update the CMEK. However, this change doesn't apply retroactively. Messages published to the topic before the key changes remain encrypted with the original key.

If a topic was created without a CMEK, you can add one later. Existing messages continue to be protected with the default Google-owned and Google-managed encryption keys.

Changing a topic's CMEK does not re-encrypt previously published messages. These messages continue to be protected with the key that they were originally encrypted with.

Pub/Sub has a caching mechanism for keys that lasts approximately 5 minutes. It may take up to this duration for Pub/Sub to recognize and start using the new key version.

Audit logs

Cloud KMS produces audit logs when keys are enabled, disabled, or used by Pub/Sub to encrypt and decrypt messages. This is useful in debugging issues with publish or delivery availability.

Cloud KMS keys are attached to audit logs for Pub/Sub topic resources. Pub/Sub does not include any other Cloud KMS-related information.

Pricing and cost

For the following Pub/Sub requests, the use of CMEK incurs charges for access to the Cloud KMS service based on Pub/Sub pricing:

- For each topic using CMEK, a new DEK is encrypted and stored every six hours.
- The key is used to decrypt DEKs every six minutes. The decryption happens three times, once
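
An added example (not from the original page): a POSIX shell guard that checks a key name against the projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/CRYPTO_KEY layout given above before it reaches gcloud pubsub topics create. The function names and the character set allowed in each segment and in the topic ID are assumptions of this example.

```shell
#!/bin/sh
# Added example: validate a CMEK resource name before creating a topic.
# The segment character set is an ASSUMPTION; the page gives only the layout.

# valid_segment VALUE: non-empty, only letters, digits, underscore, hyphen.
valid_segment() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
  esac
  return 0
}

# parse_cmek_key KEY: print "PROJECT_ID LOCATION KEY_RING CRYPTO_KEY", or fail.
parse_cmek_key() {
  key=$1
  case "$key" in */) return 1 ;; esac   # a trailing slash would be lost in the split
  old_ifs=$IFS; IFS=/
  set -f                                # no globbing while splitting on "/"
  set -- $key
  set +f; IFS=$old_ifs
  [ "$#" -eq 8 ] || return 1            # rejects key versions and short paths
  [ "$1" = projects ] && [ "$3" = locations ] &&
    [ "$5" = keyRings ] && [ "$7" = cryptoKeys ] || return 1
  for seg in "$2" "$4" "$6" "$8"; do
    valid_segment "$seg" || return 1    # also rejects empty segments ("//")
  done
  printf '%s %s %s %s\n' "$2" "$4" "$6" "$8"
}

# create_topic_cmd TOPIC_ID KEY: print the gcloud command, or refuse bad input.
create_topic_cmd() {
  topic=$1; key=$2
  valid_segment "$topic" || { echo "refusing topic ID: $topic" >&2; return 1; }
  parse_cmek_key "$key" >/dev/null ||
    { echo "refusing malformed CMEK name: $key" >&2; return 1; }
  printf 'gcloud pubsub topics create %s --topic-encryption-key=%s\n' "$topic" "$key"
}
```

create_topic_cmd prints the command instead of running it, so the exact key bound to the topic can be reviewed or logged before execution.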
