Questions tagged [google-cloud-kms]

This tag is for questions about Google Cloud KMS, a Google Cloud Platform service which allows developers to store and make use of encryption keys to secure data.

Google Cloud KMS home page

157 questions
19 votes, 2 answers

What are the differences between KMS and Secret Manager in GCP?

I am wondering if you could please help me out with the following question. What are the differences between KMS and Secret Manager in GCP? Thank you in advance. https://cloud.google.com/secret-manager/docs/ HB
19 votes, 4 answers

How to handle secrets in Google App Engine?

My application needs a bunch of secrets to run: database credentials, API credentials, etc. It's running in Google App Engine Standard Java 11. I need these secrets as environment variables or as arguments to my application, so that my framework can…
8 votes, 2 answers

Editing or deleting a key ring from the console

This is a newbie security/console question... I created a key ring in my project in a specific (wrong) location, Europe. I can't see any way in the console to edit or even delete a key ring. The key ring is completely empty... no keys in it. How can I…
D.Baillie
6 votes, 1 answer

Permission 'cloudkms.cryptoKeyVersions.useToDecrypt' denied for resource ...key

I am building an http endpoint with Google Cloud Functions. I have an encrypted secret stored as a file that is loaded and decrypted in the function as a way to prevent my secret from being stored in the code. Usually I dynamically load something…
6 votes, 1 answer

Google Cloud KMS: encryption works but decryption fails

I am trying to decrypt a token using the Google KMS tool. Running it locally, for some reason, encryption seems to work but not decryption. I am running the following code: import base64 import googleapiclient.discovery kms_client =…
Pascal Delange
6 votes, 4 answers

Google Cloud Function: support for Google Cloud KMS

I am using a Google Cloud Function (GCF) with a Pubsub trigger which sends an HTTP request to a third party API. The GCF receives notifications from a Pubsub topic used by a service which should not be aware of the third party API. The third party…
5 votes, 1 answer

Can't update cryptokey in us-central1

For some reason I can't seem to be able to update keys in the us-central1 region. My IAM has both the update and list roles and I use this code: import google.cloud.kms as kms self.client = kms.KeyManagementServiceClient() name =…
5 votes, 2 answers

Attempting to convert some code to Go CDK when using KMS

I have some code to upload and download files from Google Cloud Storage. Below is an abbreviated example: import ( "context" "io" "cloud.google.com/go/storage" ) func upload(bucket, keyName, path string, reader io.Reader) error { …
Mylan Connolly
5 votes, 1 answer

Using Google Cloud Key Management Service to sign JSON Web Tokens

Edit: I found the answer. Scroll to the bottom of this question. I am working on a NodeJS authentication server and I would like to sign JSON Web Tokens (JWT) using Google signatures. I am using Google Cloud Key Management Service (KMS) and I…
5 votes, 1 answer

Get the version of Google KMS key used when decrypting ciphertext

When encrypting symmetrically with Google Cloud's KMS, Google Cloud automatically chooses the primary key version: Each symmetric encryption key has a designated primary version which is used at that point in time to encrypt data. In order for a…
Daniel Compton
5 votes, 1 answer

Can you share Google Cloud KMS keys across projects with service roles?

This GCP article suggests using two separate projects: one for key management, another for encryption/decryption. This seems like a setup that works with User roles, but not with Service roles, as a Service role is bound to the project it belongs…
Venantius
5 votes, 3 answers

How should I store access tokens generated by another application using Google Cloud KMS?

I am building a Node.js application that receives a long term access token from another application that I need to access. I don't want to store these access tokens directly in the database since anyone who has access to these tokens can basically…
4 votes, 0 answers

Digital signatures in PDF

I'm trying to digitally sign a PDF file using a PKCS#7 formatted signature in NodeJS. The setup: Node-forge does a great job at generating PKCS#7 format. I've already validated that the end output of the library fits my needs. By default pkcs7…
4 votes, 2 answers

Is there a way to store secrets in GCP, similar to Azure vault?

I have been trying to find a way to store secrets in GCP. I have explored Google Cloud KMS. It seems to be only for creating encryption keys, that can be used to encrypt, say, GCP storage elements. Or maybe I missed something. I have also seen there…
4 votes, 1 answer

Can't decrypt property from spring cloud config or environment variable

I'm trying to get my KMS library, found here, to decrypt items from my application.yml that come from either the Google Cloud config server or an environment variable. In playing around I've tried a number of scenarios to get this to work. Ideally…