Cloud KMS - decrypt task

Preview

This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of theService Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see thelaunch stage descriptions.

TheCloud KMS - decrypt task lets you decrypt ciphertext or data that was encrypted with a Cloud Key Management Service (Cloud KMS) key. To decrypt the encrypted data, you must use the same key that was used during encryption. The decrypted text that is returned from Cloud KMS is base64-encoded.

Cloud KMS is a Google Cloud service that allows you to create, import, and manage cryptographic keys and perform cryptographic operations in a single centralized cloud service.

Before you begin

Ensure that you perform the following tasks in your Google Cloud project before configuring theCloud KMS - decrypt task:

  1. Enable the Cloud Key Management Service (KMS) API (cloudkms.googleapis.com).

    Enable the Cloud Key Management Service (KMS) API

  2. Create anauthentication profile. Application Integration uses an authentication profile to connect to an authentication endpoint for theCloud KMS - decrypt task.Note: If you're creating an authentication profile ofService account type, then ensure that the service account is assigned with the IAM role that contains the following IAM permission(s):
    • cloudkms.cryptoKeyVersions.useToDecrypt

    To know about IAM permissions and the predefined IAM roles that grant them, seeIAM permissions reference.

    For information about granting additional roles or permissions to a service account, seeGranting, changing, and revoking access.

Configure the Cloud KMS - decrypt task

  1. In the Google Cloud console, go to theApplication Integration page.

    Go to Application Integration

  2. In the navigation menu, clickIntegrations.

    TheIntegrations page appears listing all the integrations available in the Google Cloud project.

  3. Select an existing integration or clickCreate integration to create a new one.

    If you are creating a new integration:

    1. Enter a name and description in theCreate Integration pane.
    2. Select a region for the integration.Note: TheRegions dropdown only lists the regions provisioned in your Google Cloud project. To provision a new region, clickEnable Region. SeeEnable new region for more information.
    3. Select a service account for the integration. You can change or update the service account details of an integration any time from theIntegration summary pane in the integration toolbar.Note: The option to select a service account is displayed only if you have enabled integration governance for the selected region.
    4. ClickCreate. The newly created integration opens in theintegration editor.

  4. In theintegration editor navigation bar, clickTasks to view the list of available tasks and connectors.
  5. Click and place theCloud KMS - decrypt element in the integration editor.
  6. Click theCloud KMS - decrypt element on the designer to view theCloud KMS - decrypt task configuration pane.
  7. Go toAuthentication, and select an existing authentication profile that you want to use.

    Optional. If you have not created an authentication profile prior to configuring the task, Click+ New authentication profile and follow the steps as mentioned inCreate a new authentication profile.

  8. Go toTask Input, and configure the displayed inputs fields using the followingTask input parameters table.

    Changes to the inputs fields are saved automatically.

Task input parameters

The following table describes the input parameters of theCloud KMS - decrypt task:

PropertyData typeDescription
RegionStringCloud KMS location for the key ring.
ProjectsIdStringYour Google Cloud project ID.
KeyRingsIdStringName of the key ring where the key will be located.
CryptoKeysIdStringName of the key to use for decryption.
RequestJSONSeerequest JSON structure. Specify the encrypted (cipher) text to be decrypted in theciphertext field of the request body.

Task output

TheCloud KMS - decrypt task returns a response containing the decrypted data in a base64-encoded format. You must decode the base64-encoded value to get the output string.Tip: You can base64-encode or decode data using thebase64 command on Linux or macOS, or theBase64.exe command on Windows. Programming and scripting languages typically include libraries for base64-encoding. For command-line examples, seeDecode base64 in the Cloud Text-to-Speech documentation.

Error handling strategy

An error handling strategy for a task specifies the action to take if the task fails due to atemporary error. For information about how to use an error handling strategy, and to know about the different types of error handling strategies, seeError handling strategies.

What's next

  1. Addedges and edge conditions.
  2. Test and publish your integration.
  3. Configure atrigger.
  4. Add aData Mapping task.
  5. Seeall tasks for Google Cloud services.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.