Create a key ring
This page shows you how to create a key ring in Cloud KMS. A key ring is the root resource for Cloud KMS keys and key versions. Each key ring exists within a given location. For more information about Cloud KMS resources, see Cloud KMS resources.
Before you begin
Before completing the tasks on this page, you need the following:
- A Google Cloud project resource to contain your Cloud KMS resources. This project is called your key project. We recommend that your key project does not contain any other Google Cloud resources. Enable the Cloud KMS API on your key project.
- The name of the location where you want to create your key ring. Choose a location that is near your other resources and that supports your chosen protection level. To view available locations and the protection levels they support, see Cloud KMS locations.
Required roles
To get the permissions that you need to create key rings, ask your administrator to grant you the Cloud KMS Admin (roles/cloudkms.admin) IAM role on the project or a parent resource. For more information about granting roles, see Manage access to projects, folders, and organizations.
This predefined role contains the permissions required to create key rings. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to create key rings:
- cloudkms.keyRings.create
- cloudkms.keyRings.get
- cloudkms.keyRings.list
- cloudkms.locations.get
- cloudkms.locations.list
- resourcemanager.projects.get
You might also be able to get these permissions with custom roles or other predefined roles.
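An added example, not part of the original page: one way to audit who holds roles/cloudkms.admin on the key project, since that role also carries key maintenance and key version destruction permissions. It assumes the policy was exported with `gcloud projects get-iam-policy PROJECT_ID --format=json`; the sample policy, the allowlist and the function name are constructed for illustration.

```python
import json

KMS_ADMIN_ROLE = "roles/cloudkms.admin"  # role named on this page

# Constructed sample in the shape returned by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/cloudkms.admin",
     "members": ["user:kms-admin@example.com",
                 "user:dev@example.com",
                 "serviceAccount:ci@my-project.iam.gserviceaccount.com",
                 "group:engineering@example.com"]},
    {"role": "roles/cloudkms.admin",
     "members": ["user:backup-admin@example.com", "user:dev@example.com"]},
    {"role": "roles/viewer", "members": ["user:intern@example.com"]}
  ],
  "version": 1
}
""")

# Assumption: the individuals your organization has made responsible
# for key administration. Replace with your own list.
APPROVED_KEY_ADMINS = {"user:kms-admin@example.com",
                       "user:backup-admin@example.com"}


def audit_kms_admins(policy, approved):
    """Return sorted, de-duplicated (member, reason) findings for KMS Admin grants."""
    findings = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") != KMS_ADMIN_ROLE:
            continue
        for member in binding.get("members", []):
            # Members look like "user:a@b", "group:...", or bare "allUsers".
            kind = member.split(":", 1)[0]
            if kind != "user":
                # Assumption: only individual user accounts should hold the role.
                findings.add((member, f"non-individual principal ({kind})"))
            elif member not in approved:
                findings.add((member, "not an approved key administrator"))
    return sorted(findings)


if __name__ == "__main__":
    for member, reason in audit_kms_admins(SAMPLE_POLICY, APPROVED_KEY_ADMINS):
        print(f"{member}: {reason}")
```

Because the role can be granted on the project or a parent resource, run the same check against the folder and organization policies as well.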
Caution: The Cloud KMS Admin role contains permissions for key maintenance and key version destruction. To protect your Cloud KMS resources, this role should only be assigned to individuals responsible for key administration.
Create a key ring
Follow these steps to create a key ring for your new key. If you want to use an existing key ring instead, you can create a key.
Note: Key rings with the same name can exist in different locations, so you must always specify the location.
Console
1. Go to the Key Management page in the Google Cloud console.
2. Click Create key ring.
3. For Key ring name, enter a name for your key ring.
4. For Key ring location, select a location like "us-east1".
   Note: Choose a location that is near the resources you want to protect. For CMEK usage, your key ring should be in the same location as the resources you use it with. For Cloud EKM keys, the location must be physically close to your external key manager (EKM) vendor.
5. Click Create.
gcloud
In the Google Cloud console, activate Cloud Shell.
- In your environment, run the gcloud kms keyrings create command:

```sh
gcloud kms keyrings create KEY_RING \
    --location LOCATION
```

Replace the following:

- KEY_RING: the name of the key ring that contains the key.
- LOCATION: the Cloud KMS location of the key ring.

For information on all flags and possible values, run the command with the --help flag.
C#
To run this code, first set up a C# development environment and install the Cloud KMS C# SDK.

```csharp
using Google.Api.Gax.ResourceNames;
using Google.Cloud.Kms.V1;

public class CreateKeyRingSample
{
    public KeyRing CreateKeyRing(
      string projectId = "my-project", string locationId = "us-east1",
      string id = "my-key-ring")
    {
        // Create the client.
        KeyManagementServiceClient client = KeyManagementServiceClient.Create();

        // Build the parent location name.
        LocationName locationName = new LocationName(projectId, locationId);

        // Build the key ring.
        KeyRing keyRing = new KeyRing { };

        // Call the API.
        KeyRing result = client.CreateKeyRing(locationName, id, keyRing);

        // Return the result.
        return result;
    }
}
```

Go
To run this code, first set up a Go development environment and install the Cloud KMS Go SDK.

```go
import (
	"context"
	"fmt"
	"io"

	kms "cloud.google.com/go/kms/apiv1"
	"cloud.google.com/go/kms/apiv1/kmspb"
)

// createKeyRing creates a new ring to store keys on KMS.
func createKeyRing(w io.Writer, parent, id string) error {
	// parent := "projects/PROJECT_ID/locations/global"
	// id := "my-key-ring"

	// Create the client.
	ctx := context.Background()
	client, err := kms.NewKeyManagementClient(ctx)
	if err != nil {
		return fmt.Errorf("failed to create kms client: %w", err)
	}
	defer client.Close()

	// Build the request.
	req := &kmspb.CreateKeyRingRequest{
		Parent:    parent,
		KeyRingId: id,
	}

	// Call the API.
	result, err := client.CreateKeyRing(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to create key ring: %w", err)
	}
	fmt.Fprintf(w, "Created key ring: %s\n", result.Name)
	return nil
}
```

Java
To run this code, first set up a Java development environment and install the Cloud KMS Java SDK.

```java
import com.google.cloud.kms.v1.KeyManagementServiceClient;
import com.google.cloud.kms.v1.KeyRing;
import com.google.cloud.kms.v1.LocationName;
import java.io.IOException;

public class CreateKeyRing {

  public void createKeyRing() throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String locationId = "us-east1";
    String id = "my-asymmetric-signing-key";
    createKeyRing(projectId, locationId, id);
  }

  // Create a new key ring.
  public void createKeyRing(String projectId, String locationId, String id) throws IOException {
    // Initialize client that will be used to send requests. This client only
    // needs to be created once, and can be reused for multiple requests. After
    // completing all of your requests, call the "close" method on the client to
    // safely clean up any remaining background resources.
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
      // Build the parent name from the project and location.
      LocationName locationName = LocationName.of(projectId, locationId);

      // Build the key ring to create.
      KeyRing keyRing = KeyRing.newBuilder().build();

      // Create the key ring.
      KeyRing createdKeyRing = client.createKeyRing(locationName, id, keyRing);
      System.out.printf("Created key ring %s%n", createdKeyRing.getName());
    }
  }
}
```

Node.js
To run this code, first set up a Node.js development environment and install the Cloud KMS Node.js SDK.

```javascript
//
// TODO(developer): Uncomment these variables before running the sample.
//
// const projectId = 'my-project';
// const locationId = 'us-east1';
// const id = 'my-key-ring';

// Imports the Cloud KMS library
const {KeyManagementServiceClient} = require('@google-cloud/kms');

// Instantiates a client
const client = new KeyManagementServiceClient();

// Build the parent location name
const locationName = client.locationPath(projectId, locationId);

async function createKeyRing() {
  const [keyRing] = await client.createKeyRing({
    parent: locationName,
    keyRingId: id,
  });

  console.log(`Created key ring: ${keyRing.name}`);
  return keyRing;
}

return createKeyRing();
```

PHP
To run this code, first learn about using PHP on Google Cloud and install the Cloud KMS PHP SDK.

```php
use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
use Google\Cloud\Kms\V1\CreateKeyRingRequest;
use Google\Cloud\Kms\V1\KeyRing;

function create_key_ring(
    string $projectId = 'my-project',
    string $locationId = 'us-east1',
    string $id = 'my-key-ring'
): KeyRing {
    // Create the Cloud KMS client.
    $client = new KeyManagementServiceClient();

    // Build the parent location name.
    $locationName = $client->locationName($projectId, $locationId);

    // Build the key ring.
    $keyRing = new KeyRing();

    // Call the API.
    $createKeyRingRequest = (new CreateKeyRingRequest())
        ->setParent($locationName)
        ->setKeyRingId($id)
        ->setKeyRing($keyRing);
    $createdKeyRing = $client->createKeyRing($createKeyRingRequest);
    printf('Created key ring: %s' . PHP_EOL, $createdKeyRing->getName());

    return $createdKeyRing;
}
```

Python
To run this code, first set up a Python development environment and install the Cloud KMS Python SDK.

```python
from google.cloud import kms


def create_key_ring(
    project_id: str, location_id: str, key_ring_id: str
) -> kms.KeyRing:
    """
    Creates a new key ring in Cloud KMS

    Args:
        project_id (string): Google Cloud project ID (e.g. 'my-project').
        location_id (string): Cloud KMS location (e.g. 'us-east1').
        key_ring_id (string): ID of the key ring to create (e.g. 'my-key-ring').

    Returns:
        KeyRing: Cloud KMS key ring.

    """

    # Create the client.
    client = kms.KeyManagementServiceClient()

    # Build the parent location name.
    location_name = f"projects/{project_id}/locations/{location_id}"

    # Build the key ring.
    key_ring = {}

    # Call the API.
    created_key_ring = client.create_key_ring(
        request={
            "parent": location_name,
            "key_ring_id": key_ring_id,
            "key_ring": key_ring,
        }
    )
    print(f"Created key ring: {created_key_ring.name}")
    return created_key_ring
```

Ruby
To run this code, first set up a Ruby development environment and install the Cloud KMS Ruby SDK.

```ruby
# TODO(developer): uncomment these values before running the sample.
# project_id = "my-project"
# location_id = "us-east1"
# id = "my-key-ring"

# Require the library.
require "google/cloud/kms"

# Create the client.
client = Google::Cloud::Kms.key_management_service

# Build the parent location name.
location_name = client.location_path project: project_id, location: location_id

# Build the key ring.
key_ring = {}

# Call the API.
created_key_ring = client.create_key_ring parent: location_name, key_ring_id: id, key_ring: key_ring
puts "Created key ring: #{created_key_ring.name}"
```

API
These examples use curl as an HTTP client to demonstrate using the API. For more information about access control, see Accessing the Cloud KMS API.

```sh
curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/keyRings?key_ring_id=KEY_RING" \
    --request "POST" \
    --header "authorization: Bearer TOKEN"
```

Replace the following:
- PROJECT_ID: the ID of the project that contains the key ring.
- KEY_RING: the name of the key ring that contains the key.
- LOCATION: the Cloud KMS location of the key ring.

See the KeyRing.create API documentation for more information.
What's next
- Learn how to create a key.
- Learn how to import keys.
- Learn how to create external keys.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.