Create protected resources using Cloud KMS Autokey

This page shows you how to create protected resources using keys created by Cloud KMS Autokey for encryption. For more information about Autokey, see Autokey overview.

Note: CreateKeyHandle requests can intermittently complete slowly or time out after 5 minutes. If the request has timed out, retry the operation.

Before you begin
Before you can create protected resources using Autokey, you must complete the following steps to prepare:
- If you don't already have a project where Autokey is enabled for either centralized or delegated key management, then you must first complete the setup steps in Enable Cloud KMS Autokey, and then return to this document.
- You need permissions to create resources in the chosen project. To find the specific roles required for each resource, see the service-specific documentation. You can find this documentation by locating the service in the CMEK integrations table and visiting the link for the type of resource that you want to create. No additional permissions are required to use Autokey to request keys on demand.
Using Autokey with Compute Engine resources
Autokey creates a new key for each disk, image, and machine image in the same location as the resource that is being created.

Autokey doesn't create new keys for snapshots. Snapshots should use the same key used to encrypt the disk. If you create a snapshot using the Google Cloud console, the encryption key used by the disk is automatically applied to the snapshot. If you create a snapshot using the gcloud CLI, Terraform, or the Compute Engine API, you must identify the key used to encrypt the disk and use that key to encrypt the snapshot.

For more information about using CMEK with snapshots, see Create a snapshot from a disk encrypted with CMEK.
Create a protected Compute Engine resource
Console
To create a disk, complete the following steps:
1. In the Google Cloud console, go to the Disks page.
2. Click Create disk and enter the properties for the new disk.
3. Under Encryption, select Cloud KMS key.
4. For Key type, select Cloud KMS with Autokey, and then click Request a new key. A message indicates when your key has been successfully created and is ready for use.
5. To finish creating the disk, click Create.

You can follow a similar process to create protected VM instance, image, and machine image resources.
Terraform
The following Terraform sample creates a key handle and uses the returned key to protect a new persistent disk resource:

resource "google_kms_key_handle" "my_key_handle" {
  provider               = google-beta
  project                = "RESOURCE_PROJECT_ID"
  name                   = "KEY_HANDLE"
  location               = "LOCATION"
  resource_type_selector = "compute.googleapis.com/Disk"
}

resource "google_compute_disk" "persistent_disk" {
  project                   = "RESOURCE_PROJECT_ID"
  name                      = "DISK_NAME"
  type                      = "pd-ssd"
  zone                      = "ZONE"
  size                      = 30
  physical_block_size_bytes = 4096
  disk_encryption_key {
    kms_key_self_link = google_kms_key_handle.my_key_handle.kms_key
  }
}

Replace the following:
- RESOURCE_PROJECT_ID: the project ID of the resource project where Autokey is enabled and where you want to create a protected resource.
- KEY_HANDLE: an ID to use for the key handle.
- LOCATION: the location where you want to create the protected resource.
- DISK_NAME: the name of the new disk.
- ZONE: the zone of the protected resource. This must be a zone within the location where you are creating the resource. For example, if you are creating the resource in the location us-central1, the zone could be us-central1-a.

Cloud KMS doesn't let you delete KeyHandle resources. If you're using a create-and-destroy pattern, attempting to recreate a KeyHandle produces an ALREADY_EXISTS error. To avoid this issue, you can import a previously-created KeyHandle. For more information, see Create-and-destroy patterns in Terraform on this page.
API
1. Request a new Cloud KMS key by creating a KeyHandle:

   curl -H "Content-Type: application/json" \
     -H "X-Goog-User-Project: USER_PROJECT" \
     -H "Authorization: Bearer TOKEN" \
     -X POST https://cloudkms.googleapis.com/v1/projects/RESOURCE_PROJECT_ID/locations/LOCATION/keyHandles \
     -d '{"resource_type_selector": "RESOURCE_TYPE"}'

   Replace the following:
   - USER_PROJECT: the project to be billed for charges associated with this request.
   - RESOURCE_PROJECT_ID: the project ID of the resource project where Autokey is enabled and where you want to create a protected resource.
   - LOCATION: the location where you want to create the protected resource.
   - RESOURCE_TYPE: the type of resource that you want to create, for example compute.googleapis.com/Disk.

   The output is similar to the following:

   {
     "name": "projects/RESOURCE_PROJECT_ID/locations/LOCATION/operations/OPERATION_ID",
     "metadata": {
       "@type": "type.googleapis.com/google.cloud.kms.v1.CreateKeyHandleMetadata"
     }
   }

   Make note of the OPERATION_ID from the output. You need this value to get the resource ID of the created key.

2. Find the Cloud KMS key associated with the key handle:

   curl -H "X-Goog-User-Project: USER_PROJECT" \
     -H "Authorization: Bearer TOKEN" \
     -X GET https://cloudkms.googleapis.com/v1/projects/RESOURCE_PROJECT_ID/locations/LOCATION/operations/OPERATION_ID

   Replace the following:
   - USER_PROJECT: the project to be billed for charges associated with this request.
   - RESOURCE_PROJECT_ID: the project ID of the resource project where Autokey is enabled and where you want to create a protected resource.
   - LOCATION: the location where you want to create the protected resource.
   - OPERATION_ID: the identifier of the key handle request operation from the output of the previous step.

   The output is similar to the following:

   {
     "name": "projects/RESOURCE_PROJECT_ID/locations/LOCATION/operations/OPERATION_ID",
     "done": true,
     "response": {
       "@type": "type.googleapis.com/google.cloud.kms.v1.KeyHandle",
       "name": "projects/RESOURCE_PROJECT_ID/locations/LOCATION/keyHandles/KEY_HANDLE",
       "kmsKey": "projects/KEY_PROJECT_ID/locations/LOCATION/keyRings/autokey/cryptoKeys/KEY_NAME",
       "resourceTypeSelector": "RESOURCE_TYPE"
     }
   }

   The value of the kmsKey element in the output is the full resource ID of the key created by Autokey for this resource. You can use this resource ID the same way that you use the resource ID for any other Cloud KMS resource.

3. Create an encrypted disk by using the gcloud compute disks create command, with the --kms-key flag:

   gcloud compute disks create DISK_NAME \
     --kms-key projects/KEY_PROJECT_ID/locations/LOCATION/keyRings/autokey/cryptoKeys/KEY_NAME

   Replace the following:
   - DISK_NAME: the name of the new disk.
   - KEY_PROJECT_ID: the project ID of the project where the key was created.
   - LOCATION: the location where you want to create the resource.
   - KEY_NAME: the name of the key returned in the output from the previous step.
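The API steps above are usually driven from a script rather than typed by hand. The following Python helper is an added example (it is not code from the Google Cloud page or from Google's own tooling) showing how such a script should consume the operation response: it extracts kmsKey only once the operation is done, then checks that the key actually satisfies what this page says Autokey produces (the autokey key ring, the same location as the resource, and a resourceTypeSelector equal to the requested type). It also covers the snapshot rule from the Compute Engine section, reading the disk's existing key so the same key can be passed when creating the snapshot. The sample operation and disk description are constructed to follow the response shapes shown on this page; the field diskEncryptionKey.kmsKeyName is the Compute Engine API disk field, and stripping a trailing cryptoKeyVersions segment from it is an assumption about how that value may be reported.

```python
import json
import re

# Cloud KMS key resource ID: projects/P/locations/L/keyRings/R/cryptoKeys/K
_KEY_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$"
)
# Optional key-version suffix (assumption: describe output may include it).
_VERSION_SUFFIX_RE = re.compile(r"/cryptoKeyVersions/\d+$")


def parse_key_name(key_name):
    """Split a Cloud KMS cryptoKey resource ID into its components."""
    m = _KEY_RE.match(key_name)
    if not m:
        raise ValueError(f"not a cryptoKey resource ID: {key_name}")
    return m.groupdict()


def key_from_operation(operation):
    """Return kmsKey from a finished CreateKeyHandle operation, or None while
    the operation is still running (the caller should poll again)."""
    if not operation.get("done"):
        return None
    if "error" in operation:
        raise RuntimeError(f"CreateKeyHandle failed: {operation['error']}")
    return operation["response"]["kmsKey"]


def check_autokey_key(key_name, expected_location, expected_selector, operation):
    """Verify the returned key matches what the page says Autokey creates:
    the 'autokey' key ring, the resource's location, and the requested type.
    Returns a list of problems; an empty list means the key is acceptable."""
    parts = parse_key_name(key_name)
    problems = []
    if parts["ring"] != "autokey":
        problems.append(f"key ring is {parts['ring']!r}, expected 'autokey'")
    if parts["location"] != expected_location:
        problems.append(
            f"key location {parts['location']!r} != resource location {expected_location!r}"
        )
    selector = operation.get("response", {}).get("resourceTypeSelector")
    if selector != expected_selector:
        problems.append(f"resourceTypeSelector {selector!r} != {expected_selector!r}")
    return problems


def zone_in_location(zone, location):
    """A zone such as us-central1-a belongs to the location us-central1."""
    return zone.rsplit("-", 1)[0] == location


def disk_key_for_snapshot(disk_description):
    """Given parsed `gcloud compute disks describe --format=json` output, return
    the cryptoKey to reuse for the disk's snapshot, or None if the disk is not
    CMEK-protected. A key-version suffix is removed if present (assumption)."""
    key = disk_description.get("diskEncryptionKey", {}).get("kmsKeyName")
    if not key:
        return None
    return _VERSION_SUFFIX_RE.sub("", key)


# Constructed sample data, following the response shapes shown on this page.
SAMPLE_OPERATION = json.loads("""{
  "name": "projects/res-proj/locations/us-central1/operations/op-123",
  "done": true,
  "response": {
    "@type": "type.googleapis.com/google.cloud.kms.v1.KeyHandle",
    "name": "projects/res-proj/locations/us-central1/keyHandles/disk-handle",
    "kmsKey": "projects/key-proj/locations/us-central1/keyRings/autokey/cryptoKeys/disk-key-1",
    "resourceTypeSelector": "compute.googleapis.com/Disk"
  }
}""")

SAMPLE_DISK = {  # constructed fragment of a disk description
    "name": "data-disk",
    "zone": "projects/res-proj/zones/us-central1-a",
    "diskEncryptionKey": {
        "kmsKeyName": "projects/key-proj/locations/us-central1/keyRings/autokey"
                      "/cryptoKeys/disk-key-1/cryptoKeyVersions/1"
    },
}

if __name__ == "__main__":
    key = key_from_operation(SAMPLE_OPERATION)
    print("key:", key)
    print("problems:", check_autokey_key(key, "us-central1",
                                         "compute.googleapis.com/Disk", SAMPLE_OPERATION))
    print("zone ok:", zone_in_location("us-central1-a", "us-central1"))
    print("snapshot key:", disk_key_for_snapshot(SAMPLE_DISK))
```

In a real pipeline the operation JSON comes from the GET in step 2, polled until done is true; the check functions are the gate before the key is handed to the gcloud compute disks create or snapshot commands, so a key in the wrong location or key ring fails the run instead of silently protecting the resource with something unexpected.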
Using Autokey with Cloud Storage resources
Autokey creates a new key in the same location as the bucket. The key created by Autokey is assigned as the bucket default key.

Autokey doesn't create keys for objects. By default, objects created in a bucket use the bucket default key. If you want to encrypt an object using a key other than the bucket default key, you can create a CMEK and use that key when creating the object.

If you want to change the default key assigned to a bucket, you can use an existing CMEK, including keys created by Autokey.
Create a protected Cloud Storage resource
Console
1. In the Google Cloud console, go to the Create a bucket page.
2. Follow the instructions to Create a new bucket up to the instruction Choose how to protect object data.
3. Under Choose how to protect object data, expand the Data encryption section, and then select Cloud KMS key.
4. For Key type, select Cloud KMS with Autokey, and then click Request a new key. A message indicates when your key has been successfully created and is ready for use.
5. To finish creating the bucket, click Create.
Terraform
The following Terraform sample creates a key handle and uses the returned key to protect a new storage bucket:

resource "google_kms_key_handle" "my_key_handle" {
  provider               = google-beta
  project                = "RESOURCE_PROJECT_ID"
  name                   = "KEY_HANDLE"
  location               = "LOCATION"
  resource_type_selector = "storage.googleapis.com/Bucket"
}

resource "google_storage_bucket" "simple_bucket_name" {
  name                        = "BUCKET_NAME"
  location                    = "LOCATION"
  force_destroy               = true
  project                     = "RESOURCE_PROJECT_ID"
  uniform_bucket_level_access = true
  encryption {
    default_kms_key_name = google_kms_key_handle.my_key_handle.kms_key
  }
}

Replace the following:
- RESOURCE_PROJECT_ID: the project ID of the resource project where Autokey is enabled and where you want to create a protected resource.
- KEY_HANDLE: an ID to use for the key handle.
- LOCATION: the location where you want to create the protected resource.
- BUCKET_NAME: the name of the new bucket.

Cloud KMS doesn't let you delete KeyHandle resources. If you're using a create-and-destroy pattern, attempting to recreate a KeyHandle produces an ALREADY_EXISTS error. To avoid this issue, you can import a previously-created KeyHandle. For more information, see Create-and-destroy patterns in Terraform on this page.
API
1. Request a new Cloud KMS key by creating a KeyHandle:

   curl -H "Content-Type: application/json" \
     -H "X-Goog-User-Project: USER_PROJECT" \
     -H "Authorization: Bearer TOKEN" \
     -X POST https://cloudkms.googleapis.com/v1/projects/RESOURCE_PROJECT_ID/locations/LOCATION/keyHandles \
     -d '{"resource_type_selector": "RESOURCE_TYPE"}'

   Replace the following:
   - USER_PROJECT: the project to be billed for charges associated with this request.
   - RESOURCE_PROJECT_ID: the project ID of the resource project where Autokey is enabled and where you want to create a protected resource.
   - LOCATION: the location where you want to create the protected resource.
   - RESOURCE_TYPE: the type of resource that you want to create, for example storage.googleapis.com/Bucket.

   The output is similar to the following:

   {
     "name": "projects/RESOURCE_PROJECT_ID/locations/LOCATION/operations/OPERATION_ID",
     "metadata": {
       "@type": "type.googleapis.com/google.cloud.kms.v1.CreateKeyHandleMetadata"
     }
   }

   Make note of the OPERATION_ID from the output. You need this value to get the resource ID of the created key.

2. Find the Cloud KMS key associated with the key handle:

   curl -H "X-Goog-User-Project: USER_PROJECT" \
     -H "Authorization: Bearer TOKEN" \
     -X GET https://cloudkms.googleapis.com/v1/projects/RESOURCE_PROJECT_ID/locations/LOCATION/operations/OPERATION_ID

   Replace the following:
   - USER_PROJECT: the project to be billed for charges associated with this request.
   - RESOURCE_PROJECT_ID: the project ID of the resource project where Autokey is enabled and where you want to create a protected resource.
   - LOCATION: the location where you want to create the protected resource.
   - OPERATION_ID: the identifier of the key handle request operation from the output of the previous step.

   The output is similar to the following:

   {
     "name": "projects/RESOURCE_PROJECT_ID/locations/LOCATION/operations/OPERATION_ID",
     "done": true,
     "response": {
       "@type": "type.googleapis.com/google.cloud.kms.v1.KeyHandle",
       "name": "projects/RESOURCE_PROJECT_ID/locations/LOCATION/keyHandles/KEY_HANDLE",
       "kmsKey": "projects/KEY_PROJECT_ID/locations/LOCATION/keyRings/autokey/cryptoKeys/KEY_NAME",
       "resourceTypeSelector": "RESOURCE_TYPE"
     }
   }

   The value of the kmsKey element in the output is the full resource ID of the key created by Autokey for this resource. You can use this resource ID the same way you would use the resource ID for any other Cloud KMS resource.

3. Create an encrypted bucket by using the gcloud storage buckets create command, with the --default-encryption-key flag:

   gcloud storage buckets create gs://BUCKET_NAME \
     --location=LOCATION \
     --default-encryption-key=projects/KEY_PROJECT_ID/locations/LOCATION/keyRings/autokey/cryptoKeys/KEY_NAME

   Replace the following:
   - BUCKET_NAME: the name of the new bucket. The bucket name must follow the bucket naming requirements.
   - LOCATION: the location where you want to create the bucket. The key is in the same location.
   - KEY_PROJECT_ID: the project ID of the project where the key was created.
   - KEY_NAME: the name of the key returned in the output from the previous step.
Using Autokey with BigQuery resources
Cloud KMS is available in several editions of BigQuery. Make sure the edition of BigQuery that you are using is compatible with Cloud KMS before you try to use Autokey to protect BigQuery resources. For more information about BigQuery editions, see Understand BigQuery editions.

For each new dataset, Autokey creates a new key, in the same location as the resource itself, which becomes the dataset default key.

Autokey doesn't create keys for tables, queries, temporary tables, or models. By default, these resources are protected by the dataset default key. If you want to protect a resource in a dataset using a key other than the dataset default key, you can manually create a CMEK and use that key when creating the resource.

For queries and temporary tables that are not inside a dataset, use project default keys. Use a different project default key for each location in the project that contains BigQuery resources. For more information about using project default keys, see Set a project default key.

For more information about using CMEK with BigQuery, see Customer-managed Cloud KMS keys.
Create a protected BigQuery resource
Console
Before attempting to create a BigQuery dataset using Autokey, make sure you have the required permissions. For more information about creating datasets, see Create datasets.
1. In the Google Cloud console, go to the BigQuery page.
2. Follow the instructions to Create a dataset until you get to Advanced options > Encryption.
3. Under Encryption, select Cloud KMS key.
4. For Key type, select Cloud KMS with Autokey, and then click Request a new key. A message indicates when your key has been successfully created and is ready for use.
5. To finish creating the dataset, click Create dataset.
Terraform
The following Terraform sample creates a key handle and uses the returned key to protect a new dataset:

resource "google_kms_key_handle" "my_key_handle" {
  provider               = google-beta
  project                = "RESOURCE_PROJECT_ID"
  name                   = "test-key-handle"
  location               = "LOCATION"
  resource_type_selector = "bigquery.googleapis.com/Dataset"
}

resource "google_bigquery_dataset" "dataset" {
  project                     = "RESOURCE_PROJECT_ID"
  dataset_id                  = "DATASET_ID"
  friendly_name               = "DATASET_NAME"
  description                 = "DATASET_DESCRIPTION"
  location                    = "LOCATION"
  default_table_expiration_ms = 3600000
  default_encryption_configuration {
    kms_key_name = google_kms_key_handle.my_key_handle.kms_key
  }
}

Replace the following:
- RESOURCE_PROJECT_ID: the project ID of the resource project where Autokey is enabled and where you want to create a protected resource.
- LOCATION: the location where you want to create the protected resource.
- DATASET_ID: the ID to use for the new dataset.
- DATASET_NAME: a human-friendly name for the new dataset.
- DATASET_DESCRIPTION: a description for the new dataset.

Cloud KMS doesn't let you delete KeyHandle resources. If you're using a create-and-destroy pattern, attempting to recreate a KeyHandle produces an ALREADY_EXISTS error. To avoid this issue, you can import a previously-created KeyHandle. For more information, see Create-and-destroy patterns in Terraform on this page.
API
1. Request a new Cloud KMS key by creating a KeyHandle:

   curl -H "Content-Type: application/json" \
     -H "X-Goog-User-Project: USER_PROJECT" \
     -H "Authorization: Bearer TOKEN" \
     -X POST https://cloudkms.googleapis.com/v1/projects/RESOURCE_PROJECT_ID/locations/LOCATION/keyHandles \
     -d '{"resource_type_selector": "RESOURCE_TYPE"}'

   Replace the following:
   - USER_PROJECT: the project to be billed for charges associated with this request.
   - RESOURCE_PROJECT_ID: the project ID of the resource project where Autokey is enabled and where you want to create a protected resource.
   - LOCATION: the location where you want to create the protected resource.
   - RESOURCE_TYPE: the type of resource that you want to create, for example bigquery.googleapis.com/Dataset.

   The output is similar to the following:

   {
     "name": "projects/RESOURCE_PROJECT_ID/locations/LOCATION/operations/OPERATION_ID",
     "metadata": {
       "@type": "type.googleapis.com/google.cloud.kms.v1.CreateKeyHandleMetadata"
     }
   }

   Make note of the OPERATION_ID from the output. You need this value to get the resource ID of the created key.

2. Find the Cloud KMS key associated with the key handle:

   curl -H "X-Goog-User-Project: USER_PROJECT" \
     -H "Authorization: Bearer TOKEN" \
     -X GET https://cloudkms.googleapis.com/v1/projects/RESOURCE_PROJECT_ID/locations/LOCATION/operations/OPERATION_ID

   Replace the following:
   - USER_PROJECT: the project to be billed for charges associated with this request.
   - RESOURCE_PROJECT_ID: the project ID of the resource project where Autokey is enabled and where you want to create a protected resource.
   - LOCATION: the location where you want to create the protected resource.
   - OPERATION_ID: the identifier of the key handle request operation from the output of the previous step.

   The output is similar to the following:

   {
     "name": "projects/RESOURCE_PROJECT_ID/locations/LOCATION/operations/OPERATION_ID",
     "done": true,
     "response": {
       "@type": "type.googleapis.com/google.cloud.kms.v1.KeyHandle",
       "name": "projects/RESOURCE_PROJECT_ID/locations/LOCATION/keyHandles/KEY_HANDLE",
       "kmsKey": "projects/KEY_PROJECT_ID/locations/LOCATION/keyRings/autokey/cryptoKeys/KEY_NAME",
       "resourceTypeSelector": "RESOURCE_TYPE"
     }
   }

   The value of the kmsKey element in the output is the full resource ID of the key created by Autokey for this resource. You can use this resource ID the same way you would use the resource ID for any other Cloud KMS resource.

3. Create an encrypted dataset by using the bq mk command, with the --default_kms_key flag:

   bq --location=LOCATION mk \
     --dataset \
     --default_kms_key=projects/KEY_PROJECT_ID/locations/LOCATION/keyRings/autokey/cryptoKeys/KEY_NAME \
     --default_table_expiration=TABLE_EXPIRATION \
     --description="DATASET_DESCRIPTION" \
     RESOURCE_PROJECT_ID:DATASET_ID

   Replace the following:
   - LOCATION: the location where you want to create the dataset.
   - KEY_PROJECT_ID: the project ID of the project where the key was created.
   - KEY_NAME: the name of the key returned in the output from the previous step.
   - TABLE_EXPIRATION: the default lifetime for new tables in this dataset, in seconds.
   - DATASET_DESCRIPTION: a description for the new dataset.
   - RESOURCE_PROJECT_ID: the project ID of the resource project where Autokey is enabled and where you want to create a protected resource.
   - DATASET_ID: the ID of the dataset that you're creating.

For more information about the bq tool, see Explore the bq command-line tool.
Using Autokey with Secret Manager resources
Autokey creates a single key to protect all secrets in the same project and location. When the key rotates, new secrets added to the project use the new primary version of the key.

Secret Manager is only compatible with Cloud KMS Autokey when creating resources using Terraform or the REST API.
Create a protected Secret Manager resource
Terraform
The following Terraform sample creates a key handle and uses the returned key to protect a new secret with automatic replication:

resource "google_kms_key_handle" "my_key_handle" {
  provider               = google-beta
  project                = "RESOURCE_PROJECT_ID"
  name                   = "test-key-handle"
  location               = "global"
  resource_type_selector = "secretmanager.googleapis.com/Secret"
}

resource "google_secret_manager_secret" "my_secret" {
  project   = "RESOURCE_PROJECT_ID"
  secret_id = "SECRET_ID"
  replication {
    auto {
      customer_managed_encryption {
        kms_key_name = google_kms_key_handle.my_key_handle.kms_key
      }
    }
  }
}

Replace the following:
- RESOURCE_PROJECT_ID: the project ID of the resource project where Autokey is enabled and where you want to create a protected resource.
- SECRET_ID: the ID to use for the new secret.

If you attempt to create a key handle for a secret in the same project and location for which a key handle already exists, an error message returns the details of the existing key handle. If this happens, make sure that you only have one block creating the key handle. You can reuse the key handle using its ID (KEY_HANDLE) to create additional secrets that should share the key.

Cloud KMS doesn't let you delete KeyHandle resources. If you're using a create-and-destroy pattern, attempting to recreate a KeyHandle produces an ALREADY_EXISTS error. To avoid this issue, you can import a previously-created KeyHandle. For more information, see Create-and-destroy patterns in Terraform on this page.
API
1. Request a new Cloud KMS key by creating a KeyHandle:

   curl -H "Content-Type: application/json" \
     -H "X-Goog-User-Project: USER_PROJECT" \
     -H "Authorization: Bearer TOKEN" \
     -X POST https://cloudkms.googleapis.com/v1/projects/RESOURCE_PROJECT_ID/locations/LOCATION/keyHandles \
     -d '{"resource_type_selector": "RESOURCE_TYPE"}'

   Replace the following:
   - USER_PROJECT: the project to be billed for charges associated with this request.
   - RESOURCE_PROJECT_ID: the project ID of the resource project where Autokey is enabled and where you want to create a protected resource.
   - LOCATION: the location where you want to create the protected resource.
   - RESOURCE_TYPE: the type of resource that you want to create, for example secretmanager.googleapis.com/Secret.

   The output is similar to the following:

   {
     "name": "projects/RESOURCE_PROJECT_ID/locations/LOCATION/operations/OPERATION_ID",
     "metadata": {
       "@type": "type.googleapis.com/google.cloud.kms.v1.CreateKeyHandleMetadata"
     }
   }

   Make note of the OPERATION_ID from the output. You need this value to get the resource ID of the created key.

   If you attempt to create a key handle for a secret in the same project and location for which a key handle already exists, an error message returns the details of the existing key handle. In this case, skip over the next step and use the key resource ID in the existingKmsKey field to protect your new secret.

2. Find the Cloud KMS key associated with the key handle:

   curl -H "X-Goog-User-Project: USER_PROJECT" \
     -H "Authorization: Bearer TOKEN" \
     -X GET https://cloudkms.googleapis.com/v1/projects/RESOURCE_PROJECT_ID/locations/LOCATION/operations/OPERATION_ID

   Replace the following:
   - USER_PROJECT: the project to be billed for charges associated with this request.
   - RESOURCE_PROJECT_ID: the project ID of the resource project where Autokey is enabled and where you want to create a protected resource.
   - LOCATION: the location where you want to create the protected resource.
   - OPERATION_ID: the identifier of the key handle request operation from the output of the previous step.

   The output is similar to the following:

   {
     "name": "projects/RESOURCE_PROJECT_ID/locations/LOCATION/operations/OPERATION_ID",
     "done": true,
     "response": {
       "@type": "type.googleapis.com/google.cloud.kms.v1.KeyHandle",
       "name": "projects/RESOURCE_PROJECT_ID/locations/LOCATION/keyHandles/KEY_HANDLE",
       "kmsKey": "projects/KEY_PROJECT_ID/locations/LOCATION/keyRings/autokey/cryptoKeys/KEY_NAME",
       "resourceTypeSelector": "RESOURCE_TYPE"
     }
   }

   The value of the kmsKey element in the output is the full resource ID of the key created by Autokey for this resource. You can use this resource ID the same way you would use the resource ID for any other Cloud KMS resource.

3. Create an encrypted secret with automatic replication by using the gcloud secrets create command, with the --kms-key-name flag:

   gcloud secrets create "SECRET_ID" \
     --replication-policy "automatic" \
     --kms-key-name "projects/KEY_PROJECT_ID/locations/global/keyRings/autokey/cryptoKeys/KEY_NAME" \
     --project "RESOURCE_PROJECT_ID"

   Replace the following:
   - SECRET_ID: the ID to use for the new secret.
   - KEY_PROJECT_ID: the project ID of the project where the key was created.
   - KEY_NAME: the name of the key returned in the output from the previous step.
   - RESOURCE_PROJECT_ID: the project ID of the resource project where Autokey is enabled and where you want to create a protected resource.
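Because Autokey keeps one key per project and location for all secrets, a script that provisions secrets must handle two replies to the CreateKeyHandle request in step 1: a normal long-running operation for the first secret, and an error carrying existingKmsKey for every later one. The following Python helper is an added example (not code from this page or from Google) that makes that decision and then builds the gcloud secrets create invocation from step 3, refusing any key that is not in the global location. The success reply is constructed from the operation shape shown on this page; the exact nesting of existingKmsKey inside the error payload is not shown on the page, so the sample error body and the recursive field search are assumptions.

```python
import json


def find_field(obj, field):
    """Depth-first search for a field name anywhere in a JSON-like value.
    Used because the exact nesting of existingKmsKey inside the error
    payload is not specified on the page (assumption)."""
    if isinstance(obj, dict):
        if field in obj:
            return obj[field]
        for v in obj.values():
            hit = find_field(v, field)
            if hit is not None:
                return hit
    elif isinstance(obj, list):
        for v in obj:
            hit = find_field(v, field)
            if hit is not None:
                return hit
    return None


def resolve_secret_key(status_code, body):
    """Decide which key protects a new secret from the CreateKeyHandle reply.
    Returns (key_name, reused_existing):
      - 2xx, operation done:            the new kmsKey, reused_existing=False
      - 2xx, operation still running:   (None, False); caller polls step 2
      - 409 / ALREADY_EXISTS with existingKmsKey: that key, reused_existing=True
    Any other error is raised so provisioning stops instead of continuing
    with an unprotected secret."""
    if 200 <= status_code < 300:
        if not body.get("done"):
            return None, False
        return body["response"]["kmsKey"], False
    err = body.get("error", {})
    existing = find_field(err, "existingKmsKey")
    if (status_code == 409 or err.get("status") == "ALREADY_EXISTS") and existing:
        return existing, True
    raise RuntimeError(
        f"CreateKeyHandle failed with HTTP {status_code}: {err.get('message', body)}"
    )


def secrets_create_args(secret_id, key_name, resource_project):
    """Build argv for the `gcloud secrets create` call from step 3. Keys for
    automatically replicated secrets are created in location global, so any
    other location is rejected before the command runs."""
    if "/locations/global/" not in key_name:
        raise ValueError(f"secret key must live in location global: {key_name}")
    return [
        "gcloud", "secrets", "create", secret_id,
        "--replication-policy", "automatic",
        "--kms-key-name", key_name,
        "--project", resource_project,
    ]


# Constructed sample replies. The success shape follows this page; the error
# shape (a google.rpc.Status with existingKmsKey in its details) is assumed.
NEW_KEY_REPLY = json.loads("""{
  "name": "projects/res-proj/locations/global/operations/op-1",
  "done": true,
  "response": {
    "@type": "type.googleapis.com/google.cloud.kms.v1.KeyHandle",
    "name": "projects/res-proj/locations/global/keyHandles/secret-handle",
    "kmsKey": "projects/key-proj/locations/global/keyRings/autokey/cryptoKeys/secret-key-1",
    "resourceTypeSelector": "secretmanager.googleapis.com/Secret"
  }
}""")

ALREADY_EXISTS_REPLY = json.loads("""{
  "error": {
    "code": 409,
    "message": "KeyHandle already exists for this resource type",
    "status": "ALREADY_EXISTS",
    "details": [
      {"existingKmsKey": "projects/key-proj/locations/global/keyRings/autokey/cryptoKeys/secret-key-1"}
    ]
  }
}""")

if __name__ == "__main__":
    for status, reply in ((200, NEW_KEY_REPLY), (409, ALREADY_EXISTS_REPLY)):
        key, reused = resolve_secret_key(status, reply)
        print("reused existing key" if reused else "new key", key)
        print(" ".join(secrets_create_args("db-password", key, "res-proj")))
```

The status code and body would come from the curl call in step 1 (for example curl -w with the HTTP code, or an HTTP client library); whatever the transport, the point is that ALREADY_EXISTS is the expected outcome for the second and later secrets and must be treated as "reuse", while every other failure must abort.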
Using Autokey with Dataflow resources
Autokey can be used to create a single key for each Dataflow job.
API
1. Request a new Cloud KMS key by creating a KeyHandle:

   curl -H "Content-Type: application/json" \
     -H "X-Goog-User-Project: USER_PROJECT" \
     -H "Authorization: Bearer TOKEN" \
     -X POST https://cloudkms.googleapis.com/v1/projects/RESOURCE_PROJECT_ID/locations/LOCATION/keyHandles \
     -d '{"resource_type_selector": "dataflow.googleapis.com/Job"}'

   Replace the following:
   - USER_PROJECT: the project to be billed for charges associated with this request.
   - RESOURCE_PROJECT_ID: the project ID of the resource project where Autokey is enabled and where you want to create a protected resource.
   - LOCATION: the location where you want to create the protected resource.

   The output is similar to the following:

   {
     "name": "projects/RESOURCE_PROJECT_ID/locations/LOCATION/operations/OPERATION_ID",
     "metadata": {
       "@type": "type.googleapis.com/google.cloud.kms.v1.CreateKeyHandleMetadata"
     }
   }

   Make note of the OPERATION_ID from the output. You need this value to get the resource ID of the created key.

2. Find the Cloud KMS key associated with the key handle:

   curl -H "X-Goog-User-Project: USER_PROJECT" \
     -H "Authorization: Bearer TOKEN" \
     -X GET https://cloudkms.googleapis.com/v1/projects/RESOURCE_PROJECT_ID/locations/LOCATION/operations/OPERATION_ID

   Replace the following:
   - USER_PROJECT: the project to be billed for charges associated with this request.
   - RESOURCE_PROJECT_ID: the project ID of the resource project where Autokey is enabled and where you want to create a protected resource.
   - LOCATION: the location where you want to create the protected resource.
   - OPERATION_ID: the identifier of the key handle request operation from the output of the previous step.

   The output is similar to the following:

   {
     "name": "projects/RESOURCE_PROJECT_ID/locations/LOCATION/operations/OPERATION_ID",
     "done": true,
     "response": {
       "@type": "type.googleapis.com/google.cloud.kms.v1.KeyHandle",
       "name": "projects/RESOURCE_PROJECT_ID/locations/LOCATION/keyHandles/KEY_HANDLE",
       "kmsKey": "projects/KEY_PROJECT_ID/locations/LOCATION/keyRings/autokey/cryptoKeys/KEY_NAME",
       "resourceTypeSelector": "RESOURCE_TYPE"
     }
   }

   The value of the kmsKey element in the output is the full resource ID of the key created by Autokey for this resource. You can use this resource ID the same way you would use the resource ID for any other Cloud KMS resource.
Create-and-destroy patterns in Terraform
Cloud KMS doesn't let you delete KeyHandle resources. If you're using Terraform and a create-and-destroy pattern, attempting to recreate a KeyHandle produces an ALREADY_EXISTS error. You can avoid this issue by using an import block. Insert the following block before the resource block for the google_kms_key_handle resource:

import {
  to = google_kms_key_handle.KEY_HANDLE
  id = "projects/RESOURCE_PROJECT_ID/locations/LOCATION/keyHandles/KEY_HANDLE"
}

What's next
- Learn more about when to use Autokey.
- Learn more about how Autokey works.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.