Encrypt Cloud Speech-to-Text resources
This page demonstrates how to set an encryption key in Cloud Speech-to-Text to encrypt Speech-to-Text resources.
Speech-to-Text lets you provide Cloud Key Management Service encryption keys and encrypts data with the provided key. To learn more about encryption, see Introduction to encryption.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.
Roles required to select or create a project
- Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
- Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
Verify that billing is enabled for your Google Cloud project.
Enable the Speech-to-Text APIs.
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.
Make sure that you have the following role or roles on the project: Cloud Speech Administrator
Check for the roles
In the Google Cloud console, go to the IAM page.
Go to IAM
- Select the project.
- In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.
- For all rows that specify or include you, check the Role column to see whether the list of roles includes the required roles.
Grant the roles
In the Google Cloud console, go to the IAM page.
Go to IAM
- Select the project.
- Click Grant access.
- In the New principals field, enter your user identifier. This is typically the email address for a Google Account.
- In the Select a role list, select a role.
- To grant additional roles, click Add another role and add each additional role.
- Click Save.
Install the Google Cloud CLI.
Note: If you installed the gcloud CLI previously, make sure you have the latest version by running gcloud components update.
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
To initialize the gcloud CLI, run the following command:
gcloud init
If you're using a local shell, then create local authentication credentials for your user account:
gcloud auth application-default login
You don't need to do this if you're using Cloud Shell.
If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.
Client libraries can use Application Default Credentials to easily authenticate with Google APIs and send requests to those APIs. With Application Default Credentials, you can test your application locally and deploy it without changing the underlying code. For more information, see Authenticate for using client libraries.
Also ensure you have installed the client library.
Enable access to Cloud Key Management Service keys
Cloud Speech-to-Text uses a service account to access your Cloud KMS keys. By default, the service account has no access to Cloud KMS keys.
The service account email address is the following:
service-PROJECT_NUMBER@gcp-sa-speech.iam.gserviceaccount.com
To encrypt Speech-to-Text resources using Cloud KMS keys, you can give this service account the roles/cloudkms.cryptoKeyEncrypterDecrypter role:
gcloud projects add-iam-policy-binding PROJECT_NUMBER \
    --member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-speech.iam.gserviceaccount.com \
    --role=roles/cloudkms.cryptoKeyEncrypterDecrypter
More information about project Identity and Access Management (IAM) policy is available at Manage access to projects, folders, and organizations.
More information about managing access to Cloud Storage is available at Create and Manage access control lists in the Cloud Storage documentation.
Specify an encryption key
Here is an example of providing an encryption key to Cloud Speech-to-Text using the Config resource:
Python
import os

from google.cloud.speech_v2 import SpeechClient
from google.cloud.speech_v2.types import cloud_speech

PROJECT_ID = os.getenv("GOOGLE_CLOUD_PROJECT")


def enable_cmek(
    kms_key_name: str,
) -> cloud_speech.Config:
    """Enable Customer-Managed Encryption Keys (CMEK) in a project and region.
    Args:
        kms_key_name (str): The full resource name of the KMS key to be used for encryption.
            E.g,: projects/{PROJECT_ID}/locations/{LOCATION}/keyRings/{KEY_RING}/cryptoKeys/{KEY_NAME}
    Returns:
        cloud_speech.Config: The response from the update configuration request,
        containing the updated configuration details.
    """
    # Instantiates a client
    client = SpeechClient()

    request = cloud_speech.UpdateConfigRequest(
        config=cloud_speech.Config(
            name=f"projects/{PROJECT_ID}/locations/global/config",
            kms_key_name=kms_key_name,
        ),
        update_mask={"paths": ["kms_key_name"]},
    )

    # Updates the KMS key for the project and region.
    response = client.update_config(request=request)

    print(f"Updated KMS key: {response.kms_key_name}")
    return response

When an encryption key is specified in the Config resource of your project, any new resources created in the corresponding location are encrypted using this key. See the Introduction to encryption page for more information on what is encrypted and when.
Encrypted resources have the kms_key_name and kms_key_version_name fields populated in Speech-to-Text API responses.
Remove encryption
To prevent future resources from being encrypted with an encryption key, use the code above and provide the empty string ("") as the key in the request. This ensures that new resources aren't encrypted. This command doesn't decrypt existing resources.
Key rotation and deletion
On key rotation, resources that are encrypted with a previous version of the Cloud KMS key remain encrypted with that version. Any resources created after the key rotation are encrypted with the new default version of the key. Any resources updated (using Update* methods) after the key rotation are re-encrypted with the new default version of the key.
On key deletion, Speech-to-Text can't decrypt your data and can't create resources or access resources encrypted with the deleted key. Likewise, when you revoke Speech-to-Text permission for a key, Speech-to-Text can't decrypt your data and can't create resources or access resources encrypted with the Speech-to-Text permission-revoked key.
Re-encrypt data
To re-encrypt your resources, you can call the corresponding Update* method for each resource after updating the key specification in the Config resource.
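The following is an added example, not part of the original Google sample code: it groups resources by encryption state using the kms_key_name and kms_key_version_name fields described above, so that resources still on an earlier key version or a different key stand out before you run the Update* step. It assumes each resource object exposes name, kms_key_name and kms_key_version_name, that the key's current version number is looked up separately in Cloud KMS, and it runs on constructed sample data with hypothetical project, key ring and key names.

```python
import re
from types import SimpleNamespace

# Format of kms_key_version_name: <key resource name>/cryptoKeyVersions/<number>
_VERSION_RE = re.compile(
    r"^(projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+)"
    r"/cryptoKeyVersions/(\d+)$"
)


def classify(resource, key_name, primary_version):
    """Return the encryption state of one resource relative to the Config key.

    key_name is the key set in Config; primary_version is that key's current
    version number (assumption: looked up separately in Cloud KMS).
    """
    if not resource.kms_key_name:
        return "unencrypted"
    if resource.kms_key_name != key_name:
        return "other-key"
    match = _VERSION_RE.match(resource.kms_key_version_name or "")
    if not match or match.group(1) != key_name:
        return "unknown-version"  # missing or inconsistent field, review by hand
    return "current" if int(match.group(2)) == primary_version else "stale-version"


def audit(resources, key_name, primary_version):
    """Group resource names by state; anything not 'current' needs attention."""
    report = {}
    for res in resources:
        state = classify(res, key_name, primary_version)
        report.setdefault(state, []).append(res.name)
    return report


# Constructed sample data standing in for listed recognizers.
KEY = "projects/example-project/locations/global/keyRings/example-ring/cryptoKeys/example-key"
OLD_KEY = KEY.replace("example-key", "retired-key")
PREFIX = "projects/example-project/locations/global/recognizers/"
SAMPLE = [
    SimpleNamespace(name=PREFIX + "r1", kms_key_name=KEY, kms_key_version_name=KEY + "/cryptoKeyVersions/3"),
    SimpleNamespace(name=PREFIX + "r2", kms_key_name=KEY, kms_key_version_name=KEY + "/cryptoKeyVersions/2"),
    SimpleNamespace(name=PREFIX + "r3", kms_key_name="", kms_key_version_name=""),
    SimpleNamespace(name=PREFIX + "r4", kms_key_name=OLD_KEY, kms_key_version_name=OLD_KEY + "/cryptoKeyVersions/1"),
]

if __name__ == "__main__":
    for state, names in audit(SAMPLE, KEY, primary_version=3).items():
        print(state, names)
```
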
Clean up
To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.
Optional: Revoke the authentication credentials that you created, and delete the local credential file.
gcloud auth application-default revoke
Optional: Revoke credentials from the gcloud CLI.
gcloud auth revoke
What's next
- Learn more about what is encrypted when specifying encryption keys in Speech-to-Text.
- Learn how to transcribe streaming audio.
- Learn how to transcribe long audio files.
- Learn how to transcribe short audio files.
- For best performance, accuracy, and other tips, see the best practices documentation.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.