
Cloud KMS in action

Let's discover Google Cloud KMS in action to store and share a secret

Posted on 2 mins read

For today’s tip, we’re going to have a look at Google Cloud KMS: the Key Management Service provided by GCP. We’ll introduce our concrete use case, and see how we use KMS to store and share our secret.

Use case

Secrets such as a Google service account JSON file, an AWS access key and secret, or a database username and password can be encrypted and decrypted with Google Cloud KMS. Cloud KMS does not store the secrets themselves: it encrypts secrets that you store elsewhere, and only the encryption key lives inside KMS.

Let’s illustrate with a real world example, step by step. We can encrypt and decrypt a service account JSON file used for Google Compute Engine instances. These instances are part of an ElasticSearch cluster. The Google Cloud admin creates the service account, and Terraform uses that service account to provision the compute instances as shown here.

The developers want a copy of the service account’s JSON file so that they can develop and test against the ElasticSearch cluster. Once the Google Cloud admin has created the plain-text service account JSON file, where and how should it be stored safely and securely? Keeping it on the admin’s laptop is not 100% safe and secure. Here are the steps that leverage Cloud KMS instead.

Note: For simplicity, we won’t talk about key rotation here.

Create a keyring

gcloud kms keyrings create dev_keyring --location global

Create a key

gcloud kms keys create sa --location global \
       --keyring dev_keyring --purpose encryption

The above command creates a key named sa for encrypting the Google service account JSON file.

Encrypt the service account file

gcloud kms encrypt --location=global --keyring=dev_keyring --key=sa \
       --plaintext-file=elasticsearch_svc_account.json \
       --ciphertext-file=elasticsearch_svc_account.json.enc

At this point, we can delete the plain text file elasticsearch_svc_account.json from the laptop.

Upload the encrypted file to a GCS bucket

export GOOGLE_PROJECT=$(gcloud config get-value project)
export ENV=dev
gsutil cp elasticsearch_svc_account.json.enc gs://${GOOGLE_PROJECT}-secrets-${ENV}/

Where should the encrypted secrets be stored? They can be kept in a GCS bucket or in any configuration management system’s data store, such as a Chef data bag, a Salt pillar, an Ansible vault, or HashiCorp Vault. In our Terraform example, the ciphertext is stored in a GCS bucket.

Decrypt the file

export GOOGLE_PROJECT=$(gcloud config get-value project)
export ENV=dev

gcloud kms decrypt --location=global --keyring=dev_keyring \
       --key=sa --plaintext-file=/dev/stdout \
       --ciphertext-file=<(gsutil cat gs://${GOOGLE_PROJECT}-secrets-${ENV}/elasticsearch_svc_account.json.enc)

In our Terraform example, we can use the Terraform external data provider, as in this example, to download and decrypt elasticsearch_svc_account.json.enc to the console. The Cloud admin can then hand the service account JSON to the developer who needs it via a secure channel.
