Use CMEK with Google Cloud Serverless for Apache Spark
Stay organized with collections
Save and categorize content based on your preferences.
By default, Google Cloud Serverless for Apache Spark encrypts customer content at
rest. Serverless for Apache Spark handles encryption for you without any
additional actions on your part. This option is called Google default encryption.
If you want to control your encryption keys, then you can use customer-managed encryption keys
(CMEKs) in Cloud KMS with CMEK-integrated services including
Serverless for Apache Spark. Using Cloud KMS keys gives you control over their protection
level, location, rotation schedule, usage and access permissions, and cryptographic boundaries.
Using Cloud KMS also lets
you track key usage, view audit logs, and
control key lifecycles.
Instead of Google owning and managing the symmetric
key encryption keys (KEKs) that protect your data, you control and
manage these keys in Cloud KMS.
After you set up your resources with CMEKs, the experience of accessing your
Serverless for Apache Spark resources is similar to using Google default encryption.
For more information about your encryption
options, see Customer-managed encryption keys (CMEK).
Use CMEK
Follow the steps in this section to use CMEK to encrypt data that Google Cloud Serverless for Apache Spark
writes to persistent disk and to the Dataproc staging bucket.
KMS_PROJECT_ID: the ID of your Google Cloud project that
runs Cloud KMS. This project can also be the project that runs Dataproc resources.
PROJECT_NUMBER: the project number (not the project ID) of your Google Cloud project that runs Dataproc resources.
Enable the Cloud KMS API on the project that runs Serverless for Apache Spark resources.
If the Dataproc Service Agent role is not attached to the Dataproc Service Agent service account,
then add the serviceusage.services.use permission to the custom
role attached to the Dataproc Service Agent service account. If the Dataproc Service Agent role is
attached to the Dataproc Service Agent service account, you can skip this step.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-10-24 UTC."],[],[]]