By default, Eventarc encrypts customer content at rest. Eventarc handles encryption for you without any additional actions on your part. This option is called Google default encryption.
If you want to control your encryption keys, then you can use customer-managed encryption keys (CMEKs) in Cloud KMS with CMEK-integrated services including Eventarc. Using Cloud KMS keys gives you control over their protection level, location, rotation schedule, usage and access permissions, and cryptographic boundaries. Using Cloud KMS also lets you view audit logs and control key lifecycles. Instead of Google owning and managing the symmetric key encryption keys (KEKs) that protect your data, you control and manage these keys in Cloud KMS.
After you set up your resources with CMEKs, the experience of accessing your Eventarc resources is similar to using Google default encryption. For more information about your encryption options, see Customer-managed encryption keys (CMEK).
Customer-managed encryption keys are stored as software keys, in a Cloud HSM cluster, or externally using Cloud External Key Manager.
Cloud KMS produces audit logs when keys are enabled, disabled, or used by Eventarc Advanced resources to encrypt and decrypt messages. For more information, see the Cloud KMS audit logging information.
What is protected with CMEK
You can configure CMEK for a channel that Eventarc Standard uses and encrypt the events that pass through the channel. Enabling a channel with CMEK protects the data associated with it by using an encryption key that only you can access.
When you enable CMEK for the Google channel in a Google Cloud project, all Eventarc Standard triggers for Google event types in that project and region are fully encrypted with that CMEK key. CMEK keys can't be applied on a per-trigger basis.
Before you begin
Before using this feature in Eventarc, you should:
Console
- Enable the Cloud KMS and Eventarc APIs. To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.
- Create a key ring.
- Create a key for a specified key ring.
gcloud
- Update gcloud components:
  gcloud components update
- Enable the Cloud KMS and Eventarc APIs for the project that will store your encryption keys:
  gcloud services enable cloudkms.googleapis.com eventarc.googleapis.com
- Create a key ring.
- Create a key for a specified key ring.
For information on all flags and possible values, run the command with the
--help flag.
Terraform
- Enable the Cloud KMS and Eventarc APIs for the project that will store your encryption keys by configuring the google_project_service resource:
- Create a key ring and key by configuring the google_kms_key_ring and google_kms_crypto_key resources:
For more information about using Terraform, see the Terraform on Google Cloud documentation.
Note that Cloud KMS and Eventarc are regionalized services. The region for the Cloud KMS key and the protected Eventarc channel must be the same.
Grant the Eventarc service account access to a key
To grant the Eventarc service account access to the Cloud KMS key, add the service account as a principal of the key, and grant the service account the Cloud KMS CryptoKey Encrypter/Decrypter role:
Console
When you enable CMEK for a Google or third-party channel through the console, you are prompted to grant the Cloud KMS CryptoKey Encrypter/Decrypter role to the service account. For more information, in this document, see Enable CMEK for Google event types or Enable CMEK for a third-party event channel.
gcloud
gcloud kms keys add-iam-policy-binding KEY_NAME \
  --keyring RING_NAME \
  --location LOCATION \
  --member serviceAccount:SERVICE_AGENT_EMAIL \
  --role roles/cloudkms.cryptoKeyEncrypterDecrypter
Replace the following:
- KEY_NAME: the name of the key. For example, my-key.
- RING_NAME: the name of the key ring. For example, my-keyring.
- LOCATION: the location of the key. For example, us-central1.
- SERVICE_AGENT_EMAIL: the email address of the service account with the eventarc.serviceAgent role. For example, service-PROJECT_NUMBER@gcp-sa-eventarc.iam.gserviceaccount.com. For more information, see Service agents.
Terraform
- Generate the service identity for the Eventarc service by configuring the google_project_service_identity resource:
- Grant the Cloud KMS role to the Eventarc service account by configuring the google_kms_crypto_key_iam_member resource:
Enable CMEK for Google event types
Eventarc triggers that route Google event types publish events to a virtual channel referred to as a Google channel, which is specific to a project and region. This virtual channel is available in all Eventarc regions.
When you enable CMEK for the Google channel in a Google Cloud project, all Eventarc triggers for Google event types in that project and region are fully encrypted with that CMEK key. You can add multiple CMEK keys, and associate each with a specific region for the Google channel. CMEK keys can't be applied on a per-trigger basis.
Console
- In the Google Cloud console, go to the Eventarc > Channels page. 
- Click a channel with a Google Provider. 
- In the Edit channel page, select the Use a customer-managed encryption key (CMEK) checkbox. 
- Click Add encryption key. 
- Select a Region and, in the CMEK encryption key list, select a key ring that you have created for the region. Note that you can add only one encryption key per region for a channel. 
- Optional: To manually enter the resource name of the key, in the CMEK encryption key list, click Don't see your key? Enter key resource name, and enter the key name in the specified format. 
- If prompted, grant the cloudkms.cryptoKeyEncrypterDecrypter role to the Eventarc service account with the eventarc.serviceAgent role.
- Optional: Click Add encryption key to add another key ring that you have created for a different region. 
- Click Save. 
gcloud
gcloud eventarc google-channels update \
  --location=LOCATION \
  --crypto-key=KEY
Replace the following:
- LOCATION: the region of the Google channel to be protected. It must match the location of the key used. Note that you can add only one encryption key per region for a channel.
- KEY: the fully qualified Cloud KMS key name in the format projects/PROJECT_ID/locations/LOCATION/keyRings/RING_NAME/cryptoKeys/KEY_NAME.
Terraform
Enable CMEK for the GoogleChannelConfig resource in a given project and location by configuring the google_eventarc_google_channel_config resource:
REST
You can update the GoogleChannelConfig resource using the projects.locations.updateGoogleChannelConfig method and specify a CMEK key for a given project and location.
Before using any of the request data, make the following replacements:
- PROJECT_ID: your Google Cloud project ID.
- LOCATION: the region of the Google channel to be protected. It must match the location of the key used, for example, us-central1. Note that you can add only one encryption key per region for a channel.
- KEY_NAME: the name of the key, for example, my-key.
- RING_NAME: the name of the key ring, for example, my-keyring.
Request JSON body:
{
  "cryptoKeyName": "projects/PROJECT_ID/locations/LOCATION/keyRings/RING_NAME/cryptoKeys/KEY_NAME"
}
If successful, the response body contains an updated instance of GoogleChannelConfig:
{
  "name": "projects/PROJECT_ID/locations/LOCATION/googleChannelConfig",
  "updateTime": "2025-03-05T17:56:54.106390447Z",
  "cryptoKeyName": "projects/PROJECT_ID/locations/LOCATION/keyRings/RING_NAME/cryptoKeys/KEY_NAME"
}
If you are creating Pub/Sub triggers using your own existing topics, for comprehensive CMEK protection, we recommend that you also configure the KMS key on the topic. For more information, see Configuring Pub/Sub topics.
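Because Cloud KMS and Eventarc are regional, the most common failure when attaching a key is a key whose location differs from the channel's. The following POSIX shell script is an added example, not code from the Eventarc documentation: it validates a fully qualified key name, checks that its location matches the channel's region, derives the Eventarc service agent email from a project number, and prints (rather than runs) the gcloud commands from the "Grant the Eventarc service account access to a key" and "Enable CMEK for Google event types" sections so they can be reviewed first. The project number, key, ring, and channel values are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Google's code): pre-flight checks before attaching a
# Cloud KMS key to an Eventarc channel. Nothing here calls gcloud; the
# commands are printed for review.

# Return 0 if KEY has the shape projects/P/locations/L/keyRings/R/cryptoKeys/K.
is_valid_key_name() {
  printf '%s\n' "$1" | grep -Eq '^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$'
}

# Print the location component (4th path segment) of a key resource name.
key_location() {
  printf '%s\n' "$1" | cut -d/ -f4
}

# Eventarc service agent email for a project number (format from the page).
service_agent_email() {
  printf 'service-%s@gcp-sa-eventarc.iam.gserviceaccount.com\n' "$1"
}

# Return 0 if KEY is well-formed and lives in CHANNEL_LOCATION; otherwise
# print a diagnostic to stderr and return 1.
check_key_matches_channel() {
  key="$1"; channel_location="$2"
  if ! is_valid_key_name "$key"; then
    echo "invalid key resource name: $key" >&2
    return 1
  fi
  if [ "$(key_location "$key")" != "$channel_location" ]; then
    echo "key location $(key_location "$key") != channel location $channel_location" >&2
    return 1
  fi
  return 0
}

# Print the command that grants the service agent Encrypter/Decrypter on KEY.
build_grant_command() {
  key="$1"; project_number="$2"
  is_valid_key_name "$key" || { echo "invalid key resource name: $key" >&2; return 1; }
  printf 'gcloud kms keys add-iam-policy-binding %s --keyring %s --location %s --member serviceAccount:%s --role roles/cloudkms.cryptoKeyEncrypterDecrypter\n' \
    "$(printf '%s\n' "$key" | cut -d/ -f8)" \
    "$(printf '%s\n' "$key" | cut -d/ -f6)" \
    "$(key_location "$key")" \
    "$(service_agent_email "$project_number")"
}

# Print the command that attaches KEY to a channel. An empty CHANNEL_NAME
# means the Google channel; otherwise a third-party channel is targeted.
build_update_command() {
  key="$1"; channel_location="$2"; channel_name="${3:-}"
  check_key_matches_channel "$key" "$channel_location" || return 1
  if [ -z "$channel_name" ]; then
    printf 'gcloud eventarc google-channels update --location=%s --crypto-key=%s\n' \
      "$channel_location" "$key"
  else
    printf 'gcloud eventarc channels update %s --location=%s --crypto-key=%s\n' \
      "$channel_name" "$channel_location" "$key"
  fi
}

# Constructed demo values (placeholders, not real resources).
DEMO_KEY="projects/my-kms-project/locations/us-central1/keyRings/my-keyring/cryptoKeys/my-key"
build_grant_command "$DEMO_KEY" 123456789
build_update_command "$DEMO_KEY" us-central1
build_update_command "$DEMO_KEY" us-central1 my-third-party-channel
# Mismatched region: prints a diagnostic and returns 1, which is the point.
build_update_command "$DEMO_KEY" europe-west1 || echo "refused, as intended"
```

The check runs before any API call, so a region mismatch is caught locally instead of surfacing as a failed update. Piping the printed command into `sh` is a deliberate extra step left to the operator.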
Verify Cloud KMS usage
To verify that the channel is now CMEK-compliant:
Console
- In the Google Cloud console, go to the Eventarc > Triggers page. 
- Click a trigger that lists a Google Cloud source as its Event provider and a Region that you have protected using CMEK. 
- On the Trigger details page, the Encryption status displays the message Events encrypted using Customer-managed encryption keys.
gcloud
To confirm the CMEK key, you can use the google-channels describe command:
gcloud eventarc google-channels describe \
  --location=LOCATION
The output should be similar to the following:
cryptoKeyName: projects/PROJECT_ID/locations/LOCATION/keyRings/RING_NAME/cryptoKeys/KEY_NAME
name: projects/PROJECT_ID/locations/LOCATION/googleChannelConfig
updateTime: '2022-06-28T17:24:56.365866104Z'
The cryptoKeyName value shows the Cloud KMS key used for the Google channel.
Terraform
To confirm the CMEK key, you can use the Terraform state show command.
terraform state show google_eventarc_google_channel_config.default
The output should be similar to the following:
# google_eventarc_google_channel_config.default:
resource "google_eventarc_google_channel_config" "default" {
    crypto_key_name = "projects/PROJECT_ID/locations/LOCATION/keyRings/RING_NAME/cryptoKeys/KEY_NAME"
    id              = "projects/PROJECT_ID/locations/LOCATION/googleChannelConfig"
    location        = "LOCATION"
    name            = "projects/PROJECT_ID/locations/LOCATION/googleChannelConfig"
    project         = "PROJECT_ID"
    update_time     = "2025-03-24T17:15:08.809635011Z"
}
REST
To confirm the CMEK key, you can retrieve the GoogleChannelConfig resource using the projects.locations.getGoogleChannelConfig method.
Before using any of the request data, make the following replacements:
- PROJECT_ID: your Google Cloud project ID.
- LOCATION: the region of the protected Google channel.
If successful, the response body contains an instance of GoogleChannelConfig:
{
  "name": "projects/PROJECT_ID/locations/LOCATION/googleChannelConfig",
  "updateTime": "2025-03-05T17:56:54.106390447Z",
  "cryptoKeyName": "projects/PROJECT_ID/locations/LOCATION/keyRings/RING_NAME/cryptoKeys/KEY_NAME"
}
Enable CMEK for a third-party channel
An Eventarc channel for third parties is a resource through which non-Google Cloud entities that offer an Eventarc source can interact with destinations. This channel is specific to a region and you can add only one key per third-party channel.
To enable CMEK for a third-party channel:
Console
- In the Google Cloud console, go to the Eventarc > Channels page. 
- Click a channel with a third-party Provider. 
- In the Channel details page, click Edit. 
- In the Edit channel page, for Encryption, select Cloud KMS key. 
- In the Key type list, select a method to manage your keys. You can manage your keys manually or you can use Autokey, which lets you generate key rings and keys on demand. If the Autokey option is disabled, it isn't yet integrated with the current resource type. 
- In the Select a Cloud KMS key list, select a key. Note that you can add only one encryption key per region for a channel. 
- Optional: To manually enter the resource name of the key, in the Select a Cloud KMS key list, click Enter key manually, and enter the key name in the specified format. 
- If prompted, grant the cloudkms.cryptoKeyEncrypterDecrypter role to the Eventarc Service Agent.
- Click Save. 
gcloud
gcloud eventarc channels update CHANNEL_NAME \
  --location=LOCATION \
  --crypto-key=KEY
Replace the following:
- CHANNEL_NAME: the name of the third-party channel. To create a new third-party channel, see Create a channel.
- LOCATION: the region of the third-party channel to be protected. It must match the location of the key.
- KEY: the fully qualified Cloud KMS key name in the format projects/PROJECT_ID/locations/LOCATION/keyRings/RING_NAME/cryptoKeys/KEY_NAME.
Terraform
Specify a CMEK key for a third-party channel by configuring the google_eventarc_channel resource. For example:
resource "google_eventarc_channel" "default" {
  location        = "us-central1"
  name            = "CHANNEL_NAME"
  crypto_key_name = google_kms_crypto_key.default.id
}
Replace CHANNEL_NAME with the name of the third-party channel.
REST
You can update a Channel resource using the projects.locations.channels.patch method and specify a CMEK key for a given project and location.
Before using any of the request data, make the following replacements:
- CHANNEL_NAME: the channel name.
- PROJECT_ID: your Google Cloud project ID.
- LOCATION: the region of the channel to be protected. It must match the location of the key used, for example, us-central1. Note that you can add only one encryption key per region for a channel.
- KEY_NAME: the name of the key, for example, my-key.
- RING_NAME: the name of the key ring, for example, my-keyring.
Request JSON body:
{
  "cryptoKeyName": "projects/PROJECT_ID/locations/LOCATION/keyRings/RING_NAME/cryptoKeys/KEY_NAME"
}
If successful, the response body contains a newly created instance of Operation:
{
  "name": "projects/PROJECT_ID/locations/LOCATION/operations/OPERATION_ID",
  "metadata": {
    "@type": "type.googleapis.com/google.cloud.eventarc.v1.OperationMetadata",
    "createTime": "2024-01-25T17:17:45.782370139Z",
    "target": "projects/PROJECT_ID/locations/LOCATION/channels/CHANNEL_NAME",
    "verb": "update",
    "requestedCancellation": false,
    "apiVersion": "v1"
  },
  "done": false
}
Verify Cloud KMS usage
To verify that the channel is now CMEK-compliant:
Console
- In the Google Cloud console, go to the Eventarc > Triggers page. 
- Click a trigger with a third-party source as its Event provider and a Region that you have protected using CMEK. 
- On the Trigger details page, the Encryption status displays the message Events encrypted using Customer-managed encryption keys.
gcloud
gcloud eventarc channels describe CHANNEL_NAME \
  --location=LOCATION
The output should be similar to the following:
createTime: '2022-06-28T18:05:52.403999904Z'
cryptoKeyName: projects/PROJECT_ID/locations/LOCATION/keyRings/RING_NAME/cryptoKeys/KEY_NAME
name: projects/PROJECT_ID/locations/LOCATION/googleChannelConfig
pubsubTopic: projects/PROJECT_ID/topics/PUBSUB_TOPIC_ID
state: ACTIVE
uid: 5ea277f9-b4b7-4e7f-a8e0-6ca9d7204fa3
updateTime: '2022-06-28T18:09:18.650727516Z'
The cryptoKeyName value shows the Cloud KMS key used for the third-party channel.
Terraform
To confirm the CMEK key, you can use the Terraform state show command.
terraform state show google_eventarc_channel.default
The output should be similar to the following:
# google_eventarc_channel.default:
resource "google_eventarc_channel" "default" {
    create_time     = "2025-03-31T13:07:44.721274062Z"
    crypto_key_name = "projects/PROJECT_ID/locations/LOCATION/keyRings/RING_NAME/cryptoKeys/KEY_NAME"
    id              = "projects/PROJECT_ID/locations/LOCATION/channels/CHANNEL_NAME"
    location        = "LOCATION"
    name            = "CHANNEL_NAME"
    project         = "PROJECT_ID"
    pubsub_topic    = "projects/PROJECT_ID/topics/PUBSUB_TOPIC_ID"
    state           = "ACTIVE"
    uid             = "406302e9-1d41-4479-8f4f-2524a803790e"
    update_time     = "2025-03-31T13:07:49.708241490Z"
}
REST
To confirm the CMEK key for a channel, you can retrieve a Channel resource using the projects.locations.channels.get method.
Before using any of the request data, make the following replacements:
- CHANNEL_NAME: the channel name.
- PROJECT_ID: your Google Cloud project ID.
- LOCATION: the region of the protected channel.
If successful, the response body contains an instance of Channel:
{
  "name": "projects/PROJECT_ID/locations/LOCATION/channels/CHANNEL_NAME",
  "uid": "12f941a6-196a-457b-bfdb-ca21138859d0",
  "createTime": "2025-01-29T15:05:12.113912689Z",
  "updateTime": "2025-01-29T15:05:17.210986285Z",
  "pubsubTopic": "projects/PROJECT_ID/topics/TOPIC_ID",
  "state": "ACTIVE",
  "cryptoKeyName": "projects/PROJECT_ID/locations/LOCATION/keyRings/RING_NAME/cryptoKeys/KEY_NAME"
}
Display the key used for a channel
You can describe an Eventarc channel and display the Cloud KMS key being used for the channel.
Console
- In the Google Cloud console, go to the Eventarc > Channels page. 
- Click a channel name. 
- Any CMEK encryption keys being used for the channel are displayed. 
gcloud
Based on the type of channel, run the following command:
Google channel
gcloud eventarc google-channels describe \
  --location=LOCATION
Third-party channel
gcloud eventarc channels describe CHANNEL_NAME \
  --location=LOCATION
The output should contain a line similar to the following:
cryptoKeyName: projects/PROJECT_ID/locations/LOCATION/keyRings/RING_NAME/cryptoKeys/KEY_NAME
The cryptoKeyName value shows the Cloud KMS key being used for the channel.
Terraform
Based on the type of channel, run the following command:
Google channel
terraform state show google_eventarc_google_channel_config.default
Third-party channel
terraform state show google_eventarc_channel.default
The output should contain a line similar to the following:
crypto_key_name = "projects/PROJECT_ID/locations/LOCATION/keyRings/RING_NAME/cryptoKeys/KEY_NAME"
The crypto_key_name value shows the Cloud KMS key being used for the channel.
REST
Based on the type of channel, make the following request:
Google channel
To confirm the CMEK key for a given project and location, you can retrieve the GoogleChannelConfig resource using the projects.locations.getGoogleChannelConfig method.
Before using any of the request data, make the following replacements:
- PROJECT_ID: your Google Cloud project ID.
- LOCATION: the region of the protected Google channel.
If successful, the response body contains an instance of GoogleChannelConfig:
{
  "name": "projects/PROJECT_ID/locations/LOCATION/googleChannelConfig",
  "updateTime": "2025-03-05T17:56:54.106390447Z",
  "cryptoKeyName": "projects/PROJECT_ID/locations/LOCATION/keyRings/RING_NAME/cryptoKeys/KEY_NAME"
}
Third-party channel
To confirm the CMEK key for a given project and location, you can retrieve a Channel resource using the projects.locations.channels.get method.
Before using any of the request data, make the following replacements:
- CHANNEL_NAME: the channel name.
- PROJECT_ID: your Google Cloud project ID.
- LOCATION: the region of the protected channel.
If successful, the response body contains an instance of Channel:
{
  "name": "projects/PROJECT_ID/locations/LOCATION/channels/CHANNEL_NAME",
  "uid": "12f941a6-196a-457b-bfdb-ca21138859d0",
  "createTime": "2025-01-29T15:05:12.113912689Z",
  "updateTime": "2025-01-29T15:05:17.210986285Z",
  "pubsubTopic": "projects/PROJECT_ID/topics/TOPIC_ID",
  "state": "ACTIVE",
  "cryptoKeyName": "projects/PROJECT_ID/locations/LOCATION/keyRings/RING_NAME/cryptoKeys/KEY_NAME"
}
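A practitioner auditing many channels wants the "Verify Cloud KMS usage" and "Display the key used for a channel" checks above to be scriptable rather than read by eye. The following POSIX shell script is an added example, not code from the Eventarc documentation: it reads the output of gcloud eventarc google-channels describe, gcloud eventarc channels describe, or terraform state show from stdin, extracts the configured key, and reports whether the channel is CMEK-protected and whether the key comes from an approved project (the same property the constraints/gcp.restrictCmekCryptoKeyProjects constraint described later on this page enforces). The sample outputs are constructed from the shapes shown on this page; the project and key names are placeholders.

```shell
#!/bin/sh
# Added example (not Google's code): CMEK compliance check over the text
# output of `gcloud eventarc ... describe` or `terraform state show`.

# Print the configured key resource name from stdin, or nothing if unset.
# Handles the gcloud YAML form (cryptoKeyName: ...) and the Terraform state
# form (crypto_key_name = "...").
extract_crypto_key() {
  sed -n \
    -e 's/^cryptoKeyName:[[:space:]]*//p' \
    -e 's/^[[:space:]]*crypto_key_name[[:space:]]*=[[:space:]]*"\(.*\)"/\1/p'
}

# Return 0 if stdin describes a channel with a CMEK key configured.
has_cmek() {
  [ -n "$(extract_crypto_key)" ]
}

# Return 0 if the project segment of KEY is in the space-separated ALLOWED list.
key_project_allowed() {
  key="$1"; allowed="$2"
  project=$(printf '%s\n' "$key" | cut -d/ -f2)
  for p in $allowed; do
    [ "$p" = "$project" ] && return 0
  done
  return 1
}

# Audit describe/state output on stdin against ALLOWED key projects.
# Prints one verdict line; returns 0 if compliant, 1 otherwise.
audit_channel() {
  allowed="$1"
  key=$(extract_crypto_key)
  if [ -z "$key" ]; then
    echo "NONCOMPLIANT: no cryptoKeyName; events use Google-managed keys"
    return 1
  fi
  if ! key_project_allowed "$key" "$allowed"; then
    echo "NONCOMPLIANT: key $key is outside allowed projects ($allowed)"
    return 1
  fi
  echo "COMPLIANT: $key"
}

# Constructed samples (placeholders, not captured from a real project).
sample_google_channel() {
  cat <<'EOF'
cryptoKeyName: projects/my-kms-project/locations/us-central1/keyRings/my-keyring/cryptoKeys/my-key
name: projects/my-project/locations/us-central1/googleChannelConfig
updateTime: '2025-01-01T00:00:00Z'
EOF
}

sample_unprotected_channel() {
  cat <<'EOF'
createTime: '2025-01-01T00:00:00Z'
name: projects/my-project/locations/us-central1/channels/my-channel
pubsubTopic: projects/my-project/topics/my-topic
state: ACTIVE
EOF
}

sample_terraform_state() {
  cat <<'EOF'
# google_eventarc_channel.default:
resource "google_eventarc_channel" "default" {
    crypto_key_name = "projects/team-keys-project/locations/us-central1/keyRings/kr/cryptoKeys/k"
    location        = "us-central1"
    name            = "my-channel"
}
EOF
}

sample_google_channel | audit_channel "my-kms-project team-keys-project"
sample_terraform_state | audit_channel "my-kms-project team-keys-project"
sample_unprotected_channel | audit_channel "my-kms-project" || true
sample_google_channel | audit_channel "team-keys-project" || true
```

In practice the samples are replaced by a real pipeline such as gcloud eventarc channels describe CHANNEL_NAME --location=LOCATION | audit_channel "KMS_PROJECT_ID", and a non-zero exit can gate a deployment.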
Disable CMEK
You can disable the CMEK protection associated with a channel. The events that are delivered through such channels are still protected by Google-owned and Google-managed encryption keys. To delete the CMEK protection associated with a channel:
Console
- In the Google Cloud console, go to the Eventarc > Channels page. 
- Based on the type of channel, complete the following steps:
  Google channel
  - Click a channel with a Google Provider.
  - On the Edit channel page, hold the pointer over the CMEK encryption key list to see the Delete item button.
  - Click Delete item.
  - Click Save. You might need to refresh the page to enable the Use a customer-managed encryption key (CMEK) checkbox.
  Third-party channel
  - Click a channel with a third-party Provider.
  - On the Channel details page, click Edit.
  - On the Edit channel page, for Encryption, select Google-managed encryption key.
  - Click Save.
gcloud
Based on the type of channel, run the following command:
Google channel
gcloud eventarc google-channels update \
  --clear-crypto-key
Third-party channel
gcloud eventarc channels update CHANNEL_NAME \
  --clear-crypto-key
Terraform
Based on the type of channel, clear the crypto_key_name value by not specifying it when configuring the Terraform resource:
Google channel
resource "google_eventarc_google_channel_config" "default" {
  location = "us-central1"
  name     = "googleChannelConfig"
}
Third-party channel
resource "google_eventarc_channel" "default" {
  location = "us-central1"
  name     = "CHANNEL_NAME"
}
REST
Based on the type of channel, make the following request:
Google channel
To delete the CMEK key, you can update the GoogleChannelConfig resource for a given project and location using the projects.locations.updateGoogleChannelConfig method.
Before using any of the request data, make the following replacements:
- PROJECT_ID: your Google Cloud project ID.
- LOCATION: the region of the protected Google channel.
Request JSON body:
{
  "cryptoKeyName": ""
}
If successful, the response body contains an updated instance of GoogleChannelConfig:
{
  "name": "projects/PROJECT_ID/locations/LOCATION/googleChannelConfig",
  "updateTime": "2025-03-05T17:56:54.106390447Z"
}
Third-party channel
To delete the CMEK key, you can update a Channel resource for a given project and location using the projects.locations.channels.patch method.
Before using any of the request data, make the following replacements:
- CHANNEL_NAME: the channel name.
- PROJECT_ID: your Google Cloud project ID.
- LOCATION: the region of the protected channel.
Request JSON body:
{
  "cryptoKeyName": ""
}
If successful, the response body contains a newly created instance of Operation:
{
  "name": "projects/PROJECT_ID/locations/LOCATION/operations/OPERATION_ID",
  "metadata": {
    "@type": "type.googleapis.com/google.cloud.eventarc.v1.OperationMetadata",
    "createTime": "2024-01-25T17:17:45.782370139Z",
    "target": "projects/PROJECT_ID/locations/LOCATION/channels/CHANNEL_NAME",
    "verb": "update",
    "requestedCancellation": false,
    "apiVersion": "v1"
  },
  "done": false
}
Apply a CMEK organization policy
Eventarc is integrated with two organization policy constraints to help ensure CMEK usage across an organization:
- constraints/gcp.restrictNonCmekServices is used to require CMEK protection.
- constraints/gcp.restrictCmekCryptoKeyProjects is used to limit which Cloud KMS keys are used for CMEK protection.
This integration lets you specify the following encryption compliance requirements for Eventarc resources in your organization:
Considerations when applying organization policies
Before applying any CMEK organization policies, you should be aware of the following.
- Prepare for a propagation delay: After you set or update an organization policy, it can take up to 15 minutes for the new policy to take effect.
- Consider existing resources: Existing resources are not subject to newly created organization policies. For example, an organization policy does not retroactively apply to existing pipelines. Those resources are still accessible without a CMEK and, if applicable, are still encrypted with existing keys.
- Verify required permissions to set an organization policy: The permission to set or update the organization policy might be difficult to acquire for testing purposes. You must be granted the Organization Policy Administrator role, which can only be granted at the organization level (rather than the project or folder level). Although the role must be granted at the organization level, it is still possible to specify a policy that only applies to a specific project or folder.
Require CMEKs for new Eventarc resources
You can use the constraints/gcp.restrictNonCmekServices constraint to require that CMEKs be used to protect new Eventarc resources in an organization.
If set, this organization policy causes all resource creation requests without a specified Cloud KMS key to fail.
After you set this policy, it applies only to new resources in the project. Any existing resources without Cloud KMS keys applied continue to exist and are accessible without issue.
Console
- In the Google Cloud console, go to the Organization policies page. 
- Using the Filter, search for the following constraint: constraints/gcp.restrictNonCmekServices
- In the Name column, click Restrict which services may create resources without CMEK. 
- Click Manage Policy. 
- On the Edit policy page, under Policy source, select Override parent's policy. 
- Under Rules, click Add a rule. 
- In the Policy values list, select Custom. 
- In the Policy type list, select Deny. 
- In the Custom values field, enter the following: is:eventarc.googleapis.com
- Click Done, and then click Set policy. 
gcloud
- Create a temporary file /tmp/policy.yaml to store the policy:
  name: projects/PROJECT_ID/policies/gcp.restrictNonCmekServices
  spec:
    rules:
    - values:
        deniedValues:
        - is:eventarc.googleapis.com
  Replace PROJECT_ID with the ID of the project where you are applying this constraint.
- Run the org-policies set-policy command:
  gcloud org-policies set-policy /tmp/policy.yaml
To verify that the policy is successfully applied, you can try to create an Eventarc Standard channel in the project. The process fails unless you specify a Cloud KMS key.
Restrict Cloud KMS keys for an Eventarc project
You can use the constraints/gcp.restrictCmekCryptoKeyProjects constraint to restrict the Cloud KMS keys that you can use to protect a resource in an Eventarc project.
For example, you can specify a rule similar to the following: "For applicable Eventarc resources in projects/my-company-data-project, Cloud KMS keys used in this project must come from projects/my-company-central-keys OR projects/team-specific-keys."
Console
- In the Google Cloud console, go to the Organization policies page. 
- Using the Filter, search for the following constraint: constraints/gcp.restrictCmekCryptoKeyProjects
- In the Name column, click Restrict which projects may supply KMS CryptoKeys for CMEK. 
- Click Manage Policy. 
- On the Edit policy page, under Policy source, select Override parent's policy. 
- Under Rules, click Add a rule. 
- In the Policy values list, select Custom. 
- In the Policy type list, select Allow. 
- In the Custom values field, enter the following: under:projects/KMS_PROJECT_ID. Replace KMS_PROJECT_ID with the ID of the project where the Cloud KMS keys you want to use are located. For example, under:projects/my-kms-project.
- Click Done, and then click Set policy. 
gcloud
- Create a temporary file /tmp/policy.yaml to store the policy:
  name: projects/PROJECT_ID/policies/gcp.restrictCmekCryptoKeyProjects
  spec:
    rules:
    - values:
        allowedValues:
        - under:projects/KMS_PROJECT_ID
  Replace the following:
  - PROJECT_ID: the ID of the project where you are applying this constraint.
  - KMS_PROJECT_ID: the ID of the project where the Cloud KMS keys you want to use are located.
- Run the org-policies set-policy command:
  gcloud org-policies set-policy /tmp/policy.yaml
To verify that the policy is successfully applied, you can try to create an Eventarc Standard channel using a Cloud KMS key from a different project. The process will fail.
Disabling and enabling Cloud KMS keys
A key version stores the cryptographic key material that you use to encrypt, decrypt, sign, and verify data. You can disable this key version so that data that was encrypted with the key can't be accessed.
When Eventarc cannot access Cloud KMS keys, event publishing with channels fails with FAILED_PRECONDITION errors and event delivery stops. You can enable a key in the Disabled state so that the encrypted data can be accessed again.
Disable Cloud KMS keys
To prevent Eventarc from using the key to encrypt or decrypt your event data, do any of the following:
- We recommend disabling the key version you have configured for the channel. This affects only the Eventarc channels and triggers that are associated with the specific key.
- Optional: Revoke the cloudkms.cryptoKeyEncrypterDecrypter role from the Eventarc service account. This affects all the project's Eventarc channels and triggers that support events encrypted using CMEK.
Although neither operation guarantees instantaneous access revocation, Identity and Access Management (IAM) changes generally propagate faster. For more information, see Cloud KMS resource consistency and Access change propagation.
Re-enable Cloud KMS keys
To resume event delivery and publishing, restore access to Cloud KMS.
Pricing
This integration does not incur additional costs beyond the key operations, which are billed to your Google Cloud project. The use of CMEK for a channel incurs charges for access to the Cloud KMS service based on Pub/Sub pricing.
For the most current pricing information, see Cloud KMS Pricing.