This page provides supplemental information about organization policy constraints that let you enforce limitations for Cloud Key Management Service. You can use these constraints to limit resource locations or allowed protection levels for Cloud KMS keys across an entire project or organization.
You can also use CMEK organization policies to enforce the use of CMEK in your organization and use organization policies to control key destruction.
Cloud KMS constraints
The following constraints can be applied to an organization policy and relate to Cloud Key Management Service.
Enforce resource locations
API Name: constraints/gcp.resourceLocations
When you apply the resourceLocations constraint, you specify one or more locations. Once set, creation of new resources (for example, key rings, keys, and key versions) is limited to the specified locations.
Keys in other locations, created or imported before the constraint was applied, will remain usable. However, key rotation (automated creation of a new primary key version) will fail if the result would be a new key version in a disallowed location.
Allowed protection levels
API Name: constraints/cloudkms.allowedProtectionLevels
When you apply the allowedProtectionLevels constraint, you specify one or more protection levels. Once set, new keys, key versions, and import jobs must use one of the specified protection levels.
Keys with other protection levels, created before the constraint was applied, will remain usable. However, key rotation (automated creation of a new primary key version) will fail if the result would be a new key version with a disallowed protection level.
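Both constraints share the same failure mode: existing keys keep working, but a scheduled rotation that would create a new key version in a disallowed location or at a disallowed protection level is rejected. The following preflight script, an added example that is not Google's code, runs that check over a key inventory before the policy is applied. The inventory and the expansion of resourceLocations value groups into concrete locations are constructed for the example (the real value groups cover many more locations); in practice the inventory would be built from the output of gcloud kms keys list.

```python
# Preflight for the two Cloud KMS constraints described above: given an
# inventory of existing keys and the values the org policy will allow, report
# which keys stay usable but whose scheduled rotation would start failing.
# Added example, not Google's code; the inventory below is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class KmsKey:
    name: str                 # projects/.../locations/LOC/keyRings/RING/cryptoKeys/KEY
    protection_level: str     # SOFTWARE, HSM, EXTERNAL or EXTERNAL_VPC
    rotation_scheduled: bool  # True if a rotation period / next rotation time is set


# Assumed expansion of resourceLocations value groups into Cloud KMS locations.
# This mapping is a constructed stand-in for the example only.
LOCATION_GROUPS = {
    "in:us-locations": {"us", "us-east1", "us-west1", "us-central1"},
    "in:europe-locations": {"europe", "europe-west1", "europe-west4"},
}


def expand_locations(policy_values):
    """Turn resourceLocations constraint values into the set of locations they allow."""
    allowed = set()
    for value in policy_values:
        if value not in LOCATION_GROUPS:
            raise ValueError(f"unknown resourceLocations value: {value}")
        allowed |= LOCATION_GROUPS[value]
    return allowed


def key_location(key_name):
    """Extract the location segment from a fully qualified key resource name."""
    parts = key_name.split("/")
    return parts[parts.index("locations") + 1]


def rotation_violations(keys, location_values, allowed_levels):
    """Return (key name, reason) pairs for keys whose next rotation would be rejected.

    Every key remains usable either way; only creation of new versions is blocked,
    and only keys with rotation scheduled will actually hit that block.
    """
    allowed_locations = expand_locations(location_values)
    findings = []
    for key in keys:
        loc = key_location(key.name)
        reasons = []
        if loc not in allowed_locations:
            reasons.append(f"location {loc} not in {sorted(location_values)}")
        if key.protection_level not in allowed_levels:
            reasons.append(
                f"protection level {key.protection_level} not in {sorted(allowed_levels)}"
            )
        if reasons and key.rotation_scheduled:
            findings.append((key.name, "; ".join(reasons)))
    return findings


# Constructed inventory; a real one would come from `gcloud kms keys list`.
INVENTORY = [
    KmsKey("projects/demo/locations/us-east1/keyRings/app/cryptoKeys/db", "HSM", True),
    KmsKey("projects/demo/locations/asia-east1/keyRings/app/cryptoKeys/legacy", "SOFTWARE", True),
    KmsKey("projects/demo/locations/us/keyRings/app/cryptoKeys/backup", "SOFTWARE", True),
    KmsKey("projects/demo/locations/europe-west4/keyRings/app/cryptoKeys/archive", "SOFTWARE", False),
]


def demo():
    """Evaluate the inventory against a US-only, HSM-only policy."""
    return rotation_violations(INVENTORY, {"in:us-locations"}, {"HSM"})


if __name__ == "__main__":
    for name, why in demo():
        print(f"{name}: rotation will fail ({why})")
```

With the policy values shown, the `legacy` key is flagged on both counts and `backup` on protection level only; `archive` is outside the allowed location but has no rotation scheduled, so it is reported as nothing more than a key that keeps working in place, which is exactly the behaviour the two sections above describe.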
What's next
- Learn about CMEK organization policies and using organization policies to control key destruction.
- Learn about the resource hierarchy that applies to organization policies.
- See Creating and managing organization policies for instructions on working with constraints and organization policies in the Google Cloud console.
- See Using constraints for instructions on working with constraints and organization policies in the gcloud CLI.
- See the Resource Manager API reference documentation for relevant API methods, such as projects.setOrgPolicy.