This page provides instructions on how to verify key access after you create a customer-managed encryption key (CMEK) policy.
Key access verification use cases
At any time, you can rerun key access verification to identify issues with the key:
Key disablement: if a key gets disabled, data access to volumes stops.
Key destruction: if a key is destroyed, access to the data is unrestorable. You can delete the affected volumes to free up capacity. For more information, see Delete a volume.
Missing permissions: if permissions are removed, the instructions to grant them appear. See Grant the service permission to read a key.
Grant the service permission to read a key
To use a CMEK key, you must grant the service permission to read the
specified key first. NetApp Volumes provides the correct
Google Cloud CLI commands. To grant the required Cloud KMS key
permissions to the service, you need to create a project-wide custom role with
the appropriate permissions, and then a key role binding that binds the custom
role to the appropriate service account. You need the Role Administrator
(roles/iam.RoleAdmin) permissions on the project within your Google Account to
create the custom role and the Cloud KMS Admin (roles/cloudkms.admin)
permissions to grant NetApp Volumes access to the key.
Use the following instructions to grant the service permission to read a key using the Google Cloud console or Google Cloud CLI.
Console
Go to the NetApp Volumes page in the Google Cloud console.
Select CMEK policies.
Find the CMEK policy you want to edit and click the Show more menu.
Select Verify key access.
If you haven't configured key access yet, the verification fails and the UI shows instructions on how to grant key access. After you run the required Google Cloud CLI commands, click Retry to run key verification again.
If verification is successful, a dialog appears that indicates successful verification. If verification is unsuccessful, click Retry to rerun the key check.
gcloud
Run the following kms-configs verify command:
gcloud netapp kms-configs verify CONFIG_NAME \
    --project=PROJECT_ID \
    --location=LOCATION
Replace the following information:
CONFIG_NAME: the name of the config.
PROJECT_ID: the unique project ID you want to grant access for.
LOCATION: the region of the config.
If key verification is successful, the command outputs the following message:
healthy: true
If key verification fails, you have to grant the service access permissions to the key.
Run the following command to print the Google Cloud CLI commands that grant the
service key access. You need the Cloud KMS Admin (roles/cloudkms.admin) role to
run the following command.
gcloud netapp kms-configs describe CONFIG_NAME \
    --project=PROJECT_ID \
    --location=LOCATION \
    --format="value(instructions)"
For more information about additional optional flags, see Google Cloud SDK documentation for Cloud Key Management Service.
For more information, see Cloud Key Management Service user documentation.
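The following script is an added example and not part of the Google Cloud documentation. It wraps the two commands above: it runs kms-configs verify, checks the output for the `healthy: true` line, and only on failure runs kms-configs describe with --format="value(instructions)" to print the grant commands. The `run` parameter is an assumption of this example so the flow can be exercised without gcloud installed.

```python
"""Verify NetApp Volumes CMEK key access and surface grant instructions on failure.

Added example, not part of the Google Cloud documentation. Wraps:
  gcloud netapp kms-configs verify CONFIG --project=... --location=...
  gcloud netapp kms-configs describe CONFIG ... --format="value(instructions)"
The `run` parameter (assumption of this example) lets a caller substitute
a fake command runner; the default shells out to gcloud.
"""
import re
import subprocess
import sys
from typing import Callable, Dict, Sequence

# The documented success output is a single line: `healthy: true`.
HEALTHY_RE = re.compile(r"^healthy:\s*true\s*$", re.MULTILINE)


def parse_healthy(output: str) -> bool:
    """True only when verify output contains a `healthy: true` line."""
    return HEALTHY_RE.search(output) is not None


def gcloud_run(args: Sequence[str]) -> str:
    """Invoke gcloud with the given arguments and return stdout+stderr as text."""
    proc = subprocess.run(["gcloud", *args], capture_output=True, text=True, check=False)
    return proc.stdout + proc.stderr


def verify_key_access(config: str, project: str, location: str,
                      run: Callable[[Sequence[str]], str] = gcloud_run) -> Dict[str, object]:
    """Run verification; on failure fetch the grant instructions.

    Returns {"healthy": bool, "instructions": str}; `instructions` is empty
    when the key is healthy. The describe call needs roles/cloudkms.admin.
    """
    base = [f"--project={project}", f"--location={location}"]
    out = run(["netapp", "kms-configs", "verify", config, *base])
    if parse_healthy(out):
        return {"healthy": True, "instructions": ""}
    instructions = run(["netapp", "kms-configs", "describe", config, *base,
                        "--format=value(instructions)"])
    return {"healthy": False, "instructions": instructions.strip()}


if __name__ == "__main__":
    # Usage: python verify_cmek.py CONFIG_NAME PROJECT_ID LOCATION
    cfg, proj, loc = sys.argv[1:4]
    result = verify_key_access(cfg, proj, loc)
    print("healthy: true" if result["healthy"] else result["instructions"])
    sys.exit(0 if result["healthy"] else 1)
```

Run it periodically (for example from a scheduled job) to catch the disablement, destruction and missing-permission cases listed at the top of the page; a non-zero exit carries the grant commands on stdout so they can be reviewed before anyone runs them.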
Configure VPC Service Controls ingress rule for CMEK
If you use VPC Service Controls, you must update your ingress rules to allow traffic for the relevant project, region, and service account.
Use the following template to configure the necessary permissions.
{
  "ingressFrom": {
    "identities": [
      "serviceAccount:n-cmek-usea4-1234567890@netapp-cmek-prod.iam.gserviceaccount.com"
    ],
    "sources": [
      {
        "resource": "projects/112233445566"
      }
    ]
  },
  "ingressTo": {
    "operations": [
      {
        "methodSelectors": [
          {
            "method": "*"
          }
        ],
        "serviceName": "cloudkms.googleapis.com"
      }
    ],
    "resources": [
      "projects/1234567890"
    ]
  },
  "title": "CMEK for NetApp Volumes"
}
Update the following fields in the template:
ingressFrom.identities: enter a comma-separated list of the service accounts used by NetApp Volumes. The service uses a unique service account for each project and location in the following format:
serviceAccount:n-cmek-location-short-name-your-project-number@netapp-cmek-prod.iam.gserviceaccount.com
where location-short-name is the short form of the region, for example, usea4 for us-east4, and your-project-number is the project number. You can query this service account name using the following command:
gcloud netapp kms-configs describe NAME --location LOCATION --format="value(serviceAccount)"
Replace the following information:
NAME: the name of the CMEK policy.
LOCATION: the region of the CMEK policy.
The example in the template shows the service account name for Google project 1234567890 in the us-east4 region.
ingressTo.resources: enter the project number of the project that contains the volumes. The example in the template uses projects/1234567890.
ingressFrom.sources: enter a comma-separated list of the backend projects used by the service. You must add one entry for each Google region where you need to host CMEK volumes. To get the backend project number for your region, contact Google Cloud Customer Care. In the template, projects/112233445566 is a placeholder that you must replace with the backend project number for your region.
You can't specify individual methods for the cloudkms.googleapis.com service;
you must use * to allow all methods.
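The following helper is an added example and not part of the Google Cloud documentation. It builds the ingress rule from the template above (identities in the documented n-cmek-<location-short-name>-<project-number> form, one backend project per region under ingressFrom.sources, cloudkms.googleapis.com with method "*" under ingressTo) and then checks a rule for the mistakes the page warns about: a specific method instead of "*", a wrong service name, a missing backend source, or an identity whose project number does not match the project that holds the volumes. The sample values are the template's own placeholders; the backend project number must still come from Customer Care.

```python
"""Build and sanity-check a VPC Service Controls ingress rule for NetApp Volumes CMEK.

Added example, not part of the Google Cloud documentation. Sample numbers are
the placeholders from the documentation template; the backend project number
is a placeholder you must replace with the value from Customer Care.
"""
import json
import re
from typing import Dict, List

# Documented identity format: serviceAccount:n-cmek-<location-short-name>-<project-number>@...
CMEK_SA_RE = re.compile(
    r"^serviceAccount:n-cmek-[a-z0-9]+-(\d+)@netapp-cmek-prod\.iam\.gserviceaccount\.com$"
)
PROJECT_RE = re.compile(r"^projects/\d+$")


def cmek_service_account(location_short_name: str, project_number: str) -> str:
    """Identity in the documented format. Prefer the value returned by
    `gcloud netapp kms-configs describe ... --format="value(serviceAccount)"`."""
    return (f"serviceAccount:n-cmek-{location_short_name}-{project_number}"
            f"@netapp-cmek-prod.iam.gserviceaccount.com")


def build_ingress_rule(volume_project_number: str, service_accounts: List[str],
                       backend_project_numbers: List[str],
                       title: str = "CMEK for NetApp Volumes") -> Dict:
    """Produce the rule in the same shape as the documentation template."""
    return {
        "ingressFrom": {
            "identities": list(service_accounts),
            # One backend project entry per region hosting CMEK volumes.
            "sources": [{"resource": f"projects/{n}"} for n in backend_project_numbers],
        },
        "ingressTo": {
            "operations": [{
                # Individual Cloud KMS methods cannot be selected; "*" is required.
                "methodSelectors": [{"method": "*"}],
                "serviceName": "cloudkms.googleapis.com",
            }],
            "resources": [f"projects/{volume_project_number}"],
        },
        "title": title,
    }


def check_ingress_rule(rule: Dict) -> List[str]:
    """Return a list of problems; an empty list means the rule matches the documented constraints."""
    problems: List[str] = []
    ids = rule.get("ingressFrom", {}).get("identities", [])
    if not ids:
        problems.append("ingressFrom.identities is empty")
    for ident in ids:
        if not CMEK_SA_RE.match(ident):
            problems.append(f"identity is not a NetApp Volumes CMEK service account: {ident}")
    sources = rule.get("ingressFrom", {}).get("sources", [])
    if not sources:
        problems.append("ingressFrom.sources is empty; add one backend project per region")
    for src in sources:
        if not PROJECT_RE.match(src.get("resource", "")):
            problems.append(f"source is not in projects/NUMBER form: {src}")
    for op in rule.get("ingressTo", {}).get("operations", []):
        if op.get("serviceName") != "cloudkms.googleapis.com":
            problems.append(f"unexpected serviceName {op.get('serviceName')!r}")
        methods = [m.get("method") for m in op.get("methodSelectors", [])]
        if methods != ["*"]:
            problems.append(f'cloudkms.googleapis.com requires method "*"; got {methods!r}')
    targets = rule.get("ingressTo", {}).get("resources", [])
    for target in targets:
        if not PROJECT_RE.match(target):
            problems.append(f"ingressTo.resources entry is not in projects/NUMBER form: {target}")
    # In the template the identity's project number is the volume project's number.
    target_numbers = {t.split("/")[1] for t in targets if PROJECT_RE.match(t)}
    for ident in ids:
        m = CMEK_SA_RE.match(ident)
        if m and m.group(1) not in target_numbers:
            problems.append(f"identity project {m.group(1)} is not in ingressTo.resources")
    return problems


if __name__ == "__main__":
    # Template placeholders; "112233445566" stands in for the Customer Care-supplied backend number.
    sa = cmek_service_account("usea4", "1234567890")
    rule = build_ingress_rule("1234567890", [sa], ["112233445566"])
    print(json.dumps(rule, indent=2))
    print("problems:", check_ingress_rule(rule))
```

Run check_ingress_rule against a rule exported from your existing perimeter before applying it; the method "*" and serviceName checks catch the two edits most likely to silently break Cloud KMS access for the volumes.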