Enable customer-managed encryption keys for Parameter Manager

By default, Parameter Manager encrypts user data at rest. Parameter Manager handles encryption for you without any additional actions. This option is Google default encryption.

You can enforce granular control over your encryption keys by using Customer-Managed Encryption Keys (CMEKs) within Cloud Key Management Service. Services like Parameter Manager integrate seamlessly with CMEKs, letting you manage protection levels, locations, usage, access permissions, and cryptographic boundaries of your keys directly in Cloud KMS. Using Cloud KMS also lets you view audit logs, and control key life cycles. Instead of Google owning and managing the symmetric key encryption keys that protect your data, you control and manage these keys in Cloud KMS.

Accessing your Parameter Manager resources with CMEKs is similar to using Google default encryption. For more information about your encryption options, see Customer-managed encryption keys (CMEKs).

You can configure a CMEK on the parameter resource. This key is used to protect the parameter version payload. Parameter version payload data is encrypted using envelope encryption upon creation.

How CMEK works in Parameter Manager

Before writing a parameter version to persistent storage in a specific location, Parameter Manager encrypts the data with a unique data encryption key (DEK). This DEK is then encrypted with a replica-specific key encryption key (KEK) owned by the Parameter Manager service.

When you use CMEK for Parameter Manager, the KEK is a symmetric key that you manage in Cloud KMS. The CMEK key must be in the same Google Cloud location as the parameter version replica. You can also use an Cloud EKM key as a CMEK for encryption and decryption.

The expected format for a CMEK is projects/*/locations/*/keyRings/*/cryptoKeys/*.

For more information about CMEK, including when and why to enable it, see the Cloud Key Management Service documentation.

Before you begin

Complete the following prerequisites to set up Parameter Manager and Cloud KMS:

Parameter Manager
- Create or use an existing project to hold your Parameter Manager resources.
- If necessary, complete the steps on the Prepare environment for Parameter Manager page.
Cloud KMS
- Create or use an existing project that holds your Cloud KMS resources.
- If necessary, enable the Cloud KMS API.

Set the following variables to your Parameter Manager and Cloud KMS project IDs.

PM_PROJECT_ID: the Parameter Manager project ID. Used in all commands on this page.
KMS_PROJECT_ID: the Cloud KMS project ID. Used in all commands on this page.

You can store the key ring within the same project as your resources, or in a different project. Using different projects provides more fine-grained control and supports the separation of duties.

Configure CMEK on a parameter

To set up a CMEK to protect a specific parameter, follow these steps:

Create a new symmetric Cloud KMS key or use an existing one. This example demonstrates creating a new key ring and key.
gcloud
```
gcloud kms keyrings create "KEY_RING" \
    --project "KMS_PROJECT_ID" \
    --location "LOCATION"
```
```
gcloud kms keys create "KEY_NAME" \
    --project "KMS_PROJECT_ID" \
    --location "LOCATION" \
    --keyring "parameter-manager-cmek" \
    --purpose "encryption"
```
Replace the following variables:
- KEY_RING: the name of the key ring that contains the key.
- KMS_PROJECT_ID: the Cloud KMS project ID.
- LOCATION: the Cloud KMS location of the key ring. Choose the same location as the parameter resource. Otherwise, the parameter version creation request is rejected.
- KEY_NAME: the name of the key.

Create a parameter. The resource name of the CMEK is stored as metadata on the parameter.

Global parameters

gcloud

Before using any of the command data below, make the following replacements:

PARAMETER_ID: the name of the parameter
PM_PROJECT_ID: the Parameter Manager project ID

Execute the following command:

Linux, macOS, or Cloud Shell

     gcloud parametermanager parameters create "PARAMETER_ID" \
         --kms-key "projects/KMS_PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME" \
         --project "PM_PROJECT_ID"

Windows (PowerShell)

     gcloud parametermanager parameters create "PARAMETER_ID" `
         --kms-key "projects/KMS_PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME" `
         --project "PM_PROJECT_ID"

Windows (cmd.exe)

     gcloud parametermanager parameters create "PARAMETER_ID" ^
         --kms-key "projects/KMS_PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME" ^
         --project "PM_PROJECT_ID"

REST

Before using any of the request data, make the following replacements:

PARAMETER_ID: the name of the parameter
PM_PROJECT_ID: the Parameter Manager project ID

HTTP method and URL:

POST https://parametermanager.googleapis.com/v1/projects/PM_PROJECT_ID/parameters?parameter_id=PARAMETER_ID

To send your request, choose one of these options:

curl

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.

Execute the following command:

curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d "" \
     "https://parametermanager.googleapis.com/v1/projects/PM_PROJECT_ID/parameters?parameter_id=PARAMETER_ID"

PowerShell

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -Uri "https://parametermanager.googleapis.com/v1/projects/PM_PROJECT_ID/parameters?parameter_id=PARAMETER_ID" | Select-Object -Expand Content

You should receive a successful status code (2xx) and an empty response.

Go

To run this code, first set up a Go development environment and install the Parameter Manager Go SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

import (
	"context"
	"fmt"
	"io"

	parametermanager "cloud.google.com/go/parametermanager/apiv1"
	parametermanagerpb "cloud.google.com/go/parametermanager/apiv1/parametermanagerpb"
)

// createParamWithKmsKey creates a parameter with kms_key using the Parameter Manager SDK for GCP.
//
// w: The io.Writer object used to write the output.
// projectID: The ID of the project where the parameter is located.
// parameterID: The ID of the parameter to be created.
// kmsKey: The ID of the KMS key to be used for encryption.
// (e.g. "projects/my-project/locations/global/keyRings/my-key-ring/cryptoKeys/my-encryption-key")
// (For more information, see: https://cloud.google.com/secret-manager/parameter-manager/docs/cmek)
//
// The function returns an error if the parameter creation fails.
func createParamWithKmsKey(w io.Writer, projectID, parameterID, kmsKey string) error {
	// Create a context and a Parameter Manager client.
	ctx := context.Background()

	// Create a Parameter Manager client.
	client, err := parametermanager.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("failed to create Parameter Manager client: %w", err)
	}
	defer client.Close()

	// Construct the name of the create parameter.
	parent := fmt.Sprintf("projects/%s/locations/global", projectID)

	// Create a parameter with unformatted format.
	req := &parametermanagerpb.CreateParameterRequest{
		Parent:      parent,
		ParameterId: parameterID,
		Parameter: &parametermanagerpb.Parameter{
			Format: parametermanagerpb.ParameterFormat_UNFORMATTED,
			KmsKey: &kmsKey,
		},
	}
	parameter, err := client.CreateParameter(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to create parameter: %w", err)
	}

	fmt.Fprintf(w, "Created parameter %s with kms_key %s\n", parameter.Name, *parameter.KmsKey)
	return nil
}

Java

To run this code, first set up a Java development environment and install the Parameter Manager Java SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.


import com.google.cloud.parametermanager.v1.LocationName;
import com.google.cloud.parametermanager.v1.Parameter;
import com.google.cloud.parametermanager.v1.ParameterManagerClient;
import java.io.IOException;

/**
 * Example class to create a new parameter with provided KMS key
 * using the Parameter Manager SDK for GCP.
 */
public class CreateParamWithKmsKey {

  public static void main(String[] args) throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String parameterId = "your-parameter-id";
    String kmsKeyName = "your-kms-key";

    // Call the method to create a parameter with the specified kms key.
    createParameterWithKmsKey(projectId, parameterId, kmsKeyName);
  }

  // This is an example snippet for creating a new parameter with a specific format.
  public static Parameter createParameterWithKmsKey(
      String projectId, String parameterId, String kmsKeyName) throws IOException {
    // Initialize the client that will be used to send requests.
    try (ParameterManagerClient client = ParameterManagerClient.create()) {
      String locationId = "global";

      // Build the parent name from the project.
      LocationName location = LocationName.of(projectId, locationId);

      // Build the parameter to create with the provided format.
      Parameter parameter = Parameter.newBuilder().setKmsKey(kmsKeyName).build();

      // Create the parameter.
      Parameter createdParameter =
          client.createParameter(location.toString(), parameter, parameterId);
      System.out.printf(
          "Created parameter %s with kms key %s\n",
          createdParameter.getName(), createdParameter.getKmsKey());

      return createdParameter;
    }
  }
}

Node.js

To run this code, first set up a Node.js development environment and install the Parameter Manager Node.js SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

/**
 * TODO(developer): Uncomment these variables before running the sample.
 */
// const projectId = 'YOUR_PROJECT_ID';
// const parameterId = 'YOUR_PARAMETER_ID';
// const kmsKey = 'YOUR_KMS_KEY'

// Imports the Parameter Manager library
const {ParameterManagerClient} = require('@google-cloud/parametermanager');

// Instantiates a client
const client = new ParameterManagerClient();

async function createParamWithKmsKey() {
  const parent = client.locationPath(projectId, 'global');
  const request = {
    parent: parent,
    parameterId: parameterId,
    parameter: {
      kmsKey: kmsKey,
    },
  };

  const [parameter] = await client.createParameter(request);
  console.log(
    `Created parameter ${parameter.name} with kms_key ${parameter.kmsKey}`
  );
  return parameter;
}

return await createParamWithKmsKey();

PHP

To run this code, first learn about using PHP on Google Cloud and install the Parameter Manager PHP SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

// Import necessary classes for creating a parameter.
use Google\Cloud\ParameterManager\V1\Client\ParameterManagerClient;
use Google\Cloud\ParameterManager\V1\CreateParameterRequest;
use Google\Cloud\ParameterManager\V1\Parameter;

/**
 * Creates a parameter of type "unformatted" with provided KMS key using the Parameter Manager SDK for GCP.
 *
 * @param string $projectId The Google Cloud Project ID (e.g. 'my-project')
 * @param string $parameterId The Parameter ID (e.g. 'my-param')
 * @param string $kmsKey The KMS key used to encrypt the parameter (e.g. 'projects/my-project/locations/global/keyRings/test/cryptoKeys/test-key')
 */
function create_param_with_kms_key(string $projectId, string $parameterId, string $kmsKey): void
{
    // Create a client for the Parameter Manager service.
    $client = new ParameterManagerClient();

    // Build the resource name of the parent object.
    $parent = $client->locationName($projectId, 'global');

    // Create a new Parameter object.
    $parameter = (new Parameter())
    ->setKmsKey($kmsKey);

    // Prepare the request with the parent, parameter ID, and the parameter object.
    $request = (new CreateParameterRequest())
        ->setParent($parent)
        ->setParameterId($parameterId)
        ->setParameter($parameter);

    // Crete the parameter.
    $newParameter = $client->createParameter($request);

    // Print the new parameter name
    printf('Created parameter %s with kms key %s' . PHP_EOL, $newParameter->getName(), $newParameter->getKmsKey());

}

Python

To run this code, first set up a Python development environment and install the Parameter Manager Python SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

def create_param_with_kms_key(
    project_id: str, parameter_id: str, kms_key: str
) -> parametermanager_v1.Parameter:
    """
    Creates a parameter with default format (Unformatted)
    in the global location of the specified
    project and kms key using the Google Cloud Parameter Manager SDK.

    Args:
        project_id (str): The ID of the project where
        the parameter is to be created.
        parameter_id (str): The ID to assign to the new parameter.
        This ID must be unique within the project.
        kms_key (str): The KMS key used to encrypt the parameter.

    Returns:
        parametermanager_v1.Parameter: An object representing
        the newly created parameter.

    Example:
        create_param_with_kms_key(
            "my-project",
            "my-global-parameter",
            "projects/my-project/locations/global/keyRings/test/cryptoKeys/test-key"
        )
    """
    # Import the necessary library for Google Cloud Parameter Manager.
    from google.cloud import parametermanager_v1

    # Create the Parameter Manager client.
    client = parametermanager_v1.ParameterManagerClient()

    # Build the resource name of the parent project in the global location.
    parent = client.common_location_path(project_id, "global")

    # Define the parameter creation request.
    request = parametermanager_v1.CreateParameterRequest(
        parent=parent,
        parameter_id=parameter_id,
        parameter=parametermanager_v1.Parameter(kms_key=kms_key),
    )

    # Create the parameter.
    response = client.create_parameter(request=request)

    # Print the newly created parameter name.
    print(f"Created parameter {response.name} with kms key {kms_key}")

Ruby

To run this code, first set up a Ruby development environment and install the Parameter Manager Ruby SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

require "google/cloud/parameter_manager"

##
# Create a parameter with a KMS key
#
# @param project_id [String] The Google Cloud project (e.g. "my-project")
# @param parameter_id [String] The parameter name (e.g. "my-parameter")
# @param kms_key [String] The KMS key name
# (e.g. "projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key")
#
def create_param_with_kms_key project_id:, parameter_id:, kms_key:
  # Create a Parameter Manager client.
  client = Google::Cloud::ParameterManager.parameter_manager

  # Build the resource name of the parent project.
  parent = client.location_path project: project_id, location: "global"

  parameter = {
    kms_key: kms_key
  }

  # Create the parameter.
  param = client.create_parameter parent: parent, parameter_id: parameter_id, parameter: parameter

  # Print the new parameter name.
  puts "Created parameter #{param.name} with kms_key #{param.kms_key}"
end

Regional parameters

gcloud

Before using any of the command data below, make the following replacements:

LOCATION: the Google Cloud location of the parameter
PARAMETER_ID: the name of the parameter
PM_PROJECT_ID: the Parameter Manager project ID

Execute the following command:

Linux, macOS, or Cloud Shell

     gcloud parametermanager parameters create "PARAMETER_ID" \
         --location "LOCATION" \
         --kms-key "projects/KMS_PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME" \
         --project "PM_PROJECT_ID"

Windows (PowerShell)

     gcloud parametermanager parameters create "PARAMETER_ID" `
         --location "LOCATION" `
         --kms-key "projects/KMS_PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME" `
         --project "PM_PROJECT_ID"

Windows (cmd.exe)

     gcloud parametermanager parameters create "PARAMETER_ID" ^
         --location "LOCATION" ^
         --kms-key "projects/KMS_PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME" ^
         --project "PM_PROJECT_ID"

REST

Before using any of the request data, make the following replacements:

LOCATION: the Google Cloud location of the parameter
PARAMETER_ID: the name of the parameter
PM_PROJECT_ID: the Parameter Manager project ID

HTTP method and URL:

POST https://parametermanager.LOCATION.rep.googleapis.com/v1/projects/PM_PROJECT_ID/locations/LOCATION/parameters?parameter_id=PARAMETER_ID

To send your request, choose one of these options:

curl

Execute the following command:

curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d "" \
     "https://parametermanager.LOCATION.rep.googleapis.com/v1/projects/PM_PROJECT_ID/locations/LOCATION/parameters?parameter_id=PARAMETER_ID"

PowerShell

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -Uri "https://parametermanager.LOCATION.rep.googleapis.com/v1/projects/PM_PROJECT_ID/locations/LOCATION/parameters?parameter_id=PARAMETER_ID" | Select-Object -Expand Content

You should receive a successful status code (2xx) and an empty response.

Go

To run this code, first set up a Go development environment and install the Parameter Manager Go SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

import (
	"context"
	"fmt"
	"io"

	parametermanager "cloud.google.com/go/parametermanager/apiv1"
	parametermanagerpb "cloud.google.com/go/parametermanager/apiv1/parametermanagerpb"
	"google.golang.org/api/option"
)

// createRegionalParamWithKmsKey creates a regional parameter with kms_key using the Parameter Manager SDK for GCP.
//
// w: The io.Writer object used to write the output.
// projectID: The ID of the project where the parameter is located.
// locationID: The ID of the location where the parameter is located.
// parameterID: The ID of the parameter to be created.
// kmsKey: The ID of the KMS key to be used for encryption.
// (e.g. "projects/my-project/locations/us-central1/keyRings/my-key-ring/cryptoKeys/my-encryption-key")
// (For more information, see: https://cloud.google.com/secret-manager/parameter-manager/docs/cmek)
//
// The function returns an error if the parameter creation fails.
func createRegionalParamWithKmsKey(w io.Writer, projectID, locationID, parameterID, kmsKey string) error {
	// Create a context and a Parameter Manager client.
	ctx := context.Background()

	// Create a Parameter Manager client.
	endpoint := fmt.Sprintf("parametermanager.%s.rep.googleapis.com:443", locationID)
	client, err := parametermanager.NewClient(ctx, option.WithEndpoint(endpoint))
	if err != nil {
		return fmt.Errorf("failed to create Parameter Manager client: %w", err)
	}
	defer client.Close()

	// Construct the name of the create parameter.
	parent := fmt.Sprintf("projects/%s/locations/%s", projectID, locationID)

	// Create a parameter with unformatted format.
	req := &parametermanagerpb.CreateParameterRequest{
		Parent:      parent,
		ParameterId: parameterID,
		Parameter: &parametermanagerpb.Parameter{
			Format: parametermanagerpb.ParameterFormat_UNFORMATTED,
			KmsKey: &kmsKey,
		},
	}
	parameter, err := client.CreateParameter(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to create parameter: %w", err)
	}

	fmt.Fprintf(w, "Created regional parameter %s with kms_key %s\n", parameter.Name, *parameter.KmsKey)
	return nil
}

Java

To run this code, first set up a Java development environment and install the Parameter Manager Java SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.


import com.google.cloud.parametermanager.v1.LocationName;
import com.google.cloud.parametermanager.v1.Parameter;
import com.google.cloud.parametermanager.v1.ParameterManagerClient;
import com.google.cloud.parametermanager.v1.ParameterManagerSettings;
import java.io.IOException;

/**
 * Example class to create a new regional parameter with provided KMS 
 * key using the Parameter Manager SDK for GCP.
 */
public class CreateRegionalParamWithKmsKey {

  public static void main(String[] args) throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String locationId = "your-location-id";
    String parameterId = "your-parameter-id";
    String kmsKeyName = "your-kms-key";

    // Call the method to create a regional parameter with the specified kms key.
    createRegionalParameterWithKmsKey(projectId, locationId, parameterId, kmsKeyName);
  }

  // This is an example snippet for creating a new parameter with a specific format.
  public static Parameter createRegionalParameterWithKmsKey(
      String projectId, String locationId, String parameterId, String kmsKeyName)
      throws IOException {

    // Endpoint to call the regional parameter manager server
    String apiEndpoint = String.format("parametermanager.%s.rep.googleapis.com:443", locationId);
    ParameterManagerSettings parameterManagerSettings =
        ParameterManagerSettings.newBuilder().setEndpoint(apiEndpoint).build();

    // Initialize the client that will be used to send requests. This client only needs to be
    // created once, and can be reused for multiple requests.
    try (ParameterManagerClient client = ParameterManagerClient.create(parameterManagerSettings)) {

      // Build the parent name from the project.
      LocationName location = LocationName.of(projectId, locationId);

      // Build the parameter to create with the provided format.
      Parameter parameter = Parameter.newBuilder().setKmsKey(kmsKeyName).build();

      // Create the parameter.
      Parameter createdParameter =
          client.createParameter(location.toString(), parameter, parameterId);
      System.out.printf(
          "Created regional parameter %s with kms key %s\n",
          createdParameter.getName(), createdParameter.getKmsKey());

      return createdParameter;
    }
  }
}

Node.js

To run this code, first set up a Node.js development environment and install the Parameter Manager Node.js SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

/**
 * TODO(developer): Uncomment these variables before running the sample.
 */
// const projectId = 'YOUR_PROJECT_ID';
// const locationId = 'YOUR_LOCATION_ID';
// const parameterId = 'YOUR_PARAMETER_ID';
// const kmsKey = 'YOUR_KMS_KEY'

// Imports the Parameter Manager library
const {ParameterManagerClient} = require('@google-cloud/parametermanager');

// Adding the endpoint to call the regional parameter manager server
const options = {
  apiEndpoint: `parametermanager.${locationId}.rep.googleapis.com`,
};

// Instantiates a client with regional endpoint
const client = new ParameterManagerClient(options);

async function createRegionalParamWithKmsKey() {
  const parent = client.locationPath(projectId, locationId);
  const request = {
    parent: parent,
    parameterId: parameterId,
    parameter: {
      kmsKey: kmsKey,
    },
  };

  const [parameter] = await client.createParameter(request);
  console.log(
    `Created regional parameter ${parameter.name} with kms_key ${parameter.kmsKey}`
  );
  return parameter;
}

return await createRegionalParamWithKmsKey();

PHP

To run this code, first learn about using PHP on Google Cloud and install the Parameter Manager PHP SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

// Import necessary classes for creating a parameter.
use Google\Cloud\ParameterManager\V1\Client\ParameterManagerClient;
use Google\Cloud\ParameterManager\V1\CreateParameterRequest;
use Google\Cloud\ParameterManager\V1\Parameter;

/**
 * Creates a regional parameter of type "unformatted" with provided KMS key using the Parameter Manager SDK for GCP.
 *
 * @param string $projectId The Google Cloud Project ID (e.g. 'my-project')
 * @param string $locationId The Parameter Location (e.g. 'us-central1')
 * @param string $parameterId The Parameter ID (e.g. 'my-param')
 * @param string $kmsKey The KMS key used to encrypt the parameter (e.g. 'projects/my-project/locations/us-central1/keyRings/test/cryptoKeys/test-key')
 */
function create_regional_param_with_kms_key(string $projectId, string $locationId, string $parameterId, string $kmsKey): void
{
    // Specify regional endpoint.
    $options = ['apiEndpoint' => "parametermanager.$locationId.rep.googleapis.com"];

    // Create a client for the Parameter Manager service.
    $client = new ParameterManagerClient($options);

    // Build the resource name of the parent object.
    $parent = $client->locationName($projectId, $locationId);

    // Create a new Parameter object.
    $parameter = (new Parameter())
    ->setKmsKey($kmsKey);

    // Prepare the request with the parent, parameter ID, and the parameter object.
    $request = (new CreateParameterRequest())
        ->setParent($parent)
        ->setParameterId($parameterId)
        ->setParameter($parameter);

    // Crete the parameter.
    $newParameter = $client->createParameter($request);

    // Print the new parameter name
    printf('Created regional parameter %s with kms key %s' . PHP_EOL, $newParameter->getName(), $newParameter->getKmsKey());

}

Python

To run this code, first set up a Python development environment and install the Parameter Manager Python SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

def create_regional_param_with_kms_key(
    project_id: str, location_id: str, parameter_id: str, kms_key: str
) -> parametermanager_v1.Parameter:
    """
    Creates a regional parameter with default format (Unformatted)
    in the specified location, project and with kms key
    using the Google Cloud Parameter Manager SDK.

    Args:
        project_id (str): The ID of the project where
        the regional parameter is to be created.
        location_id (str): The region where the parameter is to be created.
        parameter_id (str): The ID to assign to the new parameter.
        This ID must be unique within the project.
        kms_key (str): The KMS key used to encrypt the parameter.

    Returns:
        parametermanager_v1.Parameter: An object representing
        the newly created regional parameter.

    Example:
        create_regional_param_with_kms_key(
            "my-project",
            "us-central1",
            "my-regional-parameter",
            "projects/my-project/locations/us-central1/keyRings/test/cryptoKeys/test-key"
        )
    """

    # Import the Parameter Manager client library.
    from google.cloud import parametermanager_v1

    api_endpoint = f"parametermanager.{location_id}.rep.googleapis.com"
    # Create the Parameter Manager client for the specified region.
    client = parametermanager_v1.ParameterManagerClient(
        client_options={"api_endpoint": api_endpoint}
    )

    # Build the resource name of the parent project for the specified region.
    parent = client.common_location_path(project_id, location_id)

    # Define the parameter creation request.
    request = parametermanager_v1.CreateParameterRequest(
        parent=parent,
        parameter_id=parameter_id,
        parameter=parametermanager_v1.Parameter(kms_key=kms_key),
    )

    # Create the parameter.
    response = client.create_parameter(request=request)

    # Print the newly created parameter name.
    print(f"Created regional parameter {response.name} with kms key {kms_key}")

Ruby

To run this code, first set up a Ruby development environment and install the Parameter Manager Ruby SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

require "google/cloud/parameter_manager"

##
# Create a regional parameter with a KMS key
#
# @param project_id [String] The Google Cloud project (e.g. "my-project")
# @param location_id [String] The location name (e.g. "us-central1")
# @param parameter_id [String] The parameter name (e.g. "my-parameter")
# @param kms_key [String] The KMS key name
# (e.g. "projects/my-project/locations/us-central1/keyRings/my-keyring/cryptoKeys/my-key")
#
def create_regional_param_with_kms_key project_id:, location_id:, parameter_id:, kms_key:
  # Endpoint for the regional parameter manager service.
  api_endpoint = "parametermanager.#{location_id}.rep.googleapis.com"

  # Create the Parameter Manager client.
  client = Google::Cloud::ParameterManager.parameter_manager do |config|
    config.endpoint = api_endpoint
  end

  # Build the resource name of the parent project.
  parent = client.location_path project: project_id, location: location_id

  parameter = {
    kms_key: kms_key
  }

  # Create the parameter.
  param = client.create_parameter parent: parent, parameter_id: parameter_id, parameter: parameter

  # Print the new parameter name.
  puts "Created regional parameter #{param.name} with kms_key #{param.kms_key}"
end

Grant the Parameter Manager service identity, which is specific to your project, the permission to use your encryption key. This lets Parameter Manager encrypt and decrypt data as needed, using your chosen key. To do this, assign the Cloud KMS CryptoKey Encrypter/Decrypter role (roles/cloudkms.cryptoKeyEncrypterDecrypter) to the service identity. Note that the service identity is automatically created when you create the first parameter in your project.
gcloud
```
gcloud kms keys add-iam-policy-binding "my-cmek-key" \
    --project "KMS_PROJECT_ID" \
    --location "LOCATION" \
    --keyring "parameter-manager-cmek" \
    --member "service-PROJECT_NUMBER@gcp-sa-pm.iam.gserviceaccount.com" \
    --role "roles/cloudkms.cryptoKeyEncrypterDecrypter"
```
Replace PROJECT_NUMBER with the project number of the Google Cloud project where the parameter is stored.

When the service creates a parameter version, it automatically encrypts the parameter version's payload with the key before writing it to persistent storage, if the service identity can access the customer-managed encryption key (CMEK). If the service identity can't access the key, attempts to create or access parameter versions return an error.
Create a new parameter version. Notice that if you don't specify the Cloud KMS key's resource name, it is read from the parameter's metadata.
gcloud
```
gcloud parametermanager parameters versions create PARAMETER_VERSION_ID --parameter=PARAMETER_ID --location=LOCATION --payload-data="PARAMETER_PAYLOAD"
```
Replace the following variables:
- PARAMETER_VERSION_ID: the ID that you want to assign to the parameter version. Parameter version IDs must be 63 characters or less and consist only of alphanumeric characters (A-Z, a-z, 0-9), dashes (-), and underscores (_). IDs cannot begin with a dash.
- PARAMETER_PAYLOAD: the data, in plaintext, that you want to store within the parameter.
The parameter version is created, even if the caller doesn't have direct access to use the CMEK key. The service identity for Parameter Manager, rather than the caller, is responsible for encrypting and decrypting parameters when reading or writing them.

Similarly, you don't need direct access to the CMEK key in order to access the parameter. The service identity accesses the key and encrypts or decrypts the parameter on your behalf.

View the parameter version you just created:

gcloud

gcloud parametermanager parameters versions describe PARAMETER_VERSION_ID --parameter=PARAMETER_ID --location=LOCATION

Update CMEK configuration

To change the encryption key used to protect your data, follow these steps:

Create a new symmetric KMS key in the selected Cloud KMS location.

gcloud

gcloud kms keys create "my-other-key" \
    --project "KMS_PROJECT_ID" \
    --location "LOCATION" \
    --keyring "parameter-manager-cmek" \
    --purpose "encryption"

Assign the Parameter Manager service identity the necessary permissions to use your encryption key.

gcloud

gcloud kms keys add-iam-policy-binding "my-other-key" \
    --project "KMS_PROJECT_ID" \
    --location "LOCATION" \
    --keyring "parameter-manager-cmek" \
    --member "service-PROJECT_NUMBER@gcp-sa-pm.iam.gserviceaccount.com" \
    --role "roles/cloudkms.cryptoKeyEncrypterDecrypter"

Modify the CMEK configuration on a parameter by updating the parameter to use the new Cloud KMS key resource names.

Global parameters

gcloud

Execute the following command:

Linux, macOS, or Cloud Shell

     gcloud parametermanager parameters update "PARAMETER_ID" --kms-key "projects/KMS_PROJECT_ID/locations/LOCATION/keyRings/parameter-manager-cmek/cryptoKeys/my-other-key"

Windows (PowerShell)

     gcloud parametermanager parameters update "PARAMETER_ID" --kms-key "projects/KMS_PROJECT_ID/locations/LOCATION/keyRings/parameter-manager-cmek/cryptoKeys/my-other-key"

Windows (cmd.exe)

     gcloud parametermanager parameters update "PARAMETER_ID" --kms-key "projects/KMS_PROJECT_ID/locations/LOCATION/keyRings/parameter-manager-cmek/cryptoKeys/my-other-key"

REST

HTTP method and URL:

PATCH https://parametermanager.googleapis.com/v1/projects/PM_PROJECT_ID/locations/LOCATION/parameters/PARAMETER_ID?update_mask=kmsKey

Request JSON body:

{
  "payload": {
    "kmsKey": "projects/KMS_PROJECT_ID/locations/LOCATION/keyRings/parameter-manager-cmek/cryptoKeys/my-other-key"
  }
}

To send your request, choose one of these options:

curl

Save the request body in a file named request.json, and execute the following command:

curl -X PATCH \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://parametermanager.googleapis.com/v1/projects/PM_PROJECT_ID/locations/LOCATION/parameters/PARAMETER_ID?update_mask=kmsKey"

PowerShell

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method PATCH `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://parametermanager.googleapis.com/v1/projects/PM_PROJECT_ID/locations/LOCATION/parameters/PARAMETER_ID?update_mask=kmsKey" | Select-Object -Expand Content

You should receive a successful status code (2xx) and an empty response.

Go

To run this code, first set up a Go development environment and install the Parameter Manager Go SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

import (
	"context"
	"fmt"
	"io"

	parametermanager "cloud.google.com/go/parametermanager/apiv1"
	parametermanagerpb "cloud.google.com/go/parametermanager/apiv1/parametermanagerpb"
	"google.golang.org/genproto/protobuf/field_mask"
)

// updateParamKmsKey updates a parameter kms_key using the Parameter Manager SDK for GCP.
//
// w: The io.Writer object used to write the output.
// projectID: The ID of the project where the parameter is located.
// parameterID: The ID of the parameter to be updated.
// kmsKey: The ID of the KMS key to be used for encryption.
// (e.g. "projects/my-project/locations/global/keyRings/my-key-ring/cryptoKeys/my-encryption-key")
// (For more information, see: https://cloud.google.com/secret-manager/parameter-manager/docs/cmek)
//
// The function returns an error if the parameter creation fails.
func updateParamKmsKey(w io.Writer, projectID, parameterID, kmsKey string) error {
	// Create a context and a Parameter Manager client.
	ctx := context.Background()

	// Create a Parameter Manager client.
	client, err := parametermanager.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("failed to create Parameter Manager client: %w", err)
	}
	defer client.Close()

	// Construct the name of the create parameter.
	name := fmt.Sprintf("projects/%s/locations/global/parameters/%s", projectID, parameterID)

	// Create a parameter with unformatted format.
	req := &parametermanagerpb.UpdateParameterRequest{
		Parameter: &parametermanagerpb.Parameter{
			Name:   name,
			Format: parametermanagerpb.ParameterFormat_UNFORMATTED,
			KmsKey: &kmsKey,
		},
		UpdateMask: &field_mask.FieldMask{
			Paths: []string{"kms_key"},
		},
	}
	parameter, err := client.UpdateParameter(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to update parameter: %w", err)
	}

	fmt.Fprintf(w, "Updated parameter %s with kms_key %s\n", parameter.Name, *parameter.KmsKey)
	return nil
}

Java

To run this code, first set up a Java development environment and install the Parameter Manager Java SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.


import com.google.cloud.parametermanager.v1.Parameter;
import com.google.cloud.parametermanager.v1.ParameterManagerClient;
import com.google.cloud.parametermanager.v1.ParameterManagerSettings;
import com.google.cloud.parametermanager.v1.ParameterName;
import com.google.protobuf.FieldMask;
import com.google.protobuf.util.FieldMaskUtil;
import java.io.IOException;

/**
 * This class demonstrates how to change the kms key of a parameter
 * using theParameter Manager SDK for GCP.
 */
public class UpdateParamKmsKey {

  public static void main(String[] args) throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String parameterId = "your-parameter-id";
    String kmsKeyName = "your-kms-key";

    // Call the method to update kms key of a parameter.
    updateParamKmsKey(projectId, parameterId, kmsKeyName);
  }

  // This is an example snippet for updating the kms key of a parameter.
  public static Parameter updateParamKmsKey(
      String projectId, String parameterId, String kmsKeyName) throws IOException {
    // Initialize the client that will be used to send requests. This client only
    // needs to be created once, and can be reused for multiple requests.
    try (ParameterManagerClient client = ParameterManagerClient.create()) {
      String locationId = "global";

      // Build the parameter name.
      ParameterName name = ParameterName.of(projectId, locationId, parameterId);

      // Set the parameter kms key to update.
      Parameter parameter = Parameter.newBuilder()
          .setName(name.toString())
          .setKmsKey(kmsKeyName)
          .build();

      // Build the field mask for the kms_key field.
      FieldMask fieldMask = FieldMaskUtil.fromString("kms_key");

      // Update the parameter kms key.
      Parameter updatedParameter = client.updateParameter(parameter, fieldMask);
      System.out.printf(
          "Updated parameter %s with kms key %s\n",
          updatedParameter.getName(), updatedParameter.getKmsKey());

      return updatedParameter;
    }
  }
}

Node.js

To run this code, first set up a Node.js development environment and install the Parameter Manager Node.js SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

/**
 * TODO(developer): Uncomment these variables before running the sample.
 */
// const projectId = 'YOUR_PROJECT_ID';
// const parameterId = 'YOUR_PARAMETER_ID';
// const kmsKey = 'YOUR_KMS_KEY'

// Imports the Parameter Manager library
const {ParameterManagerClient} = require('@google-cloud/parametermanager');

// Instantiates a client
const client = new ParameterManagerClient();

async function updateParamKmsKey() {
  const name = client.parameterPath(projectId, 'global', parameterId);
  const request = {
    parameter: {
      name: name,
      kmsKey: kmsKey,
    },
    updateMask: {
      paths: ['kms_key'],
    },
  };

  const [parameter] = await client.updateParameter(request);
  console.log(
    `Updated parameter ${parameter.name} with kms_key ${parameter.kmsKey}`
  );
  return parameter;
}

return await updateParamKmsKey();

PHP

To run this code, first learn about using PHP on Google Cloud and install the Parameter Manager PHP SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

// Import necessary classes for updating a parameter.
use Google\Cloud\ParameterManager\V1\Client\ParameterManagerClient;
use Google\Cloud\ParameterManager\V1\GetParameterRequest;
use Google\Cloud\ParameterManager\V1\UpdateParameterRequest;
use Google\Protobuf\FieldMask;

/**
 * Update a parameter with kms key using the Parameter Manager SDK for GCP.
 *
 * @param string $projectId The Google Cloud Project ID (e.g. 'my-project')
 * @param string $parameterId The Parameter ID (e.g. 'my-param')
 * @param string $kmsKey The KMS key used to encrypt the parameter (e.g. 'projects/my-project/locations/global/keyRings/test/cryptoKeys/test-key')
 */
function update_param_kms_key(string $projectId, string $parameterId, string $kmsKey): void
{
    // Create a client for the Parameter Manager service.
    $client = new ParameterManagerClient();

    // Build the resource name of the parameter.
    $parameterName = $client->parameterName($projectId, 'global', $parameterId);

    // Prepare the request to get the parameter.
    $request = (new GetParameterRequest())
        ->setName($parameterName);

    // Retrieve the parameter using the client.
    $parameter = $client->getParameter($request);

    $parameter->setKmsKey($kmsKey);

    $updateMask = (new FieldMask())
        ->setPaths(['kms_key']);

    // Prepare the request to update the parameter.
    $request = (new UpdateParameterRequest())
        ->setUpdateMask($updateMask)
        ->setParameter($parameter);

    // Update the parameter using the client.
    $updatedParameter = $client->updateParameter($request);

    // Print the parameter details.
    printf('Updated parameter %s with kms key %s' . PHP_EOL, $updatedParameter->getName(), $updatedParameter->getKmsKey());
}

Python

To run this code, first set up a Python development environment and install the Parameter Manager Python SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

def update_param_kms_key(
    project_id: str, parameter_id: str, kms_key: str
) -> parametermanager_v1.Parameter:
    """
    Update the kms key of a specified global parameter
    in the specified project using the Google Cloud Parameter Manager SDK.

    Args:
        project_id (str): The ID of the project where the parameter is located.
        parameter_id (str): The ID of the parameter for
        which kms key is to be updated.
        kms_key (str): The kms_key to be updated for the parameter.

    Returns:
        parametermanager_v1.Parameter: An object representing the
        updated parameter.

    Example:
        update_param_kms_key(
            "my-project",
            "my-global-parameter",
            "projects/my-project/locations/global/keyRings/test/cryptoKeys/updated-test-key"
        )
    """
    # Import the necessary library for Google Cloud Parameter Manager.
    from google.cloud import parametermanager_v1
    from google.protobuf import field_mask_pb2

    # Create the Parameter Manager client.
    client = parametermanager_v1.ParameterManagerClient()

    # Build the resource name of the parameter.
    name = client.parameter_path(project_id, "global", parameter_id)

    # Get the current parameter details.
    parameter = client.get_parameter(name=name)

    # Set the kms key field of the parameter.
    parameter.kms_key = kms_key

    # Define the update mask for the kms_key field.
    update_mask = field_mask_pb2.FieldMask(paths=["kms_key"])

    # Define the request to update the parameter.
    request = parametermanager_v1.UpdateParameterRequest(
        parameter=parameter, update_mask=update_mask
    )

    # Call the API to update (kms_key) the parameter.
    response = client.update_parameter(request=request)

    # Print the parameter ID that was updated.
    print(f"Updated parameter {parameter_id} with kms key {response.kms_key}")

Ruby

To run this code, first set up a Ruby development environment and install the Parameter Manager Ruby SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

require "google/cloud/parameter_manager"

##
# Update the KMS key of a parameter
#
# @param project_id [String] The Google Cloud project (e.g. "my-project")
# @param parameter_id [String] The parameter name (e.g. "my-parameter")
# @param kms_key [String] The KMS key name
# (e.g. "projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key")
#
def update_param_kms_key project_id:, parameter_id:, kms_key:
  # Create a Parameter Manager client.
  client = Google::Cloud::ParameterManager.parameter_manager

  # Build the resource name of the parent project.
  name = client.parameter_path project: project_id, location: "global", parameter: parameter_id

  parameter = {
    name: name,
    kms_key: kms_key
  }

  update_mask = {
    paths: ["kms_key"]
  }

  # Update the parameter.
  param = client.update_parameter parameter: parameter, update_mask: update_mask

  # Print the parameter name.
  puts "Updated parameter #{param.name} with kms_key #{param.kms_key}"
end

Regional parameters

gcloud

Execute the following command:

Linux, macOS, or Cloud Shell

     gcloud parametermanager parameters update "PARAMETER_ID" \
         --location "LOCATION" \
         --kms-key "projects/KMS_PROJECT_ID/locations/LOCATION/keyRings/parameter-manager-cmek/cryptoKeys/my-other-key"

Windows (PowerShell)

     gcloud parametermanager parameters update "PARAMETER_ID" `
         --location "LOCATION" `
         --kms-key "projects/KMS_PROJECT_ID/locations/LOCATION/keyRings/parameter-manager-cmek/cryptoKeys/my-other-key"

Windows (cmd.exe)

     gcloud parametermanager parameters update "PARAMETER_ID" ^
         --location "LOCATION" ^
         --kms-key "projects/KMS_PROJECT_ID/locations/LOCATION/keyRings/parameter-manager-cmek/cryptoKeys/my-other-key"

REST

HTTP method and URL:

PATCH https://parametermanager.LOCATION.rep.googleapis.com/v1/projects/PM_PROJECT_ID/locations/LOCATION/parameters/PARAMETER_ID?update_mask=kmsKey

Request JSON body:

{
  "payload": {
    "kmsKey": "projects/KMS_PROJECT_ID/locations/LOCATION/keyRings/parameter-manager-cmek/cryptoKeys/my-other-key"
  }
}

To send your request, choose one of these options:

curl

Save the request body in a file named request.json, and execute the following command:

curl -X PATCH \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://parametermanager.LOCATION.rep.googleapis.com/v1/projects/PM_PROJECT_ID/locations/LOCATION/parameters/PARAMETER_ID?update_mask=kmsKey"

PowerShell

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method PATCH `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://parametermanager.LOCATION.rep.googleapis.com/v1/projects/PM_PROJECT_ID/locations/LOCATION/parameters/PARAMETER_ID?update_mask=kmsKey" | Select-Object -Expand Content

You should receive a successful status code (2xx) and an empty response.

Go

To run this code, first set up a Go development environment and install the Parameter Manager Go SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

import (
	"context"
	"fmt"
	"io"

	parametermanager "cloud.google.com/go/parametermanager/apiv1"
	parametermanagerpb "cloud.google.com/go/parametermanager/apiv1/parametermanagerpb"
	"google.golang.org/api/option"
	"google.golang.org/genproto/protobuf/field_mask"
)

// updateRegionalParamKmsKey updates a regional parameter kms_key using the Parameter Manager SDK for GCP.
//
// w: The io.Writer object used to write the output.
// projectID: The ID of the project where the parameter is located.
// locationID: The ID of the location where the parameter is located.
// parameterID: The ID of the parameter to be updated.
// kmsKey: The ID of the KMS key to be used for encryption.
// (e.g. "projects/my-project/locations/us-central1/keyRings/my-key-ring/cryptoKeys/my-encryption-key")
// (For more information, see: https://cloud.google.com/secret-manager/parameter-manager/docs/cmek)
//
// The function returns an error if the parameter creation fails.
func updateRegionalParamKmsKey(w io.Writer, projectID, locationID, parameterID, kmsKey string) error {
	// Create a context and a Parameter Manager client.
	ctx := context.Background()

	// Create a Parameter Manager client.
	endpoint := fmt.Sprintf("parametermanager.%s.rep.googleapis.com:443", locationID)
	client, err := parametermanager.NewClient(ctx, option.WithEndpoint(endpoint))
	if err != nil {
		return fmt.Errorf("failed to create Parameter Manager client: %w", err)
	}
	defer client.Close()

	// Construct the name of the create parameter.
	name := fmt.Sprintf("projects/%s/locations/%s/parameters/%s", projectID, locationID, parameterID)

	// Create a parameter with unformatted format.
	req := &parametermanagerpb.UpdateParameterRequest{
		Parameter: &parametermanagerpb.Parameter{
			Name:   name,
			Format: parametermanagerpb.ParameterFormat_UNFORMATTED,
			KmsKey: &kmsKey,
		},
		UpdateMask: &field_mask.FieldMask{
			Paths: []string{"kms_key"},
		},
	}
	parameter, err := client.UpdateParameter(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to update parameter: %w", err)
	}

	fmt.Fprintf(w, "Updated regional parameter %s with kms_key %s\n", parameter.Name, *parameter.KmsKey)
	return nil
}

Java

To run this code, first set up a Java development environment and install the Parameter Manager Java SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.


import com.google.cloud.parametermanager.v1.Parameter;
import com.google.cloud.parametermanager.v1.ParameterManagerClient;
import com.google.cloud.parametermanager.v1.ParameterManagerSettings;
import com.google.cloud.parametermanager.v1.ParameterName;
import com.google.protobuf.FieldMask;
import com.google.protobuf.util.FieldMaskUtil;
import java.io.IOException;

/**
 * This class demonstrates how to change the kms key of a regional 
 * parameter using the Parameter Manager SDK for GCP.
 */
public class UpdateRegionalParamKmsKey {

  public static void main(String[] args) throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String locationId = "your-location-id";
    String parameterId = "your-parameter-id";
    String kmsKeyName = "your-kms-key";

    // Call the method to update kms key of a parameter.
    updateRegionalParamKmsKey(projectId, locationId, parameterId, kmsKeyName);
  }

  // This is an example snippet for updating the kms key of a parameter.
  public static Parameter updateRegionalParamKmsKey(
      String projectId, String locationId, String parameterId, String kmsKeyName)
      throws IOException {

    // Endpoint to call the regional parameter manager server
    String apiEndpoint = String.format("parametermanager.%s.rep.googleapis.com:443", locationId);
    ParameterManagerSettings parameterManagerSettings =
        ParameterManagerSettings.newBuilder().setEndpoint(apiEndpoint).build();

    // Initialize the client that will be used to send requests. This client only needs to be
    // created once, and can be reused for multiple requests.
    try (ParameterManagerClient client = ParameterManagerClient.create(parameterManagerSettings)) {

      // Build the parameter name.
      ParameterName name = ParameterName.of(projectId, locationId, parameterId);

      // Set the parameter kms key to update.
      Parameter parameter = Parameter.newBuilder()
          .setName(name.toString())
          .setKmsKey(kmsKeyName)
          .build();

      // Build the field mask for the kms_key field.
      FieldMask fieldMask = FieldMaskUtil.fromString("kms_key");

      // Update the parameter kms key.
      Parameter updatedParameter = client.updateParameter(parameter, fieldMask);
      System.out.printf(
          "Updated regional parameter %s with kms key %s\n",
          updatedParameter.getName(), updatedParameter.getKmsKey());

      return updatedParameter;
    }
  }
}

Node.js

To run this code, first set up a Node.js development environment and install the Parameter Manager Node.js SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

/**
 * TODO(developer): Uncomment these variables before running the sample.
 */
// const projectId = 'YOUR_PROJECT_ID';
// const locationId = 'YOUR_LOCATION_ID';
// const parameterId = 'YOUR_PARAMETER_ID';
// const kmsKey = 'YOUR_KMS_KEY'

// Imports the Parameter Manager library
const {ParameterManagerClient} = require('@google-cloud/parametermanager');

// Adding the endpoint to call the regional parameter manager server
const options = {
  apiEndpoint: `parametermanager.${locationId}.rep.googleapis.com`,
};

// Instantiates a client with regional endpoint
const client = new ParameterManagerClient(options);

async function updateRegionalParamKmsKey() {
  const name = client.parameterPath(projectId, locationId, parameterId);
  const request = {
    parameter: {
      name: name,
      kmsKey: kmsKey,
    },
    updateMask: {
      paths: ['kms_key'],
    },
  };

  const [parameter] = await client.updateParameter(request);
  console.log(
    `Updated regional parameter ${parameter.name} with kms_key ${parameter.kmsKey}`
  );
  return parameter;
}

return await updateRegionalParamKmsKey();

PHP

To run this code, first learn about using PHP on Google Cloud and install the Parameter Manager PHP SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

// Import necessary classes for updating a parameter.
use Google\Cloud\ParameterManager\V1\Client\ParameterManagerClient;
use Google\Cloud\ParameterManager\V1\GetParameterRequest;
use Google\Cloud\ParameterManager\V1\UpdateParameterRequest;
use Google\Protobuf\FieldMask;

/**
 * Update a parameter with kms key using the Parameter Manager SDK for GCP.
 *
 * @param string $projectId The Google Cloud Project ID (e.g. 'my-project')
 * @param string $locationId The Parameter Location (e.g. 'us-central1')
 * @param string $parameterId The Parameter ID (e.g. 'my-param')
 * @param string $kmsKey The KMS key used to encrypt the parameter (e.g. 'projects/my-project/locations/global/keyRings/test/cryptoKeys/test-key')
 */
function update_regional_param_kms_key(string $projectId, string $locationId, string $parameterId, string $kmsKey): void
{
    // Specify regional endpoint.
    $options = ['apiEndpoint' => "parametermanager.$locationId.rep.googleapis.com"];

    // Create a client for the Parameter Manager service.
    $client = new ParameterManagerClient($options);

    // Build the resource name of the parameter.
    $parameterName = $client->parameterName($projectId, $locationId, $parameterId);

    // Prepare the request to get the parameter.
    $request = (new GetParameterRequest())
        ->setName($parameterName);

    // Retrieve the parameter using the client.
    $parameter = $client->getParameter($request);

    $parameter->setKmsKey($kmsKey);

    $updateMask = (new FieldMask())
        ->setPaths(['kms_key']);

    // Prepare the request to update the parameter.
    $request = (new UpdateParameterRequest())
        ->setUpdateMask($updateMask)
        ->setParameter($parameter);

    // Update the parameter using the client.
    $updatedParameter = $client->updateParameter($request);

    // Print the parameter details.
    printf('Updated regional parameter %s with kms key %s' . PHP_EOL, $updatedParameter->getName(), $updatedParameter->getKmsKey());
}

Python

To run this code, first set up a Python development environment and install the Parameter Manager Python SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

def update_regional_param_kms_key(
    project_id: str, location_id: str, parameter_id: str, kms_key: str
) -> parametermanager_v1.Parameter:
    """
    Update the kms key of a specified regional parameter
    in the specified project using the Google Cloud Parameter Manager SDK.

    Args:
        project_id (str): The ID of the project where the parameter is to be created.
        location_id (str): The region where the parameter is to be created.
        parameter_id (str): The ID of the regional parameter for
        which kms key is to be updated.
        kms_key (str): The kms_key to be updated for the parameter.

    Returns:
        parametermanager_v1.Parameter: An object representing the
        updated regional parameter.

    Example:
        update_regional_param_kms_key(
            "my-project",
            "us-central1",
            "my-regional-parameter",
            "projects/my-project/locations/us-central1/keyRings/test/cryptoKeys/updated-test-key"
        )
    """
    # Import the necessary library for Google Cloud Parameter Manager.
    from google.cloud import parametermanager_v1
    from google.protobuf import field_mask_pb2

    # Create the Parameter Manager client.
    api_endpoint = f"parametermanager.{location_id}.rep.googleapis.com"
    # Create the Parameter Manager client for the specified region.
    client = parametermanager_v1.ParameterManagerClient(
        client_options={"api_endpoint": api_endpoint}
    )

    # Build the resource name of the regional parameter.
    name = client.parameter_path(project_id, location_id, parameter_id)

    # Get the current regional parameter details.
    parameter = client.get_parameter(name=name)

    # Set the kms key field of the regional parameter.
    parameter.kms_key = kms_key

    # Define the update mask for the kms_key field.
    update_mask = field_mask_pb2.FieldMask(paths=["kms_key"])

    # Define the request to update the parameter.
    request = parametermanager_v1.UpdateParameterRequest(
        parameter=parameter, update_mask=update_mask
    )

    # Call the API to update (kms_key) the parameter.
    response = client.update_parameter(request=request)

    # Print the parameter ID that was updated.
    print(f"Updated regional parameter {parameter_id} with kms key {response.kms_key}")

Ruby

To run this code, first set up a Ruby development environment and install the Parameter Manager Ruby SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

require "google/cloud/parameter_manager"

##
# Update the KMS key of a regional parameter
#
# @param project_id [String] The Google Cloud project (e.g. "my-project")
# @param location_id [String] The location name (e.g. "us-central1")
# @param parameter_id [String] The parameter name (e.g. "my-parameter")
# @param kms_key [String] The KMS key name
# (e.g. "projects/my-project/locations/us-central1/keyRings/my-keyring/cryptoKeys/my-key")
#
def update_regional_param_kms_key project_id:, location_id:, parameter_id:, kms_key:
  # Endpoint for the regional parameter manager service.
  api_endpoint = "parametermanager.#{location_id}.rep.googleapis.com"

  # Create the Parameter Manager client.
  client = Google::Cloud::ParameterManager.parameter_manager do |config|
    config.endpoint = api_endpoint
  end

  # Build the resource name of the parent project.
  name = client.parameter_path project: project_id, location: location_id, parameter: parameter_id

  parameter = {
    name: name,
    kms_key: kms_key
  }

  update_mask = {
    paths: ["kms_key"]
  }

  # Update the parameter.
  param = client.update_parameter parameter: parameter, update_mask: update_mask

  # Print the parameter name.
  puts "Updated regional parameter #{param.name} with kms_key #{param.kms_key}"
end

View parameter version CMEK configuration

To inspect the metadata of a parameter version, including whether the parameter version is CMEK-enabled and the resource name of the CMEK key version, run the command to view its metadata.

gcloud

gcloud parametermanager parameters versions describe "PARAMETER_VERSION_ID" \
    --parameter= "PARAMETER_ID" \
    --location= "LOCATION"
    --project "PM_PROJECT_ID"

API

curl "https://parametermanager.<var>LOCATION</var>.rep.googleapis.com/v1/projects/PM_PROJECT_ID/locations/LOCATION/parameters/PARAMETER_ID/versions/PARAMETER_VERSION_ID?view=FULL" \
    --request "GET" \
    --header "Authorization: Bearer ACCESS_TOKEN" \
    --header "Content-Type: application/json"

This returns the full Cloud KMS resource name of the key version used to encrypt the parameter version. The output is similar to the following:

   {
      "name": "projects/PM_PROJECT_ID/locations/LOCATION/parameters/PARAMETER_ID/versions/PARAMETER_VERSION_ID",
      "createTime": "2024-10-30T05:27:51.206825427Z",
      "updateTime": "2024-10-30T05:27:51.442194863Z",
      "payload": {
        "data": "YTogYgo="
      }
   "kmsKeyVersion": "projects/KMS_PROJECT_ID/locations/LOCATION/keyRings/parameter-manager-cmek/cryptoKeys/my-cmek-key/cryptoKeyVersions/1"
   }

Add a Cloud EKM key to a CMEK policy

This section explains how to incorporate an Cloud EKM key into a CMEK policy for parameter encryption and decryption. As Cloud EKM doesn't support the global multi-region, these keys are limited to regional parameters.

To add a Cloud EKM key to a CMEK policy, follow these steps:

Create a manually managed Cloud EKM key.
Configure a CMEK enabled parameter that uses this Cloud EKM key.

Disable CMEK

To remove CMEK configuration from a parameter, use the following command:

Global parameters

gcloud

Execute the following command:

Linux, macOS, or Cloud Shell

      gcloud parametermanager parameters update "PARAMETER_ID" --clear-kms-key

Windows (PowerShell)

      gcloud parametermanager parameters update "PARAMETER_ID" --clear-kms-key

Windows (cmd.exe)

      gcloud parametermanager parameters update "PARAMETER_ID" --clear-kms-key

REST

HTTP method and URL:

PATCH https://parametermanager.googleapis.com/v1/projects/PM_PROJECT_ID/locations/parameters/PARAMETER_ID?update_mask=kmsKey

To send your request, choose one of these options:

curl

Execute the following command:

curl -X PATCH \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://parametermanager.googleapis.com/v1/projects/PM_PROJECT_ID/locations/parameters/PARAMETER_ID?update_mask=kmsKey"

PowerShell

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method PATCH `
    -Headers $headers `
    -Uri "https://parametermanager.googleapis.com/v1/projects/PM_PROJECT_ID/locations/parameters/PARAMETER_ID?update_mask=kmsKey" | Select-Object -Expand Content

You should receive a successful status code (2xx) and an empty response.

Go

To run this code, first set up a Go development environment and install the Parameter Manager Go SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

import (
	"context"
	"fmt"
	"io"

	parametermanager "cloud.google.com/go/parametermanager/apiv1"
	parametermanagerpb "cloud.google.com/go/parametermanager/apiv1/parametermanagerpb"
	"google.golang.org/genproto/protobuf/field_mask"
)

// removeParamKmsKey removes a parameter kms_key using the Parameter Manager SDK for GCP.
//
// w: The io.Writer object used to write the output.
// projectID: The ID of the project where the parameter is located.
// parameterID: The ID of the parameter to be updated.
//
// The function returns an error if the parameter creation fails.
func removeParamKmsKey(w io.Writer, projectID, parameterID string) error {
	// Create a context and a Parameter Manager client.
	ctx := context.Background()

	// Create a Parameter Manager client.
	client, err := parametermanager.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("failed to create Parameter Manager client: %w", err)
	}
	defer client.Close()

	// Construct the name of the create parameter.
	name := fmt.Sprintf("projects/%s/locations/global/parameters/%s", projectID, parameterID)

	// Create a parameter with unformatted format.
	req := &parametermanagerpb.UpdateParameterRequest{
		Parameter: &parametermanagerpb.Parameter{
			Name:   name,
			Format: parametermanagerpb.ParameterFormat_UNFORMATTED,
		},
		UpdateMask: &field_mask.FieldMask{
			Paths: []string{"kms_key"},
		},
	}
	parameter, err := client.UpdateParameter(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to update parameter: %w", err)
	}

	fmt.Fprintf(w, "Removed kms_key for parameter %s\n", parameter.Name)
	return nil
}

Java

To run this code, first set up a Java development environment and install the Parameter Manager Java SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.


import com.google.cloud.parametermanager.v1.Parameter;
import com.google.cloud.parametermanager.v1.ParameterManagerClient;
import com.google.cloud.parametermanager.v1.ParameterManagerSettings;
import com.google.cloud.parametermanager.v1.ParameterName;
import com.google.protobuf.FieldMask;
import com.google.protobuf.util.FieldMaskUtil;
import java.io.IOException;

/**
 * This class demonstrates how to change the kms key of a parameter
 * using the Parameter Manager SDK for GCP.
 */
public class RemoveParamKmsKey {

  public static void main(String[] args) throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String parameterId = "your-parameter-id";

    // Call the method to remove kms key of a parameter.
    removeParamKmsKey(projectId, parameterId);
  }

  // This is an example snippet for updating the kms key of a parameter.
  public static Parameter removeParamKmsKey(
      String projectId, String parameterId) throws IOException {
    // Initialize the client that will be used to send requests. This client only
    // needs to be created once, and can be reused for multiple requests.
    try (ParameterManagerClient client = ParameterManagerClient.create()) {
      String locationId = "global";

      // Build the parameter name.
      ParameterName name = ParameterName.of(projectId, locationId, parameterId);

      // Remove kms key of a parameter  .
      Parameter parameter = Parameter.newBuilder()
          .setName(name.toString())
          .clearKmsKey()
          .build();

      // Build the field mask for the kms_key field.
      FieldMask fieldMask = FieldMaskUtil.fromString("kms_key");

      // Update the parameter kms key.
      Parameter updatedParameter = client.updateParameter(parameter, fieldMask);
      System.out.printf(
          "Removed kms key for parameter %s\n",
          updatedParameter.getName());

      return updatedParameter;
    }
  }
}

Node.js

To run this code, first set up a Node.js development environment and install the Parameter Manager Node.js SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

/**
 * TODO(developer): Uncomment these variables before running the sample.
 */
// const projectId = 'YOUR_PROJECT_ID';
// const parameterId = 'YOUR_PARAMETER_ID';

// Imports the Parameter Manager library
const {ParameterManagerClient} = require('@google-cloud/parametermanager');

// Instantiates a client
const client = new ParameterManagerClient();

async function removeParamKmsKey() {
  const name = client.parameterPath(projectId, 'global', parameterId);
  const request = {
    parameter: {
      name: name,
    },
    updateMask: {
      paths: ['kms_key'],
    },
  };

  const [parameter] = await client.updateParameter(request);
  console.log(`Removed kms_key for parameter ${parameter.name}`);
  return parameter;
}

return await removeParamKmsKey();

PHP

To run this code, first learn about using PHP on Google Cloud and install the Parameter Manager PHP SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

// Import necessary classes for updating a parameter.
use Google\Cloud\ParameterManager\V1\Client\ParameterManagerClient;
use Google\Cloud\ParameterManager\V1\GetParameterRequest;
use Google\Cloud\ParameterManager\V1\UpdateParameterRequest;
use Google\Protobuf\FieldMask;

/**
 * Update a parameter by removing kms key using the Parameter Manager SDK for GCP.
 *
 * @param string $projectId The Google Cloud Project ID (e.g. 'my-project')
 * @param string $parameterId The Parameter ID (e.g. 'my-param')
 */
function remove_param_kms_key(string $projectId, string $parameterId): void
{
    // Create a client for the Parameter Manager service.
    $client = new ParameterManagerClient();

    // Build the resource name of the parameter.
    $parameterName = $client->parameterName($projectId, 'global', $parameterId);

    // Prepare the request to get the parameter.
    $request = (new GetParameterRequest())
        ->setName($parameterName);

    // Retrieve the parameter using the client.
    $parameter = $client->getParameter($request);

    $parameter->clearKmsKey();

    $updateMask = (new FieldMask())
        ->setPaths(['kms_key']);

    // Prepare the request to update the parameter.
    $request = (new UpdateParameterRequest())
        ->setUpdateMask($updateMask)
        ->setParameter($parameter);

    // Update the parameter using the client.
    $updatedParameter = $client->updateParameter($request);

    // Print the parameter details.
    printf('Removed kms key for parameter %s' . PHP_EOL, $updatedParameter->getName());
}

Python

To run this code, first set up a Python development environment and install the Parameter Manager Python SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

def remove_param_kms_key(
    project_id: str, parameter_id: str
) -> parametermanager_v1.Parameter:
    """
    Remove a kms key of a specified global parameter
    in the specified project using the Google Cloud Parameter Manager SDK.

    Args:
        project_id (str): The ID of the project where the parameter is located.
        parameter_id (str): The ID of the parameter for
        which kms key is to be removed.

    Returns:
        parametermanager_v1.Parameter: An object representing the
        updated parameter.

    Example:
        remove_param_kms_key(
            "my-project",
            "my-global-parameter"
        )
    """
    # Import the necessary library for Google Cloud Parameter Manager.
    from google.cloud import parametermanager_v1
    from google.protobuf import field_mask_pb2

    # Create the Parameter Manager client.
    client = parametermanager_v1.ParameterManagerClient()

    # Build the resource name of the parameter.
    name = client.parameter_path(project_id, "global", parameter_id)

    # Get the current parameter details.
    parameter = client.get_parameter(name=name)

    parameter.kms_key = None

    # Define the update mask for the kms_key field.
    update_mask = field_mask_pb2.FieldMask(paths=["kms_key"])

    # Define the request to update the parameter.
    request = parametermanager_v1.UpdateParameterRequest(
        parameter=parameter, update_mask=update_mask
    )

    # Call the API to update (kms_key) the parameter.
    response = client.update_parameter(request=request)

    # Print the parameter ID that it was disabled.
    print(f"Removed kms key for parameter {parameter_id}")

Ruby

To run this code, first set up a Ruby development environment and install the Parameter Manager Ruby SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

require "google/cloud/parameter_manager"

##
# Remove the KMS key from a parameter
#
# @param project_id [String] The Google Cloud project (e.g. "my-project")
# @param parameter_id [String] The parameter name (e.g. "my-parameter")
#
def remove_param_kms_key project_id:, parameter_id:
  # Create a Parameter Manager client.
  client = Google::Cloud::ParameterManager.parameter_manager

  # Build the resource name of the parent project.
  name = client.parameter_path project: project_id, location: "global", parameter: parameter_id

  parameter = {
    name: name
  }

  update_mask = {
    paths: ["kms_key"]
  }

  # Update the parameter.
  param = client.update_parameter parameter: parameter, update_mask: update_mask

  # Print the parameter name.
  puts "Removed kms_key for parameter #{param.name}"
end

Regional parameters

gcloud

Execute the following command:

Linux, macOS, or Cloud Shell

      gcloud parametermanager parameters update "PARAMETER_ID" \
          --location "LOCATION" \
          --clear-kms-key

Windows (PowerShell)

      gcloud parametermanager parameters update "PARAMETER_ID" `
          --location "LOCATION" `
          --clear-kms-key

Windows (cmd.exe)

      gcloud parametermanager parameters update "PARAMETER_ID" ^
          --location "LOCATION" ^
          --clear-kms-key

REST

HTTP method and URL:

PATCH https://parametermanager.LOCATION.rep.googleapis.com/v1/projects/PM_PROJECT_ID/locations/LOCATION/parameters/PARAMETER_ID?update_mask=kmsKey

To send your request, choose one of these options:

curl

Execute the following command:

curl -X PATCH \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://parametermanager.LOCATION.rep.googleapis.com/v1/projects/PM_PROJECT_ID/locations/LOCATION/parameters/PARAMETER_ID?update_mask=kmsKey"

PowerShell

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method PATCH `
    -Headers $headers `
    -Uri "https://parametermanager.LOCATION.rep.googleapis.com/v1/projects/PM_PROJECT_ID/locations/LOCATION/parameters/PARAMETER_ID?update_mask=kmsKey" | Select-Object -Expand Content

You should receive a successful status code (2xx) and an empty response.

Go

To run this code, first set up a Go development environment and install the Parameter Manager Go SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

import (
	"context"
	"fmt"
	"io"

	parametermanager "cloud.google.com/go/parametermanager/apiv1"
	parametermanagerpb "cloud.google.com/go/parametermanager/apiv1/parametermanagerpb"
	"google.golang.org/api/option"
	"google.golang.org/genproto/protobuf/field_mask"
)

// removeRegionalParamKmsKey removes a regional parameter kms_key using the Parameter Manager SDK for GCP.
//
// w: The io.Writer object used to write the output.
// projectID: The ID of the project where the parameter is located.
// locationID: The ID of the location where the parameter is located.
// parameterID: The ID of the parameter to be updated.
//
// The function returns an error if the parameter creation fails.
func removeRegionalParamKmsKey(w io.Writer, projectID, locationID, parameterID string) error {
	// Create a context and a Parameter Manager client.
	ctx := context.Background()

	// Create a Parameter Manager client.
	endpoint := fmt.Sprintf("parametermanager.%s.rep.googleapis.com:443", locationID)
	client, err := parametermanager.NewClient(ctx, option.WithEndpoint(endpoint))
	if err != nil {
		return fmt.Errorf("failed to create Parameter Manager client: %w", err)
	}
	defer client.Close()

	// Construct the name of the create parameter.
	name := fmt.Sprintf("projects/%s/locations/%s/parameters/%s", projectID, locationID, parameterID)

	// Create a parameter with unformatted format.
	req := &parametermanagerpb.UpdateParameterRequest{
		Parameter: &parametermanagerpb.Parameter{
			Name:   name,
			Format: parametermanagerpb.ParameterFormat_UNFORMATTED,
		},
		UpdateMask: &field_mask.FieldMask{
			Paths: []string{"kms_key"},
		},
	}
	parameter, err := client.UpdateParameter(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to update parameter: %w", err)
	}

	fmt.Fprintf(w, "Removed kms_key for regional parameter %s\n", parameter.Name)
	return nil
}

Java

To run this code, first set up a Java development environment and install the Parameter Manager Java SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.


import com.google.cloud.parametermanager.v1.Parameter;
import com.google.cloud.parametermanager.v1.ParameterManagerClient;
import com.google.cloud.parametermanager.v1.ParameterManagerSettings;
import com.google.cloud.parametermanager.v1.ParameterName;
import com.google.protobuf.FieldMask;
import com.google.protobuf.util.FieldMaskUtil;
import java.io.IOException;

/**
 * This class demonstrates how to change the kms key of a parameter 
 * using the Parameter Manager SDK for GCP.
 */
public class RemoveRegionalParamKmsKey {

  public static void main(String[] args) throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String locationId = "your-location-id";
    String parameterId = "your-parameter-id";

    // Call the method to remove kms key of a parameter.
    removeRegionalParamKmsKey(projectId, locationId, parameterId);
  }

  // This is an example snippet for updating the kms key of a parameter.
  public static Parameter removeRegionalParamKmsKey(
      String projectId, String locationId, String parameterId) throws IOException {

    // Endpoint to call the regional parameter manager server
    String apiEndpoint = String.format("parametermanager.%s.rep.googleapis.com:443", locationId);
    ParameterManagerSettings parameterManagerSettings =
        ParameterManagerSettings.newBuilder().setEndpoint(apiEndpoint).build();

    // Initialize the client that will be used to send requests. This client only needs to be
    // created once, and can be reused for multiple requests.
    try (ParameterManagerClient client = ParameterManagerClient.create(parameterManagerSettings)) {

      // Build the parameter name.
      ParameterName name = ParameterName.of(projectId, locationId, parameterId);

      // Remove kms key of a parameter  .
      Parameter parameter = Parameter.newBuilder()
          .setName(name.toString())
          .clearKmsKey()
          .build();

      // Build the field mask for the kms_key field.
      FieldMask fieldMask = FieldMaskUtil.fromString("kms_key");

      // Update the parameter kms key.
      Parameter updatedParameter = client.updateParameter(parameter, fieldMask);
      System.out.printf(
          "Removed kms key for regional parameter %s\n",
          updatedParameter.getName());

      return updatedParameter;
    }
  }
}

Node.js

To run this code, first set up a Node.js development environment and install the Parameter Manager Node.js SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

/**
 * TODO(developer): Uncomment these variables before running the sample.
 */
// const projectId = 'YOUR_PROJECT_ID';
// const locationId = 'YOUR_LOCATION_ID';
// const parameterId = 'YOUR_PARAMETER_ID';

// Imports the Parameter Manager library
const {ParameterManagerClient} = require('@google-cloud/parametermanager');

// Adding the endpoint to call the regional parameter manager server
const options = {
  apiEndpoint: `parametermanager.${locationId}.rep.googleapis.com`,
};

// Instantiates a client with regional endpoint
const client = new ParameterManagerClient(options);

async function removeRegionalParamKmsKey() {
  const name = client.parameterPath(projectId, locationId, parameterId);
  const request = {
    parameter: {
      name: name,
    },
    updateMask: {
      paths: ['kms_key'],
    },
  };

  const [parameter] = await client.updateParameter(request);
  console.log(`Removed kms_key for regional parameter ${parameter.name}`);
  return parameter;
}

return await removeRegionalParamKmsKey();

PHP

To run this code, first learn about using PHP on Google Cloud and install the Parameter Manager PHP SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

// Import necessary classes for updating a parameter.
use Google\Cloud\ParameterManager\V1\Client\ParameterManagerClient;
use Google\Cloud\ParameterManager\V1\GetParameterRequest;
use Google\Cloud\ParameterManager\V1\UpdateParameterRequest;
use Google\Protobuf\FieldMask;

/**
 * Update a regional parameter by removing kms key using the Parameter Manager SDK for GCP.
 *
 * @param string $projectId The Google Cloud Project ID (e.g. 'my-project')
 * @param string $locationId The Parameter Location (e.g. 'us-central1')
 * @param string $parameterId The Parameter ID (e.g. 'my-param')
 */
function remove_regional_param_kms_key(string $projectId, string $locationId, string $parameterId): void
{
    // Specify regional endpoint.
    $options = ['apiEndpoint' => "parametermanager.$locationId.rep.googleapis.com"];

    // Create a client for the Parameter Manager service.
    $client = new ParameterManagerClient($options);

    // Build the resource name of the parameter.
    $parameterName = $client->parameterName($projectId, $locationId, $parameterId);

    // Prepare the request to get the parameter.
    $request = (new GetParameterRequest())
        ->setName($parameterName);

    // Retrieve the parameter using the client.
    $parameter = $client->getParameter($request);

    $parameter->clearKmsKey();

    $updateMask = (new FieldMask())
        ->setPaths(['kms_key']);

    // Prepare the request to update the parameter.
    $request = (new UpdateParameterRequest())
        ->setUpdateMask($updateMask)
        ->setParameter($parameter);

    // Update the parameter using the client.
    $updatedParameter = $client->updateParameter($request);

    // Print the parameter details.
    printf('Removed kms key for regional parameter %s' . PHP_EOL, $updatedParameter->getName());
}

Python

To run this code, first set up a Python development environment and install the Parameter Manager Python SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

def remove_regional_param_kms_key(
    project_id: str, location_id: str, parameter_id: str
) -> parametermanager_v1.Parameter:
    """
    Remove the kms key of a specified regional parameter
    in the specified project using the Google Cloud Parameter Manager SDK.

    Args:
        project_id (str): The ID of the project where the parameter is to be created.
        location_id (str): The region where the parameter is to be created.
        parameter_id (str): The ID of the regional parameter for
        which kms key is to be updated.

    Returns:
        parametermanager_v1.Parameter: An object representing the
        updated regional parameter.

    Example:
        remove_regional_param_kms_key(
            "my-project",
            "us-central1",
            "my-regional-parameter"
        )
    """
    # Import the necessary library for Google Cloud Parameter Manager.
    from google.cloud import parametermanager_v1
    from google.protobuf import field_mask_pb2

    # Create the Parameter Manager client.
    api_endpoint = f"parametermanager.{location_id}.rep.googleapis.com"
    # Create the Parameter Manager client for the specified region.
    client = parametermanager_v1.ParameterManagerClient(
        client_options={"api_endpoint": api_endpoint}
    )

    # Build the resource name of the regional parameter.
    name = client.parameter_path(project_id, location_id, parameter_id)

    # Get the current regional parameter details.
    parameter = client.get_parameter(name=name)

    # Set the kms key field of the regional parameter.
    parameter.kms_key = None

    # Define the update mask for the kms_key field.
    update_mask = field_mask_pb2.FieldMask(paths=["kms_key"])

    # Define the request to update the parameter.
    request = parametermanager_v1.UpdateParameterRequest(
        parameter=parameter, update_mask=update_mask
    )

    # Call the API to update (kms_key) the parameter.
    response = client.update_parameter(request=request)

    # Print the parameter ID that was updated.
    print(f"Removed kms key for regional parameter {parameter_id}")

Ruby

To run this code, first set up a Ruby development environment and install the Parameter Manager Ruby SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

require "google/cloud/parameter_manager"

##
# Remove the KMS key from a regional parameter
#
# @param project_id [String] The Google Cloud project (e.g. "my-project")
# @param location_id [String] The location name (e.g. "us-central1")
# @param parameter_id [String] The parameter name (e.g. "my-parameter")
#
def remove_regional_param_kms_key project_id:, location_id:, parameter_id:
  # Endpoint for the regional parameter manager service.
  api_endpoint = "parametermanager.#{location_id}.rep.googleapis.com"

  # Create the Parameter Manager client.
  client = Google::Cloud::ParameterManager.parameter_manager do |config|
    config.endpoint = api_endpoint
  end

  # Build the resource name of the parent project.
  name = client.parameter_path project: project_id, location: location_id, parameter: parameter_id

  parameter = {
    name: name
  }

  update_mask = {
    paths: ["kms_key"]
  }

  # Update the parameter.
  param = client.update_parameter parameter: parameter, update_mask: update_mask

  # Print the parameter name.
  puts "Removed kms_key for regional parameter #{param.name}"
end

Additional information

Existing parameters can be updated to use CMEK.
Parameters that already use CMEK can have their CMEK keys changed, or removed to revert to Google default encryption.

Error handling

Operations fail if the CMEK key is unavailable or if the service identity lacks the necessary permissions.
The parameter version creation fails if the CMEK and parameter are not in the same location.

What's next

Learn more about CMEK.

Enable customer-managed encryption keys for Parameter Manager Stay organized with collections Save and categorize content based on your preferences.

How CMEK works in Parameter Manager

Before you begin

Configure CMEK on a parameter

gcloud

gcloud

Linux, macOS, or Cloud Shell

Windows (PowerShell)

Windows (cmd.exe)

REST

curl

PowerShell

Go

Java

Node.js

PHP

Python

Ruby

gcloud

Linux, macOS, or Cloud Shell

Windows (PowerShell)

Windows (cmd.exe)

REST

curl

PowerShell

Go

Java

Node.js

PHP

Python

Ruby

gcloud

gcloud

gcloud

Update CMEK configuration

gcloud

gcloud

gcloud

Linux, macOS, or Cloud Shell

Windows (PowerShell)

Windows (cmd.exe)

REST

curl

PowerShell

Go

Java

Node.js

PHP

Python

Ruby

gcloud

Linux, macOS, or Cloud Shell

Windows (PowerShell)

Windows (cmd.exe)

REST

curl

PowerShell

Go

Java

Node.js

PHP

Python

Ruby

View parameter version CMEK configuration

gcloud

API

Add a Cloud EKM key to a CMEK policy

Disable CMEK

gcloud

Linux, macOS, or Cloud Shell

Windows (PowerShell)

Windows (cmd.exe)

REST

curl

PowerShell

Go

Java

Node.js

PHP

Python

Enable customer-managed encryption keys for Parameter Manager