Encrypt Cloud Speech-to-Text resources

This page describes how to configure an encryption key in Cloud Speech-to-Text so that Speech-to-Text resources are encrypted with it.

Speech-to-Text lets you supply a Cloud Key Management Service encryption key and encrypts your data with the key you provide. For more about encryption, see the encryption overview.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

  3. Verify that billing is enabled for your Google Cloud project.

  4. Enable the Speech-to-Text APIs.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

  5. Make sure that you have the following role or roles on the project: Cloud Speech Administrator

    Check for the roles

    1. In the Google Cloud console, go to the IAM page.
    2. Select the project.
    3. In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.

    4. For all rows that specify or include you, check the Role column to see whether the list of roles includes the required roles.

    Grant the roles

    1. In the Google Cloud console, go to the IAM page.
    2. Select the project.
    3. Click Grant access.
    4. In the New principals field, enter your user identifier. This is typically the email address for a Google Account.

    5. Click Select a role, then search for the role.
    6. To grant additional roles, click Add another role and add each additional role.
    7. Click Save.
  6. Install the Google Cloud CLI.

  7. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  8. To initialize the gcloud CLI, run the following command:

    gcloud init
  9. Client libraries can use Application Default Credentials to easily authenticate with Google APIs and send requests to those APIs. With Application Default Credentials, you can test your application locally and deploy it without changing the underlying code. For more information, see Authenticate for using client libraries.

  10. If you're using a local shell, then create local authentication credentials for your user account:

    gcloud auth application-default login

    You don't need to do this if you're using Cloud Shell.

    If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.

Also make sure that you have installed the client library.

Enable access to the Cloud Key Management Service key

Cloud Speech-to-Text uses a service account to access your Cloud KMS key. By default, that service account has no access to Cloud KMS keys.

The service account email address is:

service-PROJECT_NUMBER@gcp-sa-speech.iam.gserviceaccount.com

To encrypt Speech-to-Text resources with a Cloud KMS key, grant the roles/cloudkms.cryptoKeyEncrypterDecrypter role to this service account:

gcloud projects add-iam-policy-binding PROJECT_NUMBER \
    --member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-speech.iam.gserviceaccount.com \
    --role=roles/cloudkms.cryptoKeyEncrypterDecrypter

For more about project Identity and Access Management (IAM) policies, see Manage access to projects, folders, and organizations.

For more about managing Cloud Storage access, see Create and manage access control lists in the Cloud Storage documentation.

Specify the encryption key

The following example shows how to provide an encryption key to Cloud Speech-to-Text using the Config resource:
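Before relying on the binding above, it is worth confirming it from an exported policy. The following is an added example, not code from the page or from Google, that builds the service agent's member string from a project number, validates a KMS key resource name against the format used in the Python sample below, and checks a policy exported with gcloud projects get-iam-policy --format=json for an unconditional grant of the role. The sample policy is constructed and the project number is a placeholder.

```python
import json
import re

# Service agent Speech-to-Text uses to reach Cloud KMS (format from the page).
SPEECH_AGENT_FMT = "service-{project_number}@gcp-sa-speech.iam.gserviceaccount.com"
KMS_ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter"

# Resource-name pattern of a Cloud KMS key, as shown in the sample's docstring.
KMS_KEY_RE = re.compile(
    r"^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$"
)


def speech_service_agent(project_number: str) -> str:
    """Return the IAM member string the binding must grant the role to."""
    return "serviceAccount:" + SPEECH_AGENT_FMT.format(project_number=project_number)


def is_valid_kms_key_name(name: str) -> bool:
    """True if name matches projects/../locations/../keyRings/../cryptoKeys/.."""
    return bool(KMS_KEY_RE.match(name))


def agent_has_kms_role(policy_json: str, project_number: str) -> bool:
    """Check an exported IAM policy for an unconditional binding of the
    encrypter/decrypter role to the Speech-to-Text service agent.
    Conditional bindings are skipped: they may not apply at request time."""
    policy = json.loads(policy_json)
    member = speech_service_agent(project_number)
    for binding in policy.get("bindings", []):
        if binding.get("role") != KMS_ROLE or "condition" in binding:
            continue
        if member in binding.get("members", []):
            return True
    return False


# Constructed sample policy (not real gcloud output): the agent holds Editor,
# but the KMS role is granted only to a user, so the check must fail.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:service-123456@gcp-sa-speech.iam.gserviceaccount.com"]},
        {"role": KMS_ROLE, "members": ["user:alice@example.com"]},
    ],
    "etag": "BwXConstructed=", "version": 1,
})

if __name__ == "__main__":
    print(speech_service_agent("123456"))
    print(agent_has_kms_role(SAMPLE_POLICY, "123456"))  # False: binding missing
```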

Python

import os

from google.cloud.speech_v2 import SpeechClient
from google.cloud.speech_v2.types import cloud_speech

PROJECT_ID = os.getenv("GOOGLE_CLOUD_PROJECT")


def enable_cmek(
    kms_key_name: str,
) -> cloud_speech.Config:
    """Enable Customer-Managed Encryption Keys (CMEK) in a project and region.
    Args:
        kms_key_name (str): The full resource name of the KMS key to be used for encryption.
            e.g. projects/{PROJECT_ID}/locations/{LOCATION}/keyRings/{KEY_RING}/cryptoKeys/{KEY_NAME}
    Returns:
        cloud_speech.Config: The response from the update configuration request,
        containing the updated configuration details.
    """
    # Instantiates a client
    client = SpeechClient()

    request = cloud_speech.UpdateConfigRequest(
        config=cloud_speech.Config(
            name=f"projects/{PROJECT_ID}/locations/global/config",
            kms_key_name=kms_key_name,
        ),
        update_mask={"paths": ["kms_key_name"]},
    )

    # Updates the KMS key for the project and region.
    response = client.update_config(request=request)

    print(f"Updated KMS key: {response.kms_key_name}")
    return response

After you specify an encryption key in the project's Config resource, all new resources created in the corresponding location are encrypted with that key. For more about what is encrypted and when, see the encryption overview page.

Encrypted resources have their kms_key_name and kms_key_version_name fields populated in Speech-to-Text API responses.

Remove encryption

To stop future resources from being encrypted with the encryption key, use the code above and pass an empty string ("") as the key in the request. This ensures that new resources are not encrypted. It does not decrypt existing resources.

Key rotation and deletion

After a key rotation, resources encrypted with an older Cloud KMS key version remain encrypted with that version. Any resource created after the rotation is encrypted with the new primary key version. Any resource updated after the rotation (using an Update* method) is re-encrypted with the new primary key version.

After a key is deleted, Speech-to-Text can no longer decrypt your data, and can neither create nor access resources encrypted with the deleted key. Likewise, if you revoke Speech-to-Text's permission on the key, Speech-to-Text can no longer decrypt your data, and can neither create resources nor access resources encrypted with the key whose permission was revoked.

Re-encrypt your data

To re-encrypt resources, update the key specification in the Config resource, then call the corresponding Update* method on each resource.
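Because older resources keep the key version they were encrypted with until they are updated, an inventory check tells you which resources still need an Update* call after a rotation or a change of key. The following is an added example, not code from the page or from Google, that applies that rule to the kms_key_name and kms_key_version_name fields returned in API responses; the resource names, resource type and key values are constructed placeholders.

```python
# Constructed sample of per-resource fields from Speech-to-Text API responses after
# a key rotation (field names from the page; resource type, names and key values are
# made up). RESOURCE stands in for whatever resource type you are inventorying.
KEY = "projects/p/locations/global/keyRings/kr/cryptoKeys/k"
OLD_KEY = "projects/p/locations/global/keyRings/kr/cryptoKeys/old"
SAMPLE_RESOURCES = [
    {"name": "projects/p/locations/global/RESOURCE/r1",
     "kms_key_name": KEY, "kms_key_version_name": KEY + "/cryptoKeyVersions/1"},
    {"name": "projects/p/locations/global/RESOURCE/r2",
     "kms_key_name": KEY, "kms_key_version_name": KEY + "/cryptoKeyVersions/2"},
    {"name": "projects/p/locations/global/RESOURCE/r3",      # created while key was ""
     "kms_key_name": "", "kms_key_version_name": ""},
    {"name": "projects/p/locations/global/RESOURCE/r4",      # predates the key change
     "kms_key_name": OLD_KEY, "kms_key_version_name": OLD_KEY + "/cryptoKeyVersions/3"},
]


def needs_reencryption(resources, current_key_name, current_version_name):
    """Return [(resource_name, reason)] for resources whose reported encryption does
    not match the key version now configured. reason is one of 'unencrypted',
    'other_key' or 'stale_version'. Each listed resource needs an Update* call,
    with the Config resource already pointing at current_key_name."""
    findings = []
    for res in resources:
        key = res.get("kms_key_name", "")
        version = res.get("kms_key_version_name", "")
        if not key:
            findings.append((res["name"], "unencrypted"))
        elif key != current_key_name:
            findings.append((res["name"], "other_key"))
        elif version != current_version_name:
            findings.append((res["name"], "stale_version"))
    return findings


if __name__ == "__main__":
    # Primary version is now 2: r1 is stale, r3 unencrypted, r4 on another key.
    for name, reason in needs_reencryption(SAMPLE_RESOURCES, KEY, KEY + "/cryptoKeyVersions/2"):
        print(f"{name}: {reason}")
```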

Clean up

To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.

  1. Optional: Revoke the authentication credentials that you created, and delete the local credential file.

    gcloud auth application-default revoke
  2. Optional: Revoke credentials from the gcloud CLI.

    gcloud auth revoke

Console

  • In the Google Cloud console, go to the Manage resources page.

  • In the project list, select the project that you want to delete, and then click Delete.
  • In the dialog, type the project ID, and then click Shut down to delete the project.

gcloud

  Delete the Google Cloud project:

    gcloud projects delete PROJECT_ID

What's next