Some jobs require using sensitive data. Encrypt the data using Key Management Service (KMS) and store it in Google Cloud Storage (GCS). This document shows the commands necessary to create a service account and store its encrypted key in a GCS bucket.
NOTE: This document assumes that you are logged in to the Google Cloud project with administrative rights.
- gcloud to communicate with Google Cloud Platform (GCP)
- Basic knowledge of GCP key rings and keys
Use the export {VARIABLE}={value}
command to set up these variables, where:
- PROJECT is a Google Cloud project.
- BUCKET_NAME is a GCS bucket in the Google Cloud project that stores Prow Secrets
- KEYRING_NAME is the KMS key ring.
- ENCRYPTION_KEY_NAME is the key name in the key ring that is used for data encryption.
- LOCATION is the geographical location of the data center that handles requests for Cloud KMS regarding a given resource and stores the corresponding cryptographic keys. When set to
global
, your Cloud KMS resources are available from multiple data centres.
NOTE: Before you follow this guide, check Prow Secrets setup for the Google Cloud project.
When you communicate for the first time with Google Cloud, set the context to your Google Cloud project. Run this command:
gcloud config set project $PROJECT
The purpose of the bucket is to store encrypted credentials necessary for Prow jobs like provisioning clusters or virtual machines. Run this command to create a bucket:
gsutil mb -p $PROJECT gs://$BUCKET_NAME/
Use this command to create a key ring for the private keys:
gcloud kms keyrings create $KEYRING_NAME --location $LOCATION
Create a key to encrypt your private key.
gcloud kms keys create $ENCRYPTION_KEY_NAME --location $LOCATION \
--keyring $KEYRING_NAME --purpose encryption
Use this command to create a new version of a key:
gcloud kms keys versions create --key=$ENCRYPTION_KEY_NAME --location $LOCATION \
--keyring $KEYRING_NAME --primary
Use this command to disable an old version of a key:
gcloud kms keys versions disable $VERSION --key=$ENCRYPTION_KEY_NAME --location $LOCATION \
--keyring $KEYRING_NAME --primary
Follow these steps:
-
Export the variables, where:
- SA_NAME is the name of the service account.
- SA_DISPLAY_NAME is the display name of the service account.
- SECRET_FILE is the path to the private key.
- ROLE is the role bound to the service account.
See an example of variables you must export for such an account:
export SA_NAME=sa-gcs-plank export SA_DISPLAY_NAME=sa-gcs-plank export SECRET_FILE=sa-gcs-plank export ROLE=roles/storage.objectAdmin
-
Create a service account:
gcloud iam service-accounts create $SA_NAME --display-name $SA_DISPLAY_NAME
-
Create a private key for the service account:
gcloud iam service-accounts keys create $SECRET_FILE --iam-account=$SA_NAME@$PROJECT.iam.gserviceaccount.com
-
Add a policy binding to the service account:
gcloud projects add-iam-policy-binding $PROJECT --member=serviceAccount:$SA_NAME@$PROJECT.iam.gserviceaccount.com --role=$ROLE
Follow these steps:
- Create a new key for a service account:
gcloud iam service-accounts keys create $SECRET_FILE --iam-account=$SA_NAME@$PROJECT.iam.gserviceaccount.com
- List all keys:
gcloud iam service-accounts keys list --iam-account=$SA_NAME@$PROJECT.iam.gserviceaccount.com --managed-by=user
- Delete an old key:
gcloud iam service-accounts keys delete $KEY_ID --iam-account=$SA_NAME@$PROJECT.iam.gserviceaccount.com
-
Export the SECRET_FILE variable which is the path to the file which contains the Secret.
-
Encrypt the Secret:
gcloud kms encrypt --location global --keyring $KEYRING_NAME --key $ENCRYPTION_KEY_NAME --plaintext-file $SECRET_FILE --ciphertext-file $SECRET_FILE.encrypted
Upload the encrypted Secret to GCP:
gsutil cp $SECRET_FILE.encrypted gs://$BUCKET_NAME/
Delete the private key files:
rm {file-name}
rm {file-name}.encrypted