
I'm exploring Customer Managed Encryption Keys and my use case is:

  1. Create a signed URL for uploading to storage, along with a KMS key name query parameter
  2. Pass it to a client of my service
  3. The client uses the signed URL to upload the data directly to Cloud Storage

But the key name format includes the GCloud project ID in the URI:

projects/PROJECT_ID/locations/LOCATION/keyRings/KEYRING/cryptoKeys/KEYNAME

I believe the project ID is sensitive enough that it should not be leaked to clients. Is there any way to still upload data directly to storage via my client without leaking the project ID, while still using the KMS key name that is meant for this particular client?

(Assuming a default key for the buckets is not an option.)

pinkpanther
  • Why do you need to give the requester access to the KMS key? That’s not how CMEK works: https://stackoverflow.com/a/60780988/365738 – sethvargo Aug 15 '20 at 17:28
  • @sethvargo I'm not giving the requester access to the KMS key. The signed URL that I give to my client for uploading the object would just have the KMS key name that tells Cloud Storage which key to use. The client is not the Google SDK; it just makes an HTTP request. – pinkpanther Aug 15 '20 at 17:33
  • Why do you need to tell Cloud Storage which key to use at request time? CMEK is configured at object creation time (or bucket creation time), and then the Cloud Storage service account does the encryption/decryption automatically. Only the GCS SA needs permission to use the key. – sethvargo Aug 16 '20 at 14:10
  • But my client of a service of mine is what uploads the data directly to storage, so it needs to specify the key name, as the actual key name depends on some business logic on the server side. It passes this key name to the client. > CMEK is configured at object creation time (or bucket creation time) I know a bucket can be given a default key name, but can objects have a key name set without creation? Are you differentiating object creation vs. object upload? If so, can you elaborate, as that would enable my service itself to create an object and my client to then just upload the data without a key name. – pinkpanther Aug 16 '20 at 16:59
  • Are you using different CMEK keys per object in the same bucket? In that case, your caller would need to specify the key as part of the request. However, if you used bucket-level, they would not. – sethvargo Aug 17 '20 at 14:39
  • As with most GCP APIs, you can sub project ID for project _number_ and it'll also "just work" – sethvargo Aug 17 '20 at 14:40
  • `Are you using different CMEK keys per object in the same bucket? In that case, your caller would need to specify the key as part of the request` Yes, that's exactly what I want to do. I'm aware my client needs to specify the key (which I will pass to my client). However, my question was about how to avoid leaking the project ID. `As with most GCP APIs, you can sub project ID for project number and it'll also "just work"` This is interesting. Could you elaborate or give a link to what you are talking about? Thanks. – pinkpanther Aug 18 '20 at 14:14
  • I understand now. I will check if for our purposes both would mean sensitive. – pinkpanther Aug 18 '20 at 14:16
  • You can use the project ID or project number. As far as I know, there's no other option besides bucket-level CMEK. – sethvargo Aug 18 '20 at 14:59

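The thread settles on two points: the key name can carry the numeric project number instead of the project ID, and when keys differ per object the caller has to name the key in the upload request. The example below, added here and not taken from the question or from Google's libraries, shows the server-side part of that: it refuses a key name whose project segment is a human-readable ID, and it builds a V4-style signed PUT URL that binds the `x-goog-encryption-kms-key` request header into the signature (in the XML API that signed URLs target, the CMEK key is named by that header rather than a query parameter), so the client must send exactly the key name the server chose and cannot substitute another. The canonical-request and string-to-sign layout follows the V4 signing scheme, but the RSA-SHA256 step is replaced by a constructed HMAC stand-in so the code runs offline; a URL produced this way will not be accepted by Cloud Storage. All identifiers, the bucket, the service-account e-mail and the key name are constructed sample values.

```python
"""Bind a CMEK key name (using the project number) into a V4-style signed PUT URL.
Added example: the RSA signing step is a constructed HMAC stand-in, not real GCS signing."""
import hashlib
import hmac
import re
from datetime import datetime, timezone
from urllib.parse import quote

# Constructed sample values; none of these are real GCP identifiers.
PROJECT_NUMBER = "123456789012"
SA_EMAIL = "uploader@example-project.iam.gserviceaccount.com"
KMS_KEY = (f"projects/{PROJECT_NUMBER}/locations/us/keyRings/client-ring"
           "/cryptoKeys/client-a")
FAKE_SIGNING_SECRET = b"constructed stand-in for the service-account private key"

KEY_NAME_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$"
)


def uses_project_number(kms_key_name: str) -> bool:
    """True when the key name is well formed and its project segment is the
    numeric project number rather than the human-readable project ID."""
    m = KEY_NAME_RE.match(kms_key_name)
    return bool(m) and m.group("project").isdigit()


def fake_rsa_sign(data: bytes) -> bytes:
    """Stand-in signer so the example runs offline. Real V4 signing is
    RSA-SHA256 with the service account's private key."""
    return hmac.new(FAKE_SIGNING_SECRET, data, hashlib.sha256).digest()


def build_signed_put_url(bucket, object_name, kms_key_name, sa_email, now,
                         expires_seconds, signer=fake_rsa_sign):
    """Return (url, required_headers). The KMS key travels in a signed header,
    so it is bound by the signature but never appears in the URL itself."""
    if not uses_project_number(kms_key_name):
        raise ValueError("KMS key name must use the numeric project number")
    host = "storage.googleapis.com"
    path = "/" + quote(bucket, safe="") + "/" + quote(object_name, safe="/")
    date_stamp = now.strftime("%Y%m%d")
    timestamp = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{date_stamp}/auto/storage/goog4_request"

    # Headers the client must send verbatim; both are covered by the signature.
    headers = {"host": host, "x-goog-encryption-kms-key": kms_key_name}
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))

    params = {
        "X-Goog-Algorithm": "GOOG4-RSA-SHA256",
        "X-Goog-Credential": f"{sa_email}/{scope}",
        "X-Goog-Date": timestamp,
        "X-Goog-Expires": str(expires_seconds),
        "X-Goog-SignedHeaders": signed_headers,
    }
    canonical_query = "&".join(
        f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items())
    )
    canonical_request = "\n".join([
        "PUT", path, canonical_query, canonical_headers, signed_headers,
        "UNSIGNED-PAYLOAD",
    ])
    string_to_sign = "\n".join([
        "GOOG4-RSA-SHA256", timestamp, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    signature = signer(string_to_sign.encode()).hex()
    url = f"https://{host}{path}?{canonical_query}&X-Goog-Signature={signature}"
    return url, headers


if __name__ == "__main__":
    issued = datetime(2020, 8, 15, 17, 0, 0, tzinfo=timezone.utc)
    url, hdrs = build_signed_put_url("client-bucket", "uploads/a.bin", KMS_KEY,
                                     SA_EMAIL, issued, 900)
    print(url)
    print("send with headers:", hdrs)
```

The property worth checking on the server side is that the URL never contains the key name (it is in `X-Goog-SignedHeaders`, not in the path or query), that changing the key name changes the signature, and that a key name written with a project ID is rejected before a URL is ever issued. With the real library the equivalent call is the `headers=` argument of `Blob.generate_signed_url(version="v4", method="PUT", ...)`, which signs the same header.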
0 Answers