google-cloud-kms

GCP kms encrypt env var and passing encrypted key through cloudbuild.yaml to google app engine

我们两清 submitted on 2021-02-11 14:46:23
Question: I'm trying to encrypt env vars for database in Cloud SQL in my RoR app deploying to Google App Engine. Following this doc: https://cloud.google.com/cloud-build/docs/securing-builds/use-encrypted-secrets-credentials However, I have an error when running both gcloud builds submit and gcloud app deploy. Both error out with: Failure status: UNKNOWN: Error Response: [4] DEADLINE_EXCEEDED / build step 0 "gcr.io/cloud-builders/gcloud" failed: exit status 1. I then check the gcloud builds

Can we save wrapped keys generated with cloud KMS keys in DLP deidentification templates(using Python Api)?

空扰寡人 submitted on 2021-01-23 06:54:22
Question: I am working on a PII de-identification project and using Google Cloud's Data Loss Prevention API. Use case: To encrypt a field with cloud KMS key. Created a dlp-deidentification template, here is the snippet: { "deidentify_template":{ "display_name":"deidentification_encryption", "description":"deidentification_encryption", "deidentify_config":{ "record_transformations":{ "field_transformations":[ { "fields":[ { "name":"password" } ], "primitive_transformation":{ "crypto_hash_config": {

Can we save wrapped keys generated with cloud KMS keys in DLP deidentification templates(using Python Api)?

不问归期 submitted on 2021-01-23 06:54:07
Question: I am working on a PII de-identification project and using Google Cloud's Data Loss Prevention API. Use case: To encrypt a field with cloud KMS key. Created a dlp-deidentification template, here is the snippet: { "deidentify_template":{ "display_name":"deidentification_encryption", "description":"deidentification_encryption", "deidentify_config":{ "record_transformations":{ "field_transformations":[ { "fields":[ { "name":"password" } ], "primitive_transformation":{ "crypto_hash_config": {

Can we save wrapped keys generated with cloud KMS keys in DLP deidentification templates(using Python Api)?

坚强是说给别人听的谎言 submitted on 2021-01-23 06:53:23
Question: I am working on a PII de-identification project and using Google Cloud's Data Loss Prevention API. Use case: To encrypt a field with cloud KMS key. Created a dlp-deidentification template, here is the snippet: { "deidentify_template":{ "display_name":"deidentification_encryption", "description":"deidentification_encryption", "deidentify_config":{ "record_transformations":{ "field_transformations":[ { "fields":[ { "name":"password" } ], "primitive_transformation":{ "crypto_hash_config": {

Access environment variables stored in Google Secret Manager from Google Cloud Build

我的未来我决定 submitted on 2021-01-04 05:40:12
Question: How can I access the variables I define in Google Secret Manager from my Google Cloud Build Pipeline?
Answer 1: You can access the secret from Cloud Build by using the standard Cloud Builder gcloud. But there are 2 issues: If you want to use the secret value in another Cloud Build step, you have to store your secret in a file, the only way to reuse a previous value from one step to another one. The current Cloud Builder gcloud isn't up to date (today, 03 Feb 2020). You have to add a gcloud component

How should I store secrets for use in Google Cloud Platform?

柔情痞子 submitted on 2020-07-21 07:07:54
Question: If I had credentials I need to store in Google Compute Engine or Google App Engine for use at build time, how should I store them? Is there something better than storing them in code, or in a bucket?
Answer 1: One option is to encrypt the secrets with a key from Cloud KMS, and store them either in a storage bucket or keep them in the binary. This lets you manage permissions and logging on the key, to indirectly manage who accesses the secret.
Answer 2: As of December 2019, you should store secrets with

How should I store secrets for use in Google Cloud Platform?

孤街浪徒 submitted on 2020-07-21 07:05:28
Question: If I had credentials I need to store in Google Compute Engine or Google App Engine for use at build time, how should I store them? Is there something better than storing them in code, or in a bucket?
Answer 1: One option is to encrypt the secrets with a key from Cloud KMS, and store them either in a storage bucket or keep them in the binary. This lets you manage permissions and logging on the key, to indirectly manage who accesses the secret.
Answer 2: As of December 2019, you should store secrets with

How should I store secrets for use in Google Cloud Platform?

本秂侑毒 submitted on 2020-07-21 07:05:08
Question: If I had credentials I need to store in Google Compute Engine or Google App Engine for use at build time, how should I store them? Is there something better than storing them in code, or in a bucket?
Answer 1: One option is to encrypt the secrets with a key from Cloud KMS, and store them either in a storage bucket or keep them in the binary. This lets you manage permissions and logging on the key, to indirectly manage who accesses the secret.
Answer 2: As of December 2019, you should store secrets with