GCP KMS Key Ring

Creates an organizational container for cryptographic keys in Google Cloud KMS. A key ring groups CryptoKeys by project and location; IAM bindings granted on the key ring are inherited by every CryptoKey inside it, so it is the natural scope for granting encrypter/decrypter, signer, and MAC roles. Key rings are permanent resources — once created, they cannot be deleted from GCP.

What Gets Created

When you deploy a GcpKmsKeyRing resource, OpenMCF provisions:

  • KMS Key Ring — a google_kms_key_ring resource in the specified project and location, serving as the parent container for CryptoKeys

Prerequisites

  • GCP credentials configured via environment variables or OpenMCF provider config
  • An existing GCP project — referenced via projectId
  • Cloud KMS API enabled (cloudkms.googleapis.com) on the target project
  • IAM permissions — roles/cloudkms.admin on the target project, or any role that includes the cloudkms.keyRings.create permission

Quick Start

Create a file key-ring.yaml:

apiVersion: gcp.openmcf.org/v1
kind: GcpKmsKeyRing
metadata:
  name: prod-encryption
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: my-org
    pulumi.openmcf.org/project: my-project
    pulumi.openmcf.org/stack.name: prod.GcpKmsKeyRing.prod-encryption
spec:
  projectId:
    value: my-gcp-project-123
  keyRingName: prod-encryption
  location: us-central1

Deploy:

openmcf apply -f key-ring.yaml

This creates a KMS key ring named prod-encryption in the us-central1 region, ready to hold CryptoKeys for encryption, signing, or MAC operations.

Configuration Reference

Required Fields

projectId (StringValueOrRef, required)
  GCP project ID where the key ring is created. Can be a literal value or a valueFrom reference to a GcpProject resource.

keyRingName (string, required)
  Name of the key ring in GCP. Permanent: it cannot be changed after creation, and because key rings cannot be deleted the name can never be reused in the same project and location. Validation: 1-63 characters of letters, digits, hyphens, and underscores, matching ^[a-zA-Z0-9_-]{1,63}$.

location (string, required)
  GCP location where the key ring resides. Permanent: cannot be changed after creation. Use a region (us-central1), a multi-region (us, europe, asia), or global. Most CMEK integrations require the CryptoKey to be in the same location as the resource it protects, so choose the location of the data these keys will encrypt.

Optional Fields

This component has no optional fields. All three fields are required and immutable after creation. Changing any of them in the manifest makes the provisioner create a new key ring instead of modifying the existing one, and the original ring stays in the project because GCP does not allow key rings to be deleted.

Examples

Regional Key Ring

A key ring scoped to a single GCP region, suitable for most production workloads:

apiVersion: gcp.openmcf.org/v1
kind: GcpKmsKeyRing
metadata:
  name: prod-keys
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: my-org
    pulumi.openmcf.org/project: my-project
    pulumi.openmcf.org/stack.name: prod.GcpKmsKeyRing.prod-keys
spec:
  projectId:
    value: my-prod-project-123
  keyRingName: prod-encryption
  location: us-central1

Global Key Ring

A key ring available in all GCP regions, useful for cross-region encryption or when data residency is not a constraint:

apiVersion: gcp.openmcf.org/v1
kind: GcpKmsKeyRing
metadata:
  name: shared-keys
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: my-org
    pulumi.openmcf.org/project: my-project
    pulumi.openmcf.org/stack.name: prod.GcpKmsKeyRing.shared-keys
spec:
  projectId:
    value: my-security-project-456
  keyRingName: global-shared-keys
  location: global

Multi-Region Key Ring (EU Compliance)

A key ring scoped to the europe multi-region for data residency compliance:

apiVersion: gcp.openmcf.org/v1
kind: GcpKmsKeyRing
metadata:
  name: eu-compliance-keys
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: my-org
    pulumi.openmcf.org/project: my-project
    pulumi.openmcf.org/stack.name: prod.GcpKmsKeyRing.eu-compliance-keys
spec:
  projectId:
    value: my-eu-project-789
  keyRingName: eu-compliance-keys
  location: europe

Using Foreign Key References

Reference a project ID from a GcpProject resource instead of hardcoding:

apiVersion: gcp.openmcf.org/v1
kind: GcpKmsKeyRing
metadata:
  name: data-encryption
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: my-org
    pulumi.openmcf.org/project: my-project
    pulumi.openmcf.org/stack.name: prod.GcpKmsKeyRing.data-encryption
spec:
  projectId:
    valueFrom:
      kind: GcpProject
      name: data-project
      field: status.outputs.project_id
  keyRingName: data-encryption
  location: us-central1
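The following Python script is an added example, not OpenMCF or Google code. It applies the Configuration Reference rules to a manifest that has already been parsed into a dict, resolves projectId whether it is given as a literal value or as the valueFrom reference shown above, builds the key_ring_id path the deployment will report, and compares it with an existing ring's key_ring_id to catch edits to immutable fields before apply (which would otherwise leave an undeletable orphan ring behind). The sample manifest, the GcpProject outputs it references, and the short allowlist of locations are constructed here; in real use the allowlist should be filled from `gcloud kms locations list`.

```python
"""Pre-apply checks for a GcpKmsKeyRing manifest (added example, not OpenMCF code)."""
import re

# Validation pattern from the Configuration Reference.
KEY_RING_NAME_RE = re.compile(r"^[a-zA-Z0-9_-]{1,63}$")
# Shape of the key_ring_id stack output.
KEY_RING_ID_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)/keyRings/(?P<name>[^/]+)$"
)
# Constructed allowlist covering the three location kinds the page names
# (region, multi-region, global); extend it from `gcloud kms locations list`.
KNOWN_LOCATIONS = {"us-central1", "europe-west1", "us", "europe", "asia", "global"}


def resolve_project_id(spec, resources):
    """Return the project ID from spec.projectId, following valueFrom if present.

    `resources` maps (kind, name) to the referenced object so that the dotted
    `field` path (e.g. status.outputs.project_id) can be walked.
    """
    project = spec["projectId"]
    if ("value" in project) == ("valueFrom" in project):
        raise ValueError("projectId must set exactly one of value or valueFrom")
    if "value" in project:
        return project["value"]
    ref = project["valueFrom"]
    key = (ref["kind"], ref["name"])
    if key not in resources:
        raise LookupError(f"unresolved reference {ref['kind']}/{ref['name']}")
    obj = resources[key]
    for part in ref["field"].split("."):
        obj = obj[part]
    return obj


def validate_manifest(manifest, resources=None):
    """Validate kind and required fields; return the key_ring_id the deploy will produce."""
    if manifest.get("kind") != "GcpKmsKeyRing":
        raise ValueError("kind must be GcpKmsKeyRing")
    spec = manifest["spec"]
    for field in ("projectId", "keyRingName", "location"):
        if field not in spec:
            raise ValueError(f"missing required field spec.{field}")
    name = spec["keyRingName"]
    if not KEY_RING_NAME_RE.match(name):
        raise ValueError(f"keyRingName {name!r} violates ^[a-zA-Z0-9_-]{{1,63}}$")
    location = spec["location"]
    if location not in KNOWN_LOCATIONS:
        raise ValueError(f"location {location!r} is not a known Cloud KMS location")
    project = resolve_project_id(spec, resources or {})
    return f"projects/{project}/locations/{location}/keyRings/{name}"


def immutable_drift(desired_key_ring_id, existing_key_ring_id):
    """Return the immutable fields that differ between the desired and existing ring.

    A non-empty result means apply would create a second ring rather than update
    the first, and the first can never be deleted from GCP.
    """
    want = KEY_RING_ID_RE.match(desired_key_ring_id)
    have = KEY_RING_ID_RE.match(existing_key_ring_id)
    if not want or not have:
        raise ValueError("malformed key_ring_id")
    return sorted(k for k in ("project", "location", "name") if want[k] != have[k])


# Constructed inputs mirroring the "Using Foreign Key References" manifest above.
SAMPLE_RESOURCES = {
    ("GcpProject", "data-project"): {"status": {"outputs": {"project_id": "data-project-123"}}},
}
SAMPLE_MANIFEST = {
    "apiVersion": "gcp.openmcf.org/v1",
    "kind": "GcpKmsKeyRing",
    "metadata": {"name": "data-encryption"},
    "spec": {
        "projectId": {
            "valueFrom": {"kind": "GcpProject", "name": "data-project", "field": "status.outputs.project_id"}
        },
        "keyRingName": "data-encryption",
        "location": "us-central1",
    },
}

if __name__ == "__main__":
    key_ring_id = validate_manifest(SAMPLE_MANIFEST, SAMPLE_RESOURCES)
    print(key_ring_id)
    # A ring already deployed in the "us" multi-region: changing location is a replacement.
    print(immutable_drift(key_ring_id, "projects/data-project-123/locations/us/keyRings/data-encryption"))
```

Run the check against the key_ring_id recorded in status.outputs of the currently deployed resource; any field reported by immutable_drift should block the apply until the manifest is corrected or a new ring name is chosen deliberately.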

Stack Outputs

After deployment, the following outputs are available in status.outputs:

key_ring_id (string)
  Fully qualified resource path, e.g. projects/my-project/locations/us-central1/keyRings/prod-encryption. This is the primary reference used by GcpKmsKey and other downstream resources.

key_ring_name (string)
  Short name of the key ring as it exists in GCP.

Related Components

  • GcpKmsKey — creates encryption keys within this key ring for CMEK
  • GcpProject — provides the GCP project where the key ring is created
  • GcpBigQueryDataset — uses CryptoKeys from this key ring for customer-managed encryption
  • GcpCloudSql — uses CryptoKeys from this key ring for CMEK encryption
