This page shows you how to create a key ring in Cloud KMS. A key ring is the root resource for Cloud KMS keys and key versions. Each key ring exists within a given location. For more information about Cloud KMS resources, see Cloud KMS resources.
Before you begin
Before completing the tasks on this page, you need the following:
- A Google Cloud project resource to contain your Cloud KMS resources. This project is called your key project. We recommend that your key project does not contain any other Google Cloud resources. Enable the Cloud KMS API on your key project.
- The name of the location where you want to create your key ring. Choose a location that is near your other resources and that supports your chosen protection level. To view available locations and the protection levels they support, see Cloud KMS locations.
Required roles
To get the permissions that you need to create key rings, ask your administrator to grant you the Cloud KMS Admin (roles/cloudkms.admin) IAM role on the project or a parent resource.
For more information about granting roles, see Manage access to projects, folders, and organizations.
This predefined role contains the permissions required to create key rings. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to create key rings:
- cloudkms.keyRings.create
- cloudkms.keyRings.get
- cloudkms.keyRings.list
- cloudkms.locations.get
- cloudkms.locations.list
- resourcemanager.projects.get
You might also be able to get these permissions with custom roles or other predefined roles.
Create a key ring
Follow these steps to create a key ring for your new key. If you want to use an existing key ring instead, you can create a key.
Console
- Go to the Key Management page in the Google Cloud console.
- Click Create key ring.
- For Key ring name, enter a name for your key ring.
- For Key ring location, select a location like "us-east1".
- Click Create.
gcloud
- In the Google Cloud console, activate Cloud Shell.
- In your environment, run the gcloud kms keyrings create command:

gcloud kms keyrings create KEY_RING \
    --location LOCATION

Replace the following:
- KEY_RING: the name of the key ring you are creating.
- LOCATION: the Cloud KMS location of the key ring.

For information on all flags and possible values, run the command with the --help flag.
C#
To run this code, first set up a C# development environment and install the Cloud KMS C# SDK.
Go
To run this code, first set up a Go development environment and install the Cloud KMS Go SDK.
Java
To run this code, first set up a Java development environment and install the Cloud KMS Java SDK.
Node.js
To run this code, first set up a Node.js development environment and install the Cloud KMS Node.js SDK.
PHP
To run this code, first learn about using PHP on Google Cloud and install the Cloud KMS PHP SDK.
Python
To run this code, first set up a Python development environment and install the Cloud KMS Python SDK.
Ruby
To run this code, first set up a Ruby development environment and install the Cloud KMS Ruby SDK.
API
These examples use curl as an HTTP client to demonstrate using the API. For more information about access control, see Accessing the Cloud KMS API.
curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/keyRings?key_ring_id=KEY_RING" \
    --request "POST" \
    --header "authorization: Bearer TOKEN"

Replace the following:
- PROJECT_ID: the ID of the project that contains the key ring.
- KEY_RING: the name of the key ring you are creating.
- LOCATION: the Cloud KMS location of the key ring.

See the KeyRing.create API documentation for more information.
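The same REST call as an added Python example (not code from the Cloud KMS documentation): it validates the location and key ring ID against the character set Cloud KMS accepts for resource IDs, builds the POST request shown above with only the standard library, and treats a 409 Conflict as "already exists" so a repeated run can tell creating from reusing a key ring. The bearer token is assumed to come from gcloud auth print-access-token; the opener parameter is an injection point for testing.

```python
import json
import re
import urllib.error
import urllib.request

KMS_ENDPOINT = "https://cloudkms.googleapis.com/v1"
# Cloud KMS resource IDs are 1-63 characters of letters, digits, '_' or '-'.
RESOURCE_ID_RE = re.compile(r"^[a-zA-Z0-9_-]{1,63}$")


def key_ring_name(project_id, location, key_ring_id):
    """Return the key ring's full resource name after validating its segments."""
    if not project_id:
        raise ValueError("project_id is required")
    for label, value in (("location", location), ("key_ring_id", key_ring_id)):
        if not RESOURCE_ID_RE.match(value):
            raise ValueError(f"invalid {label}: {value!r}")
    return f"projects/{project_id}/locations/{location}/keyRings/{key_ring_id}"


def build_create_request(project_id, location, key_ring_id, token):
    """Build the POST the page shows under 'API'; performs no network I/O."""
    name = key_ring_name(project_id, location, key_ring_id)
    parent = name.rsplit("/keyRings/", 1)[0]
    url = f"{KMS_ENDPOINT}/{parent}/keyRings?key_ring_id={key_ring_id}"
    return urllib.request.Request(
        url, data=b"", method="POST",
        headers={"Authorization": f"Bearer {token}"})


def create_key_ring(project_id, location, key_ring_id, token,
                    opener=urllib.request.urlopen):
    """Create the key ring and return (created, resource_name).

    409 Conflict means the key ring already exists (key rings cannot be
    deleted, so a rerun lands here); any other HTTP error is re-raised.
    """
    req = build_create_request(project_id, location, key_ring_id, token)
    try:
        with opener(req) as resp:
            body = json.load(resp)
        return True, body["name"]
    except urllib.error.HTTPError as err:
        if err.code == 409:
            return False, key_ring_name(project_id, location, key_ring_id)
        raise
```

A caller with only cloudkms.keyRings.create (and not get or list) still gets a usable answer from this function, because the existence check rides on the create response rather than on a separate lookup.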
What's next
- Learn how to create a key.
- Learn how to import keys.
- Learn how to create external keys.