Google Cloud Platform (GCP) Customer-Managed Keys Setup Guide
Follow our setup guide to configure Google Cloud Platform (GCP) customer-managed keys.
You can either use a Fivetran service account or your own GCP service account.
NOTE: In this guide, we describe creating a new key ring and a key. You may still want to create a new key for your existing key ring. In this case, the steps you need to take may differ slightly from those described in this guide.
Prerequisites
To set up GCP customer-managed keys for your Fivetran account, you need:
- A Business Critical Fivetran account
- A GCP account
Setup instructions
(Optional) Create key ring
This step is relevant if you want to create a new key ring for your GCP customer-managed key.
NOTE: If you have concerns about latency, we recommend that you create the key ring in the same region where your data is processed.
Log in to your Google Cloud Console.
Go to Security > Key management > Create key ring.
Enter the Key ring name.
Choose the Location type.
Click Create.
You are redirected to the Create Key page of the Google Console.
Create customer-managed key
In Google Cloud Console, go to Security > Key management > Key rings.
Click the key ring you created in the Create key ring step or the existing key ring in which you want to create the key.
Click Create key.
Click Name and protection level.
Enter the Key name.
Select your Protection level.
(Optional) Edit the other settings as needed. Otherwise, leave them as they are.
Click Create.
You are redirected to the Key ring details page of the Google Console.
Find resource name
In Google Cloud Console, go to Security > Key management > Key rings.
Click the key ring you created in the Create key ring step or the existing key ring that contains the key you created in the Create customer-managed key step.
Click the key.
Click Keys.
Beside the customer-managed key, click the three dots in the Actions column.
Select Copy resource name from the drop-down menu.
Make a note of the resource name. You will need it to configure Fivetran.
Depending on the account service type you want to use:
- If you want to use a Fivetran service account, proceed to the Find Fivetran service account ID step.
- If you want to create a new Google Cloud service account, proceed to the Create service account step.
- If you want to use an existing Google Cloud service account, proceed to the Find ID of existing GCP service account step.
(Optional) Find Fivetran service account ID
If you want to use a Fivetran service account, do the following:
In Fivetran, go to Account settings > General > Account settings > Customer-Managed Keys Configuration > Add Key.
NOTE: If you already have a key, the button will be Revert instead of Add Key.
Select Fivetran service account under Service account type.
Copy the service account ID under Grant service account access to key. You will need to grant it access to the customer-managed key you created in the Create customer-managed key step.
Proceed to the Grant service account access to key and assign role step.
(Optional) Create service account
If you want to create and use a new Google Cloud service account, do the following:
In Google Cloud Console, go to IAM & Admin > Service Accounts > Create service account.
Enter the Service account name.
Copy the service account ID under Email address. You will need to grant it access to the customer-managed key you created in the Create customer-managed key step.
Enter the Service account description.
Click CREATE AND CONTINUE.
Leave the other options as they are.
Click DONE. You are redirected to the service account list page.
Proceed to the Create service account private key step.
(Optional) Find ID of existing GCP service account
If you want to use an existing Google Cloud service account, do the following:
In Google Cloud Console, go to Service Accounts.
Find the service account in the service account list using the filter.
Click the service account.
Go to Details > Service account details.
Copy the service account ID under Email. You will need to grant it access to the customer-managed key you created in the Create customer-managed key step.
(Optional) Create service account private key
If you want to use a new or existing Google Cloud service account, do the following:
In Google Cloud Console, go to Service Accounts.
Find the service account in the service account list using the filter.
Click the service account.
Go to Keys > ADD KEY > Create new key.
Select JSON as the key type.
Click Create.
Check your default download folder. The service account private key JSON file has the following name format:
<project_name>-<12-character hash>.json
You will need it to configure Fivetran.
(Optional) Grant service account access to key and assign role
Do the following for the service account you chose to use, whether the Fivetran service account or your own new or existing Google Cloud service account:
In Google Cloud Console, go to Key Management > Key ring details > Keys.
Select the checkbox next to the customer-managed key you created in the Create customer-managed key step.
Go to the Permissions tab.
Click +Grant access.
In the New principals field under Add principals, paste the service account ID you noted in one of these steps:
- Find Fivetran service account ID - if you chose to use a Fivetran service account
- Create service account or Find ID of existing GCP service account - if you chose to use your own Google Cloud service account
In the Select a role menu under Assign roles, select Cloud KMS > Cloud KMS CryptoKey Encrypter/Decrypter.
Click Save.
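As an added check that is not part of the Fivetran guide or of Google's tooling, the following Python script validates the resource name copied in the Find resource name step (it must name a CryptoKey, not a CryptoKeyVersion) and inspects a key-level IAM policy, in the JSON shape returned by gcloud kms keys get-iam-policy, to confirm the service account holds exactly the Cloud KMS CryptoKey Encrypter/Decrypter role and nothing broader. The project, key ring, key, service account email and policy below are constructed sample values.

```python
import json
import re

# Shape of the resource name copied in the "Find resource name" step.
KEY_RE = re.compile(
    r"^projects/(?P<project>[a-z][a-z0-9-]{4,28}[a-z0-9])"
    r"/locations/(?P<location>[a-z0-9-]+)"
    r"/keyRings/(?P<ring>[A-Za-z0-9_-]{1,63})"
    r"/cryptoKeys/(?P<key>[A-Za-z0-9_-]{1,63})$"
)
# The only role the guide grants on the key.
REQUIRED_ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample: what `gcloud kms keys get-iam-policy KEY --keyring RING
# --location LOC --format=json` would return after the Grant access step.
SAMPLE_SA = "fivetran-cmk@my-proj.iam.gserviceaccount.com"   # constructed
SAMPLE_POLICY = json.loads("""{
  "bindings": [{"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
                "members": ["serviceAccount:%s"]}],
  "etag": "constructed-etag", "version": 1}""" % SAMPLE_SA)


def parse_key_resource_name(name):
    """Return the parts of a CryptoKey resource name, or None if the string
    is not one (e.g. a version name ending in /cryptoKeyVersions/N)."""
    m = KEY_RE.match(name.strip())
    return m.groupdict() if m else None


def check_key_policy(policy, service_account_email):
    """Return (ok, findings): ok is True only when the account holds the
    required role and nothing else, and no public principal is granted."""
    member = f"serviceAccount:{service_account_email}"
    findings, has_required = [], False
    for binding in policy.get("bindings", []):
        role, members = binding.get("role", ""), binding.get("members", [])
        if member in members:
            if role == REQUIRED_ROLE:
                has_required = True
            else:
                findings.append(f"{member} also holds {role}; only {REQUIRED_ROLE} is needed")
        findings += [f"{role} is granted to {m}; key is publicly usable"
                     for m in members if m in PUBLIC_MEMBERS]
    if not has_required:
        findings.append(f"{member} lacks {REQUIRED_ROLE}")
    return not findings, findings


if __name__ == "__main__":
    print(parse_key_resource_name("projects/my-proj/locations/us-east1/keyRings/ring/cryptoKeys/key"))
    print(check_key_policy(SAMPLE_POLICY, SAMPLE_SA))
```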
Finish Fivetran configuration
In the Fivetran dashboard, go to Account Settings > General > Customer-Managed Keys Configuration.
Click Add Key. If you already have a Fivetran customer-managed key, click Revert.
Select Google Cloud Key Management Service under Key Management Provider.
In the Resource name field, enter the resource name you found in the Find resource name step.
Select the Service account type.
i. (Optional) If you chose to use your own service account, drag and drop the file or click Browse files to upload the service account private key you created in the Create service account private key step.
Click Save.