GoogleCloudPlatform / terraform-splunk-log-export

Deploy Google Cloud log export to Splunk using Terraform
https://cloud.google.com/architecture/deploying-production-ready-log-exports-to-splunk-using-dataflow
Apache License 2.0

Module hardening #35

Open ilakhtenkov opened 1 year ago

ilakhtenkov commented 1 year ago

As hardening measures, I propose the following:

rarsan commented 1 year ago

Thx for kicking off this discussion. This makes sense for deployments that require services with CMEK.

How about we add this change gradually in the order you highlighted? 1) CMEK-encrypted GCS (temporary bucket) 2) CMEK for PubSub (source) 3) CMEK for Dataflow (pipeline)

Each of these requires additional permissions handling: [1] https://cloud.google.com/storage/docs/encryption/using-customer-managed-keys#service-agent-access [2] https://cloud.google.com/dataflow/docs/guides/customer-managed-encryption-keys#using_sources_and_sinks_that_are_protected_with_cloud_kms_keys [3] https://cloud.google.com/dataflow/docs/guides/customer-managed-encryption-keys#granting_encrypterdecrypter_permissions

Since the project containing the Cloud KMS key may be different from the project running the Dataflow pipeline, I think the permissions should not be managed by this module, but I propose we document them in the README. Let me know what you think.
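The three-step plan above (CMEK for the temporary bucket, the Pub/Sub source and the Dataflow pipeline) together with the service-agent grants each step needs, written out as an added Terraform example. This is not code from the terraform-splunk-log-export module or from either commenter; it assumes the variables `project_id`, `region`, `kms_key_id` (full `projects/.../cryptoKeys/...` name, possibly in another project), `dataflow_worker_sa`, `input_subscription`, `splunk_hec_url` and `splunk_hec_token` exist, and it uses the public `Cloud_PubSub_to_Splunk` template path and parameter names as an assumption. The `google_kms_crypto_key_iam_member` block is the part the thread proposes documenting rather than managing in the module; it is included here so the dependency between the grants and the CMEK-protected resources is visible.

```hcl
# Added example, not module code: CMEK on the temp bucket, Pub/Sub topic and
# Dataflow job, plus the KMS grants that each Google service agent requires.
# Assumed inputs: var.project_id, var.region, var.kms_key_id, var.dataflow_worker_sa,
# var.input_subscription, var.splunk_hec_url, var.splunk_hec_token.

data "google_project" "this" {
  project_id = var.project_id
}

# Cloud Storage service agent of the project (needed for the CMEK bucket, step 1)
data "google_storage_project_service_account" "gcs_sa" {
  project = var.project_id
}

locals {
  project_number = data.google_project.this.number
  # Pub/Sub and Dataflow service agents follow a fixed naming pattern per project number
  pubsub_sa   = "service-${local.project_number}@gcp-sa-pubsub.iam.gserviceaccount.com"
  dataflow_sa = "service-${local.project_number}@dataflow-service-producer-prod.iam.gserviceaccount.com"
}

# Encrypt/decrypt grants on the key. When the key lives in another project,
# these are applied by that project's owner; they are shown here for completeness.
resource "google_kms_crypto_key_iam_member" "cmek_users" {
  for_each = {
    gcs      = "serviceAccount:${data.google_storage_project_service_account.gcs_sa.email_address}"
    pubsub   = "serviceAccount:${local.pubsub_sa}"
    dataflow = "serviceAccount:${local.dataflow_sa}"
    worker   = "serviceAccount:${var.dataflow_worker_sa}" # workers read/write temp files
  }
  crypto_key_id = var.kms_key_id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = each.value
}

# 1) CMEK-encrypted temporary bucket used by Dataflow
resource "google_storage_bucket" "dataflow_temp" {
  name                        = "${var.project_id}-dataflow-temp"
  project                     = var.project_id
  location                    = var.region
  uniform_bucket_level_access = true
  encryption {
    default_kms_key_name = var.kms_key_id
  }
  depends_on = [google_kms_crypto_key_iam_member.cmek_users]
}

# 2) CMEK for the Pub/Sub source topic
resource "google_pubsub_topic" "log_export" {
  name         = "log-export"
  project      = var.project_id
  kms_key_name = var.kms_key_id
  depends_on   = [google_kms_crypto_key_iam_member.cmek_users]
}

# 3) CMEK for the Dataflow pipeline (job state and worker disks)
resource "google_dataflow_job" "splunk_export" {
  name                  = "splunk-log-export"
  project               = var.project_id
  region                = var.region
  template_gcs_path     = "gs://dataflow-templates/latest/Cloud_PubSub_to_Splunk" # assumed template path
  temp_gcs_location     = "${google_storage_bucket.dataflow_temp.url}/tmp"
  kms_key_name          = var.kms_key_id
  service_account_email = var.dataflow_worker_sa
  parameters = {
    inputSubscription = "projects/${var.project_id}/subscriptions/${var.input_subscription}"
    url               = var.splunk_hec_url
    token             = var.splunk_hec_token
  }
  depends_on = [google_kms_crypto_key_iam_member.cmek_users]
}
```

Applying the steps one at a time, as the comment suggests, amounts to adding one resource block and its matching `for_each` entry per step; the `depends_on` edges keep `terraform apply` from creating a CMEK-protected resource before its service agent can use the key, which is the failure mode that otherwise shows up as a permission error at creation time.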