Get startedGet started for free

Protecting functions and data

1. Protecting functions and data

Let’s discuss how you can protect your Cloud Run functions and it’s data. You can use Cloud Key Management Service (KMS) to create and manage encryption keys that protect your Cloud Run functions and related data at rest. The keys are known as customer-managed encryption keys (CMEK) and are owned by you and not controlled by Google. They can be stored as software keys, in an HSM cluster, or externally. Deploying a function with a CMEK protects the data associated with it by using an encryption key that only you can access. If the key is disabled or destroyed, no one (including you) can access the data that is protected by the key. The following types of Cloud Run functions data are encrypted when using a CMEK: Function source code uploaded for deployment and stored by Google in Cloud Storage, and used in the build process. The results of the function build process, including: The container image built from your function source code, and each instance of the function that is deployed. The data at rest for internal event transport channels. To set up CMEK for Cloud Run functions: Create a single-region encryption key. To store your function images, create an Artifact Registry repository with CMEK enabled. Use the same key for the repository as the one used to enable CMEK for the function. Grant the Cloud Run functions, Artifact Registry, and Cloud Storage service accounts access to the key. Enable CMEK on your function. A sample use case for using CMEKs involves storing and accessing objects in Cloud Storage buckets. You can use customer-managed encryption keys on individual objects, or configure your bucket to use a key by default on all new objects added to the bucket. Objects that are uploaded are stored encrypted with the CMEK. A Cloud Run function can be triggered from Eventarc whenever there are changes to objects in the Cloud Storage bucket. The function can then retrieve the decrypted object from the bucket in Cloud Storage. You can also implement a function to encrypt individual objects and upload them to Cloud Storage. To use CMEKs, you must grant your project’s Cloud Storage service account or service agent access to the key. To grant service accounts access to the key, add each service account as a principal of the key, and then grant the service account the Cloud KMS CryptoKey Encrypter/Decrypter role. The service account email used is that of the: Cloud Run Functions Service Agent, Artifact Registry Service Agent, Cloud Storage Service Agent. After setting up an Artifact Registry repository with CMEK enabled and granting the required service agents access to your key, you can enable CMEK for your function by deploying the function and specifying the key and repository. Cloud Run functions uses the primary version of a key for CMEK protection. You cannot specify a particular key version to use when enabling CMEK for your functions. If a key is destroyed or disabled, or the requisite permissions on it are revoked: Active instances of functions protected by the key are not shut down. Executions of these functions that are already in progress will continue to run. New executions will fail as long as Cloud Run functions does not have access to the key. Executions that require new function instances will fail.

2. Let's practice!

Create Your Free Account

or

By continuing, you accept our Terms of Use, our Privacy Policy and that your data is stored in the USA.