Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Preemptively handle BigQuery KMS changes #9208

Closed
rileykarson opened this issue May 20, 2021 · 1 comment · Fixed by GoogleCloudPlatform/magic-modules#4934, GoogleCloudPlatform/terraform-google-conversion#737, hashicorp/terraform-provider-google-beta#3406 or #9500
Closed

Preemptively handle BigQuery KMS changes #9208

rileykarson opened this issue May 20, 2021 · 1 comment · Fixed by GoogleCloudPlatform/magic-modules#4934, GoogleCloudPlatform/terraform-google-conversion#737, hashicorp/terraform-provider-google-beta#3406 or #9500
Assignees
@megan07
Labels
size/m technical-debt
Milestone
Sprint 13 (2021)

Comments

@rileykarson
Copy link
Collaborator

It isn't clear whether you're supposed to specify keys or versions on tables following the change. If you specify a key and get back a version, we may want to make the version a separate output field.

Update your KMS-enabled BigQuery tools by September 1, 2021, to parse cryptoKeyVersions tokens.

Dear Google Cloud Platform Customer,

We are writing to let you know that starting September 1, 2021, BigQuery will start reporting the cryptoKeyVersions of Cloud Key Management Service (KMS) keys. This key is used to protect BigQuery tables and models. After September 1, 2021, the EncryptionConfiguration kmsKeyName field in the table and model metadata will display KMS key names in the following format:

projects/.../locations/.../keyRings/.../cryptoKeys/.../cryptoKeyVersions/...
The previous format was:

projects/.../locations/.../keyRings/.../cryptoKeys/...
Will this change affect me?
The following projects listed below have BigQuery tables currently protected by customer-managed encryption keys (CMEKs):

  • XXX

What do I need to do?
If you have KMS-enabled BigQuery tools or services that parse the KMS key name field, kmsKeyName, update them to support a KMS key name with or without the cryptoKeyVersions token before September 1, 2021. Your tools must support both formats, since the changes to the key name display formats will be applied gradually.

What remains unchanged?
When specifying a KMS key to encrypt a table or model, you should continue to provide the key name without the cryptoKeyVersions (projects/.../locations/.../keyRings/.../cryptoKeys/...). KMS uses the primary key version of the key at resource creation time to protect the table or model.

Because the kmsKeyName field on a dataset is the default for newly created resources beneath it, datasets will continue to accept and display KMS keys without the cryptoKeyVersions.

If you have any questions or require assistance, please reply to this email to contact Google Cloud Support.

Thanks for choosing BigQuery.
@slevenick slevenick added this to the Sprint 13 (2021) milestone May 24, 2021
@megan07 megan07 self-assigned this Jun 25, 2021
@megan07 megan07 mentioned this issue Jun 30, 2021
Merged
5 tasks
This was referenced Jul 2, 2021
Merged
Merged
Merged
@github-actions
Copy link

github-actions bot commented Aug 2, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 2, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@megan07 megan07

Labels
size/m technical-debt
Projects
None yet
Milestone
Sprint 13 (2021)
3 participants
@rileykarson @slevenick @megan07