See the supported connectors for Application Integration.

Cloud KMS - decrypt task

The Cloud KMS - decrypt task lets you decrypt ciphertext or data that was encrypted with a Cloud Key Management Service (Cloud KMS) key. To decrypt the encrypted data, you must use the same key that was used during encryption. The decrypted text that is returned from Cloud KMS is base64-encoded.

Cloud KMS is a Google Cloud service that allows you to create, import, and manage cryptographic keys and perform cryptographic operations in a single centralized cloud service.

Before you begin

Ensure that you perform the following tasks in your Google Cloud project before configuring the Cloud KMS - decrypt task:

  1. Enable the Cloud Key Management Service (KMS) API (

    Enable the Cloud Key Management Service (KMS) API

  2. Create an authentication profile. Application Integration uses an authentication profile to connect to an authentication endpoint for the Cloud KMS - decrypt task.

Configure the Cloud KMS - decrypt task

  1. In the Google Cloud console, go to the Application Integration page.

    Go to Application Integration

  2. In the navigation menu, click Integrations.

    The Integrations page appears listing all the integrations available in the Google Cloud project.

  3. Select an existing integration or click Create integration to create a new one.

    If you are creating a new integration:

    1. Enter a name and description in the Create Integration pane.
    2. Select a region for the integration.
    3. Select a service account for the integration. You can change or update the service account details of an integration any time from the Integration summary pane in the integration toolbar.
    4. Click Create.

    This opens the integration in the integration editor.

  4. In the integration editor navigation bar, click Tasks to view the list of available tasks.
  5. Click and place the Cloud KMS - decrypt element in the integration editor.
  6. Click the Cloud KMS - decrypt element on the designer to view the Cloud KMS - decrypt task configuration pane.
  7. Go to Authentication, and select an existing authentication profile that you want to use.

    Optional. If you have not created an authentication profile prior to configuring the task, Click + New authentication profile and follow the steps as mentioned in Create a new authentication profile.

  8. Go to Task Input, and configure the displayed inputs fields using the following Task input parameters table.

    Changes to the inputs fields are saved automatically.

Task input parameters

The following table describes the input parameters of the Cloud KMS - decrypt task:

Property Data type Description
Region String Cloud KMS location for the key ring.
ProjectsId String Your Google Cloud project ID.
KeyRingsId String Name of the key ring where the key will be located.
CryptoKeysIdString Name of the key to use for decryption.
RequestJSON See request JSON structure. Specify the encrypted (cipher) text to be decrypted in the ciphertext field of the request body.

Task output

The Cloud KMS - decrypt task returns a response containing the decrypted data in a base64-encoded format. You must decode the base64-encoded value to get the output string.

Error handling strategy

An error handling strategy for a task specifies the action to take if the task fails due to a temporary error. For information about how to use an error handling strategy, and to know about the different types of error handling strategies, see Error handling strategies.

What's next

  1. Add edges and edge conditions.
  2. Test and publish your integration.
  3. Configure a trigger.
  4. Add a Data Mapping task.
  5. See all tasks for Google Cloud services.