Use customer-managed encryption keys

Cloud Deploy, along with its dependent services, lets you manage your own encryption keys for storage and transit of any user data.

Cloud Deploy data

Cloud Deploy stores resource data encrypted. This storage does not include any user data.

Cloud Deploy dependent services can use customer-managed encryption keys. The sections that follow address the practices of each dependent service.

Cloud Build

Render and deploy operations are performed through Cloud Build, which is CMEK compliant. For more information on configuring Cloud Build to be CMEK compliant, see the Cloud Build documentation.

Rendering source and rendered manifests are stored in Cloud Storage buckets. Cloud Build stores its logs using Cloud Logging, and Cloud Deploy explicitly turns off Cloud Storage logging for use with Cloud Deploy.

Cloud Storage

To use CMEK with Cloud Deploy, you need to use custom Cloud Storage buckets and configure those buckets for CMEK.

To specify your custom, CMEK-managed Cloud Storage buckets for use with Cloud Deploy:

  • Include the --gcs-source-staging-dir flag on the gcloud deploy releases create command.

    This flag identifies the Cloud Storage bucket in which to store the rendering source files.

  • Change the storage location in your Cloud Deploy execution environment.

    This setting identifies the Cloud Storage bucket in which to store your rendered manifests.

Pub/Sub topics

Cloud Deploy uses Pub/Sub to publish notifications to topics. You can configure these topics to use customer-managed encryption keys.


Cloud Deploy and its dependent services publish logs to Cloud Logging, part of Google Cloud Observability.

You can configure Logging for CMEK.