This page provides instructions for creating a Memorystore for Valkey instance that uses customer-managed encryption keys (CMEK). It also provides instructions for managing instances that use CMEK. For more information about CMEK for Memorystore for Valkey, see About customer-managed encryption keys (CMEK).
Before you begin
Make sure that you have the Memorystore Admin role on your user account.
Workflow to create an instance that uses CMEK
Create a key ring and key in the location where you want the Memorystore for Valkey instance to be.
Copy or write down the key name (
KEY_NAME
), the location of the key, and the name of the key ring (KEY_RING
). You need this information when granting the service account access to the key.Grant the Memorystore for Valkey service account access to the key.
Go to a project and create a Memorystore for Valkey instance with CMEK enabled in the same region as the key ring and key.
Your Memorystore for Valkey instance is now enabled with CMEK.
Create a key ring and key
Create a key ring and key. Both must be in the same region as your Memorystore for Valkey instance. The key can be from a different project, as long as the key is in the same region. Also, the key must use the symmetric encryption algorithm.
After you create the key ring and key, copy or write down the KEY_NAME
, the
key location, and the KEY_RING
. You need this information when you grant the
service account access to the key.
Grant the Memorystore for Valkey service account access to the key
Before you can create a Memorystore for Valkey instance that uses CMEK, you must grant a specific Memorystore for Valkey service account access to the key.
To grant access to the service account, use the following format:
service-PROJECT_NUMBER@gcp-sa-memorystore.iam.gserviceaccount.com
gcloud
To grant the service account access to the key, use the gcloud kms keys add-iam-policy-binding
command. Replace VARIABLES with appropriate values.
gcloud kms keys add-iam-policy-binding \ projects/PROJECT_ID/locations/REGION_ID/keyRings/KEY_RING/cryptoKeys/KEY_NAME \ --member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-memorystore.iam.gserviceaccount.com \ --role=roles/cloudkms.cryptoKeyEncrypterDecrypter
Create a Memorystore for Valkey instance that uses CMEK
gcloud
To create an instance that uses CMEK, use the gcloud memorystore instances
create
command. Replace
VARIABLES with appropriate values.
gcloud memorystore instances create INSTANCE_ID \ --project=PROJECT_NAME \ --location=REGION_ID \ --endpoints='[{"connections": [{"pscAutoConnection": {"network": "projects/PROJECT_NAME/global/networks/NETWORK_ID", "projectId": "PROJECT_NAME"}}]}]' \ --kms-key=projects/PROJECT_NAME/locations/REGION_ID/keyRings/KEY_RING/cryptoKeys/KEY_NAME \ --shard-count=SHARD_NUMBER \ --persistence-config-mode=PERSISTENCE_CONFIG_MODE
View key information for a CMEK-enabled instance
Follow these instructions to see if CMEK is enabled for your instance, and to view the active key.
gcloud
To verify if CMEK is enabled and to see the key reference, use the gcloud memorystore instances describe
command to view the encryptionInfo
and kmsKey
fields. Replace VARIABLES with
appropriate values.
gcloud memorystore instances describe INSTANCE_ID \ --project=PROJECT_NAME \ --location=REGION_ID
Manage key versions
For information about what happens when you disable, destroy, rotate, enable, and restore a key version, see Behavior of a CMEK key version.
For instructions on how to disable and re-enable key versions, see Enable and disable key versions.
For instructions on how to destroy and restore key versions, see Destroy and restore key versions.
What's next
- Learn more about backups.
- Learn more about persistence.