Describes the customer-managed encryption key (CMEK) settings associated with a project, folder, organization, billing account, or flexible resource.
Note: CMEK for the Logs Router can currently only be configured for GCP organizations. Once configured, it applies to all projects and folders in the GCP organization.
See Enabling CMEK for Logs
Router </logging/docs/routing/managed-encryption>
__ for more
information.
The resource name for the configured Cloud KMS key. KMS key
name format: "projects/[PROJECT_ID]/locations/[LOCATION]/keyR
ings/[KEYRING]/cryptoKeys/[KEY]" For example: "projects/my-
project-id/locations/my-region/keyRings/key-ring-
name/cryptoKeys/key-name"
To enable CMEK for the Logs
Router, set this field to a valid kms_key_name
for which
the associated service account has the required
roles/cloudkms.cryptoKeyEncrypterDecrypter
role assigned
for the key. The Cloud KMS key used by the Log Router can be
updated by changing the kms_key_name
to a new valid key
name. Encryption operations that are in progress will be
completed with the key that was in use when they started.
Decryption operations will be completed using the key that was
used at the time of encryption unless access to that key has
been revoked. To disable CMEK for the Logs Router, set this
field to an empty string. See Enabling CMEK for Logs Router
</logging/docs/routing/managed-encryption>
__ for more
information.