加密 Speech-to-Text 資源

本頁說明如何在 Speech-to-Text 中設定加密金鑰,以便加密 Speech-to-Text 資源。

語音轉文字功能可讓您提供 Cloud Key Management Service 加密金鑰,並使用所提供的金鑰加密資料。如要進一步瞭解加密功能,請參閱「加密」頁面。

事前準備

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Make sure that billing is enabled for your Google Cloud project.

  4. Enable the Speech-to-Text APIs.

    Enable the APIs

  5. Make sure that you have the following role or roles on the project: Cloud Speech Administrator

    Check for the roles

    1. In the Google Cloud console, go to the IAM page.

      Go to IAM
    2. Select the project.

    3. In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.

    4. For all rows that specify or include you, check the Role column to see whether the list of roles includes the required roles.

    Grant the roles

    1. In the Google Cloud console, go to the IAM page.

      前往「身分與存取權管理」頁面
    2. 選取專案。
    3. 按一下 「授予存取權」

    4. 在「New principals」(新增主體) 欄位中輸入使用者 ID。 通常是 Google 帳戶的電子郵件地址。

    5. 在「請選擇角色」清單中,選取角色。
    6. 如要授予其他角色,請按一下 「Add another role」(新增其他角色),然後新增其他角色。
    7. 按一下 [Save]

  6. Install the Google Cloud CLI.

  7. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  8. To initialize the gcloud CLI, run the following command: 

    gcloud init

  9. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  10. Make sure that billing is enabled for your Google Cloud project.

  11. Enable the Speech-to-Text APIs.

    Enable the APIs

  12. Make sure that you have the following role or roles on the project: Cloud Speech Administrator

    Check for the roles

    1. In the Google Cloud console, go to the IAM page.

      Go to IAM
    2. Select the project.

    3. In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.

    4. For all rows that specify or include you, check the Role column to see whether the list of roles includes the required roles.

    Grant the roles

    1. In the Google Cloud console, go to the IAM page.

      前往「身分與存取權管理」頁面
    2. 選取專案。
    3. 按一下 「授予存取權」

    4. 在「New principals」(新增主體) 欄位中輸入使用者 ID。 通常是 Google 帳戶的電子郵件地址。

    5. 在「請選擇角色」清單中,選取角色。
    6. 如要授予其他角色,請按一下 「Add another role」(新增其他角色),然後新增其他角色。
    7. 按一下 [Save]

  13. Install the Google Cloud CLI.

  14. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  15. To initialize the gcloud CLI, run the following command: 

    gcloud init

    16. 用戶端程式庫可以使用應用程式預設憑證,輕鬆向 Google API 進行驗證,並傳送要求給這些 API。有了應用程式預設憑證,您就能在本機測試應用程式,然後再部署應用程式,無須變更基礎程式碼。詳情請參閱「 驗證用戶端程式庫」。

  16. If you're using a local shell, then create local authentication credentials for your user account: 

    gcloud auth application-default login

    You don't need to do this if you're using Cloud Shell.

    If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.

    17. 此外,請務必安裝用戶端程式庫

    啟用 Cloud Key Management Service 金鑰存取權

    Speech-to-Text 會使用服務帳戶存取 Cloud KMS 金鑰。根據預設,服務帳戶無權存取 Cloud KMS 金鑰。

    服務帳戶的電子郵件地址如下:

    service-PROJECT_NUMBER@gcp-sa-speech.iam.gserviceaccount.com

    如要使用 Cloud KMS 金鑰加密語音轉文字資源,您可以為這個服務帳戶指派 roles/cloudkms.cryptoKeyEncrypterDecrypter 角色:

    gcloud projects add-iam-policy-binding PROJECT_NUMBER \
    --member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-speech.iam.gserviceaccount.com \
    --role=roles/cloudkms.cryptoKeyEncrypterDecrypter

    如要進一步瞭解專案 IAM 政策,請參閱「管理專案、資料夾和機構的存取權」。

    如要進一步瞭解如何管理 Cloud Storage 存取權,請參閱 Cloud Storage 說明文件中的「建立及管理存取權控管清單」。

    指定加密金鑰

    以下是使用 Config 資源,向 Speech-to-Text 提供加密金鑰的範例:

    Python

    import os

from google.cloud.speech_v2 import SpeechClient
from google.cloud.speech_v2.types import cloud_speech

PROJECT_ID = os.getenv("GOOGLE_CLOUD_PROJECT")


def enable_cmek(
    kms_key_name: str,
) -> cloud_speech.Config:
    """Enable Customer-Managed Encryption Keys (CMEK) in a project and region.
    Args:
        kms_key_name (str): The full resource name of the KMS key to be used for encryption.
            E.g,: projects/{PROJECT_ID}/locations/{LOCATION}/keyRings/{KEY_RING}/cryptoKeys/{KEY_NAME}
    Returns:
        cloud_speech.Config: The response from the update configuration request,
        containing the updated configuration details.
    """
    # Instantiates a client
    client = SpeechClient()

    request = cloud_speech.UpdateConfigRequest(
        config=cloud_speech.Config(
            name=f"projects/{PROJECT_ID}/locations/global/config",
            kms_key_name=kms_key_name,
        ),
        update_mask={"paths": ["kms_key_name"]},
    )

    # Updates the KMS key for the project and region.
    response = client.update_config(request=request)

    print(f"Updated KMS key: {response.kms_key_name}")
    return response

    在專案的 [Config] 資源中指定加密金鑰後,系統會使用這組金鑰加密在對應位置建立的任何新資源。如要進一步瞭解加密內容和時間,請參閱「加密」頁面。

    在 Speech-to-Text API 回應中,加密資源會填入 kms_key_namekms_key_version_name 欄位。

    移除加密措施

    如要避免日後的資源以加密金鑰加密,請使用上述程式碼,並在要求中提供空字串 ("") 做為金鑰。這可確保不會對新資源進行加密。這個指令不會解密現有資源。

    金鑰輪替和刪除

    在金鑰輪替時,使用舊版 Cloud KMS 金鑰加密的資源,仍會使用該版本加密。金鑰輪替後建立的任何資源,都會使用金鑰的新預設版本加密。金鑰輪替後,使用 Update* 方法更新的任何資源都會使用新預設金鑰版本重新加密。

    刪除金鑰後,Speech-to-Text 就無法解密資料,也無法建立資源或存取使用刪除金鑰加密的資源。同樣地,當您撤銷金鑰的語音轉文字權限時,語音轉文字就無法解密您的資料,也無法建立資源或存取使用語音轉文字權限撤銷金鑰加密的資源。

    重新加密資料

    如要重新加密資源,您可以在 Config 資源中更新金鑰規格後,為每個資源呼叫對應的 Update* 方法。

    清除所用資源

    如要避免系統向您的 Google Cloud 帳戶收取本頁所用資源的費用,請按照下列步驟操作。

    1. Optional: Revoke the authentication credentials that you created, and delete the local credential file. 

      gcloud auth application-default revoke

    2. Optional: Revoke credentials from the gcloud CLI. 

      gcloud auth revoke

    控制台

  17. In the Google Cloud console, go to the Manage resources page.

    Go to Manage resources

  18. In the project list, select the project that you want to delete, and then click Delete.
  19. In the dialog, type the project ID, and then click Shut down to delete the project.

    20. gcloud

    Delete a Google Cloud project:

    gcloud projects delete PROJECT_ID

    後續步驟