Skip to content

, ,

Implementing App Level Encryption in Google PubSub using Google Cloud KMS

March 7, 2017

If you need any sort of application level encryption while using Google PubSub as a distributed messaging queue, it is not obvious on how to implement it because there is no documentation from Google that I could find around the exact same thing. There was some code but I had to make sense of it and combine a few other things to get it working finally.

I was able to implement it using Google Cloud KMS and it was pretty easy to do so. So, here goes..

You would need a service account in order to get this working. Next, copy paste the below two files locally:

  • –
  • –

Make sure you have all the libraries installed like gcloud to run these python files. Also, replace the variables that are marked as “<>” as per your GCloud environment. You would need a project_id, location, keyring, cryptokey, testtopic and testsub. testsub would be the subscription for the testtopic.

You would also need to add “Cloud KMS CryptoKey Encrypter/Decrypter” permissions for your service account by navigating to IAM&Admin -> Key Management in the Console.

Now, when you run python, that file basically encrypts a json – {test:”test”} and drops it in the testtopic.

Next, when you run python, that file subscribes to testsub that is a subscription for testtopic. It then pulls the data and gets the encrypted data. It then uses the KMS API with the service account credentials to decrypt the message.

Thus, anybody who is able to grab the messages from the PubSub topic cannot really decrypt any messages because they wouldn’t be authorized to do so! Simple and easy..



From → DevOps, Security

Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: