Google Tink Java and KMS integration


A Shrimal

Nov 27, 2021, 2:18:20 PM
to Google Cloud Developers
Hello everyone,
I am trying to achieve the following tasks:
1) Read from JDBC using Apache beam Java (dataflow)
2) Encrypt a few columns using Google Tink and KMS
3) Write this data to BigQuery
4) Create authorised views by decrypting columns using KMS

So far I am able to achieve the following:
1) Able to connect to JDBC
2) Able to write to BigQuery
3) Able to create Keyrings and Keys in Google KMS

I am able to create a Keyset in my Java code (link) and use the same key for decryption in BigQuery using the AEAD.DECRYPT_STRING function (link).
The only part that I can't figure out is that, instead of creating a key in my Java code, I want to fetch the same key from Google KMS (point 3) and use the same key for encryption, and again use the same key for decryption in BigQuery. This will help me keep the keys more secure and centralised.

Is this possible? How can I achieve this?

Thanks in advance

Efim (Cloud Platform Support)

Dec 1, 2021, 9:58:48 AM
to Google Cloud Developers
Hi,
What exactly is the block for fetching the key, and using it for decryption and encryption?
What error do you get?
Do you have the role 'roles/cloudkms.cryptoKeyEncrypterDecrypter', as per this guide? More permissions are listed here.
Is the key you are trying to use primary or secondary? Secondary keys are only used for decryption, as stated here.
Is the key in the enabled state?

Please note that this group is for a general type of question, and according to its description: "To get the quickest solution, we recommend you ask specific technical questions like "how do I…" or "what does this error mean?" on StackOverflow or ServerFault".