Access Control to AI Datasets with GCP KMS

Question

Pulumi · Accepted Answer

To control access to AI datasets on Google Cloud Platform (GCP) with Google Cloud Key Management Service (KMS), you will use a few resources working together:

1. **Google Cloud AI Dataset** (`gcp.vertex.AiDataset`): This resource will be used to create and manage the dataset that contains your AI data.
2. **Google Cloud Key Management Service (KMS) Key Ring** (`gcp.kms.KeyRing`): Holds cryptographic keys that will be used to encrypt your datasets.
3. **Google Cloud KMS Crypto Key** (`gcp.kms.CryptoKey`): The actual encryption key that will encrypt your data.
4. **Encryption Specification** (`encryptionSpec`): This is not a separate resource but a parameter you set in your AI Dataset to specify which KMS key to use for encryption.

The `AiDataset` resource allows you to create a dataset in the Vertex AI environment, where you can store your AI data. Datasets can be encrypted with encryption keys managed in KMS, providing an additional layer of security. You first create a `KeyRing` and then a `CryptoKey` within that KeyRing. You then link the `CryptoKey` to the AI Dataset by referencing it in the `encryptionSpec` property when creating the dataset.

Below is a Pulumi Python program that illustrates how you could set up a Google Cloud AI Dataset using a KMS encryption key for access control:

```python
import pulumi
import pulumi_gcp as gcp

# Set up the GCP project and location
project = 'my-gcp-project'
region = 'us-central1'
dataset_display_name = 'my-ai-dataset'

# Create a KeyRing for holding the CryptoKey
key_ring = gcp.kms.KeyRing('my-key-ring',
                            location=region,
                            project=project)

# Create a CryptoKey for encrypting the AI dataset
crypto_key = gcp.kms.CryptoKey('my-crypto-key',
                               key_ring=key_ring.id,
                               rotation_period='100000s',  # Example rotation period
                               project=project)

# Create the AI Dataset with encryption using the KMS CryptoKey
ai_dataset = gcp.vertex.AiDataset('my-ai-dataset',
                                  project=project,
                                  region=region,
                                  display_name=dataset_display_name,
                                  encryption_spec=gcp.vertex.AiDatasetEncryptionSpecArgs(
                                      kms_key_name=crypto_key.id
                                  ))

# Export the AI Dataset ID and CryptoKey ID for reference
pulumi.export('ai_dataset_id', ai_dataset.id)
pulumi.export('crypto_key_id', crypto_key.id)
```

This program completes the following steps:
- Creates a new KMS KeyRing resource named 'my-key-ring' in the specified region and under your GCP project.
- Under the created KeyRing, a new KMS CryptoKey resource named 'my-crypto-key' is created, which can be used to encrypt data and specifies a key rotation period (this is just an example and should be configured according to your security requirements).
- Then it creates a new AI Dataset resource named 'my-ai-dataset', which is encrypted using the CryptoKey by specifying `kms_key_name` under `encryption_spec`.

You need to replace `'my-gcp-project'` with your actual Google Cloud project ID and `'us-central1'` with the location where you want to deploy the KeyRing.

Remember this Pulumi program should be run in an environment where you've [installed the Pulumi CLI](https://www.pulumi.com/docs/get-started/install/) and [configured it for GCP](https://www.pulumi.com/docs/intro/cloud-providers/gcp/setup/). The program assumes you've already authenticated with GCP and set up the appropriate permissions for Pulumi to make these changes on your behalf.

Lastly, exporting the IDs of the AI Dataset and CryptoKey allows you to easily reference them later, perhaps for data monitoring, logging or linking to other resources in your cloud infrastructure.