Access Control to AI Datasets with GCP KMS
To control access to AI datasets on Google Cloud Platform (GCP) with Google Cloud Key Management Service (KMS), you will use a few resources working together:
- Google Cloud AI Dataset (`gcp.vertex.AiDataset`): This resource will be used to create and manage the dataset that contains your AI data.
- Google Cloud Key Management Service (KMS) Key Ring (`gcp.kms.KeyRing`): Holds cryptographic keys that will be used to encrypt your datasets.
- Google Cloud KMS Crypto Key (`gcp.kms.CryptoKey`): The actual encryption key that will encrypt your data.
- Encryption Specification (`encryptionSpec`): This is not a separate resource but a parameter you set in your AI Dataset to specify which KMS key to use for encryption.
The `AiDataset` resource allows you to create a dataset in the Vertex AI environment, where you can store your AI data. Datasets can be encrypted with encryption keys managed in KMS, providing an additional layer of security. You first create a `KeyRing` and then a `CryptoKey` within that KeyRing. You then link the `CryptoKey` to the AI Dataset by referencing it in the `encryptionSpec` property when creating the dataset.

Below is a Pulumi Python program that illustrates how you could set up a Google Cloud AI Dataset using a KMS encryption key for access control:
```python
import pulumi
import pulumi_gcp as gcp

# Set up the GCP project and location
project = 'my-gcp-project'
region = 'us-central1'
dataset_display_name = 'my-ai-dataset'

# Create a KeyRing for holding the CryptoKey
key_ring = gcp.kms.KeyRing('my-key-ring',
    location=region,
    project=project)

# Create a CryptoKey for encrypting the AI dataset.
# The key takes its project and location from the KeyRing,
# so CryptoKey itself has no project argument.
crypto_key = gcp.kms.CryptoKey('my-crypto-key',
    key_ring=key_ring.id,
    rotation_period='100000s')  # Example rotation period

# Create the AI Dataset with encryption using the KMS CryptoKey
ai_dataset = gcp.vertex.AiDataset('my-ai-dataset',
    project=project,
    region=region,
    display_name=dataset_display_name,
    # metadata_schema_uri is required by the provider; the image schema is used here as an example
    metadata_schema_uri='gs://google-cloud-aiplatform/schema/dataset/metadata/image_1.0.0.yaml',
    encryption_spec=gcp.vertex.AiDatasetEncryptionSpecArgs(
        kms_key_name=crypto_key.id
    ))

# Export the AI Dataset ID and CryptoKey ID for reference
pulumi.export('ai_dataset_id', ai_dataset.id)
pulumi.export('crypto_key_id', crypto_key.id)
```
This program completes the following steps:
- Creates a new KMS KeyRing resource named 'my-key-ring' in the specified region and under your GCP project.
- Creates a new KMS CryptoKey resource named 'my-crypto-key' under that KeyRing. The key can be used to encrypt data and specifies a key rotation period (this is just an example and should be configured according to your security requirements).
- Creates a new AI Dataset resource named 'my-ai-dataset', which is encrypted using the CryptoKey by specifying `kms_key_name` under `encryption_spec`.
You need to replace `'my-gcp-project'` with your actual Google Cloud project ID and `'us-central1'` with the location where you want to deploy the KeyRing.

Remember, this Pulumi program should be run in an environment where you've installed the Pulumi CLI and configured it for GCP. The program assumes you've already authenticated with GCP and set up the appropriate permissions for Pulumi to make these changes on your behalf.
Lastly, exporting the IDs of the AI Dataset and CryptoKey allows you to easily reference them later, perhaps for data monitoring, logging or linking to other resources in your cloud infrastructure.
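Encrypting the dataset with a KMS key only controls access to the extent that the key's own IAM policy is tight. The following stand-alone check is an added example, not part of the original program: it verifies that the key sits in the dataset's region, that the Vertex AI service agent can use it, and that no one else holds the encrypt/decrypt role directly on the key. The function names, project number and sample policy are assumptions constructed for illustration, and the check does not cover roles inherited from the key ring, project or organization.

```python
# Added example: function names and sample values are assumptions.
import re

# Role a principal needs to encrypt/decrypt with a CMEK key.
CMEK_ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
KEY_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$"
)


def vertex_service_agent(project_number):
    """IAM member string of the Vertex AI service agent for a project number."""
    return f"serviceAccount:service-{project_number}@gcp-sa-aiplatform.iam.gserviceaccount.com"


def audit_cmek(key_name, dataset_region, project_number, policy, allowed=()):
    """Return a list of findings; an empty list means every check passed."""
    m = KEY_RE.match(key_name)
    if not m:
        return [f"malformed key name: {key_name!r}"]
    findings = []
    if m["location"] != dataset_region:
        findings.append(f"key location {m['location']} != dataset region {dataset_region}")
    agent = vertex_service_agent(project_number)
    users = set()  # every member bound directly to the encrypt/decrypt role
    for binding in policy.get("bindings", []):
        if binding.get("role") == CMEK_ROLE:
            users.update(binding.get("members", []))
    if agent not in users:
        findings.append(f"service agent lacks {CMEK_ROLE}")
    for member in sorted(users - {agent} - set(allowed)):
        kind = "public" if member in PUBLIC_MEMBERS else "unexpected"
        findings.append(f"{kind} member can use key: {member}")
    return findings


# Constructed sample in the shape of `gcloud kms keys get-iam-policy --format=json`.
SAMPLE_POLICY = {"bindings": [
    {"role": CMEK_ROLE, "members": [
        "serviceAccount:service-123456789012@gcp-sa-aiplatform.iam.gserviceaccount.com",
        "user:intern@example.com"]},
    {"role": "roles/cloudkms.viewer", "members": ["group:sec@example.com"]},
]}
SAMPLE_KEY = "projects/my-gcp-project/locations/us-central1/keyRings/my-key-ring/cryptoKeys/my-crypto-key"

if __name__ == "__main__":
    print("\n".join(audit_cmek(SAMPLE_KEY, "us-central1", "123456789012", SAMPLE_POLICY)))
```

Pass expected human or workload principals through `allowed` so that only genuinely unexpected key users are reported.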