Encrypt Speech-to-Text resources

This page demonstrates how to set an encryption key in Speech-to-Text to encrypt Speech-to-Text resources.

Speech-to-Text lets you provide Cloud Key Management Service encryption keys and encrypts data with the provided key. To learn more about encryption, see the encryption page.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

  3. Verify that billing is enabled for your Google Cloud project.

  4. Enable the Speech-to-Text APIs.

  5. Make sure that you have the following role or roles on the project: Cloud Speech Administrator

    Check for the roles

    1. In the Google Cloud console, go to the IAM page.
    2. Select the project.
    3. In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.
    4. For all rows that specify or include you, check the Role column to see whether the list of roles includes the required roles.

    Grant the roles

    1. In the Google Cloud console, go to the IAM page.
    2. Select the project.
    3. Click Grant access.
    4. In the New principals field, enter your user identifier. This is typically the email address for a Google Account.
    5. In the Select a role list, select a role.
    6. To grant additional roles, click Add another role and add each additional role.
    7. Click Save.
  6. Install the Google Cloud CLI.

  7. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  8. To initialize the gcloud CLI, run the following command:

    gcloud init
  9. Client libraries can use Application Default Credentials to easily authenticate with Google APIs and send requests to those APIs. With Application Default Credentials, you can test your application locally and deploy it without changing the underlying code. For more information, see Authenticate for using client libraries.

  10. If you're using a local shell, then create local authentication credentials for your user account:

    gcloud auth application-default login

    You don't need to do this if you're using Cloud Shell.

    If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.

Also ensure you have installed the client library.

Enable access to Cloud Key Management Service keys

Speech-to-Text uses a service account to access your Cloud KMS keys. By default, the service account has no access to Cloud KMS keys.

The service account email address is the following:

    service-PROJECT_NUMBER@gcp-sa-speech.iam.gserviceaccount.com

To encrypt Speech-to-Text resources using Cloud KMS keys, you can give this service account the roles/cloudkms.cryptoKeyEncrypterDecrypter role:

    gcloud projects add-iam-policy-binding PROJECT_NUMBER \
        --member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-speech.iam.gserviceaccount.com \
        --role=roles/cloudkms.cryptoKeyEncrypterDecrypter

More information about project IAM policy is available at Manage access to projects, folders, and organizations.

More information about managing access to Cloud Storage is available at Create and Manage access control lists in the Cloud Storage documentation.

Specify an encryption key

Here is an example of providing an encryption key to Speech-to-Text using the Config resource:

Python

    import os

    from google.cloud.speech_v2 import SpeechClient
    from google.cloud.speech_v2.types import cloud_speech

    PROJECT_ID = os.getenv("GOOGLE_CLOUD_PROJECT")


    def enable_cmek(
        kms_key_name: str,
    ) -> cloud_speech.Config:
        """Enable Customer-Managed Encryption Keys (CMEK) in a project and region.

        Args:
            kms_key_name (str): The full resource name of the KMS key to be used for encryption.
                E.g.: projects/{PROJECT_ID}/locations/{LOCATION}/keyRings/{KEY_RING}/cryptoKeys/{KEY_NAME}
        Returns:
            cloud_speech.Config: The response from the update configuration request,
            containing the updated configuration details.
        """
        # Instantiates a client
        client = SpeechClient()

        request = cloud_speech.UpdateConfigRequest(
            config=cloud_speech.Config(
                name=f"projects/{PROJECT_ID}/locations/global/config",
                kms_key_name=kms_key_name,
            ),
            update_mask={"paths": ["kms_key_name"]},
        )

        # Updates the KMS key for the project and region.
        response = client.update_config(request=request)

        print(f"Updated KMS key: {response.kms_key_name}")
        return response

When an encryption key is specified in the Config resource of your project, any new resources created in the corresponding location are encrypted using this key. See the encryption page for more information on what is encrypted and when.

Encrypted resources have the kms_key_name and kms_key_version_name fields populated in Speech-to-Text API responses.

Remove encryption

To prevent future resources from being encrypted with an encryption key, use the code above and provide the empty string ( "" ) as the key in the request. This ensures that new resources aren't encrypted. This command doesn't decrypt existing resources.

Key rotation and deletion

On key rotation, resources that are encrypted with a previous version of the Cloud KMS key remain encrypted with that version. Any resources created after the key rotation are encrypted with the new default version of the key. Any resources updated (using Update* methods) after the key rotation are reencrypted with the new default version of the key.

On key deletion, Speech-to-Text can't decrypt your data and can't create resources or access resources encrypted with the deleted key. Likewise, when you revoke Speech-to-Text permission for a key, Speech-to-Text can't decrypt your data and can't create resources or access resources encrypted with the key whose permission was revoked.

Reencrypt data

To reencrypt your resources, you can call the corresponding Update* method for each resource after updating the key specification in the Config resource.
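The rotation and reencryption rules above can be checked with a small audit over the kms_key_name and kms_key_version_name fields that encrypted resources return. This is an added example, not code from the original page: the resource dicts are constructed sample data, and the function names and the primary_version argument (assumed to be looked up from Cloud KMS by the caller) are hypothetical.

```python
from collections import defaultdict

# Constructed sample data: dicts standing in for Speech-to-Text API responses.
# Only the field names kms_key_name and kms_key_version_name come from the page;
# the resource names and key paths are made up for this example.
KEY = "projects/demo/locations/global/keyRings/stt/cryptoKeys/speech"
OLD = "projects/demo/locations/global/keyRings/old/cryptoKeys/legacy"
SAMPLE_RESOURCES = [
    {"name": "recognizers/a", "kms_key_name": KEY,
     "kms_key_version_name": KEY + "/cryptoKeyVersions/2"},
    {"name": "recognizers/b", "kms_key_name": KEY,
     "kms_key_version_name": KEY + "/cryptoKeyVersions/1"},
    {"name": "recognizers/c", "kms_key_name": "", "kms_key_version_name": ""},
    {"name": "recognizers/d", "kms_key_name": OLD,
     "kms_key_version_name": OLD + "/cryptoKeyVersions/5"},
]


def audit_cmek(resources, expected_key, primary_version):
    """Group resource names by CMEK state.

    expected_key: the key currently set in the Config resource.
    primary_version: full name of that key's current default version
        (assumption: the caller obtains it from Cloud KMS).
    """
    report = defaultdict(list)
    for res in resources:
        key = res.get("kms_key_name") or ""
        version = res.get("kms_key_version_name") or ""
        if not key:
            state = "no_cmek"          # created while no key was set in Config
        elif key != expected_key:
            state = "other_key"        # still encrypted under a different key
        elif version != primary_version:
            state = "stale_version"    # created before the key was rotated
        else:
            state = "current"
        report[state].append(res["name"])
    return dict(report)


def needs_reencrypt(report):
    """Names whose Update* call would move them to the current key version."""
    return sorted(report.get("stale_version", []) + report.get("other_key", []))
```

Resources reported as no_cmek are listed separately so they can be reviewed before a key is deleted or its permission revoked.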

Clean up

To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.

  1. Optional: Revoke the authentication credentials that you created, and delete the local credential file.

    gcloud auth application-default revoke
  2. Optional: Revoke credentials from the gcloud CLI.

    gcloud auth revoke

Console

  • Everything in the project is deleted. If you used an existing project for the tasks in this document, when you delete it, you also delete any other work you've done in the project.
  • Custom project IDs are lost. When you created this project, you might have created a custom project ID that you want to use in the future. To preserve the URLs that use the project ID, such as an appspot.com URL, delete selected resources inside the project instead of deleting the whole project.

If you plan to explore multiple architectures, tutorials, or quickstarts, reusing projects can help you avoid exceeding project quota limits.

  • In the Google Cloud console, go to the Manage resources page.
  • In the project list, select the project that you want to delete, and then click Delete.
  • In the dialog, type the project ID, and then click Shut down to delete the project.