Create a dataset with a customer-managed encryption key
Stay organized with collections
Save and categorize content based on your preferences.
The following example creates a dataset named `mydataset`, and also uses the `google_kms_crypto_key` and `google_kms_key_ring` resources to specify a Cloud Key Management Service key for the dataset. You must enable the Cloud Key Management Service API before running this example.
Explore further
For detailed documentation that includes this code sample, see the following:
Code sample
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License
, and code samples are licensed under the Apache 2.0 License
. For details, see the Google Developers Site Policies
. Java is a registered trademark of Oracle and/or its affiliates.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],[],[[["\u003cp\u003eThis code creates a BigQuery dataset named \u003ccode\u003emydataset\u003c/code\u003e using Terraform.\u003c/p\u003e\n"],["\u003cp\u003eIt uses the \u003ccode\u003egoogle_kms_crypto_key\u003c/code\u003e and \u003ccode\u003egoogle_kms_key_ring\u003c/code\u003e resources to configure a Cloud Key Management Service key for the dataset's encryption.\u003c/p\u003e\n"],["\u003cp\u003eThe configuration sets default partition and table expiration times, along with a description, location, time travel hours and labels for the dataset.\u003c/p\u003e\n"],["\u003cp\u003eIt grants the BigQuery service account permission to encrypt and decrypt Cloud KMS keys.\u003c/p\u003e\n"],["\u003cp\u003eThe code sets up a random ID, then uses it in the KMS key ring configuration, while also ensuring that the BigQuery service account has the necessary permissions to interact with the Cloud KMS keys.\u003c/p\u003e\n"]]],[],null,["# Create a dataset with a customer-managed encryption key\n\nThe following example creates a dataset named \\`mydataset\\`, and also uses the \\`google_kms_crypto_key\\` and \\`google_kms_key_ring\\` resources to specify a Cloud Key Management Service key for the dataset. You must enable the Cloud Key Management Service API before running this example.\n\nExplore further\n---------------\n\n\nFor detailed documentation that includes this code sample, see the following:\n\n- [Create datasets](/bigquery/docs/datasets)\n\nCode sample\n-----------\n\n### Terraform\n\n\nTo learn how to apply or remove a Terraform configuration, see\n[Basic Terraform commands](/docs/terraform/basic-commands).\n\n\nFor more information, see the\n[Terraform provider reference documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs).\n\n resource \"google_bigquery_dataset\" \"default\" {\n dataset_id = \"mydataset\"\n default_partition_expiration_ms = 2592000000 # 30 days\n default_table_expiration_ms = 31536000000 # 365 days\n description = \"dataset description\"\n location = \"US\"\n max_time_travel_hours = 96 # 4 days\n\n default_encryption_configuration {\n kms_key_name = google_kms_crypto_key.crypto_key.id\n }\n\n labels = {\n billing_group = \"accounting\",\n pii = \"sensitive\"\n }\n depends_on = [google_project_iam_member.service_account_access]\n }\n\n resource \"google_kms_crypto_key\" \"crypto_key\" {\n name = \"example-key\"\n key_ring = google_kms_key_ring.key_ring.id\n }\n\n resource \"random_id\" \"default\" {\n byte_length = 8\n }\n\n resource \"google_kms_key_ring\" \"key_ring\" {\n name = \"${random_id.default.hex}-example-keyring\"\n location = \"us\"\n }\n\n # Enable the BigQuery service account to encrypt/decrypt Cloud KMS keys\n data \"google_project\" \"project\" {\n }\n\n resource \"google_project_iam_member\" \"service_account_access\" {\n project = data.google_project.project.project_id\n role = \"roles/cloudkms.cryptoKeyEncrypterDecrypter\"\n member = \"serviceAccount:bq-${data.google_project.project.number}@bigquery-encryption.iam.gserviceaccount.com\"\n }\n\nWhat's next\n-----------\n\n\nTo search and filter code samples for other Google Cloud products, see the\n[Google Cloud sample browser](/docs/samples?product=bigquery)."]]
