Encode-Decode secrets using Google Cloud KMS


This is a demo application to support this blog post. It demonstrates how to use GCP Cloud KMS to easily manage secrets.


Create 3 service accounts with the permissions below:

  1. Save Cloud KMS Admin service account key as kms-admin.json in the project root.
  2. Save Cloud KMS CryptoKey Encrypter/Decrypter service account key as kms-enc-dec.json in the project root.
  3. Save Cloud Datastore User service account key as datastore-user.json in the project root.

Replace the constants below in all the files with your GCP project settings:

```go
const (
	Location      string = "global"              // replace this as per your project.
	KeyRingID     string = "my-key-ring"         // replace this as per your project.
	CryptoKeyName string = "my-key"              // replace this as per your project.
	ProjectName   string = "my-gcp-project-name" // replace this as per your project.
)
```


  • Create the key and the key-ring by running create/main.go
  • Encrypt the password and save it to Datastore by running write/main.go
  • Read from Datastore and decrypt the password by running read/main.go
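
The write and read steps above, as an added Go example that is not code from this repository: a local AES-256-GCM key stands in for the Cloud KMS CryptoKey and a map stands in for Datastore, so it runs offline. The function names, the db-password entry and the sample secret are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// keyName is the Cloud KMS resource name formed from the README's four constants.
const keyName = "projects/my-gcp-project-name/locations/global/keyRings/my-key-ring/cryptoKeys/my-key"

// newStandInKey returns a local AES-256-GCM key standing in for the Cloud KMS CryptoKey (assumption).
func newStandInKey() cipher.AEAD {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Neither call can fail: 32 bytes is a valid AES key size and AES has a 16-byte block.
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}

// WriteSecret encrypts first, then stores only nonce||ciphertext||tag; db stands in for Datastore.
func WriteSecret(kms cipher.AEAD, db map[string][]byte, id, password string) error {
	nonce := make([]byte, kms.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	db[id] = kms.Seal(nonce, nonce, []byte(password), []byte(keyName)) // keyName bound as AAD
	return nil
}

// ReadSecret fetches the stored blob and decrypts it; a modified blob fails authentication.
func ReadSecret(kms cipher.AEAD, db map[string][]byte, id string) (string, error) {
	blob, n := db[id], kms.NonceSize()
	if len(blob) <= n {
		return "", fmt.Errorf("no ciphertext stored for %q", id)
	}
	pt, err := kms.Open(nil, blob[:n], blob[n:], []byte(keyName))
	return string(pt), err
}

func main() {
	kms, db := newStandInKey(), map[string][]byte{}
	fmt.Println(WriteSecret(kms, db, "db-password", "s3cr3t")) // constructed sample secret
	fmt.Println(ReadSecret(kms, db, "db-password"))
}
```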


  • Make sure to enable the Cloud KMS API and the Datastore API for your project.
  • Make sure to clean up the Google Cloud project after you run the demo.