Monitor state changes using Pub/Sub

This page shows you how to use Pub/Sub to create notifications on state changes for Cloud KMS resources.

Before you begin

To enable APIs, grant required permissions, and create a Pub/Sub topic, follow the instructions in Before you begin in "Monitoring asset changes".

Configure a feed

Configure a feed that monitors the type of changes and resources that you are interested in.

Notify on all resource changes

To create a feed, use the gcloud asset feeds create command.

gcloud asset feeds create FEED_NAME \
  --project=PROJECT_ID  \
  --asset-types="RESOURCE_TYPE" \
  --pubsub-topic="PUBSUB_TOPIC"

Replace the following:

  • FEED_NAME: The name to use for your Pub/Sub feed.
  • PROJECT_ID: The ID of the Cloud KMS project you want to monitor.
  • RESOURCE_TYPE: The types of resource for which you want to receive notifications. Use commas between resource types—for example, cloudkms.googleapis.com/CryptoKey,cloudkms.googleapis.com/CryptoKeyVersion. You can notify on any supported resource type, including the following:

    • cloudkms.googleapis.com/CryptoKey
    • cloudkms.googleapis.com/CryptoKeyVersion
    • cloudkms.googleapis.com/EkmConnection
    • cloudkms.googleapis.com/ImportJob
    • cloudkms.googleapis.com/KeyRing
  • PUBSUB_TOPIC: The full resource name of the Pub/Sub topic you created in Before you begin, in the form projects/PROJECT_ID/topics/TOPIC_ID.

This creates a notification when resources of the indicated type are created, updated, or deleted. The notification tells you that the resource changed, but not what changed. For example, an update notification for a CryptoKeyVersion might mean the version was made primary, or that it was scheduled for destruction. Before acting on a notification, read the resource back (for example, with gcloud kms keys versions describe) to find its current state rather than inferring it from the notification alone.

Notify on specific resource changes

To create a feed with a condition, use the gcloud asset feeds create command with the --condition-expression flag.

gcloud asset feeds create FEED_NAME \
  --project=PROJECT_ID  \
  --asset-types="RESOURCE_TYPE" \
  --pubsub-topic="PUBSUB_TOPIC" \
  --condition-expression="CONDITION_EXPRESSION"

Replace the following:

  • FEED_NAME: The name to use for your Pub/Sub feed.
  • PROJECT_ID: The ID of your Cloud KMS project.
  • RESOURCE_TYPE: The type of resource for which you want to receive notifications—for example, cloudkms.googleapis.com/CryptoKeyVersion. You can notify on any supported resource type, including the following:

    • cloudkms.googleapis.com/CryptoKey
    • cloudkms.googleapis.com/CryptoKeyVersion
    • cloudkms.googleapis.com/EkmConnection
    • cloudkms.googleapis.com/ImportJob
    • cloudkms.googleapis.com/KeyRing
  • PUBSUB_TOPIC: The full resource name of the Pub/Sub topic you created in Before you begin, in the form projects/PROJECT_ID/topics/TOPIC_ID.

  • CONDITION_EXPRESSION: A condition expression in Common Expression Language (CEL). For example, "folders/FOLDER_NUMBER" in temporal_asset.asset.ancestors causes the feed to create notifications only when the indicated resource is located within folder FOLDER_NUMBER, where FOLDER_NUMBER is the folder's numeric ID. Because the flag value is already enclosed in double quotes, write the CEL string literal with single quotes ('folders/FOLDER_NUMBER' in temporal_asset.asset.ancestors) or escape the inner double quotes. Other fields of the TemporalAsset message are also available; for example, !temporal_asset.deleted restricts the feed to creations and updates.

This creates a notification when resources of the indicated type that match the specified condition expression are created, deleted, or updated.
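The two points above that matter for a consumer of these notifications are that the message only says a resource was created, updated, or deleted (so the current state must be read back), and that the ancestor condition is a simple membership test on temporal_asset.asset.ancestors. The following added example, which is not part of the original page or of Google's tooling, shows a Python subscriber-side handler that decodes one feed message using the TemporalAsset JSON envelope fields (asset.name, asset.assetType, asset.ancestors, deleted, window.startTime), applies the same folder filter locally, and builds the gcloud describe command an operator would run to fetch the resource's current state. The sample messages are constructed inline; the project, key ring, key, and folder numbers in them are placeholders.

```python
"""Handle Cloud Asset Inventory feed notifications for Cloud KMS resources.

Added example (not from the original page). A feed publishes each change to
Pub/Sub as a JSON TemporalAsset document. This code parses that document,
classifies the change, mirrors the CEL ancestor condition in Python, and
builds the gcloud command needed to read the resource's current state, since
the notification itself does not say what changed.
"""
import json
from dataclasses import dataclass
from typing import Optional, Tuple

KMS_PREFIX = "//cloudkms.googleapis.com/"


@dataclass(frozen=True)
class KmsChange:
    asset_type: str              # e.g. cloudkms.googleapis.com/CryptoKeyVersion
    resource: str                # projects/.../cryptoKeyVersions/N, no service prefix
    change: str                  # "deleted" or "created_or_updated"
    ancestors: Tuple[str, ...]   # projects/N, folders/N, organizations/N
    start_time: Optional[str]    # window.startTime from the message


def parse_feed_message(data: bytes) -> KmsChange:
    """Decode one Pub/Sub message body (a TemporalAsset JSON document)."""
    msg = json.loads(data.decode("utf-8"))
    asset = msg["asset"]
    name = asset["name"]
    if not name.startswith(KMS_PREFIX):
        raise ValueError(f"not a Cloud KMS asset: {name}")
    # The feed flags deletions explicitly; anything else is a create or update.
    change = "deleted" if msg.get("deleted", False) else "created_or_updated"
    return KmsChange(
        asset_type=asset["assetType"],
        resource=name[len(KMS_PREFIX):],
        change=change,
        ancestors=tuple(asset.get("ancestors", [])),
        start_time=msg.get("window", {}).get("startTime"),
    )


def in_folder(change: KmsChange, folder_number: str) -> bool:
    """Local equivalent of: 'folders/FOLDER_NUMBER' in temporal_asset.asset.ancestors."""
    return f"folders/{folder_number}" in change.ancestors


def describe_command(change: KmsChange) -> Optional[str]:
    """Return the gcloud command that fetches the resource's current state.

    Returns None for deletions (nothing left to describe) and for asset types
    this example does not handle.
    """
    if change.change == "deleted":
        return None
    # projects/P/locations/L/keyRings/R/cryptoKeys/K[/cryptoKeyVersions/V]
    parts = change.resource.split("/")
    f = dict(zip(parts[0::2], parts[1::2]))
    common = f"--location={f['locations']} --project={f['projects']}"
    if change.asset_type == "cloudkms.googleapis.com/CryptoKeyVersion":
        return (f"gcloud kms keys versions describe {f['cryptoKeyVersions']} "
                f"--key={f['cryptoKeys']} --keyring={f['keyRings']} {common}")
    if change.asset_type == "cloudkms.googleapis.com/CryptoKey":
        return (f"gcloud kms keys describe {f['cryptoKeys']} "
                f"--keyring={f['keyRings']} {common}")
    if change.asset_type == "cloudkms.googleapis.com/KeyRing":
        return f"gcloud kms keyrings describe {f['keyRings']} {common}"
    return None


def build_sample(deleted: bool = False) -> bytes:
    """Constructed TemporalAsset message with placeholder identifiers."""
    return json.dumps({
        "asset": {
            "name": KMS_PREFIX + "projects/example-project/locations/us-central1/"
                    "keyRings/example-ring/cryptoKeys/example-key/cryptoKeyVersions/2",
            "assetType": "cloudkms.googleapis.com/CryptoKeyVersion",
            "ancestors": ["projects/123456789012", "folders/987654321098",
                          "organizations/112233445566"],
        },
        "window": {"startTime": "2024-01-01T00:00:00Z"},
        "deleted": deleted,
    }).encode("utf-8")


if __name__ == "__main__":
    c = parse_feed_message(build_sample())
    print(c.change, c.resource)
    if in_folder(c, "987654321098"):
        print("read back with:", describe_command(c))
```

In a real subscriber, data would be the bytes of the pulled Pub/Sub message (or the base64-decoded data field of a push request); the handler logic is the same. Keeping the describe step explicit is deliberate: a notification that a CryptoKeyVersion was updated is equally consistent with it becoming primary or with it being scheduled for destruction, and only the resource's current state distinguishes the two.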