The Cloud KMS - decrypt task lets you decrypt ciphertext or data that was encrypted with a Cloud Key Management Service (Cloud KMS) key. To decrypt the encrypted data, you must use the same key that was used during encryption. The decrypted text that is returned from Cloud KMS is base64-encoded.
Cloud KMS is a Google Cloud service that allows you to create, import, and manage cryptographic keys and perform cryptographic operations in a single centralized cloud service.
Before you begin
Ensure that you perform the following tasks in your Google Cloud project before configuring the Cloud KMS - decrypt task:
Enable the Cloud Key Management Service (KMS) API (cloudkms.googleapis.com).
Create an authentication profile. Application Integration uses an authentication profile to connect to an authentication endpoint for the Cloud KMS - decrypt task.
Configure the Cloud KMS - decrypt task
In the Google Cloud console, go to the Application Integration page.
The Integrations page appears listing all the integrations available in the Google Cloud project.
Select an existing integration or click Create integration to create a new one.
If you are creating a new integration:
Enter a name and description in the Create Integration pane.
Select a region for the integration.
Select a service account for the integration. You can change or update the service account details of an integration any time from the infoIntegration summary pane in the integration toolbar.
Click Create. The newly created integration opens in the integration editor.
In the integration editor navigation bar, click Tasks to view the list of available tasks and connectors.
Click and place the Cloud KMS - decrypt element in the integration editor.
Click the Cloud KMS - decrypt element on the designer to view the Cloud KMS - decrypt task configuration pane.
Go to Authentication, and select an existing authentication profile that you want to use.
Optional. If you have not created an authentication profile prior to configuring the task, Click + New authentication profile and follow the steps as mentioned in Create a new authentication profile.
Go to Task Input, and configure the displayed inputs fields using the following Task input parameters table.
Changes to the inputs fields are saved automatically.
Task input parameters
The following table describes the input parameters of the Cloud KMS - decrypt task:
Property
Data type
Description
Region
String
Cloud KMS location for the key ring.
ProjectsId
String
Your Google Cloud project ID.
KeyRingsId
String
Name of the key ring where the key will be located.
CryptoKeysId
String
Name of the key to use for decryption.
Request
JSON
See request JSON structure. Specify the encrypted (cipher) text to be decrypted in the ciphertext field of the request body.
Task output
The Cloud KMS - decrypt task returns a response containing the decrypted data in a base64-encoded format. You must decode the base64-encoded value to get the output string.
Error handling strategy
An error handling strategy for a task specifies the action to take if the task fails due to a temporary error. For information about how to use an error handling strategy, and to know about the different types of error handling strategies, see Error handling strategies.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eThe Cloud KMS - decrypt task decrypts ciphertext using a Cloud Key Management Service (Cloud KMS) key, with the decrypted output being base64-encoded.\u003c/p\u003e\n"],["\u003cp\u003eBefore using the Cloud KMS - decrypt task, ensure the Cloud Key Management Service (KMS) API is enabled and an authentication profile with the necessary IAM permissions ( \u003ccode\u003ecloudkms.cryptoKeyVersions.useToDecrypt\u003c/code\u003e ) is configured.\u003c/p\u003e\n"],["\u003cp\u003eConfiguring the Cloud KMS - decrypt task involves selecting or creating an authentication profile and providing input parameters such as Region, ProjectsId, KeyRingsId, CryptoKeysId, and a JSON request containing the ciphertext to be decrypted.\u003c/p\u003e\n"],["\u003cp\u003eThe task's output is a base64-encoded response containing the decrypted data, which needs to be decoded to obtain the final string, and the document provides examples for how to do this.\u003c/p\u003e\n"],["\u003cp\u003eThe document outlines error handling strategies for the task, along with steps to set up edges, test, publish, and add triggers and data mapping after task configuration.\u003c/p\u003e\n"]]],[],null,["# Cloud KMS - decrypt task\n\nSee the [supported connectors](/integration-connectors/docs/connector-reference-overview) for Application Integration.\n\nCloud KMS - decrypt task\n========================\n\n|\n| **Preview**\n|\n|\n| This feature is subject to the \"Pre-GA Offerings Terms\" in the General Service Terms section\n| of the [Service Specific Terms](/terms/service-terms#1).\n|\n| Pre-GA features are available \"as is\" and might have limited support.\n|\n| For more information, see the\n| [launch stage descriptions](/products#product-launch-stages).\n\nThe **Cloud KMS - decrypt** task lets you decrypt ciphertext or data that was encrypted with a Cloud Key Management Service (Cloud KMS) key. To decrypt the encrypted data, you must use the same key that was used during encryption. The decrypted text that is returned from Cloud KMS is base64-encoded.\n\n[Cloud KMS](https://cloud.google.com/kms/docs) is a Google Cloud service that allows you to create, import, and manage cryptographic keys and perform cryptographic operations in a single centralized cloud service.\n\nBefore you begin\n----------------\n\nEnsure that you perform the following tasks in your Google Cloud project before configuring the **Cloud KMS - decrypt** task:\n\n1. Enable the Cloud Key Management Service (KMS) API (`cloudkms.googleapis.com`).\n\n\n [Enable the Cloud Key Management Service (KMS) API](https://console.cloud.google.com/flows/enableapi?apiid=cloudkms.googleapis.com)\n2. Create an [authentication profile](/application-integration/docs/configuring-auth-profile#createAuthProfile). Application Integration uses an authentication profile to connect to an authentication endpoint for the **Cloud KMS - decrypt** task. **Note:** If you're creating an authentication profile of [Service account](/application-integration/docs/configure-authentication-profiles#service-account) type, then ensure that the service account is assigned with the IAM role that contains the following IAM permission(s):\n | - `cloudkms.cryptoKeyVersions.useToDecrypt`\n |\n | To know about IAM permissions and the predefined IAM roles that grant them, see [IAM permissions reference](/iam/docs/permissions-reference#search).\n |\n | For information about granting additional roles or permissions to a service account, see [Granting, changing, and revoking access](/iam/docs/granting-changing-revoking-access).\n\nConfigure the Cloud KMS - decrypt task\n--------------------------------------\n\n1. In the Google Cloud console, go to the **Application Integration** page.\n\n [Go to Application Integration](https://console.cloud.google.com/integrations)\n2. In the navigation menu, click **Integrations** .\n\n\n The **Integrations** page appears listing all the integrations available in the Google Cloud project.\n3. Select an existing integration or click **Create integration** to create a new one.\n\n\n If you are creating a new integration:\n 1. Enter a name and description in the **Create Integration** pane.\n 2. Select a region for the integration. **Note:** The **Regions** dropdown only lists the regions provisioned in your Google Cloud project. To provision a new region, click **Enable Region** . See [Enable new region](/application-integration/docs/enable-new-region) for more information.\n 3. Select a service account for the integration. You can change or update the service account details of an integration any time from the info **Integration summary** pane in the integration toolbar. **Note:** The option to select a service account is displayed only if you have enabled integration governance for the selected region.\n 4. Click **Create** . The newly created integration opens in the *integration editor*.\n\n\n4. In the *integration editor* navigation bar, click **Tasks** to view the list of available tasks and connectors.\n5. Click and place the **Cloud KMS - decrypt** element in the integration editor.\n6. Click the **Cloud KMS - decrypt** element on the designer to view the **Cloud KMS - decrypt** task configuration pane.\n7. Go to **Authentication** , and select an existing authentication profile that you want to use.\n\n Optional. If you have not created an authentication profile prior to configuring the task, Click **+ New authentication profile** and follow the steps as mentioned in [Create a new authentication profile](/application-integration/docs/configuring-auth-profile#createAuthProfile).\n8. Go to **Task Input** , and configure the displayed inputs fields using the following [Task input parameters](#params) table.\n\n Changes to the inputs fields are saved automatically.\n\nTask input parameters\n---------------------\n\n\nThe following table describes the input parameters of the **Cloud KMS - decrypt** task:\n\nTask output\n-----------\n\nThe **Cloud KMS - decrypt** task returns a response containing the decrypted data in a base64-encoded format. You must decode the base64-encoded value to get the output string.\n| **Tip:** You can base64-encode or decode data using the **base64** command on Linux or macOS, or the **Base64.exe** command on Windows. Programming and scripting languages typically include libraries for base64-encoding. For command-line examples, see [Decode base64](/text-to-speech/docs/base64-decoding#linux) in the Cloud Text-to-Speech documentation.\n\n\u003cbr /\u003e\n\nError handling strategy\n-----------------------\n\n\nAn error handling strategy for a task specifies the action to take if the task fails due to a [temporary error](/application-integration/docs/error-handling). For information about how to use an error handling strategy, and to know about the different types of error handling strategies, see [Error handling strategies](/application-integration/docs/error-handling-strategy).\n\nWhat's next\n-----------\n\n1. Add [edges and edge conditions](/application-integration/docs/edge-overview).\n2. [Test and publish](/application-integration/docs/test-publish-integrations) your integration.\n3. Configure a [trigger](/application-integration/docs/how-to-guides#configure-triggers).\n4. Add a [Data Mapping task](/application-integration/docs/data-mapping-task).\n5. See [all tasks for Google Cloud services](/application-integration/docs/how-to-guides#configure-tasks-for-google-cloud-services)."]]
