I want to create an asset feed that would only monitor key rotation for a specific keyring. I don't really know what to put in the "--condition-expression" in order to filter out the key rotation event and the keyring. I have created an asset feed to monitor the asset CryptoKeyVersion with no other filter and it works fine. But I couldn't find any information on the format of what the "--condition-expression" should look like. I've tested this but it didn't work.
gcloud asset feeds create test-feed \
--project=PROJECT-ID \
--asset-types="cloudkms.googleapis.com/CryptoKeyVersion" \
--pubsub-topic="projects/{Project}/topics/{Topic}" \
--condition-expression="'name' == '//cloudkms.googleapis.com/projects/{project-id}/locations/global/keyRings/{key-ring-name}/cryptoKeys/*' && 'eventType' == 'google.cloud.kms.key.update'"
I'm not sure if this would help, but when key rotation happens, this is the message payload that is sent to a pub/sub topic.
{
  "asset": {
    "ancestors": ["projects/1234", "folders/1234", "folders/1234", "folders/1234", "organizations/1234"],
    "assetType": "cloudkms.googleapis.com/CryptoKeyVersion",
    "name": "//cloudkms.googleapis.com/projects/project-name/locations/global/keyRings/keyring-name/cryptoKeys/test-name/cryptoKeyVersions/18",
    "resource": {},
    "updateTime": "2023-06-16T19:01:59.380015Z"
  },
  "priorAssetState": "DOES_NOT_EXIST",
  "window": {
    "startTime": "2023-06-16T19:01:59.380015Z"
  }
}
The usage and format of condition-expression, together with some examples, are described at this link.
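The payload shown in the question already carries everything needed to decide whether a message is a rotation on one particular keyring: the asset type, the full resource name (which embeds the keyring), and priorAssetState, which is DOES_NOT_EXIST when a new CryptoKeyVersion appears. The following added example, which is not part of the question or the answer and not Google's code, applies that decision on the subscriber side in Python, so a Pub/Sub consumer can drop everything except new versions under the keyring it cares about. The sample message is constructed here from the question's payload; the keyring prefix and the function names are assumptions. Whatever the CEL condition on the feed ends up being, this is the same check expressed as code, and it doubles as a way to validate that a feed condition is passing through only the intended events.

```python
import json
import re

# Constructed sample message, shaped like the Cloud Asset feed payload in the question.
SAMPLE_MESSAGE = json.dumps({
    "asset": {
        "ancestors": ["projects/1234", "organizations/1234"],
        "assetType": "cloudkms.googleapis.com/CryptoKeyVersion",
        "name": "//cloudkms.googleapis.com/projects/project-name/locations/global/"
                "keyRings/keyring-name/cryptoKeys/test-name/cryptoKeyVersions/18",
        "resource": {},
        "updateTime": "2023-06-16T19:01:59.380015Z",
    },
    "priorAssetState": "DOES_NOT_EXIST",
    "window": {"startTime": "2023-06-16T19:01:59.380015Z"},
})

# Assumed keyring to watch; the asset name of every key version under it starts with this prefix.
WATCHED_KEY_RING = ("//cloudkms.googleapis.com/projects/project-name/locations/global/"
                    "keyRings/keyring-name/")

CRYPTO_KEY_VERSION_TYPE = "cloudkms.googleapis.com/CryptoKeyVersion"

# Pulls cryptoKey and version number out of a CryptoKeyVersion resource name.
VERSION_NAME_RE = re.compile(r"/cryptoKeys/(?P<key>[^/]+)/cryptoKeyVersions/(?P<version>\d+)$")


def parse_rotation_event(message_json: str, key_ring_prefix: str):
    """Return {'key': ..., 'version': ..., 'time': ...} if the message is a new
    CryptoKeyVersion under key_ring_prefix (what a rotation produces), else None."""
    msg = json.loads(message_json)
    asset = msg.get("asset", {})

    # 1. Only CryptoKeyVersion assets are of interest.
    if asset.get("assetType") != CRYPTO_KEY_VERSION_TYPE:
        return None

    # 2. Restrict to the one keyring by resource-name prefix (name is the full // URI).
    name = asset.get("name", "")
    if not name.startswith(key_ring_prefix):
        return None

    # 3. A rotation creates a new version: prior state DOES_NOT_EXIST. Updates to an
    #    existing version (state changes, destruction) carry a different prior state.
    if msg.get("priorAssetState") != "DOES_NOT_EXIST":
        return None

    match = VERSION_NAME_RE.search(name)
    if match is None:
        return None
    return {
        "key": match.group("key"),
        "version": int(match.group("version")),
        "time": asset.get("updateTime"),
    }


def filter_rotation_events(messages, key_ring_prefix):
    """Apply parse_rotation_event to a batch of raw Pub/Sub message bodies."""
    events = (parse_rotation_event(m, key_ring_prefix) for m in messages)
    return [e for e in events if e is not None]


if __name__ == "__main__":
    print(filter_rotation_events([SAMPLE_MESSAGE], WATCHED_KEY_RING))
```

Running the module prints the single rotation event from the sample (key test-name, version 18). Messages for other keyrings, or for existing versions whose state merely changed, come back as None and are dropped; asserting on those negative cases is the quickest way to confirm the subscriber (or a feed condition) is not over- or under-matching.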