BigQuery customer-managed encryption keys allow users to specify a Cloud KMS key to protect their BigQuery table.
API:
Jobs: https://cloud.google.com/bigquery/docs/reference/rest/v2/jobs
In a job, there is a destinationEncryptionConfiguration field, which indicates which Cloud KMS key should be used for the destination.
Tables: https://cloud.google.com/bigquery/docs/reference/rest/v2/tables
In a table, there is an encryptionConfiguration field, which indicates which Cloud KMS key protects (or should protect in case of CreateTable) a BigQuery table.
These are the main APIs that are required for day-to-day interaction.
With lower priority, support for getServiceAccount would also be nice: https://cloud.google.com/bigquery/docs/reference/rest/v2/projects/getServiceAccount
Note that unlike the other methods mentioned above, this would generally only be called once and the resulting value (the email address) does not change - so it can easily also be called from UI/API/CLI without much hindrance (hence lower priority).
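The following is an added example, not part of the original request or of any client library: a small audit over Tables and Jobs resources (as returned by the REST API, already parsed into dicts) that reports where the two fields described above are missing or point at an unexpected key. The project and key names, the allow-list policy, and the assumption that every query, load and copy job is expected to set a key are constructed for illustration.

```python
import re

# Assumed shape of kmsKeyName: a full Cloud KMS CryptoKey resource name.
KMS_KEY_RE = re.compile(
    r"^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$")
JOB_KINDS = ("query", "load", "copy")  # job types that write a destination table

def check_key(cfg, allowed_keys):
    """Return None if cfg names an allowed CMEK key, else a finding string."""
    key = (cfg or {}).get("kmsKeyName")
    if not key:
        return "no CMEK key set"
    if not KMS_KEY_RE.match(key):
        return f"malformed kmsKeyName: {key!r}"
    if key not in allowed_keys:
        return f"key not on allow-list: {key}"
    return None

def audit_table(table, allowed_keys):
    """Check encryptionConfiguration on a Tables resource."""
    return check_key(table.get("encryptionConfiguration"), allowed_keys)

def audit_job(job, allowed_keys):
    """Check destinationEncryptionConfiguration on a Jobs resource."""
    conf = job.get("configuration", {})
    for kind in JOB_KINDS:
        if kind in conf:
            return check_key(
                conf[kind].get("destinationEncryptionConfiguration"),
                allowed_keys)
    return None  # e.g. extract jobs do not write a BigQuery table

# Constructed sample resources (placeholder project, key ring and key names).
GOOD = ("projects/example-proj/locations/us/"
        "keyRings/example-ring/cryptoKeys/example-key")
ALLOWED = {GOOD}
TABLES = [
    {"id": "example-proj:ds.t1",
     "encryptionConfiguration": {"kmsKeyName": GOOD}},
    {"id": "example-proj:ds.t2"},  # no encryptionConfiguration at all
]
JOB = {"configuration": {"load": {
    "destinationEncryptionConfiguration": {"kmsKeyName": "example-key"}}}}

if __name__ == "__main__":
    for t in TABLES:
        print(t["id"], "->", audit_table(t, ALLOWED) or "ok")
    print("job ->", audit_job(JOB, ALLOWED) or "ok")
```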