Tags: google-cloud-platform, eventtrigger, google-cloud-kms, spring-cloud-gcp, key-rotation

Send trigger when a key in KMS is rotated


In the project I am working on, the key in the KMS would automatically rotate every 90 days, but at times may also be manually rotated in certain scenarios.

I'm looking for a way to give a trigger to a microservice every time a rotation happens, be it manual rotation or scheduled rotation. Is there a cloud function or some sort?

I don't need any code. Just a document, or a high level algorithm is more than sufficient.

Thank you


Solution

  • The Cloud Asset Inventory Service has a way to do this.

    Create a Pub/Sub topic (you can do this in the Cloud Console).

    Run a gcloud command to configure that topic:

    gcloud asset feeds create [TOPIC_NAME] --project=[PROJECT_NAME] \
        --asset-types="cloudkms.googleapis.com/CryptoKeyVersion" \
        --pubsub-topic="projects/[PROJECT_NAME]/topics/[TOPIC_NAME]"

    Note that you can add more conditions and list out multiple asset types (so you can trigger on key rings, keys, and versions if desired).

    From there you can hook your microservice up to the newly created pubsub topic and trigger based on updates there.

    See https://cloud.google.com/asset-inventory/docs/monitoring-asset-changes for more general documentation; the full list of asset types is here: https://cloud.google.com/asset-inventory/docs/supported-asset-types#supported_resource_types. Just search "kms" in the search bar.
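An added example (not part of the answer above, and not code from Google or Spring Cloud GCP) of what the consuming microservice does once it is subscribed to that topic: it decodes a Pub/Sub push envelope, reads the Cloud Asset Inventory feed message, and distinguishes a rotation (a CryptoKeyVersion that did not exist before and is now ENABLED) from a version being disabled or scheduled for destruction. It assumes the feed was created with `--content-type=resource` so that `resource.data.state` is present, and it assumes the feed message shape (`asset`, `priorAsset`, `priorAssetState`, `window`, `resource.data`) as documented for asset feeds; all project, key ring, and key names in the sample messages are constructed.

```python
import base64
import json
from typing import Optional

CRYPTO_KEY_VERSION_TYPE = "cloudkms.googleapis.com/CryptoKeyVersion"

# Constructed sample feed message: version 2 of a key appears for the first time
# (priorAssetState == DOES_NOT_EXIST) and is already ENABLED. This is what a
# scheduled or manual rotation looks like at the CryptoKeyVersion level.
SAMPLE_NEW_VERSION = {
    "asset": {
        "name": ("//cloudkms.googleapis.com/projects/example-project/locations/global/"
                 "keyRings/example-ring/cryptoKeys/example-key/cryptoKeyVersions/2"),
        "assetType": CRYPTO_KEY_VERSION_TYPE,
        "resource": {"data": {"state": "ENABLED", "createTime": "2024-01-01T00:00:00Z"}},
    },
    "priorAssetState": "DOES_NOT_EXIST",
    "window": {"startTime": "2024-01-01T00:00:01Z"},
}

# Constructed sample feed message: version 1 of the same key transitions from
# ENABLED to DISABLED. A subscriber should not treat this as a rotation.
SAMPLE_DISABLED_VERSION = {
    "asset": {
        "name": ("//cloudkms.googleapis.com/projects/example-project/locations/global/"
                 "keyRings/example-ring/cryptoKeys/example-key/cryptoKeyVersions/1"),
        "assetType": CRYPTO_KEY_VERSION_TYPE,
        "resource": {"data": {"state": "DISABLED"}},
    },
    "priorAsset": {
        "assetType": CRYPTO_KEY_VERSION_TYPE,
        "resource": {"data": {"state": "ENABLED"}},
    },
    "priorAssetState": "PRESENT",
    "window": {"startTime": "2024-02-01T00:00:00Z"},
}


def _state(node: Optional[dict]) -> Optional[str]:
    """Pull resource.data.state out of an asset or priorAsset node, tolerating gaps."""
    return ((node or {}).get("resource") or {}).get("data", {}).get("state")


def classify_feed_message(msg: dict) -> Optional[dict]:
    """Turn one asset feed message into an event the microservice can act on.

    Returns None for asset types this consumer does not care about, otherwise a
    dict with event in {ROTATION, VERSION_DISABLED, VERSION_DESTROY_SCHEDULED,
    VERSION_DESTROYED, OTHER}, plus the parent key name, version id and state.
    """
    asset = msg.get("asset") or {}
    if asset.get("assetType") != CRYPTO_KEY_VERSION_TYPE:
        return None

    key_name, version = asset["name"].rsplit("/cryptoKeyVersions/", 1)
    state = _state(asset)
    prior_state = _state(msg.get("priorAsset"))

    if msg.get("priorAssetState") == "DOES_NOT_EXIST" and state == "ENABLED":
        event = "ROTATION"  # brand-new, usable version: the rotation trigger
    elif state != prior_state and state in ("DISABLED", "DESTROY_SCHEDULED", "DESTROYED"):
        event = "VERSION_" + state  # lifecycle change worth alerting on, not a rotation
    else:
        event = "OTHER"  # e.g. label/metadata edits on an existing version

    return {
        "event": event,
        "key": key_name,
        "version": version,
        "state": state,
        "observed_at": (msg.get("window") or {}).get("startTime"),
    }


def make_push_envelope(feed_msg: dict) -> dict:
    """Wrap a feed message the way a Pub/Sub push subscription delivers it (base64 data)."""
    data = base64.b64encode(json.dumps(feed_msg).encode("utf-8")).decode("ascii")
    return {"message": {"data": data, "messageId": "constructed-1"},
            "subscription": "projects/example-project/subscriptions/kms-rotation-sub"}


def handle_pubsub_push(envelope: dict) -> Optional[dict]:
    """Entry point for the microservice's push endpoint: decode, parse, classify."""
    raw = base64.b64decode(envelope["message"]["data"])
    return classify_feed_message(json.loads(raw))


if __name__ == "__main__":
    for sample in (SAMPLE_NEW_VERSION, SAMPLE_DISABLED_VERSION):
        print(handle_pubsub_push(make_push_envelope(sample)))
```

Two caveats a practitioner would want: a new ENABLED CryptoKeyVersion is the signal the question asks for, but whether that version also became the key's primary is only visible on the `cloudkms.googleapis.com/CryptoKey` asset, so if the microservice must know which version is now used for encryption, add that asset type to the feed and watch its `primary` field; and Pub/Sub delivery is at-least-once, so the handler should be idempotent (keying on the version name is a reasonable choice) rather than re-running the downstream action on a redelivered message.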