You need to use Cloud External Key Manager (Cloud EKM) to create an encryption key for encrypting specific BigQuery data at rest in Google Cloud. What are the first steps you should take?