Tags: google-app-engine, encryption, google-cloud-storage, google-cloud-platform

Can Google somehow gain access to data which is encrypted-at-rest with a CSEK in GCP?


We'd like to store sensitive health data using Google Cloud Storage. Customer-Supplied Encryption Keys seem to provide a solution to securely store data in the cloud so that only we, the customer, might decrypt and read it. We would like to know more about this:

Are there any chances or possibilities that Google, the US Government or someone else could gain access to the decrypted sensitive data by legal means? For instance, can the GCP operators be forced somehow to extract the CSEK during runtime and use it to decrypt the storage data and/or share it with a third party? How are Law Enforcement Requests dealt with concerning CSEK-encrypted data on the GCP?


Solution

  • "Are there any chances or possibilities that Google, the US Government or someone else could gain access to the decrypted sensitive data by legal means?" -- Absolutely.

    Understand that companies like Google are strongly opposed to disclosing user data: it works against their business model, which relies on end user trust. They go to enormous efforts to make sure that your data is protected and not even internal employees should have access to it. But, when confronted with a court order, they have a requirement to comply.

    Ever since the Snowden revelations, Google, Microsoft, Amazon, and others have been requesting permission from the US government to allow them to be more transparent about when private data is handed over to government authorities. The Google Transparency Report is an excellent source for information about how Google handles legal requests for end user data.

    As for your specific question about CSEK, as long as your key is uploaded to Google's server, there is the chance that a law enforcement request can demand that certain data encrypted under that key is provided to them.

    What would be ideal is if you could store your data in the cloud and do computations on that encrypted data in the cloud to get the information you want without handing your key over to the cloud service provider, thus preventing law enforcement from accessing your data without directly going to you. There is a concept in cryptography research called Homomorphic Encryption that allows this to happen. Unfortunately, it is nowhere close to practical right now. A similar concept but more practical approach is Mylar, but unfortunately recent research has found some shortcomings in the security claims. So, the technology is not quite ready to do what you and many others want: securing data in the cloud (+ the ability for the cloud provider to do useful things with it on your behalf) without handing over cryptographic keys.
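The point the answer turns on is where the key is at request time: with a CSEK the raw AES-256 key travels to the provider in the request headers and the provider performs the encryption, whereas with encryption done on the client only ciphertext ever leaves you. The following Go program is an added example (not part of the original question or answer, and not Google's code) that models both upload paths side by side. The `Request` and `Provider` types, `seenKeys`, and the sample record are constructed for the illustration; the `x-goog-encryption-*` header names are the ones the GCS CSEK API uses, but the provider model is a simplification of the exposure window the answer describes, not a description of how Google handles keys internally.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Request is a simplified model of one upload to the storage API.
// (Constructed for this example; not the real GCS wire format.)
type Request struct {
	Object  string
	Headers map[string]string
	Body    []byte
}

// Provider models the storage side. During a CSEK request the key is in the
// provider's memory; seenKeys makes that window explicit. This is a model of
// the exposure, not a statement about how Google retains keys.
type Provider struct {
	objects  map[string][]byte // bytes held at rest, per object
	seenKeys map[string][]byte // keys that passed through the provider, per object
}

func NewProvider() *Provider {
	return &Provider{objects: map[string][]byte{}, seenKeys: map[string][]byte{}}
}

// aesGCMSeal encrypts with AES-256-GCM and prefixes the random nonce.
func aesGCMSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// aesGCMOpen reverses aesGCMSeal; it fails on a wrong key or tampered blob.
func aesGCMOpen(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	if len(blob) < gcm.NonceSize() { return nil, fmt.Errorf("ciphertext too short") }
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// CSEKUpload builds what a CSEK client sends: a plaintext body plus the raw
// key in headers (real GCS CSEK header names; the body format is simplified).
func CSEKUpload(object string, key, plaintext []byte) Request {
	sum := sha256.Sum256(key)
	return Request{Object: object, Body: plaintext, Headers: map[string]string{
		"x-goog-encryption-algorithm":  "AES256",
		"x-goog-encryption-key":        base64.StdEncoding.EncodeToString(key),
		"x-goog-encryption-key-sha256": base64.StdEncoding.EncodeToString(sum[:]),
	}}
}

// ClientSideUpload encrypts before the request exists, so the provider
// receives ciphertext and no key header at all.
func ClientSideUpload(object string, key, plaintext []byte) (Request, error) {
	blob, err := aesGCMSeal(key, plaintext)
	if err != nil { return Request{}, err }
	return Request{Object: object, Body: blob, Headers: map[string]string{}}, nil
}

// Handle processes an upload. With a CSEK the provider encrypts using the
// supplied key (and has therefore held it); otherwise it stores the body as-is.
func (p *Provider) Handle(req Request) error {
	if b64, ok := req.Headers["x-goog-encryption-key"]; ok {
		key, err := base64.StdEncoding.DecodeString(b64)
		if err != nil { return err }
		blob, err := aesGCMSeal(key, req.Body)
		if err != nil { return err }
		p.seenKeys[req.Object] = key
		p.objects[req.Object] = blob
		return nil
	}
	p.objects[req.Object] = req.Body
	return nil
}

// ProviderCanDecrypt answers the question in the post: if the key passed
// through the provider, plaintext is recoverable on its side during that
// window; if it never did, the provider holds only ciphertext.
func (p *Provider) ProviderCanDecrypt(object string) bool {
	key, ok := p.seenKeys[object]
	if !ok { return false }
	_, err := aesGCMOpen(key, p.objects[object])
	return err == nil
}

// StoredBytes returns what the provider holds at rest for an object.
func (p *Provider) StoredBytes(object string) []byte { return p.objects[object] }

func main() {
	key := make([]byte, 32) // AES-256 key owned by the customer
	rand.Read(key)
	p := NewProvider()
	record := []byte("patient-0001: constructed sample record") // constructed data
	p.Handle(CSEKUpload("csek/record", key, record))
	req, _ := ClientSideUpload("client/record", key, record)
	p.Handle(req)
	fmt.Println("CSEK object decryptable on provider side:", p.ProviderCanDecrypt("csek/record"))
	fmt.Println("client-encrypted object decryptable on provider side:", p.ProviderCanDecrypt("client/record"))
	pt, _ := aesGCMOpen(key, p.StoredBytes("client/record"))
	fmt.Println("customer can still read its own object:", string(pt) == string(record))
}
```

Both paths leave AES-GCM ciphertext at rest, so "encrypted at rest" is true of each; the difference is only which party ever held the key, which is what a legal request during runtime could reach. The trade-off the answer mentions also shows up here: once the provider never sees the key, it cannot do anything useful with the object beyond storing and returning the bytes.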