---
layout: docs
page_title: GCP Cloud KMS - Key Management - Secrets Engines
description: GCP Cloud KMS is a supported KMS provider of the Key Management secrets engine.
---

# GCP Cloud KMS

The Key Management secrets engine supports lifecycle management of keys in GCP Cloud KMS
[key rings](https://cloud.google.com/kms/docs/resource-hierarchy#key_rings). This is accomplished
by configuring a KMS provider resource with the `gcpckms` provider and other provider-specific
parameter values.

The following sections describe how to properly configure the secrets engine to enable
the functionality.

## Authentication

The Key Management secrets engine must be configured with credentials that have sufficient
permissions to manage keys in an existing GCP Cloud KMS [key ring](https://cloud.google.com/kms/docs/resource-hierarchy#key_rings).
The authentication parameters are described in the [credentials](/api-docs/secret/key-management/gcpkms#credentials)
section of the API documentation. The authentication parameters will be set with the following order
of precedence:

1. `GOOGLE_CREDENTIALS` environment variable
2. [KMS provider credentials](/api-docs/secret/key-management/gcpkms#credentials) parameter
3. [Application default credentials](https://cloud.google.com/docs/authentication/production)

The service account must be authorized with the following minimum
[IAM permissions](https://cloud.google.com/kms/docs/reference/permissions-and-roles) on the
target [key ring](https://cloud.google.com/kms/docs/resource-hierarchy#key_rings) resource:

- `cloudkms.cryptoKeys.create`
- `cloudkms.cryptoKeys.update`
- `cloudkms.importJobs.create`
- `cloudkms.importJobs.get`
- `cloudkms.cryptoKeyVersions.list`
- `cloudkms.cryptoKeyVersions.destroy`
- `cloudkms.cryptoKeyVersions.update`
- `cloudkms.cryptoKeyVersions.create`

## Configuration

The following is an example of how to configure the KMS provider resource using the Vault CLI:

```text
$ vault write keymgmt/kms/example-kms \
    provider="gcpckms" \
    key_collection="projects/<project-id>/locations/<location>/keyRings/<keyring>" \
    credentials=service_account_file="/path/to/service_account/credentials.json"
```

Refer to the GCP Cloud KMS [API documentation](/api-docs/secret/key-management/gcpkms)
for a detailed description of individual configuration parameters.

## Key Transfer Specification

Keys are securely transferred from the secrets engine to GCP Cloud KMS in accordance
with the [key import](https://cloud.google.com/kms/docs/key-import) specification.

## Key Purpose Compatability

The following table defines which key [purposes](/api-docs/secret/key-management#purpose) can be used
for each key type supported by GCP Cloud KMS.

| Key Type       | Purpose                 |
| -------------- | ----------------------- |
| `aes256-gcm96` | `encrypt` and `decrypt` |
| `rsa-2048`     | `decrypt` or `sign`     |
| `rsa-3072`     | `decrypt` or `sign`     |
| `rsa-4096`     | `decrypt` or `sign`     |
| `ecdsa-p256`   | `sign`                  |
| `ecdsa-p384`   | `sign`                  |