mirror of
https://github.com/hashicorp/vault.git
synced 2025-09-01 20:11:09 +02:00
56dcff5ea7
the "cloudkms.importJobs.useToImport" role is missing from the documentation, however it's needed to distribute the keys to GCP'S KMS.
75 lines
3.1 KiB
Plaintext
75 lines
3.1 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: GCP Cloud KMS - Key Management - Secrets Engines
|
|
description: GCP Cloud KMS is a supported KMS provider of the Key Management secrets engine.
|
|
---
|
|
|
|
# GCP Cloud KMS
|
|
|
|
The Key Management secrets engine supports lifecycle management of keys in GCP Cloud KMS
|
|
[key rings](https://cloud.google.com/kms/docs/resource-hierarchy#key_rings). This is accomplished
|
|
by configuring a KMS provider resource with the `gcpckms` provider and other provider-specific
|
|
parameter values.
|
|
|
|
The following sections describe how to properly configure the secrets engine to enable
|
|
the functionality.
|
|
|
|
## Authentication
|
|
|
|
The Key Management secrets engine must be configured with credentials that have sufficient
|
|
permissions to manage keys in an existing GCP Cloud KMS [key ring](https://cloud.google.com/kms/docs/resource-hierarchy#key_rings).
|
|
The authentication parameters are described in the [credentials](/vault/api-docs/secret/key-management/gcpkms#credentials)
|
|
section of the API documentation. The authentication parameters will be set with the following order
|
|
of precedence:
|
|
|
|
1. `GOOGLE_CREDENTIALS` environment variable
|
|
2. [KMS provider credentials](/vault/api-docs/secret/key-management/gcpkms#credentials) parameter
|
|
3. [Application default credentials](https://cloud.google.com/docs/authentication/production)
|
|
|
|
The service account must be authorized with the following minimum
|
|
[IAM permissions](https://cloud.google.com/kms/docs/reference/permissions-and-roles) on the
|
|
target [key ring](https://cloud.google.com/kms/docs/resource-hierarchy#key_rings) resource:
|
|
|
|
- `cloudkms.cryptoKeys.create`
|
|
- `cloudkms.cryptoKeys.update`
|
|
- `cloudkms.importJobs.create`
|
|
- `cloudkms.importJobs.get`
|
|
- `cloudkms.importJobs.useToImport`
|
|
- `cloudkms.cryptoKeyVersions.list`
|
|
- `cloudkms.cryptoKeyVersions.destroy`
|
|
- `cloudkms.cryptoKeyVersions.update`
|
|
- `cloudkms.cryptoKeyVersions.create`
|
|
|
|
## Configuration
|
|
|
|
The following is an example of how to configure the KMS provider resource using the Vault CLI:
|
|
|
|
```text
|
|
$ vault write keymgmt/kms/example-kms \
|
|
provider="gcpckms" \
|
|
key_collection="projects/<project-id>/locations/<location>/keyRings/<keyring>" \
|
|
credentials=service_account_file="/path/to/service_account/credentials.json"
|
|
```
|
|
|
|
Refer to the GCP Cloud KMS [API documentation](/vault/api-docs/secret/key-management/gcpkms)
|
|
for a detailed description of individual configuration parameters.
|
|
|
|
## Key transfer specification
|
|
|
|
Keys are securely transferred from the secrets engine to GCP Cloud KMS in accordance
|
|
with the [key import](https://cloud.google.com/kms/docs/key-import) specification.
|
|
|
|
## Key purpose compatability
|
|
|
|
The following table defines which key [purposes](/vault/api-docs/secret/key-management#purpose) can be used
|
|
for each key type supported by GCP Cloud KMS.
|
|
|
|
| Key Type | Purpose |
|
|
| -------------- | ----------------------- |
|
|
| `aes256-gcm96` | `encrypt` and `decrypt` |
|
|
| `rsa-2048` | `decrypt` or `sign` |
|
|
| `rsa-3072` | `decrypt` or `sign` |
|
|
| `rsa-4096` | `decrypt` or `sign` |
|
|
| `ecdsa-p256` | `sign` |
|
|
| `ecdsa-p384` | `sign` |
|