layout | page_title | description |
---|---|---|
docs | GCP Cloud KMS - KMSs - configuration | The GCP Cloud KMS configures Boundary to use GCP Cloud KMS for key management. |

The GCP Cloud KMS stanza configures Boundary to use GCP Cloud KMS for key management.
The GCP Cloud KMS seal is activated by the presence of a `kms "gcpckms"`
block in Boundary's configuration file.
This example shows configuring GCP Cloud KMS through the Boundary configuration file by providing all the required values:
```hcl
kms "gcpckms" {
  purpose     = "root"
  credentials = "/usr/boundary/boundary-project-user-creds.json"
  project     = "boundary-project"
  region      = "global"
  key_ring    = "boundary-keyring"
  crypto_key  = "boundary-key"
}
```

These parameters apply to the `kms` stanza in the Boundary configuration file:

- `purpose` - Purpose of this KMS, acceptable values are: `worker-auth`, `worker-auth-storage`, `root`, `previous-root`, `recovery`, `bsr`, or `config`.

- `credentials` `(string: <required>)`: The path to the credentials JSON file to use. May also be specified by the `GOOGLE_CREDENTIALS` or `GOOGLE_APPLICATION_CREDENTIALS` environment variable or set automatically if running under Google App Engine, Google Compute Engine or Google Kubernetes Engine.

- `project` `(string: <required>)`: The GCP project ID to use. May also be specified by the `GOOGLE_PROJECT` environment variable.

- `region` `(string: "us-east-1")`: The GCP region/location where the key ring lives. May also be specified by the `GOOGLE_REGION` environment variable.

- `key_ring` `(string: <required>)`: The GCP CKMS key ring to use. May also be specified by the `GCPCKMS_WRAPPER_KEY_RING` environment variable.

- `crypto_key` `(string: <required>)`: The GCP CKMS crypto key to use for encryption and decryption. May also be specified by the `GCPCKMS_WRAPPER_CRYPTO_KEY` environment variable.

Authentication-related values must be provided, either as environment variables or as configuration parameters.

GCP authentication values:

- `GOOGLE_CREDENTIALS` or `GOOGLE_APPLICATION_CREDENTIALS`
- `GOOGLE_PROJECT`
- `GOOGLE_REGION`
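
A pre-start check for the parameter and environment-variable mapping described above, as an added example that is not part of Boundary or its documentation. The function names, the simplified flat-stanza parser and the `SAMPLE` input are assumptions made for illustration.

```python
import os
import re

# Parameter -> environment variables, as listed in the parameter reference on this page.
ENV_NAMES = {
    "credentials": ("GOOGLE_CREDENTIALS", "GOOGLE_APPLICATION_CREDENTIALS"),
    "project": ("GOOGLE_PROJECT",),
    "region": ("GOOGLE_REGION",),
    "key_ring": ("GCPCKMS_WRAPPER_KEY_RING",),
    "crypto_key": ("GCPCKMS_WRAPPER_CRYPTO_KEY",),
}
REQUIRED = ("credentials", "project", "key_ring", "crypto_key")  # marked <required>
PURPOSES = {"worker-auth", "worker-auth-storage", "root", "previous-root",
            "recovery", "bsr", "config"}

def parse_stanzas(text):
    """Return one dict per kms "gcpckms" block; handles flat key = "value" lines only."""
    blocks = re.findall(r'kms\s+"gcpckms"\s*\{(.*?)\}', text, re.S)
    return [dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', b, re.M)) for b in blocks]

def check_stanza(stanza, env):
    """Return findings for one stanza, given the environment Boundary will start with."""
    findings = []
    if stanza.get("purpose") not in PURPOSES:
        findings.append(f"purpose: unsupported value {stanza.get('purpose')!r}")
    for param, names in ENV_NAMES.items():
        in_file = stanza.get(param)
        from_env = {n: env[n] for n in names if env.get(n)}
        if param in REQUIRED and not in_file and not from_env:
            findings.append(f"{param}: not set in the stanza or via {'/'.join(names)}")
        # The page does not say which source wins, so a mismatch is flagged.
        findings += [f"{param}: stanza value differs from {n}"
                     for n, v in from_env.items() if in_file and v != in_file]
    return findings

# Constructed sample: the page's example with key_ring removed and a mistyped purpose.
SAMPLE = '''
kms "gcpckms" {
  purpose     = "roots"
  credentials = "/usr/boundary/boundary-project-user-creds.json"
  project     = "boundary-project"
  region      = "global"
  crypto_key  = "boundary-key"
}
'''

if __name__ == "__main__":
    for stanza in parse_stanzas(SAMPLE):
        for finding in check_stanza(stanza, dict(os.environ)):
            print(finding)
```

On Google App Engine, Compute Engine or Kubernetes Engine, where credentials are set automatically, a `credentials` finding is expected and can be ignored.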