| layout | page_title | description |
|---|---|---|
docs |
GCP Cloud KMS - KMSs - configuration |
The GCP Cloud KMS configures Boundary to use GCP Cloud KMS for key management. |
The GCP Cloud KMS configures Boundary to use GCP Cloud KMS for key management.
The GCP Cloud KMS seal is activated by the presence of a seal "gcpckms" block in Boundary's configuration file.
This example shows configuring GCP Cloud KMS through the Boundary configuration file by providing all the required values:
kms "gcpckms" {
purpose = "root"
credentials = "/usr/boundary/boundary-project-user-creds.json"
project = "boundary-project"
region = "global"
key_ring = "boundary-keyring"
crypto_key = "boundary-key"
}These parameters apply to the kms stanza in the Boundary configuration file:
-
purpose- Purpose of this KMS, acceptable values are:worker-auth,worker-auth-storage,root,previous-root,recovery,bsr, orconfig. -
credentials(string: <required>): The path to the credentials JSON file to use. May be also specified by theGOOGLE_CREDENTIALSorGOOGLE_APPLICATION_CREDENTIALSenvironment variable or set automatically if running under Google App Engine, Google Compute Engine or Google Kubernetes Engine. -
project(string: <required>): The GCP project ID to use. May also be specified by theGOOGLE_PROJECTenvironment variable. -
region(string: "us-east-1"): The GCP region/location where the key ring lives. May also be specified by theGOOGLE_REGIONenvironment variable. -
key_ring(string: <required>): The GCP CKMS key ring to use. May also be specified by theGCPCKMS_WRAPPER_KEY_RINGenvironment variable. -
crypto_key(string: <required>): The GCP CKMS crypto key to use for encryption and decryption. May also be specified by theGCPCKMS_WRAPPER_CRYPTO_KEYenvironment variable.
Authentication-related values must be provided, either as environment variables or as configuration parameters.
GCP authentication values:
GOOGLE_CREDENTIALSorGOOGLE_APPLICATION_CREDENTIALSGOOGLE_PROJECTGOOGLE_REGION