Skip to content

hashicorp/vault-plugin-secrets-gcpkms

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

49 Commits
.github
.github
 
 
cmd/vault-plugin-secrets-gcpkms
cmd/vault-plugin-secrets-gcpkms
 
 
scripts
scripts
 
 
test
test
 
 
version
version
 
 
.gitignore
.gitignore
 
 
.go-version
.go-version
 
 
CHANGELOG.md
CHANGELOG.md
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
backend.go
backend.go
 
 
backend_test.go
backend_test.go
 
 
config.go
config.go
 
 
config_test.go
config_test.go
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
helpers.go
helpers.go
 
 
key.go
key.go
 
 
key_test.go
key_test.go
 
 
path_config.go
path_config.go
 
 
path_config_test.go
path_config_test.go
 
 
path_decrypt.go
path_decrypt.go
 
 
path_decrypt_test.go
path_decrypt_test.go
 
 
path_encrypt.go
path_encrypt.go
 
 
path_encrypt_test.go
path_encrypt_test.go
 
 
path_keys.go
path_keys.go
 
 
path_keys_config.go
path_keys_config.go
 
 
path_keys_config_test.go
path_keys_config_test.go
 
 
path_keys_deregister.go
path_keys_deregister.go
 
 
path_keys_deregister_test.go
path_keys_deregister_test.go
 
 
path_keys_register.go
path_keys_register.go
 
 
path_keys_register_test.go
path_keys_register_test.go
 
 
path_keys_rotate.go
path_keys_rotate.go
 
 
path_keys_rotate_test.go
path_keys_rotate_test.go
 
 
path_keys_test.go
path_keys_test.go
 
 
path_keys_trim.go
path_keys_trim.go
 
 
path_keys_trim_test.go
path_keys_trim_test.go
 
 
path_keys_verify.go
path_keys_verify.go
 
 
path_keys_verify_test.go
path_keys_verify_test.go
 
 
path_pubkey.go
path_pubkey.go
 
 
path_pubkey_test.go
path_pubkey_test.go
 
 
path_reencrypt.go
path_reencrypt.go
 
 
path_reencrypt_test.go
path_reencrypt_test.go
 
 
path_sign.go
path_sign.go
 
 
path_sign_test.go
path_sign_test.go
 
 

Repository files navigation

Vault Secrets Engine for Google Cloud KMS

Build Status

This is a plugin backend for HashiCorp Vault that manages Google Cloud KMS keys and provides pass-through encryption/decryption of data through KMS.

Please note: Security is taken seriously. If you believe you have found a security issue, do not open an issue. Responsibly disclose by contacting security@hashicorp.com.

Usage

The Google Cloud KMS Vault secrets engine is automatically bundled and included in Vault distributions. To activate the plugin, run:

$ vault secrets enable gcpkms

Optionally configure the backend with GCP credentials:

$ vault write gcpkms/config credentials="..."

Ask Vault to generate a new Google Cloud KMS key:

$ vault write gcpkms/keys/my-key \
    key_ring=projects/my-project/locations/global/keyRings/my-keyring \
    crypto_key=my-crypto-key

This will create a KMS key in Google Cloud and requests to Vault will be encrypted/decrypted with that key.

Encrypt some data:

$ vault write gcpkms/encrypt/my-key plaintext="hello world"

Decrypt the data:

$ vault write gcpkms/decrypt/my-key ciphertext="..."

Development

This plugin is automatically distributed and included with Vault. These instructions are only useful if you want to develop against the plugin.

  • Modern Go (1.11+)
  • Git

  1. Clone the repo:

    $ git clone https://github.com/hashicorp/vault-plugin-secrets-gcpkms
$ cd vault-plugin-secrets-gcpkms

  2. Build the binary:

    $ make dev

    The plugin binary will be written to the ./bin directory.

  3. Run Vault plugins from that directory:

    $ vault server -dev -dev-plugin-dir=./bin
$ vault secrets enable -path=gcpkms -plugin=vault-plugin-secrets-gcpkms plugin

Documentation

The documentation for the plugin lives in the main Vault repository in the website/ folder. Please make any documentation updates as separate Pull Requests against that repo.

Tests

This plugin has both unit tests and acceptance tests. To run the acceptance tests, you must:

  • Have a service account in the project with the roles "Cloud KMS Admin" and "Cloud KMS Crypto Operator"
  • Set GOOGLE_APPLICATION_CREDENTIALS to the service account key credentials for the above account
  • Set GOOGLE_CLOUD_PROJECT to the name of the project
  • Request an increase to the Cloud Key Management Service (KMS) API Write-Requests quota to 600 per minute

We recommend running tests in a dedicated Google Cloud project. On a fresh project, you will need to enable the Cloud KMS API. This operation only needs to be completed once per project.

$ gcloud services enable cloudkms.googleapis.com --project $GOOGLE_CLOUD_PROJECT

After the API is enabled, it may take a few minutes to propagate. Please wait and try again.

To run the tests:

$ make test

Warning: the acceptance tests change real resources which may incur real costs. Please run acceptance tests at your own risk.

Cleanup

If a test panics or fails to cleanup, you can be left with orphaned KMS keys. While their monthly cost is minimal, this may be undesirable. As such, there a cleanup script is included. To execute this script, run:

$ export GOOGLE_CLOUD_PROJECT=my-test-project
$ go run test/cleanup/main.go

WARNING! This will delete all keys in most key rings, so do not run this against a production project!

About

Manage, encrypt, decrypt, sign, and verify data with @GoogleCloudPlatform KMS and @hashicorp Vault

Resources

Readme

License

MPL-2.0 license

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

11 stars

Watchers

34 watching

Forks

9 forks
Report repository

Releases 1

v0.17.0 Latest
May 21, 2024

Packages

No packages published

Contributors 21

+ 7 contributors

Languages