A command to get(or put) a key encrypted with GCP CloudKMS
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
.gitignore
Gopkg.lock
Gopkg.toml
LICENSE
Makefile
README.md
kms.go
kms_test.go
main.go
test.sh

README.md

cloudkms

It is a command to safely manage secret key and credential file with GCS using GCP CloudKMS.

Example

# Login is required at gcloud
$ gcloud auth application-default login

# create sample key file
echo "xxxxxxxxxxxxxxxxx" > api_key.txt

# put key file
$ cloudkms put api_key.txt \
               --bucket keyfiles-gcs-bucket \
               --project sample-111 \
               --keyring sample-keyring \
               --keyname sample-keyring-key
Upload api_key.txt

$ rm -f api_key.txt

# get key list
$ cloudkms list --bucket keyfiles-gcs-bucket
service-account-key.json
api_key.txt

# Confirm the contents of the file encrypted by Cloud KMS
$ gsutil cat gs://keyfiles-gcs-bucket/kms-keys/api_key.txt.encrypted
CiQAPX9xtlnCmxixrQipWt2XixqCrMGUaW3caVkEe1QIdRg2Fj0SOwBYHqWMJ0orj3JXWu6203bHHu3cfXPW+dve3zIPlDzzbDrdMv70Q6cRorwAZrY8TY0VdZcXpt3BW6qY%

# get key file
$ export KMS_GCS_BUCKET=keyfiles-gcs-bucket
$ export KMS_PROJECT=sample-111
$ export KMS_KEYRING=sample-keyring
$ export KMS_KEYNAME=sample-keyring-key

$ cloudkms get api_key.txt
Download api_key.txt

$ cat api_key.txt
xxxxxxxxxxxxxxxxx

Usage

$ cloudkms --help
usage: cloudkms [<flags>] <command> [<args> ...]

GCP Cloud KMS Get/Put Command

Flags:
  --help  Show context-sensitive help (also try --help-long and --help-man).

Commands:
  help [<command>...]
    Show help.

  version
    Print version

  list [<flags>]
    Output encryption key files

  get [<flags>] <path>
    Get encryption key file

  put [<flags>] <path>
    Put encryption key file

------------------------------------------

$ cloudkms list --help
usage: cloudkms list [<flags>]

Output encryption key files

Flags:
  --help       Show context-sensitive help (also try --help-long and --help-man).
  --bucket=""  Specify the GCS bucket that stores the encryption key. Configurable with environment
               variable: KMS_GCS_BUCKET

------------------------------------------

$ cloudkms get --help
usage: cloudkms get [<flags>] <path>

Get encryption key file

Flags:
  --help               Show context-sensitive help (also try --help-long and --help-man).
  --bucket=""          Specify the GCS bucket that stores the encryption key. Configurable with
                       environment variable: KMS_GCS_BUCKET
  --project_id=""      GCP Project ID. Configurable with environment variable: KMS_PROJECT
  --location="global"  Region that stored KMS Keyring. Configurable with environment variable:
                       KMS_LOCATION
  --keyring=""         KMS Keyring. Configurable with environment variable: KMS_KEYRING
  --keyname=""         KMS keyring Keyname. Configurable with environment variable: KMS_KEYNAME

Args:
  <path>  Name of the saved encryption key

------------------------------------------

$ cloudkms put --help
usage: cloudkms put [<flags>] <path>

Put encryption key file

Flags:
  --help               Show context-sensitive help (also try --help-long and --help-man).
  --bucket=""          Specify the GCS bucket that stores the encryption key. Configurable with
                       environment variable: KMS_GCS_BUCKET
  --project_id=""      GCP Project ID. Configurable with environment variable: KMS_PROJECT
  --location="global"  Region that stored KMS Keyring. Configurable with environment variable:
                       KMS_LOCATION
  --keyring=""         KMS Keyring. Configurable with environment variable: KMS_KEYRING
  --keyname=""         KMS keyring Keyname. Configurable with environment variable: KMS_KEYNAME

Args:
  <path>  Name of the saved encryption key

Installation

Executable binaries are available at releases.

$ wget https://github.com/morix1500/go-cloudkms/releases/download/v1.0.0/cloudkms_linux_amd64 -O cloudkms 
$ chmod a+x cloudkms

License

Please see the LICENSE file for details.

Author

Shota Nishino(Morix)
https://github.com/morix1500