
cloudkms

cloudkms is a command-line tool for safely managing secret keys and credential files in GCS, encrypted with GCP Cloud KMS.

Example

# Log in with gcloud first
$ gcloud auth application-default login

# create sample key file
$ echo "xxxxxxxxxxxxxxxxx" > api_key.txt

# put key file
$ cloudkms put api_key.txt \
               --bucket keyfiles-gcs-bucket \
               --project_id sample-111 \
               --keyring sample-keyring \
               --keyname sample-keyring-key
Upload api_key.txt

$ rm -f api_key.txt

# get key list
$ cloudkms list --bucket keyfiles-gcs-bucket
service-account-key.json
api_key.txt

# Confirm the contents of the file encrypted by Cloud KMS
$ gsutil cat gs://keyfiles-gcs-bucket/kms-keys/api_key.txt.encrypted
CiQAPX9xtlnCmxixrQipWt2XixqCrMGUaW3caVkEe1QIdRg2Fj0SOwBYHqWMJ0orj3JXWu6203bHHu3cfXPW+dve3zIPlDzzbDrdMv70Q6cRorwAZrY8TY0VdZcXpt3BW6qY%

# get key file
$ export KMS_GCS_BUCKET=keyfiles-gcs-bucket
$ export KMS_PROJECT=sample-111
$ export KMS_KEYRING=sample-keyring
$ export KMS_KEYNAME=sample-keyring-key

$ cloudkms get api_key.txt
Download api_key.txt

$ cat api_key.txt
xxxxxxxxxxxxxxxxx
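
The `get` step above leaves the decrypted file in the working directory. The wrapper below is an added example, not part of go-cloudkms: it fetches the file into a private temporary directory, hands the path to one command, and deletes the plaintext afterwards. The name `with_secret` is hypothetical, and it assumes `cloudkms get NAME` writes NAME into the current directory, as the output above shows.

```shell
#!/bin/sh
# with_secret NAME CMD [ARGS...]
#   Runs CMD with the path of the decrypted file appended as its last argument.
#   The body is a subshell, so variables and traps do not leak into the caller.
with_secret() (
    [ "$#" -ge 2 ] || { echo "usage: with_secret NAME CMD [ARGS...]" >&2; exit 2; }
    name=$1
    shift

    # Reject names that could leave the temp directory or be parsed as a flag.
    case $name in
        ''|.|..|*/*|-*) echo "with_secret: invalid name '$name'" >&2; exit 2 ;;
    esac

    # The settings the README exports before `cloudkms get` must all be present.
    # KMS_LOCATION is optional because the tool defaults it to "global".
    for var in KMS_GCS_BUCKET KMS_PROJECT KMS_KEYRING KMS_KEYNAME; do
        eval "val=\${$var:-}"
        [ -n "$val" ] || { echo "with_secret: $var is not set" >&2; exit 2; }
    done

    umask 077                          # files created from here on are owner-only
    dir=$(mktemp -d) || exit 1
    trap 'rm -rf "$dir"' EXIT          # remove the plaintext on any exit path
    trap 'exit 1' HUP INT TERM         # turn signals into a normal exit so EXIT fires

    # Download inside the temp directory; the caller's working directory is untouched.
    (cd "$dir" && cloudkms get "$name" >/dev/null) || exit 1
    [ -f "$dir/$name" ] || { echo "with_secret: $name was not written" >&2; exit 1; }
    chmod 600 "$dir/$name"

    "$@" "$dir/$name"
    status=$?
    exit "$status"
)
```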

Usage

$ cloudkms --help
usage: cloudkms [<flags>] <command> [<args> ...]

GCP Cloud KMS Get/Put Command

Flags:
  --help  Show context-sensitive help (also try --help-long and --help-man).

Commands:
  help [<command>...]
    Show help.

  version
    Print version

  list [<flags>]
    Output encryption key files

  get [<flags>] <path>
    Get encryption key file

  put [<flags>] <path>
    Put encryption key file

------------------------------------------

$ cloudkms list --help
usage: cloudkms list [<flags>]

Output encryption key files

Flags:
  --help       Show context-sensitive help (also try --help-long and --help-man).
  --bucket=""  Specify the GCS bucket that stores the encryption key. Configurable with environment
               variable: KMS_GCS_BUCKET

------------------------------------------

$ cloudkms get --help
usage: cloudkms get [<flags>] <path>

Get encryption key file

Flags:
  --help               Show context-sensitive help (also try --help-long and --help-man).
  --bucket=""          Specify the GCS bucket that stores the encryption key. Configurable with
                       environment variable: KMS_GCS_BUCKET
  --project_id=""      GCP Project ID. Configurable with environment variable: KMS_PROJECT
  --location="global"  Region that stored KMS Keyring. Configurable with environment variable:
                       KMS_LOCATION
  --keyring=""         KMS Keyring. Configurable with environment variable: KMS_KEYRING
  --keyname=""         KMS keyring Keyname. Configurable with environment variable: KMS_KEYNAME

Args:
  <path>  Name of the saved encryption key

------------------------------------------

$ cloudkms put --help
usage: cloudkms put [<flags>] <path>

Put encryption key file

Flags:
  --help               Show context-sensitive help (also try --help-long and --help-man).
  --bucket=""          Specify the GCS bucket that stores the encryption key. Configurable with
                       environment variable: KMS_GCS_BUCKET
  --project_id=""      GCP Project ID. Configurable with environment variable: KMS_PROJECT
  --location="global"  Region that stored KMS Keyring. Configurable with environment variable:
                       KMS_LOCATION
  --keyring=""         KMS Keyring. Configurable with environment variable: KMS_KEYRING
  --keyname=""         KMS keyring Keyname. Configurable with environment variable: KMS_KEYNAME

Args:
  <path>  Name of the saved encryption key

Installation

Executable binaries are available on the releases page.

$ wget https://github.com/morix1500/go-cloudkms/releases/download/v1.0.0/cloudkms_linux_amd64 -O cloudkms
$ chmod a+x cloudkms

License

Please see the LICENSE file for details.

Author

Shota Nishino(Morix)
https://github.com/morix1500
