Boundary
gcpckms KMS
The GCP Cloud KMS configures Boundary to use GCP Cloud KMS for key management.
The GCP Cloud KMS seal is activated by the presence of a seal "gcpckms"
block in Boundary's configuration file.
gcpckms
example
This example shows configuring GCP Cloud KMS through the Boundary configuration file by providing all the required values:
kms "gcpckms" {
purpose = "root"
credentials = "/usr/boundary/boundary-project-user-creds.json"
project = "boundary-project"
region = "global"
key_ring = "boundary-keyring"
crypto_key = "boundary-key"
}
gcpckms
parameters
These parameters apply to the kms
stanza in the Boundary configuration file:
purpose
- Purpose of this KMS, acceptable values are:worker-auth
,worker-auth-storage
,root
,previous-root
,recovery
,bsr
, orconfig
.credentials
(string: <required>)
: The path to the credentials JSON file to use. May be also specified by theGOOGLE_CREDENTIALS
orGOOGLE_APPLICATION_CREDENTIALS
environment variable or set automatically if running under Google App Engine, Google Compute Engine or Google Kubernetes Engine.project
(string: <required>)
: The GCP project ID to use. May also be specified by theGOOGLE_PROJECT
environment variable.region
(string: "us-east-1")
: The GCP region/location where the key ring lives. May also be specified by theGOOGLE_REGION
environment variable.key_ring
(string: <required>)
: The GCP CKMS key ring to use. May also be specified by theGCPCKMS_WRAPPER_KEY_RING
environment variable.crypto_key
(string: <required>)
: The GCP CKMS crypto key to use for encryption and decryption. May also be specified by theGCPCKMS_WRAPPER_CRYPTO_KEY
environment variable.
Authentication & permissions
Authentication-related values must be provided, either as environment variables or as configuration parameters.
GCP authentication values:
GOOGLE_CREDENTIALS
orGOOGLE_APPLICATION_CREDENTIALS
GOOGLE_PROJECT
GOOGLE_REGION