Nomad
gcpckms keyring
The GCP Cloud KMS keyring configures Nomad to use GCP Cloud KMS to wrap its keyring. This example shows configuring GCP Cloud KMS keyring through the Nomad configuration file by providing all the required values.
keyring "gcpckms" {
active = true
name = "example"
credentials = "/etc/nomad.d/nomad-user-creds.json"
project = "nomad-project"
region = "global"
key_ring = "nomad-keyring"
crypto_key = "nomad-key"
}
gcpckms
parameters
These parameters apply to the keyring
stanza in the Nomad configuration file:
credentials
(string: <required>)
: The path to the credentials JSON file to use. Alternately specify via theGOOGLE_CREDENTIALS
orGOOGLE_APPLICATION_CREDENTIALS
environment variable or set automatically if running under Google Compute Engine.project
(string: <required>)
: The GCP project ID to use. Alternately specify via theGOOGLE_PROJECT
environment variable.region
(string: <required>)
: The GCP region/location where the key ring lives. Alternately specify via theGOOGLE_REGION
environment variable.key_ring
(string: <required>)
: The GCP CKMS key ring to use.crypto_key
(string: <required>)
: The GCP CKMS crypto key to use for encryption and decryption.
Authentication & permissions
You must provide authentication-related values either as environment variables or as configuration parameters.
GCP authentication values:
GOOGLE_CREDENTIALS
orGOOGLE_APPLICATION_CREDENTIALS
GOOGLE_PROJECT
GOOGLE_REGION
Note: The client uses the official Google SDK and the specified credentials, environment credentials, or application default credentials in that order, if you do not provide the aforementioned GCP-specific values.
The service account needs the following minimum permissions on the crypto key:
cloudkms.cryptoKeyVersions.useToEncrypt
cloudkms.cryptoKeyVersions.useToDecrypt
cloudkms.cryptoKeys.get
These permissions can be described with the following role:
roles/cloudkms.cryptoKeyEncrypterDecrypter
cloudkms.cryptoKeys.get
Use cloudkms.cryptoKeys.get
permission for retrieving metadata information of
keys from CloudKMS within this engine initialization process.
Key rotation
This keyring supports rotating keys defined in Google Cloud KMS doc. Both scheduled rotation and manual rotation is supported for CKMS since the key information. Old keys version must not be disabled or deleted and are used to decrypt older data. Any new or updated data is encrypted with the primary key version.