Vault
GCP Cloud KMS (API)
The Key Management secrets engine supports lifecycle management of keys in GCP Cloud KMS
key rings. This is accomplished by
configuring a KMS provider resource with the gcpckms
provider and other provider-specific parameter
values.
The following sections provide API documentation that is specific to GCP Cloud KMS.
Create/Update KMS provider
This endpoint creates or updates a KMS provider. If a KMS provider with the given name
does not exist, it will be created. If the KMS provider exists, it will be updated with
the given parameter values.
Method | Path |
---|---|
POST | /keymgmt/kms/:name |
Parameters
name
(string: <required>)
– Specifies the name of the KMS provider to create or update. This is provided as part of the request URL.provider
(string: <required>)
– Specifies the name of a KMS provider that's external to Vault. Must be set togcpckms
. Cannot be changed after creation.key_collection
(string: <required>)
– Refers to the resource ID of an existing GCP Cloud KMS key ring. Cannot be changed after creation.credentials
(map<string|string>: nil)
– The credentials to use for authentication with GCP Cloud KMS. Supplying values for this parameter is optional, as credentials may also be specified as environment variables. See the authentication section for details on precedence.service_account_file
(string: <required>)
- The path to a Google service account key file. The key file must be readable on the host that Vault server is running on. May also be provided by theGOOGLE_CREDENTIALS
environment variable or by application default credentials.