Vault
GCP Cloud KMS
The Key Management secrets engine supports lifecycle management of keys in GCP Cloud KMS
key rings. This is accomplished
by configuring a KMS provider resource with the gcpckms
provider and other provider-specific
parameter values.
The following sections describe how to properly configure the secrets engine to enable the functionality.
Authentication
The Key Management secrets engine must be configured with credentials that have sufficient permissions to manage keys in an existing GCP Cloud KMS key ring. The authentication parameters are described in the credentials section of the API documentation. The authentication parameters will be set with the following order of precedence:
GOOGLE_CREDENTIALS
environment variable- KMS provider credentials parameter
- Application default credentials
The service account must be authorized with the following minimum IAM permissions on the target key ring resource:
cloudkms.cryptoKeys.create
cloudkms.cryptoKeys.update
cloudkms.importJobs.create
cloudkms.importJobs.get
cloudkms.importJobs.useToImport
cloudkms.cryptoKeyVersions.list
cloudkms.cryptoKeyVersions.destroy
cloudkms.cryptoKeyVersions.update
cloudkms.cryptoKeyVersions.create
Configuration
The following is an example of how to configure the KMS provider resource using the Vault CLI:
$ vault write keymgmt/kms/example-kms \
provider="gcpckms" \
key_collection="projects/<project-id>/locations/<location>/keyRings/<keyring>" \
credentials=service_account_file="/path/to/service_account/credentials.json"
Refer to the GCP Cloud KMS API documentation for a detailed description of individual configuration parameters.
Key transfer specification
Keys are securely transferred from the secrets engine to GCP Cloud KMS in accordance with the key import specification.
Key purpose compatability
The following table defines which key purposes can be used for each key type supported by GCP Cloud KMS.
Key Type | Purpose |
---|---|
aes256-gcm96 | encrypt and decrypt |
rsa-2048 | decrypt or sign |
rsa-3072 | decrypt or sign |
rsa-4096 | decrypt or sign |
ecdsa-p256 | sign |
ecdsa-p384 | sign |