From 4699c06185ed52a77dd4b28eafb1dc84ce314c76 Mon Sep 17 00:00:00 2001
From: Dan Heath <76443935+Dan-Heath@users.noreply.github.com>
Date: Fri, 10 Oct 2025 14:09:45 +0000
Subject: [PATCH] backport of commit 204d8ec011347a89a14cf6b2c28a0f554b327f48
---
website/content/docs/configuration/kms/aead.mdx | 2 ++
website/content/docs/configuration/kms/alicloudkms.mdx | 5 +++++
website/content/docs/configuration/kms/awskms.mdx | 5 +++++
website/content/docs/configuration/kms/azurekeyvault.mdx | 5 +++++
website/content/docs/configuration/kms/gcpckms.mdx | 5 +++++
website/content/docs/configuration/kms/transit.mdx | 5 +++++
6 files changed, 27 insertions(+)
diff --git a/website/content/docs/configuration/kms/aead.mdx b/website/content/docs/configuration/kms/aead.mdx
index d6e29dd4bf..e3b77bd526 100644
--- a/website/content/docs/configuration/kms/aead.mdx
+++ b/website/content/docs/configuration/kms/aead.mdx
@@ -29,3 +29,5 @@ kms "aead" { - `key` - The base64-encoded 256-bit encryption key. - `key_id` - The unique name of this key.
+It is used to identify the key when you perform a root key migration.
+You can use the `key_id` field with all KMS stanzas.
diff --git a/website/content/docs/configuration/kms/alicloudkms.mdx b/website/content/docs/configuration/kms/alicloudkms.mdx
index 5c941ef8fa..78a0b25b47 100644
--- a/website/content/docs/configuration/kms/alicloudkms.mdx
+++ b/website/content/docs/configuration/kms/alicloudkms.mdx
@@ -24,6 +24,7 @@ kms "alicloudkms" { access_key = "0wNEpMMlzy7szvai" secret_key = "PupkTg8jdmau1cXxYacgE736PJj4cA" kms_key_id = "08c33a6f-4e0a-4a1b-a3fa-7ddfa1d4fb73"
+ key_id = "global_worker-auth"
} ```
@@ -54,6 +55,10 @@ These parameters apply to the `kms` stanza in the Boundary configuration file: and decryption. May also be specified by the `ALICLOUDKMS_WRAPPER_KEY_ID` environment variable.
+- `key_id` - The unique name of this key.
+It is used to identify the key when you perform a root key migration.
+You can use the `key_id` field with all KMS stanzas.
+
## Authentication Authentication-related values must be provided, either as environment
diff --git a/website/content/docs/configuration/kms/awskms.mdx b/website/content/docs/configuration/kms/awskms.mdx
index 72a3e8a808..667f3dea5e 100644
--- a/website/content/docs/configuration/kms/awskms.mdx
+++ b/website/content/docs/configuration/kms/awskms.mdx
@@ -22,6 +22,7 @@ kms "awskms" { secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" kms_key_id = "19ec80b0-dfdd-4d97-8164-c6examplekey" endpoint = "https://vpce-0e1bb1852241f8cc6-pzi0do8n.kms.us-east-1.vpce.amazonaws.com"
+ key_id = "global_worker-auth"
} ```
@@ -78,6 +79,10 @@ These parameters apply to the `kms` stanza in the Boundary configuration file: Endpoint](https://docs.aws.amazon.com/kms/latest/developerguide/kms-vpc-endpoint.html). If not set, Boundary will use the default API endpoint for your region.
+- `key_id` - The unique name of this key.
+It is used to identify the key when you perform a root key migration.
+You can use the `key_id` field with all KMS stanzas.
+
## Authentication Authentication-related values must be provided, either as environment
diff --git a/website/content/docs/configuration/kms/azurekeyvault.mdx b/website/content/docs/configuration/kms/azurekeyvault.mdx
index 66b9275f16..bd9d657e98 100644
--- a/website/content/docs/configuration/kms/azurekeyvault.mdx
+++ b/website/content/docs/configuration/kms/azurekeyvault.mdx
@@ -25,6 +25,7 @@ kms "azurekeyvault" { client_secret = "DUJDS3..." vault_name = "hc-vault" key_name = "vault_key"
+ key_id = "global_worker-auth"
} ```
@@ -53,6 +54,10 @@ These parameters apply to the `kms` stanza in the Vault configuration file: - `key_name` `(string: )`: The Key Vault key to use for encryption and decryption. May also be specified by the `AZUREKEYVAULT_WRAPPER_KEY_NAME` environment variable.
+- `key_id` - The unique name of this key.
+It is used to identify the key when you perform a root key migration.
+You can use the `key_id` field with all KMS stanzas.
+
## Authentication Authentication-related values must be provided, either as environment
diff --git a/website/content/docs/configuration/kms/gcpckms.mdx b/website/content/docs/configuration/kms/gcpckms.mdx
index 5ff0f21ab5..d9a4f58fbe 100644
--- a/website/content/docs/configuration/kms/gcpckms.mdx
+++ b/website/content/docs/configuration/kms/gcpckms.mdx
@@ -24,6 +24,7 @@ kms "gcpckms" { region = "global" key_ring = "boundary-keyring" crypto_key = "boundary-key"
+ key_id = "global_worker-auth"
} ```
@@ -53,6 +54,10 @@ These parameters apply to the `kms` stanza in the Boundary configuration file: encryption and decryption. May also be specified by the `GCPCKMS_WRAPPER_CRYPTO_KEY` environment variable.
+- `key_id` - The unique name of this key.
+It is used to identify the key when you perform a root key migration.
+You can use the `key_id` field with all KMS stanzas.
+
## Authentication & permissions Authentication-related values must be provided, either as environment
diff --git a/website/content/docs/configuration/kms/transit.mdx b/website/content/docs/configuration/kms/transit.mdx
index 891ea9b16a..f3086c1d3c 100644
--- a/website/content/docs/configuration/kms/transit.mdx
+++ b/website/content/docs/configuration/kms/transit.mdx
@@ -22,6 +22,7 @@ kms "transit" { address = "https://vault:8200" token = "s.Qf1s5zigZ4OX6akYjQXJC1jY" disable_renewal = "false"
+ key_id = "global_worker-auth"
// Key configuration key_name = "transit_key_name"
@@ -87,6 +88,10 @@ These parameters apply to the `kms` stanza in the Vault configuration file: transmissions to and from the Vault server. This may also be specified using the `VAULT_SKIP_VERIFY` environment variable.
+- `key_id` - The unique name of this key.
+It is used to identify the key when you perform a root key migration.
+You can use the `key_id` field with all KMS stanzas.
+
## Authentication Authentication-related values must be provided, either as environment