aherman
/
boundary
mirror of https://github.com/hashicorp/boundary
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'b24f6dcee8'
${ noResults }
boundary/website/content/docs/configuration/kms/gcpckms.mdx

66 lines
2.2 KiB
Raw Blame History

---
layout: docs
page_title: GCP Cloud KMS - KMSs - configuration
description: >-
The GCP Cloud KMS configures Boundary to use GCP Cloud KMS for key management.
---
# `gcpckms` KMS
The GCP Cloud KMS configures Boundary to use GCP Cloud KMS for key management.
The GCP Cloud KMS seal is activated by the presence of a `seal "gcpckms"` block in Boundary's configuration file.
## `gcpckms` example
This example shows configuring GCP Cloud KMS through the Boundary
configuration file by providing all the required values:
```hcl
kms "gcpckms" {
purpose = "root"
credentials = "/usr/boundary/boundary-project-user-creds.json"
project = "boundary-project"
region = "global"
key_ring = "boundary-keyring"
crypto_key = "boundary-key"
}
```
## `gcpckms` parameters
These parameters apply to the `kms` stanza in the Boundary configuration file:
- `purpose` - Purpose of this KMS, acceptable values are: `worker-auth`, `worker-auth-storage`,
`root`, `previous-root`, `recovery`, `bsr`, or `config`.
- `credentials` `(string: <required>)`: The path to the credentials JSON file
to use. May be also specified by the `GOOGLE_CREDENTIALS` or
`GOOGLE_APPLICATION_CREDENTIALS` environment variable or set automatically if
running under Google App Engine, Google Compute Engine or Google Kubernetes
Engine.
- `project` `(string: <required>)`: The GCP project ID to use. May also be
specified by the `GOOGLE_PROJECT` environment variable.
- `region` `(string: "us-east-1")`: The GCP region/location where the key ring
lives. May also be specified by the `GOOGLE_REGION` environment variable.
- `key_ring` `(string: <required>)`: The GCP CKMS key ring to use. May also be specified
by the `GCPCKMS_WRAPPER_KEY_RING` environment variable.
- `crypto_key` `(string: <required>)`: The GCP CKMS crypto key to use for
encryption and decryption. May also be specified by the `GCPCKMS_WRAPPER_CRYPTO_KEY`
environment variable.
## Authentication &amp; permissions
Authentication-related values must be provided, either as environment
variables or as configuration parameters.
GCP authentication values:
- `GOOGLE_CREDENTIALS` or `GOOGLE_APPLICATION_CREDENTIALS`
- `GOOGLE_PROJECT`
- `GOOGLE_REGION`
Reference in new issue View Git Blame Copy Permalink