GCP Cloud KMS

The Key Management secrets engine supports lifecycle management of keys in GCP Cloud KMS key rings. This is accomplished by configuring a KMS provider resource with the gcpckms provider and other provider-specific parameter values.

The following sections describe how to properly configure the secrets engine to enable the functionality.

Authentication

The Key Management secrets engine must be configured with credentials that have sufficient permissions to manage keys in an existing GCP Cloud KMS key ring. The authentication parameters are described in the credentials section of the API documentation. The authentication parameters will be set with the following order of precedence:

1. GOOGLE_CREDENTIALS environment variable
2. KMS provider credentials parameter
3. Application default credentials

The service account must be authorized with the following minimum IAM permissions on the target key ring resource:

• cloudkms.cryptoKeys.create
• cloudkms.cryptoKeys.update
• cloudkms.importJobs.create
• cloudkms.importJobs.get
• cloudkms.importJobs.useToImport
• cloudkms.cryptoKeyVersions.list
• cloudkms.cryptoKeyVersions.destroy
• cloudkms.cryptoKeyVersions.update
• cloudkms.cryptoKeyVersions.create

Configuration

The following is an example of how to configure the KMS provider resource using the Vault CLI:

$ vault write keymgmt/kms/example-kms \
    provider="gcpckms" \
    key_collection="projects/<project-id>/locations/<location>/keyRings/<keyring>" \
    credentials=service_account_file="/path/to/service_account/credentials.json"

Refer to the GCP Cloud KMS API documentation for a detailed description of individual configuration parameters.

Key transfer specification

Keys are securely transferred from the secrets engine to GCP Cloud KMS in accordance with the key import specification.

Key purpose compatability

The following table defines which key purposes can be used for each key type supported by GCP Cloud KMS.