GCP Cloud KMS
The key management secrets engine supports lifecycle management of keys in GCP Cloud KMS
key rings. This is accomplished
by configuring a KMS provider resource with the gcpckms
provider and other provider-specific
parameter values.
The following sections describe how to properly configure the secrets engine to enable the functionality.
Refer to the setup guide for CLI command examples.
Authentication
The key management secrets engine must be configured with credentials that have sufficient permissions to manage keys in an existing GCP Cloud KMS key ring. The authentication parameters are described in the credentials section of the API documentation. The authentication parameters will be set with the following order of precedence:
GOOGLE_CREDENTIALS
environment variable- KMS provider credentials parameter
- Application default credentials
The service account must be authorized with the following minimum IAM permissions on the target key ring resource:
cloudkms.cryptoKeys.create
cloudkms.cryptoKeys.update
cloudkms.importJobs.create
cloudkms.importJobs.get
cloudkms.importJobs.useToImport
cloudkms.cryptoKeyVersions.list
cloudkms.cryptoKeyVersions.destroy
cloudkms.cryptoKeyVersions.update
cloudkms.cryptoKeyVersions.create
Key transfer specification
Keys are securely transferred from the secrets engine to GCP Cloud KMS in accordance with the key import specification.
Key purpose compatability
The following table defines which key purposes can be used for each key type supported by GCP Cloud KMS.
Key Type | Purpose |
---|---|
aes256-gcm96 | encrypt and decrypt |
rsa-2048 | decrypt or sign |
rsa-3072 | decrypt or sign |
rsa-4096 | decrypt or sign |
ecdsa-p256 | sign |
ecdsa-p384 | sign |