Boundary
alicloudkms KMS
The AliCloud KMS configures Boundary to use AliCloud KMS for key management. The AliCloud KMS is activated by one of the following:
- The presence of a
kms "alicloudkms"
block in Boundary's configuration file.
alicloudkms
example
This example shows configuring AliCloud KMS through the Boundary configuration file by providing all the required values:
kms "alicloudkms" {
purpose = "root"
region = "us-east-1"
access_key = "0wNEpMMlzy7szvai"
secret_key = "PupkTg8jdmau1cXxYacgE736PJj4cA"
kms_key_id = "08c33a6f-4e0a-4a1b-a3fa-7ddfa1d4fb73"
}
alicloudkms
parameters
These parameters apply to the kms
stanza in the Boundary configuration file:
purpose
- Purpose of this KMS, acceptable values are:worker-auth
,worker-auth-storage
,root
,previous-root
,recovery
, orconfig
.region
(string: <required> "us-east-1")
: The AliCloud region where the encryption key lives. May also be specified by theALICLOUD_REGION
environment variable.domain
(string: "kms.us-east-1.aliyuncs.com")
: If set, overrides the endpoint AliCloud would normally use for KMS for a particular region. May also be specified by theALICLOUD_DOMAIN
environment variable.access_key
(string: <required>)
: The AliCloud access key ID to use. May also be specified by theALICLOUD_ACCESS_KEY
environment variable or as part of the AliCloud profile from the AliCloud CLI or instance profile.secret_key
(string: <required>)
: The AliCloud secret access key to use. May also be specified by theALICLOUD_SECRET_KEY
environment variable or as part of the AliCloud profile from the AliCloud CLI or instance profile.kms_key_id
(string: <required>)
: The AliCloud KMS key ID to use for encryption and decryption. May also be specified by theALICLOUDKMS_WRAPPER_KEY_ID
environment variable.
Authentication
Authentication-related values must be provided, either as environment variables or as configuration parameters.
Note: Although the configuration file allows you to pass in
ALICLOUD_ACCESS_KEY
and ALICLOUD_SECRET_KEY
as part of the 's parameters, it
is strongly recommended to set these values via environment variables.
AliCloud authentication values:
* `ALICLOUD_REGION`
* `ALICLOUD_ACCESS_KEY`
* `ALICLOUD_SECRET_KEY`
The client uses the official AliCloud SDK and will use environment credentials, the specified credentials, or RAM role credentials in that order.