gcpckms KMS

The GCP Cloud KMS configures Boundary to use GCP Cloud KMS for key management.

The GCP Cloud KMS seal is activated by the presence of a seal "gcpckms" block in Boundary's configuration file.

gcpckms example

This example shows configuring GCP Cloud KMS through the Boundary configuration file by providing all the required values:

kms "gcpckms" {
  purpose     = "root"
  credentials = "/usr/boundary/boundary-project-user-creds.json"
  project     = "boundary-project"
  region      = "global"
  key_ring    = "boundary-keyring"
  crypto_key  = "boundary-key"
}

gcpckms parameters

These parameters apply to the kms stanza in the Boundary configuration file:

• purpose - Purpose of this KMS, acceptable values are: worker-auth, worker-auth-storage, root, previous-root, recovery, or config.

• credentials (string: <required>): The path to the credentials JSON file to use. May be also specified by the GOOGLE_CREDENTIALS or GOOGLE_APPLICATION_CREDENTIALS environment variable or set automatically if running under Google App Engine, Google Compute Engine or Google Kubernetes Engine.

• project (string: <required>): The GCP project ID to use. May also be specified by the GOOGLE_PROJECT environment variable.

• region (string: "us-east-1"): The GCP region/location where the key ring lives. May also be specified by the GOOGLE_REGION environment variable.

• key_ring (string: <required>): The GCP CKMS key ring to use. May also be specified by the GCPCKMS_WRAPPER_KEY_RING environment variable.

• crypto_key (string: <required>): The GCP CKMS crypto key to use for encryption and decryption. May also be specified by the GCPCKMS_WRAPPER_CRYPTO_KEY environment variable.

Authentication & permissions

Authentication-related values must be provided, either as environment variables or as configuration parameters.

GCP authentication values:

• GOOGLE_CREDENTIALS or GOOGLE_APPLICATION_CREDENTIALS
• GOOGLE_PROJECT
• GOOGLE_REGION