»GCP Cloud KMS
The Key Management secrets engine supports lifecycle management of keys in GCP Cloud KMS
key rings. This is accomplished
by configuring a KMS provider resource with the
gcpckms provider and other provider-specific
The following sections describe how to properly configure the secrets engine to enable the functionality.
The Key Management secrets engine must be configured with credentials that have sufficient permissions to manage keys in an existing GCP Cloud KMS key ring. The authentication parameters are described in the credentials section of the API documentation. The authentication parameters will be set with the following order of precedence:
- KMS provider credentials parameter
- Application default credentials
The service account must be authorized with the following minimum IAM permissions on the target key ring resource:
The following is an example of how to configure the KMS provider resource using the Vault CLI:
$ vault write keymgmt/kms/example-kms \ provider="gcpckms" \ key_collection="projects/<project-id>/locations/<location>/keyRings/<keyring>" \ credentials=service_account_file="/path/to/service_account/credentials.json"
Refer to the GCP Cloud KMS API documentation for a detailed description of individual configuration parameters.
Key Transfer Specification
Keys are securely transferred from the secrets engine to GCP Cloud KMS in accordance with the key import specification.
Key Purpose Compatability
The following table defines which key purposes can be used for each key type supported by GCP Cloud KMS.