Vault
GCP Cloud KMS
The key management secrets engine supports lifecycle management of keys in GCP Cloud KMS key rings. This is accomplished by configuring a KMS provider resource with the gcpckms provider and other provider-specific parameter values.
The following sections describe how to properly configure the secrets engine to enable the functionality.
Refer to the setup guide for CLI command examples.
Authentication
The key management secrets engine must be configured with credentials that have sufficient permissions to manage keys in an existing GCP Cloud KMS key ring. The authentication parameters are described in the credentials section of the API documentation. The authentication parameters are resolved in the following order of precedence:

1. GOOGLE_CREDENTIALS environment variable
2. KMS provider credentials parameter
3. Application default credentials
The service account must be authorized with the following minimum IAM permissions on the target key ring resource:
- cloudkms.cryptoKeys.create
- cloudkms.cryptoKeys.update
- cloudkms.importJobs.create
- cloudkms.importJobs.get
- cloudkms.importJobs.useToImport
- cloudkms.cryptoKeyVersions.list
- cloudkms.cryptoKeyVersions.destroy
- cloudkms.cryptoKeyVersions.update
- cloudkms.cryptoKeyVersions.create
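The following pre-flight check is an added example and is not Vault's own code or part of the gcpckms provider. It encodes the two rules above: the credential precedence (GOOGLE_CREDENTIALS environment variable, then the KMS provider credentials parameter, then application default credentials) and the minimum IAM permission list for the key ring. The custom role definition, key ring IAM policy and service account name are constructed sample data in the shape of `gcloud iam roles describe --format=json` and `gcloud kms keyrings get-iam-policy --format=json` output; predefined roles whose permission lists are not supplied are treated as unknown rather than assumed sufficient.

```python
"""Pre-flight checks for a Vault keymgmt gcpckms provider (added example, not HashiCorp code)."""
import json
from typing import Iterable, List, Mapping, Optional, Set

# Minimum permissions the page lists for the service account on the target key ring.
REQUIRED_PERMISSIONS = frozenset({
    "cloudkms.cryptoKeys.create",
    "cloudkms.cryptoKeys.update",
    "cloudkms.importJobs.create",
    "cloudkms.importJobs.get",
    "cloudkms.importJobs.useToImport",
    "cloudkms.cryptoKeyVersions.list",
    "cloudkms.cryptoKeyVersions.destroy",
    "cloudkms.cryptoKeyVersions.update",
    "cloudkms.cryptoKeyVersions.create",
})


def resolve_credential_source(env: Mapping[str, str],
                              provider_credentials: Optional[Mapping[str, str]],
                              adc_available: bool) -> str:
    """Return which credential source wins, in the page's order of precedence.

    `provider_credentials` models the `credentials=service_account_file=...`
    parameter on the KMS provider resource; `adc_available` models whether
    application default credentials can be found on the Vault host.
    """
    if env.get("GOOGLE_CREDENTIALS"):
        return "GOOGLE_CREDENTIALS"
    if provider_credentials and provider_credentials.get("service_account_file"):
        return "provider_credentials_parameter"
    if adc_available:
        return "application_default_credentials"
    raise RuntimeError("no GCP credentials available for the gcpckms provider")


def effective_permissions(policy: Mapping, roles: Mapping[str, Mapping],
                          member: str) -> Set[str]:
    """Union of includedPermissions for every role bound to `member` on the key ring.

    Roles missing from `roles` (e.g. predefined roles you did not describe)
    contribute nothing, so the check errs on the side of reporting a gap.
    """
    perms: Set[str] = set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        role = roles.get(binding["role"])
        if role is None:
            continue
        perms.update(role.get("includedPermissions", []))
    return perms


def missing_permissions(granted: Iterable[str]) -> List[str]:
    """Permissions from the page's minimum list that the principal lacks."""
    return sorted(REQUIRED_PERMISSIONS - set(granted))


# --- constructed sample data (assumed names, not from the page) ---
SAMPLE_SA = "serviceAccount:vault-keymgmt@example-project.iam.gserviceaccount.com"

SAMPLE_ROLES = {
    "projects/example-project/roles/vaultKeymgmt": {
        # Deliberately omits cloudkms.importJobs.useToImport to show a detected gap.
        "includedPermissions": [
            "cloudkms.cryptoKeys.create",
            "cloudkms.cryptoKeys.update",
            "cloudkms.importJobs.create",
            "cloudkms.importJobs.get",
            "cloudkms.cryptoKeyVersions.list",
            "cloudkms.cryptoKeyVersions.destroy",
            "cloudkms.cryptoKeyVersions.update",
            "cloudkms.cryptoKeyVersions.create",
        ]
    }
}

SAMPLE_KEYRING_POLICY = json.loads("""
{
  "bindings": [
    {"role": "projects/example-project/roles/vaultKeymgmt",
     "members": ["serviceAccount:vault-keymgmt@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/cloudkms.viewer",
     "members": ["user:auditor@example.com"]}
  ]
}
""")


if __name__ == "__main__":
    print("credential source:",
          resolve_credential_source({}, {"service_account_file": "/etc/vault/sa.json"}, True))
    print("missing permissions:",
          missing_permissions(effective_permissions(SAMPLE_KEYRING_POLICY, SAMPLE_ROLES, SAMPLE_SA)))
```

Run it against the real role and policy JSON before writing the KMS provider resource; a missing `cloudkms.importJobs.useToImport` only surfaces later, when the first key distribution tries to import material into the key ring.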
Key transfer specification
Keys are securely transferred from the secrets engine to GCP Cloud KMS in accordance with the key import specification.
Key purpose compatibility
The following table defines which key purposes can be used for each key type supported by GCP Cloud KMS.
| Key Type | Purpose |
|---|---|
| aes256-gcm96 | encrypt and decrypt |
| rsa-2048 | decrypt or sign |
| rsa-3072 | decrypt or sign |
| rsa-4096 | decrypt or sign |
| ecdsa-p256 | sign |
| ecdsa-p384 | sign |
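The table reads as three distinct rules: the symmetric key type must carry both encrypt and decrypt, the RSA types take exactly one of decrypt or sign (never both on one key), and the ECDSA types only sign. The validator below, an added example rather than Vault's own code, applies those rules to the comma-separated `purpose` value passed when distributing a key to the gcpckms provider, and maps each valid combination to the Cloud KMS CryptoKey purpose it would correspond to (the ENCRYPT_DECRYPT, ASYMMETRIC_DECRYPT and ASYMMETRIC_SIGN names are Cloud KMS API values, not from this page; the correspondence is my assumption).

```python
"""Validate a keymgmt key type / purpose pair for the gcpckms provider (added example)."""
from typing import FrozenSet

ENCRYPT_DECRYPT = frozenset({"encrypt", "decrypt"})
DECRYPT = frozenset({"decrypt"})
SIGN = frozenset({"sign"})

# Allowed purpose sets per key type, straight from the page's table, and the
# Cloud KMS CryptoKey purpose each set is assumed to correspond to.
_RULES = {
    "aes256-gcm96": {ENCRYPT_DECRYPT: "ENCRYPT_DECRYPT"},
    "rsa-2048": {DECRYPT: "ASYMMETRIC_DECRYPT", SIGN: "ASYMMETRIC_SIGN"},
    "rsa-3072": {DECRYPT: "ASYMMETRIC_DECRYPT", SIGN: "ASYMMETRIC_SIGN"},
    "rsa-4096": {DECRYPT: "ASYMMETRIC_DECRYPT", SIGN: "ASYMMETRIC_SIGN"},
    "ecdsa-p256": {SIGN: "ASYMMETRIC_SIGN"},
    "ecdsa-p384": {SIGN: "ASYMMETRIC_SIGN"},
}


def parse_purpose(purpose: str) -> FrozenSet[str]:
    """Split a comma-separated purpose value such as "encrypt,decrypt"."""
    parts = frozenset(p.strip().lower() for p in purpose.split(",") if p.strip())
    if not parts:
        raise ValueError("purpose must not be empty")
    unknown = parts - {"encrypt", "decrypt", "sign"}
    if unknown:
        raise ValueError(f"unknown purpose(s): {sorted(unknown)}")
    return parts


def gcp_key_purpose(key_type: str, purpose: str) -> str:
    """Return the Cloud KMS purpose for a valid pair, or raise ValueError."""
    rules = _RULES.get(key_type)
    if rules is None:
        raise ValueError(f"key type {key_type!r} is not supported by gcpckms")
    wanted = parse_purpose(purpose)
    if wanted in rules:
        return rules[wanted]
    # Spell out the common mistakes: RSA with both decrypt and sign, or a
    # symmetric key distributed with only one of encrypt/decrypt.
    allowed = " or ".join(",".join(sorted(s)) for s in rules)
    raise ValueError(
        f"{key_type} cannot be distributed with purpose {','.join(sorted(wanted))!r}; "
        f"allowed: {allowed}"
    )


if __name__ == "__main__":
    for kt, p in [("aes256-gcm96", "encrypt,decrypt"), ("rsa-2048", "decrypt,sign")]:
        try:
            print(kt, p, "->", gcp_key_purpose(kt, p))
        except ValueError as exc:
            print(kt, p, "->", exc)
```

Run the check before `vault write keymgmt/kms/<name>/key/<key>`; rejecting `rsa-2048` with `decrypt,sign` locally is clearer than the error that comes back from the provider after a failed import.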