»gcpckms KMS

The GCP Cloud KMS configures Boundary to use GCP Cloud KMS for key management.

The GCP Cloud KMS seal is activated by the presence of a seal "gcpckms" block in Boundary's configuration file.

»gcpckms Example

This example shows configuring GCP Cloud KMS through the Boundary configuration file by providing all the required values:

kms "gcpckms" {
  purpose     = "root"
  credentials = "/usr/boundary/boundary-project-user-creds.json"
  project     = "boundary-project"
  region      = "global"
  key_ring    = "boundary-keyring"
  crypto_key  = "boundary-key"
kms "gcpckms" {  purpose     = "root"  credentials = "/usr/boundary/boundary-project-user-creds.json"  project     = "boundary-project"  region      = "global"  key_ring    = "boundary-keyring"  crypto_key  = "boundary-key"}

»gcpckms Parameters

These parameters apply to the kms stanza in the Boundary configuration file:

  • purpose - Purpose of this KMS, acceptable values are: worker-auth, root, recovery, or config.

  • credentials (string: <required>): The path to the credentials JSON file to use. May be also specified by the GOOGLE_CREDENTIALS or GOOGLE_APPLICATION_CREDENTIALS environment variable or set automatically if running under Google App Engine, Google Compute Engine or Google Kubernetes Engine.

  • project (string: <required>): The GCP project ID to use. May also be specified by the GOOGLE_PROJECT environment variable.

  • region (string: "us-east-1"): The GCP region/location where the key ring lives. May also be specified by the GOOGLE_REGION environment variable.

  • key_ring (string: <required>): The GCP CKMS key ring to use.

  • crypto_key (string: <required>): The GCP CKMS crypto key to use for encryption and decryption.

»Authentication & Permissions

Authentication-related values must be provided, either as environment variables or as configuration parameters.

GCP authentication values: