»gcpckms KMS
The GCP Cloud KMS configures Boundary to use GCP Cloud KMS for key management.
The GCP Cloud KMS seal is activated by the presence of a seal "gcpckms" block in Boundary's configuration file.
»gcpckms Example
This example shows configuring GCP Cloud KMS through the Boundary configuration file by providing all the required values:
kms "gcpckms" {
purpose = "root"
credentials = "/usr/boundary/boundary-project-user-creds.json"
project = "boundary-project"
region = "global"
key_ring = "boundary-keyring"
crypto_key = "boundary-key"
}
»gcpckms Parameters
These parameters apply to the kms stanza in the Boundary configuration file:
purpose- Purpose of this KMS, acceptable values are:worker-auth,root,recovery, orconfig.credentials(string: <required>): The path to the credentials JSON file to use. May be also specified by theGOOGLE_CREDENTIALSorGOOGLE_APPLICATION_CREDENTIALSenvironment variable or set automatically if running under Google App Engine, Google Compute Engine or Google Kubernetes Engine.project(string: <required>): The GCP project ID to use. May also be specified by theGOOGLE_PROJECTenvironment variable.region(string: "us-east-1"): The GCP region/location where the key ring lives. May also be specified by theGOOGLE_REGIONenvironment variable.key_ring(string: <required>): The GCP CKMS key ring to use.crypto_key(string: <required>): The GCP CKMS crypto key to use for encryption and decryption.
»Authentication & Permissions
Authentication-related values must be provided, either as environment variables or as configuration parameters.
GCP authentication values:
GOOGLE_CREDENTIALSorGOOGLE_APPLICATION_CREDENTIALSGOOGLE_PROJECTGOOGLE_REGION
