
»gcpckms KMS

The gcpckms KMS block configures Boundary to use GCP Cloud KMS for key management.

The GCP Cloud KMS is activated by the presence of a kms "gcpckms" block in Boundary's configuration file.

»gcpckms Example

This example shows configuring GCP Cloud KMS through the Boundary configuration file by providing all the required values:

kms "gcpckms" {
  purpose     = "root"
  credentials = "/usr/boundary/boundary-project-user-creds.json"
  project     = "boundary-project"
  region      = "global"
  key_ring    = "boundary-keyring"
  crypto_key  = "boundary-key"
}

»gcpckms Parameters

These parameters apply to the kms stanza in the Boundary configuration file:

  • purpose - Purpose of this KMS. Acceptable values are: worker-auth, root, recovery, or config.

  • credentials (string: <required>): The path to the credentials JSON file to use. May also be specified by the GOOGLE_CREDENTIALS or GOOGLE_APPLICATION_CREDENTIALS environment variable, or set automatically if running under Google App Engine, Google Compute Engine or Google Kubernetes Engine.

  • project (string: <required>): The GCP project ID to use. May also be specified by the GOOGLE_PROJECT environment variable.

  • region (string: "us-east-1"): The GCP region/location where the key ring lives. May also be specified by the GOOGLE_REGION environment variable.

  • key_ring (string: <required>): The GCP CKMS key ring to use.

  • crypto_key (string: <required>): The GCP CKMS crypto key to use for encryption and decryption.

»Authentication & Permissions

Authentication-related values must be provided, either as environment variables or as configuration parameters.

GCP authentication values:

  • GOOGLE_CREDENTIALS or GOOGLE_APPLICATION_CREDENTIALS
  • GOOGLE_PROJECT
  • GOOGLE_REGION
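
A pre-flight check for the parameters and environment fallbacks listed above, as an added example that is not part of the Boundary documentation or code: it parses kms "gcpckms" blocks and reports required values that neither the block nor the environment supplies. The function names, the second sample block, and treating a missing purpose as an error are assumptions of this example.

```python
import re

# Names below come from the parameter list on this page.
PURPOSES = {"worker-auth", "root", "recovery", "config"}
ENV_FALLBACK = {  # parameter -> environment variables documented for it
    "credentials": ("GOOGLE_CREDENTIALS", "GOOGLE_APPLICATION_CREDENTIALS"),
    "project": ("GOOGLE_PROJECT",),
    "region": ("GOOGLE_REGION",),
}

def parse_gcpckms_blocks(text):
    """One dict per kms "gcpckms" block; handles flat key = "value" lines only."""
    bodies = re.findall(r'kms\s+"gcpckms"\s*\{(.*?)\}', text, re.S)
    return [dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', b, re.M)) for b in bodies]

def check_block(block, env):
    """Return (errors, warnings) for one parsed block and an environment mapping."""
    def supplied(name):
        return bool(block.get(name)) or any(env.get(v) for v in ENV_FALLBACK.get(name, ()))
    errors, warnings = [], []
    # Assumption: a block with no purpose is reported as an error.
    if block.get("purpose") not in PURPOSES:
        errors.append(f"purpose: {block.get('purpose')!r} not in {sorted(PURPOSES)}")
    for name in ("project", "key_ring", "crypto_key"):
        if not supplied(name):
            errors.append(f"{name}: not set in the block or the environment")
    if not supplied("credentials"):
        warnings.append("credentials: not set; relies on GAE/GCE/GKE supplying them")
    if not supplied("region"):
        warnings.append('region: not set; the documented default "us-east-1" applies')
    return errors, warnings

# Constructed sample: the page's block, then one with a bad purpose and no project.
SAMPLE = '''
kms "gcpckms" {
  purpose     = "root"
  credentials = "/usr/boundary/boundary-project-user-creds.json"
  project     = "boundary-project"
  region      = "global"
  key_ring    = "boundary-keyring"
  crypto_key  = "boundary-key"
}
kms "gcpckms" {
  purpose    = "recover"
  key_ring   = "boundary-keyring"
  crypto_key = "boundary-key"
}
'''

if __name__ == "__main__":
    for block in parse_gcpckms_blocks(SAMPLE):
        print(check_block(block, env={}))  # pass dict(os.environ) on a real host
```

The checker only reports whether a value is supplied somewhere; it does not decide which source wins when both the block and the environment set the same parameter.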