48 lines
2.2 KiB
Plaintext
48 lines
2.2 KiB
Plaintext
|
---
|
|||
|
|
layout: api
|
|||
|
|
page_title: GCP Cloud KMS - Key Management - Secrets Engines - HTTP API
|
|||
|
|
description: The GCP Cloud KMS API documentation for the Key Management secrets engine.
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
# GCP Cloud KMS (API)
|
|||
|
|
|
|||
|
|
The Key Management secrets engine supports lifecycle management of keys in [GCP Cloud KMS](https://cloud.google.com/security-key-management)
|
|||
|
|
[key rings](https://cloud.google.com/kms/docs/resource-hierarchy#key_rings). This is accomplished by
|
|||
|
|
configuring a KMS provider resource with the `gcpckms` provider and other provider-specific parameter
|
|||
|
|
values.
|
|||
|
|
|
|||
|
|
The following sections provide API documentation that is specific to GCP Cloud KMS.
|
|||
|
|
|
|||
|
|
## Create/Update KMS Provider
|
|||
|
|
|
|||
|
|
This endpoint creates or updates a KMS provider. If a KMS provider with the given `name`
|
|||
|
|
does not exist, it will be created. If the KMS provider exists, it will be updated with
|
|||
|
|
the given parameter values.
|
|||
|
|
|
|||
|
|
| Method | Path |
|
|||
|
|
| :----- | :------------------- |
|
|||
|
|
| `PUT` | `/keymgmt/kms/:name` |
|
|||
|
|
|
|||
|
|
### Parameters
|
|||
|
|
|
|||
|
|
- `name` `(string: <required>)` – Specifies the name of the KMS provider to create or update.
|
|||
|
|
This is provided as part of the request URL.
|
|||
|
|
|
|||
|
|
- `provider` `(string: <required>)` – Specifies the name of a KMS provider that's external to
|
|||
|
|
Vault. Must be set to `gcpckms`. Cannot be changed after creation.
|
|||
|
|
|
|||
|
|
- `key_collection` `(string: <required>)` – Refers to the
|
|||
|
|
[resource ID](https://cloud.google.com/kms/docs/resource-hierarchy#retrieve_resource_id)
|
|||
|
|
of an existing GCP Cloud KMS [key ring](https://cloud.google.com/kms/docs/resource-hierarchy#key_rings).
|
|||
|
|
Cannot be changed after creation.
|
|||
|
|
|
|||
|
|
- `credentials` `(map<string|string>: nil)` – The credentials to use for authentication with GCP
|
|||
|
|
Cloud KMS. Supplying values for this parameter is optional, as credentials may also be specified
|
|||
|
|
as environment variables. See the [authentication](/docs/secrets/key-management/gcpkms#authentication)
|
|||
|
|
section for details on precedence.
|
|||
|
|
|
|||
|
|
- `service_account_file` `(string: <required>)` - The path to a Google service account key file. The
|
|||
|
|
key file must be readable on the host that Vault server is running on. May also be provided by the
|
|||
|
|
`GOOGLE_CREDENTIALS` environment variable or by
|
|||
|
|
[application default credentials](https://cloud.google.com/docs/authentication/production).
|