Update awskms seal docs (#5618)

The seal already supported an endpoint configuration, but it wasn't
documented, so adding the docs for it. Also adding a note on required
KMS permissions.
Joel Thompson 2018-10-26 09:18:04 -04:00 committed by Chris Hoffman
parent 46d3f58fbf
commit 62b54c8a5c
1 changed files with 17 additions and 1 deletions


@ -31,6 +31,7 @@ seal "awskms" {
access_key = "AKIAIOSFODNN7EXAMPLE"
secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
kms_key_id = "19ec80b0-dfdd-4d97-8164-c6examplekey"
endpoint = "https://vpce-0e1bb1852241f8cc6-pzi0do8n.kms.us-east-1.vpce.amazonaws.com"
}
```
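Review bot: the new `endpoint` value in this hunk looks like a real VPC endpoint DNS name (it carries a full `vpce-...` ID), unlike the surrounding `access_key`, `secret_key` and `kms_key_id` values, which are all visibly marked as EXAMPLE placeholders; consider using an obviously fictitious endpoint ID so readers do not copy it as-is. It is also worth adding a sentence next to the example that the endpoint's region (here `us-east-1`) must agree with the seal's configured region, since requests are still SigV4-signed for that region and a mismatch fails with a signature error rather than a clear configuration error.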
@ -55,6 +56,12 @@ These parameters apply to the `seal` stanza in the Vault configuration file:
and decryption. May also be specified by the `VAULT_AWSKMS_SEAL_KEY_ID`
environment variable.
- `endpoint` `(string: "")`: The KMS API endpoint to be used to make AWS KMS
requests. May also be specified by the `AWS_KMS_ENDPOINT` environment
variable. This is useful, for example, when connecting to KMS over a [VPC
Endpoint](https://docs.aws.amazon.com/kms/latest/developerguide/kms-vpc-endpoint.html).
If not set, Vault will use the default API endpoint for your region.
## Authentication
Authentication-related values must be provided, either as environment
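Review bot: the environment variable for `endpoint` is documented as `AWS_KMS_ENDPOINT`, which breaks the `VAULT_AWSKMS_SEAL_*` pattern used by the parameter directly above it (`VAULT_AWSKMS_SEAL_KEY_ID`); please double-check that this is the exact name the seal code reads, and since the name differs from the others, add it to the "`awskms` Environment Variables" section further down so that section stays a complete list. "the default API endpoint for your region" could also be made concrete, e.g. "the regional KMS endpoint, `kms.<region>.amazonaws.com`", so readers know what they are overriding.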
@ -77,6 +84,15 @@ credentials, environment credentials, shared file credentials, or IAM role/ECS
task credentials in that order, if the above AWS specific values are not
provided.
Vault needs the following permissions on the KMS key:
* `kms:Encrypt`
* `kms:Decrypt`
* `kms:DescribeKey`
These can be granted via IAM permissions on the principal that Vault uses, on
the KMS key policy for the KMS key, or via KMS Grants on the key.
## `awskms` Environment Variables
Alternatively, the AWS KMS seal can be activated by providing the following
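Review bot: the sentence "These can be granted via IAM permissions on the principal that Vault uses, on the KMS key policy for the KMS key, or via KMS Grants on the key" presents the three mechanisms as interchangeable, but a KMS key policy is the authority for the key: an IAM policy on Vault's principal only takes effect if the key policy delegates to IAM (the default key policy's "Enable IAM User Permissions" statement does this, a custom policy may not). Suggest rewording to make that dependency explicit, and recommending that whichever mechanism is used, the `Resource` be scoped to the specific key ARN rather than `*`, since `kms:Decrypt` on all keys in the account is far more than the seal needs.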
@ -96,4 +112,4 @@ This seal supports rotating the master keys defined in AWS KMS
rotation and manual rotation is supported for KMS since the key information is stored with the
encrypted data. Old keys must not be disabled or deleted and are used to decrypt older data.
Any new or updated data will be encrypted with the current key defined in the seal configuration
or set to current under a key alias.
or set to current under a key alias.
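Review bot: this hunk only touches the final line (the single deletion in the stat, presumably a missing trailing newline), but the unchanged text it carries, "Old keys must not be disabled or deleted and are used to decrypt older data", has a permissions consequence that the new permissions section earlier in this patch does not mention: with manual rotation through a key alias, Vault needs `kms:Decrypt` (and `kms:DescribeKey`) on every previous key as well, not only on the key the alias currently points to. Suggest cross-referencing that here or in the permissions list so operators do not scope the policy to just the current key and break unseal after a rotation.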