diff --git a/website/content/api-docs/system/managed-keys.mdx b/website/content/api-docs/system/managed-keys.mdx index b7f0786c7..5413865bb 100644 --- a/website/content/api-docs/system/managed-keys.mdx +++ b/website/content/api-docs/system/managed-keys.mdx @@ -216,6 +216,39 @@ $ curl \ - `key_type` `(string: )`: The type of key to use. At this time only supported value is `RSA`. +#### GCP Cloud KMS Parameters + +- `credentials` `(string: )`: The path of the credential file to use for authenticating to GCP. +This can also be provided in the `GOOGLE_APPLICATION_CREDENTIALS` environment variable. + +- `crypto_key` `(string: )`: The name of the GCP Cloud KMS key. If there is no existing key +and `allow_generate_key` is `true`, Vault will generate a key with this name. + +- `crypto_key_version` `(string: "1")`: The version of the key to use. + +- `key_ring` `(string: )`: The name of the key ring in GCP Cloud KMS. + +- `project` `(string: )`: The ID of the GCP project. + +- `region` `(string: )`: The region where the key ring was created. This can also be provided +with the `GOOGLE_REGION` environment variable. + +- `algorithm` `(string: )`: The signature algorithm to be used with the key. Supported +values for signature algorithms are: + - `EC_SIGN_P256_SHA256` + - `EC_SIGN_P384_SHA384` + - `EC_SIGN_P256_SHA256` + - `RSA_SIGN_PSS_2048_SHA256` + - `RSA_SIGN_PSS_3072_SHA256` + - `RSA_SIGN_PSS_4096_SHA256` + - `RSA_SIGN_PSS_4096_SHA512` + - `RSA_SIGN_PKCS1_2048_SHA256` + - `RSA_SIGN_PKCS1_3072_SHA256` + - `RSA_SIGN_PKCS1_4096_SHA256` + - `RSA_SIGN_PKCS1_4096_SHA512` + + For more information, see the GCP Cloud KMS [documentation for signing algorithms](https://cloud.google.com/kms/docs/algorithms). + ## Read managed key This endpoint returns the managed key configuration at the given path. diff --git a/website/content/docs/enterprise/managed-keys.mdx b/website/content/docs/enterprise/managed-keys.mdx index 3fb64397e..e562de11e 100644 --- a/website/content/docs/enterprise/managed-keys.mdx +++ b/website/content/docs/enterprise/managed-keys.mdx @@ -13,7 +13,7 @@ external to Vault, when handling, storing, and interacting with private key material, or are required to do so by standards requirements. To satisfy these requirements, Vault has a centralized abstraction called -*Managed Keys* that different secrets engines can plug into, allowing them to +*Managed Keys* that different secrets engines can plug into, allowing them to delegate these operations to a trusted external KMS. Minimally, a managed key consists of a named managed key entry managed by the @@ -37,8 +37,8 @@ as the Managed Key for which it intends to use. ## Backend Support Managed Keys were developed to support different types of external backends. At -this time supported backends are PKCS#11, AWS KMS and Azure Key Vault. -Support for additional integrations may be added in the future. +this time supported backends are PKCS#11, AWS KMS, Azure Key Vault, and Google +Cloud KMS. Support for additional integrations may be added in the future. ## Secret and Auth Engine Support