docs: AWS KMS updates for key management secrets engine (#11958)

Austin Gebauer 2021-06-29 10:31:25 -07:00 committed by GitHub
parent 02d45f3a66
commit b34e24fa64
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 13 additions and 7 deletions

changelog/11958.txt Normal file

@ -0,0 +1,3 @@
```release-note:feature
secrets/keymgmt (enterprise): Adds general availability for distributing and managing keys in AWS KMS.
```


@ -6,9 +6,6 @@ description: The AWS KMS API documentation for the Key Management secrets engine
# AWS KMS (API)
~> **Note:** This provider is currently a **_beta_** feature and not recommended
for deployment in production.
The Key Management secrets engine supports lifecycle management of keys in [AWS KMS](https://aws.amazon.com/kms/)
regions. This is accomplished by configuring a KMS provider resource with the `awskms` provider and
other provider-specific parameter values.
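Review bot: the three-line beta callout deleted here is the same text deleted from the provider page in the next hunk, which is exactly the kind of duplicated status note that drifts between pages; consider keeping support-status notes in one shared include (or only on the provider page, linked from the API page) so that the next status change needs a single edit.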


@ -6,9 +6,6 @@ description: AWS KMS is a supported KMS provider of the Key Management secrets e
# AWS KMS
~> **Note:** This provider is currently a **_beta_** feature and not recommended
for deployment in production.
The Key Management secrets engine supports lifecycle management of keys in [AWS KMS](https://aws.amazon.com/kms/)
regions. This is accomplished by configuring a KMS provider resource with the `awskms` provider and
other provider-specific parameter values.
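Review bot: with the beta note removed, this page no longer states the support status or minimum version of the `awskms` provider; the changelog in this commit announces general availability, and the index page states `1.6.0+` for the secrets engine as a whole, but a provider that is leaving beta in this release presumably needs a later minimum, so add a one-line version note here (e.g. "The `awskms` provider is generally available in Vault Enterprise X.Y.Z and later", with the actual version filled in).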
@ -64,3 +61,12 @@ for a detailed description of individual configuration parameters.
Keys are securely transferred from the secrets engine to AWS KMS regions in accordance
with the AWS KMS [Bring Your Own Key](https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html)
specification.
## Key Rotation
Customer master keys (CMKs) with imported key material are not eligible for
[automatic key rotation](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html)
within AWS KMS. As such, key rotations performed by the secrets engine use the
[manual key rotation](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually)
process. Applications should refer to the [alias](https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html)
associated with imported keys. Aliases will always have the form: `hashicorp/<key_name>-<unix_timestamp>`.
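Review bot: the alias guidance in this section is internally inconsistent: applications are told to refer to the alias, but the alias form `hashicorp/<key_name>-<unix_timestamp>` embeds a timestamp, so if that timestamp changes on each manual rotation an application pinned to one alias name would not follow rotations at all. State whether the timestamp is fixed at first distribution (with the alias re-pointed to the new key on rotation, as in the linked manual rotation process) or whether a new alias is created per rotation, in which case document how applications discover the current alias. The section also says nothing about the fate of the previous CMK after a rotation (retained so existing ciphertext can still be decrypted, or scheduled for deletion); one sentence on that would save readers a support ticket.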


@ -9,7 +9,7 @@ description: >-
# Key Management Secrets Engine
-> **Note**: This secrets engine requires [Vault
Enterprise](https://www.hashicorp.com/products/vault/) with the Advanced Data
Enterprise](https://www.hashicorp.com/products/vault/) (1.6.0+) with the Advanced Data
Protection Module.
The Key Management secrets engine provides a consistent workflow for distribution and lifecycle
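Review bot: the `(1.6.0+)` shorthand sits between the link text and "with the Advanced Data Protection Module", where it reads as part of the product name; spelling it out as "Vault Enterprise 1.6.0 or later with the Advanced Data Protection Module" is clearer. Since this commit also moves AWS KMS to general availability, it is worth checking that the version stated here is the minimum for the secrets engine itself and that the provider-specific minimum is stated on the provider page rather than implied by this line.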