--- layout: api page_title: GCP Cloud KMS - Key Management - Secrets Engines - HTTP API description: The GCP Cloud KMS API documentation for the Key Management secrets engine. --- # GCP Cloud KMS (API) The Key Management secrets engine supports lifecycle management of keys in [GCP Cloud KMS](https://cloud.google.com/security-key-management) [key rings](https://cloud.google.com/kms/docs/resource-hierarchy#key_rings). This is accomplished by configuring a KMS provider resource with the `gcpckms` provider and other provider-specific parameter values. The following sections provide API documentation that is specific to GCP Cloud KMS. ## Create/Update KMS Provider This endpoint creates or updates a KMS provider. If a KMS provider with the given `name` does not exist, it will be created. If the KMS provider exists, it will be updated with the given parameter values. | Method | Path | | :----- | :------------------- | | `PUT` | `/keymgmt/kms/:name` | ### Parameters - `name` `(string: )` – Specifies the name of the KMS provider to create or update. This is provided as part of the request URL. - `provider` `(string: )` – Specifies the name of a KMS provider that's external to Vault. Must be set to `gcpckms`. Cannot be changed after creation. - `key_collection` `(string: )` – Refers to the [resource ID](https://cloud.google.com/kms/docs/resource-hierarchy#retrieve_resource_id) of an existing GCP Cloud KMS [key ring](https://cloud.google.com/kms/docs/resource-hierarchy#key_rings). Cannot be changed after creation. - `credentials` `(map: nil)` – The credentials to use for authentication with GCP Cloud KMS. Supplying values for this parameter is optional, as credentials may also be specified as environment variables. See the [authentication](/docs/secrets/key-management/gcpkms#authentication) section for details on precedence. - `service_account_file` `(string: )` - The path to a Google service account key file. The key file must be readable on the host that Vault server is running on. May also be provided by the `GOOGLE_CREDENTIALS` environment variable or by [application default credentials](https://cloud.google.com/docs/authentication/production).