open-vault/website/content/docs/secrets/key-management/gcpkms.mdx
Yoko Hyakuna f374938d31
Fix broken links referencing to API docs (#14565)
* Fix all '/api/' to '/api-docs/'

* Minor fixes

* Undo some of the unintentional changes
2022-03-17 18:14:48 -07:00

74 lines
3 KiB
Plaintext

---
layout: docs
page_title: GCP Cloud KMS - Key Management - Secrets Engines
description: GCP Cloud KMS is a supported KMS provider of the Key Management secrets engine.
---
# GCP Cloud KMS
The Key Management secrets engine supports lifecycle management of keys in GCP Cloud KMS
[key rings](https://cloud.google.com/kms/docs/resource-hierarchy#key_rings). This is accomplished
by configuring a KMS provider resource with the `gcpckms` provider and other provider-specific
parameter values.
The following sections describe how to properly configure the secrets engine to enable
the functionality.
## Authentication
The Key Management secrets engine must be configured with credentials that have sufficient
permissions to manage keys in an existing GCP Cloud KMS [key ring](https://cloud.google.com/kms/docs/resource-hierarchy#key_rings).
The authentication parameters are described in the [credentials](/api-docs/secret/key-management/gcpkms#credentials)
section of the API documentation. The authentication parameters will be set with the following order
of precedence:
1. `GOOGLE_CREDENTIALS` environment variable
2. [KMS provider credentials](/api-docs/secret/key-management/gcpkms#credentials) parameter
3. [Application default credentials](https://cloud.google.com/docs/authentication/production)
The service account must be authorized with the following minimum
[IAM permissions](https://cloud.google.com/kms/docs/reference/permissions-and-roles) on the
target [key ring](https://cloud.google.com/kms/docs/resource-hierarchy#key_rings) resource:
- `cloudkms.cryptoKeys.create`
- `cloudkms.cryptoKeys.update`
- `cloudkms.importJobs.create`
- `cloudkms.importJobs.get`
- `cloudkms.cryptoKeyVersions.list`
- `cloudkms.cryptoKeyVersions.destroy`
- `cloudkms.cryptoKeyVersions.update`
- `cloudkms.cryptoKeyVersions.create`
## Configuration
The following is an example of how to configure the KMS provider resource using the Vault CLI:
```text
$ vault write keymgmt/kms/example-kms \
provider="gcpckms" \
key_collection="projects/<project-id>/locations/<location>/keyRings/<keyring>" \
credentials=service_account_file="/path/to/service_account/credentials.json"
```
Refer to the GCP Cloud KMS [API documentation](/api-docs/secret/key-management/gcpkms)
for a detailed description of individual configuration parameters.
## Key Transfer Specification
Keys are securely transferred from the secrets engine to GCP Cloud KMS in accordance
with the [key import](https://cloud.google.com/kms/docs/key-import) specification.
## Key Purpose Compatability
The following table defines which key [purposes](/api-docs/secret/key-management#purpose) can be used
for each key type supported by GCP Cloud KMS.
| Key Type | Purpose |
| -------------- | ----------------------- |
| `aes256-gcm96` | `encrypt` and `decrypt` |
| `rsa-2048` | `decrypt` or `sign` |
| `rsa-3072` | `decrypt` or `sign` |
| `rsa-4096` | `decrypt` or `sign` |
| `ecdsa-p256` | `sign` |
| `ecdsa-p384` | `sign` |