48 lines
2.2 KiB
Plaintext
48 lines
2.2 KiB
Plaintext
---
|
||
layout: api
|
||
page_title: GCP Cloud KMS - Key Management - Secrets Engines - HTTP API
|
||
description: The GCP Cloud KMS API documentation for the Key Management secrets engine.
|
||
---
|
||
|
||
# GCP Cloud KMS (API)
|
||
|
||
The Key Management secrets engine supports lifecycle management of keys in [GCP Cloud KMS](https://cloud.google.com/security-key-management)
|
||
[key rings](https://cloud.google.com/kms/docs/resource-hierarchy#key_rings). This is accomplished by
|
||
configuring a KMS provider resource with the `gcpckms` provider and other provider-specific parameter
|
||
values.
|
||
|
||
The following sections provide API documentation that is specific to GCP Cloud KMS.
|
||
|
||
## Create/Update KMS Provider
|
||
|
||
This endpoint creates or updates a KMS provider. If a KMS provider with the given `name`
|
||
does not exist, it will be created. If the KMS provider exists, it will be updated with
|
||
the given parameter values.
|
||
|
||
| Method | Path |
|
||
| :----- | :------------------- |
|
||
| `PUT` | `/keymgmt/kms/:name` |
|
||
|
||
### Parameters
|
||
|
||
- `name` `(string: <required>)` – Specifies the name of the KMS provider to create or update.
|
||
This is provided as part of the request URL.
|
||
|
||
- `provider` `(string: <required>)` – Specifies the name of a KMS provider that's external to
|
||
Vault. Must be set to `gcpckms`. Cannot be changed after creation.
|
||
|
||
- `key_collection` `(string: <required>)` – Refers to the
|
||
[resource ID](https://cloud.google.com/kms/docs/resource-hierarchy#retrieve_resource_id)
|
||
of an existing GCP Cloud KMS [key ring](https://cloud.google.com/kms/docs/resource-hierarchy#key_rings).
|
||
Cannot be changed after creation.
|
||
|
||
- `credentials` `(map<string|string>: nil)` – The credentials to use for authentication with GCP
|
||
Cloud KMS. Supplying values for this parameter is optional, as credentials may also be specified
|
||
as environment variables. See the [authentication](/docs/secrets/key-management/gcpkms#authentication)
|
||
section for details on precedence.
|
||
|
||
- `service_account_file` `(string: <required>)` - The path to a Google service account key file. The
|
||
key file must be readable on the host that Vault server is running on. May also be provided by the
|
||
`GOOGLE_CREDENTIALS` environment variable or by
|
||
[application default credentials](https://cloud.google.com/docs/authentication/production).
|