gcpckms KMS

The GCP Cloud KMS seal configures Boundary to use GCP Cloud KMS for key management.

The GCP Cloud KMS seal is activated by the presence of a seal "gcpckms" block in Boundary’s configuration file.

gcpckms Example

This example shows configuring GCP Cloud KMS through the Boundary configuration file by providing all the required values:

  kms "gcpckms" {
    purpose     = "root"
    credentials = "/usr/boundary/boundary-project-user-creds.json"
    project     = "boundary-project"
    region      = "global"
    key_ring    = "boundary-keyring"
    crypto_key  = "boundary-key"
  }

gcpckms Parameters

These parameters apply to the kms stanza in the Boundary configuration file:

  • purpose: The purpose of this KMS. Acceptable values are worker-auth, root, recovery, or config.

  • credentials (string: <required>): The path to the credentials JSON file to use. May also be specified by the GOOGLE_CREDENTIALS or GOOGLE_APPLICATION_CREDENTIALS environment variable, or set automatically if running under Google App Engine, Google Compute Engine or Google Kubernetes Engine.

  • project (string: <required>): The GCP project ID to use. May also be specified by the GOOGLE_PROJECT environment variable.

  • region (string: "us-east-1"): The GCP region/location where the key ring lives. May also be specified by the GOOGLE_REGION environment variable.

  • key_ring (string: <required>): The GCP CKMS key ring to use.

  • crypto_key (string: <required>): The GCP CKMS crypto key to use for encryption and decryption.
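The following is an added example, not taken from the Boundary documentation or project, that puts the parameters above together for more than one purpose value. It declares one gcpckms stanza each for the root, worker-auth and recovery purposes. The project, key ring and key names are placeholders, and giving each purpose its own crypto_key is a design choice made here (so the keys can be granted, rotated and audited independently), not something this page requires. The third stanza shows the alternative the parameter list describes: omitting credentials, project and region and supplying them through the GOOGLE_APPLICATION_CREDENTIALS, GOOGLE_PROJECT and GOOGLE_REGION environment variables instead.

```hcl
# Added example (not from the Boundary docs): one gcpckms stanza per purpose.
# All names below are placeholders; one crypto_key per purpose is a deliberate
# separation-of-keys choice, not a requirement stated on this page.

kms "gcpckms" {
  purpose     = "root"
  credentials = "/usr/boundary/boundary-project-user-creds.json"
  project     = "boundary-project"
  region      = "global"
  key_ring    = "boundary-keyring"
  crypto_key  = "boundary-root-key"
}

kms "gcpckms" {
  purpose     = "worker-auth"
  credentials = "/usr/boundary/boundary-project-user-creds.json"
  project     = "boundary-project"
  region      = "global"
  key_ring    = "boundary-keyring"
  crypto_key  = "boundary-worker-auth-key"
}

kms "gcpckms" {
  purpose     = "recovery"
  # credentials, project and region are intentionally omitted here: they are
  # read from GOOGLE_APPLICATION_CREDENTIALS, GOOGLE_PROJECT and GOOGLE_REGION
  # in the controller's environment, as the parameter list above allows.
  key_ring    = "boundary-keyring"
  crypto_key  = "boundary-recovery-key"
}
```

Because the environment variables apply process-wide, a controller that relies on them for one stanza will use the same credentials, project and region for every gcpckms stanza that omits those fields; if different purposes must use different service accounts, set credentials explicitly in each stanza rather than relying on the environment.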

Authentication & Permissions

Authentication-related values must be provided, either as environment variables or as configuration parameters.

GCP authentication values: