kemko/nomad
1
0
Fork 0
mirror of https://github.com/kemko/nomad.git synced 2026-01-06 10:25:42 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
2bfe81772119f431fc75271d20aa7ca4fa3c1921
nomad/website/content/docs/configuration/keyring/gcpckms.mdx
Tim Gross 0f4014b4a9 docs: external KMS configuration (#23600) 
In #23580 we're implementing support for encrypting Nomad's key material with
external KMS providers or Vault Transit. This changeset breaks out the
documentation from that PR to keep the review manageable and present it to a
wider set of reviewers.

Ref: https://hashicorp.atlassian.net/browse/NET-10334
Ref: https://github.com/hashicorp/nomad/issues/14852
Ref: https://github.com/hashicorp/nomad/pull/23580
2024-07-19 15:08:54 -04:00

93 lines
2.9 KiB
Plaintext
Raw Blame History

---
layout: docs
page_title: GCP Cloud KMS - Keyrings - Configuration
description: >-
The GCP Cloud KMS keyring configures Nomad to use GCP Cloud KMS as the keyring
wrapping mechanism.
---
# `gcpckms` keyring
The GCP Cloud KMS keyring configures Nomad to use GCP Cloud KMS to wrap its
keyring. This example shows configuring GCP Cloud KMS keyring through the Nomad
configuration file by providing all the required values.
```hcl
keyring "gcpckms" {
active = true
name = "example"
credentials = "/etc/nomad.d/nomad-user-creds.json"
project = "nomad-project"
region = "global"
key_ring = "nomad-keyring"
crypto_key = "nomad-key"
}
```
## `gcpckms` parameters
These parameters apply to the `keyring` stanza in the Nomad configuration file:
- `credentials` `(string: <required>)`: The path to the credentials JSON file to
use. Alternately specify via the `GOOGLE_CREDENTIALS` or
`GOOGLE_APPLICATION_CREDENTIALS` environment variable or set automatically if
running under Google Compute Engine.
- `project` `(string: <required>)`: The GCP project ID to use. Alternately
specify via the `GOOGLE_PROJECT` environment variable.
- `region` `(string: <required>)`: The GCP region/location where the key ring
lives. Alternately specify via the `GOOGLE_REGION` environment variable.
- `key_ring` `(string: <required>)`: The GCP CKMS key ring to use.
- `crypto_key` `(string: <required>)`: The GCP CKMS crypto key to use for
encryption and decryption.
## Authentication &amp; permissions
You must provide authentication-related values either as environment
variables or as configuration parameters.
GCP authentication values:
- `GOOGLE_CREDENTIALS` or `GOOGLE_APPLICATION_CREDENTIALS`
- `GOOGLE_PROJECT`
- `GOOGLE_REGION`
Note: The client uses the official Google SDK and the specified credentials,
environment credentials, or [application default credentials][] in that order,
if you do not provide the aforementioned GCP-specific values.
The service account needs the following minimum permissions on the crypto key:
```text
cloudkms.cryptoKeyVersions.useToEncrypt
cloudkms.cryptoKeyVersions.useToDecrypt
cloudkms.cryptoKeys.get
```
These permissions can be described with the following role:
```text
roles/cloudkms.cryptoKeyEncrypterDecrypter
cloudkms.cryptoKeys.get
```
Use `cloudkms.cryptoKeys.get` permission for retrieving metadata information of
keys from CloudKMS within this engine initialization process.
## Key rotation
This keyring supports rotating keys defined in Google Cloud KMS
[doc][rotating_keys]. Both scheduled rotation and manual rotation is supported
for CKMS since the key information. Old keys version must not be disabled or
deleted and are used to decrypt older data. Any new or updated data is encrypted
with the primary key version.
[application default credentials]: https://developers.google.com/identity/protocols/application-default-credentials
[rotating_keys]: https://cloud.google.com/kms/docs/rotating-keys
Reference in New Issue View Git Blame Copy Permalink