Auto Unseal was developed to reduce the operational complexity of keeping the unseal key secure. Here is a sample GCP KMS seal stanza from a Vault configuration file:
seal "gcpckms" {
  credentials = "/Users/owen/vault_gcp/cluster_A/owen-gcp-seal-test-47cdc5f058c6.json"
  project     = "gcp-auto-unseal-test"
  region      = "global"
  key_ring    = "key-ring-1"
  crypto_key  = "key-test-1"
}
The gcpckms parameters are required for using the GCP Cloud KMS seal. This article shows where and how to retrieve these parameters from the GCP console.
1. project: Create a new project or use an existing GCP project.
2. credentials: This parameter is the path to the credentials JSON file associated with your service account. Go to IAM & Admin -> Service Accounts to create an account with at least these minimum permissions on the cryptoKey API:
cloudkms.cryptoKeyVersions.useToEncrypt
cloudkms.cryptoKeyVersions.useToDecrypt
cloudkms.cryptoKeys.get
These permissions can be granted with the following predefined role together with the remaining permission:
roles/cloudkms.cryptoKeyEncrypterDecrypter
cloudkms.cryptoKeys.get
- Create a service account with the above permissions and click on that account in the list
- Select "Create new key"
You will be able to download a credential file in JSON. Save it to a directory on the Vault server; this path is the value of the credentials parameter in the Vault configuration file.
Note: Using service account credentials stores the key file in the local filesystem of the Vault server. To avoid this, Workload Identity Federation is advised.
3. key_ring and crypto_key:
- Enable the Cloud KMS API
- Create a Key Ring
- Select Create to generate the crypto_key.
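As an added preflight check (example code, not from the article or from Vault itself), the following Python validates a gcpckms stanza against the parameters and permissions listed above: it confirms every parameter is present, builds the Cloud KMS resource name that project, region, key_ring and crypto_key address, rejects a credentials file that is not a service-account key, and reports which of the three minimum permissions the service account still lacks. The SAMPLE_STANZA text, its placeholder credentials path and the granted-permission sets are constructed inputs, and the credentials JSON is passed in already parsed.

```python
import re

REQUIRED_PARAMS = ("credentials", "project", "region", "key_ring", "crypto_key")
# Minimum cryptoKey permissions the Vault service account needs.
REQUIRED_PERMS = {"cloudkms.cryptoKeyVersions.useToEncrypt",
                  "cloudkms.cryptoKeyVersions.useToDecrypt",
                  "cloudkms.cryptoKeys.get"}

# Constructed stanza: the article's values with a placeholder credentials path.
SAMPLE_STANZA = '''seal "gcpckms" {
  credentials = "/etc/vault.d/gcp-seal-sa.json"
  project     = "gcp-auto-unseal-test"
  region      = "global"
  key_ring    = "key-ring-1"
  crypto_key  = "key-test-1"
}'''

def parse_seal_stanza(text):
    """Return the key = "value" pairs inside the seal "gcpckms" { ... } block."""
    block = re.search(r'seal\s+"gcpckms"\s*\{(.*?)\}', text, re.S)
    if not block:
        raise ValueError('no seal "gcpckms" stanza found')
    return dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', block.group(1)))

def crypto_key_resource(cfg):
    """Full Cloud KMS resource name that the stanza parameters address."""
    return ("projects/{project}/locations/{region}/keyRings/{key_ring}"
            "/cryptoKeys/{crypto_key}").format(**cfg)

def check_credentials(data):
    """Parsed credentials JSON must be a service-account key, not user creds."""
    if data.get("type") != "service_account" or "client_email" not in data:
        return "credentials file is not a service-account key"
    return None

def missing_permissions(granted):
    """Required permissions the service account has not been granted."""
    return sorted(REQUIRED_PERMS - set(granted))

def preflight(stanza_text, creds, granted):
    """Collect findings; an empty list means stanza, key file and grants look complete."""
    cfg = parse_seal_stanza(stanza_text)
    findings = [f"missing parameter: {p}" for p in REQUIRED_PARAMS if p not in cfg]
    err = check_credentials(creds)
    if err:
        findings.append(err)
    findings += [f"missing permission: {p}" for p in missing_permissions(granted)]
    return findings
```

With only the encrypt/decrypt permissions granted, preflight reports cloudkms.cryptoKeys.get as still missing, which is the case the role-plus-permission note above describes.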
For further details, refer to the Autounseal Using GCP KMS Learn article.
References
- gcpckms Seal
- Auto-unseal using GCP Cloud KMS
- Creating and enabling service accounts for instances
- Creating symmetric encryption keys