HashiDays One conference. Three cities. Find a city near you
Nomad
Nomad Home

gcpckms keyring

The GCP Cloud KMS keyring configures Nomad to use GCP Cloud KMS to wrap its keyring. This example shows configuring GCP Cloud KMS keyring through the Nomad configuration file by providing all the required values:

keyring "gcpckms" {
  active = true
  name   = "example"

  credentials = "/etc/nomad.d/nomad-user-creds.json"
  project     = "nomad-project"
  region      = "global"
  key_ring    = "nomad-keyring"
  crypto_key  = "nomad-key"
}

gcpckms parameters

These parameters apply to the keyring stanza in the Nomad configuration file:

  • credentials (string: <required>): The path to the credentials JSON file to use. May be also specified by the GOOGLE_CREDENTIALS or GOOGLE_APPLICATION_CREDENTIALS environment variable or set automatically if running under Google App Engine, Google Compute Engine or Google Kubernetes Engine.

  • project (string: <required>): The GCP project ID to use. May also be specified by the GOOGLE_PROJECT environment variable.

  • region (string: <required>): The GCP region/location where the key ring lives. May also be specified by the GOOGLE_REGION environment variable.

  • key_ring (string: <required>): The GCP CKMS key ring to use.

  • crypto_key (string: <required>): The GCP CKMS crypto key to use for encryption and decryption.

Authentication & permissions

Authentication-related values must be provided, either as environment variables or as configuration parameters.

GCP authentication values:

Note: The client uses the official Google SDK and will use the specified credentials, environment credentials, or application default credentials in that order, if the above GCP specific values are not provided.

The service account needs the following minimum permissions on the crypto key:

cloudkms.cryptoKeyVersions.useToEncrypt
cloudkms.cryptoKeyVersions.useToDecrypt
cloudkms.cryptoKeys.get

These permissions can be described with the following role:

roles/cloudkms.cryptoKeyEncrypterDecrypter
cloudkms.cryptoKeys.get

cloudkms.cryptoKeys.get permission is used for retrieving metadata information of keys from CloudKMS within this engine initialization process.

Key rotation

This keyring supports rotating keys defined in Google Cloud KMS doc. Both scheduled rotation and manual rotation is supported for CKMS since the key information. Old keys version must not be disabled or deleted and are used to decrypt older data. Any new or updated data will be encrypted with the primary key version.

Edit this page on GitHub