Google Cloud Platform Key Management Service Keyring Configuration
This page provides reference information for configuring a Google Cloud Platform
Key Management Service (GCP Cloud KMS) keyring in the keyring "gcpckms"
block
of a Nomad agent configuration. Configure GCP credentials, project, region, key
ring, and crypto key. Learn how Nomad supports rotating keys defined in GCP
Cloud KMS.
The GCP Cloud KMS keyring configures Nomad to use GCP Cloud KMS to wrap its keyring. This example shows configuring GCP Cloud KMS keyring through the Nomad configuration file by providing all the required values.
keyring "gcpckms" { active = true name = "example" credentials = "/etc/nomad.d/nomad-user-creds.json" project = "nomad-project" region = "global" key_ring = "nomad-keyring" crypto_key = "nomad-key"}
gcpckms
parameters
These parameters apply to the keyring
stanza in the Nomad configuration file:
credentials
(string: <required>)
: The path to the credentials JSON file to use. Alternately specify via theGOOGLE_CREDENTIALS
orGOOGLE_APPLICATION_CREDENTIALS
environment variable or set automatically if running under Google Compute Engine.project
(string: <required>)
: The GCP project ID to use. Alternately specify via theGOOGLE_PROJECT
environment variable.region
(string: <required>)
: The GCP region/location where the key ring lives. Alternately specify via theGOOGLE_REGION
environment variable.key_ring
(string: <required>)
: The GCP KMS key ring to use.crypto_key
(string: <required>)
: The GCP KMS crypto key to use for encryption and decryption.
Authentication & permissions
You must provide authentication-related values either as environment variables or as configuration parameters.
GCP authentication values:
GOOGLE_CREDENTIALS
orGOOGLE_APPLICATION_CREDENTIALS
GOOGLE_PROJECT
GOOGLE_REGION
Note: The client uses the official Google SDK and the specified credentials, environment credentials, or application default credentials in that order, if you do not provide the aforementioned GCP-specific values.
The service account needs the following minimum permissions on the crypto key:
cloudkms.cryptoKeyVersions.useToEncryptcloudkms.cryptoKeyVersions.useToDecryptcloudkms.cryptoKeys.get
These permissions can be described with the following role:
roles/cloudkms.cryptoKeyEncrypterDecryptercloudkms.cryptoKeys.get
Use cloudkms.cryptoKeys.get
permission for retrieving metadata information of
keys from CloudKMS within this engine initialization process.
Key rotation
This keyring supports rotating keys defined in Google Cloud KMS doc. Both scheduled rotation and manual rotation is supported for CKMS since the key information. Old keys version must not be disabled or deleted and are used to decrypt older data. Any new or updated data is encrypted with the primary key version.