To use awsKmsSsm mode, specify mode.awsKmsSsm. In this mode, the unseal keys and root token are stored in AWS Systems Manager Parameter Store, encrypted with an AWS KMS encryption key.
```yaml
spec:
  unsealer:
    mode:
      awsKmsSsm:
        kmsKeyID: <key_id>
        region: <region>
        ssmKeyPrefix: <key_prefix>
        credentialSecret: <secret_name>
        endpoint: <vcp-endpoint>
```
mode.awsKmsSsm has the following fields:
awsKmsSsm.kmsKeyID is a required field that specifies the ID or ARN of the AWS KMS key to encrypt values.
```yaml
spec:
  unsealer:
    mode:
      awsKmsSsm:
        kmsKeyID: "aaaaa-bbbb-cccc-ddd-eeeeeeee"
```
awsKmsSsm.region is a required field that specifies the AWS region.
```yaml
spec:
  unsealer:
    mode:
      awsKmsSsm:
        region: "us-east-1"
```
awsKmsSsm.ssmKeyPrefix is an optional field that specifies the prefix for SSM parameters. If this is not specified, then Unsealer will store parameters at the root of SSM.
```yaml
spec:
  unsealer:
    mode:
      awsKmsSsm:
        ssmKeyPrefix: "/cluster/demo"
```
awsKmsSsm.credentialSecret is an optional field that specifies the name of the secret containing AWS access key and AWS secret key. If this is not specified, then Unsealer will attempt to retrieve credentials from the AWS metadata service. The secret contains the following data fields:
```yaml
spec:
  unsealer:
    mode:
      awsKmsSsm:
        credentialSecret: "aws-cred"
```
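The credentials behind credentialSecret (or the instance role used when it is omitted) only need access to one KMS key and the parameters under ssmKeyPrefix. The following added example, which is not KubeVault code, derives a scoped IAM policy from the awsKmsSsm fields. Assumptions: the list of IAM actions, the standard `aws` partition, the function name `unsealer_policy`, and the constructed account ID `111122223333`.

```python
import json

# Assumed IAM actions (not listed on the page): encrypt/decrypt with the KMS
# key, and write/read the SSM parameters that hold the encrypted values.
KMS_ACTIONS = ["kms:Encrypt", "kms:Decrypt"]
SSM_ACTIONS = ["ssm:PutParameter", "ssm:GetParameter", "ssm:GetParameters"]


def unsealer_policy(aws_kms_ssm: dict, account_id: str) -> dict:
    """Build an IAM policy scoped to one awsKmsSsm unsealer configuration."""
    for field in ("kmsKeyID", "region"):  # the two required fields
        if not aws_kms_ssm.get(field):
            raise ValueError(f"awsKmsSsm.{field} is required")
    region, key = aws_kms_ssm["region"], aws_kms_ssm["kmsKeyID"]

    # IAM statements identify a KMS key by its key ARN; aliases are rejected.
    if key.startswith("alias/") or (key.startswith("arn:") and ":key/" not in key):
        raise ValueError("use a key ID or key ARN, not an alias")
    key_arn = key if key.startswith("arn:") else (
        f"arn:aws:kms:{region}:{account_id}:key/{key}")

    # Without ssmKeyPrefix the parameters sit at the root of SSM, so the
    # narrowest possible resource is every parameter in the account/region.
    # The wildcard follows the prefix directly because the page does not
    # state the exact parameter names the unsealer writes (assumption).
    prefix = aws_kms_ssm.get("ssmKeyPrefix") or ""
    param_arn = (f"arn:aws:ssm:{region}:{account_id}:"
                 f"parameter/{prefix.lstrip('/')}*")

    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "UnsealKeyCrypto", "Effect": "Allow",
             "Action": KMS_ACTIONS, "Resource": key_arn},
            {"Sid": "UnsealKeyStorage", "Effect": "Allow",
             "Action": SSM_ACTIONS, "Resource": param_arn},
        ],
    }


if __name__ == "__main__":
    # Sample values taken from the field examples above; account ID is constructed.
    cfg = {"kmsKeyID": "aaaaa-bbbb-cccc-ddd-eeeeeeee",
           "region": "us-east-1", "ssmKeyPrefix": "/cluster/demo"}
    print(json.dumps(unsealer_policy(cfg, "111122223333"), indent=2))
```

Setting ssmKeyPrefix is what allows the SSM statement to be narrowed; when it is left out, the resource becomes `parameter/*` and covers every parameter in that account and region.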