You are looking at the documentation of a prior release. To read the documentation of the latest release, please
visit here.
New to KubeVault? Please start here.
To use googleKmsGcs mode specify mode.googleKmsGcs
. In this mode, unseal keys and root token will be stored in Google Cloud Storage and they will be encrypted using google cryptographic keys.
spec:
unsealer:
mode:
googleKmsGcs:
bucket: <bucket_name>
kmsProject: <project_name>
kmsLocation: <location>
kmsKeyRing: <key_ring_name>
kmsCryptoKey: <crypto_key_name>
credentialSecret: <secret_name>
mode.googleKmsGcs
has the following fields:
googleKmsGcs.bucket
is a required field that specifies the name of the bucket to store keys.
spec:
unsealer:
mode:
googleKmsGcs:
bucket: "vault-key-store"
googleKmsGcs.kmsProject
is a required field that specifies the name of the projects under which the keyring is created.
spec:
unsealer:
mode:
googleKmsGcs:
kmsProject: "project"
googleKmsGcs.kmsLocation
is a required field that specifies the location of the keyring.
spec:
unsealer:
mode:
googleKmsGcs:
kmsLocation: "global"
googleKmsGcs.kmsKeyRing
is a required field that specifies the name of the keyring.
spec:
unsealer:
mode:
googleKmsGcs:
kmsKeyRing: "key-ring"
googleKmsGcs.kmsCryptoKey
is a required field that specifies the name of the crypto key.
spec:
unsealer:
mode:
googleKmsGcs:
kmsCryptoKey: "key"
googleKmsGcs.credentialSecret
is an optional field that specifies the name of the secret containing google credentials. If this is not specified, then the instance service account will be used (if it is running on google cloud). The secret contains the following field:
sa.json
spec:
unsealer:
mode:
googleKmsGcs:
credentialSecret: "google-cred"