New to KubeVault? Please start here.
mode.awsKmsSsm
To use awsKmsSsm mode specify mode.awsKmsSsm
. In this mode, unseal keys and root token will be stored in AWS System Manager Parameter store and they will be encrypted using AWS encryption key.
spec:
unsealer:
mode:
awsKmsSsm:
kmsKeyID: <key_id>
region: <region>
ssmKeyPrefix: <key_prefix>
credentialSecret: <secret_name>
endpoint: <vcp-endpoint>
mode.awsKmsSsm
has the following fields:
awsKmsSsm.kmsKeyID
awsKmsSsm.kmsKeyID
is a required field that specifies the ID or ARN of the AWS KMS key to encrypt values.
spec:
unsealer:
mode:
awsKmsSsm:
kmsKeyID: "aaaaa-bbbb-cccc-ddd-eeeeeeee"
awsKmsSsm.region
awsKmsSsm.region
is a required field that specifies the AWS region.
spec:
unsealer:
mode:
awsKmsSsm:
region: "us-east-1"
awsKmsSsm.ssmKeyPrefix
awsKmsSsm.ssmKeyPrefix
is an optional field that specifies the prefix for SSM parameters. If this is not specified, then Unsealer will store parameters at the root of SSM.
spec:
unsealer:
mode:
awsKmsSsm:
ssmKeyPrefix: "/cluster/demo"
awsKmsSsm.credentialSecret
awsKmsSsm.credentialSecret
is an optional field that specifies the name of the secret containing AWS access key and AWS secret key. If this is not specified, then Unsealer will attempt to retrieve credentials from the AWS metadata service. The secret contains the following data fields:
access_key
secret_key
spec:
unsealer:
mode:
awsKmsSsm:
credentialSecret: "aws-cred"