New to KubeVault? Please start here.
To use googleKmsGcs mode specify mode.googleKmsGcs. In this mode, unseal keys and root token will be stored in Google Cloud Storage and they will be encrypted using google cryptographic keys.
spec:
unsealer:
mode:
googleKmsGcs:
bucket: <bucket_name>
kmsProject: <project_name>
kmsLocation: <location>
kmsKeyRing: <key_ring_name>
kmsCryptoKey: <crypto_key_name>
credentialSecret: <secret_name>
mode.googleKmsGcs has the following fields:
googleKmsGcs.bucket is a required field that specifies the name of the bucket to store keys.
spec:
unsealer:
mode:
googleKmsGcs:
bucket: "vault-key-store"
googleKmsGcs.kmsProject is a required field that specifies the name of the projects under which the keyring is created.
spec:
unsealer:
mode:
googleKmsGcs:
kmsProject: "project"
googleKmsGcs.kmsLocation is a required field that specifies the location of the keyring.
spec:
unsealer:
mode:
googleKmsGcs:
kmsLocation: "global"
googleKmsGcs.kmsKeyRing is a required field that specifies the name of the keyring.
spec:
unsealer:
mode:
googleKmsGcs:
kmsKeyRing: "key-ring"
googleKmsGcs.kmsCryptoKey is a required field that specifies the name of the crypto key.
spec:
unsealer:
mode:
googleKmsGcs:
kmsCryptoKey: "key"
googleKmsGcs.credentialSecret is an optional field that specifies the name of the secret containing google credentials. If this is not specified, then the instance service account will be used (if it is running on google cloud). The secret contains the following field:
sa.jsonspec:
unsealer:
mode:
googleKmsGcs:
credentialSecret: "google-cred"