配置
此页面提供有关 KES 客户端和 KES 服务器的 KES 配置选项的信息。
KES 客户端
作为基本标准配置,KES 客户端需要知道
- KES 服务器端点
- KES 客户端自己的客户端证书
- 与客户端证书相对应的私钥
您可以通过多种方式提供这些值,例如通过命令行中的环境变量或通过软件开发工具包。
命令行
从命令行,使用以下环境变量来定义三个基本设置。
- KES 服务器端点
export KES_SERVER=https://127.0.0.1:7373 - 客户端 X.509 证书
export KES_CLIENT_CERT=$HOME/root.cert - 与证书中嵌入的公钥相对应的私钥
export KES_CLIENT_KEY=$HOME/root.key
SDK
使用 SDK 时,请提供服务器端点并获取客户端的私钥和证书。
package main
import (
"crypto/tls"
"log"
"github.com/minio/kes"
)
func main() {
const (
endpoint = "https://127.0.0.1:7373"
certFile = "./root.cert"
keyFile = "./root.key"
)
certificate, err := tls.LoadX509KeyPair(certFile, keyFile)
if err != nil {
log.Fatalln(err)
}
client := kes.NewClient(endpoint, certificate)
// now use the client to perform operations...
_ = client
}
KES 服务器
KES 服务器需要四部分信息作为基本配置。
- 用于监听传入请求的 TCP 地址(即 IP 地址和端口)。
- X.509 证书。
- 相应的私钥。
- 根身份。
您可以使用命令行 (CLI) 标志或配置文件指定这些参数。如果您同时在命令行和配置文件中设置了某个参数,则命令行设置优先。
如果您未指定 TCP 地址,则 KES 服务器将在端口 `7373` 上的所有可用网络接口上监听。
以下命令启动一个 KES 服务器,在端口 `7373` 上所有网络接口上监听,使用 X.509 TLS 证书 `server.crt`、相应的私钥 `server.key`,以及从环境变量 `$ROOT_IDENTITY` 中获取的根身份。
kes server --cert server.crt --key private.key --root $ROOT_IDENTITY
配置文件
使用 YAML 配置文件自定义 KES 服务器行为。
配置文件分为多个部分。
- 一个通用服务器配置部分,包括服务器地址和根身份。
- 一个 TLS 部分,用于指定服务器密钥/证书和 TLS 代理配置。
- 一个 API 部分,用于启用或禁用特定端点的身份验证。
- 一个 策略部分,用于控制谁可以执行各种 API 操作。
- 一个 缓存部分,用于控制 KES 服务器在内存中缓存密钥的时间长度。
- 一个 日志记录部分,用于控制哪些日志消息写入 `STDOUT` 和 `STDERR`。
- 一个 KMS/密钥存储部分,指定存储和获取密钥的位置。
TLS 配置
使用 TLS 配置部分指定 KES 服务器的 X.509 证书和相应的私钥。
tls:
cert: server.crt
key: server.key
此外,您还可以选择在此部分配置 TLS 代理。有关更多信息,请参阅单独的 TLS 代理页面。
API 配置
默认情况下,KES 要求所有 API 调用都具有有效的 TLS 证书。您可以更改特定 API 端点的此行为,以允许在没有证书的情况下向端点发送请求。
KES API 端点的默认行为应该适用于大多数情况。仅在特定需要时自定义端点。
当您为至少一个端点禁用身份验证时,KES 将不再要求客户端调用 *任何* API 端点时都必须提供证书。但是,请求仍然必须包含证书,才能使 KES 成功处理对需要身份验证的任何 API 端点的调用。
此更改意味着,在至少配置了一个端点以禁用身份验证的 KES 服务器上,客户端不会收到 TLS 错误,而是收到 HTTP 错误。
您可以为以下 API 端点禁用身份验证:
/v1/ready/v1/status/v1/metrics/v1/api
例如,要跳过允许就绪探测和状态检查的端点的身份验证,请将以下内容添加到配置文件中:
api:
/v1/ready:
skip_auth: true
timeout: 15s
/v1/ready:
skip_auth: false
timeout: 15s
有关 KES API 的信息,请参阅 链接文本。
缓存配置
使用缓存配置部分指定 KES 服务器如何缓存从外部 KMS 获取的密钥。
cache:
expiry:
any: 5m0s
unused: 20s
通过为 `any` 缓存的密钥或 `unused` 缓存的密钥指定不同的过期值,来控制 KES 服务器必须多久从外部 KMS 获取一次密钥。
例如,`any: 5m0s` 表示 KES 服务器每 5 分钟清除一次内存缓存。`unused: 20s` 表示 KES 服务器将从缓存中删除任何在过去 20 秒内未使用的密钥。
缓存过期值的选取是在安全性与性能之间进行权衡。通过设置 `any: 1m0s`,与 `any: 5m0s` 相比,KES 服务器必须更频繁地与外部 KMS 通信 5 倍。但是,`any: 1m0s` 设置减少了 KES 服务器在没有外部 KMS 控制的情况下可以运行的时间。
以下值可以帮助您做出决策。
| 安全级别 | any | unused |
|---|---|---|
| 宽松 | 5m0s |
30s |
| 中等 | 1m0s |
20s |
| 严格 | 30s |
5s |
日志记录配置
使用日志配置部分指定哪些日志事件写入 `STDOUT` 或 `STDERR`。KES 服务器区分错误和审计日志事件。默认情况下,服务器将错误事件写入 `STDERR`,但不将审计事件记录到 `STDOUT`。
通常,错误事件表示发生了一些配置或操作错误。例如,当从 KMS 获取密钥因意外原因失败时,KES 服务器会记录错误事件。
每当 KES 服务器接受客户端请求时,都会生成一个审计事件。审计事件描述请求-响应对,并包含有关谁发出了请求的信息。
log:
error: on # To disable error logging to STDERR - explicitly set it to off
audit: off # To enable audit logging to STDOUT - explicitly set it to on
`log` 部分 **仅** 控制事件记录到 `STDOUT` 和 `STDERR`。KES 服务器还通过 API 提供审计和错误日志跟踪,使用 ` /v1/log/audit/trace` 和 ` /v1/log/error/trace`。
具有足够权限的客户端可以在任何时间订阅审计或错误日志。
策略配置
在策略配置部分,您定义策略和基于身份的访问控制规则。策略部分可以包含任意多个策略定义。每个策略必须具有唯一的名称 - 例如 `my-policy`。让我们来看一个策略示例。
policy:
my-policy:
allow:
- /v1/key/create/my-key
- /v1/key/generate/my-key
- /v1/key/decrypt/my-key
deny:
- /v1/key/*/my-key-internal
策略通过其 API 允许和拒绝规则显式地允许 API 操作。每个规则都是一个 `glob` 模式。客户端请求必须匹配 **至少一个** 允许规则并且 **不匹配** 任何拒绝规则。否则,服务器将拒绝请求。
KES 服务器评估策略如下:
- 评估所有拒绝模式。如果任何拒绝模式匹配,则使用 `prohibited by policy` 错误拒绝请求。
- 评估所有允许模式。如果至少有一个允许模式匹配,则 KES 接受请求。
- 如果没有允许模式匹配,则使用 `prohibited by policy` 错误拒绝请求。
不需要拒绝特定的 API 操作。相反,仅对细粒度访问控制使用拒绝规则。KES 服务器拒绝策略未显式允许的任何 API 操作。显式拒绝规则优先于允许规则。
前面讨论的策略 `my-policy` 授予对 ` /v1/key` API 的访问权限。特别是,该策略允许三个操作:`create`、`generate` 和 `decrypt`。但是,只能使用密钥 `my-key`。因此,`my-policy` 策略具有以下语义:
| 请求 | 响应 | 原因 |
|---|---|---|
/v1/key/create/my-key |
允许 | 请求路径匹配第一个策略路径 |
/v1/key/generate/my-key |
允许 | 请求路径匹配第二个策略路径 |
/v1/key/create/my-key2 |
拒绝 | `my-key2` 不匹配 `my-key` |
/v1/key/delete/my-key |
拒绝 | `delete` 不匹配 `create`、`generate` 或 `decrypt` |
/v1/policy/write/my-policy |
拒绝 | `policy` 不匹配 `key` |
/v0/key/create/my-key |
拒绝 | `v0` 不匹配 `v1` |
指定确切的请求路径非常不灵活。因此,策略路径是一个 glob 模式。让我们将 `my-policy` 策略调整如下:
policy:
my-policy:
allow:
- /v1/key/create/my-key*
- /v1/key/generate/my-key*
- /v1/key/decrypt/my-key*
- /v1/key/delete/my-key
deny:
- /v1/key/*/my-key-internal
现在,`my-policy` 策略将具有以下语义:
| 请求 | 响应 | 原因 |
|---|---|---|
/v1/key/create/my-key |
允许 | 请求路径匹配第一个策略路径 |
/v1/key/generate/my-key |
允许 | 请求路径匹配第二个策略路径 |
/v1/key/create/my-key2 |
允许 | 请求路径匹配第一个策略路径 |
/v1/key/delete/my-key |
允许 | 请求路径匹配第四个策略路径 |
/v1/key/delete/my-key2 |
拒绝 | `delete/my-key2` 不匹配 `delete/my-key`(没有 `*`) |
/v1/key/decrypt/my-key-internal |
拒绝 | `decrypt/my-key-internal` 被显式拒绝 |
通过使用 glob 模式,策略非常灵活,但仍然易于人类阅读。
例如:
- ` /v1/key/create/*`:允许创建具有任意名称的密钥。
- ` /v1/key/*/my-key`:允许对密钥 `my-key` 执行所有密钥 API 操作(`create`、`generate` 等)。
/v1/key/*/*:允许对任何密钥执行所有密钥 API 操作。
例如,在上面更新的策略示例中,拒绝规则/v1/key/*/my-key-internal拒绝使用密钥my-key-internal执行任何 API 操作。
请注意,全局通配符(* 或 ?)仅适用于当前路径段。/v1/key/* 和 /v1/key/*/* 不相同。第一个规则允许任意密钥 API 操作,但仅限于空密钥名称。第二个规则允许对任意密钥执行任意密钥 API 操作。
有关更多详细信息,请参阅服务器 API 页面上的完整列表。
策略和标识
使用策略部分定义哪个策略适用于哪个身份。可以根据 X.509 证书计算身份,如下所示
kes identity of <path-to-certificate-file>
您可以在策略部分将一个或多个身份分配给策略。您可以通过两种方式指定身份
- 插入身份本身
- 指定环境变量名称
如果使用环境变量,KES 服务器将在启动时插入值。
policy:
my-policy:
allow:
- /v1/key/create/my-key
- /v1/key/generate/my-key
- /v1/key/decrypt/my-key
identities:
- 3ecfcdf38fcbe141ae26a1030f81e96b753365a46760ae6b578698a97c59fd22
- ${MY_APP_IDENTITY}
您必须在启动服务器之前设置所有预期的环境变量。即使环境变量不存在或不包含“有效”身份,服务器也会启动。
密钥配置
使用密钥配置部分声明在 KES 服务器开始接受请求之前应该存在的加密密钥。
keys:
- name: "my-key"
- name: "my-key-2"
在启动时,KES 服务器确保指定的密钥存在。KES 服务器会在接受客户端请求之前尝试创建任何不存在的密钥,如果创建密钥失败,则退出。
KMS 配置
使用 KMS/密钥存储配置部分指定 KES 服务器存储和获取主密钥的位置。这应该是一个提供安全存储元素或加密密钥存储的 KMS。但是,为了进行测试和开发,您可以将主密钥存储在内存中或文件系统上。
如果未在配置文件中指定 KMS/密钥存储,则 KES 服务器会在内存中创建主密钥。这仅适用于测试或开发设置,因为在重新启动服务器时所有主密钥都会丢失。
要创建持久性测试或开发设置,请在配置文件中指定文件系统密钥存储
keystore:
fs:
path: ./keys # The key store directory. Keys will be created inside ./keys/
对于生产设置,请使用由 KMS 支持的安全密钥存储,例如Hashicorp Vault。
示例配置文件
以下 yaml 文件提供了一个带有使用说明的示例配置文件。有关最新的示例文件,请参阅GitHub 存储库。
# The config file version. Currently this field is optional but future
# KES versions will require it. The only valid value is "v1".
version: v1
# The TCP address (ip:port) for the KES server to listen on.
address: 0.0.0.0:7373 # The pseudo address 0.0.0.0 refers to all network interfaces
admin:
# The admin identity identifies the public/private key pair
# that can perform any API operation.
# The admin account can be disabled by setting a value that
# cannot match any public key - for example, "foobar" or "disabled".
identity: c84cc9b91ae2399b043da7eca616048d4b4200edf2ff418d8af3835911db945d
# The TLS configuration for the KES server. A KES server
# accepts HTTP only over TLS (HTTPS). Therefore, a TLS
# private key and public certificate must be specified,
# either here as part of the config file or via CLI arguments.
tls:
key: ./server.key # Path to the TLS private key
cert: ./server.cert # Path to the TLS certificate
password: "" # An optional password to decrypt the TLS private key
# Specify how/whether the KES server verifies certificates presented
# by clients. Valid values are "on" and "off". Defaults to off, which
# is recommended for most use cases.
auth: ""
# An optional path to a file or directory containing X.509 certificate(s).
# If set, the certificate(s) get added to the list of CA certificates for
# verifying the mTLS certificates sent by the KES clients.
#
# If empty, the system root CAs will be used.
ca: ""
# The TLS proxy configuration. A TLS proxy, like nginx, sits in
# between a KES client and the KES server and usually acts as a
# load balancer or common endpoint.
# All connections from the KES client to the TLS proxy as well
# the connections from the TLS proxy to the KES server must be
# established over TLS.
proxy:
# The identities of all TLS proxies directly connected to the
# KES server.
#
# Note that a TLS proxy can act as any identity (including root)
# since it can forward arbitrary client certificates. Client certificates
# aren't secret information and a malicious TLS proxy can fake any
# identity it has seen before. Therefore, its critical that all TLS proxy
# identities are secure and trusted servers.
identities: []
# The HTTP header sent by the TLS proxy to forward certain data
# about the client to the KES server.
header:
# The HTTP header containing the URL-escaped and PEM-encoded
# certificate of the kes client forwarded by the TLS proxy.
cert: X-Tls-Client-Cert
# The API configuration. The APIs exposed by the KES server can
# be adjusted here. Each API is identified by its API path.
#
# In general, the KES server uses reasonable defaults for all APIs.
# Only customize the APIs if there is a real need.
#
# Disabling authentication for an API must be carefully evaluated.
# One example, when disabling authentication may be justified, would
# be the liveness and readiness probes in a Kubernetes environment.
#
# When authentication is disabled, the particular API can be
# accessed by any client that can send HTTPS requests to the
# KES server.
#
# When disabling authentication for any API, the KES server will
# change its TLS handshake behavior. By default, KES requires that
# a client sends a client certificate during the handshake or KES
# aborts the handshake. This means that a client can only send an
# HTTP request to KES when it provides a certificate during the
# handshake. This is no longer the case when authentication is
# disabled for at least one API. Clients should be able to call
# the API even without a certificate. Hence, KES can no longer
# require a certificate during the TLS handshake but instead has
# to check the certificate when executing the API handler.
#
# Now, these two behaviors have slightly different semantics:
# By default, KES does not accept connections from clients without
# a TLS certificate. When disabling authentication for one API, KES
# has to accept connections from any client for all APIs. However,
# the API handlers that still require authentication will reject
# requests from clients without a certificate. Instead of a TLS
# error these clients will receive an HTTP error.
#
# Currently, authentication can only be disabled for the
# following APIs:
# - /v1/ready
# - /v1/status
# - /v1/metrics
# - /v1/api
#
api:
/v1/ready:
skip_auth: false
timeout: 15s
# The (pre-defined) policy definitions.
#
# A policy must have an unique name (e.g my-app) and specifies which
# server APIs can be accessed. An API path pattern is a glob pattern
# of the following form:
# <API-version>/<API>/<operation>/[<argument-0>/<argument-1>/...]>
#
# Each KES server API has an unique path - for example, /v1/key/create/<key-name>.
# A client request is allowed if and only if no deny pattern AND at least one
# allow pattern matches the request URL path.
#
# A policy has zero (by default) or more assigned identities. However,
# an identity can never be assigned to more than one policy at the same
# time. So, one policy has N assigned identities but one identity is
# assigned to at most one policy.
#
# In general, each user/application should only have the minimal
# set of policy permissions to accomplish whatever it needs to do.
# Therefore, it is recommended to define policies based on workflows
# and then assign them to the identities.
# The following policy section shows some example policy definitions.
# Please remove/adjust to your needs.
policy:
my-app:
allow:
- /v1/key/create/my-app*
- /v1/key/generate/my-app*
- /v1/key/decrypt/my-app*
deny:
- /v1/key/generate/my-app-internal*
- /v1/key/decrypt/my-app-internal*
identities:
- df7281ca3fed4ef7d06297eb7cb9d590a4edc863b4425f4762bb2afaebfd3258
- c0ecd5962eaf937422268b80a93dde4786dc9783fb2480ddea0f3e5fe471a731
my-app-ops:
allow:
- /v1/key/delete/my-app*
- /v1/policy/show/my-app
- /v1/identity/assign/my-app/*
identities:
- 7ec8095a5308a535b72b35c7ccd4ce1d7c14af713acd22e2935a9d6e4fe18127
cache:
# Cache expiry specifies when cache entries expire.
expiry:
# Period after which any cache entries are discarded.
# It determines how often the KES server has to fetch
# a secret key from the KMS.
#
# If not set, KES will default to an expiry of 5 minutes.
any: 5m0s
# Period after which all unused cache entries are discarded.
# It determines how often "not frequently" used secret keys
# must be fetched from the KMS.
#
# If not set, KES will default to an expiry of 30 seconds.
unused: 20s
# Period after which any cache entries in the offline cache
# are discarded.
# It determines how long the KES server can serve stateless
# requests when the KMS key store has become unavailable -
# for example, due to a network outage.
#
# If not set, KES will disable the offline cache.
#
# Offline caching should only be enabled when trying to
# reduce the impact of the KMS key store being unavailable.
offline: 0s
# The console logging configuration. In general, the KES server
# distinguishes between (operational) errors and audit events.
# By default, the KES server logs error events to STDERR but
# does not log audit log events to STDOUT.
#
# The following log configuration only affects logging to console.
log:
# Enable/Disable logging error events to STDERR. Valid values
# are "on" or "off". If not set the default is "on". If no error
# events should be logged to STDERR it has to be set explicitly
# to: "off".
error: on
# Enable/Disable logging audit events to STDOUT. Valid values
# are "on" and "off". If not set the default is "off".
# Logging audit events to STDOUT may flood your console since
# there will be one audit log event per request-response pair.
#
# For tracing/monitoring audit logs take a look at the
# /v1/log/audit/trace API.
#
# Each audit event is a JSON object representing a request-response
# pair that contains the time, client identity, the API path, HTTP
# response status code etc.
# {
# "time": "2006-01-02T15:04:05Z07:00",
# "request": {
# "ip": "87.149.99.199",
# "path": "/v1/key/create/my-app-key",
# "identity": "4067503933d4a78358f908a2df7ec14e554c612acf8a9d1aa29b7da4aa018ec9",
# },
# "response": {
# "status": 200
# }
# }
# The server will write such an audit log entry for every HTTP
# request-response pair - including invalid requests.
audit: off
# In the keys section, pre-defined keys can be specified. The KES
# server will try to create the listed keys before startup.
keys:
- name: some-key-name
- name: another-key-name
# The keystore section specifies which KMS - or in general key store - is
# used to store and fetch encryption keys.
# A KES server can only use one KMS / key store at the same time.
# If no store is explicitly specified the server will use store
# keys in-memory. In this case all keys are lost when the KES server
# restarts.
keystore:
# Configuration for storing keys on the filesystem.
# The path must be path to a directory. If it doesn't
# exist then the KES server will create the directory.
#
# The main purpose of the fs configuration is testing
# and development. It should not be used for production.
fs:
path: "" # Path to directory. Keys will be stored as files.
# Hashicorp Vault configuration. The KES server will store/fetch
# secret keys at/from Vault's key-value backend.
#
# For more information take a look at:
# https://www.vaultproject.io/api/secret/kv/kv-v1.html
vault:
endpoint: "" # The Vault endpoint - for example, https://127.0.0.1:8200
engine: "" # The path of the K/V engine - for example, secrets. If empty, defaults to: kv. (Vault default)
version: "" # The K/V engine version - either "v1" or "v2". The "v1" engine is recommended.
namespace: "" # An optional Vault namespace. See: https://www.vaultproject.io/docs/enterprise/namespaces/index.html
prefix: "" # An optional K/V prefix. The server will store keys under this prefix.
transit: # Optionally encrypt keys stored on the K/V engine with a Vault-managed key.
engine: "" # The path of the transit engine - for example, "my-transit". If empty, defaults to: transit (Vault default)
key: "" # The key name that should be used to encrypt entries stored on the K/V engine.
approle: # AppRole credentials. See: https://www.vaultproject.io/docs/auth/approle.html
namespace: "" # Optional Vault namespace used only for authentication. For the Vault root namespace, use "/".
engine: "" # The path to the AppRole engine, for example: authenticate. If empty, defaults to: approle. (Vault default)
id: "" # Your AppRole Role ID
secret: "" # Your AppRole Secret ID
kubernetes: # Kubernetes credentials. See: https://www.vaultproject.io/docs/auth/kubernetes
namespace: "" # Optional Vault namespace used only for authentication. For the Vault root namespace, use "/".
engine: "" # The path to the Kubernetes engine, for example: authenticate. If empty, defaults to: kubernetes. (Vault default)
role: "" # The Kubernetes JWT role
jwt: "" # Either the JWT provided by K8S or a path to a K8S secret containing the JWT.
tls: # The Vault client TLS configuration for mTLS authentication and certificate verification
key: "" # Path to the TLS client private key for mTLS authentication to Vault
cert: "" # Path to the TLS client certificate for mTLS authentication to Vault
ca: "" # Path to one or more PEM root CA certificates
status: # Vault status configuration. The server will periodically reach out to Vault to check its status.
ping: 10s # Duration until the server checks Vault's status again.
fortanix:
# The Fortanix SDKMS key store. The server will store secret keys at the Fortanix SDKMS.
# See: https://www.fortanix.com/products/data-security-manager/key-management-service
sdkms:
endpoint: "" # The Fortanix SDKMS endpoint - for example: https://sdkms.fortanix.com
group_id: "" # An optional group ID newly created keys will be placed at. For example: ce08d547-2a82-411e-ae2d-83655a4b7617
# If empty, the applications default group is used.
credentials: # The Fortanix SDKMS access credentials
key: "" # The application's API key - for example: NWMyMWZlNzktZDRmZS00NDFhLWFjMzMtNjZmY2U0Y2ViMThhOnJWQlh0M1lZaDcxZC1NNnh4OGV2MWNQSDVVSEt1eXEyaURqMHRrRU1pZDg=
tls: # The KeySecure client TLS configuration
ca: "" # Path to one or more PEM-encoded CA certificates for verifying the Fortanix SDKMS TLS certificate.
aws:
# The AWS SecretsManager key store. The server will store
# secret keys at the AWS SecretsManager encrypted with
# AWS-KMS. See: https://aws.amazon.com/secrets-manager
secretsmanager:
endpoint: "" # The AWS SecretsManager endpoint - for example, secretsmanager.us-east-2.amazonaws.com
region: "" # The AWS region of the SecretsManager - for example, us-east-2
kmskey: "" # The AWS-KMS key ID used to en/decrypt secrets at the SecretsManager. By default (if not set) the default AWS-KMS key will be used.
credentials: # The AWS credentials for accessing secrets at the AWS SecretsManager.
accesskey: "" # Your AWS Access Key
secretkey: "" # Your AWS Secret Key
token: "" # Your AWS session token (usually optional)
gemalto:
# The Gemalto KeySecure key store. The server will store
# keys as secrets on the KeySecure instance.
keysecure:
endpoint: "" # The KeySecure endpoint - for example, https://127.0.0.1
credentials: # The authentication to access the KeySecure instance.
token: "" # The refresh token to obtain new short-lived authentication tokens.
domain: "" # The KeySecure domain for which the refresh token is valid. If empty, defaults to the root domain.
retry: 15s # The time the KES server waits before it tries to re-authenticate after connection loss.
tls: # The KeySecure client TLS configuration
ca: "" # Path to one or more PEM-encoded CA certificates for verifying the KeySecure TLS certificate.
gcp:
# The Google Cloud Platform secret manager.
# For more information take a look at:
# https://cloud.google.com/secret-manager
secretmanager:
# The project ID is a unique, user-assigned ID that can be used by Google APIs.
# The project ID must be a unique string of 6 to 30 lowercase letters, digits, or hyphens.
# It must start with a letter, and cannot have a trailing hyphen.
# See: https://cloud.google.com/resource-manager/docs/creating-managing-projects#before_you_begin
project_id: ""
# An optional GCP SecretManager endpoint. If not set, defaults to: secretmanager.googleapis.com:443
endpoint: ""
# An optional list of GCP OAuth2 scopes. For a list of GCP scopes refer to: https://developers.google.com/identity/protocols/oauth2/scopes
# If not set, the GCP default scopes are used.
scopes:
- ""
# The credentials for your GCP service account. If running inside GCP (app engine) the credentials
# can be empty and will be fetched from the app engine environment automatically.
credentials:
client_email: "" # The service account email - for example, <account>@<project-ID>.iam.gserviceaccount.com
client_id: "" # The service account client ID - for example, 113491952745362495489"
private_key_id: "" # The service account private key - for example, 381514ebd3cf45a64ca8adc561f0ce28fca5ec06
private_key: "" # The raw encoded private key of the service account - for example, "-----BEGIN PRIVATE KEY-----\n ... \n-----END PRIVATE KEY-----\n
azure:
# The Azure KeyVault configuration.
# For more information take a look at:
# https://azure.microsoft.com/services/key-vault
keyvault:
endpoint: "" # The KeyVault endpoint - for example, https://my-instance.vault.azure.net
# Azure client credentials used to
# authenticate to Azure KeyVault.
credentials:
tenant_id: "" # The ID of the tenant the client belongs to - that is, a UUID.
client_id: "" # The ID of the client - that is, a UUID.
client_secret: "" # The value of the client secret.
# Azure managed identity used to
# authenticate to Azure KeyVault
# with Azure managed credentials.
managed_identity:
client_id: "" # The Azure managed identity of the client - that is, a UUID.
entrust:
# The Entrust KeyControl configuration.
# For more information take a look at:
# https://www.entrust.com/digital-security/key-management/keycontrol
keycontrol:
endpoint: "" # The KeyControl endpoint - for example, https://keycontrol.my-org.com
vault_id: "" # The Vault ID - for example, e30497c1-bff7-4e81-beb7-fb35c4b7410c
box_id: "" # The Box name or ID - for example, tenant-1
# The KeyControl access credentials
credentials:
username: "" # A username with access to the Vault and Box.
password: "" # The user password
# The KeyControl client TLS configuration
tls:
ca: "" # Path to one or more PEM-encoded CA certificates for verifying the KeyControl TLS certificate.