Update awskms seal docs (#5618)
The seal already supported an endpoint configuration, but it wasn't
documented, so adding the docs for it. Also adding a note on required
KMS permissions.
joelthompson authored and chrishoffman committed Oct 26, 2018
1 parent 5274fe8 commit 92c7072
Showing 1 changed file with 17 additions and 1 deletion.
18 changes: 17 additions & 1 deletion website/source/docs/configuration/seal/awskms.html.md
Expand Up @@ -31,6 +31,7 @@ seal "awskms" {
access_key = "AKIAIOSFODNN7EXAMPLE"
secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
kms_key_id = "19ec80b0-dfdd-4d97-8164-c6examplekey"
endpoint = "https://vpce-0e1bb1852241f8cc6-pzi0do8n.kms.us-east-1.vpce.amazonaws.com"
}
```
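Review bot: The `endpoint` value added to the example stanza reads like a real VPC endpoint hostname (`vpce-0e1bb1852241f8cc6-pzi0do8n.kms.us-east-1.vpce.amazonaws.com`), whereas every other value in the same block is an obvious placeholder (`AKIAIOSFODNN7EXAMPLE`, `c6examplekey`). Consider an equally obvious fake endpoint ID so readers do not paste it verbatim, and keep the `https://` scheme in the example so the parameter description can point at it as the expected form.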

Expand All @@ -55,6 +56,12 @@ These parameters apply to the `seal` stanza in the Vault configuration file:
and decryption. May also be specified by the `VAULT_AWSKMS_SEAL_KEY_ID`
environment variable.

- `endpoint` `(string: "")`: The KMS API endpoint to be used to make AWS KMS
requests. May also be specified by the `AWS_KMS_ENDPOINT` environment
variable. This is useful, for example, when connecting to KMS over a [VPC
Endpoint](https://docs.aws.amazon.com/kms/latest/developerguide/kms-vpc-endpoint.html).
If not set, Vault will use the default API endpoint for your region.

## Authentication

Authentication-related values must be provided, either as environment
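Review bot: The environment variable named here, `AWS_KMS_ENDPOINT`, breaks the `VAULT_AWSKMS_SEAL_` prefix convention visible just above it (`VAULT_AWSKMS_SEAL_KEY_ID`). If that is the name the seal code already reads, say so explicitly so nobody assumes `VAULT_AWSKMS_SEAL_ENDPOINT`; if the name is still free to choose, the prefixed form would be more consistent. Two small additions would also help: state that the value is a full URL including scheme (as in the example), and that the endpoint must belong to the same region the seal is configured for, since the fallback is "the default API endpoint for your region". Finally, the `## awskms Environment Variables` section further down appears only as unchanged context in this diff, so the new variable is not listed there; it should be.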
Expand All @@ -77,6 +84,15 @@ credentials, environment credentials, shared file credentials, or IAM role/ECS
task credentials in that order, if the above AWS specific values are not
provided.

Vault needs the following permissions on the KMS key:

* `kms:Encrypt`
* `kms:Decrypt`
* `kms:DescribeKey`

These can be granted via IAM permissions on the principal that Vault uses, on
the KMS key policy for the KMS key, or via KMS Grants on the key.

## `awskms` Environment Variables

Alternatively, the AWS KMS seal can be activated by providing the following
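Review bot: The permissions list should say which key(s) it applies to. The Key Rotation section below states that old keys remain in use for decrypting older data, so `kms:Decrypt` (and `kms:DescribeKey`) must stay granted on every key the seal has ever used, not only the current `kms_key_id`; a reader who scopes access to just the current key will break unseal after a rotation. It is also worth recommending that the IAM statement restrict `Resource` to the specific key ARN(s) rather than `*`, since `kms:Encrypt`/`kms:Decrypt` across all keys in the account is far more than the seal needs.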
Expand All @@ -96,4 +112,4 @@ This seal supports rotating the master keys defined in AWS KMS
rotation and manual rotation is supported for KMS since the key information is stored with the
encrypted data. Old keys must not be disabled or deleted and are used to decrypt older data.
Any new or updated data will be encrypted with the current key defined in the seal configuration
or set to current under a key alias.
or set to current under a key alias.
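Review bot: The `-96,4 +112,4` hunk shows no visible text difference on the final line (`or set to current under a key alias.` on both sides), so this is presumably an end-of-file newline or trailing-whitespace fix. Fine to keep, but worth confirming it is intentional rather than an editor artifact, and, if the file now ends with a newline, that is the convention the rest of the docs follow.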
