From 92c7072bfec2f73ee114bd5d1930f1147d6c15b5 Mon Sep 17 00:00:00 2001
From: Joel Thompson
Date: Fri, 26 Oct 2018 09:18:04 -0400
Subject: [PATCH] Update awskms seal docs (#5618)

The seal already supported an endpoint configuration, but it wasn't documented, so adding the docs for it. Also adding a note on required KMS permissions.
---
 .../docs/configuration/seal/awskms.html.md | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/website/source/docs/configuration/seal/awskms.html.md b/website/source/docs/configuration/seal/awskms.html.md
index d22b087ed72e..bfaec2b0dd5e 100644
--- a/website/source/docs/configuration/seal/awskms.html.md
+++ b/website/source/docs/configuration/seal/awskms.html.md
@@ -31,6 +31,7 @@ seal "awskms" {
 access_key = "AKIAIOSFODNN7EXAMPLE"
 secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 kms_key_id = "19ec80b0-dfdd-4d97-8164-c6examplekey"
+ endpoint = "https://vpce-0e1bb1852241f8cc6-pzi0do8n.kms.us-east-1.vpce.amazonaws.com"
 }
 ```
 
@@ -55,6 +56,12 @@ These parameters apply to the `seal` stanza in the Vault configuration file:
 and decryption. May also be specified by the `VAULT_AWSKMS_SEAL_KEY_ID`
 environment variable.
 
+- `endpoint` `(string: "")`: The KMS API endpoint to be used to make AWS KMS
+ requests. May also be specified by the `AWS_KMS_ENDPOINT` environment
+ variable. This is useful, for example, when connecting to KMS over a [VPC
+ Endpoint](https://docs.aws.amazon.com/kms/latest/developerguide/kms-vpc-endpoint.html).
+ If not set, Vault will use the default API endpoint for your region.
+
 ## Authentication
 
 Authentication-related values must be provided, either as environment
@@ -77,6 +84,15 @@ credentials, environment credentials, shared file credentials, or IAM role/ECS
 task credentials in that order, if the above AWS specific values are not provided.
 
+Vault needs the following permissions on the KMS key:
+
+* `kms:Encrypt`
+* `kms:Decrypt`
+* `kms:DescribeKey`
+
+These can be granted via IAM permissions on the principal that Vault uses, on
+the KMS key policy for the KMS key, or via KMS Grants on the key.
+
 ## `awskms` Environment Variables
 
 Alternatively, the AWS KMS seal can be activated by providing the following
@@ -96,4 +112,4 @@ This seal supports rotating the master keys defined in AWS KMS
 rotation and manual rotation is supported for KMS since the key information is stored with the encrypted data. Old keys must not be disabled or deleted and are used to decrypt older data. Any new or updated data will be encrypted with the current key defined in the seal configuration
-or set to current under a key alias.
\ No newline at end of file
+or set to current under a key alias.