docs update gcp kms vault native authentication #438

Merged
merged 5 commits into from
Aug 18, 2023
23 changes: 18 additions & 5 deletions docs/gcp_kms.md
Expand Up @@ -54,20 +54,33 @@ The key-ring name and location are required in the signatory configuration.

## **Application Access:**

The below steps are for providing signatory with the permissions to access the google cloud account Key Management.
Providing Signatory with the permissions to access GCP KMS will differ depending on whether or not Signatory is running inside or outside of GCP.
One thing that each method has in common is creation of the IAM Service Account:

* Select `IAM & ADMIN` from the menu and select `Service accounts`. Create a new service account or use an existing one with all the above permissions (Get, Sign & Import) granted.
* Select the created/existing service account and within that create a new key and a prompt to download the application credentials will appear, select the JSON format.
* The downloaded JSON file is needed in signatory config or can be assigned to the below environment variable.

## **Environment variables**
### **Authenticating with the Service Account from outside GCP:**

`cloudkms` backend accepts GCP's standard `GOOGLE_APPLICATION_CREDENTIALS` environment variable
* Select the created/existing service account and within that create a new key and a prompt to download the application credentials will appear, select the JSON format.
* The downloaded JSON file is needed in signatory config or can be assigned to the below environment variable.

```sh
export GOOGLE_APPLICATION_CREDENTIALS="signatory-testing-a7sdfew625aecb.json"
```

### **Authenticating with the Service Account from GCP VM:**

Do not download the service account credentials and place them on Signatory's file system, and do not use `GOOGLE_APPLICATION_CREDENTIALS` env var. Instead, edit the VM specifications for `Identity and API access` such that it selects the IAM Service Account.

### **Authenticating with the Service Account from GKE pod:**

Do not download the service account credentials and place them on Signatory's file system, and do not use `GOOGLE_APPLICATION_CREDENTIALS` env var. Best practice is to [use Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) In short:

* enable Workload Identity on the cluster
* create a kubernetes Service Account and bind it to the IAM Service Account
* annotate the kubernetes Service Account with the email address of the IAM Service Account
* update the pod spec to include the `serviceAccountName` field, this is the name of the kubernetes Service Account

## **Getting a PKH**

```sh
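Review bot: the VM paragraph under `### **Authenticating with the Service Account from GCP VM:**` tells the reader to pick the IAM Service Account under `Identity and API access` but says nothing about the access scopes chosen on that same screen; a VM left on the default scopes cannot call Cloud KMS even when the attached service account holds the right roles, so add a sentence that the instance needs the `cloud-platform` (or Cloud KMS) scope and that the instance must be stopped to change it. In the GKE list, `create a kubernetes Service Account and bind it to the IAM Service Account` should name the binding, a `roles/iam.workloadIdentityUser` grant on the IAM Service Account for the member `PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME]`, the annotate bullet should give the key `iam.gke.io/gcp-service-account`, and the list omits that Workload Identity has to be enabled on the node pool as well as the cluster. Least-privilege point on the context bullet `Create a new service account or use an existing one with all the above permissions (Get, Sign & Import) granted.`: the identity Signatory runs as never imports keys, so suggest a separate identity for import and only the Get and Sign permissions on the runtime account. Wording: in `whether or not Signatory is running inside or outside of GCP` drop `or not`, and the Workload Identity line is missing a full stop before `In short:`.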