Google Cloud KMS Integration
The Comet backend application can store encrypted API keys in an S3/GCS bucket so that users can automate API key retrieval.
- The backend application stores the encrypted keys in the same bucket as the application.
- Each file is named in this format: {user-name}-token.encrypted
- You will need to create a GCP service account with the Cloud KMS CryptoKey Encrypter/Decrypter permission.
- Create a KMS key ring with a symmetric encrypt/decrypt key.
- With the service account key JSON file, create the Kubernetes secret like this:
  kubectl create secret generic kms-svs-account.json --from-file=kms-svsaccount.json=kms-svs-account.json
- Files with keys are created whenever the backend generates a new API key, or on demand by calling /api/kms/update-tokens-for-all-users
In your values.yaml you can set:
backend:
  # Service account key with KMS encrypt/decrypt permissions
  serviceAccountSecretName: "kms-svs-account.json"
  gcpServiceAccountFileEnabled: yes
  gcpEnableKms: yes
  gcloudKmsCryptoKey: "key-name"
  gcloudKmsKeyRing: "test-ring"
  # Project where the KMS keys live
  gcloudProject: "onprem-test-214916"
- And this is a snippet showing how to integrate with the SDK:
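The user-side retrieval flow described above, as an added example (not the project's own snippet): download {user-name}-token.encrypted from the bucket and decrypt it with the KMS key configured in values.yaml. The KMS key location ("global"), the environment variable names, the bucket name and the user-name validation are assumptions; the GCS and KMS clients are injected so the flow can be exercised without the Google SDK installed.

```python
import os
from typing import Callable

ReadBlob = Callable[[str, str], bytes]   # (bucket, object name) -> ciphertext
Decrypt = Callable[[str, bytes], bytes]  # (KMS key resource name, ciphertext) -> plaintext


def token_object_name(user_name: str) -> str:
    """Object the backend writes for a user: {user-name}-token.encrypted."""
    # Assumed validation: reject empty names and names that would nest into other prefixes.
    if not user_name or "/" in user_name:
        raise ValueError("user name must be non-empty and must not contain '/'")
    return f"{user_name}-token.encrypted"


def crypto_key_name(project: str, key_ring: str, crypto_key: str, location: str = "global") -> str:
    """Full KMS resource name from the gcloudProject/gcloudKmsKeyRing/gcloudKmsCryptoKey values (location assumed)."""
    return f"projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}"


def retrieve_api_key(user_name: str, bucket: str, key_name: str,
                     read_blob: ReadBlob, decrypt: Decrypt) -> str:
    """Download the user's encrypted token and decrypt it with the symmetric KMS key."""
    ciphertext = read_blob(bucket, token_object_name(user_name))
    if not ciphertext:
        raise RuntimeError(f"no encrypted token found for user {user_name!r}")
    return decrypt(key_name, ciphertext).decode("utf-8").strip()


def gcp_clients():
    """Real GCS and KMS callables; imported lazily so the module loads without the SDK."""
    from google.cloud import kms, storage  # pip install google-cloud-kms google-cloud-storage

    gcs = storage.Client()  # credentials from GOOGLE_APPLICATION_CREDENTIALS (service account JSON)
    kms_client = kms.KeyManagementServiceClient()

    def read_blob(bucket: str, name: str) -> bytes:
        return gcs.bucket(bucket).blob(name).download_as_bytes()

    def decrypt(name: str, ciphertext: bytes) -> bytes:
        # Needs the Cloud KMS CryptoKey Encrypter/Decrypter role on this key.
        return kms_client.decrypt(request={"name": name, "ciphertext": ciphertext}).plaintext

    return read_blob, decrypt


if __name__ == "__main__":
    read_blob, decrypt = gcp_clients()
    key = crypto_key_name(os.environ["GCLOUD_PROJECT"], os.environ["KMS_KEY_RING"], os.environ["KMS_CRYPTO_KEY"])
    print(retrieve_api_key(os.environ["COMET_USER"], os.environ["COMET_BUCKET"], key, read_blob, decrypt))
```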
Note
Service Accounts do not work with this GCP KMS integration in the current backend version.
Jul. 9, 2024