Create Custom KMS encryption keys on GCP - RedHatInsights/uhc-portal GitHub Wiki

Goals

Create custom KMS encryption keys on GCP for use when configuring OSD GCP CCS clusters during installation (Wizard step: Cluster settings > Details: Additional encryption).

Steps

  1. Download and install the gcloud tool.
  2. Run the command to log in:
     $ gcloud auth login
  3. Select your account and confirm the login message in the browser.
  4. Run the command to set your project:
     $ gcloud config set project <PROJECT_ID>
  5. Go to the GCP web console and open Security > Key management.
  6. Create a key ring. For example, use the key ring name keyring-name and select the key ring location global.
  7. Create a key with a valid name, for example key-name.
  8. Go to the GCP web console and open IAM > Service accounts.
  9. Create a service account with the configuration below:
     1. Service account name: provide a valid name.
     2. Service account ID: provide a valid ID.
     3. Click "Create" and continue.
  10. Assign the roles below to the service account you created:
     1. Cloud KMS CryptoKey Encrypter/Decrypter
     2. Compute Admin
     3. DNS Administrator
     4. Service Account Admin
     5. Security Admin
     6. Service Account Key Admin
     7. Service Account User
     8. Storage Admin
  11. Run the command below on your local machine to bind the service account to the key (this grants roles/cloudkms.cryptoKeyEncrypterDecrypter on <KEYNAME>):

     $ gcloud kms keys add-iam-policy-binding <KEYNAME> --keyring <KEYRING NAME> --location global --member serviceAccount:<KEYRINGSA>@<GCP PROJECTID>.iam.gserviceaccount.com --role roles/cloudkms.cryptoKeyEncrypterDecrypter

  12. Run the same command for the service account you used for cluster creation (osd-ccs-admin):

     $ gcloud kms keys add-iam-policy-binding <KEYNAME> --keyring <KEYRING NAME> --location global --member serviceAccount:osd-ccs-admin@<GCP PROJECT ID>.iam.gserviceaccount.com --role roles/cloudkms.cryptoKeyEncrypterDecrypter

  13. Run the command below to get the GCP project number (shown as projectNumber in the output):

     $ gcloud projects describe <GCP PROJECT ID>

  14. Run the command below to add the default Compute Engine service agent to the key, using the project number from the previous step:

     $ gcloud kms keys add-iam-policy-binding <KEYNAME> --keyring <KEYRING NAME> --location global --member serviceAccount:service-<PROJECT NUMBER>@compute-system.iam.gserviceaccount.com --role roles/cloudkms.cryptoKeyEncrypterDecrypter
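The three policy bindings above differ only in the member string, and the last one depends on the numeric project number rather than the project ID. The script below is an added example, not part of the uhc-portal wiki or the project's own tooling: it wraps the bindings in one function so the member strings are built the same way every time, checks that the project number is actually numeric before the compute-system service agent is derived from it, and offers a DRY_RUN=1 mode that prints the gcloud commands for review instead of executing them. The values my-project, keyring-name, key-name and keyring-sa are placeholders you replace with your own.

```shell
#!/bin/sh
# Added example (not from the uhc-portal wiki): grant the three identities
# from the steps above roles/cloudkms.cryptoKeyEncrypterDecrypter on one key.
# Placeholders: PROJECT_ID, PROJECT_NUMBER, KEYRING_NAME, KEY_NAME, KEYRING_SA.
set -eu

# Build a "serviceAccount:<local-part>@<domain>" member string.
kms_member() {
  printf 'serviceAccount:%s@%s' "$1" "$2"
}

# A GCP project number is digits only; the compute-system service agent name
# (service-<PROJECT NUMBER>@compute-system.iam.gserviceaccount.com) needs it.
is_project_number() {
  case $1 in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Run (or, with DRY_RUN=1, print) one add-iam-policy-binding command.
# Usage: bind_kms_key <key> <keyring> <member>
bind_kms_key() {
  set -- gcloud kms keys add-iam-policy-binding "$1" \
    --keyring "$2" --location global \
    --member "$3" \
    --role roles/cloudkms.cryptoKeyEncrypterDecrypter
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Bind the keyring SA, the osd-ccs-admin SA used for cluster creation, and the
# Compute Engine service agent, matching steps 11, 12 and 14 on this page.
# Usage: grant_osd_key_access <project-id> <project-number> <keyring> <key> <keyring-sa>
grant_osd_key_access() {
  project_id=$1; project_number=$2; keyring=$3; key=$4; keyring_sa=$5
  if ! is_project_number "$project_number"; then
    echo "project number must be numeric, got: $project_number" >&2
    return 1
  fi
  bind_kms_key "$key" "$keyring" \
    "$(kms_member "$keyring_sa" "$project_id.iam.gserviceaccount.com")"
  bind_kms_key "$key" "$keyring" \
    "$(kms_member osd-ccs-admin "$project_id.iam.gserviceaccount.com")"
  bind_kms_key "$key" "$keyring" \
    "$(kms_member "service-$project_number" compute-system.iam.gserviceaccount.com)"
}

# Example invocation with placeholder values. The describe call fetches only
# the projectNumber field; DRY_RUN=1 prints the three commands without running them.
#   PROJECT_NUMBER=$(gcloud projects describe my-project --format='value(projectNumber)')
#   DRY_RUN=1 grant_osd_key_access my-project "$PROJECT_NUMBER" keyring-name key-name keyring-sa
```

Run it once with DRY_RUN=1 and compare the printed members against the service accounts you intend to grant; the Encrypter/Decrypter role lets a principal use the key for all data the cluster protects with it, so an extra or mistyped member is worth catching before the binding is applied.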
