vm broker ‐ kes ‐ gcp - allanrogerr/public GitHub Wiki
Log in to the GCP console (https://console.cloud.google.com/). Create a new project or select an existing one.
Navigate to Security > Data Protection > Secret Manager (https://console.cloud.google.com/security/secret-manager) and enable the Secret Manager API if it is not already enabled.
Navigate to IAM & Admin > Service Accounts (https://console.cloud.google.com/iam-admin/serviceaccounts).
Create a service account for KES: click Create and Continue, then Done.
Create a new role for KES named KES Minio Client Role: navigate to IAM & Admin > Roles, click Create Role, set the role launch stage to "General Availability", add the following permissions, and click Create.
secretmanager.secrets.create
secretmanager.secrets.delete
secretmanager.secrets.get
secretmanager.secrets.list
secretmanager.versions.add
secretmanager.versions.access
Navigate to IAM > Grant Access. Add the kes* principal (the service account created above) and assign it the KES Minio Client Role.
Create a key for the service account: navigate to IAM & Admin > Service Accounts, select the kes service account, open the Keys tab, click Add Key > Create Key, choose JSON, and click Create. Keep the downloaded JSON file; its fields are copied into the KES keystore configuration below.
On kes-server:
```sh
ssh -p 20070 [email protected] -o "ServerAliveInterval=5" -o "ServerAliveCountMax=100000" -o "StrictHostKeyChecking=off"
```
In the KES config file config_gcp.yml, modify the keystore section so that it points at GCP Secret Manager, using the values from the downloaded service-account JSON file:
```yaml
address: 0.0.0.0:9073 # Listen on all network interfaces on port 9073
admin:
  identity: disabled
tls:
  key: private.key # The KES server TLS private key
  cert: public.crt # The KES server TLS certificate
policy:
  minio:
    allow:
      - /v1/key/create/minio-key*
      - /v1/key/generate/minio-key*
      - /v1/key/decrypt/minio-key*
      - /v1/key/list/*
      - /v1/key/delete/*
    identities:
      - 83dbfcdba05cb3256eae72f5217ac4cbc6cf866f7a80927c1981901af6d9882c # Use the identity of your client.crt
keystore:
  gcp:
    secretmanager:
      project_id: "sacred-bonus-392302" # Use your GCP project ID. See the main GCP Dashboard for "Project ID"
      credentials:
        client_email: "[email protected]" # Use the client email from your GCP credentials file
        client_id: "116261135046198318378" # Use the client ID from your GCP credentials file
        private_key_id: "150c54e637cbaf747b541df717f4d96c950c6af7" # Use the private key ID from your GCP credentials file
        private_key: "-----BEGIN PRIVATE KEY-----\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC0ns56zKvW929x\nlFmv4Q0xAscTy40qtqi0iugwcov0peRfQtXf8micK6XH+TNSnP4WbiyfhabOF6dU\nId57cyAZzF0k7tqHyGoKM47madidgr+18pb07e2IciruuEOXZZHDeNco3cYPM9sC\nOWfUD3otJJrcS2vLj8wEOMBodHPkWIDiFhhI7PQkEE4Z0WnMfVYSNh3aY9CjomXX\nMYX8mhcXg0SIorix2tcirFKi+CUMl3eU7eXm0VQ5WrdFunfDYkwBpoG7kZLP66DS\noWYTxljJsJ2HXFEKEBLusmUWs8g0PW34yMWKeomj3kd4DMgYzIwQFNtf+LHue84D\nirnhHbrNAgMBAAECggEAPYjjEJwdKTIIUjo36f8yxtFK8JgHApfTVxsB6suDmfhQ\nmxHCmrbT4+zM4JmqXgllWU/0vO5EO298juGxEf7RX2isDRKg+eSSF+Kj2yURauwq\nEztQKabLp5I5xTWatYAhjmZjayVPPkus4A+dq3YQakPPzKCXW3UkjQWmq4+NEixw\nL6V+8rDPSrITlMu3ngUKwEwBN50/OkWUusCUzbMPw/P0j1fIggOAZluu73HNIZxY\nGC1oWRTy5QCeDLriqgJ90KGNJKn5G7Hib8xfIcJEqTtP6csx3ID0FOeg4J+pJvoN\nr733WI9YxrIN5oLxZJ1KBbTfqeW2cy6XHBTOqATSEwKBgQDfe3/gegLeHerhjPPJ\nZpyx0DWQhoADm4VViKVjmxo8dGeJSq3f99Hs/gpid5QzAsnzC6Usg3cmljLisUDO\n8CUJ7jc8juSGedn/EXxXB6gJ5f5QTlNdQylJoXNzqbDThjxJw1hIjtQmjr9yagAk\nIZV7/XHTJEN61O91+Vpn9D9S0wKBgQDO5ryTSnFUZbJriXllAj0pLPK/SbzGBqRz\nUJ0HQWz82Ecj7Q5vGIAeWosSfZRV42A4AKors3iV5TQZGztsysOtk6U69MSZ73la\nyRkxTif4CupH+1THXMQM0awNkMFf6TGVAq3YhlM9Y3qV053HqF6GrfmfWoGQaD4R\n8UB48en33wKBgCuZup8e7sRK7fJHP6DBZjzCtFCYDQ2nH+JKIIpITlwREcoVScry\nXIByJ7CCR+WT27aRRQ5kL7DViOP1VQGKlI9VbG1iK2+ZAlDjJnEMS1pzBqTAQz9k\nxP9agl3Ec30xKT3y4Jx3USicnPlDePeTnchs7/ITlx61wGox1dOGMXyFAoGAa8o7\nzkSHPF/rDylE7EG5WV1Ibi3dQhGt1UHXPTNxs1x925Kh5XEPNkEXmR+Biyl1NFfs\nT+4lUXpipP3R/MC6JxD3kPp5/nSLdae1D0HXgts06SFgLqj+nmsRxtN2WyBjK22E\n4nxAm4fbEnl4Bs+Jx4KVvNZrD6+vPqvAWgI2UWMCgYATgnlZsfaJXZeRliQgGmI9\nBOqxt0NfRGPJj/ETwooMm9qdUJQQWFmu7q85inRyJfj0oj/noWaU5w7ehtt++Iqh\nkWpFLCjoEKZh3M0u2q+eWxpMLKXXQaPutIErQs00qRTqGJ0hBXa6RoNEQJVvsM9F\nNMl6rxuN4fbcWjjb2UOV8Q==\n-----END PRIVATE KEY-----\n" # Use the private key from your GCP credentials file
```
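The keystore block above is filled in by hand from the downloaded service-account JSON file. The following Python script is added here as a worked example; it is not part of this wiki or of the KES project. It loads a constructed sample key file (placeholder values, but the same field names GCP writes: `type`, `project_id`, `private_key_id`, `private_key`, `client_email`, `client_id`), checks that every field the keystore section needs is present and that the key is a PEM block, and emits the keystore fragment with the private key as a JSON-quoted string, which is valid YAML and matches the single-line `"-----BEGIN PRIVATE KEY-----\n..."` form used above. It also checks the two other hand-entered values on this page: that a custom role carries all six Secret Manager permissions listed earlier, and that a client identity is a 64-character lowercase hex string as KES expects.

```python
import json
import re
import sys

# Constructed sample of a GCP service-account key file. These are NOT real
# credentials: the field names are those GCP writes, the values are placeholders.
SAMPLE_CREDENTIALS_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project-id",
    "private_key_id": "0000000000000000000000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\n"
                   "PLACEHOLDER_BASE64_LINE_1\n"
                   "PLACEHOLDER_BASE64_LINE_2\n"
                   "-----END PRIVATE KEY-----\n",
    "client_email": "kes-sa@example-project-id.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
})

# Fields the keystore.gcp.secretmanager section above is filled from.
REQUIRED_FIELDS = ("project_id", "private_key_id", "private_key",
                   "client_email", "client_id")

# Permissions the wiki grants to the custom "KES Minio Client Role".
KES_ROLE_PERMISSIONS = frozenset({
    "secretmanager.secrets.create",
    "secretmanager.secrets.delete",
    "secretmanager.secrets.get",
    "secretmanager.secrets.list",
    "secretmanager.versions.add",
    "secretmanager.versions.access",
})

# A KES identity is the hex SHA-256 of the client certificate's public key:
# 64 lowercase hex characters, as in the policy.minio.identities entry above.
IDENTITY_RE = re.compile(r"[0-9a-f]{64}")


def load_credentials(text):
    """Parse a service-account key file and refuse anything KES cannot use."""
    creds = json.loads(text)
    if creds.get("type") != "service_account":
        raise ValueError("not a service-account key file (type != service_account)")
    missing = [f for f in REQUIRED_FIELDS if not creds.get(f)]
    if missing:
        raise ValueError(f"credentials file is missing fields: {missing}")
    key = creds["private_key"]
    if not (key.startswith("-----BEGIN PRIVATE KEY-----\n")
            and key.rstrip("\n").endswith("-----END PRIVATE KEY-----")):
        raise ValueError("private_key is not a PEM PKCS#8 PRIVATE KEY block")
    return creds


def keystore_block(creds, indent=2):
    """Render the keystore section of config_gcp.yml from a parsed key file.

    json.dumps() is used for every scalar: a JSON string is a valid YAML
    double-quoted scalar, and it turns the key's newlines into literal \\n,
    giving the same one-line private_key form the wiki shows.
    """
    i = " " * indent
    q = json.dumps
    lines = [
        "keystore:",
        f"{i}gcp:",
        f"{i * 2}secretmanager:",
        f"{i * 3}project_id: {q(creds['project_id'])}",
        f"{i * 3}credentials:",
        f"{i * 4}client_email: {q(creds['client_email'])}",
        f"{i * 4}client_id: {q(creds['client_id'])}",
        f"{i * 4}private_key_id: {q(creds['private_key_id'])}",
        f"{i * 4}private_key: {q(creds['private_key'])}",
    ]
    return "\n".join(lines) + "\n"


def missing_permissions(granted):
    """Permissions from the wiki's role that a custom role does not carry."""
    return sorted(KES_ROLE_PERMISSIONS - set(granted))


def is_valid_identity(identity):
    """True if the string has the shape of a KES identity (64 lowercase hex)."""
    return IDENTITY_RE.fullmatch(identity) is not None


if __name__ == "__main__":
    # Usage: python3 kes_gcp_keystore.py [path/to/service-account.json]
    # Without a path the constructed sample above is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CREDENTIALS_JSON
    sys.stdout.write(keystore_block(load_credentials(text)))
```

Because the rendered fragment carries the service-account private key in clear text, config_gcp.yml should be readable only by the KES user on kes-server, and the key should be rotated (delete it under the service account's Keys tab and create a new one) if the file is ever copied elsewhere.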