The GCP Key Management Service plugin requires:
- GCP Project: Active Google Cloud project with Cloud KMS API enabled
- Service Account: Service account with appropriate KMS permissions
- IAM Permissions: The service account needs the following permissions:
  - cloudkms.keyRings.list
  - cloudkms.cryptoKeys.list
  - cloudkms.cryptoKeyVersions.list
  - cloudkms.cryptoKeyVersions.get
  - cloudkms.cryptoKeyVersions.getPublicKey
Service Account Setup
Create a Service Account:

    gcloud iam service-accounts create kms-discovery \
        --description="Service account for KMS key discovery" \
        --display-name="KMS Discovery"

Grant KMS Permissions:

    gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
        --member="serviceAccount:kms-discovery@YOUR_PROJECT_ID.iam.gserviceaccount.com" \
        --role="roles/cloudkms.viewer"

Generate Service Account Key:

    gcloud iam service-accounts keys create kms-discovery-key.json \
        --iam-account=kms-discovery@YOUR_PROJECT_ID.iam.gserviceaccount.com
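
As an added example (not part of the plugin or its documentation), this Python script audits the output of `gcloud projects get-iam-policy YOUR_PROJECT_ID --format=json` to confirm that the kms-discovery account holds only roles/cloudkms.viewer. The policy shown is constructed sample data, the function names are hypothetical, and only direct project-level bindings are examined (not roles inherited from groups, folders or the organization).

```python
import json

# Role granted by the setup steps on this page.
EXPECTED_ROLE = "roles/cloudkms.viewer"

# Constructed sample of `gcloud projects get-iam-policy YOUR_PROJECT_ID --format=json`
# output; the roles/editor binding is added here to produce a finding.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/cloudkms.viewer",
     "members": ["serviceAccount:kms-discovery@YOUR_PROJECT_ID.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["user:admin@example.com",
                 "serviceAccount:kms-discovery@YOUR_PROJECT_ID.iam.gserviceaccount.com"]},
    {"role": "roles/cloudkms.admin",
     "members": ["user:admin@example.com"]}
  ],
  "version": 1
}
""")


def roles_for_member(policy, member):
    """Return the sorted project-level roles bound directly to `member`."""
    return sorted(
        b["role"] for b in policy.get("bindings", [])
        if member in b.get("members", [])
    )


def audit_member(policy, member, expected_role=EXPECTED_ROLE):
    """Compare the member's roles with the single role the setup grants."""
    held = roles_for_member(policy, member)
    return {
        "held": held,
        "missing_expected": expected_role not in held,
        "unexpected": [r for r in held if r != expected_role],
    }


if __name__ == "__main__":
    sa = "serviceAccount:kms-discovery@YOUR_PROJECT_ID.iam.gserviceaccount.com"
    result = audit_member(SAMPLE_POLICY, sa)
    print(json.dumps(result, indent=2))
    # Non-zero exit lets a CI job fail when the account is over- or under-privileged.
    if result["missing_expected"] or result["unexpected"]:
        raise SystemExit(1)
```

To audit a real project, replace `SAMPLE_POLICY` with the parsed JSON from the `gcloud` command named above.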