GCP Requirements for BYOK
To use GCP with BYOK, you must create a new unique service account user in your GCP account. Service account creation is on the Service Account page (IAM & Admin > Service Account).

- Do not use an existing user account or existing access key. Create the service account with the permissions listed in GCP BYOK Service Account Requirements.
- Create an access key by logging in to GCP using the service account.
- Do not use the access key more than one time.
- Do not delete any access keys from the service account.
- Do not attach the same GCP account to multiple Cryptographic Security Platform Vault clusters.
- Do not share the GCP BYOK service account.
You must also be aware of the following endpoint requirements:

- If your organization restricts outbound access to the public internet, the following endpoints must be whitelisted for GCP BYOK to function correctly:
  - https://www.googleapis.com/auth/cloud-platform
  - https://oauth2.googleapis.com
  - https://cloudresourcemanager.googleapis.com
  - https://iam.googleapis.com
  - https://cloudkms.googleapis.com
  - https://accounts.google.com
- If a proxy is in use in the network, these endpoints can be tested in the Cryptographic Security Platform Vault Appliance Management application on the Settings > Proxy Settings page.
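The following script is an added example and is not part of the product documentation or the appliance's own proxy test. It lets an administrator confirm, from a host on the same network segment as the appliance, that the egress allowlist and proxy actually permit TLS connections to the endpoints listed above. The endpoint list is copied from this page; the use of the `HTTPS_PROXY` environment variable, the 5 and 10 second timeouts, and the script filename in the usage comment are assumptions. Because the first entry in the list carries a path, the script reduces every entry to its hostname before probing, since a network allowlist matches hosts rather than URLs.

```shell
#!/bin/sh
# Added example (not part of the product documentation): check that the GCP
# endpoints required for BYOK are reachable, optionally through the same proxy
# the appliance is configured to use. Endpoint list taken from the page;
# proxy variable name and timeouts are assumptions.

GCP_BYOK_ENDPOINTS="
https://www.googleapis.com/auth/cloud-platform
https://oauth2.googleapis.com
https://cloudresourcemanager.googleapis.com
https://iam.googleapis.com
https://cloudkms.googleapis.com
https://accounts.google.com
"

# Reduce a URL to the hostname an egress allowlist must permit
# (e.g. https://www.googleapis.com/auth/cloud-platform -> www.googleapis.com).
endpoint_host() {
    printf '%s\n' "$1" | sed -e 's|^[a-zA-Z]*://||' -e 's|[/:].*$||'
}

# Return 0 if a TLS connection to host:443 completes within the timeout.
# Any HTTP status counts as success because curl is run without --fail: a
# completed handshake is enough to prove egress. Exit code 7 (connect failed),
# 28 (timeout) or 35 (TLS handshake failed) indicates the allowlist or proxy
# is blocking the endpoint.
probe_endpoint() {
    host=$(endpoint_host "$1")
    curl --silent --output /dev/null \
         ${HTTPS_PROXY:+--proxy "$HTTPS_PROXY"} \
         --connect-timeout 5 --max-time 10 \
         "https://$host/" >/dev/null 2>&1
}

# Probe every endpoint, print a per-host verdict, and return non-zero if any
# endpoint could not be reached.
check_endpoints() {
    failed=0
    for url in $GCP_BYOK_ENDPOINTS; do
        if probe_endpoint "$url"; then
            printf 'OK       %s\n' "$(endpoint_host "$url")"
        else
            printf 'BLOCKED  %s\n' "$(endpoint_host "$url")"
            failed=1
        fi
    done
    return $failed
}

# Only run the network probes when invoked with --check, for example:
#   HTTPS_PROXY=http://proxy.example.internal:3128 sh gcp_byok_egress.sh --check
if [ "${1:-}" = "--check" ]; then
    check_endpoints
fi
```

Run it with `--check` from a host that shares the appliance's outbound path; a `BLOCKED` line names the host to add to the allowlist or proxy rules. The script only proves that a TLS session can be opened, not that the service account credentials are valid, so it complements rather than replaces the Settings > Proxy Settings test in the appliance.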
