Prerequisites for using KeyControl as a GCP EKM Provider
Before you can use KeyControl as a GCP EKM provider, you must set up the following parameters in the CSP Account details page.
- External Key Manager (EKM URI)
- Key Access Justification Policy (optional)
- EKM Access Control List (optional)
External Key Manager (EKM URI)
The EKM URI is the URI that GCP uses to reach the keys held in KeyControl. If a single KeyControl is deployed, the URI points directly to that vault. However, if you deploy a KeyControl cluster with multiple nodes, we recommend placing a load balancer in front of the cluster; in that case the EKM URI points to the load balancer.
For EKM via Internet, use the following format: https://example.server.com
For EKM via VPC, use the following format: https://<hostname>
Key Access Justification Policy (optional)
We highly recommend that you create a Key Access Justification policy at the CSP and KeySet level that specifies the permitted access justification reasons. This policy applies to all keys created in the KeySet unless a policy is specified at the key level, which overrides it.
The supported justification reasons are:
- Customer initiated access
- Modified Customer initiated access
- Google initiated system operation
- Modified Google initiated system operation
- No justification reason expected
- Customer initiated support
- Google initiated service
- Third party data request
- Google initiated review
- Google response to production alert
- No justification reason specified
- Customer Authorized Workflow Servicing
- Allow missing access justification
For more information, see https://cloud.google.com/blog/products/identity-security/control-access-to-gcp-data-with-key-access-justifications.
EKM Access Control List (optional)
This policy applies to all of the keys created in the KeySet associated with this CSP account, unless a policy at the key level overrides it. Note that for GCP control plane access (also known as "coordinated keys"), only the CSP-level permissions apply.
The EKM ACL specifies the list of GCP identities and permissions that they have. The identities can be specified with their service account email, for example, apbyok2@htdc-project.iam.gserviceaccount.com.
The supported permissions are:
- wrap
- unwrap
- asymmetricSign
- getPublicKey
- checkCryptoSpacePermissions
- createKey
- destroyKey
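The following is an added example, not KeyControl's own code, that models how the Key Access Justification policy and the EKM ACL described above combine: the key-level policy overrides the CSP/KeySet-level one, a missing justification is accepted only when "Allow missing access justification" is in the policy, and coordinated keys always use the CSP-level ACL. The Policy structure and the sample policy contents are assumptions constructed for this illustration; only the service account name is taken from the page.

```python
# Added illustration of the precedence rules this page describes. It is not
# KeyControl's code; the Policy structure and all sample values are assumed.
from dataclasses import dataclass, field
from typing import Optional

# Permissions and the "allow missing" reason are the ones listed on the page.
PERMISSIONS = {"wrap", "unwrap", "asymmetricSign", "getPublicKey",
               "checkCryptoSpacePermissions", "createKey", "destroyKey"}
ALLOW_MISSING = "Allow missing access justification"

@dataclass
class Policy:
    """Permitted justification reasons plus an EKM ACL (identity -> permissions)."""
    reasons: set = field(default_factory=set)
    acl: dict = field(default_factory=dict)

def evaluate(csp: Policy, key: Optional[Policy], identity: str, permission: str,
             reason: Optional[str], coordinated: bool = False):
    """Decide one EKM request; returns (allowed, explanation).
    A key-level policy overrides the CSP/KeySet-level one, except that GCP
    control-plane access ("coordinated keys") always uses the CSP-level ACL."""
    if permission not in PERMISSIONS:
        return False, f"unknown permission {permission!r}"
    acl = csp.acl if (coordinated or key is None) else key.acl
    reasons = csp.reasons if key is None else key.reasons
    if permission not in acl.get(identity, set()):
        return False, f"{identity} is not granted {permission}"
    if reason is None:                      # request carried no justification
        if ALLOW_MISSING in reasons:
            return True, "missing justification allowed by policy"
        return False, "justification missing"
    if reason not in reasons:
        return False, f"justification {reason!r} not permitted"
    return True, "allowed"

# Constructed sample policies (service account is the page's own example).
SAMPLE_SA = "apbyok2@htdc-project.iam.gserviceaccount.com"
CSP_POLICY = Policy(reasons={"Customer initiated access",
                             "Google initiated system operation"},
                    acl={SAMPLE_SA: {"wrap", "unwrap", "getPublicKey"}})
# Key-level override: narrower ACL, but tolerates a missing justification.
KEY_POLICY = Policy(reasons={"Customer initiated access", ALLOW_MISSING},
                    acl={SAMPLE_SA: {"unwrap"}})
```

Calling `evaluate(CSP_POLICY, KEY_POLICY, SAMPLE_SA, "wrap", "Customer initiated access", coordinated=True)` is allowed because the CSP-level ACL grants wrap, while the same request without `coordinated=True` is denied by the narrower key-level ACL.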