vault-init
The vault-init
service automates the process of initializing and unsealing HashiCorp Vault instances running on Google Cloud Platform.
After vault-init
initializes a Vault server it stores master keys and root tokens, encrypted using Google Cloud KMS, to a user defined Google Cloud Storage bucket.
Usage
The vault-init
service is designed to be run alongside a Vault server and communicate over local host.
Kubernetes
Run vault-init
in the same Pod as the Vault container. See the vault statefulset for a complete example.
Configuration
The vault-init service supports the following environment variables for configuration:
CHECK_INTERVAL
- The time in seconds between Vault health checks. (300)
GCS_BUCKET_NAME
- The Google Cloud Storage Bucket where the vault master key and root token is stored.
KMS_KEY_ID
- The Google Cloud KMS key ID used to encrypt and decrypt the vault master key and root token.
Example Values
CHECK_INTERVAL="300"
GCS_BUCKET_NAME="vault-storage"
KMS_KEY_ID="projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/key"
IAM & Permissions
The vault-init
service uses the official Google Cloud Golang SDK. This means
it supports the common ways of providing credentials to GCP.
To use this service, the service account must have the following minimum
scope(s):
https://www.googleapis.com/auth/cloudkms
https://www.googleapis.com/auth/devstorage.read_write
Additionally, the service account must have the following minimum role(s):
roles/cloudkms.cryptoKeyEncrypterDecrypter
roles/storage.objectAdmin OR roles/storage.legacyBucketWriter
For more information on service accounts, please see the
Google Cloud Service Accounts documentation.