
Option to use AWS KMS to store VSecM safe master key (instead of a kubernetes secret)

Open v0lkan opened this issue 2 years ago • 2 comments

AEGIS_CRYPTO_KEY_STORE = [k8s, kms, vault, none]
AEGIS_CRYPTO_KEY_AUTH_METHOD = 'iam'

If the key store is kms and the auth method is IAM, then assume that you have access to what you need and use KMS as a backing store for the root key.

Note that this is only for the root key.

When set up like this, if a key exists in KMS, Aegis will use it during bootstrap (if it is set up to automatically bootstrap); otherwise it will generate one and store it in KMS (to be used next time).

If it is set up to bootstrap manually using AEGIS_MANUAL_KEY_INPUT, then it won't read from KMS and will expect the operator to set up the key manually instead.

v0lkan avatar Aug 05 '23 00:08 v0lkan
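The bootstrap decision table sketched in the issue (manual input bypasses the store; kms requires IAM auth; reuse an existing key, otherwise generate and persist one) as a small Go model. This is an added example, not code from the VSecM/Aegis repository: the `RootKeyBackend` interface, the in-memory `memBackend` standing in for KMS, the 32-byte key size and the ephemeral handling of the `none` store are all assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// KeyStore mirrors the AEGIS_CRYPTO_KEY_STORE values listed in the issue.
type KeyStore string

const (
	StoreK8s   KeyStore = "k8s"
	StoreKMS   KeyStore = "kms"
	StoreVault KeyStore = "vault"
	StoreNone  KeyStore = "none"
)

// RootKeyBackend is the minimal contract a backing store needs for the
// load-or-generate flow (assumed interface, not the project's own).
type RootKeyBackend interface {
	Load() (key []byte, found bool, err error)
	Save(key []byte) error
}

// memBackend is a constructed stand-in for KMS (or a Kubernetes Secret) so the
// example runs offline. Reads counts Load calls, which lets a caller verify
// that the manual path never touches the store.
type memBackend struct {
	key   []byte
	Reads int
}

func (m *memBackend) Load() ([]byte, bool, error) {
	m.Reads++
	if m.key == nil {
		return nil, false, nil
	}
	return append([]byte(nil), m.key...), true, nil
}

func (m *memBackend) Save(key []byte) error {
	m.key = append([]byte(nil), key...)
	return nil
}

// BootstrapConfig carries the env-derived settings the issue mentions.
type BootstrapConfig struct {
	Store       KeyStore
	AuthMethod  string // the issue requires "iam" for the kms store
	Manual      bool   // AEGIS_MANUAL_KEY_INPUT set
	OperatorKey []byte // key supplied out of band when Manual is true
}

var (
	ErrNoKMSAuth        = errors.New("kms key store requires auth method 'iam'")
	ErrManualKeyMissing = errors.New("manual key input enabled but no key supplied")
)

// newRootKey generates a fresh 32-byte root key (size is an assumption).
func newRootKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// BootstrapRootKey resolves the root key according to the issue's rules.
func BootstrapRootKey(cfg BootstrapConfig, backend RootKeyBackend) ([]byte, error) {
	// Manual bootstrap: the operator supplies the key; the store is not read.
	if cfg.Manual {
		if len(cfg.OperatorKey) == 0 {
			return nil, ErrManualKeyMissing
		}
		return append([]byte(nil), cfg.OperatorKey...), nil
	}
	switch cfg.Store {
	case StoreKMS:
		if cfg.AuthMethod != "iam" {
			return nil, ErrNoKMSAuth
		}
	case StoreK8s, StoreVault:
		// Same load-or-generate flow; only the backend differs.
	case StoreNone:
		return newRootKey() // assumption: no store means an in-memory key only
	default:
		return nil, fmt.Errorf("unknown key store %q", cfg.Store)
	}
	if backend == nil {
		return nil, fmt.Errorf("key store %q needs a backend", cfg.Store)
	}
	key, found, err := backend.Load()
	if err != nil {
		return nil, fmt.Errorf("load root key: %w", err)
	}
	if found {
		return key, nil // reuse the key stored by a previous bootstrap
	}
	if key, err = newRootKey(); err != nil {
		return nil, err
	}
	if err := backend.Save(key); err != nil {
		return nil, fmt.Errorf("persist root key: %w", err)
	}
	return key, nil
}

func main() {
	kms := &memBackend{}
	cfg := BootstrapConfig{Store: StoreKMS, AuthMethod: "iam"}
	first, err := BootstrapRootKey(cfg, kms)
	if err != nil {
		panic(err)
	}
	second, err := BootstrapRootKey(cfg, kms)
	if err != nil {
		panic(err)
	}
	fmt.Println("generated:", hex.EncodeToString(first))
	fmt.Println("reloaded: ", hex.EncodeToString(second))
	fmt.Println("backend reads:", kms.Reads)
}
```

A real KMS-backed implementation of `RootKeyBackend` would have to decide what "storing the key in KMS" means in practice (AWS KMS manages key material rather than holding arbitrary blobs), which is exactly the detail the thread leaves open.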

@v0lkan Could you assign that issue to me?

gurkanguray avatar Feb 26 '24 02:02 gurkanguray

Assigned; I'll add some details to this.

v0lkan avatar Feb 26 '24 04:02 v0lkan