配置
本页面提供有关 KES 客户端和 KES 服务器的配置选项信息。
KES Client
作为基本标准配置,KES客户端需要知道
- KES服务器端点
- KES客户端自身的客户端证书
- 客户端证书对应的私钥
您可以通过不同方式提供这些值,例如通过命令行环境变量或通过软件开发工具包。
命令行
在命令行中,使用以下环境变量来定义三个基本设置。
- KES 服务器端点:
export KES_SERVER=https://127.0.0.1:7373 - 客户端 X.509 证书:
export KES_CLIENT_CERT=$HOME/root.cert - 与证书中嵌入的公钥对应的私钥:
export KES_CLIENT_KEY=$HOME/root.key
SDK
使用 SDK 时,需要提供服务器端点并获取客户端的私钥和证书:
package main
import (
"crypto/tls"
"log"
"github.com/minio/kes"
)
func main() {
const (
endpoint = "https://127.0.0.1:7373"
certFile = "./root.cert"
keyFile = "./root.key"
)
certificate, err := tls.LoadX509KeyPair(certFile, keyFile)
if err != nil {
log.Fatalln(err)
}
client := kes.NewClient(endpoint, certificate)
// now use the client to perform operations...
_ = client
}
KES Server
KES服务器需要四条信息作为基础配置:
- TCP地址(即IP地址和端口)用于监听传入请求
- X.509 证书
- 对应的私钥
- 根身份。
您可以通过命令行(CLI)标志或配置文件来指定这些参数。 如果在命令行和配置文件中同时设置了某个参数,命令行设置将优先生效。
如果您未指定 TCP 地址,KES 服务器将在端口上监听所有可用的网络接口7373.
以下命令启动一个 KES 服务器,在所有网络接口的端口上监听7373使用 X.509 TLS 证书server.crt对应的私钥server.key,以及从环境变量中获取的根身份$ROOT_IDENTITY:
kes server --cert server.crt --key private.key --root $ROOT_IDENTITY
配置文件
通过 YAML 配置文件自定义 KES 服务器行为。
配置文件分为以下几个部分:
- 一个通用的服务器配置部分,包括服务器地址和根身份。
- A TLS 部分指定服务器密钥/证书和TLS代理配置。
- An API 部分启用或禁用特定端点的身份验证。
- A 策略部分控制谁可以执行各种API操作。
- A 缓存部分控制KES服务器在内存中缓存密钥的时间。
- A 日志记录部分控制哪些日志消息写入
STDOUT和STDERR. - A KMS / key store section指定密钥的存储和获取位置。
TLS 配置
使用 TLS 配置部分来指定 KES 服务器的 X.509 证书及对应的私钥:
tls:
cert: server.crt
key: server.key
Optionally, also configure a TLS proxy in this section. See the separateTLS 代理页面更多信息。
API Configuration
默认情况下,KES 要求所有 API 调用都必须提供有效的 TLS 证书。 您可以为特定 API 端点更改此行为,允许对端点的请求不使用证书。
KES API 端点的默认行为应适用于大多数情况。
仅在特定需求时才自定义端点。
当您为至少一个端点禁用身份验证时,KES 不再要求客户端调用时提供证书任何API endpoint. 但是,请求仍必须包含证书,KES 才能成功处理需要身份验证的任何 API endpoint 的调用。
这一变更意味着,在至少配置了一个禁用认证端点的KES服务器上,客户端在认证失败时不会收到TLS错误,而是会收到HTTP错误。
您可以禁用以下 API 端点的身份验证:
/v1/ready/v1/status/v1/metrics/v1/api
例如,要为允许就绪探针和状态检查的端点跳过身份验证,请将以下内容添加到配置文件中:
api:
/v1/ready:
skip_auth: true
timeout: 15s
/v1/ready:
skip_auth: false
timeout: 15s
看链接文本有关 KES API 的信息。
缓存配置
使用缓存配置部分来指定 KES 服务器应如何缓存从外部 KMS 获取的密钥。
cache:
expiry:
any: 5m0s
unused: 20s
通过为不同的过期值指定,控制 KES 服务器必须从外部 KMS 获取密钥的频率any缓存的键或unused缓存键。
例如,any: 5m0s这意味着 KES 服务器每 5 分钟会清空内存缓存。unused: 20s这意味着 KES 服务器会从缓存中移除过去 20 秒内未被使用的所有密钥。
缓存过期时间的选择是安全性与性能之间的权衡。
通过设置一个值为any: 1m0sKES服务器需要与外部KMS的通信频率相比增加了5倍any: 5m0s然而,any: 1m0s设置可减少 KES 服务器不受外部 KMS 控制的时间。
以下数值可能有助于您做出决策。
| 安全级别 | 任何 | 未使用 |
|---|---|---|
| 自由主义的 | 5m0s |
30s |
| 适中 | 1m0s |
20s |
| 保守的 | 30s |
5s |
日志配置
使用日志配置部分来指定哪些日志事件写入STDOUT or STDERRKES 服务器区分错误和审计日志事件。
默认情况下,服务器将错误事件写入STDERR但不将审计事件记录到STDOUT.
通常,错误事件表明发生了某些配置或操作错误。 例如,当KES服务器因意外原因从KMS获取密钥失败时,会记录错误事件。
KES服务器在接收客户端请求时会生成审计事件。 该审计事件描述了请求-响应对,并包含关于请求发起者的信息。
log:
error: on # To disable error logging to STDERR - explicitly set it to off
audit: off # To enable audit logging to STDOUT - explicitly set it to on
Thelogsection仅控制事件日志记录STDOUT和STDERRKES服务器还通过API提供审计和错误日志追踪功能,/v1/log/audit/trace和/v1/log/error/trace.
拥有足够权限的客户端可以随时订阅审计日志或错误日志。
策略配置
在策略配置部分,您需要定义策略和基于身份识别的访问控制规则。
策略部分可以包含任意数量的策略定义。
每个策略必须具有唯一的名称 - 例如:my-policy让我们来看一个示例策略:
policy:
my-policy:
allow:
- /v1/key/create/my-key
- /v1/key/generate/my-key
- /v1/key/decrypt/my-key
deny:
- /v1/key/*/my-key-internal
策略通过其API允许和拒绝规则明确允许API操作。
每条规则都是一个globpattern.
客户端请求必须匹配至少一个允许和no拒绝模式。
否则,服务器将拒绝该请求。
KES服务器按以下方式评估策略:
- 评估所有拒绝模式。
如果任何拒绝模式匹配,则拒绝该请求并返回
prohibited by policy错误。 - 评估所有允许模式。 如果至少有一个允许模式匹配,则 KES 接受该请求。
- 如果没有任何允许模式匹配,则拒绝该请求并返回
prohibited by policy错误。
没有必要拒绝特定的 API 操作。 相反,仅使用拒绝规则进行细粒度访问控制。 KES 服务器会拒绝策略未明确允许的任何 API 操作。 显式拒绝规则优先于允许规则。
该政策my-policy之前讨论的授予访问权限/v1/keyAPI。
具体来说,该策略允许三种操作:create, generate和decrypt然而,只有密钥my-key可以使用。
因此,my-policypolicy 具有以下语义:
| 请求 | 响应 | 原因 |
|---|---|---|
/v1/key/create/my-key |
允许 | 请求路径匹配第1条策略路径 |
/v1/key/generate/my-key |
允许 | 请求路径匹配第二个策略路径 |
/v1/key/create/my-key2 |
拒绝 | my-key2不匹配my-key |
/v1/key/delete/my-key |
拒绝 | delete不匹配create, generatenordecrypt |
/v1/policy/write/my-policy |
拒绝 | policy不匹配key |
/v0/key/create/my-key |
拒绝 | v0不匹配v1 |
指定确切的请求路径相当不灵活。
因此,策略路径采用通配符模式。
让我们调整my-policy政策如下:
policy:
my-policy:
allow:
- /v1/key/create/my-key*
- /v1/key/generate/my-key*
- /v1/key/decrypt/my-key*
- /v1/key/delete/my-key
deny:
- /v1/key/*/my-key-internal
现在,my-policy策略将具有以下语义:
| 请求 | 响应 | 原因 |
|---|---|---|
/v1/key/create/my-key |
允许 | 请求路径匹配第1条策略路径 |
/v1/key/generate/my-key |
允许 | 请求路径匹配第二个策略路径 |
/v1/key/create/my-key2 |
允许 | 请求路径匹配第1条策略路径 |
/v1/key/delete/my-key |
允许 | 请求路径匹配第4条策略路径 |
/v1/key/delete/my-key2 |
拒绝 | delete/my-key2不匹配delete/my-key(无*) |
/v1/key/decrypt/my-key-internal |
拒绝 | decrypt/my-key-internal被明确拒绝 |
通过使用 glob 模式,策略非常灵活,同时仍易于人类阅读。
例如:
/v1/key/create/*允许创建具有任意名称的密钥。/v1/key/*/my-key允许所有关键API操作(create,generate键的省略号(…)my-key./v1/key/*/*允许所有密钥API操作适用于任何密钥。
例如,在上述更新后的策略示例中,拒绝规则/v1/key/*/my-key-internal拒绝使用该密钥的任何API操作my-key-internal.
请注意,glob通配符(* or ?) 仅适用于当前路径段。/v1/key/*和/v1/key/*/*第一条规则允许任意的键API操作,但仅限于空键名。
第二条规则允许对任意键进行任意的键API操作。
更多详细信息,请参阅完整列表:server APIs 页面.
策略与身份
使用策略部分来定义哪个策略适用于哪个身份。 可以从 X.509 证书计算身份,具体方法如下:
kes identity of <path-to-certificate-file>
您可以在策略部分为一个策略分配一个或多个身份。 您可以通过两种方式指定身份:
- 插入身份本身
- 指定一个环境变量名称
如果您使用环境变量,KES服务器会在启动时插入该值。
policy:
my-policy:
allow:
- /v1/key/create/my-key
- /v1/key/generate/my-key
- /v1/key/decrypt/my-key
identities:
- 3ecfcdf38fcbe141ae26a1030f81e96b753365a46760ae6b578698a97c59fd22
- ${MY_APP_IDENTITY}
在启动服务器之前,必须设置所有预期的环境变量。
即使环境变量不存在或不包含"有效"身份,服务器仍会启动。
关键配置
使用密钥配置部分来声明应存在的加密密钥之前KES 服务器开始接受请求。
keys:
- name: "my-key"
- name: "my-key-2"
在启动时,KES 服务器会确保指定的密钥存在。 KES 服务器会尝试创建任何不存在的密钥。之前它接受客户端请求,如果无法创建密钥则退出。
KMS 配置
使用 KMS/密钥存储配置部分来指定 KES 服务器存储和获取主密钥的位置。 这应该是一个提供安全存储元素或加密密钥存储的 KMS。 不过,在测试和开发环境中,您可以将主密钥存储在内存中或文件系统中。
如果您在配置文件中未指定 KMS/密钥存储,KES 服务器将在内存中创建主密钥。 这仅适用于测试或开发环境,因为重启服务器时所有主密钥都会丢失。
要创建持久的测试或开发环境,请在配置文件中指定文件系统密钥库:
keystore:
fs:
path: ./keys # The key store directory. Keys will be created inside ./keys/
对于生产环境设置,请使用由KMS(如AWS KMS、Google Cloud KMS或Azure Key Vault)支持的安全密钥存储Hashicorp Vault.
Sample Configuration File
以下 yaml 文件提供了带使用说明的示例配置文件。 有关最新示例文件,请参阅GitHub 仓库.
# The config file version. Currently this field is optional but future
# KES versions will require it. The only valid value is "v1".
version: v1
# The TCP address (ip:port) for the KES server to listen on.
address: 0.0.0.0:7373 # The pseudo address 0.0.0.0 refers to all network interfaces
admin:
# The admin identity identifies the public/private key pair
# that can perform any API operation.
# The admin account can be disabled by setting a value that
# cannot match any public key - for example, "foobar" or "disabled".
identity: c84cc9b91ae2399b043da7eca616048d4b4200edf2ff418d8af3835911db945d
# The TLS configuration for the KES server. A KES server
# accepts HTTP only over TLS (HTTPS). Therefore, a TLS
# private key and public certificate must be specified,
# either here as part of the config file or via CLI arguments.
tls:
key: ./server.key # Path to the TLS private key
cert: ./server.cert # Path to the TLS certificate
password: "" # An optional password to decrypt the TLS private key
# Specify how/whether the KES server verifies certificates presented
# by clients. Valid values are "on" and "off". Defaults to off, which
# is recommended for most use cases.
auth: ""
# An optional path to a file or directory containing X.509 certificate(s).
# If set, the certificate(s) get added to the list of CA certificates for
# verifying the mTLS certificates sent by the KES clients.
#
# If empty, the system root CAs will be used.
ca: ""
# The TLS proxy configuration. A TLS proxy, like nginx, sits in
# between a KES client and the KES server and usually acts as a
# load balancer or common endpoint.
# All connections from the KES client to the TLS proxy as well
# the connections from the TLS proxy to the KES server must be
# established over TLS.
proxy:
# The identities of all TLS proxies directly connected to the
# KES server.
#
# Note that a TLS proxy can act as any identity (including root)
# since it can forward arbitrary client certificates. Client certificates
# aren't secret information and a malicious TLS proxy can fake any
# identity it has seen before. Therefore, its critical that all TLS proxy
# identities are secure and trusted servers.
identities: []
# The HTTP header sent by the TLS proxy to forward certain data
# about the client to the KES server.
header:
# The HTTP header containing the URL-escaped and PEM-encoded
# certificate of the kes client forwarded by the TLS proxy.
cert: X-Tls-Client-Cert
# The API configuration. The APIs exposed by the KES server can
# be adjusted here. Each API is identified by its API path.
#
# In general, the KES server uses reasonable defaults for all APIs.
# Only customize the APIs if there is a real need.
#
# Disabling authentication for an API must be carefully evaluated.
# One example, when disabling authentication may be justified, would
# be the liveness and readiness probes in a Kubernetes environment.
#
# When authentication is disabled, the particular API can be
# accessed by any client that can send HTTPS requests to the
# KES server.
#
# When disabling authentication for any API, the KES server will
# change its TLS handshake behavior. By default, KES requires that
# a client sends a client certificate during the handshake or KES
# aborts the handshake. This means that a client can only send an
# HTTP request to KES when it provides a certificate during the
# handshake. This is no longer the case when authentication is
# disabled for at least one API. Clients should be able to call
# the API even without a certificate. Hence, KES can no longer
# require a certificate during the TLS handshake but instead has
# to check the certificate when executing the API handler.
#
# Now, these two behaviors have slightly different semantics:
# By default, KES does not accept connections from clients without
# a TLS certificate. When disabling authentication for one API, KES
# has to accept connections from any client for all APIs. However,
# the API handlers that still require authentication will reject
# requests from clients without a certificate. Instead of a TLS
# error these clients will receive an HTTP error.
#
# Currently, authentication can only be disabled for the
# following APIs:
# - /v1/ready
# - /v1/status
# - /v1/metrics
# - /v1/api
#
api:
/v1/ready:
skip_auth: false
timeout: 15s
# The (pre-defined) policy definitions.
#
# A policy must have an unique name (e.g my-app) and specifies which
# server APIs can be accessed. An API path pattern is a glob pattern
# of the following form:
# <API-version>/<API>/<operation>/[<argument-0>/<argument-1>/...]>
#
# Each KES server API has an unique path - for example, /v1/key/create/<key-name>.
# A client request is allowed if and only if no deny pattern AND at least one
# allow pattern matches the request URL path.
#
# A policy has zero (by default) or more assigned identities. However,
# an identity can never be assigned to more than one policy at the same
# time. So, one policy has N assigned identities but one identity is
# assigned to at most one policy.
#
# In general, each user/application should only have the minimal
# set of policy permissions to accomplish whatever it needs to do.
# Therefore, it is recommended to define policies based on workflows
# and then assign them to the identities.
# The following policy section shows some example policy definitions.
# Please remove/adjust to your needs.
policy:
my-app:
allow:
- /v1/key/create/my-app*
- /v1/key/generate/my-app*
- /v1/key/decrypt/my-app*
deny:
- /v1/key/generate/my-app-internal*
- /v1/key/decrypt/my-app-internal*
identities:
- df7281ca3fed4ef7d06297eb7cb9d590a4edc863b4425f4762bb2afaebfd3258
- c0ecd5962eaf937422268b80a93dde4786dc9783fb2480ddea0f3e5fe471a731
my-app-ops:
allow:
- /v1/key/delete/my-app*
- /v1/policy/show/my-app
- /v1/identity/assign/my-app/*
identities:
- 7ec8095a5308a535b72b35c7ccd4ce1d7c14af713acd22e2935a9d6e4fe18127
cache:
# Cache expiry specifies when cache entries expire.
expiry:
# Period after which any cache entries are discarded.
# It determines how often the KES server has to fetch
# a secret key from the KMS.
#
# If not set, KES will default to an expiry of 5 minutes.
any: 5m0s
# Period after which all unused cache entries are discarded.
# It determines how often "not frequently" used secret keys
# must be fetched from the KMS.
#
# If not set, KES will default to an expiry of 30 seconds.
unused: 20s
# Period after which any cache entries in the offline cache
# are discarded.
# It determines how long the KES server can serve stateless
# requests when the KMS key store has become unavailable -
# for example, due to a network outage.
#
# If not set, KES will disable the offline cache.
#
# Offline caching should only be enabled when trying to
# reduce the impact of the KMS key store being unavailable.
offline: 0s
# The console logging configuration. In general, the KES server
# distinguishes between (operational) errors and audit events.
# By default, the KES server logs error events to STDERR but
# does not log audit log events to STDOUT.
#
# The following log configuration only affects logging to console.
log:
# Enable/Disable logging error events to STDERR. Valid values
# are "on" or "off". If not set the default is "on". If no error
# events should be logged to STDERR it has to be set explicitly
# to: "off".
error: on
# Enable/Disable logging audit events to STDOUT. Valid values
# are "on" and "off". If not set the default is "off".
# Logging audit events to STDOUT may flood your console since
# there will be one audit log event per request-response pair.
#
# For tracing/monitoring audit logs take a look at the
# /v1/log/audit/trace API.
#
# Each audit event is a JSON object representing a request-response
# pair that contains the time, client identity, the API path, HTTP
# response status code etc.
# {
# "time": "2006-01-02T15:04:05Z07:00",
# "request": {
# "ip": "87.149.99.199",
# "path": "/v1/key/create/my-app-key",
# "identity": "4067503933d4a78358f908a2df7ec14e554c612acf8a9d1aa29b7da4aa018ec9",
# },
# "response": {
# "status": 200
# }
# }
# The server will write such an audit log entry for every HTTP
# request-response pair - including invalid requests.
audit: off
# In the keys section, pre-defined keys can be specified. The KES
# server will try to create the listed keys before startup.
keys:
- name: some-key-name
- name: another-key-name
# The keystore section specifies which KMS - or in general key store - is
# used to store and fetch encryption keys.
# A KES server can only use one KMS / key store at the same time.
# If no store is explicitly specified the server will use store
# keys in-memory. In this case all keys are lost when the KES server
# restarts.
keystore:
# Configuration for storing keys on the filesystem.
# The path must be path to a directory. If it doesn't
# exist then the KES server will create the directory.
#
# The main purpose of the fs configuration is testing
# and development. It should not be used for production.
fs:
path: "" # Path to directory. Keys will be stored as files.
# Hashicorp Vault configuration. The KES server will store/fetch
# secret keys at/from Vault's key-value backend.
#
# For more information take a look at:
# https://www.vaultproject.io/api/secret/kv/kv-v1.html
vault:
endpoint: "" # The Vault endpoint - for example, https://127.0.0.1:8200
engine: "" # The path of the K/V engine - for example, secrets. If empty, defaults to: kv. (Vault default)
version: "" # The K/V engine version - either "v1" or "v2". The "v1" engine is recommended.
namespace: "" # An optional Vault namespace. See: https://www.vaultproject.io/docs/enterprise/namespaces/index.html
prefix: "" # An optional K/V prefix. The server will store keys under this prefix.
transit: # Optionally encrypt keys stored on the K/V engine with a Vault-managed key.
engine: "" # The path of the transit engine - for example, "my-transit". If empty, defaults to: transit (Vault default)
key: "" # The key name that should be used to encrypt entries stored on the K/V engine.
approle: # AppRole credentials. See: https://www.vaultproject.io/docs/auth/approle.html
namespace: "" # Optional Vault namespace used only for authentication. For the Vault root namespace, use "/".
engine: "" # The path to the AppRole engine, for example: authenticate. If empty, defaults to: approle. (Vault default)
id: "" # Your AppRole Role ID
secret: "" # Your AppRole Secret ID
kubernetes: # Kubernetes credentials. See: https://www.vaultproject.io/docs/auth/kubernetes
namespace: "" # Optional Vault namespace used only for authentication. For the Vault root namespace, use "/".
engine: "" # The path to the Kubernetes engine, for example: authenticate. If empty, defaults to: kubernetes. (Vault default)
role: "" # The Kubernetes JWT role
jwt: "" # Either the JWT provided by K8S or a path to a K8S secret containing the JWT.
tls: # The Vault client TLS configuration for mTLS authentication and certificate verification
key: "" # Path to the TLS client private key for mTLS authentication to Vault
cert: "" # Path to the TLS client certificate for mTLS authentication to Vault
ca: "" # Path to one or more PEM root CA certificates
status: # Vault status configuration. The server will periodically reach out to Vault to check its status.
ping: 10s # Duration until the server checks Vault's status again.
fortanix:
# The Fortanix SDKMS key store. The server will store secret keys at the Fortanix SDKMS.
# See: https://www.fortanix.com/products/data-security-manager/key-management-service
sdkms:
endpoint: "" # The Fortanix SDKMS endpoint - for example: https://sdkms.fortanix.com
group_id: "" # An optional group ID newly created keys will be placed at. For example: ce08d547-2a82-411e-ae2d-83655a4b7617
# If empty, the applications default group is used.
credentials: # The Fortanix SDKMS access credentials
key: "" # The application's API key - for example: NWMyMWZlNzktZDRmZS00NDFhLWFjMzMtNjZmY2U0Y2ViMThhOnJWQlh0M1lZaDcxZC1NNnh4OGV2MWNQSDVVSEt1eXEyaURqMHRrRU1pZDg=
tls: # The KeySecure client TLS configuration
ca: "" # Path to one or more PEM-encoded CA certificates for verifying the Fortanix SDKMS TLS certificate.
aws:
# The AWS SecretsManager key store. The server will store
# secret keys at the AWS SecretsManager encrypted with
# AWS-KMS. See: https://aws.amazon.com/secrets-manager
secretsmanager:
endpoint: "" # The AWS SecretsManager endpoint - for example, secretsmanager.us-east-2.amazonaws.com
region: "" # The AWS region of the SecretsManager - for example, us-east-2
kmskey: "" # The AWS-KMS key ID used to en/decrypt secrets at the SecretsManager. By default (if not set) the default AWS-KMS key will be used.
credentials: # The AWS credentials for accessing secrets at the AWS SecretsManager.
accesskey: "" # Your AWS Access Key
secretkey: "" # Your AWS Secret Key
token: "" # Your AWS session token (usually optional)
gemalto:
# The Gemalto KeySecure key store. The server will store
# keys as secrets on the KeySecure instance.
keysecure:
endpoint: "" # The KeySecure endpoint - for example, https://127.0.0.1
credentials: # The authentication to access the KeySecure instance.
token: "" # The refresh token to obtain new short-lived authentication tokens.
domain: "" # The KeySecure domain for which the refresh token is valid. If empty, defaults to the root domain.
retry: 15s # The time the KES server waits before it tries to re-authenticate after connection loss.
tls: # The KeySecure client TLS configuration
ca: "" # Path to one or more PEM-encoded CA certificates for verifying the KeySecure TLS certificate.
gcp:
# The Google Cloud Platform secret manager.
# For more information take a look at:
# https://cloud.google.com/secret-manager
secretmanager:
# The project ID is a unique, user-assigned ID that can be used by Google APIs.
# The project ID must be a unique string of 6 to 30 lowercase letters, digits, or hyphens.
# It must start with a letter, and cannot have a trailing hyphen.
# See: https://cloud.google.com/resource-manager/docs/creating-managing-projects#before_you_begin
project_id: ""
# An optional GCP SecretManager endpoint. If not set, defaults to: secretmanager.googleapis.com:443
endpoint: ""
# An optional list of GCP OAuth2 scopes. For a list of GCP scopes refer to: https://developers.google.com/identity/protocols/oauth2/scopes
# If not set, the GCP default scopes are used.
scopes:
- ""
# The credentials for your GCP service account. If running inside GCP (app engine) the credentials
# can be empty and will be fetched from the app engine environment automatically.
credentials:
client_email: "" # The service account email - for example, <account>@<project-ID>.iam.gserviceaccount.com
client_id: "" # The service account client ID - for example, 113491952745362495489"
private_key_id: "" # The service account private key - for example, 381514ebd3cf45a64ca8adc561f0ce28fca5ec06
private_key: "" # The raw encoded private key of the service account - for example, "-----BEGIN PRIVATE KEY-----\n ... \n-----END PRIVATE KEY-----\n
azure:
# The Azure KeyVault configuration.
# For more information take a look at:
# https://azure.microsoft.com/services/key-vault
keyvault:
endpoint: "" # The KeyVault endpoint - for example, https://my-instance.vault.azure.net
# Azure client credentials used to
# authenticate to Azure KeyVault.
credentials:
tenant_id: "" # The ID of the tenant the client belongs to - that is, a UUID.
client_id: "" # The ID of the client - that is, a UUID.
client_secret: "" # The value of the client secret.
# Azure managed identity used to
# authenticate to Azure KeyVault
# with Azure managed credentials.
managed_identity:
client_id: "" # The Azure managed identity of the client - that is, a UUID.
entrust:
# The Entrust KeyControl configuration.
# For more information take a look at:
# https://www.entrust.com/digital-security/key-management/keycontrol
keycontrol:
endpoint: "" # The KeyControl endpoint - for example, https://keycontrol.my-org.com
vault_id: "" # The Vault ID - for example, e30497c1-bff7-4e81-beb7-fb35c4b7410c
box_id: "" # The Box name or ID - for example, tenant-1
# The KeyControl access credentials
credentials:
username: "" # A username with access to the Vault and Box.
password: "" # The user password
# The KeyControl client TLS configuration
tls:
ca: "" # Path to one or more PEM-encoded CA certificates for verifying the KeyControl TLS certificate.