Google Cloud Platform (GCP)
Google Cloud Platform (GCP) connection to the CipherTrust Manager can be configured using the following:
Warning
Thales strongly discourages creating a Google connection using a service account key file that grants permission to root of trust keys.
Managing Google Connections using GUI
Key File - upload the key file (a JSON file) that you downloaded from the GCP console when creating the service account.
Cloud Name - select Google from the drop-down list.
Click the Test Credentials button to check whether the connection is configured correctly. If the test is successful, the status is OK; otherwise, the status is Fail.
Click Next to move to the Add Products screen of the Add Connection wizard.
Note
Currently, the only product supported for Google connection is Cloud Key Manager.
Note
Service account keys are private keys that let you authenticate as a service account. To rotate a service account key, refer to Service Account Key Rotation.
Managing Google Connections using ksctl
The following operations can be performed:
Create/Get/Update/Delete a GCP connection
List all GCP connections
Test an existing GCP connection
Test a new GCP connection
Creating a GCP Connection
To create a GCP connection, run:
Syntax
ksctl connectionmgmt gcp create --name <Connection-Name> --key-file <Key-File-Path> --cloudname <Cloud-Name> --products <Product-Names> --meta <Key:Values>
Format of GCP Key File
{
  "type": "service_account",
  "project_id": "test",
  "private_key_id": "hbk0662522e157b8e39cc672108de25016d736y0",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDV7g0lBwL/XaBD\nbpKtMQwFQJUiIPpv8luHA5wrvRi+XgAHBey8xMSOy/ezDNTlPgF99RNFz022WuCV\nAitCCaDpuaHPSqnx7ygs8hM6Mh/Kpq0fInnCXrdcgZKpK2qIJ8H0OdSmyiZp1hNG\nOICQckcmuJ0VUQLzwbS3R8dbwFAquQSxR1WBbI1vWZia3iap1ALSsh6nBUvaH7M6\nXaLZmZxUSLBw9o50slyI6UtM9WswcNWR9iYQS78DYakM5on9/M2y8kWQozhbIT/b\nilcE2weCtiu3UJR1xtI3WDL7eW3xdfJc2kLg0AIHflOopVkiuKaaFCw7s6aQUvFn\nna9Oi7FbAgMBAAECggEAIYBI8K57arAnw8eSEqsmnb/yWsjdTyCd8rO/Bh5zvIQN\n7wufeiQ6P75zSMfOoyOlqirx3LHNEqyClPMlAQ9u8osOat7fZDK2kOtL1YY58ktN\nux10AdtBTaxA4lsZML9Bj5Oq4H+5qkNK+2knwPcUa1znxInOM4v3F+iLsKiaJUZQ\nwnew+WacECpgMHxMavDiY92/0hPIYtBgJPk4Qud/0+EZ9QnTZ1FR4NSwk2rKBOx3\nJZTDcxLHbJ/jYPt+AJo77HITXkkbwBI9l9ILq5Y/aCI3Xw5qZA8lzuqxlklqvLvJ\n3j1ivz0+3t2/Ux4Y/wKpqmEMmKUAIq0BFKd+IqiykQKBgQDwS++M7l8SwQR8Sntn\nkkseFWPFmsETe9JzTugVsaQAfn9HPDtGmr2wcK+0Fo7/NEpYm+Vodh1rlLcSs7Ak\nheOIjShdDSRXjtwSoNxVoMoAaLFP3DORERhWYCczJjeqcoP1fUC27LmvA/1NDd15\n/C9BEdVH+ltpPDwgJxYJtXE+uQKBgQDj6QLJ0b9LEYxz0ig0knN7u0g4LRPkZF58\nrLDphUF+t06XRiXa8UKkaHsCMc0hVbZJ0yvHdY640ckxhzZfLk78fmonKfW11wV0\nBMjoYZlfJPQvAydalehVBrJ4j/ZhouhYKuycRrOrCcZD+FwpKBd8ThVcRxd/9j8V\nQgMf8ciGswKBgQDXC33z55dZ1zbGbHmHtNpYr9e8DcRgRV2PJ7x3PaSBdLM+8t4x\nT2YWsqHrTozmQsuOBOYG2D13+3zi1b/6z39SwtCuhYZSfVzhpufIEb71IrwbtfrI\nBj57fk1Wbws+FIGXfmId0jhSMgXLoW7lLhSz7NusMJcB1JASTihgw+n2sQKBgQCn\nFz4kGNLWhpcikwFHCdgA7t2T0fiziaJ8ZV+O1VOfQ2UrIxK94gOp5a/JfBmYRu7O\nUTPXmCh699M5rJgAUEM4erX44Jp0JqCo3pktReDcEIu1q+o+T4l2TOKr4WARVQ5j\nFZVDPdKbox7o1j07L1mImPawIK7p8e9t9me0E9+gYQKBgCiXzwL5ngTxAqLNXTTx\nuYL/1x3Pg6uvBnltfCUTDKVFDPv9Dwaad3T9cwqZZCzlM0GqTuALzVb1NAHVcx3U\nIUXcwn8mDT/aYWClnTDW7/ZwThnOsXSxbco68JdM2bpCS9nRqhYAlLb0eLMl2pEU\n59cqC1DjxsmVcmpabyi/726I\n-----END PRIVATE KEY-----\n",
  "client_email": "test@some-project.iam.gserviceaccount.com",
  "client_id": "some-id",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/test%40some-project.iam.gserviceaccount.com"
}
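Before handing a key file to ksctl or the GUI, it is worth checking that it really is a service-account key in the format above and not, say, a user-credential file or a truncated download. The following pre-flight check is an added example, not Thales or Google code; it validates the structural fields shown above (required keys, `type`, unencrypted PKCS#8 PEM framing, and the `client_x509_cert_url` that must embed the URL-encoded `client_email`), and `sample_key_file` builds a constructed sample whose PEM body is a tiny DER placeholder rather than a real key.

```python
import base64
import json
from urllib.parse import quote

REQUIRED = ("type", "project_id", "private_key_id", "private_key", "client_email",
            "client_id", "auth_uri", "token_uri", "auth_provider_x509_cert_url",
            "client_x509_cert_url")
CERT_URL_PREFIX = "https://www.googleapis.com/robot/v1/metadata/x509/"


def check_gcp_key_file(text):
    """Return the list of problems found; an empty list means the file passes."""
    try:
        key = json.loads(text)
    except ValueError as e:
        return [f"not valid JSON: {e}"]
    missing = [f for f in REQUIRED if f not in key]
    if missing:
        return ["missing field: " + f for f in missing]
    problems = []
    if key["type"] != "service_account":  # e.g. "authorized_user" is a user credential
        problems.append(f"type is {key['type']!r}, expected 'service_account'")
    pk = key["private_key"]
    if not (pk.startswith("-----BEGIN PRIVATE KEY-----\n")
            and pk.rstrip().endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not an unencrypted PKCS#8 PEM block")
    else:
        try:  # b64decode skips the embedded "\n" separators by default
            der = base64.b64decode(pk.split("-----")[2])
        except ValueError:
            der = b""
        if not der or der[0] != 0x30:
            problems.append("private_key body does not decode to a DER SEQUENCE")
    # The cert URL embeds the URL-encoded client_email (test%40some-project...).
    if key["client_x509_cert_url"] != CERT_URL_PREFIX + quote(key["client_email"], safe=""):
        problems.append("client_x509_cert_url does not match client_email")
    return problems


def sample_key_file(**overrides):
    """Constructed sample in the page's format; the PEM body is a tiny DER
    SEQUENCE, not a real key. Keyword arguments override fields for testing."""
    key = {"type": "service_account", "project_id": "test", "client_id": "some-id",
           "private_key_id": "0000000000000000000000000000000000000000",
           "private_key": "-----BEGIN PRIVATE KEY-----\nMAMCAQA=\n-----END PRIVATE KEY-----\n",
           "client_email": "test@some-project.iam.gserviceaccount.com",
           "auth_uri": "https://accounts.google.com/o/oauth2/auth",
           "token_uri": "https://accounts.google.com/o/oauth2/token",
           "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
           "client_x509_cert_url": CERT_URL_PREFIX + "test%40some-project.iam.gserviceaccount.com"}
    key.update(overrides)
    return json.dumps(key)
```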
Example Request
ksctl connectionmgmt gcp create --name gcpConn --key-file gcp.json --products CCKM
Example Response
{
  "id": "047bcdcb-5bbe-4de8-85e2-1dc504d07c59",
  "uri": "kylo:kylo:connectionmgmt:connections:gcpconn-047bcdcb-5bbe-4de8-85e2-1dc504d07c59",
  "account": "kylo:kylo:admin:accounts:kylo",
  "createdAt": "2021-04-01T04:56:28.5260642Z",
  "updatedAt": "2021-04-01T04:56:28.524593208Z",
  "service": "gcp",
  "category": "cloud",
  "last_connection_ok": null,
  "last_connection_at": "0001-01-01T00:00:00Z",
  "name": "gcpConn",
  "products": [
    "CCKM"
  ],
  "cloud_name": "gcp",
  "client_email": "test@some-project.iam.gserviceaccount.com",
  "private_key_id": "y437c51g956b8ab4908yb41541262a2fa3b0f84f"
}
Getting Details of a GCP Connection
To get details of a GCP connection, run:
Syntax
ksctl connectionmgmt gcp get --id <Connection-Name/ID>
Example Request
ksctl connectionmgmt gcp get --id 047bcdcb-5bbe-4de8-85e2-1dc504d07c59
Example Response
{
  "id": "047bcdcb-5bbe-4de8-85e2-1dc504d07c59",
  "uri": "kylo:kylo:connectionmgmt:connections:gcpconn-047bcdcb-5bbe-4de8-85e2-1dc504d07c59",
  "account": "kylo:kylo:admin:accounts:kylo",
  "createdAt": "2021-04-01T04:56:28.526064Z",
  "updatedAt": "2021-04-01T04:56:28.524593Z",
  "service": "gcp",
  "category": "cloud",
  "last_connection_ok": null,
  "last_connection_at": "0001-01-01T00:00:00Z",
  "name": "gcpConn",
  "products": [
    "CCKM"
  ],
  "cloud_name": "gcp",
  "client_email": "test@some-project.iam.gserviceaccount.com",
  "private_key_id": "y437c51g956b8ab4908yb41541262a2fa3b0f84f"
}
Updating a GCP Connection
To update a GCP connection, run:
Syntax
ksctl connectionmgmt gcp modify --id <Connection-Name> --key-file <Key-File-Path> --cloudname <Cloud-Name> --products <Product-Names> --meta <Key:Values>
Example Request
ksctl connectionmgmt gcp modify --id 047bcdcb-5bbe-4de8-85e2-1dc504d07c59 --key-file gcp1.json
Example Response
{
  "id": "047bcdcb-5bbe-4de8-85e2-1dc504d07c59",
  "uri": "kylo:kylo:connectionmgmt:connections:gcpconn-047bcdcb-5bbe-4de8-85e2-1dc504d07c59",
  "account": "kylo:kylo:admin:accounts:kylo",
  "createdAt": "2021-04-01T04:56:28.526064Z",
  "updatedAt": "2021-04-01T05:03:38.665326512Z",
  "service": "gcp",
  "category": "cloud",
  "last_connection_ok": true,
  "last_connection_at": "2021-04-01T05:00:03.806155Z",
  "name": "gcpConn",
  "products": [
    "CCKM"
  ],
  "meta": "",
  "cloud_name": "gcp",
  "client_email": "test@some-project.iam.gserviceaccount.com",
  "private_key_id": "y437c51g956b8ab4908yb41541262a2fa3b0f84f"
}
Deleting a GCP Connection
To delete a GCP connection, run:
Syntax
ksctl connectionmgmt gcp delete --id <Connection-Name/ID>
Example Request
ksctl connectionmgmt gcp delete --id 047bcdcb-5bbe-4de8-85e2-1dc504d07c59
There is no response if the GCP connection is deleted successfully.
Getting List of GCP Connections
To list all the GCP connections, run:
Syntax
ksctl connectionmgmt gcp list
Example Request
ksctl connectionmgmt gcp list
Example Response
{
  "skip": 0,
  "limit": 10,
  "total": 1,
  "resources": [
    {
      "id": "047bcdcb-5bbe-4de8-85e2-1dc504d07c59",
      "uri": "kylo:kylo:connectionmgmt:connections:gcpconn-047bcdcb-5bbe-4de8-85e2-1dc504d07c59",
      "account": "kylo:kylo:admin:accounts:kylo",
      "createdAt": "2021-04-01T04:56:28.526696Z",
      "updatedAt": "2021-04-01T04:56:28.526696Z",
      "service": "gcp",
      "category": "cloud",
      "last_connection_ok": null,
      "last_connection_at": "0001-01-01T00:00:00Z",
      "name": "gcpConn",
      "products": [
        "CCKM"
      ],
      "cloud_name": "gcp",
      "client_email": "test@some-project.iam.gserviceaccount.com",
      "private_key_id": "y437c51g956b8ab4908yb41541262a2fa3b0f84f"
    }
  ]
}
Testing an Existing GCP Connection
To test an existing GCP connection, run:
Syntax
ksctl connectionmgmt gcp test --id <Connection-Name/ID> --key-file <Key-File-Path>
Example Request
ksctl connectionmgmt gcp test --id 047bcdcb-5bbe-4de8-85e2-1dc504d07c59
Example Response
{
  "connection_ok": true
}
Testing a New GCP Connection
To test a new GCP connection, run:
Syntax
ksctl connectionmgmt gcp test --key-file <Key-File-Path>
Example Request
ksctl connectionmgmt gcp test --key-file gcp.json
Example Response
{
  "connection_ok": true
}
Service Account Key Rotation
Rotating service account keys can help reduce the risk posed by leaked or stolen keys. To rotate the service account keys, perform the following steps:
On GCP
Identify the service account key that needs to be rotated.
Create a new key for the same service account handling the connection between CipherTrust Manager and GCP.
At this stage, the GCP cloud contains two keys: the new and the old one.
On the CipherTrust Manager
Replace the existing (old) service account key with the new key in the GCP connection manager. To do so, either go to the GUI and upload the new "Key File", or use ksctl to modify the key-file parameter value. Test the connection. The state of the connection should be "Ready".
On GCP
Disable the replaced key.
After disabling the key, verify that CCKM works as expected.
Delete the service account key that was replaced.
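The rotation steps above, driven end to end as an added example (not Thales or Google code). It assumes `gcloud` and `ksctl` are on PATH and already authenticated, uses the `gcloud iam service-accounts keys create/disable/delete` subcommands, reads the old key ID from the `private_key_id` field of the `ksctl connectionmgmt gcp get` response shown earlier, and only disables the old key once `ksctl connectionmgmt gcp test` reports `connection_ok`; `simulated_runner` is a constructed stand-in so the sequence can be rehearsed offline.

```python
import json
import subprocess


def shell_runner(argv):
    """Real runner: execute argv, raise on non-zero exit, return stdout."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def rotate_gcp_key(sa_email, conn_id, new_key_file, run=shell_runner):
    """New key, rebind the connection, test it, disable the old key on success."""
    # 1. The key currently bound to the connection is the private_key_id that
    #    `ksctl connectionmgmt gcp get` returns (see the response above).
    conn = json.loads(run(["ksctl", "connectionmgmt", "gcp", "get", "--id", conn_id]))
    old_key_id = conn["private_key_id"]
    # 2. Create a new key for the same service account; GCP now holds both.
    run(["gcloud", "iam", "service-accounts", "keys", "create", new_key_file,
         "--iam-account", sa_email])
    # 3. Replace the key file on the CipherTrust Manager side.
    run(["ksctl", "connectionmgmt", "gcp", "modify", "--id", conn_id,
         "--key-file", new_key_file])
    # 4. Test; the old key stays enabled unless the new one is proven to work.
    result = json.loads(run(["ksctl", "connectionmgmt", "gcp", "test", "--id", conn_id]))
    ok = result.get("connection_ok") is True
    if ok:
        # 5. Disable (not delete) the replaced key; deletion is a later step,
        #    after CCKM has been verified with the new key (delete_old_key).
        run(["gcloud", "iam", "service-accounts", "keys", "disable", old_key_id,
             "--iam-account", sa_email])
    return {"old_key_id": old_key_id, "connection_ok": ok, "old_key_disabled": ok}


def delete_old_key(sa_email, key_id, run=shell_runner):
    """Final step, run only after CCKM has been verified on the new key."""
    run(["gcloud", "iam", "service-accounts", "keys", "delete", key_id,
         "--iam-account", sa_email, "--quiet"])


def simulated_runner(connection_ok, log):
    """Constructed stand-in for gcloud/ksctl: records every argv in `log` and
    returns canned JSON shaped like the ksctl responses shown on this page."""
    def run(argv):
        log.append(argv)
        if argv[:4] == ["ksctl", "connectionmgmt", "gcp", "get"]:
            return json.dumps({"private_key_id": "old-key-id-constructed"})
        if argv[:4] == ["ksctl", "connectionmgmt", "gcp", "test"]:
            return json.dumps({"connection_ok": connection_ok})
        return ""  # gcloud create/disable/delete: nothing is parsed from stdout
    return run
```

Rehearse with `rotate_gcp_key(sa, conn_id, "new.json", run=simulated_runner(True, []))` first; with the default runner the same call performs the rotation for real, stopping before the old key is touched if the test fails.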