A Google connection to the CipherTrust Manager can be configured using either the GUI or ksctl, as described in the following sections.
Warning
Thales strongly discourages creating a Google connection using a service account key file that grants permission to root of trust keys.
Managing Google Connections using GUI
Key File - upload the JSON key file that you downloaded from the GCP console when creating the service account key.
Cloud Name - select Google from the drop-down list.
Click the Test Credentials button to check whether the connection is configured correctly. If the test is successful, the status is OK; otherwise, the status is Fail.
Click Next to move to the Add Products screen of the Add Connection wizard.
Note
Currently, the only product supported for Google connection is Cloud Key Manager.
Note
Service account keys are private keys that let you authenticate as a service account. To rotate a service account key, refer to Service Account Key Rotation.
Managing Google Connections using ksctl
The following operations can be performed:
Create/Get/Update/Delete a Google connection
List all Google connections
Test an existing Google connection
Test a new Google connection
Creating a Google Connection
To create a Google connection, run:
Syntax
ksctl connectionmgmt gcp create --name <Connection-Name> --key-file <Key-File-Path> --cloudname <Cloud-Name> --products <Product-Names> --meta <Key:Values>
Format of GCP Key File
{
"type": "service_account",
"project_id": "test",
"private_key_id": "hbk0662522e157b8e39cc672108de25016d736y0",
"private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDV7g0lBwL/XaBD\nbpKtMQwFQJUiIPpv8luHA5wrvRi+XgAHBey8xMSOy/ezDNTlPgF99RNFz022WuCV\nAitCCaDpuaHPSqnx7ygs8hM6Mh/Kpq0fInnCXrdcgZKpK2qIJ8H0OdSmyiZp1hNG\nOICQckcmuJ0VUQLzwbS3R8dbwFAquQSxR1WBbI1vWZia3iap1ALSsh6nBUvaH7M6\nXaLZmZxUSLBw9o50slyI6UtM9WswcNWR9iYQS78DYakM5on9/M2y8kWQozhbIT/b\nilcE2weCtiu3UJR1xtI3WDL7eW3xdfJc2kLg0AIHflOopVkiuKaaFCw7s6aQUvFn\nna9Oi7FbAgMBAAECggEAIYBI8K57arAnw8eSEqsmnb/yWsjdTyCd8rO/Bh5zvIQN\n7wufeiQ6P75zSMfOoyOlqirx3LHNEqyClPMlAQ9u8osOat7fZDK2kOtL1YY58ktN\nux10AdtBTaxA4lsZML9Bj5Oq4H+5qkNK+2knwPcUa1znxInOM4v3F+iLsKiaJUZQ\nwnew+WacECpgMHxMavDiY92/0hPIYtBgJPk4Qud/0+EZ9QnTZ1FR4NSwk2rKBOx3\nJZTDcxLHbJ/jYPt+AJo77HITXkkbwBI9l9ILq5Y/aCI3Xw5qZA8lzuqxlklqvLvJ\n3j1ivz0+3t2/Ux4Y/wKpqmEMmKUAIq0BFKd+IqiykQKBgQDwS++M7l8SwQR8Sntn\nkkseFWPFmsETe9JzTugVsaQAfn9HPDtGmr2wcK+0Fo7/NEpYm+Vodh1rlLcSs7Ak\nheOIjShdDSRXjtwSoNxVoMoAaLFP3DORERhWYCczJjeqcoP1fUC27LmvA/1NDd15\n/C9BEdVH+ltpPDwgJxYJtXE+uQKBgQDj6QLJ0b9LEYxz0ig0knN7u0g4LRPkZF58\nrLDphUF+t06XRiXa8UKkaHsCMc0hVbZJ0yvHdY640ckxhzZfLk78fmonKfW11wV0\nBMjoYZlfJPQvAydalehVBrJ4j/ZhouhYKuycRrOrCcZD+FwpKBd8ThVcRxd/9j8V\nQgMf8ciGswKBgQDXC33z55dZ1zbGbHmHtNpYr9e8DcRgRV2PJ7x3PaSBdLM+8t4x\nT2YWsqHrTozmQsuOBOYG2D13+3zi1b/6z39SwtCuhYZSfVzhpufIEb71IrwbtfrI\nBj57fk1Wbws+FIGXfmId0jhSMgXLoW7lLhSz7NusMJcB1JASTihgw+n2sQKBgQCn\nFz4kGNLWhpcikwFHCdgA7t2T0fiziaJ8ZV+O1VOfQ2UrIxK94gOp5a/JfBmYRu7O\nUTPXmCh699M5rJgAUEM4erX44Jp0JqCo3pktReDcEIu1q+o+T4l2TOKr4WARVQ5j\nFZVDPdKbox7o1j07L1mImPawIK7p8e9t9me0E9+gYQKBgCiXzwL5ngTxAqLNXTTx\nuYL/1x3Pg6uvBnltfCUTDKVFDPv9Dwaad3T9cwqZZCzlM0GqTuALzVb1NAHVcx3U\nIUXcwn8mDT/aYWClnTDW7/ZwThnOsXSxbco68JdM2bpCS9nRqhYAlLb0eLMl2pEU\n59cqC1DjxsmVcmpabyi/726I\n-----END PRIVATE KEY-----\n",
"client_email": "test@some-project.iam.gserviceaccount.com",
"client_id": "some-id",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/test%40some-project.iam.gserviceaccount.com"
}
Example Request
ksctl connectionmgmt gcp create --name gcpConn --key-file gcp.json --products CCKM
Example Response
{
"id": "047bcdcb-5bbe-4de8-85e2-1dc504d07c59",
"uri": "kylo:kylo:connectionmgmt:connections:gcpconn-047bcdcb-5bbe-4de8-85e2-1dc504d07c59",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2021-04-01T04:56:28.5260642Z",
"updatedAt": "2021-04-01T04:56:28.524593208Z",
"service": "gcp",
"category": "cloud",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "gcpConn",
"products": [
"CCKM"
],
"cloud_name": "gcp",
"client_email": "test@some-project.iam.gserviceaccount.com",
"private_key_id": "y437c51g956b8ab4908yb41541262a2fa3b0f84f"
}
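A pre-flight check to run on the key file before passing it to ksctl connectionmgmt gcp create, added here as an example; it is not part of the Thales documentation or of ksctl. It relies only on POSIX sh, sed and find, calls openssl only when it is installed, and assumes the flat one-field-per-line JSON layout shown in the key file format above, as the GCP console and gcloud write it. The function names json_field and check_gcp_key_file are this example's own. Besides checking the fields, it refuses a file that group or other users can read or write, because the file is the private key that authenticates as the service account.

```shell
#!/bin/sh
# Added example, not Thales documentation: pre-flight checks on a GCP service account
# key file before it is passed to "ksctl connectionmgmt gcp create --key-file".
# Assumes the flat one-field-per-line JSON layout that the GCP console / gcloud emit
# (as in the key file format above). Function names are this example's own.

# Print the string value of a top-level field of a flat JSON key file (first match).
json_field() {
    sed -n "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Return 0 if the file looks like a usable, properly protected service account key.
check_gcp_key_file() {
    f=$1
    [ -f "$f" ] || { echo "$f: no such file" >&2; return 1; }

    # The file *is* the private key: refuse it if group or others can read or write it.
    if [ -n "$(find "$f" \( -perm -040 -o -perm -004 -o -perm -020 -o -perm -002 \) -print)" ]; then
        echo "$f: readable or writable by group/others; chmod 600 it first" >&2
        return 1
    fi

    [ "$(json_field "$f" type)" = "service_account" ] \
        || { echo "$f: \"type\" is not service_account" >&2; return 1; }

    # Fields CipherTrust Manager needs to identify and authenticate as the account.
    for field in project_id private_key_id private_key client_email token_uri; do
        [ -n "$(json_field "$f" "$field")" ] \
            || { echo "$f: missing or empty \"$field\"" >&2; return 1; }
    done

    case "$(json_field "$f" client_email)" in
        *.iam.gserviceaccount.com) ;;
        *) echo "$f: client_email is not a service account address" >&2; return 1 ;;
    esac

    # The JSON stores the PEM with literal "\n" escapes; %b turns them into newlines.
    pem=$(printf '%b' "$(json_field "$f" private_key)")
    case "$pem" in
        "-----BEGIN PRIVATE KEY-----"*"-----END PRIVATE KEY-----") ;;
        *) echo "$f: private_key is not a PKCS#8 PEM block" >&2; return 1 ;;
    esac
    # When openssl is available, make sure the key actually parses.
    if command -v openssl >/dev/null 2>&1; then
        printf '%s\n' "$pem" | openssl pkey -noout 2>/dev/null \
            || { echo "$f: private_key does not parse as a private key" >&2; return 1; }
    fi

    echo "$f: ok, key id $(json_field "$f" private_key_id) for $(json_field "$f" client_email)"
}

# Usage: check_gcp_key_file gcp.json && ksctl connectionmgmt gcp create --name gcpConn --key-file gcp.json --products CCKM
if [ $# -eq 1 ]; then
    check_gcp_key_file "$1"
fi
```

The permission test is deliberate: CipherTrust Manager only reports the client_email and private_key_id of the stored key, so the key file on the workstation is the one copy of the private key that can leak, and it should be removed or locked down once the connection test passes.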
Getting Details of a Google Connection
To get details of a Google connection, run:
Syntax
ksctl connectionmgmt gcp get --id <Connection-Name/ID>
Example Request
ksctl connectionmgmt gcp get --id 047bcdcb-5bbe-4de8-85e2-1dc504d07c59
Example Response
{
"id": "047bcdcb-5bbe-4de8-85e2-1dc504d07c59",
"uri": "kylo:kylo:connectionmgmt:connections:gcpconn-047bcdcb-5bbe-4de8-85e2-1dc504d07c59",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2021-04-01T04:56:28.526064Z",
"updatedAt": "2021-04-01T04:56:28.524593Z",
"service": "gcp",
"category": "cloud",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "gcpConn",
"products": [
"CCKM"
],
"cloud_name": "gcp",
"client_email": "test@some-project.iam.gserviceaccount.com",
"private_key_id": "y437c51g956b8ab4908yb41541262a2fa3b0f84f"
}
Updating a Google Connection
To update a Google connection, run:
Syntax
ksctl connectionmgmt gcp modify --id <Connection-Name/ID> --key-file <Key-File-Path> --cloudname <Cloud-Name> --products <Product-Names> --meta <Key:Values>
Example Request
ksctl connectionmgmt gcp modify --id 047bcdcb-5bbe-4de8-85e2-1dc504d07c59 --key-file gcp1.json
Example Response
{
"id": "047bcdcb-5bbe-4de8-85e2-1dc504d07c59",
"uri": "kylo:kylo:connectionmgmt:connections:gcpconn-047bcdcb-5bbe-4de8-85e2-1dc504d07c59",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2021-04-01T04:56:28.526064Z",
"updatedAt": "2021-04-01T05:03:38.665326512Z",
"service": "gcp",
"category": "cloud",
"last_connection_ok": true,
"last_connection_at": "2021-04-01T05:00:03.806155Z",
"name": "gcpConn",
"products": [
"CCKM"
],
"meta": "",
"cloud_name": "gcp",
"client_email": "test@some-project.iam.gserviceaccount.com",
"private_key_id": "y437c51g956b8ab4908yb41541262a2fa3b0f84f"
}
Deleting a Google Connection
To delete a Google connection, run:
Syntax
ksctl connectionmgmt gcp delete --id <Connection-Name/ID>
Example Request
ksctl connectionmgmt gcp delete --id 047bcdcb-5bbe-4de8-85e2-1dc504d07c59
There is no response if the GCP connection is deleted successfully.
Getting List of Google Connections
To list all the Google connections, run:
Syntax
ksctl connectionmgmt gcp list
Example Request
ksctl connectionmgmt gcp list
Example Response
{
"skip": 0,
"limit": 10,
"total": 1,
"resources": [
{
"id": "047bcdcb-5bbe-4de8-85e2-1dc504d07c59",
"uri": "kylo:kylo:connectionmgmt:connections:gcpconn-047bcdcb-5bbe-4de8-85e2-1dc504d07c59",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2021-04-01T04:56:28.526696Z",
"updatedAt": "2021-04-01T04:56:28.526696Z",
"service": "gcp",
"category": "cloud",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "gcpConn",
"products": [
"CCKM"
],
"cloud_name": "gcp",
"client_email": "test@some-project.iam.gserviceaccount.com",
"private_key_id": "y437c51g956b8ab4908yb41541262a2fa3b0f84f"
}
]
}
Testing an Existing Google Connection
To test an existing Google connection, run:
Syntax
ksctl connectionmgmt gcp test --id <Connection-Name/ID> --key-file <Key-File-Path>
Example Request
ksctl connectionmgmt gcp test --id 047bcdcb-5bbe-4de8-85e2-1dc504d07c59
Example Response
{
"connection_ok": true
}
Testing a New Google Connection
To test a new Google connection, run:
Syntax
ksctl connectionmgmt gcp test --key-file <Key-File-Path>
Example Request
ksctl connectionmgmt gcp test --key-file gcp.json
Example Response
{
"connection_ok": true
}
Service Account Key Rotation
Rotating service account keys can help reduce the risk posed by leaked or stolen keys. To rotate the service account keys, perform the following steps:
On Google
Identify the service account key that needs to be rotated.
Create a new key for the same service account handling the connection between CipherTrust Manager and Google.
At this stage, the Google cloud contains two keys: the new and the old one.
On the CipherTrust Manager
Replace the existing (old) service account key with the new key in the Google connection. To do so, either upload the new Key File in the GUI or use ksctl to modify the key-file parameter value. Test the connection; the state of the connection should be "Ready".
On Google
Disable the replaced key.
After disabling the key, verify that CCKM works as expected.
Delete the service account key that was replaced.
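The rotation procedure above, scripted end to end in the order the steps are given, as an added example; it is not Thales or Google code. It assumes gcloud is authenticated in the project that owns the service account, ksctl is already configured against the CipherTrust Manager, the connection exists, and the key file is the flat JSON that gcloud writes. The function name rotate_gcp_key and its arguments are this example's own. The old key is disabled and the connection re-tested before the key is deleted, so a failure at any step leaves a key that can still be re-enabled with gcloud iam service-accounts keys enable.

```shell
#!/bin/sh
# Added example, not Thales or Google code: rotate the service account key behind a
# CipherTrust Manager Google connection, following the rotation steps above in order.
# Assumes: gcloud is authenticated in the project that owns the service account,
# ksctl is configured against the CipherTrust Manager, the connection already exists,
# and the key file is the flat JSON that gcloud writes. Function and argument names
# are this example's own.
set -eu

# private_key_id from a key file (the JSON is one field per line, so sed is enough).
key_id_from_file() {
    sed -n 's/.*"private_key_id": *"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# private_key_id that CipherTrust Manager reports for the connection.
key_id_from_ksctl() {
    ksctl connectionmgmt gcp get --id "$1" | sed -n 's/.*"private_key_id": *"\([^"]*\)".*/\1/p'
}

# Return 0 only if the connection test reports connection_ok: true.
connection_ok() {
    ksctl connectionmgmt gcp test --id "$1" | grep -q '"connection_ok": *true'
}

# rotate_gcp_key <connection name or id> <service account email> <path for new key file>
# Prints the new key id on success. Stops, leaving the old key enabled, on any failure.
rotate_gcp_key() {
    conn_id=$1
    sa_email=$2
    new_key_file=$3

    old_key_id=$(key_id_from_ksctl "$conn_id")
    [ -n "$old_key_id" ] || { echo "cannot read the current key id of $conn_id" >&2; return 1; }

    # On Google: create a new key for the same service account (two keys now exist).
    gcloud iam service-accounts keys create "$new_key_file" --iam-account="$sa_email"
    chmod 600 "$new_key_file"
    new_key_id=$(key_id_from_file "$new_key_file")
    [ -n "$new_key_id" ] && [ "$new_key_id" != "$old_key_id" ] \
        || { echo "new key file has no distinct private_key_id" >&2; return 1; }

    # On CipherTrust Manager: replace the key, then test the connection.
    ksctl connectionmgmt gcp modify --id "$conn_id" --key-file "$new_key_file" >/dev/null
    connection_ok "$conn_id" \
        || { echo "connection test failed after uploading the new key; old key left enabled" >&2; return 1; }
    [ "$(key_id_from_ksctl "$conn_id")" = "$new_key_id" ] \
        || { echo "CipherTrust Manager still reports the old key id" >&2; return 1; }

    # On Google: disable the replaced key, re-test, and only then delete it.
    gcloud iam service-accounts keys disable "$old_key_id" --iam-account="$sa_email"
    connection_ok "$conn_id" \
        || { echo "connection failed with $old_key_id disabled; re-enable it and investigate" >&2; return 1; }
    gcloud iam service-accounts keys delete "$old_key_id" --iam-account="$sa_email" --quiet
    echo "$new_key_id"
}

# Usage: sh rotate.sh gcpConn test@some-project.iam.gserviceaccount.com gcp-new.json
if [ $# -eq 3 ]; then
    rotate_gcp_key "$@"
fi
```

The check that CipherTrust Manager reports the new private_key_id after the modify call is what guarantees the disable step cannot cut off a connection that is still using the old key; the second connection test after disabling covers the case where some other consumer of the key, or a stale copy, was still in play.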