Google Cloud Platform (GCP)
Google Cloud Platform (GCP) connection to the CipherTrust Manager can be configured using the following:
Managing Google Connections using GUI
- Key File - upload the key file (a JSON file) that you obtained from the GCP console while creating the service account.
- Cloud Name - select Google from the drop-down list.
Click the Test Credentials button to check whether the connection is configured correctly. If the test is successful, the status is OK; otherwise, the status is Fail.
Click Next to move to the Add Products screen of the Add Connection wizard.
Note
Currently, the only product supported for Google connection is Cloud Key Manager.
Note
Service account keys are private keys that let you authenticate as a service account. To rotate a service account key, refer to Service Account Key Rotation.
Managing Google Connections using ksctl
The following operations can be performed:
- Create/Get/Update/Delete a GCP connection
- List all GCP connections
- Test an existing GCP connection
- Test a new GCP connection
Creating a GCP Connection
To create a GCP connection, run:
Syntax
Format of GCP Key File
Example Request
Example Response
Getting Details of a GCP Connection
To get details of a GCP connection, run:
Syntax
Example Request
Example Response
Updating a GCP Connection
To update a GCP connection, run:
Syntax
Example Request
Example Response
Deleting a GCP Connection
To delete a GCP connection, run:
Syntax
Example Request
No response is returned if the GCP connection is deleted successfully.
Getting List of GCP Connections
To list all the GCP connections, run:
Syntax
Example Request
Example Response
Testing an Existing GCP Connection
To test an existing GCP connection, run:
Syntax
Example Request
Example Response
Testing a New GCP Connection
To test a new GCP connection, run:
Syntax
Example Request
Example Response
Service Account Key Rotation
Rotating service account keys can help reduce the risk posed by leaked or stolen keys. To rotate the service account keys, perform the following steps:
On GCP
- Identify the service account key that needs to be rotated.
- Create a new key for the same service account handling the connection between CipherTrust Manager and GCP.
  At this stage, the GCP cloud contains two keys: the new and the old one.
On the CipherTrust Data Security Platform Service
- Replace the existing (old) service account key with the new key in the GCP connection manager. To do so, either go to the GUI and upload the new "Key File" or use ksctl to modify the key-file parameter value.
- Test the connection. The state of the connection should be "Ready".
On GCP
- Disable the replaced key.
  After disabling the key, verify that CCKM works as expected.
- Delete the service account key that was replaced.
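A pre-flight check for the rotation steps above, as an added example that is not part of the product documentation: it compares the old and new key files before the upload and reports which key ID to disable and delete on GCP afterwards. The field names are those of a standard GCP service account key JSON file; the function names and sample values are constructed for illustration.

```python
import json

REQUIRED = ("type", "project_id", "private_key_id", "private_key", "client_email")

def load_key(text):
    """Parse a GCP service account key file and check the fields a connection relies on."""
    key = json.loads(text)
    if not isinstance(key, dict):
        raise ValueError("key file must contain a JSON object")
    missing = [f for f in REQUIRED if not key.get(f)]
    if missing:
        raise ValueError(f"key file is missing fields: {missing}")
    if key["type"] != "service_account":
        raise ValueError(f"not a service account key: type={key['type']!r}")
    return key

def plan_rotation(old_text, new_text):
    """Confirm the new key replaces the old one and say which key ID to retire."""
    old, new = load_key(old_text), load_key(new_text)
    for field in ("client_email", "project_id"):
        if old[field] != new[field]:
            raise ValueError(f"{field} differs: the new key is for another service account")
    if old["private_key_id"] == new["private_key_id"]:
        raise ValueError("both files hold the same key; nothing would be rotated")
    return {
        "service_account": new["client_email"],
        "upload_key_id": new["private_key_id"],  # key file to put into the connection
        "retire_key_id": old["private_key_id"],  # disable, verify, then delete on GCP
    }

def sample_key(key_id, email="cckm-conn@example-project.iam.gserviceaccount.com"):
    # Constructed sample: placeholder values, not a real key.
    return json.dumps({
        "type": "service_account",
        "project_id": "example-project",
        "private_key_id": key_id,
        "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
        "client_email": email,
    })

OLD_KEY = sample_key("1111aaaa")
NEW_KEY = sample_key("2222bbbb")

if __name__ == "__main__":
    print(plan_rotation(OLD_KEY, NEW_KEY))
```

Run it against the two key files before replacing the key in the connection, and keep the reported retire_key_id for the final disable and delete steps.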