Google Cloud KMS

Remote signing with Google Cloud KMS is supported by Document Rails.

At the moment, only authentication using service account keys is supported.

Configuring the vault

Remote key configuration requires the following information:

  • key_ring_id - Key ring identifier.

  • crypto_key_id - Key identifier.

  • crypto_key_version - Key version.

  • location - Key location.

  • signature_algorithm - Signature algorithm identifier.

Supported signature algorithm identifiers:

Description   | Identifier
ECDSA (P-256) | EC_SIGN_P256_SHA256

Examples

import { createKey, GoogleCloudAuthenticationType, KeyType } from "@vaultie/document-rails";

const response = await createKey(
    client,
    accessToken,
    organizationId,
    {
        key: {
            type: KeyType.GoogleCloudKMS,
            // The fields below (other than type) mirror the service account's JSON key file.
            authentication: {
                type: GoogleCloudAuthenticationType.ServiceAccountKey,
                project_id: "...",
                private_key_id: "...",
                private_key: "...",
                client_email: "...",
                client_id: "...",
                auth_uri: "https://accounts.google.com/o/oauth2/auth",
                token_uri: "https://oauth2.googleapis.com/token",
                auth_provider_x509_cert_url: "https://www.googleapis.com/oauth2/v1/certs",
                client_x509_cert_url: "...",
                universe_domain: "googleapis.com"
            },
            key_ring_id: "testing",
            crypto_key_id: "testing-ecdsa",
            crypto_key_version: 1,
            location: "...",
            signature_algorithm: "EC_SIGN_P256_SHA256"
        },
    }
);
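
The example above inlines the service account credentials. The following added example (not part of Document Rails or its documentation) builds the same fields from the contents of a service account JSON key file and validates them before they are passed to createKey, so the private key stays out of source code. buildKmsKeyFields and SAMPLE_KEY_FILE are hypothetical names, and requiring every field shown in the example above is an assumption of this sketch.

```javascript
// Added example (not Document Rails code). Field names are the ones in the
// page's createKey example; buildKmsKeyFields is a hypothetical helper.
const SA_FIELDS = [
  "project_id", "private_key_id", "private_key", "client_email", "client_id",
  "auth_uri", "token_uri", "auth_provider_x509_cert_url",
  "client_x509_cert_url", "universe_domain",
];
const SUPPORTED_ALGORITHMS = ["EC_SIGN_P256_SHA256"]; // the only identifier the page lists

function buildKmsKeyFields(serviceAccountJson, kms) {
  const sa = JSON.parse(serviceAccountJson);
  // Google service account key files carry type "service_account".
  if (sa.type !== "service_account") {
    throw new Error("not a service account key file");
  }
  // Report missing fields by name only; never echo values such as private_key.
  const missing = SA_FIELDS.filter((f) => typeof sa[f] !== "string" || sa[f] === "");
  if (missing.length > 0) {
    throw new Error("service account key is missing: " + missing.join(", "));
  }
  for (const f of ["key_ring_id", "crypto_key_id", "location"]) {
    if (typeof kms[f] !== "string" || kms[f] === "") {
      throw new Error("missing KMS setting: " + f);
    }
  }
  if (!Number.isInteger(kms.crypto_key_version) || kms.crypto_key_version < 1) {
    throw new Error("crypto_key_version must be a positive integer");
  }
  if (!SUPPORTED_ALGORITHMS.includes(kms.signature_algorithm)) {
    throw new Error("unsupported signature_algorithm: " + kms.signature_algorithm);
  }
  // Copy only the expected fields so nothing else from the file is sent along.
  const authentication = Object.fromEntries(SA_FIELDS.map((f) => [f, sa[f]]));
  return {
    authentication,
    key_ring_id: kms.key_ring_id,
    crypto_key_id: kms.crypto_key_id,
    crypto_key_version: kms.crypto_key_version,
    location: kms.location,
    signature_algorithm: kms.signature_algorithm,
  };
}

// Constructed sample input; every value is a placeholder, not a real credential.
const SAMPLE_KEY_FILE = JSON.stringify({
  type: "service_account",
  ...Object.fromEntries(SA_FIELDS.map((f) => [f, "placeholder-" + f])),
});
```

The caller still sets type: KeyType.GoogleCloudKMS on the key and type: GoogleCloudAuthenticationType.ServiceAccountKey inside authentication, as in the example above, and reads the key file from a secret store or a path outside the repository.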