A guide for preparing AWS and GCP KMS authentication files.

AWS

1. Create a user to prepare the AWS authentication file.

  • Route : AWS Console > IAM Menu > Users > Create user

 

2. Generate an access key.

  • Route : Users detail menu > Security credentials > Create access key

 

 

3. After creating the access key, download the CSV file.

  • CSV files can only be downloaded once when creating an access key.

 

4. Set the permissions required to use the KMS functions.

  • Route : Users detail menu > Permissions > Create inline policy

 

5. Select KMS and add the permissions below manually to complete permission settings.

  • kms:CreateKey
  • kms:CreateAlias
  • kms:DescribeKey
  • kms:ListAliases
  • kms:GetPublicKey
  • kms:Sign

GCP

1. Create a role to prepare the GCP authentication file.

  • Route : GCP Console > IAM & Admin menu > Roles > Create role

 

2. Complete the role creation by adding the following permissions required to use the KMS functions.

  • cloudkms.cryptoKeys.create
  • cloudkms.cryptoKeys.get
  • cloudkms.cryptoKeyVersions.get
  • cloudkms.cryptoKeyVersions.useToSign
  • cloudkms.cryptoKeyVersions.viewPublicKe

 

3. Create a service account.

  • Route : IAM & Admin menu > Service Accounts > Create service account

 

4. Complete the settings for granting access to the service account.

  • Route : Create service account > Grant access permission > select the role you created above > complete

 

5. Create a keyring (category) to organize multiple keys and control access.

  • Route : Security > Key Management > Create key ring
    • Name and protection level : HSM
    • Purpose and algorithm : Asymmetric sign, Elliptic Curve secp256k1 – SHA256 Digest

 

6. Go to the service account details page and create the authentication file in JSON format.

  • Route : IAM & Admin menu > Service Accounts > Service Accounts detail info > Keys > Add Key  > Create new key