|
6 | 6 | .. step:: Toggle the button next to :guilabel:`Encryption at Rest using your Key Management` to :guilabel:`On`. |
7 | 7 |
|
8 | 8 | .. step:: Select :guilabel:`Google Cloud KMS`. |
| 9 | + |
| 10 | + .. step:: Enter your :guilabel:`Service Account Key`. |
9 | 11 |
|
10 | | - .. step:: Enter the :guilabel:`Key Version Resource ID`. |
| 12 | + Your :guilabel:`Service Account Key` should be formatted as a JSON |
| 13 | + object. It contains the encryption credentials for your GCP service |
| 14 | + account. |
11 | 15 |
|
12 | | - Enter the key version resource ID for the Google Cloud KMS key |
13 | | - that you want to use to encrypt your data at rest. |
| 16 | + .. step:: Enter the :guilabel:`Key Version Resource ID`. |
14 | 17 |
|
15 | 18 | Your key version resource ID is the fully-qualified resource name |
16 | 19 | for a `CryptoKeyVersion |
17 | 20 | <https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions#CryptoKeyVersion>`__. |
18 | 21 |
|
19 | | - .. step:: Select or create an Atlas GCP service account. |
20 | | - |
21 | | - To grant access in a secure manner, |service| uses |
22 | | - a `service account <https://cloud.google.com/iam/docs/service-account-impersonation>`__ |
23 | | - specific to your |service| project to authenticate to GCP. |
24 | | - You can then assign policies to the service |
25 | | - account to control access to your project's resources. |
26 | | - |
27 | | - .. note:: |
28 | | - |
29 | | - If you previously configured encryption at rest with a static key |
30 | | - and are now migrating to a service account-based authentication, |
31 | | - note that this migration is strictly one-way. |service| does not |
32 | | - support reverting back to the static key authentication method. |
33 | | - |
34 | | - If you prefer to manually specify a service account key, |
35 | | - you can toggle :guilabel:`Enter key` to :guilabel:`On`. |
36 | | - Then, enter your key formatted as a JSON object with the |
37 | | - encryption credentials for your GCP service account in the text box. |
38 | | - |
39 | | - If you have an existing |service| GCP service account with the |
40 | | - required permissions already configured, select it from the |
41 | | - :guilabel:`Connect Service Account` dropdown menu. Otherwise, |
42 | | - complete the following steps: |
43 | | - |
44 | | - .. tabs:: |
45 | | - |
46 | | - .. tab:: First-time Setup |
47 | | - :tabid: first-time-setup |
48 | | - |
49 | | - If you have not yet set up a service account for your |service| project: |
50 | | - |
51 | | - a. Click :guilabel:`Authorize a new service account`. |
52 | | - The :guilabel:`Encrypt Data with GCP KMS` dialog box appears. |
53 | | - |
54 | | - #. Click the :guilabel:`Set Up` button to create your GCP resources. |
55 | | - |service| provisions the GCP `folder <https://cloud.google.com/resource-manager/docs/creating-managing-folders>`__ |
56 | | - and creates the service account. The folder is required in order to |
57 | | - create service accounts. |
58 | | - |
59 | | - #. Select the |service| service account from the dropdown menu |
60 | | - or :ref:`create a new one <create-org-api-key>`. |
61 | | - |
62 | | - #. Run the :gcp:`gcloud </sdk/docs/install>` commands |
63 | | - that appear to grant the service account the following |
64 | | - required permissions: |
65 | | - |
66 | | - - :guilabel:`Enable Encrypt/Decrypt operations` |
67 | | - |
68 | | - .. code-block:: sh |
69 | | - :copyable: false |
70 | | -
|
71 | | - gcloud kms keys add-iam-policy-binding \ |
72 | | - <key-name> \ |
73 | | - --location <location> \ |
74 | | - --keyring <keyring-name> \ |
75 | | - --member <ATLAS_OWNED_SERVICE_ACCOUNT_EMAIL> \ |
76 | | - --role="roles/cloudkms.cryptoKeyEncrypterDecrypter" |
77 | | -
|
78 | | - - :guilabel:`Enable GetPublicKey operations` |
79 | | - |
80 | | - .. code-block:: sh |
81 | | - :copyable: false |
82 | | -
|
83 | | - gcloud kms keys add-iam-policy-binding \ |
84 | | - <key-name> \ |
85 | | - --location <location> \ |
86 | | - --keyring <keyring-name> \ |
87 | | - --member <ATLAS_OWNED_SERVICE_ACCOUNT_EMAIL> \ |
88 | | - --role="roles/cloudkms.viewer" |
89 | | -
|
90 | | - #. Click :guilabel:`Validate & Finish` to confirm. |
91 | | - |
92 | | - .. tab:: Existing Service Account |
93 | | - :tabid: existing-service-account |
94 | | - |
95 | | - If you have an existing service account for your |service| project: |
96 | | - |
97 | | - a. Click :guilabel:`Authorize a new service account`. |
98 | | - The :guilabel:`Encrypt Data with GCP KMS` dialog box appears. |
99 | | - |
100 | | - #. Select your existing |
101 | | - |service| service account from the dropdown menu |
102 | | - or :ref:`create a new one <create-org-api-key>`. |
103 | | - |
104 | | - #. Run the :gcp:`gcloud </sdk/docs/install>` commands |
105 | | - that appear to grant the service account the following |
106 | | - required permissions: |
107 | | - |
108 | | - - :guilabel:`Enable Encrypt/Decrypt operations` |
109 | | - |
110 | | - .. code-block:: sh |
111 | | - :copyable: false |
112 | | -
|
113 | | - gcloud kms keys add-iam-policy-binding \ |
114 | | - <key-name> \ |
115 | | - --location <location> \ |
116 | | - --keyring <keyring-name> \ |
117 | | - --member <ATLAS_OWNED_SERVICE_ACCOUNT_EMAIL> \ |
118 | | - --role="roles/cloudkms.cryptoKeyEncrypterDecrypter" |
119 | | -
|
120 | | - - :guilabel:`Enable GetPublicKey operations` |
121 | | - |
122 | | - .. code-block:: sh |
123 | | - :copyable: false |
124 | | -
|
125 | | - gcloud kms keys add-iam-policy-binding \ |
126 | | - <key-name> \ |
127 | | - --location <location> \ |
128 | | - --keyring <keyring-name> \ |
129 | | - --member <ATLAS_OWNED_SERVICE_ACCOUNT_EMAIL> \ |
130 | | - --role="roles/cloudkms.viewer" |
131 | | -
|
132 | | - #. Click :guilabel:`Validate & Finish` to confirm. |
133 | | - |
134 | | - .. step:: Click :guilabel:`Done`. |
| 22 | + .. step:: Click :guilabel:`Save`. |
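Review bot: the new :guilabel:`Service Account Key` step (new lines 10-14) drops the IAM guidance that the removed block carried. The deleted `gcloud kms keys add-iam-policy-binding` commands (old lines 71-76 and 83-88) told readers that the service account needs `roles/cloudkms.cryptoKeyEncrypterDecrypter` and `roles/cloudkms.viewer` on the key, and nothing in the added text says which roles the account behind the pasted JSON key must hold, so readers lose the least-privilege guidance that was on the page. Suggest adding one sentence after "account." on new line 14, for example: "The service account must hold the `roles/cloudkms.cryptoKeyEncrypterDecrypter` and `roles/cloudkms.viewer` roles on the key you reference in the next step." The note on old lines 27-32 stating that migrating from a static key to service account authentication is one-way is also removed; if that restriction still applies to projects that already migrated, keep it so those readers know they cannot revert by pasting a JSON key. Finally, the re-added :guilabel:`Key Version Resource ID` step (new line 16) no longer carries the deleted lead sentence from old lines 12-13 ("Enter the key version resource ID for the Google Cloud KMS key that you want to use to encrypt your data at rest."), leaving only the CryptoKeyVersion link as context; consider restoring it.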