GCP Cloud KMS
This guide covers how to configure Scalr's Bring Your Own Key feature using a Google Cloud KMS key.
Requirements
Before configuring BYOK, create a symmetric KMS key in Google Cloud with the following settings:
| Setting | Required Value |
|---|---|
| Location | global |
| Purpose | Symmetric encrypt/decrypt |
| Algorithm | Google Symmetric Encryption (AES-256-GCM) |
| Protection level | HSM or Software |
Scalr requires the key to be in the global location to minimise latency for KMS API calls.
Use the full key resource name without a version suffix (/cryptoKeyVersions/...):
projects/{PROJECT_ID}/locations/global/keyRings/{KEY_RING}/cryptoKeys/{KEY_NAME}
Service Account Key
Complete the following steps to add a service account key in Scalr to enable encryption.
GCP Steps
Create a service account
In the Google Cloud console, go to IAM & Admin > Service Accounts and create or select a service account. Grant it the Cloud KMS CryptoKey Encrypter/Decrypter role on your KMS key:
```shell
gcloud kms keys add-iam-policy-binding {KEY_NAME} \
  --project={PROJECT_ID} \
  --location=global \
  --keyring={KEY_RING} \
  --member="serviceAccount:{SA_EMAIL}" \
  --role="roles/cloudkms.cryptoKeyEncrypterDecrypter"
```
Create and download a JSON key
- In IAM & Admin > Service Accounts, click on your service account.
- Go to the Keys tab and click Add Key > Create new key.
- Select JSON format and download the file.
See the GCP documentation for full steps on creating service account keys.
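The following pre-flight script is an added example, not part of the Scalr documentation or of Scalr's or Google's tooling. It checks the two things the Requirements table and the GCP steps above ask for before you paste anything into Scalr: that the key resource name is a global key without a version suffix, and (with an authenticated gcloud) that the key is a Google Symmetric Encryption key and that the service account holds the Encrypter/Decrypter role on that key rather than on the whole project. The function names, the `SAMPLE_SA_KEY_JSON` fixture (a constructed service-account key with a placeholder private key) and the `--flatten`/`--filter` idiom used to list role members are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not Scalr's or Google's code): pre-flight checks for a
# Cloud KMS key and service account before entering them in Scalr's BYOK form.
# Names such as check_kms_key_live and SAMPLE_SA_KEY_JSON are this example's own.

# Pure-shell check of the key resource name Scalr expects:
#   projects/{PROJECT_ID}/locations/global/keyRings/{KEY_RING}/cryptoKeys/{KEY_NAME}
# Returns non-zero for a non-global location or a /cryptoKeyVersions/ suffix.
validate_kms_key_name() {
    case "$1" in
        */cryptoKeyVersions/*) return 1 ;;   # a key version, not the key itself
    esac
    printf '%s\n' "$1" |
        grep -Eq '^projects/[^/]+/locations/global/keyRings/[^/]+/cryptoKeys/[^/]+$'
}

# Split a valid key name into "project<TAB>keyring<TAB>key" for gcloud flags.
kms_key_parts() {
    printf '%s\n' "$1" | awk -F/ '{ printf "%s\t%s\t%s\n", $2, $6, $8 }'
}

# Extract client_email from a downloaded service-account JSON key (no jq needed).
sa_email_from_key_json() {
    printf '%s\n' "$1" | sed -n 's/.*"client_email": *"\([^"]*\)".*/\1/p'
}

# Sanity-check the JSON key file contents before pasting them into Scalr:
# it must be a service_account credential that names a client_email.
validate_sa_key_json() {
    printf '%s\n' "$1" | grep -q '"type": *"service_account"' || return 1
    [ -n "$(sa_email_from_key_json "$1")" ]
}

# Live check (requires an authenticated gcloud): confirms the key's purpose and
# algorithm match the Requirements table, and that the service account holds
# roles/cloudkms.cryptoKeyEncrypterDecrypter on this key specifically.
check_kms_key_live() {
    key_name="$1"
    sa_email="$2"
    validate_kms_key_name "$key_name" || { echo "bad key resource name: $key_name" >&2; return 1; }
    set -- $(kms_key_parts "$key_name")        # $1=project $2=keyring $3=key
    desc=$(gcloud kms keys describe "$3" --project="$1" --location=global \
               --keyring="$2" --format=json) || return 1
    printf '%s\n' "$desc" | grep -q '"purpose": *"ENCRYPT_DECRYPT"' \
        || { echo "key purpose is not symmetric encrypt/decrypt" >&2; return 1; }
    printf '%s\n' "$desc" | grep -q '"algorithm": *"GOOGLE_SYMMETRIC_ENCRYPTION"' \
        || { echo "key algorithm is not Google Symmetric Encryption" >&2; return 1; }
    # List the members bound to the Encrypter/Decrypter role on the key itself.
    gcloud kms keys get-iam-policy "$3" --project="$1" --location=global --keyring="$2" \
        --flatten='bindings[].members' \
        --filter='bindings.role=roles/cloudkms.cryptoKeyEncrypterDecrypter' \
        --format='value(bindings.members)' |
        grep -qx "serviceAccount:$sa_email" \
        || { echo "$sa_email lacks cryptoKeyEncrypterDecrypter on the key" >&2; return 1; }
    echo "ok: $key_name usable by $sa_email"
}

# Constructed sample of a service-account JSON key (placeholder private key).
SAMPLE_SA_KEY_JSON='{
  "type": "service_account",
  "project_id": "my-proj",
  "private_key_id": "PLACEHOLDER_KEY_ID",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
  "client_email": "scalr-byok@my-proj.iam.gserviceaccount.com"
}'

# Usage of the live check (not run here; needs gcloud and a real key.json):
#   check_kms_key_live "projects/my-proj/locations/global/keyRings/scalr-ring/cryptoKeys/scalr-byok" \
#                      "$(sa_email_from_key_json "$(cat key.json)")"
```

Granting the role through `add-iam-policy-binding` on the key, as the command above does, and then verifying it with `get-iam-policy` on the same key keeps the service account scoped to that one key; a project-level grant would also pass a naive "can it encrypt" test, which is why the check inspects the key's own policy.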
Scalr Steps
In Scalr, go to Account Settings > Security > Encryption, click Enable, select GCP Cloud KMS, and choose Service Account Key:
- KMS key: full key resource name
- Credentials type: Service Account Key
- Service account JSON: paste or upload the JSON key file contents
