Integrate AWS KMS in Rancher
Portworx can integrate with AWS KMS to generate and use KMS data keys. This document shows you how to spin up a Portworx cluster that is connected to an AWS KMS endpoint. The data keys created in KMS can then be used to encrypt Portworx volumes.
Configuring AWS KMS with Portworx
There are multiple ways in which you can set up Portworx so that it authenticates with AWS.
Portworx requires the following authentication details to use the AWS KMS service:
- AWS Access Key [AWS_ACCESS_KEY_ID] [required]
  AWS Access Key ID of the account that has permissions to access the KMS APIs.
- AWS Secret Key [AWS_SECRET_ACCESS_KEY] [required]
  AWS Secret Access Key of the account that has permissions to access the KMS APIs.
- AWS Secret Token Key [AWS_SECRET_TOKEN_KEY] [optional]
  AWS Secret Token Key (if configured) of the account that has permissions to access the KMS APIs.
- AWS KMS key [AWS_CMK] [required]
  The AWS KMS key. The CMK can be read from the key's AWS resource ARN. Here is an example ARN for a CMK:
  arn:aws:kms:us-east-1::key/<cmk-id>
  It specifies that the ARN is for the `kms` service in the `us-east-1` region. The trailing ID at the end of the ARN is the actual CMK that needs to be provided to Portworx through the `AWS_CMK` field.
- AWS Region of the CMK [AWS_REGION] [required]
  The AWS region the CMK is associated with. CMKs are region specific and cannot be used across regions.
Using AWS environment variables
Portworx can authenticate with AWS using AWS SDK’s EnvProvider.
Each of the above fields can be provided as is to Portworx as environment variables.
Kubernetes users
If you are installing Portworx on Kubernetes, when generating the Portworx Kubernetes spec file on the Portworx Spec Generator page in Portworx Central:
- Pass in all the above variables as is in the Environment Variables section.
- Specify the `Secret Store Type` in the Advanced Settings section as `aws`.
More help on generating the Portworx spec for Kubernetes is available here.
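As an added example (not Portworx code), the following Python helper parses a KMS key ARN of the form shown above, derives `AWS_CMK` and `AWS_REGION` from it, rejects an explicitly supplied region that does not match the key's own region, and renders the variables as a Kubernetes container `env` list for the spec. The function names, the regex, and the sample ARN in the test are assumptions constructed for this example.

```python
import re
from typing import Dict, List, Optional

# Added example, not Portworx code. The regex accepts an empty account field,
# as in the sample ARN above, as well as an ordinary 12-digit account id.
_KMS_KEY_ARN = re.compile(
    r"^arn:aws:kms:(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d):"
    r"(?P<account>\d{12})?:key/(?P<key_id>[0-9a-f-]+)$"
)


def parse_kms_key_arn(arn: str) -> Dict[str, str]:
    """Return the region and CMK id encoded in a KMS key ARN; raise ValueError otherwise."""
    match = _KMS_KEY_ARN.match(arn.strip())
    if not match:
        raise ValueError(f"not a KMS key ARN: {arn!r}")
    return {"region": match.group("region"), "key_id": match.group("key_id")}


def build_portworx_kms_env(
    arn: str,
    access_key_id: str,
    secret_access_key: str,
    session_token: Optional[str] = None,
    region: Optional[str] = None,
) -> Dict[str, str]:
    """Build the AWS_* variables Portworx reads, deriving AWS_CMK and AWS_REGION from the ARN.

    An explicitly passed region must match the ARN: CMKs are region specific, so a
    mismatch is rejected here instead of surfacing later as a failed KMS call.
    """
    parsed = parse_kms_key_arn(arn)
    if region is not None and region != parsed["region"]:
        raise ValueError(f"AWS_REGION {region!r} does not match key region {parsed['region']!r}")
    env = {
        "AWS_ACCESS_KEY_ID": access_key_id,
        "AWS_SECRET_ACCESS_KEY": secret_access_key,
        "AWS_CMK": parsed["key_id"],
        "AWS_REGION": parsed["region"],
    }
    if session_token:  # optional: only set when the credentials are temporary
        env["AWS_SECRET_TOKEN_KEY"] = session_token
    return env


def to_container_env(env: Dict[str, str]) -> List[Dict[str, str]]:
    """Render the variables as a Kubernetes container env list of name/value pairs."""
    return [{"name": name, "value": value} for name, value in sorted(env.items())]
```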