aws-kms-index
Portworx can integrate with AWS KMS to generate and use KMS Datakeys. This document will show you how to spin up a Portworx cluster which is connected to an AWS KMS endpoint. The data keys created in KMS can be used to encrypt Portworx volumes.
Configuring AWS KMS with Portworx
There are multiple ways in which you can setup Portworx so that it gets authenticated with AWS.
Following are the authentication details required by Portworx to use the AWS KMS service:
-
AWS Access Key [AWS_ACCESS_KEY_ID] [required]
AWS Access Key ID of the account which has permissions to access KMS APIs
-
AWS Secret Key [AWS_SECRET_ACCESS_KEY] [required]
AWS Secret Access Key of the account which has permissions to access KMS APIs
-
AWS Secret Token Key [AWS_SECRET_TOKEN_KEY] [optional]
AWS Secret Token Key (if configured) of the account which has permissions to access KMS APIs
-
AWS KMS key [AWS_CMK] [required]
AWS KMS key. The CMK can be found out from AWS's resource ARN. Here is an example ARN for CMK:
arn:aws:kms:us-east-1::key/<cmk-id>
It specifies that the ARN is for the
kms
service forus-east-1
region. The trailing ID at the end of ARN is the actual CMK that needs to be provided to Portworx through theAWS_CMK
field. -
AWS Region of the CMK [AWS_REGION] [required]
The AWS region to which the CMK is associated to. CMKs are region specific and cannot be used across regions.
Using AWS environment variables
Portworx can authenticate with AWS using AWS SDK’s EnvProvider.
Each of the above fields can be provided as is to Portworx as environment variables.
Using AWS EC2 Role Credentials
Portworx can authenticate with AWS using AWS SDK’s EC2RoleCredentials Provider. Follow these instructions to create an EC2 role. Make sure you provide the following access to KMS in your policy associated with EC2 role.
Here is a sample AWS Policy that gives access to KMS:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1490047200000",
"Effect": "Allow",
"Action": [
"kms:*"
],
"Resource": [
"arn:aws:kms:us-east-1:<aws-id>:key/<key-id>"
]
}
]
}
Apply EC2 role to all the AWS instances where Portworx will be running.
Along with the EC2 role you will still need to provide AWS_CMK
and AWS_REGION
either through config.json
or as environment variables. To provide them through config.json
, add the following section to the config.json
on all the nodes
cat /etc/pwx/config.json
{
"clusterid": "<cluster-id>",
"secret": {
"secret_type": "aws-kms",
"aws": {
"AWS_CMK": "your-aws-kms-key-id",
"AWS_REGION": "you-aws-region-to-which-this-cmk-belongs"
},
}
...
}
Using AWS KMS with Portworx
To use AWS KMS with Portworx, proceed to one of the below sections.