Install on GKE (import test)

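# Provision the GCP resources for a Vault server on GKE whose auto-unseal key is
# imported into Cloud KMS instead of being generated there: enable APIs, create
# the Vault service account, create an import-only key and an import job, import
# the key material, bind IAM on the key, then create the cluster.
# Assumes gcloud is already authenticated against the target project.
set -euo pipefail

# Shared names; every command below refers to these instead of repeating literals.
# The original notes created "import-job" but described and imported against
# "import-job2" -- a single name is used throughout here.
readonly project=import-326514
readonly location=us-east1
readonly keyring=import-test
readonly key=import-key
readonly import_job=import-job
readonly sa_name=vault-server
readonly sa_email="${sa_name}@${project}.iam.gserviceaccount.com"
# Unwrapped key material to import (--target-key-file; gcloud is expected to wrap
# it against the import job before upload -- confirm). Remove this file once the
# import has succeeded; it is the raw unseal key.
readonly key_file=/home/den/test.bin

gcloud services enable \
  cloudapis.googleapis.com \
  cloudkms.googleapis.com \
  cloudresourcemanager.googleapis.com \
  cloudshell.googleapis.com \
  container.googleapis.com \
  containerregistry.googleapis.com \
  iam.googleapis.com

gcloud iam service-accounts create "$sa_name" \
  --display-name "vault service account"

gcloud kms keyrings create "$keyring" \
  --location "$location"

# Import-only key with no initial version: its first version comes from the import below.
gcloud kms keys create "$key" \
  --location "$location" \
  --keyring "$keyring" \
  --purpose encryption \
  --skip-initial-version-creation \
  --import-only

# Import job the key material is wrapped against.
gcloud kms import-jobs create "$import_job" \
  --location "$location" \
  --keyring "$keyring" \
  --import-method rsa-oaep-3072-sha1-aes-256 \
  --protection-level software

# Print the job state before importing so a job that is not yet usable is visible.
gcloud kms import-jobs describe "$import_job" \
  --location "$location" \
  --keyring "$keyring" \
  --format="value(state)"

# Import the key material; it becomes version 1 of the key.
gcloud kms keys versions import \
  --import-job "$import_job" \
  --location "$location" \
  --keyring "$keyring" \
  --key "$key" \
  --algorithm google-symmetric-encryption \
  --target-key-file "$key_file"

gcloud kms keys versions list \
  --keyring "$keyring" \
  --location "$location" \
  --key "$key"

# Make the imported version primary explicitly, as the original notes did.
gcloud kms keys set-primary-version "$key" \
  --version 1 \
  --keyring "$keyring" \
  --location "$location"

# add-iam-policy-binding takes one --role per invocation; the original passed
# --role twice on one call, so at most one of the two bindings could take effect.
# Bind each role in its own call.
# NOTE(review): roles/cloudkms.admin lets this service account manage the key
# itself, far more than the encrypt/decrypt the unseal path needs; drop it unless
# the workload really administers the key.
for role in roles/cloudkms.admin roles/cloudkms.cryptoKeyEncrypterDecrypter; do
  gcloud kms keys add-iam-policy-binding "$key" \
    --location "$location" \
    --keyring "$keyring" \
    --member "serviceAccount:${sa_email}" \
    --role "$role" \
    --project "$project"
done

# Nodes run as the Vault service account with the cloud-platform scope, so every
# pod scheduled on them can reach the KMS bindings above through the metadata
# server; Workload Identity would confine that identity to the Vault pod.
gcloud container clusters create vault \
  --cluster-version 1.19 \
  --enable-autorepair \
  --enable-autoupgrade \
  --enable-ip-alias \
  --machine-type n1-standard-1 \
  --node-version 1.19 \
  --num-nodes 1 \
  --region "$location" \
  --scopes cloud-platform \
  --service-account "$sa_email"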

Recovery Key 1: 6i0u5wYvVymunqEM8tp0wEQ63qE6lHspmHrueFdv+dfE
Recovery Key 2: La59N73DxEZcb2UStumRG4u9KSmieiyTTE2klqAcjmwL
Recovery Key 3: Ou9G8DE0LcQ0ZU9NH+yY7AF9tCieL/TAXGhZMK0WvxD+
Recovery Key 4: HLnWrCdV2oOmbPQEjnmEwY8E+DPBcfLr5kdR4aW64x+0
Recovery Key 5: DpSCi+fa2/rmhFYVGFAMhEQ/4IzrV2J43holzbY5J7tC

Initial Root Token: s.U2keOIOlFttwTjv9U5LDeMxY


# Root token from the init output above, exported for the vault CLI calls that follow.
# The literal is recorded in shell history and inherited by every child process.
VAULT_TOKEN=s.U2keOIOlFttwTjv9U5LDeMxY
export VAULT_TOKEN


Error unsealing: Error making API request.

URL: PUT https://127.0.0.1:8200/v1/sys/unseal
Code: 500. Errors:
* failed to decrypt encrypted stored keys: failed to decrypt envelope: rpc error: code = InvalidArgument desc = Decryption failed: verify that 'name' refers to the correct CryptoKey.
