Configure Entrust KeyControl as GCP KMS

Create an Entrust KeyControl CSP account for the GCP service account

The following steps establish the connection between Entrust KeyControl and GCP, making Entrust KeyControl the CSP of the GCP service account.

  1. Sign in to the Entrust KeyControl Vault using the URL bookmarked in [create-keycontrol-vault].

  2. Select the CLOUDKEYS icon on the toolbar.

  3. Select the CSP Accounts tab.

  4. Select the Action icon and then Add CSP Account from the drop-down menu that appears.

    The Add CSP Account dialog appears.

  5. In the Details tab, enter the Name and Description.

  6. From the Admin Group drop-down menu box, select Cloud Admin Group.

  7. From the Type drop-down menu box, select GCP.

  8. In the Service Account Key File (.json) field, select the file downloaded to your computer in [create-key-for-service-account].

  9. Select Continue.

  10. In the Schedule tab, select Never.

  11. Select Apply.

    The new CSP account is created.

Verify the connection between Entrust KeyControl and GCP

The key created in [create-key-for-service-account] was rotated automatically after the CSP account was created. The key in the downloaded file is no longer valid. Verify the new key as follows.

  1. Select the CSP account that you created in Create an Entrust KeyControl CSP account for the GCP service account.

  2. Scroll down until you see Service Account Key ID. Note the value.

  3. Open a browser and sign in to the GCP portal https://console.cloud.google.com.

  4. Select IAM & Admin on the Welcome screen.

  5. Select Service Accounts in the left-hand pane.

  6. Select your service account and then select the KEYS tab.

  7. Check that the key is the same as the Service Account Key ID in Entrust KeyControl.

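The same comparison can be scripted. The following is an added example, not part of the Entrust documentation: it assumes the service account's key list was exported with `gcloud iam service-accounts keys list --iam-account=<service-account-email> --format=json`, and it checks that the Service Account Key ID shown in Entrust KeyControl is an active user-managed key and that the key from the downloaded file is no longer active. The function names and all sample values are hypothetical and constructed for illustration.

```python
import json

def key_id(resource_name: str) -> str:
    """The key ID is the last path segment of the key's resource name."""
    return resource_name.rsplit("/", 1)[-1]

def check_rotation(downloaded_key_file: str, gcp_keys_json: str,
                   keycontrol_key_id: str) -> list:
    """Return a list of findings; an empty list means the rotation is verified.

    downloaded_key_file: contents of the original service account .json file
    gcp_keys_json:       JSON output of the gcloud key listing (assumed input)
    keycontrol_key_id:   Service Account Key ID noted in Entrust KeyControl
    """
    old_id = json.loads(downloaded_key_file)["private_key_id"]
    # Only user-managed keys are relevant; GCP also lists system-managed keys.
    user_keys = {key_id(k["name"]): k for k in json.loads(gcp_keys_json)
                 if k.get("keyType") == "USER_MANAGED"}
    wanted = keycontrol_key_id.strip().lower()
    findings = []
    if wanted not in user_keys:
        findings.append("KeyControl key ID is not a user-managed key in GCP")
    elif user_keys[wanted].get("disabled"):
        findings.append("KeyControl key ID is present in GCP but disabled")
    if old_id in user_keys and not user_keys[old_id].get("disabled"):
        findings.append("key from the downloaded file is still active in GCP")
    return findings

# Constructed sample inputs (not real keys, accounts, or projects).
OLD_ID = "a" * 40   # private_key_id in the downloaded file
NEW_ID = "b" * 40   # Service Account Key ID shown in KeyControl
PREFIX = ("projects/example-project/serviceAccounts/"
          "kc-sa@example-project.iam.gserviceaccount.com/keys/")
SAMPLE_KEY_FILE = json.dumps({"type": "service_account",
                              "private_key_id": OLD_ID})
SAMPLE_GCP_KEYS = json.dumps([
    {"name": PREFIX + NEW_ID, "keyType": "USER_MANAGED"},
    {"name": PREFIX + "c" * 40, "keyType": "SYSTEM_MANAGED"},
])

if __name__ == "__main__":
    result = check_rotation(SAMPLE_KEY_FILE, SAMPLE_GCP_KEYS, NEW_ID)
    print(result or "rotation verified")
```

If the key from the downloaded file is reported as still active, remove the local copy of the file only after confirming in GCP that the key has been deleted or disabled.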