A Google Cloud KMS Wallet is a wallet securely stored in your Google Cloud account. Engine can create and transact with the wallet, but not delete it.

• Enable Google KMS API for your GCP account.

• Create a Service Account.

• Navigate to the IAM page. Find the service account and select Edit Principal to add the following roles:

  • Cloud KMS Admin
  • Cloud KMS CryptoKey Signer/Verifier

• Navigate to the Service Accounts page. Select the above service account.

• Navigate to the Keys tab. Select Add Key > Create new key.

• Select JSON to download the JSON file. This file contains the key's private key in plaintext.

• In the dashboard, navigate to Configuration > Server Wallets.

• Select Google KMS and provide the following:

  gcpApplicationProjectId

  This is the Project ID of the GCP project where the key was created.

  Where to find:

  • Navigate to the Google Cloud Console.
  • Click on the project dropdown at the top of the page.
  • The Project ID is displayed under your project's name.

  gcpKmsLocationId

  This is the location where the keyring was created (e.g., us-central1, europe-west1).

  Where to find:

  • In the Google Cloud Console, go to Security > Cryptographic Keys.
  • Click on the keyring that contains your key.
  • The location is displayed in the Location field.

  gcpKmsKeyRingId

  This is the ID of the keyring where your key is stored.

  Where to find:

  • In the Google Cloud Console, go to Security > Cryptographic Keys.
  • Select the keyring that contains your key.
  • The KeyRing ID is displayed in the list or the URL.

  gcpApplicationCredentialEmail

  This is the email associated with the service account used for accessing the KMS key.

  Where to find:

  • In the Google Cloud Console, go to IAM & Admin > Service Accounts.
  • Find the service account you are using. its email will be in the format: [email protected]

  gcpApplicationCredentialPrivateKey

  This is the private key of the service account that is used for authenticating API requests.

  Where to find:

  • Open the JSON file downloaded above.
  • Copy the value of the private_key field.

• Ensure your keyring is created with the following settings:
  • Purpose: Asymmetric sign
  • Algorithm: Elliptic Curve P-256 - SHA256 Digest
• In the dashboard, navigate to Overview > Server Wallets.
• Select Import and provide the following:
  • GCP KMS Key ID (example: 0489da75-9830-4a5a-97e3-e4a6df7775b3)
  • GCP KMS Version ID (example: 1)