
GCP Connection

Learn how to configure a GCP Connection for Hanzo KMS.

Hanzo KMS supports service account impersonation to connect with your GCP projects.

Using the GCP integration on a self-hosted instance of Hanzo KMS requires configuring a service account on GCP and configuring your instance to use it.

Enable the IAM Service Account Credentials API for the project containing the service account that will be impersonated. You can do this from the Google Cloud Console or via the command line.

To enable it from the command line, run the following command, replacing projectId with your GCP project ID:

gcloud services enable iamcredentials.googleapis.com --project=projectId

Verify the API is enabled by running:

gcloud services list --enabled --project=projectId | grep iamcredentials

Create a new service account that will be used to impersonate other GCP service accounts for your app connections.

Press "DONE" after creating the service account.

Download the JSON key file for your service account. This key will be used to authenticate your instance with GCP.

  1. Copy the entire contents of the downloaded JSON key file.
  2. Set it as a string value for the INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL environment variable.
  3. Restart your Hanzo KMS instance to apply the changes.
  4. You can now use the GCP integration with service account impersonation.

Configure Service Account for Hanzo KMS


Create a new service account with an ID that follows this requirement:

Your service account ID must end with the first two sections of your Hanzo KMS organization ID.

Example:

  • Hanzo KMS organization ID: df92581a-0fe9-42b5-b526-0a1e88ec8085
  • Required service account ID suffix: df92581a-0fe9

Add the required permissions for secret syncs by assigning the appropriate roles to the service account.

After configuring the appropriate roles, press "DONE".

To enable service account impersonation, you'll need to grant the Service Account Token Creator role to the Hanzo KMS instance's service account. This configuration allows Hanzo KMS to securely impersonate the new service account.

  • Navigate to the IAM & Admin > Service Accounts section in your Google Cloud Console
  • Select the newly created service account
  • Click on the "PERMISSIONS" tab
  • Click "Grant Access", add the Hanzo KMS instance's service account (the one created above for self-hosted instances) as a new principal, and assign it the Service Account Token Creator role

If you're using Hanzo KMS Cloud US, use the following service account: kms-us@kms-us.iam.gserviceaccount.com

If you're using Hanzo KMS Cloud EU, use the following service account: kms-eu@kms-eu.iam.gserviceaccount.com
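The two requirements above, the service account ID suffix rule and the Service Account Token Creator binding, as a POSIX shell helper. This is an added example and not part of the Hanzo KMS documentation; the project name example-project and the hanzo-kms- prefix are constructed, and the script prints the gcloud commands rather than executing them.

```shell
#!/bin/sh
# Added example (not from the Hanzo KMS docs). The organization ID is the one
# quoted on the page; the project and service account prefix are constructed.

# Required suffix = first two dash-separated sections of the organization ID.
required_suffix() {
  printf '%s' "$1" | cut -d- -f1,2
}

# Return 0 if the candidate ID ends with the required suffix and also meets
# GCP's own service account ID rules (6-30 chars, lowercase letters, digits
# and dashes, starting with a letter); return 1 otherwise.
check_sa_id() {
  sa_id=$1
  org_id=$2
  suffix=$(required_suffix "$org_id")
  case "$sa_id" in
    *"$suffix") ;;
    *) return 1 ;;
  esac
  printf '%s' "$sa_id" | grep -Eq '^[a-z][a-z0-9-]{5,29}$'
}

# Print (do not run) the binding that lets the impersonating principal mint
# tokens for the target service account, followed by a verification query.
grant_token_creator_cmd() {
  target_sa_email=$1   # service account created for the connection
  impersonator=$2      # e.g. kms-us@kms-us.iam.gserviceaccount.com for Cloud US
  printf 'gcloud iam service-accounts add-iam-policy-binding %s --member=serviceAccount:%s --role=roles/iam.serviceAccountTokenCreator\n' \
    "$target_sa_email" "$impersonator"
  printf 'gcloud iam service-accounts get-iam-policy %s --format=json\n' "$target_sa_email"
}

# Demo: derive a compliant ID from the page's organization ID, then emit the
# commands for a Hanzo KMS Cloud US deployment.
ORG_ID=df92581a-0fe9-42b5-b526-0a1e88ec8085
PROJECT=example-project          # constructed placeholder
SA_ID="hanzo-kms-$(required_suffix "$ORG_ID")"
if check_sa_id "$SA_ID" "$ORG_ID"; then
  grant_token_creator_cmd "$SA_ID@$PROJECT.iam.gserviceaccount.com" kms-us@kms-us.iam.gserviceaccount.com
else
  echo "service account ID $SA_ID does not satisfy the suffix requirement" >&2
fi
```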

Set up a GCP Connection in Hanzo KMS

Navigate to the Integrations tab in the desired project, then select App Connections.

Select the GCP Connection option from the connection options modal.

Select the Service Account Impersonation method and click Connect to GCP.

Your GCP Connection is now available for use.
