
GCP IAM

Learn how to dynamically generate GCP service account tokens.

The Hanzo KMS GCP IAM dynamic secret allows you to generate GCP service account tokens on demand based on service account permissions.

GCP service account access tokens cannot be revoked. As such, revoking or regenerating a token does not invalidate the old one; it remains active until it expires.

You must enable the IAM API and the IAM Credentials API in your GCP console as a prerequisite.

Using the GCP integration on a self-hosted instance of Hanzo KMS requires configuring a service account on GCP and configuring your instance to use it.

Service Account API

Service Account IAM Page

Create a new service account that will be used to impersonate other GCP service accounts for your app connections.

Create Service Account Page

Press "DONE" after creating the service account.

Download the JSON key file for your service account. This will be used to authenticate your instance with GCP.

Service Account Credential Page

  1. Copy the entire contents of the downloaded JSON key file.
  2. Set it as a string value for the INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL environment variable.
  3. Restart your Hanzo KMS instance to apply the changes.
  4. You can now use GCP integration with service account impersonation.

Create GCP Service Account

Service Account Page

Create Service Account

When you assign specific roles and permissions to this service account, any tokens generated through Hanzo KMS's dynamic secrets functionality will inherit these exact permissions. This means that applications using these dynamically generated tokens will have the same access capabilities as defined by the service account's role assignments, ensuring proper access control while maintaining the principle of least privilege.

After configuring the appropriate roles, press "DONE".

To enable service account impersonation, you'll need to grant the Service Account Token Creator role to the Hanzo KMS instance's service account. This configuration allows Hanzo KMS to securely impersonate the new service account.

  • Navigate to the IAM & Admin > Service Accounts section in your Google Cloud Console
  • Select the newly created service account
  • Click on the "PERMISSIONS" tab
  • Click "Grant Access" to add a new principal

If you're using Hanzo KMS Cloud US, use the following service account: kms-us@kms-us.iam.gserviceaccount.com

If you're using Hanzo KMS Cloud EU, use the following service account: kms-eu@kms-eu.iam.gserviceaccount.com

If you're self-hosting, follow the "Self-Hosted Instance" guide at the top of the page and then use the service account you created.

Service Account Page

Set up Dynamic Secrets with GCP IAM

Open the Secret Overview dashboard and select the environment in which you would like to add a dynamic secret.

Add Dynamic Secret Button

Dynamic Secret Modal

  • Name by which you want the secret to be referenced
  • Default time-to-live for a generated secret (it is possible to modify this value after a secret is generated)
  • Maximum time-to-live for a generated secret
  • The email tied to the service account created in earlier steps

After submitting the form, you will see a dynamic secret created in the dashboard.

Once you've successfully configured the dynamic secret, you're ready to generate on-demand credentials. To do this, simply click on the 'Generate' button which appears when hovering over the dynamic secret item. Alternatively, you can initiate the creation of a new lease by selecting 'New Lease' from the dynamic secret lease list section.

Dynamic Secret

When generating these secrets, it's important to specify a Time-to-Live (TTL) duration. This will dictate how long the credentials are valid for.

Provision Lease

Ensure that the TTL for the lease falls within the maximum TTL defined when configuring the dynamic secret.

Once you click the Submit button, a new secret lease will be generated and the credentials from it will be shown to you.

Dynamic Secret Lease

Audit or Revoke Leases

Once you have created one or more leases, you will be able to access them by clicking on the respective dynamic secret item on the dashboard.

This will allow you to see the expiration time of the lease or delete a lease before its set time-to-live expires.

Lease Data

Renew Leases

To extend the life of a generated dynamic secret lease past its initial time-to-live, simply click on the Renew button as illustrated below.

Lease Renew

Lease renewals cannot exceed the maximum TTL set when configuring the dynamic secret.
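The TTL, renewal and revocation rules above, together with the impersonation call they drive, as an added example that is not Hanzo KMS's own code: it models a lease against the public IAM Credentials API `generateAccessToken` request (endpoint, role id and body format are GCP's; the renewal rule, the service account email and the timestamps are assumptions constructed for illustration).

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Public GCP identifiers (not Hanzo KMS internals).
TOKEN_CREATOR_ROLE = "roles/iam.serviceAccountTokenCreator"  # granted to the KMS identity
GCP_TOKEN_LIFETIME_CEILING = 3600  # GCP's default per-token ceiling in seconds (org policy can raise it)
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"


@dataclass(frozen=True)
class DynamicSecretConfig:
    service_account_email: str  # the impersonated account entered in the form
    default_ttl: int            # seconds, default time-to-live field
    max_ttl: int                # seconds, maximum time-to-live field


@dataclass(frozen=True)
class Lease:
    created_at: int  # unix seconds
    expires_at: int  # unix seconds; the GCP token minted for the lease expires here too


def resolve_lease_ttl(cfg: DynamicSecretConfig, requested: Optional[int] = None) -> int:
    """A lease TTL must be positive, within the secret's max TTL and within GCP's ceiling."""
    ttl = cfg.default_ttl if requested is None else requested
    if ttl <= 0:
        raise ValueError("TTL must be positive")
    if ttl > cfg.max_ttl:
        raise ValueError(f"TTL {ttl}s exceeds max TTL {cfg.max_ttl}s")
    if ttl > GCP_TOKEN_LIFETIME_CEILING:
        raise ValueError(f"TTL {ttl}s exceeds GCP's {GCP_TOKEN_LIFETIME_CEILING}s token ceiling")
    return ttl


def ttl_allowed(cfg: DynamicSecretConfig, requested: int) -> bool:
    try:
        resolve_lease_ttl(cfg, requested)
        return True
    except ValueError:
        return False


def build_generate_token_request(cfg: DynamicSecretConfig, ttl: int,
                                 scopes: Tuple[str, ...] = (CLOUD_PLATFORM_SCOPE,)) -> Tuple[str, dict]:
    """URL and JSON body of the generateAccessToken call made while impersonating the account."""
    url = ("https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
           f"{cfg.service_account_email}:generateAccessToken")
    return url, {"scope": list(scopes), "lifetime": f"{ttl}s"}  # lifetime is a Duration string


def renew_lease(cfg: DynamicSecretConfig, lease: Lease, extra_ttl: int) -> Lease:
    """Assumed renewal rule: total lifetime since creation never exceeds max TTL.
    A GCP token's expiry is fixed, so a longer lease means minting a fresh token."""
    new_expiry = lease.expires_at + extra_ttl
    if new_expiry > lease.created_at + cfg.max_ttl:
        raise ValueError("renewal would exceed max TTL")
    return Lease(lease.created_at, new_expiry)


def revoke_lease(lease: Lease) -> dict:
    """Revoking removes only the lease record; the GCP token stays usable until expires_at."""
    return {"lease_removed": True, "token_valid_until": lease.expires_at}
```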
