Create an AWS KMS key

Overview

GKE on AWS uses customer-managed AWS Key Management Service (KMS) symmetric keys to encrypt:

For production environments, we recommend using different keys for configuration and volume encryption. To further minimize risks if a key is compromised, you can also create different keys for each of the following:

For additional security, you can create an AWS KMS key policy that assigns only the minimum required set of permissions. For more information, see Creating KMS keys with specific permissions.

Create an AWS KMS key

To create a key, run the following command:

aws --region AWS_REGION kms create-key \
    --description "KEY_DESC"

Replace the following:

  • AWS_REGION with the name of your AWS region
  • KEY_DESC with a text description of your key

For each key you create, save the value named KeyMetadata.Arn in the output of this command for later use.

Creating KMS keys with specific permissions

If you create separate keys for different functions, you need to provide a KMS key policy for each key that grants appropriate permissions on that key. If you don't specify a key policy when you create a key, AWS KMS will create a default key policy that gives all principals in the owning account unlimited access to all operations for the key.

When you create a key policy, you must allow an AWS IAM policy access to the key policy. The key policy must also give your account permissions to use IAM policies. Without permission from the key policy, IAM policies that allow permissions have no effect. For more information, see Key policies in AWS KMS.

The following table describes the permissions for each of the AWS IAM roles GKE on AWS uses.

GKE Multi-Cloud API service agent role Control plane role Node pool role AWS Service Role For AutoScaling
Cluster control plane configuration encryption kms:Encrypt kms:Decrypt N/A N/A
Cluster control plane database encryption N/A kms:Encrypt
kms:Decrypt
N/A N/A
Cluster control plane main volume encryption kms:GenerateDataKeyWithoutPlaintext kms:CreateGrant N/A N/A
Cluster control plane root volume encryption N/A N/A N/A See Key policy sections that allow access to the customer managed key
Node pool configuration encryption kms:Encrypt N/A kms:Decrypt N/A
Node pool root volume encryption N/A N/A N/A See Key policy sections that allow access to the customer managed key
Other requirements kms:DescribeKey N/A N/A N/A

What's next