Using a customer managed CMK to encrypt volumes

GKE on AWS uses the AWS Key Management Service (KMS) to encrypt EBS volumes. GKE on AWS 1.7 and higher supports encrypting volumes with customer managed Customer Master Keys (CMKs). GKE on AWS versions 1.6.x and lower support AWS Managed Customer Master Keys only.

This topic describes how to set up customer managed CMK to encrypt volumes. If you don't set up customer managed CMK, GKE on AWS uses AWS managed CMKs by default.

Overview

The following GKE on AWS components support customer managed CMK encrypted volumes:

  • Bastion host root volume
  • Management service root volumes
  • Management service etcd data volumes
  • User cluster control plane root volumes
  • User cluster control plane etcd data volumes
  • User cluster node root volumes

You specify keys in your management service, cluster, and node pool configuration.

Prerequisites

To use customer managed CMK for GKE on AWS root volumes, you need the following:

Create a key policy

Your AWS KMS keys must have a key policy that allows GKE on AWS to create and read volumes encrypted with a customer managed CMK. An example policy is provided in step 2. To create the policy, perform the following steps:

  1. From your anthos-aws directory, use terraform to get the ID of your management service.

    cd anthos-aws
    terraform output cluster_id

    The output includes your management service ID. In the example below, the ID is gke-12345abc.

    terraform output cluster_id
    gke-12345abc

  2. Create an AWS KMS key policy with the following contents:

    {
        "Version": "2012-10-17",
        "Id": "key-consolepolicy-3",
        "Statement": [
            {
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::ACCOUNT_NUMBER:root"
                },
                "Action": "kms:*",
                "Resource": "*"
            },
            {
                "Sid": "Allow creating encrypted EBS volumes for EC2 use",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::ACCOUNT_NUMBER:role/CLUSTER_ID-management",
                        "arn:aws:iam::ACCOUNT_NUMBER:user/AWS_USER",
                        "arn:aws:iam::ACCOUNT_NUMBER:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
                    ]
                },
                "Action": [
                    "kms:GenerateDataKeyWithoutPlaintext",
                    "kms:Decrypt"
                ],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "kms:CallerAccount": "ACCOUNT_NUMBER",
                        "kms:ViaService": "ec2.AWS_REGION.amazonaws.com"
                    }
                }
            },
            {
                "Sid": "Allow attaching encrypted EBS volumes for EC2 Use",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::ACCOUNT_NUMBER:role/CLUSTER_ID-management",
                        "arn:aws:iam::ACCOUNT_NUMBER:role/CLUSTER_ID-controlplane",
                        "arn:aws:iam::ACCOUNT_NUMBER:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
                    ]
                },
                "Action": [
                    "kms:CreateGrant",
                    "kms:ListGrants",
                    "kms:RevokeGrant"
                ],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "kms:CallerAccount": "ACCOUNT_NUMBER",
                        "kms:ViaService": "ec2.AWS_REGION.amazonaws.com"
                    }
                }
            }
        ]
    }
    

    Replace the following:

    • ACCOUNT_NUMBER: your 12-digit AWS account number, for example 123456789012.
    • CLUSTER_ID: your GKE on AWS management service ID from the previous step, for example gke-12345abc. The management and control plane IAM role names are built from this ID (CLUSTER_ID-management and CLUSTER_ID-controlplane).
    • AWS_USER: your AWS IAM user name.
    • AWS_REGION: the AWS region where your GKE on AWS clusters run, for example us-east-1.

    Note that the first statement ("Enable IAM User Permissions") grants kms:* to the account root, which is the standard AWS default that delegates key access to IAM policies in your account. Only the two EBS statements are scoped by the kms:CallerAccount and kms:ViaService conditions, so review the IAM policies in the account as carefully as the key policy itself.
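The following script is an added example and is not part of the original page or of the GKE on AWS tooling. It renders the key policy above with the placeholders filled in, and audits a policy document for the properties a reviewer would check before attaching it to a key: every EBS statement is pinned to your account and to the regional EC2 endpoint through kms:ViaService, the management role can create data keys, the control plane role can manage grants, and no principal other than the account root gets kms:*. The role name patterns and the service endpoint are taken from the policy on this page; the function names, the audit rules and the placeholder values are this example's own.

```python
"""Build and audit the GKE on AWS customer managed CMK key policy.

Added example, not code from the original page. The role names
(CLUSTER_ID-management, CLUSTER_ID-controlplane) and the ViaService endpoint
follow the policy shown on the page; the audit rules below are this script's
own assumptions about what a well-scoped key policy looks like.
"""
import json

EBS_CREATE_ACTIONS = {"kms:GenerateDataKeyWithoutPlaintext", "kms:Decrypt"}
EBS_GRANT_ACTIONS = {"kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"}
AUTOSCALING_ROLE = ("role/aws-service-role/autoscaling.amazonaws.com/"
                    "AWSServiceRoleForAutoScaling")


def build_key_policy(account, cluster_id, aws_user, region):
    """Return the page's key policy as a dict with the placeholders filled in."""
    def arn(suffix):
        return f"arn:aws:iam::{account}:{suffix}"

    via_ec2 = {"StringEquals": {"kms:CallerAccount": account,
                                "kms:ViaService": f"ec2.{region}.amazonaws.com"}}
    return {
        "Version": "2012-10-17",
        "Id": "key-consolepolicy-3",
        "Statement": [
            {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
             "Principal": {"AWS": arn("root")}, "Action": "kms:*", "Resource": "*"},
            {"Sid": "Allow creating encrypted EBS volumes for EC2 use", "Effect": "Allow",
             "Principal": {"AWS": [arn(f"role/{cluster_id}-management"),
                                   arn(f"user/{aws_user}"), arn(AUTOSCALING_ROLE)]},
             "Action": sorted(EBS_CREATE_ACTIONS), "Resource": "*", "Condition": via_ec2},
            {"Sid": "Allow attaching encrypted EBS volumes for EC2 Use", "Effect": "Allow",
             "Principal": {"AWS": [arn(f"role/{cluster_id}-management"),
                                   arn(f"role/{cluster_id}-controlplane"), arn(AUTOSCALING_ROLE)]},
             "Action": sorted(EBS_GRANT_ACTIONS), "Resource": "*", "Condition": via_ec2},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_key_policy(policy, account, cluster_id, region):
    """Return a list of findings; an empty list means the policy looks right."""
    findings = []
    root = f"arn:aws:iam::{account}:root"
    want_ec2 = f"ec2.{region}.amazonaws.com"
    mgmt = f"arn:aws:iam::{account}:role/{cluster_id}-management"
    controlplane = f"arn:aws:iam::{account}:role/{cluster_id}-controlplane"
    mgmt_actions, cp_actions = set(), set()
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principals = _as_list(st.get("Principal", {}).get("AWS", []))
        actions = set(_as_list(st.get("Action", [])))
        if principals == [root]:
            continue  # account delegation statement; IAM policies govern it
        if "kms:*" in actions or "*" in actions:
            findings.append(f"{sid}: grants kms:* to a non-root principal")
        cond = st.get("Condition", {}).get("StringEquals", {})
        if cond.get("kms:CallerAccount") != account:
            findings.append(f"{sid}: missing kms:CallerAccount={account} condition")
        if cond.get("kms:ViaService") != want_ec2:
            findings.append(f"{sid}: kms:ViaService is not {want_ec2}")
        for principal in principals:
            if not principal.startswith(f"arn:aws:iam::{account}:"):
                findings.append(f"{sid}: principal from another account: {principal}")
        if mgmt in principals:
            mgmt_actions |= actions
        if controlplane in principals:
            cp_actions |= actions
    if not EBS_CREATE_ACTIONS <= mgmt_actions:
        findings.append(f"{mgmt} cannot create data keys for EBS")
    if not EBS_GRANT_ACTIONS <= cp_actions:
        findings.append(f"{controlplane} cannot manage grants for EBS")
    return findings


if __name__ == "__main__":
    # Placeholder values; replace with your own account, cluster ID, user and region.
    policy = build_key_policy("123456789012", "gke-12345abc", "alice", "us-east-1")
    print(json.dumps(policy, indent=4))
    print("findings:", audit_key_policy(policy, "123456789012", "gke-12345abc", "us-east-1"))
```

Run the audit against the policy you actually attached (for example the output of `aws kms get-key-policy --key-id KEY_ID --policy-name default`) with the same account, cluster ID and region you will pass to GKE on AWS; a region mismatch in kms:ViaService is the most common reason volume creation fails with an access denied error from KMS.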

Configuring resources to use a customer managed CMK

This section explains how to configure customer managed CMK for GKE on AWS components. Before upgrading existing components, see Using CMK with existing clusters.

Bastion host and management service

You configure a customer managed CMK for your bastion host root volume, management service root volume, and management service etcd data volumes in your anthos-gke.yaml before setting up the management service. For more information, see Integrating existing infrastructure and the AWSManagementService reference.

User cluster control plane volumes

You configure a customer managed CMK for your user cluster control plane and etcd data volumes in your AWSCluster definition. For more information, see Creating a custom user cluster.

User cluster node root volumes

You configure a customer managed CMK on user cluster node root volumes in your AWSNodePool definition. For more information, see Creating a custom user cluster.

Using CMK with existing clusters

You can add customer managed CMK configuration to the following existing components:

  • Bastion host root volume
  • Management service root volumes
  • User cluster control plane root volumes
  • User cluster node root volumes

GKE on AWS recreates these volumes after an upgrade or configuration change. The management service and user cluster control plane etcd data volumes are not in this list, so configure their keys when you first create the management service or user cluster. To add customer managed CMK configuration to existing components, follow the instructions in Upgrading GKE on AWS. When you modify your resource configuration, modify the following fields:

Resource               Field
AWSManagementService   spec.rootVolume and spec.bastionHost.rootVolume
AWSCluster             spec.controlPlane.rootVolume
AWSNodePool            spec.rootVolume

When you complete the upgrade, GKE on AWS creates new resources with the customer managed CMK volumes attached.
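Whether you set the key in a new AWSManagementService, AWSCluster or AWSNodePool definition or added it to an existing one, the volumes themselves are the ground truth. The following script is an added example, not code from the original page or from GKE on AWS: it lists the cluster's EBS volumes from the EC2 side and reports any that are unencrypted or still encrypted with a different key (for example the AWS managed key used before the change). The DescribeVolumes sample response is constructed for this example, and filtering on a Name tag prefix is an assumption; adjust the filter to however your volumes are tagged.

```python
"""Verify that cluster EBS volumes are encrypted with the expected customer managed CMK.

Added example, not part of the original page. The pure check runs offline on a
constructed DescribeVolumes response; check_cluster_volumes() performs the real
query and needs boto3 plus AWS credentials.
"""


def volumes_missing_cmk(volumes, expected_key_arn):
    """Return (volume_id, reason) for each volume not encrypted with expected_key_arn.

    `volumes` is the "Volumes" list from an EC2 DescribeVolumes response.
    """
    problems = []
    for vol in volumes:
        vid = vol["VolumeId"]
        if not vol.get("Encrypted"):
            problems.append((vid, "not encrypted"))
        elif vol.get("KmsKeyId") != expected_key_arn:
            problems.append((vid, f"encrypted with {vol.get('KmsKeyId')}"))
    return problems


def check_cluster_volumes(cluster_id, expected_key_arn, region, name_prefix=None):
    """Query EC2 for the cluster's volumes and return the findings list.

    Assumption: volumes carry a Name tag starting with the cluster ID (or the
    given prefix). Change the filter if your tagging differs.
    """
    import boto3  # imported here so volumes_missing_cmk() works without boto3 installed
    ec2 = boto3.client("ec2", region_name=region)
    filters = [{"Name": "tag:Name", "Values": [f"{name_prefix or cluster_id}*"]}]
    volumes = []
    for page in ec2.get_paginator("describe_volumes").paginate(Filters=filters):
        volumes.extend(page["Volumes"])
    return volumes_missing_cmk(volumes, expected_key_arn)


# Constructed sample data: the shape follows DescribeVolumes, the values are made up.
EXPECTED_KEY = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
PREVIOUS_KEY = "arn:aws:kms:us-east-1:123456789012:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0a1", "Encrypted": True, "KmsKeyId": EXPECTED_KEY, "State": "in-use",
     "Tags": [{"Key": "Name", "Value": "gke-12345abc-management"}]},
    {"VolumeId": "vol-0b2", "Encrypted": True, "KmsKeyId": PREVIOUS_KEY, "State": "in-use",
     "Tags": [{"Key": "Name", "Value": "gke-12345abc-controlplane-0"}]},
    {"VolumeId": "vol-0c3", "Encrypted": False, "State": "in-use",
     "Tags": [{"Key": "Name", "Value": "gke-12345abc-nodepool-1"}]},
]


if __name__ == "__main__":
    for volume_id, reason in volumes_missing_cmk(SAMPLE_VOLUMES, EXPECTED_KEY):
        print(f"{volume_id}: {reason}")
```

Run `check_cluster_volumes("gke-12345abc", "arn:aws:kms:...:key/...", "us-east-1")` after the upgrade completes and expect an empty list; a volume that still reports the previous key is one that was not recreated, which is the case for the etcd data volumes of components that existed before the key was configured.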

What's next