CMEK GCP (#398)

neo4j · Jul 31, 2024 · 20a6b0c · 20a6b0c · fiquick · Aug 1, 2024
1 parent 4e2aadf
commit 20a6b0c
Showing 1 changed file with 36 additions and 3 deletions.
diff --git a/modules/ROOT/pages/platform/security/encryption.adoc b/modules/ROOT/pages/platform/security/encryption.adoc
@@ -70,10 +70,10 @@ If there is no valid CMK for the destination region and product, the Neo4j Manag
 
 === Create an AWS key
 
-. Create a key in the AWS KMS ensuring the region matches your Aura database instance.
+. Create a key in the AWS KMS making sure the region matches your Aura database instance.
 Copy the generated ARN.
 You need it in the next step.
-. Go to *security settings* in the Aura Console, create a *Customer Managed Key* and copy the JSON code that is generated in the Aura Console when you add a key.
+. Go to *security settings* in the Aura Console, add a *Customer Managed Key* and copy the JSON code that is generated in the Aura Console when you add a key.
 . In the AWS KMS, edit the key policy to include the JSON code.
 
 === Edit the AWS key policy
@@ -145,4 +145,37 @@ For more information about the Azure CLI, see link:https://learn.microsoft.com/e
 . In the *Role* tab, select *Key Vault Crypto Officer*.
 . In the *Member* tab, select *User, group, or service principal*.
 . *Select members* and paste the *Neo4j CMK Application name* that is displayed in the Aura Console. 
-. The *Neo4j CMK Application* should appear, select this application then *Review + Assign*.
+. The *Neo4j CMK Application* should appear, select this application then *Review + Assign*.
+
+== GCP keys
+
+=== Create a key ring
+
+. Go to *Key Management* in the Google Cloud console.
+. Create a *key ring*.
+. The key ring *Location type* should be set to *Region.*
+. Make sure the region matches your Aura database instance region. 
+. Select *Create* and you will automatically be taken to the key creation page. 
+
+=== Create a key
+
+. Create a key in the Google Console. 
+You can use default settings for the options, but we recommend you select a key rotation period. 
+. Select *Create* and you will be brought back to the key ring, with your key listed. 
+. Click *More* (three dots) and *Copy resource name*, you need it in the next step. 
+For more information, see link:https://cloud.google.com/kms/docs/getting-resource-ids[Google Cloud docs]
+. Go to *security settings* in the Aura Console and add a *Customer Managed Key*. 
+Paste the *resource name* into the *Encryption Key Resource Name* field.
+. After you select *Add Key* in the Aura Console, three *service accounts* are displayed in the Aura Console. 
+You will need these in the next steps.
+
+=== Grant key permissions
+
+. Go to the Google Cloud console, click into the key and go to *Permissions* then *Grant Access* 
+. In *Add principals* paste the three service accounts from the Aura Console.
+. In *Assign roles* assign both *Cloud KMS CryptoKey Encrypter/Decrypter* and *Cloud KMS Viewer* roles to all three service accounts.
+
+
+
+
+