docs: clarify BYOK KMS is decrypt-only and identity may not be in dashboard#3065
Open
jwhartley wants to merge 2 commits into
Conversation
…dashboard

Two clarifications to the secret-encryption section of the flowctl concept page:

- The data plane identity needs decrypt access only (roles/cloudkms.cryptoKeyDecrypter on GCP KMS), not encrypt. Estuary only decrypts configs at connector run time.
- Auto-encryption (flowctl and the dashboard) uses Estuary's managed key, so using your own key requires encrypting the config manually before publishing.
- For cross-cloud KMS (for example a GCP KMS key with an AWS data plane), the identity to grant is not surfaced in the dashboard; contact Estuary support for it.
🚀 Preview deployed to https://docs.estuary.dev/pr-preview/pr-3065/ 📄 Changed pages:
The grant mechanism differs by provider, so the decrypt-only note now covers all three: GCP IAM role binding (cryptoKeyDecrypter), AWS key-policy statement (kms:Decrypt), and Azure Key Vault access policy. Each data plane carries an identity for all three clouds, so the cross-cloud case is stated explicitly.
What

Three clarifications to the secret-encryption section of `concepts/flowctl`:

- `roles/cloudkms.cryptoKeyDecrypter`. Estuary only decrypts at connector run time and never encrypts with your key.
- `flowctl` 0.5.18+ and the dashboard auto-encrypt plain-text configs with Estuary's managed key, not a bring-your-own key. To use your own key you must encrypt manually before publishing, otherwise your key is never exercised.

Why
A customer asked whether the data plane service account needs Encrypt/Decrypt on their GCP KMS key. The page said to grant "access to decrypt" but never stated decrypt-only, did not warn that auto-encryption bypasses bring-your-own keys, and pointed at a dashboard panel that does not display the cross-cloud identity.
Verified against the source:
- `config+schema` with no keychain and falls back to its single default key, so plain-text publishes use Estuary's key (`crates/config-encryption`, `crates/flowctl/src/draft/encrypt.rs`).
- `roles/cloudkms.cryptoKeyDecrypter` to the data plane service account (`est-dry-dock`).
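The decrypt-only grant this PR documents, turned into a least-privilege check as an added example (not Estuary's code): it audits a Cloud KMS IAM policy and an AWS KMS key policy for anything beyond decrypt granted to the data-plane identity, expanding IAM action wildcards so an over-grant hidden behind `kms:*` or `kms:Re*` is caught. The identities and policy documents are constructed placeholders; Azure access policies are not covered.

```python
"""Least-privilege check for a BYOK KMS key: does the data-plane identity hold
anything beyond decrypt?  Added example, not Estuary code; identities and policy
documents are constructed placeholders."""
import fnmatch
GCP_DECRYPT_ONLY_ROLE = "roles/cloudkms.cryptoKeyDecrypter"   # the role the docs name
AWS_DECRYPT_ONLY = {"kms:Decrypt", "kms:DescribeKey"}           # decrypt plus harmless describe
# Known KMS actions, used to expand IAM wildcards such as kms:* or kms:Re*.
AWS_KMS_ACTIONS = ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey",
                   "kms:ReEncryptFrom", "kms:ReEncryptTo", "kms:DescribeKey",
                   "kms:ScheduleKeyDeletion", "kms:PutKeyPolicy"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def gcp_excess_roles(iam_policy: dict, member: str) -> set:
    """Roles bound to `member` on a Cloud KMS key other than the decrypt-only role."""
    return {b["role"] for b in iam_policy.get("bindings", [])
            if member in b.get("members", []) and b["role"] != GCP_DECRYPT_ONLY_ROLE}

def aws_excess_actions(key_policy: dict, principal_arn: str) -> set:
    """KMS actions that Allow statements grant `principal_arn` beyond decrypt-only."""
    excess = set()
    for stmt in key_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})  # "*" or {"AWS": arn | [arns]}
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if principal_arn not in principals and "*" not in principals:
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            matched = {a for a in AWS_KMS_ACTIONS if fnmatch.fnmatchcase(a, pattern)}
            excess |= matched - AWS_DECRYPT_ONLY
    return excess

# Constructed samples: each grants decrypt correctly, then over-grants once.
DATA_PLANE_SA = "serviceAccount:DATA-PLANE-SA@EXAMPLE.iam.gserviceaccount.com"
GCP_POLICY = {"bindings": [
    {"role": GCP_DECRYPT_ONLY_ROLE, "members": [DATA_PLANE_SA]},
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter", "members": [DATA_PLANE_SA]}]}
DATA_PLANE_ARN = "arn:aws:iam::111111111111:role/DATA-PLANE-ROLE"
AWS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": DATA_PLANE_ARN},
     "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": [DATA_PLANE_ARN]},
     "Action": "kms:Re*", "Resource": "*"}]}  # wildcard quietly adds re-encrypt

if __name__ == "__main__":
    print("GCP excess roles:", sorted(gcp_excess_roles(GCP_POLICY, DATA_PLANE_SA)))
    print("AWS excess actions:", sorted(aws_excess_actions(AWS_POLICY, DATA_PLANE_ARN)))
```

An empty result for both checks is what a correctly scoped BYOK grant should produce; anything returned is a role or action the data plane does not need for decrypt-at-run-time.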