docs: clarify BYOK KMS is decrypt-only and identity may not be in dashboard #3065

Open
jwhartley wants to merge 2 commits into master from docs/byok-kms-decrypt-identity

Conversation

@jwhartley

Contributor

What

Three clarifications to the secret-encryption section of concepts/flowctl:

  1. Decrypt-only. The data plane identity needs decrypt access on your KMS key, not encrypt. On GCP KMS that is roles/cloudkms.cryptoKeyDecrypter. Estuary only decrypts at connector run time and never encrypts with your key.
  2. Auto-encryption uses Estuary's key. flowctl 0.5.18+ and the dashboard auto-encrypt plain-text configs with Estuary's managed key, not a bring-your-own key. To use your own key you must encrypt manually before publishing, otherwise your key is never exercised.
  3. Cross-cloud identity not in dashboard. When the KMS provider differs from the data plane's cloud (for example a GCP KMS key with an AWS data plane), the GCP service account to grant is not surfaced under Admin > Settings > Data Planes. Added a note to contact support.

Why

A customer asked whether the data plane service account needs Encrypt/Decrypt on their GCP KMS key. The page said to grant "access to decrypt" but never stated decrypt-only, did not warn that auto-encryption bypasses bring-your-own keys, and pointed at a dashboard panel that does not display the cross-cloud identity.

Verified against the source:

  • The config-encryption service sends config + schema with no keychain and falls back to its single default key, so plain-text publishes use Estuary's key (crates/config-encryption, crates/flowctl/src/draft/encrypt.rs).
  • Data plane provisioning grants roles/cloudkms.cryptoKeyDecrypter to the data plane service account (est-dry-dock).

…dashboard

Two clarifications to the secret-encryption section of the flowctl concept page:

- The data plane identity needs decrypt access only (roles/cloudkms.cryptoKeyDecrypter
  on GCP KMS), not encrypt. Estuary only decrypts configs at connector run time.
- Auto-encryption (flowctl and the dashboard) uses Estuary's managed key, so using
  your own key requires encrypting the config manually before publishing.
- For cross-cloud KMS (for example a GCP KMS key with an AWS data plane), the
  identity to grant is not surfaced in the dashboard; contact Estuary support for it.
github-actions Bot commented Jun 20, 2026

🚀 Preview deployed to https://docs.estuary.dev/pr-preview/pr-3065/

📄 Changed pages:

The grant mechanism differs by provider, so the decrypt-only note now covers all
three: GCP IAM role binding (cryptoKeyDecrypter), AWS key-policy statement
(kms:Decrypt), and Azure Key Vault access policy. Each data plane carries an
identity for all three clouds, so the cross-cloud case is stated explicitly.
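The decrypt-only grant the PR description and this follow-up commit describe can be checked mechanically. The script below is an added example, not code from the PR or from Estuary: it audits a data plane identity against the three grant mechanisms named above (a GCP KMS IAM role binding, an AWS KMS key-policy statement, an Azure Key Vault access policy) and reports anything beyond decrypt. The identities, policy documents and the tolerance of `kms:DescribeKey` are constructed assumptions.

```python
"""Least-privilege audit for a bring-your-own KMS key grant.

Added example, not code from the PR or from Estuary. Checks that a data plane
identity holds decrypt permission only, for a GCP KMS IAM binding, an AWS KMS
key policy and an Azure Key Vault access policy. All identities and policy
documents below are constructed placeholders.
"""
import json

# GCP: the only role the data plane identity should hold on the key.
GCP_DECRYPT_ROLE = "roles/cloudkms.cryptoKeyDecrypter"
# AWS: the only KMS action needed. Tolerating read-only kms:DescribeKey is an
# assumption of this example, not something the PR states.
AWS_DECRYPT_ACTIONS = {"kms:Decrypt"}
AWS_TOLERATED_ACTIONS = {"kms:DescribeKey"}
# Azure Key Vault: the key permission equivalent to decrypt-only.
AZURE_DECRYPT_PERMS = {"decrypt"}


def audit_gcp(iam_policy, member):
    """Findings for `member` on a GCP KMS key IAM policy; [] means decrypt-only.
    Any other role is reported, including cryptoKeyEncrypterDecrypter."""
    roles = {b["role"] for b in iam_policy.get("bindings", [])
             if member in b.get("members", [])}
    findings = []
    if GCP_DECRYPT_ROLE not in roles:
        findings.append(f"{member} lacks {GCP_DECRYPT_ROLE}")
    for role in sorted(roles - {GCP_DECRYPT_ROLE}):
        findings.append(f"{member} holds extra role {role}")
    return findings


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def audit_aws(key_policy, principal_arn):
    """Findings for `principal_arn` on an AWS KMS key policy; [] means decrypt-only.
    Collects actions from Allow statements naming the principal (or "*");
    wildcards such as kms:* surface as extra actions."""
    allowed = set()
    for stmt in key_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        if principal_arn in principals or "*" in principals:
            allowed.update(_as_list(stmt.get("Action")))
    findings = []
    if not allowed & AWS_DECRYPT_ACTIONS:
        findings.append(f"{principal_arn} lacks kms:Decrypt")
    for action in sorted(allowed - AWS_DECRYPT_ACTIONS - AWS_TOLERATED_ACTIONS):
        findings.append(f"{principal_arn} allowed extra action {action}")
    return findings


def audit_azure(vault_properties, object_id):
    """Findings for `object_id` in a Key Vault accessPolicies list; [] means decrypt-only."""
    perms = set()
    for policy in vault_properties.get("accessPolicies", []):
        if policy.get("objectId") == object_id:
            perms.update(policy.get("permissions", {}).get("keys", []))
    findings = []
    if not perms & AZURE_DECRYPT_PERMS:
        findings.append(f"{object_id} lacks key permission decrypt")
    for perm in sorted(perms - AZURE_DECRYPT_PERMS):
        findings.append(f"{object_id} holds extra key permission {perm}")
    return findings


# --- constructed samples: a decrypt-only grant and an over-broad grant per provider ---
GCP_SA = "serviceAccount:data-plane@example-project.iam.gserviceaccount.com"
GCP_GOOD = {"bindings": [{"role": GCP_DECRYPT_ROLE, "members": [GCP_SA]}]}
GCP_BROAD = {"bindings": [{"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
                           "members": [GCP_SA]}]}
AWS_ROLE = "arn:aws:iam::123456789012:role/example-data-plane"
AWS_GOOD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": AWS_ROLE}, "Action": "kms:Decrypt", "Resource": "*"}]}
AWS_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": [AWS_ROLE]},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}]}
AZURE_OID = "00000000-0000-0000-0000-000000000000"
AZURE_GOOD = {"accessPolicies": [{"objectId": AZURE_OID, "permissions": {"keys": ["decrypt"]}}]}
AZURE_BROAD = {"accessPolicies": [{"objectId": AZURE_OID,
                                   "permissions": {"keys": ["encrypt", "decrypt", "unwrapKey"]}}]}


def audit_all():
    """Run every sample: *_good grants come back empty, *_broad ones list the extras."""
    return {
        "gcp_good": audit_gcp(GCP_GOOD, GCP_SA), "gcp_broad": audit_gcp(GCP_BROAD, GCP_SA),
        "aws_good": audit_aws(AWS_GOOD, AWS_ROLE), "aws_broad": audit_aws(AWS_BROAD, AWS_ROLE),
        "azure_good": audit_azure(AZURE_GOOD, AZURE_OID),
        "azure_broad": audit_azure(AZURE_BROAD, AZURE_OID),
    }


if __name__ == "__main__":
    print(json.dumps(audit_all(), indent=2))
```

Feed the real policy documents (`gcloud kms keys get-iam-policy`, `aws kms get-key-policy`, the vault's `accessPolicies` property) into the three functions with the identity you granted; an empty list confirms the grant is decrypt-only, and the combined GCP encrypter/decrypter role or an AWS `kms:Encrypt` statement shows up as an extra to remove.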
Labels: docs (Documentation work required)