Get key credentials

Tink can authenticate to an external Key Management System (KMS) using credentials:

Google Cloud KMS – Tink requires service accounts credentials; these are a JSON file that can be created and downloaded from the Google Cloud Console.
AWS KMS – Tink requires a credentials file that contains:
- the access key ID in the accessKey property,
- the secret access key in the secretKey property.
HashiCorp Vault – Credentials are service tokens that can be created by the vault token create command.

Once the credentials are available, you can use Tink APIs or Tinkey to generate encrypted keysets.

If you don't supply credentials, Tink attempts to load default credentials. For more information, refer to the documentation for your KMS:

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2023-08-21 UTC.