Once you create a key in your external Key Management System (KMS) and get its URI, Tink needs credentials to use your key:
- Google Cloud KMS credentials are service account JSON files that can be created and downloaded from Google Cloud Console.
- AWS KMS credentials are properties files with the AWS access key ID in the `accessKey` property and the AWS secret key in the `secretKey` property.
- HashiCorp Vault credentials are service tokens that can be created with the `vault token create` command. (This is currently only available in Go.)
Once you have the credentials available, you can use Tink APIs or Tinkey to generate encrypted keysets.
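The steps above, carried through the Tink Java API, as an added example that is not part of the original page or of the Tink project's own samples. It assumes Tink Java 1.10 or later (for `TinkJsonProtoKeysetFormat` and `PredefinedAeadParameters`) together with the `tink-gcpkms` and `tink-awskms` integration artifacts; the key URI and credential path are command-line placeholders, and the class name `EncryptedKeysetExample` and the helper names are mine. The KMS client is chosen from the URI scheme, explicit credentials are loaded when a path is given, and otherwise the provider's default credential chain is used:

```java
// Added example (not Tink project code): generate a keyset, encrypt it under a KMS key,
// and read it back. Requires Tink Java >= 1.10 plus the tink-gcpkms and tink-awskms artifacts.
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.KmsClient;
import com.google.crypto.tink.TinkJsonProtoKeysetFormat;
import com.google.crypto.tink.aead.AeadConfig;
import com.google.crypto.tink.aead.PredefinedAeadParameters;
import com.google.crypto.tink.integration.awskms.AwsKmsClient;
import com.google.crypto.tink.integration.gcpkms.GcpKmsClient;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;

public final class EncryptedKeysetExample {

  // Associated data bound to the encrypted keyset; both sides must pass the same bytes.
  private static final byte[] KEYSET_AD = new byte[0];

  // Picks the KMS client from the key URI scheme. With a credential path, the service
  // account JSON (GCP) or properties file (AWS) is loaded; with null, Tink uses the
  // provider's default credentials.
  static KmsClient kmsClientFor(String keyUri, String credentialPath)
      throws GeneralSecurityException {
    if (keyUri.startsWith(GcpKmsClient.PREFIX)) {
      return credentialPath == null
          ? new GcpKmsClient().withDefaultCredentials()
          : new GcpKmsClient().withCredentials(credentialPath);
    }
    if (keyUri.startsWith(AwsKmsClient.PREFIX)) {
      return credentialPath == null
          ? new AwsKmsClient().withDefaultCredentials()
          : new AwsKmsClient().withCredentials(credentialPath);
    }
    throw new GeneralSecurityException("unsupported KMS key URI: " + keyUri);
  }

  // Generates a fresh AES128-GCM keyset and returns it as JSON encrypted by the KMS key.
  static String createEncryptedKeyset(String keyUri, String credentialPath)
      throws GeneralSecurityException {
    AeadConfig.register();
    Aead kek = kmsClientFor(keyUri, credentialPath).getAead(keyUri); // remote AEAD in the KMS
    KeysetHandle handle = KeysetHandle.generateNew(PredefinedAeadParameters.AES128_GCM);
    return TinkJsonProtoKeysetFormat.serializeEncryptedKeyset(handle, kek, KEYSET_AD);
  }

  // Decrypts a keyset produced above and returns a usable AEAD primitive. The same
  // credentials (or default credentials) are needed here, since the KMS unwraps the keyset.
  static Aead loadEncryptedKeyset(String json, String keyUri, String credentialPath)
      throws GeneralSecurityException {
    AeadConfig.register();
    Aead kek = kmsClientFor(keyUri, credentialPath).getAead(keyUri);
    KeysetHandle handle = TinkJsonProtoKeysetFormat.parseEncryptedKeyset(json, kek, KEYSET_AD);
    return handle.getPrimitive(Aead.class);
  }

  // Usage: EncryptedKeysetExample <key-uri> [credential-path]
  //   key-uri          gcp-kms://projects/.../cryptoKeys/... or aws-kms://arn:aws:kms:...
  //   credential-path  service account JSON (GCP) or properties file (AWS); omit for defaults
  public static void main(String[] args) throws GeneralSecurityException, IOException {
    String keyUri = args[0];
    String credentialPath = args.length > 1 ? args[1] : null;
    Path out = Paths.get("encrypted-keyset.json");

    String json = createEncryptedKeyset(keyUri, credentialPath);
    Files.write(out, json.getBytes(StandardCharsets.UTF_8));

    // Round trip: unwrap the keyset via the KMS and use it for a local AEAD operation.
    Aead aead = loadEncryptedKeyset(
        new String(Files.readAllBytes(out), StandardCharsets.UTF_8), keyUri, credentialPath);
    byte[] ct = aead.encrypt("hello".getBytes(StandardCharsets.UTF_8), new byte[0]);
    byte[] pt = aead.decrypt(ct, new byte[0]);
    System.out.println(new String(pt, StandardCharsets.UTF_8));
  }
}
```

The encrypted keyset file is safe to store alongside the application; the credentials file is not, since anyone holding it can ask the KMS to unwrap the keyset. Keep it out of version control and readable only by the process identity, and prefer default credentials (workload identity, instance roles) over a long-lived file where the platform offers them. The Tinkey equivalent of the generation step passes the same two values as `--master-key-uri` and `--credential`.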
If you don’t supply credentials, Tink and Tinkey will attempt to load default credentials. Refer to the documentation for your KMS for more information on default credentials: