- Google Cloud KMS credentials are service account JSON files that can be created and downloaded from Google Cloud Console.
- AWS KMS credentials are properties files with the AWS access key ID in the
accessKeyproperty, and the AWS secret key in the
- HashiCorp Vault credentials are service tokens that can be created by the vault token create command. (This is currently only available in Golang.)
Once you have the credentials available, you can use Tink APIs or Tinkey to generate encrypted keysets.
If you don’t supply credentials, Tink and Tinkey will attempt to load default credentials. Refer to the documentation for your KMS for more information on default credentials: