Tink can authenticate to an external Key Management System (KMS) using credentials:
- Google Cloud KMS – Tink requires service account credentials; these are a JSON file that can be created and downloaded from the Google Cloud Console.
- AWS KMS – Tink requires a credentials file that contains:
  - the access key ID in the `accessKey` property,
  - the secret access key in the `secretKey` property.
- HashiCorp Vault – Credentials are service tokens that can be created by the `vault token create` command.
Once the credentials are available, you can use Tink APIs or Tinkey to generate encrypted keysets.
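A pre-flight check for the credential files described above, as an added example that is not part of Tink or its documentation. It assumes the AWS file holds one `name = value` property per line and that the Google file is a standard service account JSON key; `check_credentials`, `load_fields` and `write_sample` are hypothetical helper names, and every sample value is a constructed placeholder.

```python
import json
import os
import re
import stat
import tempfile

REQUIRED = {
    "gcp": ("type", "client_email", "private_key"),  # fields of a service account JSON key
    "aws": ("accessKey", "secretKey"),               # the two properties named above
}

def load_fields(path, kind):
    """Parse the credentials file into a dict; values are never printed."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    if kind == "gcp":
        return dict(json.loads(text))  # TypeError/ValueError if not a JSON object
    fields = {}
    for line in text.splitlines():  # assumption: one "name = value" property per line
        m = re.match(r"\s*([^#!=:\s][^=:\s]*)\s*[=:]\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def check_credentials(path, kind):
    """Return a list of problems; an empty list means the file looks usable."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"mode {mode:04o} exposes the file to group/other; use 0600")
    try:
        fields = load_fields(path, kind)
    except (TypeError, ValueError):  # malformed JSON, wrong top-level type, bad encoding
        return problems + [f"not a parseable {kind} credentials file"]
    problems += [f"missing or empty: {name}" for name in REQUIRED[kind] if not fields.get(name)]
    if kind == "gcp" and fields.get("type") not in (None, "", "service_account"):
        problems.append("type is not service_account")
    return problems

def write_sample(directory, name, text, mode):
    path = os.path.join(directory, name)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample, placeholder values only
        print(check_credentials(write_sample(d, "aws.properties", "accessKey = PLACEHOLDER_ID\n", 0o644), "aws"))
```

The check reports only field names and file modes, so its output can be logged without exposing the secret itself.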
If you don't supply credentials, Tink attempts to load default credentials. For more information, refer to the documentation for your KMS: