Skip to content

feat(gcp): support universe_domain for GCP kms wrappers and vault config #31554

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

feat(gcp): support universe_domain for GCP kms wrappers and vault config #31554

wants to merge 2 commits into from

Conversation

7sinStone
Copy link

Description
This PR adds support for the universe_domain parameter for GCP KMS usage in Vault. When set, Vault forwards the value to the GCP KMS wrapper so the client uses a custom API domain; if not set Vault keeps using googleapis.com.

Related Issue
Closes #31553

Changes Introduced

  • Forward universe_domain from Vault KMS config to the gcpckms wrapper (internalshared/configutil/kms.go).

Backward Compatibility
Default behavior unchanged: if universe_domain is not set, Vault continues to use googleapis.com.

Dependency
This PR depends on a change in go-kms-wrapping that adds WithUniverseDomain. Link: go-kms-wrapping.
I tested locally using a temporary replace in my go.mod. Once the wrapper PR is merged I will update go.mod in this branch to the released tag.

Quick post-merge step (what I will do or maintainers can do):

# after go-kms-wrapping PR merged -> bump dependency
go get github.com/hashicorp/go-kms-wrapping/v2@<commit-or-tag>
go mod tidy
git add go.mod go.sum
git commit -m "go: bump go-kms-wrapping for universe_domain support"
git push

Additional Context
Enables Vault to operate with GCP sovereign/custom endpoints by opt-in config only.

Signed-off-by: Houssein Mnaouar [email protected]

@7sinStone
feat(gcp): support universe_domain for GCP kms wrappers and vault config
c8638bc 
- Parse "universe_domain" from Vault KMS config and forward to the go-kms-wrapping gcpckms wrapper via WithUniverseDomain
- This is additive and defaults to standard googleapis.com when not set.

Signed-off-by: Houssein Mnaouar <[email protected]>
@7sinStone 7sinStone requested a review from a team as a code owner September 16, 2025 00:19
@vercel Vercel
Copy link

vercel bot commented Sep 16, 2025

@7sinStone is attempting to deploy a commit to the HashiCorp Team on Vercel.

A member of the Team first needs to authorize it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@claudiac-m claudiac-m Awaiting requested review from claudiac-m claudiac-m is a code owner automatically assigned from hashicorp/vault

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

enhancement secret/gcp

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support optional GCP universe_domain in Vault GCP KMS

2 participants

@7sinStone @heatherezell