kms.env.example
# Google Cloud KMS — wallet envelope KEK (copy to your secret store; do not commit real values)
# See infra/gcp/README.md
GCP_PROJECT_ID=hyperlinksspacebot
GCP_KMS_KEY_NAME=projects/hyperlinksspacebot/locations/us-central1/keyRings/wallet-envelope/cryptoKeys/wallet-kek
GCP_KMS_SERVICE_ACCOUNT_EMAIL=wallet-kms-unwrap@hyperlinksspacebot.iam.gserviceaccount.com
# Optional: path to service account JSON (local/dev only; prefer Workload Identity in prod)
# GOOGLE_APPLICATION_CREDENTIALS=/path/to/wallet-kms-unwrap-sa-key.json
# Optional: protect GET /api/kmsping in production (header x-kms-ping-secret or ?secret=)
# KMS_PING_SECRET=
# Vercel / serverless (Option B — preferred): paste full JSON from the SA key file into the
# dashboard secret GCP_SERVICE_ACCOUNT_JSON (do not commit; do not set GOOGLE_APPLICATION_CREDENTIALS).
# GCP_SERVICE_ACCOUNT_JSON={"type":"service_account",...}
# Transport: REST is default in code. Force gRPC only if needed (e.g. Linux):
# GCP_KMS_USE_GRPC=1
# Optional: max time per encrypt/decrypt step (ms) for /api/kms-roundtrip
# KMS_PING_TIMEOUT_MS=45000
# Local only: npm run dev:vercel sets this so Neon/DB need not be reachable during build
# SKIP_DB_MIGRATE=1
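
A startup check for the settings above, as an added example that is not code from this repository: it rejects a malformed or cross-project key name, refuses two credential sources at once, and flags the production caveats noted in the comments. The variable names come from this file; `validateKmsEnv`, the `production` flag and the sample values are assumptions.

```javascript
// Added example (not from the repository): check the KMS settings at startup.
// Variable names are from kms.env.example; validateKmsEnv and the
// `production` flag are hypothetical.
const KEY_RE = /^projects\/([^/]+)\/locations\/[^/]+\/keyRings\/[^/]+\/cryptoKeys\/[^/]+$/;

function validateKmsEnv(env, { production = false } = {}) {
  const errors = [];
  const warnings = [];

  // The key must be a full resource name inside the configured project.
  const m = KEY_RE.exec(env.GCP_KMS_KEY_NAME || "");
  if (!m) errors.push("GCP_KMS_KEY_NAME is not a full cryptoKeys resource name");
  else if (env.GCP_PROJECT_ID && m[1] !== env.GCP_PROJECT_ID)
    errors.push("GCP_KMS_KEY_NAME project differs from GCP_PROJECT_ID");

  // Exactly one credential source; the key-file path is for local/dev only.
  const hasFile = Boolean(env.GOOGLE_APPLICATION_CREDENTIALS);
  const hasJson = Boolean(env.GCP_SERVICE_ACCOUNT_JSON);
  if (hasFile && hasJson) errors.push("both credential variables are set");
  if (hasFile && production) warnings.push("key-file path used in production");

  if (hasJson) {
    try {
      const sa = JSON.parse(env.GCP_SERVICE_ACCOUNT_JSON);
      if (sa.type !== "service_account") errors.push("JSON is not a service account key");
      const want = env.GCP_KMS_SERVICE_ACCOUNT_EMAIL;
      if (want && sa.client_email !== want)
        errors.push("JSON client_email differs from GCP_KMS_SERVICE_ACCOUNT_EMAIL");
    } catch {
      errors.push("GCP_SERVICE_ACCOUNT_JSON is not valid JSON");
    }
  }

  if (production && !env.KMS_PING_SECRET) warnings.push("KMS_PING_SECRET is unset");
  const t = env.KMS_PING_TIMEOUT_MS;
  if (t !== undefined && !/^[1-9]\d*$/.test(t))
    errors.push("KMS_PING_TIMEOUT_MS must be a positive integer");

  return { ok: errors.length === 0, errors, warnings };
}

// Constructed sample: placeholder project and account, no real key material.
const sampleEnv = {
  GCP_PROJECT_ID: "example-project",
  GCP_KMS_KEY_NAME: "projects/example-project/locations/us-central1/keyRings/wallet-envelope/cryptoKeys/wallet-kek",
  GCP_KMS_SERVICE_ACCOUNT_EMAIL: "wallet-kms-unwrap@example-project.iam.gserviceaccount.com",
  GCP_SERVICE_ACCOUNT_JSON: '{"type":"service_account","client_email":"wallet-kms-unwrap@example-project.iam.gserviceaccount.com"}',
};
console.log(validateKmsEnv(sampleEnv, { production: true }));
```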