Tags: python, google-cloud-platform, urllib, google-cloud-kms, tink

Mutual TLS in Python using Google Cloud KMS


Is there a way to make HTTP requests over mTLS with private keys stored in Google Cloud Key Management Service?

In this blog post, what we need is done in Go. Is it possible to achieve the same in Python? I was hoping that the Tink library provides some ready-made solution, but I can't find one.


Solution

  • After diving into the topic I've made the following "discoveries":

    So this seems solvable but requires some effort.

    At the same time, I found that Amazon provides a ready-made OpenSSL engine for their AWS CloudHSM, so it should be fairly easy to use for mTLS in Python. But CloudHSM prices are quite high (which is understandable due to the custom hardware). I also found this Rust implementation of an OpenSSL engine for AWS KMS, which looks great. And perhaps it's also possible to rework it for Google Cloud KMS... But we may end up switching to AWS KMS or CloudHSM.

    Although this is not a very complete answer, I hope it will help others facing the issue.
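The hook that makes the Go route work (my assumption about what the linked post relies on; the post itself is not reproduced here) is that `tls.Certificate.PrivateKey` accepts any `crypto.Signer`, so the handshake's CertificateVerify signature can be produced by a remote call and the private key never enters the process. Python's standard `ssl` module has no equivalent: `SSLContext.load_cert_chain` only takes a certificate file and a key file, which is why the answer above ends up looking at OpenSSL engines. The following is an added Go example, not code from the question, the answer or the blog post, that shows the mechanism end to end over loopback with mutual authentication. `kmsSigner`, `must`, `newIdentity`, `mtlsConfig` and `RunMutualTLS` are names I chose; the KMS call is stood in for by an in-memory ECDSA P-256 key, and a real signer would send the digest to the Cloud KMS AsymmetricSign API instead.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// kmsSigner is the only hook crypto/tls needs: the handshake hands Sign a digest and
// never sees key bytes. Hypothetical stand-in: sign wraps an in-memory ECDSA key; a
// real implementation would send the digest to the Cloud KMS AsymmetricSign API.
type kmsSigner struct {
	pub   crypto.PublicKey
	sign  func(digest []byte) ([]byte, error)
	Calls int // signing requests sent to the "KMS"
}

func (k *kmsSigner) Public() crypto.PublicKey { return k.pub }

func (k *kmsSigner) Sign(_ io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	k.Calls++
	return k.sign(digest)
}

func must[T any](v T, err error) T { // setup helper: keygen and self-issuance do not fail in practice
	if err != nil {
		panic(err)
	}
	return v
}

// newIdentity returns a signer plus a self-signed certificate the other peer pins as its
// trust anchor. Issuance goes through Sign as well, so no raw key is ever needed.
func newIdentity(cn string, eku x509.ExtKeyUsage) (*kmsSigner, *x509.Certificate) {
	priv := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	s := &kmsSigner{pub: &priv.PublicKey, sign: func(d []byte) ([]byte, error) {
		return ecdsa.SignASN1(rand.Reader, priv, d) // the "remote" signing call
	}}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{eku}, IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, s.Public(), s))
	return s, must(x509.ParseCertificate(der))
}

// mtlsConfig wires the signer in: tls.Certificate.PrivateKey is an interface, so any
// crypto.Signer fits. One config serves both roles (ClientAuth/ClientCAs are ignored by
// a client, RootCAs by a server); peer is the single certificate we trust.
func mtlsConfig(self *x509.Certificate, s *kmsSigner, peer *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(peer)
	return &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{self.Raw}, PrivateKey: s}},
		RootCAs:      pool, ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS13,
	}
}

// RunMutualTLS runs one mTLS exchange over loopback where both peers sign their
// CertificateVerify through kmsSigner and the server verifies the client certificate.
// It returns the server's greeting and how many handshake signatures each "KMS" made.
func RunMutualTLS() (greeting string, serverSigns, clientSigns int, err error) {
	srvKey, srvCert := newIdentity("server", x509.ExtKeyUsageServerAuth)
	cliKey, cliCert := newIdentity("client", x509.ExtKeyUsageClientAuth)
	srvKey.Calls, cliKey.Calls = 0, 0 // count handshake signatures only
	ln, err := tls.Listen("tcp", "127.0.0.1:0", mtlsConfig(srvCert, srvKey, cliCert))
	if err != nil {
		return
	}
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			defer c.Close() // close_notify gives the client its EOF
			tc := c.(*tls.Conn)
			if err = tc.Handshake(); err == nil { // the client certificate is verified here
				_, err = fmt.Fprintf(tc, "hello %s", tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
			}
		}
		done <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), mtlsConfig(cliCert, cliKey, srvCert))
	if err != nil {
		return
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	msg, err := io.ReadAll(conn) // EOF once the server has written and closed
	if err == nil {
		err = <-done
	}
	return string(msg), srvKey.Calls, cliKey.Calls, err
}
```

Both the self-signed issuance and the two CertificateVerify signatures go through `Sign`; after the counters are reset, each side's signer is asked to sign exactly once per handshake, which is also the cost of the approach: one KMS round trip for every new connection, on each side that keeps its key there.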