Support optional GCP universe_domain in Vault GCP KMS #31553

@7sinStone

Description

Is your feature request related to a problem? Please describe.
Currently Vault's GCP backends do not expose a way to set the "universe_domain" option that some GCP client libraries support. This is required in environments where the GCP APIs are hosted on a custom domain (sovereign clouds or internal GCP-like endpoints).

Describe the solution you'd like
Add an optional universe_domain configuration field to the Vault GCP KMS configuration so that Vault can connect to a custom universe domain when present. When not set, the default behavior must remain the same (use googleapis.com).

Describe alternatives you've considered
There is no workaround at the moment apart from patching Vault.

Explain any additional use-cases
This feature is critical for organizations operating in sovereign cloud environments, where the GCP KMS is needed but cannot function without universe domain support.

Additional context

  • There is a related PR on go-kms-wrapping that adds WithUniverseDomain support in the wrapper. See: go-kms-wrapping
  • Implementation should be opt-in and additive.
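The following is an added illustration of the opt-in, additive behaviour the request describes; it is not code from Vault or from the go-kms-wrapping PR. It assumes a flat key/value seal configuration with the existing `project`, `region`, `key_ring` and `crypto_key` keys plus the proposed `universe_domain` key, that the per-universe KMS endpoint follows the `cloudkms.<universe_domain>` pattern used by the GCP client libraries, and that a service-account key JSON may carry a `universe_domain` field (absent meaning `googleapis.com`). The names `ParseSealConfig`, `KMSConfig`, `KMSEndpoint` and `CheckCredentialUniverse` are made up for this example. The credential check is the practitioner's caveat: a seal configured for one universe must refuse a credential issued for another, otherwise unseal-key traffic could be sent to the wrong API host.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// DefaultUniverseDomain is what every GCP client library uses when nothing
// else is configured; the request asks that this remain the default.
const DefaultUniverseDomain = "googleapis.com"

// KMSConfig is a hypothetical subset of a seal "gcpckms" stanza.
// UniverseDomain is the proposed optional field.
type KMSConfig struct {
	Project        string
	Region         string
	KeyRing        string
	CryptoKey      string
	UniverseDomain string
}

// hostnameRe accepts a bare lowercase DNS name with at least one dot and
// no scheme, path, port or wildcard, so a value like "https://x/" is rejected.
var hostnameRe = regexp.MustCompile(`^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$`)

// ParseSealConfig resolves the flat key/value map into a KMSConfig. A missing
// or empty universe_domain falls back to DefaultUniverseDomain, which keeps
// existing configurations unchanged (the "additive" requirement).
func ParseSealConfig(m map[string]string) (KMSConfig, error) {
	for _, f := range []string{"project", "region", "key_ring", "crypto_key"} {
		if strings.TrimSpace(m[f]) == "" {
			return KMSConfig{}, fmt.Errorf("gcpckms: %q is required", f)
		}
	}
	ud := strings.ToLower(strings.TrimSpace(m["universe_domain"]))
	if ud == "" {
		ud = DefaultUniverseDomain
	}
	if !hostnameRe.MatchString(ud) {
		return KMSConfig{}, fmt.Errorf("gcpckms: universe_domain %q is not a bare DNS name", m["universe_domain"])
	}
	return KMSConfig{
		Project:        m["project"],
		Region:         m["region"],
		KeyRing:        m["key_ring"],
		CryptoKey:      m["crypto_key"],
		UniverseDomain: ud,
	}, nil
}

// KMSEndpoint returns the host:port a KMS client would dial. The
// "cloudkms." + universe pattern is an assumption about how per-universe
// endpoints are derived, not something taken from the issue.
func (c KMSConfig) KMSEndpoint() string {
	return "cloudkms." + c.UniverseDomain + ":443"
}

// KeyName returns the fully qualified CryptoKey resource name.
func (c KMSConfig) KeyName() string {
	return fmt.Sprintf("projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s",
		c.Project, c.Region, c.KeyRing, c.CryptoKey)
}

// credentialFile is the subset of a service-account JSON key inspected here.
type credentialFile struct {
	Type           string `json:"type"`
	UniverseDomain string `json:"universe_domain"`
}

// CheckCredentialUniverse fails closed when the credential was issued for a
// different universe than the seal is configured for. A key without the
// field is treated as googleapis.com (assumption about key format).
func CheckCredentialUniverse(credJSON []byte, want string) error {
	var cf credentialFile
	if err := json.Unmarshal(credJSON, &cf); err != nil {
		return fmt.Errorf("gcpckms: parsing credentials: %w", err)
	}
	got := cf.UniverseDomain
	if got == "" {
		got = DefaultUniverseDomain
	}
	if !strings.EqualFold(got, want) {
		return fmt.Errorf("gcpckms: credential universe_domain %q does not match configured %q", got, want)
	}
	return nil
}

func main() {
	// Constructed sample configuration and credential, not real values.
	cfg, err := ParseSealConfig(map[string]string{
		"project": "demo-project", "region": "global",
		"key_ring": "vault-ring", "crypto_key": "vault-key",
		"universe_domain": "example.sovereign.cloud",
	})
	if err != nil {
		panic(err)
	}
	cred := []byte(`{"type":"service_account","universe_domain":"example.sovereign.cloud"}`)
	fmt.Println(cfg.KMSEndpoint(), cfg.KeyName(), CheckCredentialUniverse(cred, cfg.UniverseDomain))
}
```

With `universe_domain` omitted the endpoint resolves to `cloudkms.googleapis.com:443`, so the change is invisible to existing deployments; setting it redirects only the KMS host, and the credential check stops a key from one universe being used against another.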
