Skip to content

DID Key Management

Auth Service manages DID signing keys through the configured key-management provider. These keys support integrity-backed platform workflows and service-account identity.

Released customer charts support these key-management provider values:

  • azure_key_vault for Azure Key Vault
  • aws_kms for AWS KMS
  • gcp_kms for GCP KMS

The service source includes a mock provider for local development and tests, but customer deployments should not use mock key management.

  • Use a real cloud key-management provider in production.
  • Grant only the key permissions required by Auth Service.
  • Keep provider credentials in secrets, not in checked-in values files.
  • Confirm service-account DID keys are reconciled before enabling automated declarations.

DID-key failures usually indicate missing provider credentials, insufficient key permissions, misconfigured tenant or region values, or skipped service-account bootstrap.