@tashian tashian commented Feb 2, 2026

Summary

Updates cryptographic-protection.mdx examples to show the simplified syntax where KMS URIs can be used directly without the --kms flag.

The step CLI now auto-detects KMS URIs by their scheme prefix (cloudkms:, awskms:, yubikey:, tpmkms:, pkcs11:), so the --kms flag is optional in many cases.

Changes:

  • Google Cloud KMS: Simplified root and intermediate CA examples
  • AWS KMS: Simplified root and intermediate CA examples
  • PKCS #11: Added info alert explaining when --kms is beneficial (module-path avoids repetition)
  • TPM 2.0: Simplified intermediate CA example
  • YubiKey PIV: Simplified root and intermediate CA examples (PIN in key URI)
  • Fixed pre-existing syntax error (missing backslash in PKCS #11 example)

Related: smallstep/cli#1560

Test plan

  • Review examples for correctness
  • Wait for CLI PR #1560 to be merged/released before merging these docs

🤖 Generated with Claude Code

@tashian tashian requested a review from a team as a code owner February 2, 2026 18:29
Update cryptographic-protection.mdx examples to show the simplified
syntax where KMS URIs can be used directly without the --kms flag.

The step CLI now auto-detects KMS URIs by their scheme prefix (cloudkms:,
awskms:, yubikey:, tpmkms:, pkcs11:), so the --kms flag is optional in
many cases.

Related: smallstep/cli#1560

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@tashian tashian force-pushed the update-kms-docs-simplified-syntax branch from ed52b93 to 053cfe0 Compare February 2, 2026 18:31
@tashian tashian requested a review from maraino February 2, 2026 18:41