Verify your environment meets these requirements.

Supported hardware

  • CryptoHub, 7.0.3.x or later.

Required access

  • An account on the CryptoHub with administrator permissions to deploy new services.
  • A user in Google Cloud assigned the Cloud KMS Admin role.

Important: Use the correct hostname when deploying

When you run the Deploy Google Cloud EKM service wizard, CryptoHub captures the hostname from your browser’s URL bar and uses it as the audience (aud) for Google ID token validation. If you open CryptoHub by IP (e.g., https://10.0.1.7/...), the audience will be set to that IP. If Google is configured with an FQDN (e.g., ekm.example.com), the aud will not match and requests will fail. Open CryptoHub using the intended FQDN before deploying the service.

Network egress required (Google JWKS)

CryptoHub must reach Google’s public JWKS to validate ID tokens: https://www.googleapis.com/oauth2/v3/certs. Ensure outbound HTTPS egress (or proxy) is allowed from the CryptoHub network. Without this, JWT validation will fail.
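
The two failure modes above can be checked from a host on the CryptoHub network before deploying. The following is an added example, not CryptoHub or Google code: the function names are hypothetical, the token is constructed and unsigned, and it assumes the aud claim carries either a bare hostname or a URL.

```python
import base64, ipaddress, json, urllib.request
from urllib.parse import urlsplit

JWKS_URL = "https://www.googleapis.com/oauth2/v3/certs"  # endpoint named on this page

def captured_audience(browser_url):
    """Hostname from the URL used to open CryptoHub (what becomes the aud)."""
    host = urlsplit(browser_url).hostname
    if not host:
        raise ValueError(f"no hostname in {browser_url!r}")
    return host

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def token_audiences(id_token):
    """Read aud from the JWT payload WITHOUT verifying it (diagnostics only)."""
    payload = id_token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    aud = claims.get("aud", [])
    auds = [aud] if isinstance(aud, str) else aud
    # Assumption: aud may be a bare hostname or a URL; compare on hostname only.
    return [((urlsplit(a).hostname or a) if "://" in a else a).lower() for a in auds]

def diagnose(browser_url, id_token):
    host = captured_audience(browser_url)
    if host in token_audiences(id_token):
        return "ok"
    if is_ip(host):
        return "mismatch: opened by IP, open CryptoHub by its FQDN before deploying"
    return "mismatch: hostname differs from token aud"

def jwks_reachable(timeout=5):
    """True if the JWKS endpoint returns a key set (honours proxy env vars)."""
    try:
        with urllib.request.urlopen(JWKS_URL, timeout=timeout) as resp:
            return "keys" in json.load(resp)
    except (OSError, ValueError):
        return False

def sample_token(aud):
    """Constructed, unsigned token for the demo; not a real Google ID token."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'aud': aud})}.sig"

if __name__ == "__main__":
    tok = sample_token("ekm.example.com")
    print(diagnose("https://10.0.1.7/", tok))
    print(diagnose("https://ekm.example.com/", tok))
    print("JWKS reachable:", jwks_reachable())
```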