AWS KMS key compatibility - Secrets Manager for Dedicated
## Why are we doing this work

AWS KMS support is a requirement for GitLab Secrets Manager on Dedicated and for GA. OpenBao already supports AWS KMS via the [awskms seal configuration](https://openbao.org/docs/configuration/seal/awskms/), which handles auto-rotation and provides a better UX than static key management.

## Non-functional requirements

- [x] Documentation: Update https://docs.gitlab.com/charts/charts/openbao/ with the new awskms parameters
- [ ] Feature flag: N/A
- [ ] Performance: N/A
- [x] Testing: One-time validation in a live AWS project before merge; rely on upstream coverage for continuous testing

## Implementation plan

**OpenBao Helm Chart:**

1. Add `awskms` unseal support to the [OpenBao chart](https://gitlab.com/gitlab-org/cloud-native/charts/openbao/-/blob/93fe206b6e35cb1c68a14b67ed96215725c2f92f/values.yaml#L211) (currently only supports `static`)
2. Expose configuration parameters for the AWS KMS seal
3. Document the new parameters in the chart documentation
4. Validate functionality in a live AWS environment before merge

**GitLab Environment Toolkit (GET):**

1. Add a variable for passing the KMS key ID to the chart
2. Configure the `awskms` seal through chart values
3. Ensure Geo compatibility (same KMS key across sites)

## Verification steps

1. Deploy OpenBao with the AWS KMS seal configuration
2. Verify unsealing works with the IAM service account (no AWS credentials needed)
3. Test key rotation handling
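For reference, the OpenBao server stanza the chart would need to render for the `awskms` seal, as an added example (not from the chart or this issue); the region, key identifier and IAM role name are placeholders, and it assumes credentials come from the pod's IAM role rather than from static keys in the config:

```hcl
# OpenBao server config (HCL) for the awskms seal.
# Placeholder values: region, kms_key_id, and the IAM role referenced in comments.
seal "awskms" {
  region     = "us-east-1"
  # Key ID, key ARN, or "alias/<name>"; for Geo, every site must reference the
  # same key so that a barrier sealed at one site can be unsealed at another.
  kms_key_id = "REPLACE_WITH_KMS_KEY_ID"

  # No access_key / secret_key here: leaving them out makes the AWS SDK fall
  # back to the default credential chain, so on EKS the pod's service account
  # role (AWS_ROLE_ARN + AWS_WEB_IDENTITY_TOKEN_FILE injected by IRSA) is used
  # and no long-lived AWS credentials are stored in the chart values.
}

# The IAM role bound to the OpenBao service account needs only
# kms:Encrypt, kms:Decrypt and kms:DescribeKey on this key.
```

KMS automatic key rotation keeps old key material for decryption, so a seal configured this way keeps unsealing after rotation without any change to the stanza.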