System and method for two way trust between an external key management system and a cloud computing infrastructure

US12500875B2 · US · B2

Patent metadata
Publication number: US-12500875-B2
Application number: US-202418764683-A
Country: US
Kind code: B2
Filing date: Jul 5, 2024
Priority date: Jul 5, 2023
Publication date: Dec 16, 2025
Grant date: Dec 16, 2025

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

An identity service in a cloud environment is communicatively coupled to a proxy key vault in the cloud environment and to an external key manager (EKM) located outside of the cloud environment. The identity service receives a token request for a communication credential from the proxy key vault and verifies the request based on a client credential associated with the proxy key vault. The identity service generates the communication credential and signs it with a private key associated with the EKM. The identity service transmits the signed communication credential to the proxy key vault. The communication credential can be used to substantiate cryptographic operation requests to the EKM.

First claim

Claims 1 to 11 as published.

What is claimed is:

1. One or more non-transitory computer readable media comprising instructions which, when executed by one or more hardware processors, cause performance of operations comprising: receiving, by an identity service from a proxy key vault, a token request for a communication credential, wherein the token request is substantiated based at least on a client credential stored in association with the proxy key vault, wherein the proxy key vault is located within a cloud computing environment; verifying, by the identity service, the client credential, wherein verifying the client credential comprises: determining, by the identity service, that the proxy key vault is associated with a client application implemented by the identity service; verifying that the client credential is associated with the client application associated with the proxy key vault; responsive to verifying the client credential, generating, by the identity service, the communication credential, wherein generating the communication credential comprises: identifying, by the identity service, a resource application implemented by the identity service that has a mapping with the client application; retrieving, by the identity service, a private key of a public/private key pair associated with the resource application; signing, by the identity service, the communication credential using the private key; and transmitting, by the identity service to the proxy key vault, the communication credential; wherein the communication credential is used to substantiate cryptographic operation requests to an external key manager mapped to the resource application, wherein the external key manager is located outside of the cloud computing environment.

2. The non-transitory media of claim 1, the operations further comprising: creating, by the identity service, the resource application, wherein the resource application is associated with the external key manager wherein configured to access an external hardware device configured to store external cryptographic keys; creating, by the identity service, the client application, wherein the client application is associated with the client credential; creating, by the identity service, a mapping between the resource application and one or more client applications comprising the client application; and creating, by a key management service (KMS), the proxy key vault, wherein creating the proxy key vault comprises storing the client credential in association with the proxy key vault.

3. The non-transitory media of claim 1, the operations further comprising: receiving, by the proxy key vault, a first request to perform a cryptographic operation using an external cryptographic key; obtaining, by the proxy key vault, the communication credential generated by the identity service; and transmitting, by the proxy key vault to the external key manager, a second request to perform the cryptographic operation using the external cryptographic key, wherein the second request is substantiated based at least on the communication credential.

4. The non-transitory media of claim 3, wherein obtaining the communication credential comprises retrieving, by the proxy key vault, the communication credential from a cache.

5. The non-transitory media of claim 4, the operations further comprising: determining at least one of: that the communication credential in the cache is expired or that the cache does not contain a communication credential; and responsive to the determining, requesting, by the proxy key vault, a second communication credential from the identity service.

6. The non-transitory media of claim 3, the operations further comprising: receiving, by the identity service from the external key manager, a third request for a public key of the public/private key pair associated with the resource application; responsive to verifying, by the identity service, that the resource application is mapped to the client application, transmitting the public key; and receiving, by the proxy key vault, encrypted or decrypted data based on performance of the cryptographic operation using the external cryptographic key.

7. The non-transitory media of claim 1, further comprising a second client application implemented by the identity service and mapped to the resource application; and wherein the client application is mapped to a first vault of a cloud computing entity and the second client application is mapped to a second vault of the cloud computing entity.

8. The non-transitory media of claim 1, wherein the client credential comprises at least one of a client application identifier and a client secret.

9. A method comprising: receiving, by an identity service from a proxy key vault, a token request for a communication credential, wherein the token request is substantiated based at least on a client credential stored in association with the proxy key vault, wherein the proxy key vault is located within a cloud computing environment; verifying, by the identity service, the client credential, wherein verifying the client credential comprises: determining, by the identity service, that the proxy key vault is associated with a client application implemented by the identity service; verifying that the client credential is associated with the client application associated with the proxy key vault; responsive to verifying the client credential, generating, by the identity service, the communication credential, wherein generating the communication credential comprises: identifying, by the identity service, a resource application implemented by the identity service that has a mapping with the client application; retrieving, by the identity service, a private key of a public/private key pair associated with the resource application; signing, by the identity service, the communication credential using the private key; and transmitting, by the identity service to the proxy key vault, the communication credential; wherein the communication credential is used to substantiate cryptographic operation requests to an external key manager mapped to the resource application, wherein the external key manager is located outside of the cloud computing environment; and wherein the method is performed by at least one device including a hardware processor.

10. The method of claim 9, further comprising: creating, by the identity service, the resource application, wherein the resource application is associated with the external key manager wherein configured to access an external hardware device configured to store external cryptographic operation keys; creating, by the identity service, the client application, wherein the client application is associated with the client credential; creating, by the identity service, a mapping between the resource application and one or more client applications comprising the client application; and creating, by a key management service (KMS), the proxy key vault, wherein creating the proxy key vault comprises storing the client credential in association with the proxy key vault.

11. The method of claim 9, further comprising: receiving, by the proxy key vault, a first request to perform a cryptographic operation using an external cryptographic key; obtaining, by the proxy key vault, the communication credential generated by the identity service; and transmitting, by the proxy key vault to the external key manager, a second request to perform the cryptographic operation using the external cryptographic key, wherein the second request is substantiated based at least on the communication credential.
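The abstract and claims 1 to 6 describe a protocol, so the following is an added, runnable simulation of it in a single Python process. It is not Oracle's code and not taken from the patent; the identifiers (ra-ekm-1, ca-vault-1, vault-1, ekm-1, k1), the JSON fields of the communication credential, the 300-second lifetime, and the check the identity service applies before releasing a public key are assumptions. The toy RSA (two Mersenne primes, unpadded hash) stands in for a real signature scheme and the SHA-256 keystream XOR stands in for the HSM's cipher; both exist only so the flow runs offline. What the example shows beyond the claim text: the proxy vault never holds a signing key or an external key, the EKM never sees the client secret, the cached credential is reused until it expires, and the EKM rejects a credential whose audience was tampered with.

```python
import hashlib, hmac, json, secrets, time

# Toy RSA over two Mersenne primes (2^31-1, 2^61-1): 92-bit modulus, unpadded hash. Demo stand-in only.
def gen_keypair(e=65537):
    p, q = (1 << 31) - 1, (1 << 61) - 1
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)                 # (public, private)
def _h(msg, n): return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
def sign(priv, msg): return pow(_h(msg, priv[1]), *priv)
def verify(pub, msg, sig): return pow(sig, *pub) == _h(msg, pub[1])

class IdentityService:
    """Cloud identity service: client apps (one per proxy vault), resource apps (one per EKM), mapping."""
    def __init__(self):
        self.resource_apps, self.client_apps, self.mapping = {}, {}, {}
    def create_resource_app(self, rid, ekm_id):             # claim 2: key pair per resource app
        pub, priv = gen_keypair()
        self.resource_apps[rid] = {"ekm": ekm_id, "pub": pub, "priv": priv}
    def create_client_app(self, cid, vault_id):              # claim 2: the KMS stores the returned
        secret = secrets.token_hex(32)                        # secret with the proxy vault
        self.client_apps[cid] = {"secret": secret, "vault": vault_id}
        return secret
    def map_client(self, cid, rid):                           # claim 2
        self.mapping[cid] = rid
    def issue_token(self, vault_id, client_id, client_secret, ttl=300):
        """Claim 1: check vault<->client app, check the secret, sign with the mapped resource app's key."""
        app = self.client_apps.get(client_id)
        if app is None or app["vault"] != vault_id:
            raise PermissionError("proxy vault is not associated with that client application")
        if not hmac.compare_digest(app["secret"], client_secret):
            raise PermissionError("client credential does not match the client application")
        rid = self.mapping.get(client_id)
        if rid is None:
            raise PermissionError("client application has no resource application mapping")
        body = {"iss": rid, "sub": client_id, "aud": self.resource_apps[rid]["ekm"],
                "exp": int(time.time()) + ttl}             # field names are assumptions
        payload = json.dumps(body, sort_keys=True).encode()
        return {"payload": payload, "sig": sign(self.resource_apps[rid]["priv"], payload)}
    def public_key(self, rid, ekm_id):
        """Claim 6: give the resource app's public key to its EKM once the app has a client mapping."""
        app = self.resource_apps.get(rid)
        if app is None or app["ekm"] != ekm_id or rid not in self.mapping.values():
            raise PermissionError("resource application unmapped or not owned by this EKM")
        return app["pub"]

class ProxyKeyVault:
    """Cloud-side vault: holds the client credential and a cached communication credential, never keys."""
    def __init__(self, vault_id, client_id, client_secret, idsvc, ekm):
        self.vault_id, self.client_id, self.client_secret = vault_id, client_id, client_secret
        self.idsvc, self.ekm, self.cache = idsvc, ekm, None
    def communication_credential(self):                        # claims 4-5: refresh only if absent/expired
        if self.cache is None or json.loads(self.cache["payload"])["exp"] <= time.time():
            self.cache = self.idsvc.issue_token(self.vault_id, self.client_id, self.client_secret)
        return self.cache
    def crypto_op(self, op, key_id, data):                     # claim 3: forward, substantiated by credential
        return self.ekm.crypto_op(op, key_id, data, self.communication_credential())

class ExternalKeyManager:
    """Customer-side EKM: keys never leave it; each request must carry a credential it can verify."""
    def __init__(self, ekm_id, rid, idsvc):
        self.ekm_id, self.rid, self.idsvc, self.pub, self.keys = ekm_id, rid, idsvc, None, {}
    def _check(self, cred):
        if self.pub is None:                                   # fetch the verification key once
            self.pub = self.idsvc.public_key(self.rid, self.ekm_id)
        if not verify(self.pub, cred["payload"], cred["sig"]):
            raise PermissionError("credential signature invalid")
        c = json.loads(cred["payload"])
        if c["iss"] != self.rid or c["aud"] != self.ekm_id or c["exp"] <= time.time():
            raise PermissionError("credential not issued for this EKM, or expired")
    def crypto_op(self, op, key_id, data, cred):
        self._check(cred)
        # SHA-256 keystream XOR stands in for the HSM cipher; "encrypt" and "decrypt" are the same op
        key, blocks = self.keys[key_id], len(data) // 32 + 1
        stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))
        return bytes(a ^ b for a, b in zip(data, stream))

def demo():
    # One tenant: a good round trip, a cached credential, a wrong secret and a tampered credential.
    idsvc = IdentityService()
    idsvc.create_resource_app("ra-ekm-1", "ekm-1")
    secret = idsvc.create_client_app("ca-vault-1", "vault-1")
    idsvc.map_client("ca-vault-1", "ra-ekm-1")
    ekm = ExternalKeyManager("ekm-1", "ra-ekm-1", idsvc)
    ekm.keys["k1"] = secrets.token_bytes(32)                  # constructed sample key
    vault = ProxyKeyVault("vault-1", "ca-vault-1", secret, idsvc, ekm)
    ct = vault.crypto_op("encrypt", "k1", b"customer record")
    cred = vault.cache                                         # issued on the first request
    pt = vault.crypto_op("decrypt", "k1", ct)
    out = {"roundtrip": pt == b"customer record", "cached": vault.cache is cred}
    forged = {"payload": cred["payload"].replace(b"ekm-1", b"ekm-2"), "sig": cred["sig"]}
    attempts = {"bad_secret": lambda: ProxyKeyVault("vault-1", "ca-vault-1", "wrong", idsvc, ekm)
                .crypto_op("encrypt", "k1", b"x"),
                "forged": lambda: ekm.crypto_op("encrypt", "k1", b"x", forged)}
    for name, attempt in attempts.items():
        try:
            attempt()
            out[name + "_rejected"] = False
        except PermissionError:
            out[name + "_rejected"] = True
    return out
```

Running `demo()` returns all four flags True. The two trust directions are visible in the code: the identity service only issues a credential to a vault whose client credential matches the client application it was created with and that has a mapping to a resource application, and the EKM only accepts requests carrying a credential it can verify with the public key it fetched from the identity service for its own resource application. A practitioner reading this against a real deployment should check the same two things: that the EKM pins the key it verifies against (here it is fetched once and cached) and that the credential carries an audience and an expiry the EKM actually checks, since the cache in claims 4 and 5 otherwise hands out a token that stays valid indefinitely.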

Assignees

Oracle Int Corp

Inventors

Classifications

  • H04L9/0894 (primary)

    Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage · CPC title

  • involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics · CPC title

  • using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates · CPC title

  • H04L63/062 (primary)

    for key distribution, e.g. centrally by trusted party (cryptographic mechanisms or cryptographic arrangements for key distribution involving a central third party H04L9/0819) · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US12500875B2 cover?
An identity service in a cloud environment is communicatively coupled to a proxy key vault in the cloud environment and to an external key manager (EKM) located outside of the cloud environment. The identity service receives a token request for a communication credential from the proxy key vault and verifies the request based on a client credential associated with the proxy key vault. The ident…
Who is the assignee on this patent?
Oracle Int Corp
What technology area does this patent fall under?
Primary CPC classification H04L9/0894. Mapped technology areas include Electricity.
When was this patent published?
Publication date Dec 16, 2025 (kind code B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 11 related publications on this page (citations in our corpus or others sharing the same primary CPC).