Introduction
The Google Cloud (GCP) secrets engine for Vault dynamically generates Google Cloud service account keys and OAuth2 access tokens based on IAM policies. This lets users obtain access to Google Cloud resources without having to create or manage a dedicated service account themselves.
There are two types of GCP service accounts that can be provided to Vault to generate access tokens or GCP Service Account keys: Static Accounts and Rolesets. Static accounts are GCP service accounts that are created outside of Vault and then provided to Vault to generate access tokens or keys. A roleset consists of a Vault managed GCP Service account along with a set of IAM bindings defined for that service account.
This article explains how to configure a static account for the GCP secrets engine.
Steps
1. Enable the GCP secrets engine
❯ vault secrets enable gcp
Success! Enabled the gcp secrets engine at: gcp/
2. Create a service account and a key for it from the GCP console; please refer to this document from GCP for the procedure. When using static accounts, Vault must have the required permissions at the service account level. A JSON key file is downloaded at the end of this process.
To use this secrets engine, the service account must have the following minimum scope(s):
https://www.googleapis.com/auth/cloud-platform
The following scope will also be used later in this article:
token_scopes="https://www.googleapis.com/auth/cloud-platform"
3. Configure the secrets engine with JSON key
❯ vault write gcp/config credentials=@key.json
Success! Data written to: gcp/config
4. Gather the email address of the created service account. Service account emails have the format <service-account-id>@<project-id>.iam.gserviceaccount.com. For example, for the service account account1 shown in the snapshot below, the email is account1@hc-97a72564b4bb401582a3683465d.iam.gserviceaccount.com
5. There are two options for configuring a static account: it can generate OAuth2 access tokens or GCP Service Account keys. For more information on the differences between them, please refer to this document.
Option 1: Configure a static account that generates OAuth2 access tokens:
❯ vault write gcp/static-account/my-token-account \
    service_account_email="account1@hc-97a72564b4bb401582a3683465d.iam.gserviceaccount.com" \
    secret_type="access_token" \
    token_scopes="https://www.googleapis.com/auth/cloud-platform" \
    bindings=-<<EOF
      resource "//cloudresourcemanager.googleapis.com/projects/my-project" {
        roles = ["roles/viewer"]
      }
EOF
Success! Data written to: gcp/static-account/my-token-account
- How to generate OAuth2 tokens:
❯ vault read gcp/static-account/my-token-account/token
Key Value
--- -----
expires_at_seconds 1657658515
token ya29.c ...
token_ttl 59m58s
- The token value can then be used as an HTTP Authorization Bearer token in requests to GCP APIs:
❯ curl -H "Authorization: Bearer ya29.c.b0AXv0zTPKvi..."
Option 2: Configure a static account that generates GCP Service Account keys:
❯ vault write gcp/static-account/my-key-account \
service_account_email="account1@hc-97a72564b4bb401582a3683465d.iam.gserviceaccount.com" \
secret_type="service_account_key"
Success! Data written to: gcp/static-account/my-key-account
- How to generate Service Account keys:
❯ vault read gcp/static-account/my-key-account/key
Key Value
--- -----
lease_id gcp/static-account/my-key-account/key/Ul744pACtEqjmZUlDEHkK1xC
lease_duration 768h
lease_renewable true
key_algorithm KEY_ALG_RSA_2048
key_type TYPE_GOOGLE_CREDENTIALS_FILE
private_key_data ewogICJ0eXBlIjogInNlcnZpY2 ...
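The key read above returns the credentials file base64-encoded in private_key_data, and the token read returns an absolute expiry in expires_at_seconds. The following added example (not part of this article or of Vault) shows how a consumer of either static account would decode the key, confirm it belongs to the configured service_account_email before writing it anywhere, store it with owner-only permissions, and compute how long an access token has left. The sample response is constructed inline from placeholder values; the helper names are assumptions.

```python
import base64
import json
import os
import time

# Constructed sample: the "data" object that
# `vault read -format=json gcp/static-account/my-key-account/key` would return.
# All values are placeholders, not real credentials.
SAMPLE_KEY_FILE = {
    "type": "service_account",
    "project_id": "hc-97a72564b4bb401582a3683465d",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "account1@hc-97a72564b4bb401582a3683465d.iam.gserviceaccount.com",
}
SAMPLE_KEY_RESPONSE = {
    "key_algorithm": "KEY_ALG_RSA_2048",
    "key_type": "TYPE_GOOGLE_CREDENTIALS_FILE",
    "private_key_data": base64.b64encode(json.dumps(SAMPLE_KEY_FILE).encode()).decode(),
}


def decode_service_account_key(data, expected_email):
    """Decode private_key_data and check it is a key file for the expected account."""
    if data.get("key_type") != "TYPE_GOOGLE_CREDENTIALS_FILE":
        raise ValueError("unexpected key_type: %s" % data.get("key_type"))
    key_file = json.loads(base64.b64decode(data["private_key_data"]))
    if key_file.get("type") != "service_account":
        raise ValueError("decoded data is not a service account key file")
    if key_file.get("client_email") != expected_email:
        raise ValueError("key belongs to %s, not %s" % (key_file.get("client_email"), expected_email))
    return key_file


def write_key_file(key_file, path):
    """Write the decoded key file with mode 0600, refusing to overwrite an existing file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(key_file, f)
    return path


def token_seconds_remaining(token_data, now=None):
    """Seconds left before an access token from .../token expires (0 if already expired)."""
    now = time.time() if now is None else now
    return max(0, int(token_data["expires_at_seconds"] - now))


if __name__ == "__main__":
    key = decode_service_account_key(SAMPLE_KEY_RESPONSE, SAMPLE_KEY_FILE["client_email"])
    print("project:", key["project_id"], "key id:", key["private_key_id"])
    print("seconds left:", token_seconds_remaining({"expires_at_seconds": 1657658515}, now=1657654917))
```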