The Vault Google Cloud (GCP) secrets engine generates Google Cloud service account keys and OAuth2 access tokens dynamically, based on IAM policies.
Vault can be given two kinds of GCP service account configuration from which to generate access tokens or service account keys: static accounts and rolesets. This knowledge base article mainly covers configuring the Vault GCP secrets engine with a static account. For the differences between static accounts and rolesets, please refer to this document.
1. Enable secret engine gcp from Vault
❯ vault secrets enable gcp
Success! Enabled the gcp secrets engine at: gcp/
2. Create a service account and download a key for it from the GCP console; please refer to this document from GCP. A JSON key file is downloaded to your computer at the end of the process. When using static accounts, the service account Vault authenticates with must also hold, at the service account level, the permissions listed in the Vault GCP secrets engine documentation: it needs to create keys for the target account in order to issue service account keys, and to create tokens for it in order to issue access tokens.
To use this secrets engine, the service account must have the following minimum scope:
https://www.googleapis.com/auth/cloud-platform
This scope is the value passed in Step 5, Option 1 of this article via the flag
token_scopes="https://www.googleapis.com/auth/cloud-platform"
3. Configure the Vault secrets engine with the downloaded JSON key file:
❯ vault write gcp/config credentials=@key.json
Success! Data written to: gcp/config
4. Note the email address of the service account you created. Service account emails have the format <service-account-id>@<project-id>.iam.gserviceaccount.com. For example, for the service account named account1 in the GCP service account page, the email to note is account1@hc-97a72564b4bb401582a3683465d.iam.gserviceaccount.com.
5. A static account can be configured to generate either OAuth2 access tokens or GCP service account keys. For the differences between them, please refer to this document.
- Option 1: Configure a static account that generates OAuth2 access tokens. The bindings block is optional; here it grants the account roles/viewer on the project (my-project is a placeholder for your project ID), and applying it requires that Vault's own service account is allowed to change the IAM policy of that resource. Note the line continuation before bindings and that the heredoc terminator must start in the first column:
❯ vault write gcp/static-account/my-token-account \
    service_account_email="account1@hc-97a72564b4bb401582a3683465d.iam.gserviceaccount.com" \
    secret_type="access_token" \
    token_scopes="https://www.googleapis.com/auth/cloud-platform" \
    bindings=-<<EOF
resource "//cloudresourcemanager.googleapis.com/projects/my-project" {
  roles = ["roles/viewer"]
}
EOF
Success! Data written to: gcp/static-account/my-token-account
To generate an OAuth2 access token (the token_ttl in the output is the token's own lifetime, about one hour):
❯ vault read gcp/static-account/my-token-account/token
Key Value
--- -----
expires_at_seconds 1657658515
token ya29.c ...
token_ttl 59m58s
Access tokens are not Vault leases: Vault does not renew or revoke them, they simply expire after the shown token_ttl, so re-read the token endpoint when a token is near expiry. The token value is presented as an HTTP Bearer token in the Authorization header of requests to GCP APIs (<GCP_API_URL> below is a placeholder for the API endpoint being called):
❯ curl -H "Authorization: Bearer ya29.c.b0AXv0zTPKvi..." <GCP_API_URL>
- Option 2: Configure a static account that generates GCP Service Account keys.
❯ vault write gcp/static-account/my-key-account \
    service_account_email="account1@hc-97a72564b4bb401582a3683465d.iam.gserviceaccount.com" \
    secret_type="service_account_key"
Success! Data written to: gcp/static-account/my-key-account
To generate a service account key (unlike access tokens, each key is a Vault lease: it is renewable, can be revoked with vault lease revoke <lease_id> or vault lease revoke -prefix gcp/static-account/my-key-account/key, and counts against GCP's limit of ten user-managed keys per service account, so revoke keys you no longer need):
❯ vault read gcp/static-account/my-key-account/key
Key Value
--- -----
lease_id gcp/static-account/my-key-account/key/Ul744pACtEqjmZUlDEHkK1xC
lease_duration 768h
lease_renewable true
key_algorithm KEY_ALG_RSA_2048
key_type TYPE_GOOGLE_CREDENTIALS_FILE
private_key_data ewogICJ0eXBlIjogInNlcnZpY2 ...
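The private_key_data value above is the base64 encoding of the same credentials JSON file the GCP console would download, and the token output carries an absolute expiry timestamp. The following Python script is an added example (not part of this article or of the Vault project) showing how a consumer would post-process the JSON form of these two reads (vault read -format=json gcp/static-account/<name>/key and .../token): it decodes the key, checks that it really is a service_account credential for the configured static account before anything touches disk, writes it owner-readable only, and decides when an access token must be re-read. The function names are this example's own, and the sample responses are constructed, reusing the values shown in the article; a real key carries a full RSA private key in private_key.

```python
"""Post-process `vault read -format=json` output for GCP static accounts.

Added example; helper names (decode_service_account_key, write_credentials_file,
stage_credentials, token_seconds_remaining, token_needs_refresh) are assumed.
"""
import base64
import json
import os
import stat
import tempfile
import time

# Email of the static account configured in the article.
EXPECTED_EMAIL = "account1@hc-97a72564b4bb401582a3683465d.iam.gserviceaccount.com"


def decode_service_account_key(vault_response, expected_email):
    """Return the Google credentials JSON carried in data.private_key_data.

    key_type TYPE_GOOGLE_CREDENTIALS_FILE means private_key_data is the
    base64 encoding of a credentials JSON file. Anything that is not a
    service_account credential for the expected account is rejected.
    """
    data = vault_response["data"]
    if data.get("key_type") != "TYPE_GOOGLE_CREDENTIALS_FILE":
        raise ValueError("unexpected key_type %r" % data.get("key_type"))
    creds = json.loads(base64.b64decode(data["private_key_data"]))
    if creds.get("type") != "service_account":
        raise ValueError("decoded credential is not a service_account key")
    if creds.get("client_email") != expected_email:
        raise ValueError("key is for %s, expected %s"
                         % (creds.get("client_email"), expected_email))
    return creds


def write_credentials_file(creds, path):
    """Write the credentials JSON with mode 0600 from the moment of creation,
    so there is no window in which other local users can read the key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(creds, f)
    os.chmod(path, 0o600)  # an existing file keeps its old mode; tighten it
    return path


def stage_credentials(vault_response, expected_email, directory=None):
    """Decode, validate and write the key; return (path, permission bits).
    The path can be exported as GOOGLE_APPLICATION_CREDENTIALS."""
    directory = directory or tempfile.mkdtemp(prefix="vault-gcp-")
    path = os.path.join(directory, "gcp-sa-key.json")
    creds = decode_service_account_key(vault_response, expected_email)
    write_credentials_file(creds, path)
    return path, stat.S_IMODE(os.stat(path).st_mode)


def token_seconds_remaining(token_response, now=None):
    """Seconds until the access token (data.expires_at_seconds) expires."""
    now = time.time() if now is None else now
    return int(token_response["data"]["expires_at_seconds"] - now)


def token_needs_refresh(token_response, now=None, margin_seconds=300):
    """Access tokens are not Vault leases, so nothing renews them for you:
    re-read the /token endpoint once fewer than margin_seconds remain."""
    return token_seconds_remaining(token_response, now) <= margin_seconds


# Constructed sample responses in the shape `vault read -format=json` returns.
SAMPLE_CREDS = {
    "type": "service_account",
    "project_id": "hc-97a72564b4bb401582a3683465d",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
    "client_email": EXPECTED_EMAIL,
    "token_uri": "https://oauth2.googleapis.com/token",
}
SAMPLE_KEY_RESPONSE = {
    "lease_id": "gcp/static-account/my-key-account/key/Ul744pACtEqjmZUlDEHkK1xC",
    "lease_duration": 2764800,  # 768h, as shown in the article
    "renewable": True,
    "data": {
        "key_algorithm": "KEY_ALG_RSA_2048",
        "key_type": "TYPE_GOOGLE_CREDENTIALS_FILE",
        "private_key_data": base64.b64encode(
            json.dumps(SAMPLE_CREDS).encode()).decode(),
    },
}
SAMPLE_TOKEN_RESPONSE = {
    "data": {
        "token": "ya29.c.example",
        "expires_at_seconds": 1657658515,  # as shown in the article
        "token_ttl": 3598,
    },
}

if __name__ == "__main__":
    path, mode = stage_credentials(SAMPLE_KEY_RESPONSE, EXPECTED_EMAIL)
    print("wrote %s with mode %o" % (path, mode))
    issued_at = SAMPLE_TOKEN_RESPONSE["data"]["expires_at_seconds"] - 3598
    print("refresh needed right after issue:",
          token_needs_refresh(SAMPLE_TOKEN_RESPONSE, now=issued_at))
```

The email check matters because the key endpoint is per static account: if a Vault policy ever grants a caller read access to the wrong static account path, the mismatch is caught before the key is written or used. Keys should still be revoked through Vault (vault lease revoke <lease_id>) once the consumer is finished with them.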