The Vault Google Cloud secrets engine generates Google Cloud service account keys or OAuth access tokens dynamically, based on IAM policies.
There are two types of GCP service accounts that can be provided to Vault to generate OAuth access tokens or GCP Service Account keys: Static Accounts and Rolesets. This article is going to cover configuration of Vault GCP Secret Engine with Rolesets to generate service account keys. For more information on the differences between Static Accounts and Rolesets, please refer to this document.
1. Enable GCP secrets engine in Vault
$ vault secrets enable gcp
Success! Enabled the gcp secrets engine at: gcp/
2. Create a service account credential from the GCP console (refer to this document from GCP). When using rolesets at project level, the Vault service account must hold the permissions required for rolesets, as listed in the GCP secrets engine documentation. A JSON key file is downloaded to your computer at the end of the process.
To use this secrets engine, the service account must have the following minimum scope(s):
https://www.googleapis.com/auth/cloud-platform
This minimum scope is the value used for the token_scopes parameter when a roleset is configured to generate access tokens:
token_scopes="https://www.googleapis.com/auth/cloud-platform"
There are many access scopes to choose from; cloud-platform is considered the best-practice access scope, because it is the OAuth scope for most Google Cloud services, and the service account's access is then controlled by granting it IAM roles.
3. Then configure the Vault secrets engine with JSON key:
$ vault write gcp/config credentials=@key.json
Success! Data written to: gcp/config
4. Enable API for GCP project from API & Service: Enable the Identity and Access Management (IAM) API and Cloud Resource Manager API.
If an API has already been enabled, the console shows a MANAGE button instead of ENABLE.
5. Configure a roleset, providing the project name and secret_type. The following example uses a service account key instead of an access token:
$ vault write gcp/roleset/my-key-roleset \
project="roleset-test" \
secret_type="service_account_key" \
bindings=@mybindings.hc
mybindings.hc:
resource "//cloudresourcemanager.googleapis.com/projects/roleset-test" {
roles = ["roles/viewer"]
}
For more information on role bindings and sample role bindings, please see the bindings section from GCP secret engine documentation.
* Important Note: If you receive a permission error such as the one below, use the GCP project ID for the project parameter, as well as in the resource URL in the bindings file (example below).
URL: PUT http://127.0.0.1:8200/v1/gcp/roleset/my-key-roleset
Code: 400. Errors:
* googleapi: Error 403: Permission iam.serviceAccounts.create is required to perform this operation on project projects/rolest-test., forbidden
resource "//cloudresourcemanager.googleapis.com/projects/<PROJECT_ID>" {
roles = [
"roles/viewer"
]
}
6. To generate a service account key, run the following command:
$ vault read gcp/roleset/my-key-roleset/key
Output:
Key Value
--- -----
lease_id gcp/key/my-key-roleset/xxxxxx
lease_duration 768h
lease_renewable true
key_algorithm KEY_ALG_RSA_2048
key_type TYPE_GOOGLE_CREDENTIALS_FILE
private_key_data xxxxxx
This generates a new GCP IAM service account key associated with the roleset's service account.
Note: Only 10 keys per service account are allowed. For more information about the service account key quota limit, please refer to this part of the documentation.
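The steps above, collected into one helper script. This is an added example and not part of the original article or the Vault project; it assumes an authenticated Vault CLI (VAULT_ADDR, VAULT_TOKEN) with the gcp engine mounted at gcp/. The roleset name my-key-roleset and the bindings shape come from the article; the function names, the file names and the json_field helper are assumptions made for illustration. It reads the key exactly once (every `vault read` on the key endpoint mints a new key that counts against the 10-key quota), stores the decoded credentials file with owner-only permissions, and keeps the lease id so the key can be revoked with `vault lease revoke` when it is no longer needed.

```shell
#!/bin/sh
# Added example, not from the original article: helper for the roleset
# workflow described above. Assumes an authenticated Vault CLI and the gcp
# engine mounted at gcp/. Function and file names are assumptions.
set -eu

# Render the bindings file from the GCP project ID. Using the display name
# here (or in project=) is what produces the 403 iam.serviceAccounts.create
# error quoted in the article.
write_bindings() {
    project_id=$1
    out=$2
    cat > "$out" <<EOF
resource "//cloudresourcemanager.googleapis.com/projects/${project_id}" {
  roles = ["roles/viewer"]
}
EOF
}

# Extract the first string value for a key from pretty-printed JSON on stdin
# (one key per line, as `vault read -format=json` prints). Sufficient for
# lease_id and private_key_data; it is not a general JSON parser.
json_field() {
    sed -n "s/^[[:space:]]*\"$1\":[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Decode private_key_data (base64) from stdin into a key file created with
# owner-only permissions, and check that it really is a service account
# credentials file before keeping it. Prints the path on success.
save_key_data() {
    out=$1
    umask 077
    base64 -d > "$out"
    if ! grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' "$out"; then
        rm -f "$out"
        echo "decoded data is not a service account key file" >&2
        return 1
    fi
    printf '%s\n' "$out"
}

# End-to-end against a live Vault: configure the roleset, read the key ONCE,
# save the decoded key file and record the lease id for later revocation
# (`vault lease revoke "$(cat ./sa-key.lease)"`).
issue_key() {
    project_id=$1
    write_bindings "$project_id" mybindings.hcl
    vault write gcp/roleset/my-key-roleset \
        project="$project_id" \
        secret_type="service_account_key" \
        bindings=@mybindings.hcl
    vault read -format=json gcp/roleset/my-key-roleset/key > key-response.json
    json_field private_key_data < key-response.json | save_key_data ./sa-key.json
    json_field lease_id < key-response.json > ./sa-key.lease
    rm -f key-response.json
    echo "key saved to ./sa-key.json, lease id in ./sa-key.lease"
}

# Only talk to Vault when explicitly asked, so the file is safe to source.
if [ "${RUN_VAULT_STEPS:-0}" = 1 ]; then
    issue_key "${GCP_PROJECT_ID:?set GCP_PROJECT_ID to the project ID}"
fi
```

Run it with `RUN_VAULT_STEPS=1 GCP_PROJECT_ID=<your project id> sh issue-key.sh`; sourcing it without those variables only defines the functions, which is convenient for reusing save_key_data on output you already have.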