The gcp auth method allows Google Cloud Platform entities to authenticate against Vault. Vault treats Google Cloud as a trusted third party and verifies authenticating entities against the Google Cloud APIs. This backend allows for authentication of:
- Google Cloud IAM service accounts
- Google Compute Engine (hereon, GCE) instances
This article describes authenticating to Vault using the gce role type.
Pre-requisites:
- A running GCE VM instance.
- A running Vault server. This article is written after performing these steps in the lab with Vault v1.8.5+ent.
- A GCP service account with at least the following permissions:
  - Editor -> Default compute service account
  - Editor -> Google APIs Service Agent
Setup:
- Enable the Google Cloud auth method, run:
vault auth enable gcp
- Configure the auth method credentials, run:
vault write auth/gcp/config credentials=@/home/ubuntu/cred.json
Note: "cred.json" is the service account key downloaded from the GCP Portal in JSON format.
- Create a gce-type role named my-gce-role, run:
vault write auth/gcp/role/my-gce-role \
  type='gce' policies='superuser' \
  bound_projects="hc-3df7493fe7364079b5069fbbfd6" \
  bound_zones="us-east1-b" \
  bound_service_accounts="395240508255-compute@developer.gserviceaccount.com"
- Obtain the JWT token from the "service-accounts/default/identity" endpoint of the instance's metadata server. Run the following commands inside the GCE instance that you've created:
export VAULT_ADDR="http://192.168.64.5:8200" # Use your Vault API address here.
export SERVICE_ACCOUNT="default" # Substitute another service account attached to the VM instance or use the built-in default. I chose `default`.
export ROLE="my-gce-role"
export AUD="$VAULT_ADDR/vault/$ROLE"
# Ask the metadata server for a full-format identity token whose audience is the Vault role.
export TOKEN="$(curl --header "Metadata-Flavor: Google" --get --data-urlencode "audience=${AUD}" --data-urlencode "format=full" "http://metadata/computeMetadata/v1/instance/service-accounts/${SERVICE_ACCOUNT}/identity")"
After running the export TOKEN command, the JWT is stored in the GCE instance as an environment variable. You can run env and copy the value of TOKEN from there. Afterward, on the Vault server, or from any remote location from which you can curl Vault, run:
curl -k --request POST --data @payload.json \
  http://your_vault_address/v1/auth/gcp/login | jq
The payload.json will look like this:
{
  "role": "my-gce-role",
  "jwt": "THE_JWT_TOKEN_VALUE_TO_BE_PASTED_HERE"
}
The output will be:
{
"request_id": "2409f6e7-257f-51aa-cd56-fbd62f4ce106",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": null,
"wrap_info": null,
"warnings": null,
"auth": {
"client_token": "s.KEReJF1VDAdOxlM736ms021G",
"accessor": "IPth3SyI8AYGA9tEBSJtbYSY",
"policies": [
"default",
"superuser"
],
"token_policies": [
"default",
"superuser"
],
"metadata": {
"instance_creation_timestamp": "1658391691",
"instance_id": "3291279153423495783",
"instance_name": "instance-1",
"project_id": "hc-3df7493fe7364079b5069fbbfd6",
"project_number": "395240508255",
"role": "my-gce-role",
"service_account_email": "395240508255-compute@developer.gserviceaccount.com",
"service_account_id": "113508078220987864601",
"zone": "us-east1-b"
},
"lease_duration": 2764800,
"renewable": true,
"entity_id": "d3757b67-1490-3f1a-9190-1a6359cb10e6",
"token_type": "service",
"orphan": true
}
}
- Verify the token generated, run:
$ vault token lookup s.KEReJF1VDAdOxlM736ms021G
Key Value
--- -----
accessor IPth3SyI8AYGA9tEBSJtbYSY
creation_time 1658468727
creation_ttl 768h
display_name gcp-instance-1
entity_id d3757b67-1490-3f1a-9190-1a6359cb10e6
expire_time 2022-08-23T11:15:27.561749768+05:30
explicit_max_ttl 0s
id s.KEReJF1VDAdOxlM736ms021G
issue_time 2022-07-22T11:15:27.561788185+05:30
meta map[instance_creation_timestamp:1658391691 instance_id:3291279153423495783 instance_name:instance-1 project_id:hc-3df7493fe7364079b5069fbbfd6 project_number:395240508255 role:my-gce-role service_account_email:395240508255-compute@developer.gserviceaccount.com service_account_id:113508078220987864601 zone:us-east1-b]
num_uses 0
orphan true
path auth/gcp/login
policies [default superuser]
renewable true
ttl 760h44m54s
type service
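To make the role's bound_* constraints from the role-creation step concrete, and to show what Vault is actually checking when the JWT is posted to auth/gcp/login, here is an added Python example. It is not part of the original article and is not Vault's own code: it decodes a GCE identity token of the shape the metadata server returns with format=full and applies the checks a gce-type role enforces, namely issuer, expiry, an audience ending in vault/<role>, and the project, zone and service account against bound_projects, bound_zones and bound_service_accounts. The sample claims are constructed from the values in the article's login output; the token is built with a placeholder signature, so signature verification against Google's public keys, which Vault does perform, is deliberately left out. The exact audience-matching rule and the claim layout are assumptions drawn from the Google identity-token documentation listed in the references.

```python
import base64
import json
import time
from typing import Dict, List, Optional

# Constructed sample claims, shaped like the "format=full" identity token
# payload that the GCE metadata server returns. Values are copied from the
# article's login output; this is not a token captured from a real VM.
SAMPLE_CLAIMS: Dict = {
    "iss": "https://accounts.google.com",
    "aud": "http://192.168.64.5:8200/vault/my-gce-role",
    "sub": "113508078220987864601",
    "email": "395240508255-compute@developer.gserviceaccount.com",
    "email_verified": True,
    "iat": 1658468700,
    "exp": 1658472300,
    "google": {
        "compute_engine": {
            "project_id": "hc-3df7493fe7364079b5069fbbfd6",
            "project_number": 395240508255,
            "zone": "us-east1-b",
            "instance_id": "3291279153423495783",
            "instance_name": "instance-1",
            "instance_creation_timestamp": 1658391691,
        }
    },
}

# The constraints the article configured with `vault write auth/gcp/role/my-gce-role`.
ROLE: Dict = {
    "name": "my-gce-role",
    "bound_projects": {"hc-3df7493fe7364079b5069fbbfd6"},
    "bound_zones": {"us-east1-b"},
    "bound_service_accounts": {"395240508255-compute@developer.gserviceaccount.com"},
}


def b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWTs do."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: Dict) -> str:
    """Build header.payload.signature with a placeholder signature (offline demo only;
    a real identity token is RS256-signed by Google)."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "constructed"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.c2lnbmF0dXJl"  # base64url of the word "signature"


def decode_claims(jwt: str) -> Dict:
    """Decode the payload segment WITHOUT verifying the signature.
    Vault verifies the signature against Google's public keys before trusting any claim."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_gce_claims(jwt: str, role: Dict, now: Optional[int] = None) -> List[str]:
    """Return the reasons a gce-type role would reject this token; an empty list
    means every check shown here passed. Mirrors Vault's checks in simplified form."""
    now = int(time.time()) if now is None else now
    claims = decode_claims(jwt)
    problems: List[str] = []
    if claims.get("iss") != "https://accounts.google.com":
        problems.append(f"unexpected issuer {claims.get('iss')!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    # The article builds AUD as "$VAULT_ADDR/vault/$ROLE"; the suffix rule is an assumption.
    if not str(claims.get("aud", "")).endswith(f"vault/{role['name']}"):
        problems.append(f"audience {claims.get('aud')!r} is not for role {role['name']!r}")
    gce = claims.get("google", {}).get("compute_engine")
    if gce is None:
        problems.append("missing google.compute_engine claim (not a GCE identity token)")
        return problems
    if role["bound_projects"] and gce.get("project_id") not in role["bound_projects"]:
        problems.append(f"project {gce.get('project_id')!r} not in bound_projects")
    if role["bound_zones"] and gce.get("zone") not in role["bound_zones"]:
        problems.append(f"zone {gce.get('zone')!r} not in bound_zones")
    if role["bound_service_accounts"] and claims.get("email") not in role["bound_service_accounts"]:
        problems.append(f"service account {claims.get('email')!r} not in bound_service_accounts")
    return problems


if __name__ == "__main__":
    token = make_unsigned_jwt(SAMPLE_CLAIMS)
    print("problems for sample token:", check_gce_claims(token, ROLE, now=1658468800))
    moved = dict(SAMPLE_CLAIMS)
    moved["google"] = {"compute_engine": dict(SAMPLE_CLAIMS["google"]["compute_engine"], zone="us-central1-a")}
    print("problems for a VM in another zone:", check_gce_claims(make_unsigned_jwt(moved), ROLE, now=1658468800))
```

The second run in the usage block shows why the bound_zones and bound_projects settings matter: an identity token from a VM outside the configured project or zone, even one running under the same service account, is rejected before any Vault token is issued. Leaving a bound_* field empty disables that particular check, which is why the role in this article binds all three.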
Reference Articles:
- Vault Documentation: Google Cloud Auth Method
- Google Cloud Documentation: GCP - How to authenticate as a service account
- Google Cloud Documentation: Verifying the identity of instances
- Vault API: Google Cloud Auth Method (API)