Thegcpauth method allows Google Cloud Platform entities to authenticate to Vault. Vault treats Google Cloud as a trusted third party and verifies authenticating entities against the Google Cloud APIs. This article describes the authentication of Vault using the Google Cloud IAM service accounts
Pre-requisites:
- The vault should be installed
- Need a GCP account
- Need a project in the GCP account, if we already have then we can select the existing project & start the Cloud Shell which will load the virtual machine with all the development tools that we need.
Setup:
Note:- Run all these commands in the Cloud Shell
1) Make sure the Google Cloud IAM API is enabled.
gcloud services enable iam.googleapis.com
2) We will create two service accounts. One is for Vault so that it can communicate with GCP as by default it has no such permission. We can create a service account with the name "vaultgcpadmin" service account. The Vault will use this account for verification calls to GCP.
Create the vaultgcpadmin service account and a JSON key file:
gcloud iam service-accounts create vaultgcpadmin
export GOOGLE_CLOUD_PROJECT="mentioned the project id"
export VAULTGCPADMIN_SA_EMAIL="vaultgcpadmin@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com"
gcloud iam service-accounts keys create vaultgcpadmin-key.json --iam-account=${VAULTGCPADMIN_SA_EMAIL}
Next, grant this account the appropriate permissions so that Vault can verify service accounts:
gcloud iam roles create vaultGcpAdmin --permissions="iam.serviceAccounts.get,iam.serviceAccountKeys.get" --project=${GOOGLE_CLOUD_PROJECT}
Assigning the service account vaultgcpadmin to role vaultGcpAdmin
gcloud projects add-iam-policy-binding ${GOOGLE_CLOUD_PROJECT} --member="serviceAccount:${VAULTGCPADMIN_SA_EMAIL}" --role="projects/${GOOGLE_CLOUD_PROJECT}/roles/vaultGcpAdmin"
Let's create the user service account with a less privileged, acting as a user who can only get specific secrets from. Suppose a user is a bobbob.
gcloud iam service-accounts create bobbob
export BOBBOB_SA_EMAIL="bobbob@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com"
gcloud iam service-accounts keys create bobbob-key.json --iam-account=${BOBBOB_SA_EMAIL}
Vault expects this account to give a signed JWT as proof of identity. As such, we need to grant this service account the ability to use the GCP IAM API method to sign Jwt on itself.
gcloud iam service-accounts add-iam-policy-binding ${BOBBOB_SA_EMAIL} --member="serviceAccount:${BOBBOB_SA_EMAIL}" --role="roles/iam.serviceAccountTokenCreator"
Note:- Run the below commands on the Vault server
export GOOGLE_CLOUD_PROJECT="mentioned the project id"
export BOBBOB_SA_EMAIL="bobbob@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com"
vault secrets enable kv
vault kv put kv/test/secret key=test
#creating the policy with name test
vault policy write test - <<EOF
# Policy content goes here
path "kv/data/test/*" {
capabilities = ["read"]
}
path "kv/metadata/test/*" {
capabilities = ["read"]
}
EOF
#Enable GCP auth method
vault auth enable gcp
vault write auth/gcp/config credentials=@vaultadmin-key.json
vault write auth/gcp/role/gcp-role type="iam" project_id=${GOOGLE_CLOUD_PROJECT} policies="test" bound_service_accounts=${BOBBOB_SA_EMAIL}
vault login -method=gcp role="gcp-role" service_account=${BOBBOB_SA_EMAIL} jwt_exp="15m" credentials=@bobbob-key.json
VAULT_TOKEN=PassTokenGotFromAboveCommand vault kv get kv/test/secret