101. GCP-GCE authentication

The gcp auth backend allows Vault login by using existing GCP (Google Cloud Platform) IAM and GCE credentials.

GCP GCE (Google Compute Engine) authentication uses a signature in the form of a JSON Web Token (JWT) issued for a service account. A JWT for a Compute Engine instance is obtained from the GCE metadata service through its instance identity endpoint. That endpoint returns a JWT, signed by Google, that Vault can verify to confirm the instance identity.

Unlike most Vault authentication backends, this backend does not require first deploying or provisioning security-sensitive credentials (tokens, username/password, client certificates, etc.). Instead, it treats GCP as a Trusted Third Party and uses the cryptographically signed, dynamic metadata information that uniquely represents each GCP service account.

Example 101.1. bootstrap.yml with required GCP-GCE Authentication properties

    spring.cloud.vault:
        authentication: GCP_GCE
        gcp-gce:
            role: my-dev-role    # Vault role the instance logs in with

Example 101.2. bootstrap.yml with all GCP-GCE Authentication properties

    spring.cloud.vault:
        authentication: GCP_GCE
        gcp-gce:
            gcp-path: gcp        # mount path of the gcp auth backend in Vault
            role: my-dev-role    # Vault role the instance logs in with
            # placeholder: e-mail address of the service account whose identity is used
            service-account: my-service@my-project.iam.gserviceaccount.com
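The exchange behind these properties, as an added example that is not code from the original documentation or from Spring Cloud Vault: it builds the metadata-service request for a role-bound identity JWT, runs a pre-flight check on the (unverified) claims so that a token minted for the wrong audience or an expired one never reaches Vault, and builds the login request for the gcp backend mounted at `gcp-path`. It assumes the `http://vault/<role>` audience form used by Spring Vault's GCE authentication, the role names from the examples above, and a constructed unsigned sample token for offline use; signature verification is Vault's job, not the client's.

```python
import base64
import json
import time
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

# Metadata service endpoint that mints instance identity JWTs. The
# Metadata-Flavor header is mandatory; requests without it are refused.
METADATA_IDENTITY_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                         "instance/service-accounts/default/identity")
METADATA_HEADERS = {"Metadata-Flavor": "Google"}

def identity_request(role: str) -> Tuple[str, Dict[str, str]]:
    """GET request for an identity JWT. The audience binds the token to one Vault
    role (Spring Vault requests the http://vault/<role> form), so a token minted
    for my-dev-role is rejected if replayed against another role."""
    query = urlencode({"audience": "http://vault/" + role, "format": "full"})
    return METADATA_IDENTITY_URL + "?" + query, METADATA_HEADERS

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature: only Vault, checking it
    against Google's published certificates, may treat the claims as authentic."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))

def preflight_ok(token: str, role: str, now: Optional[float] = None) -> bool:
    """Pre-flight check: wrong audience/role or an expired token means skip the login call."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    right_audience = claims.get("aud") in ("vault/" + role, "http://vault/" + role)
    return right_audience and claims.get("exp", 0) > now

def vault_login_request(vault_addr: str, gcp_path: str, role: str,
                        token: str) -> Tuple[str, Dict[str, str]]:
    """POST target and JSON body for the gcp backend mounted at gcp_path."""
    return f"{vault_addr}/v1/auth/{gcp_path}/login", {"role": role, "jwt": token}

def demo_token(claims: dict) -> str:
    """CONSTRUCTED offline sample; a real token is RS256-signed by Google."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."

SAMPLE_CLAIMS = {"aud": "http://vault/my-dev-role", "exp": 2_000_000_000,
                 "google": {"compute_engine": {"project_id": "my-project"}}}
```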

See also: