The gcp auth backend allows Vault login by using existing GCP (Google Cloud Platform) IAM and GCE credentials.
GCP GCE (Google Compute Engine) authentication creates a signature in the form of a JSON Web Token (JWT) for a service account. A JWT for a Compute Engine instance is obtained from the GCE metadata service using the instance identity endpoint. That endpoint returns a JSON Web Token that can be used to confirm the instance's identity.
Unlike most Vault authentication backends, this backend does not require first deploying or provisioning security-sensitive credentials (tokens, username/password, client certificates, etc.). Instead, it treats GCP as a Trusted Third Party and uses the cryptographically signed dynamic metadata information that uniquely represents each GCP service account.
Example 4.1. bootstrap.yml with required GCP-GCE Authentication properties

    spring.cloud.vault:
        authentication: GCP_GCE
        gcp-gce:
            role: my-dev-role

Example 4.2. bootstrap.yml with all GCP-GCE Authentication properties

    spring.cloud.vault:
        authentication: GCP_GCE
        gcp-gce:
            gcp-path: gcp
            role: my-dev-role
            service-account: [email protected]
role
    sets the name of the role against which the login is being attempted.
gcp-path
    sets the path of the GCP mount to use.
service-account
    allows overriding the service account ID to a specific value. Defaults to the default service account.
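The exchange that the client performs for a GCP_GCE login, as an added example that is not part of the original documentation or of Spring Vault's own code: it requests the instance identity JWT from the metadata server with the audience Vault expects for the configured role, sanity-checks the claims, and posts the token to the configured gcp mount. The metadata and Vault endpoints are the real ones; the role name my-dev-role is taken from the examples above, and unsigned_sample_token builds a constructed, unsigned token only so the claim checks can be exercised offline.

```python
import base64
import json
import time
import urllib.request

METADATA = "http://metadata.google.internal/computeMetadata/v1"

def identity_token_url(role, service_account="default"):
    # Vault requires audience "vault/<role>"; format=full adds the instance
    # block (project, zone, instance id) that Vault checks against the role.
    return (f"{METADATA}/instance/service-accounts/{service_account}/identity"
            f"?audience=vault/{role}&format=full")

def fetch_identity_token(role, service_account="default"):
    # Only reachable from inside a GCE instance; no credentials are deployed.
    req = urllib.request.Request(identity_token_url(role, service_account),
                                 headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()

def jwt_claims(token):
    # Payload only: Vault verifies the RS256 signature against Google's
    # published certificates, so the client does not need to.
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def identity_problems(claims, role, now=None):
    # Pre-flight checks mirroring reasons Vault rejects a login.
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") != f"vault/{role}":
        problems.append(f"audience {claims.get('aud')!r} is not vault/{role}")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    if "compute_engine" not in claims.get("google", {}):
        problems.append("no google.compute_engine claim (format=full missing?)")
    return problems

def vault_login(vault_addr, gcp_path, role, token):
    # Returns the auth block: client_token, policies, lease_duration.
    body = json.dumps({"role": role, "jwt": token}).encode()
    req = urllib.request.Request(f"{vault_addr}/v1/auth/{gcp_path}/login", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["auth"]

def unsigned_sample_token(claims):
    # Constructed, unsigned token for offline demonstration only.
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'RS256', 'typ': 'JWT'})}.{seg(claims)}.unsigned"
```

On an instance, `vault_login("https://vault.example:8200", "gcp", "my-dev-role", fetch_identity_token("my-dev-role"))` performs the same login that the bootstrap.yml above configures; run `identity_problems` on the fetched token first when a login is rejected and the error message is unhelpful.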