The gcp auth backend allows Vault login by using existing GCP (Google Cloud Platform) IAM and GCE credentials.

GCP IAM authentication creates a signature in the form of a JSON Web Token (JWT) for a service account. A JWT for a service account is obtained by calling GCP IAM's projects.serviceAccounts.signJwt API. The caller authenticates against GCP IAM and thereby proves its identity. This Vault backend treats GCP as a Trusted Third Party.

IAM credentials can be obtained from the runtime environment, specifically the GOOGLE_APPLICATION_CREDENTIALS environment variable or the Google Compute metadata service, or supplied externally, e.g. as JSON or base64-encoded. JSON is the preferred form, as it carries the project id and service account identifier required for calling projects.serviceAccounts.signJwt.
Example 5.1. bootstrap.yml with required GCP-IAM Authentication properties

```yaml
spring.cloud.vault:
    authentication: GCP_IAM
    gcp-iam:
        role: my-dev-role
```

Example 5.2. bootstrap.yml with all GCP-IAM Authentication properties

```yaml
spring.cloud.vault:
    authentication: GCP_IAM
    gcp-iam:
        credentials:
            location: classpath:credentials.json
            encoded-key: e+KApn0=
        gcp-path: gcp
        jwt-validity: 15m
        project-id: my-project-id
        role: my-dev-role
        service-account: [email protected]
```

- `role` sets the name of the role against which the login is being attempted.
- `credentials.location` path to the credentials resource that contains Google credentials in JSON format.
- `credentials.encoded-key` the base64-encoded contents of an OAuth2 account private key in the JSON format.
- `gcp-path` sets the path of the GCP mount to use.
- `jwt-validity` configures the JWT token validity. Defaults to 15 minutes.
- `project-id` allows overriding the project Id to a specific value. Defaults to the project Id from the obtained credential.
- `service-account` allows overriding the service account Id to a specific value. Defaults to the service account from the obtained credential.

GCP IAM authentication requires the Google Cloud Java SDK dependency (com.google.apis:google-api-services-iam and com.google.auth:google-auth-library-oauth2-http), as the authentication implementation uses Google APIs for credentials and JWT signing.
Note: Google credentials require an OAuth 2 token maintaining the token lifecycle. All API is synchronous therefore,
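The signing flow described above, as an added example that is not part of Spring Cloud Vault's own code: it resolves project id and service account from the credential (with the property overrides), builds the claim set Vault's gcp auth method expects (`sub` = service account, `aud` = `vault/<role>`, `exp` = now + jwt-validity), and produces the signJwt call and the Vault login call. The credentials JSON, the service account email and the 15m max_jwt_exp default are constructed or assumed values, not taken from the page.

```python
import json
import time

# Constructed stand-in for credentials.json: only the fields this flow reads, no private key.
SAMPLE_CREDENTIALS_JSON = json.dumps({
    "type": "service_account",
    "project_id": "my-project-id",
    "client_email": "my-sa@my-project-id.iam.gserviceaccount.com",
})


def resolve_identity(credentials_json, project_id=None, service_account=None):
    """Project id and service account default to the credential's own values;
    the project-id / service-account properties override them."""
    cred = json.loads(credentials_json)
    if cred.get("type") != "service_account":
        raise ValueError("GCP IAM login needs service-account credentials")
    return project_id or cred["project_id"], service_account or cred["client_email"]


def build_claims(service_account, role, jwt_validity_s=900, max_jwt_exp_s=900, now=None):
    """Claim set for the JWT: sub = the service account, aud = vault/<role>,
    exp = now + jwt-validity. Vault rejects a JWT whose exp lies further ahead
    than the role's max_jwt_exp (assumed default 15m here), so fail early."""
    if jwt_validity_s > max_jwt_exp_s:
        raise ValueError(f"jwt-validity {jwt_validity_s}s exceeds the role's max_jwt_exp")
    now = int(time.time()) if now is None else now
    return {"sub": service_account, "aud": f"vault/{role}", "exp": now + jwt_validity_s}


def sign_jwt_request(project_id, service_account, claims):
    """URL and JSON body for projects.serviceAccounts.signJwt. The caller's own
    OAuth 2 access token goes in the Authorization header; Google signs with a key
    it holds, so the signing key never has to be present locally."""
    name = f"projects/{project_id}/serviceAccounts/{service_account}"
    return f"https://iam.googleapis.com/v1/{name}:signJwt", {"payload": json.dumps(claims)}


def vault_login_request(role, signed_jwt, gcp_path="gcp"):
    """Login call against the gcp auth mount (gcp-path); Vault verifies the
    signature against Google's public keys for that service account."""
    return f"/v1/auth/{gcp_path}/login", {"role": role, "jwt": signed_jwt}
```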
The Kubernetes authentication mechanism (since Vault 0.8.3) allows authenticating with Vault using a Kubernetes Service Account Token. The authentication is role-based, and the role is bound to a service account name and a namespace.

A file containing a JWT token for a pod's service account is automatically mounted at /var/run/secrets/kubernetes.io/serviceaccount/token.

Example 5.3. bootstrap.yml with all Kubernetes authentication properties

```yaml
spring.cloud.vault:
    authentication: KUBERNETES
    kubernetes:
        role: my-dev-role
        kubernetes-path: kubernetes
        service-account-token-file: /var/run/secrets/kubernetes.io/serviceaccount/token
```

- `role` sets the Role.
- `kubernetes-path` sets the path of the Kubernetes mount to use.
- `service-account-token-file` sets the location of the file containing the Kubernetes Service Account Token. Defaults to /var/run/secrets/kubernetes.io/serviceaccount/token.