vault-env: Support JWT-based auth methods outside of K8s clusters #1321
What's in this PR?
This PR enables vault-env to use JWT-based authentication methods while running outside a Kubernetes cluster (and even from outside cloud providers). It just removes an unnecessary check for running in a Kubernetes environment that made it impossible to use vault-env elsewhere.
Why?
Attempts to use a self-signed GCP SA JWT token (not signed by the metadata server as with gcp-iam) with VAULT_AUTH_METHOD=jwt resulted in:
With this PR you can do:
Additional context
To use the above, download the GCP SA private key JSON file (set path in GOOGLE_APPLICATION_CREDENTIALS) and use the following Bash function (roughly based on https://gist.github.com/jtbonhomme/d41efed3946a400bf5f93d7ccad4283c):
Because the JWT token creation is independent of the GCP metadata server, this also works outside GCP.
Checklist
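The Go example below is added here and is not part of this PR or of vault-env. It shows what "self-signed" means in the description above: the token is signed locally with the service account's RSA key and checked against the matching public key, with no metadata server involved. The claim set (iss and sub set to the service account e-mail), the "vault" audience, the key ID, the e-mail address and the generated key are assumptions; a real key would come from the private_key field of the JSON file.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding
var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // constructed key standing in for the SA JSON private_key

// SignJWT signs the claims locally with the service account key (RS256); no metadata server is contacted.
func SignJWT(key *rsa.PrivateKey, kid, saEmail, aud string, now time.Time, ttl time.Duration) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	cl, _ := json.Marshal(map[string]any{"iss": saEmail, "sub": saEmail, "aud": aud, "iat": now.Unix(), "exp": now.Add(ttl).Unix()})
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(cl)
	sum := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	return input + "." + enc.EncodeToString(sig), err
}

// VerifyJWT mirrors the relying party: RS256 signature first, then audience and expiry; returns sub.
func VerifyJWT(tok string, pub *rsa.PublicKey, aud string, now time.Time) (string, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return "", fmt.Errorf("malformed token")
	}
	sig, e1 := enc.DecodeString(p[2])
	raw, e2 := enc.DecodeString(p[1])
	sum := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if e1 != nil || e2 != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) != nil {
		return "", fmt.Errorf("bad encoding or signature")
	}
	var c struct{ Sub, Aud string; Exp int64 }
	if json.Unmarshal(raw, &c) != nil || c.Aud != aud || now.Unix() >= c.Exp {
		return "", fmt.Errorf("claims rejected")
	}
	return c.Sub, nil
}

func main() {
	tok, _ := SignJWT(demoKey, "constructed-key-id", "sa@example-project.iam.gserviceaccount.com", "vault", time.Now(), 5*time.Minute)
	fmt.Println(VerifyJWT(tok, &demoKey.PublicKey, "vault", time.Now()))
}
```

Because anyone holding the key file can mint such tokens from any host, the short expiry and the audience check on the verifying side are what bound a leaked token's usefulness.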