---
layout: docs
page_title: GCP auth support for Vault Secrets Operator
description: Learn how GCP authentication works for Vault Secrets Operator
---
The Vault Secrets Operator (VSO) supports authenticating to Vault's GCP auth method, using Google Kubernetes Engine (GKE) workload identity.

- Follow Google's [Use Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) guide to enable workload identity on a GKE cluster so your Kubernetes service account can impersonate a Google IAM service account.
- Create an appropriate authentication role in your Vault instance, binding it to the Google IAM service account that the Kubernetes service account impersonates:

  ```shell-session
  $ vault write auth/gcp/role/<VAULT_GCP_ROLE> \
      type="iam" \
      policies="default" \
      max_jwt_exp=3600 \
      bound_service_accounts="<SERVICE_ACCOUNT>@<GCP_PROJECT>.iam.gserviceaccount.com"
  ```

  The same role with the Terraform Vault provider (`token_policies` and `bound_service_accounts` are lists, and the role name is a quoted string):

  ```hcl
  resource "vault_gcp_auth_backend_role" "gcp_role" {
    backend        = "auth/gcp"
    role           = "<VAULT_GCP_ROLE>"
    type           = "iam"
    token_policies = ["default"]
    max_jwt_exp    = 3600
    bound_service_accounts = [
      "<SERVICE_ACCOUNT>@<GCP_PROJECT>.iam.gserviceaccount.com",
    ]
  }
  ```

  `max_jwt_exp` must be at least one hour (3600 seconds).
- Create the corresponding authentication object for VSO. `workloadIdentityServiceAccount` names the Kubernetes service account (in the same namespace as the `VaultAuth`) that carries the workload identity annotation, and `role` names the Vault role created above:

  ```yaml
  apiVersion: secrets.hashicorp.com/v1beta1
  kind: VaultAuth
  metadata:
    name: vaultauth-gcp-example
    namespace: <K8S_NAMESPACE>
  spec:
    vaultConnectionRef: <VAULT_CONNECTION_NAME>
    mount: gcp
    method: gcp
    gcp:
      role: <VAULT_GCP_ROLE>
      workloadIdentityServiceAccount: <K8S_SERVICE_ACCOUNT>
  ```
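The three steps above produce three artifacts that have to agree with each other: the Kubernetes service account's workload identity annotation, the `VaultAuth` object, and the Vault role. Most login failures in practice come from a mismatch between them (wrong namespace, an unannotated service account, a service account email missing from `bound_service_accounts`, or a role with too short a `max_jwt_exp`). The script below is an added example, not code from the Vault Secrets Operator project: it cross-checks constructed stand-ins for the three artifacts offline, and then applies the claim checks that, to my understanding, the Vault GCP auth method performs on an IAM-type login JWT (`aud` must equal `vault/<role>`, `sub` must be a bound service account, and `exp` must lie within `max_jwt_exp` of the current time). The role name, project, service account names and the claim values are all made up for the example; the real Vault server resolves `sub` through the IAM API rather than by plain string comparison.

```python
"""Offline pre-flight check for VSO GCP auth wiring (added example; not VSO code)."""
from __future__ import annotations

import time

# Annotation that GKE Workload Identity uses to map a Kubernetes service
# account (KSA) to a Google IAM service account (GSA).
WI_ANNOTATION = "iam.gke.io/gcp-service-account"
MIN_MAX_JWT_EXP = 3600  # VSO requires max_jwt_exp >= 1 hour

# Constructed stand-ins for the real objects; all names are hypothetical.
ROLE_NAME = "vso-gcp-role"
GSA_EMAIL = "vso-app@my-project.iam.gserviceaccount.com"
KSA = {
    "metadata": {
        "name": "vso-app",
        "namespace": "app",
        "annotations": {WI_ANNOTATION: GSA_EMAIL},
    }
}
VAULT_AUTH = {
    "metadata": {"name": "vaultauth-gcp-example", "namespace": "app"},
    "spec": {
        "mount": "gcp",
        "method": "gcp",
        "gcp": {"role": ROLE_NAME, "workloadIdentityServiceAccount": "vso-app"},
    },
}
GCP_ROLE = {  # shape of `vault read auth/gcp/role/<name>`, reduced to what we check
    "type": "iam",
    "max_jwt_exp": 3600,
    "bound_service_accounts": [GSA_EMAIL],
}


def check_wiring(ksa: dict, vault_auth: dict, gcp_role: dict, role_name: str) -> list[str]:
    """Return every mismatch between the KSA, the VaultAuth CR and the Vault role."""
    problems: list[str] = []
    spec = vault_auth.get("spec", {})
    if spec.get("method") != "gcp":
        problems.append(f"VaultAuth method is {spec.get('method')!r}, expected 'gcp'")
    gcp = spec.get("gcp", {})
    if gcp.get("role") != role_name:
        problems.append(f"VaultAuth role {gcp.get('role')!r} != Vault role {role_name!r}")
    # The KSA must live in the VaultAuth's namespace and carry the WI annotation.
    want = (vault_auth["metadata"]["namespace"], gcp.get("workloadIdentityServiceAccount"))
    have = (ksa["metadata"]["namespace"], ksa["metadata"]["name"])
    if want != have:
        problems.append(f"VaultAuth points at KSA {want}, but the KSA is {have}")
    gsa = ksa["metadata"].get("annotations", {}).get(WI_ANNOTATION)
    if not gsa:
        problems.append(f"KSA lacks the {WI_ANNOTATION} annotation; workload identity is not wired")
    if gcp_role.get("type") != "iam":
        problems.append(f"Vault role type is {gcp_role.get('type')!r}, expected 'iam'")
    bound = gcp_role.get("bound_service_accounts", [])
    if gsa and gsa not in bound and "*" not in bound:  # '*' is Vault's any-account wildcard
        problems.append(f"GSA {gsa} is not in bound_service_accounts {bound}")
    if gcp_role.get("max_jwt_exp", 0) < MIN_MAX_JWT_EXP:
        problems.append(f"max_jwt_exp {gcp_role.get('max_jwt_exp')} is below {MIN_MAX_JWT_EXP}")
    return problems


def check_login_jwt(claims: dict, gcp_role: dict, role_name: str, now: int | None = None) -> list[str]:
    """Apply the claim checks of an IAM-type Vault GCP login (as understood here)."""
    now = int(time.time()) if now is None else now
    problems: list[str] = []
    if claims.get("aud") != f"vault/{role_name}":
        problems.append(f"aud {claims.get('aud')!r} != 'vault/{role_name}'")
    bound = gcp_role.get("bound_service_accounts", [])
    if claims.get("sub") not in bound and "*" not in bound:
        problems.append(f"sub {claims.get('sub')!r} is not a bound service account")
    exp = claims.get("exp")
    if exp is None:
        problems.append("exp claim missing")
    elif exp <= now:
        problems.append("JWT already expired")
    elif exp - now > gcp_role["max_jwt_exp"]:
        problems.append(f"JWT expires {exp - now}s from now, beyond max_jwt_exp {gcp_role['max_jwt_exp']}")
    return problems


if __name__ == "__main__":
    now = int(time.time())
    claims = {"aud": f"vault/{ROLE_NAME}", "sub": GSA_EMAIL, "iat": now, "exp": now + 900}
    for p in check_wiring(KSA, VAULT_AUTH, GCP_ROLE, ROLE_NAME) + check_login_jwt(claims, GCP_ROLE, ROLE_NAME, now):
        print("PROBLEM:", p)
```

Feed the script real objects by parsing `kubectl get sa <name> -o json`, `kubectl get vaultauth <name> -o json` and `vault read -format=json auth/gcp/role/<name>` (the latter nests the fields under `data`); the checks themselves do not change.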
If you use Terraform to manage your GKE cluster, the GKE module includes workload identity support through the workload identity submodule.
See the full list of GCP VaultAuth options on the VSO API page.