Skip to content

planetscale/vault-gcp-creds-buildkite-plugin

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

17 Commits

.buildkite

.buildkite

 
 

.github

.github

 
 

hooks

hooks

 
 

tests

tests

 
 

.gitignore

.gitignore

 
 

LICENSE

LICENSE

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

docker-compose.yml

docker-compose.yml

 
 

plugin.yml

plugin.yml

 
 

renovate.json

renovate.json

 
 

Repository files navigation

Vault GCP Credentials Buildkite Plugin

Retrieve time-limited oauth2 access token for an impersonated account from a Hashicorp Vault GCP Secrets Backend

The plugin expects a VAULT_TOKEN is already set in the environment. The vault-oidc-auth plugin is an ideal companion to use with this plugin.

Example

Add the following to your pipeline.yml:

steps:
  - command: ./run_build.sh
    plugins:
      - planetscale/vault-gcp-creds#v1.1.1:
          vault_addr: "https://my-vault-server"   # required
          path: "gcp"                             # optional. default "gcp"
          account_name: "my-pipeline"             # optional. default "bk-$BUILDKITE_PIPELINE_SLUG"
          env_var: "CLOUDSDK_AUTH_ACCESS_TOKEN"   # optional. default "CLOUDSDK_AUTH_ACCESS_TOKEN"

If authentication is successful the environment variables will be added to the environment:

  • CLOUDSDK_AUTH_ACCESS_TOKEN

Set the env_var parameter to change the name of the environment variable, eg: GOOGLE_OAUTH_ACCESS_TOKEN for use with Terraform's Google Cloud provider.

Ephemeral Credentials with vault-oidc-auth

This plugin works best when combined with the vault-oidc-auth plugin to provide short-lived credentials for accessing Vault and GCP. Example:

steps:
  - command: ./run_build.sh
    plugins:
      - planetscale/vault-oidc-auth#v1.0.0:
          vault_addr: "https://my-vault-server"
      - planetscale/vault-gcp-creds#v1.1.1:
          vault_addr: "https://my-vault-server"

First, the vault-oidc-auth plugin uses a short-lived Buildkite OIDC token to authenticate to Vault and fetch a VAULT_TOKEN.

Next, vault-gcp-creds uses the VAULT_TOKEN to fetch time-limited GCP oauth2 token from Vault.

Vault Configuration

First, enable the GCP Secrets Backend. A minimal configuration using environmental GCP credentials might look like the following. See the docs for full details on configuring the root GCP credentials.

vault secrets enable -path=gcp gcp

Then, create a GSA for your pipeline to impersonate through your favorite method and make it available from Vault by creating and assigning it to account name "bk-my-pipeline":

vault write gcp/impersonated-account/bk-my-pipeline \
    service_account_email="projectAdmin@my-project.iam.gserviceaccount.com" \
    token_scopes="https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/compute" \
    ttl="6h"

Developing

To run the linters:

docker-compose run --rm lint-shellcheck
docker-compose run --rm lint-plugin

To run the tests:

docker-compose run --rm tests

Contributing

  1. Fork the repo
  2. Make the changes
  3. Run the tests
  4. Commit and push your changes
  5. Send a pull request

About

Retrieve time-limited oauth2 access token for an impersonated account from a Hashicorp Vault GCP Secrets Backend

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

4 stars

Watchers

4 watching

Forks

2 forks
Report repository

Releases

5 tags

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages