The Vault Secrets Operator (VSO) supports authenticating to Vault's GCP auth method, using Google's Kubernetes Engine (GKE) workload identity.

1. Follow Google's Use Workload Identity guide to enable workload identity on a GKE cluster so your Kubernetes service account can impersonate a Google IAM service account.

2. Create an appropriate authentication role in your Vault instance:

   ShellHCL

   $ vault write auth/gcp/role/<VAULT_GCP_ROLE> \
       type="iam" \
       policies="default" \
       max_jwt_exp=3600 \
       bound_service_accounts="<SERVICE_ACCOUNT>@<GCP_PROJECT>.iam.gserviceaccount.com"
   

   resource "vault_gcp_auth_backend_role" "gcp_role" {
     backend                = "auth/gcp"
     role                   = <VAULT_GCP_ROLE>
     type                   = "iam"
     token_policies         = "default"
     max_jwt_exp            = 3600
     bound_service_accounts = [
       "<SERVICE_ACCOUNT>@<GCP_PROJECT>.iam.gserviceaccount.com",
     ]
   }
   

   Note

   max_jwt_exp needs to be greater than or equal to 1 hour (3600)

3. Create the corresponding authentication object for VSO:

   apiVersion: secrets.hashicorp.com/v1beta1
   kind: VaultAuth
   metadata:
     name: vaultauth-gcp-example
     namespace: <K8S_NAMESPACE>
   spec:
     vaultConnectionRef: <VAULT_CONNECTION_NAME>
     mount: gcp
     method: gcp
     gcp:
       role: <VAULT_GCP_ROLE>
       workloadIdentityServiceAccount: <K8S_SERVICE_ACCOUNT>
   

API

See the full list of GCP VaultAuth options on the VSO API page.