GCP auth support for Vault Secrets Operator

The Vault Secrets Operator (VSO) supports authenticating to Vault's GCP auth method, using Google's Kubernetes Engine (GKE) workload identity.

Follow Google's Use Workload Identity guide to enable workload identity on a GKE cluster so your Kubernetes service account can impersonate a Google IAM service account.

Create an appropriate authentication role in your Vault instance:

$ vault write auth/gcp/role/<VAULT_GCP_ROLE> \
    type="iam" \
    policies="default" \
    max_jwt_exp=3600 \
    bound_service_accounts="<SERVICE_ACCOUNT>@<GCP_PROJECT>.iam.gserviceaccount.com"

resource "vault_gcp_auth_backend_role" "gcp_role" {
  backend                = "auth/gcp"
  role                   = <VAULT_GCP_ROLE>
  type                   = "iam"
  token_policies         = "default"
  max_jwt_exp            = 3600
  bound_service_accounts = [
    "<SERVICE_ACCOUNT>@<GCP_PROJECT>.iam.gserviceaccount.com",
  ]
}

Note

max_jwt_exp needs to be greater than or equal to 1 hour (3600)

Create the corresponding authentication object for VSO:

apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: vaultauth-gcp-example
  namespace: <K8S_NAMESPACE>
spec:
  vaultConnectionRef: <VAULT_CONNECTION_NAME>
  mount: gcp
  method: gcp
  gcp:
    role: <VAULT_GCP_ROLE>
    workloadIdentityServiceAccount: <K8S_SERVICE_ACCOUNT>

Terraform has workload identity support

If you use Terraform to manage your GKE cluster, the GKE module includes workload identity support through the workload identity submodule.

API

See the full list of GCP VaultAuth options on the VSO API page.