
Feature Request > Ability to use GCP OAuth2 token as credentials #2725

Closed
kuwas opened this issue Dec 20, 2018 · 5 comments

Comments

@kuwas

kuwas commented Dec 20, 2018

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

We use the Vault GCP secret engine to handle Terraform access, currently we're using the service account key, but this has a limit of 10 keys to be active at a time per roleset. According to the Vault GCP secret engine documentation, it is recommended to just use the OAuth2 token method of authentication for our use case.
https://www.vaultproject.io/docs/secrets/gcp/index.html#access-tokens
https://www.vaultproject.io/docs/secrets/gcp/index.html#access-tokens-vs-service-account-keys

New or Affected Resource(s)

  • google provider
  • google-beta provider

Potential Terraform Configuration

provider "google" {
  oauth2_token = "${file("token")}"
}

Also would be great if the token can be specified as a default environment variable.

export GOOGLE_APPLICATION_OAUTH2_TOKEN="( some token )"

References

  • N/A
@ghost ghost added the enhancement label Dec 20, 2018
@emilymye
Contributor

emilymye commented Jan 8, 2019

As the person who wrote the Vault secrets GCP engine, thanks for using it! I'm looking into this issue. It seems feasible but there are a couple of points I'd want to get your feedback on.

  • The way we have it, explicit credentials are passed in as a file. Would you be opposed to instead providing the token in a file and providing the filename as the token instead? This could also be made easier by adding a way to output the token in credential JSON format from Vault.

  • The way the current environment variables work is based on Google standard env variables for Application Default Credentials, so we'd have to do some separate logic to check for a specific env variable. Instead, I feel like it might be better to just use the current logic for importing environment variables as variables in Terraform (i.e. just have TF_VAR_google_access_token). Would that work for you?

As a side note, if you're blocked on this, you could always create another roleset with the same set of permissions in Vault and just use a service account key still.

@kuwas
Author

kuwas commented Jan 8, 2019

@emilymye Thanks for all your work on this secret engine, we found it to be useful for our GCP rollout, and also thanks for answering all my silly questions on the secret engine issues page. In regards to these questions:

  • Passing the token through a file works fine for us, we only use these 1 hour OAuth2 tokens for our Terraform and gcloud cli CI and CD process. The mechanism for input really isn't a problem for us, since we have "glue" in our CI and CD pipelines already that does the heavy lifting, adding a line to output a file instead is not a problem.
  • I was not aware of this feature of default importing env vars with the suffix in Terraform, TIL. But yes, that sounds perfectly fine for us.

We're not blocked yet, however, it might start to become a problem during our rollout, as we increase the number of projects on the platform. But I can think of some temporary ways to increase the amount of CI and CD service accounts we use.

Thanks again!


@emilymye
Contributor

Added! Use access_token in provider config or environment var GOOGLE_OAUTH_ACCESS_TOKEN
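As an added example (not code from this issue, the provider, or Vault), this is the CI "glue" the thread describes: take the one-hour token from a Vault token-roleset response, refuse it if it is close to expiry, and hand it to Terraform through the GOOGLE_OAUTH_ACCESS_TOKEN variable added above. The response shape (data.token, data.expires_at_seconds) is assumed from Vault's documented token endpoint, and the sample response is constructed with a placeholder token.

```python
import json
import os
import time


def vault_response(token, expires_at_seconds):
    """Build a constructed Vault `gcp/token/<roleset>` style response (shape assumed
    from the Vault docs); used here only to produce offline sample input."""
    return json.dumps({"data": {"token": token,
                                "expires_at_seconds": expires_at_seconds}})


# Constructed sample: placeholder token, valid for about an hour from now.
SAMPLE_VAULT_RESPONSE = vault_response("ya29.PLACEHOLDER-ACCESS-TOKEN",
                                       int(time.time()) + 3600)


def extract_access_token(vault_json, now=None, min_ttl=300):
    """Return the access token from a Vault token-roleset response, or raise if
    it is missing, expired, or has less than min_ttl seconds left. The minimum
    remaining lifetime keeps a terraform apply from starting on a token that
    will die mid-run."""
    now = time.time() if now is None else now
    data = json.loads(vault_json).get("data", {})
    token = data.get("token")
    expires = data.get("expires_at_seconds")
    if not token or expires is None:
        raise ValueError("Vault response has no token or expiry")
    remaining = expires - now
    if remaining < min_ttl:
        raise ValueError(f"token expires in {int(remaining)}s, need >= {min_ttl}s")
    return token


def terraform_env(vault_json, base_env=None, now=None):
    """Build the environment for a Terraform run: the short-lived token goes into
    GOOGLE_OAUTH_ACCESS_TOKEN (the variable added for this issue), and the
    provider's long-lived key-file variables are dropped so the run relies only
    on the short-lived token rather than a service account key left in CI."""
    env = dict(os.environ if base_env is None else base_env)
    env["GOOGLE_OAUTH_ACCESS_TOKEN"] = extract_access_token(vault_json, now=now)
    for key_var in ("GOOGLE_CREDENTIALS", "GOOGLE_APPLICATION_CREDENTIALS"):
        env.pop(key_var, None)
    return env
```

Run `terraform apply` with `env=terraform_env(response)` (e.g. via subprocess) and the provider picks up the token without any key file on disk.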

@kuwas
Author

kuwas commented Jan 10, 2019

@emilymye Wow! That was quick 😁. I'll try it out tomorrow. Thanks a lot!

@ghost

ghost commented Feb 10, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked and limited conversation to collaborators Feb 10, 2019