Commit
* Add automatic GCE identity token login
Showing 1 changed file with 29 additions and 19 deletions.
@@ -75,7 +75,7 @@ management tool. | |
|
||
1. Enable the Google Cloud auth method: | ||
|
||
```text | ||
```shell-session | ||
$ vault auth enable gcp | ||
``` | ||
|
||
|
@@ -94,7 +94,7 @@ management tool. | |
|
||
For an `iam`-type role: | ||
|
||
```text | ||
```shell-session | ||
$ vault write auth/gcp/role/my-iam-role \ | ||
type="iam" \ | ||
policies="dev,prod" \ | ||
|
@@ -103,7 +103,7 @@ management tool. | |
|
||
For a `gce`-type role: | ||
|
||
```text | ||
```shell-session | ||
$ vault write auth/gcp/role/my-gce-role \ | ||
type="gce" \ | ||
policies="dev,prod" \ | ||
|
@@ -312,14 +312,14 @@ role. This defaults to 15 minutes and cannot be more than 1 hour. | |
One you have all this information, the JWT token can be signed using curl and | ||
[oauth2l](https://github.com/google/oauth2l): | ||
|
||
```text | ||
```shell-session | ||
ROLE="my-role" | ||
SERVICE_ACCOUNT="[email protected]" | ||
OAUTH_TOKEN="$(oauth2l header cloud-platform)" | ||
EXPIRATION="<your_token_expiration>" | ||
JWT_CLAIM="{\\\"aud\\\":\\\"vault/${ROLE}\\\", \\\"sub\\\": \\\"${SERVICE_ACCOUNT}\\\", \\\"exp\\\": ${EXPIRATION}}" | ||
curl \ | ||
$ curl \ | ||
--header "${OAUTH_TOKEN}" \ | ||
--header "Content-Type: application/json" \ | ||
--request POST \ | ||
|
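Review bot: the `$ ` prompt is added to `curl \` but not to the `ROLE=`, `SERVICE_ACCOUNT=`, `OAUTH_TOKEN=`, `EXPIRATION=` and `JWT_CLAIM=` lines above it, so in a `shell-session` block those assignments now render as output rather than as commands the reader must type. Prefix each assignment with `$ ` as well, e.g. `$ ROLE="my-role"`, so the whole block is consistent and copy-pasteable.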
@@ -346,22 +346,32 @@ Read more on the | |
|
||
### GCE | ||
|
||
GCE tokens **can only be generated from a GCE instance**. The JWT token can be | ||
obtained from the `service-accounts/default/identity` endpoint for a | ||
instance's metadata server. | ||
GCE tokens **can only be generated from a GCE instance**. | ||
|
||
#### curl Example | ||
1. Vault can automatically discover the identity token on a GCE/GKE instance. This simplifies | ||
authenticating to Vault like so: | ||
|
||
```text | ||
ROLE="my-gce-role" | ||
curl \ | ||
--header "Metadata-Flavor: Google" \ | ||
--get \ | ||
--data-urlencode "audience=http://vault/${ROLE}" \ | ||
--data-urlencode "format=full" \ | ||
"http://metadata/computeMetadata/v1/instance/service-accounts/default/identity" | ||
``` | ||
```shell-session | ||
$ vault login \ | ||
-method=gcp \ | ||
role="my-gce-role" | ||
``` | ||
|
||
1. The JWT token can also be obtained from the `"service-accounts/default/identity"` endpoint for a | ||
instance's metadata server. | ||
|
||
#### Curl example | ||
|
||
```shell-session | ||
ROLE="my-gce-role" | ||
$ curl \ | ||
--header "Metadata-Flavor: Google" \ | ||
--get \ | ||
--data-urlencode "audience=http://vault/${ROLE}" \ | ||
--data-urlencode "format=full" \ | ||
"http://metadata/computeMetadata/v1/instance/service-accounts/default/identity" | ||
``` | ||
|
||
## API | ||
|
||
|
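Review bot: the two GCE examples disagree on the audience and only one of them is explained: the `vault login -method=gcp role="my-gce-role"` form says Vault "can automatically discover the identity token" but does not say which audience it requests, while the curl form requests `audience=http://vault/${ROLE}` and the IAM example earlier in the file signs `"aud":"vault/${ROLE}"`. Add a sentence stating the audience value the gcp auth method expects for a `gce` role so readers fetching the token by hand get the same value the CLI uses. Two smaller points in the same hunk: `ROLE="my-gce-role"` in the curl block lacks the `$ ` prompt that `$ curl \` has, and "for a instance's metadata server" should read "for an instance's metadata server".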