Update GCP auth docs (#15855)
* Add automatic GCE identity token login
robmonte authored Jun 7, 2022
1 parent 55bc402 commit 8eff5a1
Showing 1 changed file with 29 additions and 19 deletions.
48 changes: 29 additions & 19 deletions website/content/docs/auth/gcp.mdx
Expand Up @@ -75,7 +75,7 @@ management tool.

1. Enable the Google Cloud auth method:

```text
```shell-session
$ vault auth enable gcp
```

Expand All @@ -94,7 +94,7 @@ management tool.

For an `iam`-type role:

```text
```shell-session
$ vault write auth/gcp/role/my-iam-role \
type="iam" \
policies="dev,prod" \
Expand All @@ -103,7 +103,7 @@ management tool.

For a `gce`-type role:

```text
```shell-session
$ vault write auth/gcp/role/my-gce-role \
type="gce" \
policies="dev,prod" \
Expand Down Expand Up @@ -312,14 +312,14 @@ role. This defaults to 15 minutes and cannot be more than 1 hour.
One you have all this information, the JWT token can be signed using curl and
[oauth2l](https://github.com/google/oauth2l):

```text
```shell-session
ROLE="my-role"
SERVICE_ACCOUNT="[email protected]"
OAUTH_TOKEN="$(oauth2l header cloud-platform)"
EXPIRATION="<your_token_expiration>"
JWT_CLAIM="{\\\"aud\\\":\\\"vault/${ROLE}\\\", \\\"sub\\\": \\\"${SERVICE_ACCOUNT}\\\", \\\"exp\\\": ${EXPIRATION}}"
curl \
$ curl \
--header "${OAUTH_TOKEN}" \
--header "Content-Type: application/json" \
--request POST \
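Review bot: the `$` prompt added on the `$ curl \` line is inconsistent with the four preceding lines of the same block (`ROLE=...` through `JWT_CLAIM=...`), which still carry no prompt; in a `shell-session` block a reader will either strip `$` from everything or paste it together with the assignments. Either prefix every command in the block with `$ ` or leave the prompt off the whole block. While this block is being touched, the context line `One you have all this information` should read `Once you have all this information`.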
Expand All @@ -346,22 +346,32 @@ Read more on the

### GCE

GCE tokens **can only be generated from a GCE instance**. The JWT token can be
obtained from the `service-accounts/default/identity` endpoint for a
instance's metadata server.
GCE tokens **can only be generated from a GCE instance**.

#### curl Example
1. Vault can automatically discover the identity token on a GCE/GKE instance. This simplifies
authenticating to Vault like so:

```text
ROLE="my-gce-role"
curl \
--header "Metadata-Flavor: Google" \
--get \
--data-urlencode "audience=http://vault/${ROLE}" \
--data-urlencode "format=full" \
"http://metadata/computeMetadata/v1/instance/service-accounts/default/identity"
```
```shell-session
$ vault login \
-method=gcp \
role="my-gce-role"
```

1. The JWT token can also be obtained from the `"service-accounts/default/identity"` endpoint for a
instance's metadata server.

#### Curl example

```shell-session
ROLE="my-gce-role"
$ curl \
--header "Metadata-Flavor: Google" \
--get \
--data-urlencode "audience=http://vault/${ROLE}" \
--data-urlencode "format=full" \
"http://metadata/computeMetadata/v1/instance/service-accounts/default/identity"
```

## API

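Review bot: the new GCE curl block has the same mixed-prompt problem as the IAM example: `ROLE="my-gce-role"` has no prompt while the next line is `$ curl \`; prefix both lines or neither. Two smaller points in the added prose: `for a instance's metadata server` should read `an instance's metadata server`, and the endpoint in item 2 is now wrapped in both double quotes and backticks, where plain backticks as in the removed line are enough. Because both items are rendered as a numbered list, it is also worth stating that item 1 (`vault login -method=gcp`) and item 2 (fetching the token from the metadata endpoint yourself) are alternatives rather than sequential steps, which is what the "can also be obtained" wording implies.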

0 comments on commit 8eff5a1
