docs/vault-secrets-operator: GKE workload identity auth (#23684)

Adding overview docs for using GKE workload identity with Vault
Secrets Operator under Secret Sources/Vault/Auth Methods/. Updates the
Vault Auth method section in the Vault/Auth Methods overview page with
links to the VSO API sections for the other supported auth methods
(until they have their own pages).
---------
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
Theron Voran 2023-11-17 13:06:10 -06:00 committed by GitHub
parent f951fe5429
commit 5415d3c8a1
3 changed files with 102 additions and 7 deletions

@ -0,0 +1,80 @@
---
layout: docs
page_title: GCP auth support for Vault Secrets Operator
description: >-
Learn how GCP authentication works for Vault Secrets Operator
---
# GCP auth support for Vault Secrets Operator
The Vault Secrets Operator (VSO) supports authenticating to Vault's [GCP auth](/vault/docs/auth/gcp) method, using Google's Kubernetes Engine (GKE) workload identity.
1. Follow Google's [Use Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) guide to enable workload identity on a GKE cluster so your Kubernetes service account can impersonate a Google IAM service account.
1. Create an appropriate authentication role in your Vault instance:
<CodeTabs>
<CodeBlockConfig>
```shell-session
$ vault write auth/gcp/role/<VAULT_GCP_ROLE> \
type="iam" \
policies="default" \
max_jwt_exp=3600 \
bound_service_accounts="<SERVICE_ACCOUNT>@<GCP_PROJECT>.iam.gserviceaccount.com"
```
</CodeBlockConfig>
<CodeBlockConfig>
```hcl
resource "vault_gcp_auth_backend_role" "gcp_role" {
backend = "auth/gcp"
role = <VAULT_GCP_ROLE>
type = "iam"
token_policies = "default"
max_jwt_exp = 3600
bound_service_accounts = [
"<SERVICE_ACCOUNT>@<GCP_PROJECT>.iam.gserviceaccount.com",
]
}
```
</CodeBlockConfig>
</CodeTabs>
<Note>
`max_jwt_exp` needs to be greater than or equal to 1 hour (3600)
</Note>
1. Create the corresponding authentication object for VSO:
```yaml
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: vaultauth-gcp-example
namespace: <K8S_NAMESPACE>
spec:
vaultConnectionRef: <VAULT_CONNECTION_NAME>
mount: gcp
method: gcp
gcp:
role: <VAULT_GCP_ROLE>
workloadIdentityServiceAccount: <K8S_SERVICE_ACCOUNT>
```
<Tip title="Terraform has workload identity support">
If you use Terraform to manage your GKE cluster, the
[GKE module](https://registry.terraform.io/modules/terraform-google-modules/kubernetes-engine/google/latest)
includes workload identity support through the
[workload identity submodule](https://registry.terraform.io/modules/terraform-google-modules/kubernetes-engine/google/latest/submodules/workload-identity).
</Tip>
# API
See the full list of GCP VaultAuth options on the [VSO API page](/vault/docs/platform/k8s/vso/api-reference#vaultauthconfiggcp).
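Review bot: the Terraform tab of the "Create an appropriate authentication role" step does not line up with the CLI tab next to it. `role = <VAULT_GCP_ROLE>` is unquoted while every other placeholder in the file is a quoted string; `token_policies = "default"` is a bare string where the CLI uses `policies="default"` and the provider attribute takes a list, so `token_policies = ["default"]` is the safer form; and `backend = "auth/gcp"` is the mount name that gets prefixed with `auth/`, so it should be `"gcp"` to match `auth/gcp/role/...` in the CLI tab and `mount: gcp` in the VaultAuth manifest below. Two smaller points: the `<Note>` states that `max_jwt_exp` must be at least 3600 but not why, and a one-line reason would save readers a support ticket; and step 3 could state that `<K8S_SERVICE_ACCOUNT>` is the Kubernetes service account configured for workload identity in step 1 (the one mapped to `<SERVICE_ACCOUNT>@<GCP_PROJECT>.iam.gserviceaccount.com`), since that linkage is what makes `bound_service_accounts` match.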

@ -30,12 +30,13 @@ during drift remediation.
### Supported Vault authentication methods
| Backend | Description |
|-------------------------------------------|-------------------------------------------------------------------------------------------------------------|
| [Kubernetes](/vault/docs/auth/kubernetes) | Relies on short-lived Kubernetes ServiceAccount tokens for Vault authentication |
| [JWT](/vault/docs/auth/jwt) | Relies on either static JWT tokens or short-lived Kubernetes ServiceAccount tokens for Vault authentication |
| [AppRole](/vault/docs/auth/approle) | Relies on static AppRole credentials for Vault authentication |
| [AWS](/vault/docs/auth/aws) | Relies on AWS credentials for Vault authentication |
| Backend | Description |
|------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------|
| [Kubernetes](/vault/docs/platform/k8s/vso/api-reference#vaultauthconfigkubernetes) | Relies on short-lived Kubernetes ServiceAccount tokens for Vault authentication |
| [JWT](/vault/docs/platform/k8s/vso/api-reference#vaultauthconfigjwt) | Relies on either static JWT tokens or short-lived Kubernetes ServiceAccount tokens for Vault authentication |
| [AppRole](/vault/docs/platform/k8s/vso/api-reference#vaultauthconfigapprole) | Relies on static AppRole credentials for Vault authentication |
| [AWS](/vault/docs/platform/k8s/vso/api-reference#vaultauthconfigaws) | Relies on AWS credentials for Vault authentication |
| [GCP](/vault/docs/platform/k8s/vso/sources/vault/gcp-auth) | Relies on GCP credentials for Vault authentication |
## Vault access and custom resource definitions
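Review bot: the new GCP row describes the method as "Relies on GCP credentials for Vault authentication", but the page it links to documents only the GKE workload identity path, so "Relies on GKE workload identity for Vault authentication" would set the right expectation. Also, the four existing rows now link to the VSO API reference instead of the Vault auth method docs (`/vault/docs/auth/...`); since the link text is still the auth method name, consider keeping a link to the Vault auth docs as well so readers can still find the server-side role setup, as the GCP page does via `/vault/docs/auth/gcp`.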

@ -1984,7 +1984,21 @@
},
{
"title": "Vault",
"path": "platform/k8s/vso/sources/vault"
"routes": [
{
"title": "Overview",
"path": "platform/k8s/vso/sources/vault"
},
{
"title": "Auth Methods",
"routes": [
{
"title": "GCP",
"path": "platform/k8s/vso/sources/vault/gcp-auth"
}
]
}
]
},
{
"title": "HCP Vault Secrets",