diff --git a/website/content/docs/secrets/gcp.mdx b/website/content/docs/secrets/gcp.mdx index 985f4113c6..739c325514 100644 --- a/website/content/docs/secrets/gcp.mdx +++ b/website/content/docs/secrets/gcp.mdx @@ -453,14 +453,16 @@ Cloud][cloud-creds]. In addition to specifying `credentials` directly via Vault configuration, you can also get configuration from the following values **on the Vault server**: -1. The environment variables `GOOGLE_APPLICATION_CREDENTIALS`. This is specified +1. The `GOOGLE_APPLICATION_CREDENTIALS` environment variable. This is specified as the **path** to a Google Cloud credentials file, typically for a service account. If this environment variable is present, the resulting credentials are used. If the credentials are invalid, an error is returned. -1. Default instance credentials. When no environment variable is present, the - default service account credentials are used. This is useful when running Vault - on [Google Compute Engine][gce] or [Google Kubernetes Engine][gke] +1. The identity of a Google Cloud [workload][workloads-ids]. When Vault server is running + on a Google workload like [Google Compute Engine][gce] or [Google Kubernetes Engine][gke], + identity associated with the workload is automatically used. To configure Google Compute + Engine with an identity, see [attached service accounts][attached-service-accounts]. To + configure Google Kubernetes Engine with an identity, see [GKE workload identity][gke-workload-ids]. For more information on service accounts, please see the [Google Cloud Service Accounts documentation][service-accounts]. @@ -692,6 +694,9 @@ for more details. [resource-name-relative]: https://cloud.google.com/apis/design/resource_names#relative_resource_name [quotas]: https://cloud.google.com/compute/quotas [service-accounts]: https://cloud.google.com/compute/docs/access/service-accounts +[workloads-ids]: https://cloud.google.com/iam/docs/workload-identities +[attached-service-accounts]: https://cloud.google.com/iam/docs/workload-identities#attached-service-accounts +[gke-workload-ids]: https://cloud.google.com/iam/docs/workload-identities#kubernetes-workload-identity ## Upgrade guides