2018-03-21 19:02:38 +00:00
---
2020-01-18 00:18:09 +00:00
layout: api
page_title: Google Cloud - Secrets Engines - HTTP API
description: This is the API documentation for the Vault Google Cloud secrets engine.
2018-03-21 19:02:38 +00:00
---
2018-07-11 19:52:22 +00:00
# Google Cloud Secrets Engine (API)
2018-03-21 19:02:38 +00:00
2018-07-11 19:52:22 +00:00
This is the API documentation for the Vault Google Cloud Platform (GCP)
2018-05-10 20:58:22 +00:00
secrets engine. For general information about the usage and operation of
2020-01-22 20:05:41 +00:00
the GCP secrets engine, please see [these docs](/docs/secrets/gcp).
2018-03-21 19:02:38 +00:00
This documentation assumes the GCP secrets engine is enabled at the `/gcp` path
in Vault. Since it is possible to mount secrets engines at any path, please
update your API calls accordingly.
## Write Config
2020-01-18 00:18:09 +00:00
| Method | Path |
| :----- | :------------ |
| `POST` | `/gcp/config` |
2018-03-21 19:02:38 +00:00
2018-05-10 20:58:22 +00:00
This endpoint configures shared information for the secrets engine.
2018-03-21 19:02:38 +00:00
### Parameters
- `credentials` (`string:""`) - JSON credentials (either file contents or '@path/to/file')
2020-03-31 19:21:16 +00:00
See docs for [alternative ways](/docs/secrets/gcp#setup)
2020-01-18 00:18:09 +00:00
to pass in to this parameter, as well as the
2020-01-22 20:05:41 +00:00
[required permissions](/docs/secrets/gcp#required-permissions).
2018-03-21 19:02:38 +00:00
- `ttl` (`int: 0 || string:"0s"`) – Specifies default config TTL for long-lived credentials
2020-01-18 00:18:09 +00:00
(i.e. service account keys). Accepts integer number of seconds or Go duration format string.
2018-03-21 19:02:38 +00:00
2018-05-17 15:54:25 +00:00
- `max_ttl` (`int: 0 || string:"0s"`)– Specifies the maximum config TTL for long-lived credentials
2020-01-18 00:18:09 +00:00
(i.e. service account keys). Accepts integer number of seconds or Go duration format string.\*\*
2018-05-10 20:58:22 +00:00
2018-03-21 19:02:38 +00:00
### Sample Payload
```json
{
"credentials": "<JSON string>",
"ttl": 3600,
"max_ttl": 14400
}
```
### Sample Request
2020-05-21 17:18:17 +00:00
```shell-session
2018-03-21 19:02:38 +00:00
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
2018-07-10 14:47:30 +00:00
https://127.0.0.1:8200/v1/gcp/config
2018-03-21 19:02:38 +00:00
```
2020-03-09 20:09:03 +00:00
## Rotate Root Credentials
Request to rotate the GCP service account credentials used by Vault
for this mount. A new key will be generated for the service account,
replacing the internal value, and then a deletion of the old service
account key is scheduled. Note that this does not create a new service
account, only a new version of the service account key.
This path is only valid if Vault has been configured to use GCP credentials via
the `config/` endpoint where "credentials" were specified. Additionally, the
provided service account must have permissions to create and delete service
account keys.
| Method | Path |
| :----- | :------------------------ |
| `POST` | `/gcp/config/rotate-root` |
### Sample Request
2020-05-21 17:18:17 +00:00
```shell-session
2020-03-09 20:09:03 +00:00
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
https://127.0.0.1:8200/v1/gcp/config/rotate-root
```
2018-03-21 19:02:38 +00:00
## Read Config
2020-01-18 00:18:09 +00:00
| Method | Path |
| :----- | :------------ |
| `GET` | `/gcp/config` |
2018-03-21 19:02:38 +00:00
2018-05-10 20:58:22 +00:00
Credentials will be omitted from returned data.
2018-03-21 19:02:38 +00:00
### Sample Request
2020-05-21 17:18:17 +00:00
```shell-session
2018-03-21 19:02:38 +00:00
$ curl \
--header "X-Vault-Token: ..." \
--request GET \
2018-07-10 14:47:30 +00:00
https://127.0.0.1:8200/v1/gcp/config
2018-03-21 19:02:38 +00:00
```
### Sample Response
```json
{
"data": {
"ttl": "1h",
"max_ttl": "4h"
}
}
```
## Create/Update Roleset
2020-01-18 00:18:09 +00:00
| Method | Path |
| :----- | :------------------- |
| `POST` | `/gcp/roleset/:name` |
2018-03-21 19:02:38 +00:00
2021-07-13 16:36:05 +00:00
This method allows you to create a roleset or update an existing roleset. See [docs](/docs/secrets/gcp#bindings) for the GCP secrets backend
2018-05-10 20:58:22 +00:00
to learn more about what happens when you create or update a roleset.
**If you update a roleset's bindings, this will effectively revoke any secrets
generated under this roleset.**
2018-03-21 19:02:38 +00:00
### Parameters
- `name` (`string: <required>`): Required. Name of the role. Cannot be updated.
- `secret_type` (`string: "access_token"`): Type of secret generated for this role set. Accepted values: `access_token`, `service_account_key`. Cannot be updated.
2018-05-10 20:58:22 +00:00
- `project` (`string: <required>`): Name of the GCP project that this roleset's service account will belong to. Cannot be updated.
2018-03-21 19:02:38 +00:00
- `bindings` (`string: <required>`): Bindings configuration string (expects HCL or JSON format in raw or base64-encoded string)
- `token_scopes` (`array: []`): List of OAuth scopes to assign to `access_token` secrets generated under this role set (`access_token` role sets only)
### Sample Payload
```json
{
"secret_type": "access_token",
"project": "mygcpproject",
"bindings": "...",
2018-05-10 20:58:22 +00:00
"token_scopes": [
"https://www.googleapis.com/auth/cloud-platform",
2018-03-21 19:02:38 +00:00
"https://www.googleapis.com/auth/bigquery"
]
}
```
#### Sample Bindings:
2020-01-18 00:18:09 +00:00
2021-07-13 16:36:05 +00:00
See [bindings format docs](/docs/secrets/gcp#bindings) for more information.
2018-03-21 19:02:38 +00:00
```hcl
2018-12-18 00:22:02 +00:00
resource "//cloudresourcemanager.googleapis.com/projects/mygcpproject" {
2018-03-21 19:02:38 +00:00
roles = [
"roles/viewer"
2018-05-10 20:58:22 +00:00
],
2018-03-21 19:02:38 +00:00
}
2020-04-16 21:57:50 +00:00
resource "//bigquery.googleapis.com/projects/my-project/datasets/mydataset" {
roles = [
"roles/bigquery.dataViewer"
],
}
2018-03-21 19:02:38 +00:00
resource "https://selflink/to/my/resource" {
roles = [
"project/mygcpproject/roles/projcustomrole",
"organizations/myorg/roles/orgcustomrole"
2018-05-10 20:58:22 +00:00
],
2018-03-21 19:02:38 +00:00
}
```
### Sample Request
2020-05-21 17:18:17 +00:00
```shell-session
2018-03-21 19:02:38 +00:00
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
2018-07-10 14:47:30 +00:00
https://127.0.0.1:8200/v1/gcp/roleset/my-token-roleset
2018-03-21 19:02:38 +00:00
```
## Rotate Roleset Account
2021-07-13 16:36:05 +00:00
| Method | Path | |
| :----- | :-------------------------- | ------------------ |
| `POST` | `/gcp/roleset/:name/rotate` | `204 (empty body)` |
2018-03-21 19:02:38 +00:00
2018-05-10 20:58:22 +00:00
This will rotate the service account this roleset uses to generate secrets.
2018-03-21 19:02:38 +00:00
(this also replaces the key `access_token` roleset). This can be used to invalidate
old secrets generated by the roleset or fix issues if a roleset's service account
2018-05-10 20:58:22 +00:00
(and/or keys) was changed outside of Vault (i.e. through GCP APIs/cloud console).
2018-03-21 19:02:38 +00:00
### Sample Request
2020-05-21 17:18:17 +00:00
```shell-session
2018-03-21 19:02:38 +00:00
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
2021-07-13 16:36:05 +00:00
https://127.0.0.1:8200/v1/gcp/roleset/my-token-roleset/rotate
2018-03-21 19:02:38 +00:00
```
## Rotate Roleset Account Key (`access_token` Roleset Only)
2021-07-13 16:36:05 +00:00
| Method | Path | |
| :----- | :------------------------------ | ------------------ |
| `POST` | `/gcp/roleset/:name/rotate-key` | `204 (empty body)` |
2018-03-21 19:02:38 +00:00
This will rotate the service account key this roleset uses to generate
access tokens. This does not recreate the roleset service account.
### Sample Request
2020-05-21 17:18:17 +00:00
```shell-session
2018-03-21 19:02:38 +00:00
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
2021-07-13 16:36:05 +00:00
https://127.0.0.1:8200/v1/gcp/roleset/my-token-roleset/rotate-key
2018-03-21 19:02:38 +00:00
```
## Read Roleset
2020-01-18 00:18:09 +00:00
| Method | Path |
| :----- | :------------------- |
| `GET` | `/gcp/roleset/:name` |
2018-03-21 19:02:38 +00:00
2019-04-26 17:52:52 +00:00
### Parameters
2020-05-13 19:13:34 +00:00
- `name` (`string:<required>`): Name of the roleset to read.
2019-04-26 17:52:52 +00:00
2018-03-21 19:02:38 +00:00
### Sample Request
2020-05-21 17:18:17 +00:00
```shell-session
2018-03-21 19:02:38 +00:00
$ curl \
--header "X-Vault-Token: ..." \
--request GET \
2021-07-13 16:36:05 +00:00
https://127.0.0.1:8200/v1/gcp/roleset/my-token-roleset
2018-03-21 19:02:38 +00:00
```
### Sample Response
```json
{
"data": {
"secret_type": "access_token",
"service_account_email": "vault-myroleset-XXXXXXXXXX@myproject.gserviceaccounts.com",
2018-09-21 17:31:49 +00:00
"service_account_project": "service-account-project",
2018-03-21 19:02:38 +00:00
"bindings": {
2020-01-18 00:18:09 +00:00
"project/mygcpproject": ["roles/viewer"],
2018-03-21 19:02:38 +00:00
"https://selflink/to/my/resource": [
"project/mygcpproject/roles/projcustomrole",
"organizations/myorg/roles/orgcustomrole"
]
},
2020-01-18 00:18:09 +00:00
"token_scopes": ["https://www.googleapis.com/auth/cloud-platform"]
2018-03-21 19:02:38 +00:00
}
}
```
## List Rolesets
2020-01-18 00:18:09 +00:00
| Method | Path |
| :----- | :-------------- |
| `LIST` | `/gcp/rolesets` |
2018-03-21 19:02:38 +00:00
### Sample Request
2020-05-21 17:18:17 +00:00
```shell-session
2018-03-21 19:02:38 +00:00
$ curl \
--header "X-Vault-Token: ..." \
--request LIST \
2018-07-10 14:47:30 +00:00
https://127.0.0.1:8200/v1/gcp/rolesets
2018-03-21 19:02:38 +00:00
```
### Sample Response
```json
{
"data": {
2020-01-18 00:18:09 +00:00
"keys": ["my-token-roleset", "my-sakey-roleset"]
}
}
2018-03-21 19:02:38 +00:00
```
2019-04-26 17:48:34 +00:00
## Delete Roleset
This endpoint deletes an existing roleset by the given name.
2020-01-18 00:18:09 +00:00
| Method | Path |
| :------- | :------------------- |
| `DELETE` | `/gcp/roleset/:name` |
2019-04-26 17:48:34 +00:00
2019-04-26 17:52:52 +00:00
### Parameters
- `name` (`string:<required>`): Name of the roleset to delete.
2019-04-26 17:48:34 +00:00
### Sample Request
2020-05-21 17:18:17 +00:00
```shell-session
2019-04-26 17:48:34 +00:00
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
https://127.0.0.1:8200/v1/gcp/roleset/my-token-roleset
```
2021-07-13 16:36:05 +00:00
## Create/Update Static Account
| Method | Path |
| :----- | :-------------------------- |
| `POST` | `/gcp/static-account/:name` |
This method allows you to create a static account or update an existing static account. See [docs](/docs/secrets/gcp#bindings) for the GCP secrets backend
to learn more about what happens when you create or update a static account.
**If you update a static account's bindings, this will effectively revoke any secrets
generated under this static account.**
### Parameters
- `name` (`string: <required>`): Name of the static account. Cannot be updated.
- `secret_type` (`string: "access_token"`): Type of secret generated for this static account. Accepted values: `access_token`, `service_account_key`. Cannot be updated.
- `service_account_email` (`string: <required>`): Email of the GCP service account to manage. Cannot be updated.
- `bindings` (`string`): Bindings configuration string (expects HCL or JSON format in raw or base64-encoded string). Optional.
- `token_scopes` (`array: []`): List of OAuth scopes to assign to `access_token` secrets generated under this static account (`access_token` static accounts only)
### Sample Payload
```json
{
"secret_type": "access_token",
"service_account_email": "example@mygcpproject.iam.gserviceaccount.com",
"bindings": "...",
"token_scopes": [
"https://www.googleapis.com/auth/cloud-platform",
"https://www.googleapis.com/auth/bigquery"
]
}
```
#### Sample Bindings:
See [bindings format docs](/docs/secrets/gcp#bindings) for more information.
```hcl
resource "//cloudresourcemanager.googleapis.com/projects/mygcpproject" {
roles = [
"roles/viewer"
],
}
resource "//bigquery.googleapis.com/projects/my-project/datasets/mydataset" {
roles = [
"roles/bigquery.dataViewer"
],
}
resource "https://selflink/to/my/resource" {
roles = [
"project/mygcpproject/roles/projcustomrole",
"organizations/myorg/roles/orgcustomrole"
],
}
```
### Sample Request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://127.0.0.1:8200/v1/gcp/static-account/my-token-account
```
## Rotate Static Account Key (`access_token` Static Account Only)
| Method | Path | |
| :----- | :------------------------------ | ------------------------- |
| `POST` | `/gcp/static-account/:name/rotate-key` | `204 (empty body)` |
This will rotate the service account key this static account uses to generate
access tokens. This does not recreate the service account.
### Sample Request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
https://127.0.0.1:8200/v1/gcp/static-account/my-token-account/rotate-key
```
## Read Static Account
| Method | Path |
| :----- | :-------------------------- |
| `GET` | `/gcp/static-account/:name` |
### Parameters
- `name` (`string:<required>`): Name of the static account to read.
This endpoint will only return bindings that are managed through the secrets engine. Bindings
manually managed outside of Vault will not be returned.
### Sample Request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
--request GET \
https://127.0.0.1:8200/v1/gcp/static-account/my-token-account
```
### Sample Response
```json
{
"data": {
"secret_type": "access_token",
"service_account_email": "example@mygcpproject.iam.gserviceaccount.com",
"service_account_project": "mygcpproject",
"bindings": {
"project/mygcpproject": ["roles/viewer"],
"https://selflink/to/my/resource": [
"project/mygcpproject/roles/projcustomrole",
"organizations/myorg/roles/orgcustomrole"
]
},
"token_scopes": ["https://www.googleapis.com/auth/cloud-platform"]
}
}
```
## List Static Accounts
| Method | Path |
| :----- | :--------------------- |
| `LIST` | `/gcp/static-accounts` |
### Sample Request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
--request LIST \
https://127.0.0.1:8200/v1/gcp/static-accounts
```
### Sample Response
```json
{
"data": {
"keys": ["my-token-account", "my-sakey-account"]
}
}
```
## Delete Static Account
This endpoint deletes an existing static account by the given name.
| Method | Path |
| :------- | :-------------------------- |
| `DELETE` | `/gcp/static-account/:name` |
### Parameters
- `name` (`string:<required>`): Name of the static account to delete.
### Sample Request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
https://127.0.0.1:8200/v1/gcp/static-account/my-token-account
```
2018-03-21 19:02:38 +00:00
## Generate Secret (IAM Service Account Creds): OAuth2 Access Token
2021-07-13 16:36:05 +00:00
| Method | Path |
| :------------- | :------------------------------------------ |
| `GET` / `POST` | `/gcp/roleset/:roleset/token` |
| `GET` / `POST` | `/gcp/static-account/:static-account/token` |
| `GET` / `POST` | `/gcp/token/:roleset` (deprecated) |
2018-03-21 19:02:38 +00:00
2021-07-13 16:36:05 +00:00
Generates an OAuth2 token with the scopes defined on the roleset or static account. This OAuth access token can
2018-05-10 20:58:22 +00:00
be used in GCP API calls, e.g. `curl -H "Authorization: Bearer $TOKEN" ...`
2018-03-21 19:02:38 +00:00
2018-09-21 17:31:49 +00:00
Tokens are non-revocable and non-renewable and have a static TTL of an hour. The TTL configured
for the backend (either through the default system TTLs or through the `config/` endpoint)
do not apply.
2018-03-21 19:02:38 +00:00
### Parameters
- `roleset` (`string:<required>`): Name of an roleset with secret type `access_token` to generate access_token under.
2021-07-13 16:36:05 +00:00
- `static-account` (`string:<required>`): Name of the static account with secret type `access_token` to generate access_token under.
2018-03-21 19:02:38 +00:00
### Sample Request
2020-05-21 17:18:17 +00:00
```shell-session
2018-03-21 19:02:38 +00:00
$ curl \
--header "X-Vault-Token: ..." \
--request GET \
2021-07-13 16:36:05 +00:00
https://127.0.0.1:8200/v1/gcp/roleset/my-token-roleset/token
2018-03-21 19:02:38 +00:00
```
### Sample Response
```json
{
2020-01-18 00:18:09 +00:00
"request_id": "<uuid>",
2018-03-21 19:02:38 +00:00
"data": {
2020-01-18 00:18:09 +00:00
"token": "ya29.c.Elp5Be3ga87...",
2018-09-21 17:31:49 +00:00
"expires_at_seconds": 1537400046,
"token_ttl": 3599
2018-03-21 19:02:38 +00:00
},
"wrap_info": null,
"warnings": null,
"auth": null
}
```
## Generate Secret (IAM Service Account Creds): Service Account Key
2021-07-13 16:36:05 +00:00
| Method | Path |
| :------------- | :---------------------------------------- |
| `GET` / `POST` | `/gcp/roleset/:roleset/key` |
| `GET` / `POST` | `/gcp/static-account/:static-account/key` |
| `GET` / `POST` | `/gcp/key/:roleset` (deprecated) |
2018-03-21 19:02:38 +00:00
2020-01-18 00:18:09 +00:00
If using `GET` ('read'), the optional parameters will be set to their defaults. Use `POST` if you
2018-03-21 19:02:38 +00:00
want to specify different values for these params.
These keys are renewable and have TTL/max TTL as defined by either the backend config
2018-05-10 20:58:22 +00:00
or the system default if config was not defined.
2018-03-21 19:02:38 +00:00
### Parameters
- `roleset` (`string:<required>`): Name of an roleset with secret type `service_account_key` to generate key under.
2021-07-13 16:36:05 +00:00
- `static-account` (`string:<required>`): Name of an static account with secret type `service_account_key` to generate key under.
2018-05-10 20:58:22 +00:00
- `key_algorithm` (`string:"KEY_ALG_RSA_2048"`): Key algorithm used to generate key. Defaults to 2k RSA key
2020-01-18 00:18:09 +00:00
You probably should not choose other values (i.e. 1k), but accepted values are
`enum(`[`ServiceAccountKeyAlgorithm`](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys#ServiceAccountKeyAlgorithm)`)`
2018-03-21 19:02:38 +00:00
- `key_type` (`string:"TYPE_GOOGLE_CREDENTIALS_FILE`): Private key type to generate. Defaults to JSON credentials file.
2020-01-18 00:18:09 +00:00
Accepted values are `enum(`[`ServiceAccountPrivateKeyType`](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys#ServiceAccountPrivateKeyType)`)`
2020-01-24 01:54:28 +00:00
- `ttl` (`string: ""`): Specifies the Time To Live value provided as a string duration with time suffix. If not set, uses the system default value.
2018-03-21 19:02:38 +00:00
2018-05-10 20:58:22 +00:00
### Sample Payload
2020-01-18 00:18:09 +00:00
2018-03-21 19:02:38 +00:00
```json
{
"key_algorithm": "TYPE_GOOGLE_CREDENTIALS_FILE",
"key_type": "KEY_ALG_RSA_2048"
}
```
### Sample Request
2020-05-21 17:18:17 +00:00
```shell-session
2018-03-21 19:02:38 +00:00
$ curl \
--header "X-Vault-Token: ..." \
--request GET \
2021-07-13 16:36:05 +00:00
https://127.0.0.1:8200/v1/gcp/roleset/my-key-roleset/key
2018-03-21 19:02:38 +00:00
```
2020-05-21 17:18:17 +00:00
```shell-session
2018-03-21 19:02:38 +00:00
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
2021-07-13 16:36:05 +00:00
https://127.0.0.1:8200/v1/gcp/roleset/my-key-roleset/key
2018-03-21 19:02:38 +00:00
```
### Sample Response
```json
{
2020-01-18 00:18:09 +00:00
"request_id": "<uuid>",
2021-07-13 16:36:05 +00:00
"lease_id": "gcp/roleset/my-key-roleset/key/<uuid>",
2020-01-18 00:18:09 +00:00
"renewable": true,
"lease_duration": 3600,
2018-03-21 19:02:38 +00:00
"data": {
2020-01-18 00:18:09 +00:00
"private_key_data": "<base64-encoded private key data>",
2018-03-21 19:02:38 +00:00
"key_algorithm": "TYPE_GOOGLE_CREDENTIALS_FILE",
2018-05-10 20:58:22 +00:00
"key_type": "KEY_ALG_RSA_2048"
2018-03-21 19:02:38 +00:00
},
"wrap_info": null,
"warnings": null,
"auth": null
}
```
## Revoking/Renewing Secrets
2020-01-22 20:05:41 +00:00
See docs on how to [renew](/api/system/leases#renew-lease) and [revoke](/api/system/leases#revoke-lease) leases.
2018-09-21 17:31:49 +00:00
Note this only applies to service account keys.