Docs: GCP SA clarity. Resolved merge conflict. Closes: #12231. (#16787)

aphorise 2022-09-06 14:11:34 +02:00 committed by GitHub
parent aab9c50577
commit e2805311be
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 19 additions and 4 deletions


@ -31,9 +31,10 @@ repository.
### Via the CLI Helper
Vault includes a CLI helper that obtains a signed JWT locally and sends the
request to Vault. This helper is only available for IAM-type roles.
request to Vault.
```shell-session
# Authentication to vault outside of Google Cloud
$ vault login -method=gcp \
role="my-role" \
service_account="authenticating-account@my-project.iam.gserviceaccount.com" \
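Review bot: dropping "This helper is only available for IAM-type roles." silently widens the documented scope of the CLI helper; if the helper now also works for `gce` roles (which the "inside of Google Cloud" example added in the following hunk implies), state that explicitly in this paragraph, for example "The helper supports both `iam` and `gce` roles." Also capitalize "Vault" in the new comment `# Authentication to vault outside of Google Cloud` to match the rest of the page.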
@ -41,8 +42,16 @@ $ vault login -method=gcp \
credentials=@path/to/signer/credentials.json
```
```shell-session
# Authentication to vault inside of Google Cloud
$ vault login -method=gcp role="my-role"
```
For more usage information, run `vault auth help gcp`.
-> **Note:** The `project` parameter has been removed in Vault 1.5.9+, 1.6.5+, and 1.7.2+.
It is no longer needed for configuration and will be ignored if provided.
### Via the CLI
```shell-session
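Review bot: the new "inside of Google Cloud" example gives only `role="my-role"` and omits `service_account` and `credentials`, but nothing tells the reader what that relies on; add one sentence above the block saying which role type it applies to and that it depends on the instance or pod having an attached service account the helper can obtain a token for, otherwise readers will try it in the wrong setup and get an opaque failure. Capitalize "Vault" in `# Authentication to vault inside of Google Cloud` as well.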
@ -76,7 +85,7 @@ management tool.
$ vault auth enable gcp
```
1. Configure the auth method credentials:
1. Configure the auth method credentials if Vault is not running on Google Cloud:
```text
$ vault write auth/gcp/config \
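Review bot: making this step conditional ("if Vault is not running on Google Cloud") leaves the other branch undocumented; when Vault is running on Google Cloud and this step is skipped, say what credentials the server uses instead and what permissions its attached service account needs, so the reader can judge whether skipping is correct for their deployment. Also this block is fenced as ```text while the other command blocks on the page use ```shell-session; use one style.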
@ -197,6 +206,10 @@ If you are using Group Aliases as described below, you will also need to add the
#### Permissions For Authenticating Against Vault
If you are authenticating to Vault from Google Cloud, you can skip the following step as
Vault will generate and present the identity token of the service account configured
on the instance or the pod.
Note that the previously mentioned permissions are given to the _Vault servers_.
The IAM service account or GCE instance that is **authenticating against Vault**
must have the following role:
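Review bot: "Vault will generate and present the identity token of the service account" names the wrong actor; the identity token is issued by the Google Cloud instance metadata service for the attached service account, and the Vault CLI helper fetches it and presents it to the Vault server (the hunk at -349 describes the same flow more accurately as Vault "automatically discover[ing] the identity token"). Reword to "the Vault CLI helper obtains the instance identity token from the metadata service and presents it to Vault", and say which login type this skip applies to, since the role below is only relevant where a JWT has to be signed.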
@ -262,8 +275,8 @@ for IAM service accounts looks like this:
### GCE Login
GCE login only applies to roles of type `gce` and **must be completed on an
instance running in GCE**. These steps will not work from your local laptop or
another cloud provider.
infrastructure running on Google Cloud**. These steps will not work from your
local laptop or another cloud provider.
[![Vault Google Cloud GCE Login Workflow](/img/vault-gcp-gce-auth-workflow.svg)](/img/vault-gcp-gce-auth-workflow.svg)
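Review bot: the first sentence still says "GCE login only applies to roles of type `gce`", but the rewritten text now says it must run on "infrastructure running on Google Cloud", which is broader than GCE and can be read to include services that have no instance identity token. Either confirm which non-GCE environments are supported for `gce` roles (the hunk at -197 mentions "the pod", so GKE at least seems intended) and name them, or keep the wording scoped to GCE instances.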
@ -349,6 +362,8 @@ Read more on the
### GCE
You can autogenerate this token in Vault versions 1.8.2 or higher.
GCE tokens **can only be generated from a GCE instance**.
1. Vault can automatically discover the identity token on a GCE/GKE instance. This simplifies
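Review bot: "GCE tokens **can only be generated from a GCE instance**" is contradicted two lines later by the new item saying the token is discovered "on a GCE/GKE instance"; align the two, and since GKE nodes are themselves GCE instances, say whether the pod's or the node's service account identity is used (the -197 hunk says "the instance or the pod"). Also this item says Vault "can automatically discover" the token while -197 says Vault will "generate and present" it; use one consistent description of which component (the CLI helper) obtains the token.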