HashiCorp Vault GCP Secrets Engine

Marco Urrea
5 min read · Mar 5, 2020

This is a hands-on tutorial on how to enable Google’s GCP Secrets engine in HashiCorp Vault.

HashiCorp Vault and GCP

Requirements:

  • Download and install HashiCorp Vault, link here.
  • A GCP account.

GCP: Setting Up a Service Account

  1. Go to the GCP Dashboard
  2. Create or select an existing project. For this example, I created a project named Medium-Vault-GCP.
Note: Make sure to select your target project after it's created.

Take note of the Project ID; it is needed in the next section.

3. In the left sidebar of your project, click IAM & Admin followed by Service Accounts.

Project Sidebar IAM & Admin options

4. In the horizontal navigation bar, click Create Service Account. Provide a Service account name and, optionally, a Service account description, then click Create.

5. In step number 2, assign the following Roles to the service account and click Continue.

6. Click Create Key, leave the Key type as JSON and click Create. A pop-up appears and a file with the credentials is downloaded; store it in a secure location, close the pop-up and click the DONE button below Create Key.

Note: Rename the output file to my-credentials.json

Enabling APIs

  1. Replace <project-id> in the URL below with your Project ID (noted in the previous section, just above step 3). Open the page and enable the Identity and Access Management (IAM) API. Wait a few seconds to let the change finish propagating.
https://console.developers.google.com/apis/library/iam.googleapis.com?project=<project-id>

2. Repeat the same steps with the following URL, again replacing <project-id> with yours, to enable the Cloud Resource Manager API. Wait a few seconds to let the change finish propagating.

https://console.developers.google.com/apis/library/cloudresourcemanager.googleapis.com?project=<project-id>&pli=1

Note: The steps in this section are mandatory; otherwise, the commands in the next section will fail with errors.

HashiCorp Vault: GCP Secrets Engine

  1. Start your Vault server and make sure the CLI is pointed at its API address.
  2. Once the Vault server is running, enable the Google Cloud secrets engine from another terminal with the following command:
vault secrets enable gcp

Output:

Success! Enabled the gcp secrets engine at: gcp/

If you sign in to your Vault UI, usually located at http://127.0.0.1:8200, you should see something like this. Notice the GCP secrets engine listed at the bottom.

Notice that the GCP secrets engine is grayed out: its UI is not supported yet.

3. In the last step of the Service Account section, we renamed the downloaded file to my-credentials.json. We use it in this step to give Vault the credentials it needs:

vault write gcp/config credentials=@my-credentials.json

Output:

Success! Data written to: gcp/config

4. A roleset determines the permissions that the service account credentials generated by Vault will have on GCP. Replace the value of project and the project in resource with your Project ID from the first section, in this case “medium-vault-gcp”.

Code of the roleset to generate OAuth2 Access Tokens:

vault write gcp/roleset/my-token-roleset \
    project="medium-vault-gcp" \
    secret_type="access_token" \
    token_scopes="https://www.googleapis.com/auth/cloud-platform" \
    bindings=-<<EOF
resource "//cloudresourcemanager.googleapis.com/projects/medium-vault-gcp" {
  roles = ["roles/viewer"]
}
EOF

Output:

Success! Data written to: gcp/roleset/my-token-roleset

5. Next, configure a roleset that generates GCP service account keys. As before, replace the value of project and the project in resource with your Project ID from the first section, in this case “medium-vault-gcp”.

Code of the roleset to generate GCP Service Account Keys:

vault write gcp/roleset/my-key-roleset \
    project="medium-vault-gcp" \
    secret_type="service_account_key" \
    bindings=-<<EOF
resource "//cloudresourcemanager.googleapis.com/projects/medium-vault-gcp" {
  roles = ["roles/viewer"]
}
EOF

Output:

Success! Data written to: gcp/roleset/my-key-roleset

Generating Access Tokens

To generate an access token, run the following command:

vault read gcp/token/my-token-roleset

Output:

Key                   Value
---                   -----
expires_at_seconds    1583441370
token                 ya29.c.Ko8BwQc…
token_ttl             59m58s

  • The expires_at_seconds key is a Unix timestamp.
  • The token_ttl (Time to Live) is given in minutes and seconds.
  • The token can be used as an HTTP Authorization Bearer header in a request to a GCP API:

Illustrative example (the GCP API URL is omitted):

curl -H "Authorization: Bearer ya29.c.Ko8BwQc…"

Generating Service Account Keys

To generate a service account key, run the following command:

vault read gcp/key/my-key-roleset

Output:

Key                   Value
---                   -----
lease_id              gcp/key/my-key-roleset/q9YDn...
lease_duration        768h
lease_renewable       true
key_algorithm         KEY_ALG_RSA_2048
key_type              TYPE_GOOGLE_CREDENTIALS_FILE
private_key_data      ewogICJ0eXBlIjogInNlcnZf....

This generated a new GCP IAM service account key associated with the roleset’s service account. The service account will be deleted when the lease expires or is revoked.

Note: GCP allows only 10 keys per service account.
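A small script for consuming the two reads above (the token read and the key read), added here as an example that is not part of the original article. It assumes `vault read -format=json`, which returns the table's fields under a `data` key with `lease_duration` in seconds, and it works on constructed sample output instead of real credentials: the token is checked against `expires_at_seconds` before being turned into a Bearer header, and `private_key_data` is decoded into the credentials-file JSON that GCP client libraries expect.

```python
import base64
import json
import time

# Constructed sample of `vault read -format=json gcp/token/my-token-roleset`.
# Field names match the page's table; the token value is made up.
SAMPLE_TOKEN_READ = json.dumps({"data": {
    "expires_at_seconds": 1583441370,
    "token": "ya29.c.EXAMPLE-NOT-A-REAL-TOKEN",
    "token_ttl": 3598,
}})

# Constructed sample of `vault read -format=json gcp/key/my-key-roleset`.
# private_key_data is base64 of a GCP credentials JSON, which is why the page's
# real value starts with "ewogICJ0eXBlIjogInNlcnZ" (decodes to {"type": "serv...).
_FAKE_CREDS = {"type": "service_account", "project_id": "medium-vault-gcp",
               "client_email": "example@medium-vault-gcp.iam.gserviceaccount.com",
               "private_key": "-----BEGIN PRIVATE KEY-----\nFAKE\n-----END PRIVATE KEY-----\n"}
SAMPLE_KEY_READ = json.dumps({
    "lease_id": "gcp/key/my-key-roleset/EXAMPLE", "lease_duration": 2764800,  # 768h
    "renewable": True,
    "data": {"key_algorithm": "KEY_ALG_RSA_2048", "key_type": "TYPE_GOOGLE_CREDENTIALS_FILE",
             "private_key_data": base64.b64encode(json.dumps(_FAKE_CREDS).encode()).decode()},
})

def seconds_until_expiry(token_read, now=None):
    """Remaining lifetime of the token, from expires_at_seconds (a Unix timestamp)."""
    data = json.loads(token_read)["data"]
    now = int(time.time()) if now is None else now
    return int(data["expires_at_seconds"]) - now

def bearer_header(token_read, now=None, min_remaining=60):
    """Authorization header for a GCP API request; refuse a token that is nearly expired."""
    if seconds_until_expiry(token_read, now) < min_remaining:
        raise RuntimeError("token expires too soon; read gcp/token/<roleset> again")
    return {"Authorization": "Bearer " + json.loads(token_read)["data"]["token"]}

def decode_key_data(key_read):
    """Turn private_key_data into the credentials-file dict GCP client libraries expect."""
    data = json.loads(key_read)["data"]
    if data["key_type"] != "TYPE_GOOGLE_CREDENTIALS_FILE":
        raise ValueError("unexpected key_type: " + data["key_type"])
    creds = json.loads(base64.b64decode(data["private_key_data"]))
    if creds.get("type") != "service_account":
        raise ValueError("decoded blob is not a service-account credentials file")
    return creds
```

When writing the decoded credentials to disk, give the file owner-only permissions and let the Vault lease, not the file, govern how long the key lives.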

Additional notes:

For some reason, the GCP secrets engine is grayed out in the Vault UI. I will come back later with an answer when I can figure it out.

A: Currently the UI only supports a limited number of secret engines and GCP has not made it to the list yet.

https://github.com/hashicorp/vault/blob/master/ui/app/helpers/supported-secret-backends.js#L3

Finally, if you liked the article, please hit the follow button and leave lots of claps!

Marco Urrea

DevOps engineer at DigitalOnUs with a background in cloud computing, automation, and data integration. I’m also a fitness nerd into comic books, and traveling.