README.md

# Vault Plugin: Google Cloud Platform Auth Backend

This is a standalone backend plugin for use with [HashiCorp Vault](https://www.github.com/hashicorp/vault).
This plugin allows for various GCP entities to authenticate with Vault.
This is currently included in Vault distributions.

Currently, this plugin supports login for:

- IAM service accounts
- GCE Instances

**Please note**: We take Vault's security and our users' trust very seriously. If you believe you have found a security issue in Vault, _please responsibly disclose_ by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com).

## Quick Links

- [Vault Website](https://www.vaultproject.io)
- [GCP Auth BE Docs](https://www.vaultproject.io/docs/auth/gcp.html)
- [Vault Github](https://www.github.com/hashicorp/vault)
- [General Announcement List](https://groups.google.com/forum/#!forum/hashicorp-announce)
- [Discussion List](https://groups.google.com/forum/#!forum/vault-tool)

## Getting Started

This is a [Vault plugin](https://www.vaultproject.io/docs/internals/plugins.html)
and is meant to work with Vault. This guide assumes you have already installed Vault
and have a basic understanding of how Vault works.

Otherwise, first read this guide on how to [get started with Vault](https://www.vaultproject.io/intro/getting-started/install.html).

To learn specifically about how plugins work, see documentation on [Vault plugins](https://www.vaultproject.io/docs/internals/plugins.html).

### Usage

Please see [documentation for the plugin](https://www.vaultproject.io/docs/auth/gcp.html)
on the Vault website.

This plugin is currently built into Vault and by default is accessed
at `auth/gcp`. To enable this in a running Vault server:

```sh
$ vault auth enable gcp
Success! Enabled gcp auth method at: gcp/
```

To see all the supported paths, see the [GCP auth backend docs](https://www.vaultproject.io/docs/auth/gcp.html).

## Developing

Please note that local development is only required if you plan to contribute or
compile this plugin yourself. This plugin is automatically bundled in Vault
installations and is available by default. You do not need to compile it
yourself unless you intend to modify it.

If you wish to work on this plugin, you'll first need
[Go](https://www.golang.org) installed on your machine (version 1.10+ is
*required*).

For local development, first make sure Go is properly installed, including
setting up a [GOPATH](https://golang.org/doc/code.html#GOPATH).
Next, clone this repository into your `GOPATH`:
```sh
$ mkdir -p $GOPATH/src/github.com/hashicorp
$ cd $GOPATH/src/github.com/hashicorp
$ git clone https://github.com/hashicorp/vault-plugin-auth-gcp
$ cd vault-plugin-auth-gcp
```

You can then download any required build tools by bootstrapping your
environment:

```sh
$ make bootstrap
```

To compile a development version of this plugin, run `make` or `make dev`.
This will put the plugin binary in the `bin` and `$GOPATH/bin` folders. `dev`
mode will only generate the binary for your platform and is faster:

```sh
$ make
$ make dev
```

For local development, use Vault's "dev" mode for fast setup:

```sh
$ vault server -dev -dev-plugin-dir="$(pwd)/bin"
```

The plugin will automatically be added to the catalog with the name
"vault-plugin-auth-gcp". Run the following command to enable this new auth
method as a plugin:

```sh
$ vault auth enable -plugin-name="vault-plugin-auth-gcp" -path="gcp" plugin
Success! Enabled vault-plugin-auth-gcp plugin at: gcp/
```

#### Tests

This plugin has comprehensive [acceptance tests](https://en.wikipedia.org/wiki/Acceptance_testing)
covering most of the features of this auth backend.

If you are developing this plugin and want to verify it is still
functioning (and you haven't broken anything else), we recommend
running the acceptance tests.

Acceptance tests typically require other environment variables to be set for
things such as access keys. The test itself should error early and tell
you what to set, so it is not documented here.

**Warning:** The acceptance tests create/destroy/modify *real resources*,
which may incur real costs in some cases. In the presence of a bug,
it is technically possible that broken backends could leave dangling
data behind. Therefore, please run the acceptance tests at your own risk.
At the very least, we recommend running them in their own private
account for whatever backend you're testing.

To run the acceptance tests, you will need a GCP IAM service account with the
permissions listed below. The following steps assume you have
[gcloud][install-gcloud] installed.

1. Save the name of your project as an environment variable for reference:

    ```sh
    $ export GOOGLE_CLOUD_PROJECT=my-project # replace with your project ID
    ```

1. Enable the IAM service on the project:

    ```sh
    $ gcloud services enable --project "${GOOGLE_CLOUD_PROJECT}" \
        cloudresourcemanager.googleapis.com \
        iam.googleapis.com
    ```

1. Create the service account:

    ```sh
    $ gcloud iam service-accounts create vault-tester \
        --display-name vault-tester \
        --project "${GOOGLE_CLOUD_PROJECT}"
    ```

1. Grant the `roles/viewer`, `roles/iam.serviceAccountKeyAdmin` and `roles/iam.serviceAccountTokenCreator` roles to the service account:

    ```sh
    $ gcloud projects add-iam-policy-binding "${GOOGLE_CLOUD_PROJECT}" \
        --member "serviceAccount:vault-tester@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com" \
        --role "roles/viewer"

    $ gcloud projects add-iam-policy-binding "${GOOGLE_CLOUD_PROJECT}" \
        --member "serviceAccount:vault-tester@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com" \
        --role "roles/iam.serviceAccountKeyAdmin"

    $ gcloud projects add-iam-policy-binding "${GOOGLE_CLOUD_PROJECT}" \
        --member "serviceAccount:vault-tester@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com" \
        --role "roles/iam.serviceAccountTokenCreator"
    ```

1. Download the service account key file to local disk:

    ```sh
    $ gcloud iam service-accounts keys create vault-tester.json \
        --iam-account "vault-tester@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com"
    ```

1. Export the credentials to an environment variable:

    ```sh
    $ export GOOGLE_CREDENTIALS="$(cat vault-tester.json)"
    ```
175To run the acceptance tests, invoke `make test`:
176
177```sh
178$ make test
179```
180
181You can also specify a `TESTARGS` variable to filter tests like so:
182
183```sh
184$ make test TESTARGS='--run=TestConfig'
185```
186
187[install-gcloud]: https://cloud.google.com/sdk
188