- Download and install HashiCorp Vault. See how here.
- Start the dev server:
    vault server -dev
- Export the server address so the CLI can find it:
    export VAULT_ADDR='http://127.0.0.1:8200'
- Generate a Service Account key Vault can use. It needs these permissions.
- Configure the GCP credentials on Vault (the key file path is a placeholder; point it at the key you generated):
    vault secrets enable gcp
    vault write gcp/config credentials=@<service-account-key>.json
- Create a bindings file. The credentials generated by Vault will have these permissions. Check bindings.hcl.
- Create a roleset with those permissions that generates short-lived OAuth2 access tokens (the parameter is secret_type, with an underscore):
    vault write gcp/roleset/project-factory-roleset \
      project=helical-theater-274414 \
      secret_type="access_token" \
      token_scopes="https://www.googleapis.com/auth/cloud-platform" \
      bindings=@bindings.hcl
  The above will create a new Service Account in your GCP project with the following roles:
  - Compute Admin
  - Kubernetes Engine Admin
  - Service Account User
- You can now read short-lived (1h) OAuth2 tokens:
    vault read gcp/token/project-factory-roleset
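The whole procedure above as one checkable script, added here as an example rather than taken from the original notes. The project ID, roleset name, scope and the three roles are the page's own; everything else is an assumption: the SA_KEY_FILE path, the function names, and the contents of bindings.hcl, which the notes mention but do not show, reconstructed here from the three roles they list.

```shell
#!/bin/sh
# Added example, not part of the original notes: the Vault GCP roleset
# procedure wrapped in functions, plus a bindings.hcl reconstructed from the
# three roles the notes list. Assumed (not from the page): SA_KEY_FILE and
# the function names.
set -eu

PROJECT_ID="helical-theater-274414"
ROLESET="project-factory-roleset"
SA_KEY_FILE="${SA_KEY_FILE:-service-account-key.json}"   # assumed path to the key Vault uses

# Write the least-privilege bindings file. The three roles are exactly the
# ones the notes list; Vault grants them to the service account it creates.
write_bindings_file() {
  out="$1"
  cat > "$out" <<EOF
resource "//cloudresourcemanager.googleapis.com/projects/${PROJECT_ID}" {
  roles = [
    "roles/compute.admin",           # Compute Admin
    "roles/container.admin",         # Kubernetes Engine Admin
    "roles/iam.serviceAccountUser",  # Service Account User
  ]
}
EOF
}

# Count the roles a bindings file grants: a cheap guard against a bindings
# file that quietly grows beyond what this roleset is meant to hand out.
count_roles() {
  grep -c '"roles/' "$1"
}

# Mount the engine and hand Vault the service-account key it will act with.
configure_vault_gcp() {
  vault secrets enable gcp
  vault write gcp/config credentials=@"${SA_KEY_FILE}"
}

# Create the roleset. The parameter is secret_type (underscore), not secret-type.
create_roleset() {
  vault write "gcp/roleset/${ROLESET}" \
    project="${PROJECT_ID}" \
    secret_type="access_token" \
    token_scopes="https://www.googleapis.com/auth/cloud-platform" \
    bindings=@"$1"
}

# Read one short-lived token but print only its remaining lifetime, so the
# token value itself does not end up in terminal scrollback or shell history.
show_token_ttl() {
  vault read -field=token_ttl "gcp/token/${ROLESET}"
}

main() {
  bindings="${1:-bindings.hcl}"
  write_bindings_file "$bindings"
  echo "wrote ${bindings} with $(count_roles "$bindings") roles"
  if command -v vault >/dev/null 2>&1; then
    configure_vault_gcp
    create_roleset "$bindings"
    echo "token valid for: $(show_token_ttl)"
  else
    echo "vault CLI not on PATH; skipping the Vault steps" >&2
  fi
}

main "${1:-}"
```

Run it with VAULT_ADDR exported and the dev server up. Access tokens issued this way are not stored by Vault and cannot be revoked early; they simply expire after the hour, so the bindings file is the control that actually bounds what a leaked token can do. Keep it to the roles listed and treat any extra role appearing in it as a review finding.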