@crizstian
Created May 28, 2020 21:14
example of dynamic secrets with vault gcp engine
resource "vault_gcp_secret_roleset" "roleset" {
  # created only when dynamic GCP secrets are enabled; the backend uses the same switch
  count   = var.enable_gcp_dynamic_secret ? 1 : 0
  backend = vault_gcp_secret_backend.gcp[0].path
  roleset = "devops"

  # "access_token" hands out short-lived OAuth2 tokens instead of long-lived service account keys
  secret_type  = "access_token"
  project      = "gcp-vault-admin"
  token_scopes = ["https://www.googleapis.com/auth/cloud-platform"]

  # to be done: set the appropriate bindings
  binding {
    resource = "//cloudresourcemanager.googleapis.com/projects/gcp-vault-admin"

    # to be done: set the appropriate roles (these are granted to the service account Vault creates for the roleset)
    roles = [
      "roles/billing.projectManager",
      "roles/cloudfunctions.developer",
      "roles/cloudkms.admin",
      "roles/cloudsql.admin",
      "roles/compute.admin",
      "roles/container.admin",
      "roles/container.clusterAdmin",
      "roles/datalabeling.admin",
      "roles/dns.reader",
      "roles/gkehub.admin",
      "roles/iam.roleViewer",
      "roles/networkmanagement.admin",
      "roles/orgpolicy.policyViewer",
      "roles/recommender.computeAdmin",
      "roles/recommender.firewallAdmin",
      "roles/run.admin",
      "roles/servicenetworking.networksAdmin",
      "roles/storage.admin",
    ]
  }
}
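The roleset above points at a `vault_gcp_secret_backend.gcp` mount that the gist does not show. Here is an added companion (not part of the gist) with that mount and the Vault policy a consumer needs to request the roleset's token; the `enable_gcp_dynamic_secret` switch is the gist's, while the `gcp_credentials_json` variable and the policy name are assumptions for this example.

```hcl
# The GCP secrets engine mount the roleset refers to. The credentials are the JSON
# key of the service account Vault itself uses to create and bind the roleset's
# service account; the variable name is an assumption for this example.
resource "vault_gcp_secret_backend" "gcp" {
  count       = var.enable_gcp_dynamic_secret ? 1 : 0
  path        = "gcp"
  credentials = var.gcp_credentials_json

  # GCP access tokens expire after at most one hour and are not renewable,
  # so a max lease longer than that buys nothing.
  default_lease_ttl_seconds = 900
  max_lease_ttl_seconds     = 3600
}

# Policy for whatever consumes the dynamic token: read on the roleset's token
# endpoint only, nothing else on the mount. The policy name is an assumption.
resource "vault_policy" "devops_gcp_token" {
  count  = var.enable_gcp_dynamic_secret ? 1 : 0
  name   = "devops-gcp-token"
  policy = <<-EOT
    # issue a short-lived access token for the "devops" roleset
    path "gcp/roleset/devops/token" {
      capabilities = ["read"]
    }
  EOT
}
```

A client holding that policy runs `vault read gcp/roleset/devops/token`; the token it receives carries only the roles bound on the roleset and cannot be renewed, so it must be re-read when it expires.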