Setting up Vault with the GCP auth method and the GCP secrets backend
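#! /bin/bash
#
# based on https://medium.com/google-cloud/vault-auth-and-secrets-on-gcp-51bd7bbaceb
#
# Walks through enabling Vault's GCP auth method and GCP secrets engine
# against the project currently selected in `gcloud config`.
#
# Requires: gcloud, gsutil and vault on PATH, with the vault CLI already
# pointed at an unsealed server and holding a token that may enable and
# configure auth methods and secrets engines.
# Side effects: creates two service accounts and downloads one key for each
# (vault-svc.json, generic-svc.json in the current directory), grants
# project-level IAM roles, creates a GCS bucket, writes gcs.hcl, and
# enables/configures the gcp auth method and gcp secrets engine in Vault.
#
# Every step depends on the one before it, so stop at the first failure,
# on any unset variable, and on a failing pipeline stage.
set -euo pipefail

# The key files written below are long-lived service-account credentials.
# Restrict them to the current user at creation time; remove them once they
# have been loaded into Vault, and never commit them.
umask 077

################################################################
# setup GCP
################################################################
PROJECT_ID=$(gcloud config get-value core/project)
# Refuse to continue with an empty project: every IAM binding and service
# account e-mail below is derived from it.
if [[ -z "$PROJECT_ID" || "$PROJECT_ID" == "(unset)" ]]; then
  printf 'error: no gcloud project selected (gcloud config set project ...)\n' >&2
  exit 1
fi
# PROJECT_NUMBER is not used by the rest of this script.
PROJECT_NUMBER=$(gcloud projects describe \
  "$PROJECT_ID" --format="value(projectNumber)")
readonly PROJECT_ID PROJECT_NUMBER

# Service account Vault itself uses to talk to GCP (auth method and secrets
# engine share it).
VAULT_SERVICE_ACCOUNT="vault-svc-account@${PROJECT_ID}.iam.gserviceaccount.com"
readonly VAULT_SERVICE_ACCOUNT
gcloud iam service-accounts create vault-svc-account \
  --display-name "Vault Service Account"
gcloud iam service-accounts keys create vault-svc.json \
  --iam-account="$VAULT_SERVICE_ACCOUNT"

# Project-level roles granted to the Vault service account.
# https://www.vaultproject.io/docs/auth/gcp.html#required-gcp-permissions
for role in \
  roles/iam.serviceAccountAdmin \
  roles/iam.serviceAccountKeyAdmin \
  roles/compute.viewer \
  roles/storage.admin; do
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:${VAULT_SERVICE_ACCOUNT}" \
    --role="$role"
done

################################################################
# Setup vault AUTH
################################################################
# Service account that will log in to Vault through the gcp auth method.
GENERIC_SERVICE_ACCOUNT="generic-svc-account@${PROJECT_ID}.iam.gserviceaccount.com"
readonly GENERIC_SERVICE_ACCOUNT
gcloud iam service-accounts create generic-svc-account \
  --display-name "Generic Service Account"
gcloud iam service-accounts keys create ./generic-svc.json \
  --iam-account="$GENERIC_SERVICE_ACCOUNT"

# The logging-in account must be able to sign JWTs as itself.
# https://www.vaultproject.io/docs/auth/gcp.html#permissions-for-authenticating-against-vault
gcloud iam service-accounts \
  add-iam-policy-binding "$GENERIC_SERVICE_ACCOUNT" \
  --member="serviceAccount:${GENERIC_SERVICE_ACCOUNT}" \
  --role=roles/iam.serviceAccountTokenCreator

vault auth enable gcp
vault write auth/gcp/config credentials=@vault-svc.json
# `superuser` is whatever Vault policy of that name exists; this script
# does not create it. Only the one bound service account may use the role.
vault write auth/gcp/role/my-iam-role \
  type="iam" \
  policies="superuser" max_jwt_exp=60m \
  bound_service_accounts="$GENERIC_SERVICE_ACCOUNT"
# NOTE: `vault login` stores the returned token in the CLI token helper, so
# everything after this line runs with the my-iam-role token rather than the
# operator token used so far; its policy must allow the secrets setup below.
vault login -method=gcp \
  role="my-iam-role" \
  service_account="$GENERIC_SERVICE_ACCOUNT" \
  project="$PROJECT_ID" \
  jwt_exp="15m" \
  credentials=@generic-svc.json

################################################################
# Setup vault Secrets
################################################################
# ##### setup vault
vault secrets enable gcp
vault write gcp/config credentials=@vault-svc.json

export BUCKET="${PROJECT_ID}-bucket"
gsutil mb "gs://${BUCKET}"

# Bindings Vault will grant to the service accounts it generates: read-only
# object access on the new bucket. $BUCKET is expanded on purpose.
cat <<EOF > gcs.hcl
resource "buckets/$BUCKET" {
roles = ["roles/storage.objectViewer"]
}
EOF

# Roleset that hands out short-lived OAuth access tokens.
vault write gcp/roleset/my-token-roleset \
  project="$PROJECT_ID" \
  secret_type="access_token" \
  token_scopes="https://www.googleapis.com/auth/cloud-platform" \
  bindings=@gcs.hcl
vault read gcp/token/my-token-roleset

## to view svc accounts
# gcloud iam service-accounts list --format="value(email)"

# Roleset that hands out service-account keys. The project is the same one
# as everywhere else in this script (the original hard-coded a different,
# personal project name here).
vault write gcp/roleset/my-key-roleset \
  project="$PROJECT_ID" \
  secret_type="service_account_key" \
  bindings=@gcs.hcl
vault read gcp/key/my-key-roleset

## to view svc accounts
## gcloud iam service-accounts list --format="value(email)"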