Hashicorp Vault for GCP Service Accounts
Hashicorp Vault has two cool products that work alongside Vault. A Vault Agent that can talk to the Vault. And a secrets engine.
Google Cloud Vault secrets engine
- This engine can dynamically generate Google Cloud service account keys (as well as OAuth tokens) based on IAM policies.
- This enables users to gain access to Google Cloud resources without needing to create or manage long running service accounts.
The benefits of using this secrets engine to manage Google Cloud IAM service accounts are:
-
Automatic cleanup of GCP IAM service account keys - each Service Account key is associated with a Vault lease. When the lease expires (either during normal revocation or through early revocation), the service account key is automatically revoked.
-
Quick, short-term access - users do not need to create new GCP Service Accounts for short-term or one-off access (such as batch jobs or quick introspection).
-
Multi-cloud and hybrid cloud applications - users authenticate to Vault using a central identity service (such as LDAP) and generate GCP credentials without the need to create or manage a new Service Account for that user.
Leave a Reply