Storing Your Secret Credentials in HashiCorp Vault for Google Cloud Platform-Based Cloud Connectors
HashiCorp Vault is a cloud-agnostic method for storing and maintaining secret credentials. This article describes how to use Vault's Google Cloud authentication method, with an IAM-type role, to integrate a HashiCorp Vault with a new Cloud Connector based on the Google Cloud Platform (GCP).
You cannot migrate an existing Cloud Connector from GCP Secret Manager to HashiCorp Vault. You must deploy a new Cloud Connector using the Terraform wizard.
Prerequisites
Make sure the following prerequisites are met:
- A HashiCorp Vault cluster has already been created.
- The Vault CLI is downloaded to your local machine.
For information, refer to the HashiCorp Vault documentation.
Integration
Perform the following procedures to integrate a new GCP-based Cloud Connector with an HCP Vault Dedicated cluster that has a public cluster URL.
This article describes how to configure an HCP Vault Dedicated cluster. The procedures may differ for self-managed Vault deployments. For example, for self-managed deployments, instead of logging in to the HashiCorp Cloud Portal, log in to your self-managed Vault FQDN or IP address.
- 1. Set up the HashiCorp Vault and secrets.
To set up the Vault and secrets, perform the following procedure in the HashiCorp Cloud Portal:
- Log in to the HashiCorp Cloud Portal.
- Navigate to your Vault (Vault Dedicated > <Vault Cluster Name> > Launch web UI).
At the bottom of the left-side navigation, set admin as the current namespace.
- From the left-side navigation, select Secrets Engines.
- On the Secrets Engines page, click Enable new engine. The Enable a Secrets Engine page appears.
In the Generic section, click KV.
- Another Enable a Secrets Engine page appears. In the Path field, enter the mount path (for example, secretKV). Click Enable engine. The secrets engine page appears (in this example, the secretKV page). Unless you change the Version option, the engine is KV version 2, which serves secret data from <mount path>/data/<secret name>; this matters for the policy and the API path in the later steps.
- Click Create secret. The Create Secret page appears. In the Path for this secret field, enter the secret name (for example, secretKV). In the Secret data section, add the following three key-value pairs, clicking Add after each one:
- username: your dedicated Cloud Connector deployment username.
- password: your dedicated Cloud Connector deployment password.
- api_key: the value you copied from the API Keys page in the Admin Portal.
- Click Save.
- 2. Enable Vault to authenticate with GCP.
To enable Vault to authenticate with GCP, perform the following procedures in the GCP Console:
- a. Create a service account for Vault to authenticate with GCP.
Instead of using the predefined role as described in this procedure, you can create a custom role and assign only the 5 required permissions: compute.instanceGroups.list, compute.instances.get, iam.serviceAccountKeys.get, iam.serviceAccounts.get, and iam.serviceAccounts.signJwt. (The predefined role carries additional permissions that Vault does not need, so the custom role is the least-privilege option.)
- Log in to the GCP Console.
- From the left-side navigation, select IAM & Admin > Service Accounts.
- Click Create Service Account.
- In the Service account details section:
Service account name: Enter a unique display name for the service account.
GCP generates a service account ID based on this name.
Service account ID: If necessary, change the ID.
You cannot change the ID after the service account is created.
Service account description: (Optional) Enter a description of the service account's purpose.
- Click Create and Continue.
On the Grant this service account access to project page, from the Role drop-down menu, select Service Account Key Admin.
- Click Done to create the service account.
- b. Create a service account key credential file.
- Navigate to IAM & Admin > Service Accounts.
- Select the Vault service account and then click Keys.
- From the Keys page, click Add Key > Create new key.
Select JSON as the Key type, then click Create. The private key downloads to your computer.
- Copy the JSON file to a secure location. You will need this file in the next section. The file is a long-lived private key for the Vault service account: keep it readable only by your own user, never commit it to source control, and delete the local copy once you have uploaded it to Vault in step 3.
- 3. Configure Vault to authenticate GCP service accounts.
To enable GCP to authenticate with Vault, perform the following procedures in the HashiCorp Cloud Portal:
- a. Enable the GCP secrets engine.
- Log in to the HashiCorp Cloud portal and navigate to your Vault (Vault Dedicated > <Vault Cluster Name> > Launch web UI).
- From the left-side navigation, select Secrets Engines.
- On the Secrets Engines page, click Enable new engine. The Enable a Secrets Engine page appears.
In the Cloud section, click Google Cloud.
- Another Enable a Secrets Engine page appears. In the Path field, enter the path (for example,
gcp
). - Click Enable engine.
- b. Configure the GCP authentication method to use the Vault service account credentials.
The GCP authentication method (auth/gcp) is a separate component from the Google Cloud secrets engine enabled in step a: the secrets engine issues GCP credentials out of Vault, whereas the authentication method is what lets the Cloud Connector's GCP identity log in to Vault. If gcp is not yet listed under Authentication methods, enable it there first (Enable new method > Google Cloud).
- From the left-side navigation, select Access > Authentication methods.
- Select gcp. The gcp page opens.
- On the Configuration tab, click Configure. The Configure Google Cloud page appears.
Under Credentials, click Choose File.
- Navigate to and select the service account key file you downloaded in the previous section (VaultServiceAccountKey.json in this example), then save the configuration.
- c. Create a policy file and policy.
You must create a policy that grants the read and list capabilities on your secrets path, and nothing more.
- From the left-side navigation, select Policies > ACL Policies.
- Click Create ACL policy. In the Create ACL Policy dialog box:
- Name: Enter a name for the new policy (for example, gcp-policy).
- Policy: Enter the ACL policy rules as shown below:
# Read permission on the KV secrets path
path "secretKV/*" {
  capabilities = ["read", "list"]
}
where the path is the mount path you entered in Set up the HashiCorp Vault and secrets (in this example, secretKV) and the capabilities are read and list. The trailing * matters: a KV version 2 engine serves secret data from secretKV/data/<secret name> and metadata from secretKV/metadata/<secret name>, so a rule on the bare mount path alone would not grant access to the secret.
- Click Create policy.
- d. Create an access role for an IAM service account.
You must use the Vault CLI to create this role.
- Open the Vault cluster overview page (<Vault Cluster Name> > Overview).
- Under Quick actions, select How to access via > Command Line (CLI), and export the environment variables it shows (cluster address, the admin namespace, and a token).
Enter the following:
vault write auth/gcp/role/<Name of Role> \
    type="iam" \
    policies="<Name of Policy You Created>" \
    bound_service_accounts="<Email of the Cloud Connector VM Service Account>" \
    max_jwt_exp="60m"
where bound_service_accounts is the email address of the GCP service account attached to the Cloud Connector VM, that is, the identity that will sign JWTs to log in to Vault (not the Vault service account created in step 2), and max_jwt_exp is the longest JWT lifetime Vault accepts from that account (the default is 15m). Only the accounts listed in bound_service_accounts can use the role, so list exactly the accounts that need the secret. For example:
vault write auth/gcp/role/cc-vm-service-account \
    type="iam" \
    policies="gcp-policy" \
    bound_service_accounts="cc-vm-service-account@cc-abc-123456.iam.gserviceaccount.com" \
    max_jwt_exp="60m"
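The following script is an added example, not code from Zscaler or HashiCorp: it is the Vault CLI equivalent of steps 1 through 3 above (KV engine and secret, GCP auth method and its credentials, policy, IAM-type role), with a check that the policy actually covers the KV v2 data path before anything is written, and a login test to run from the Cloud Connector VM. The mount, secret, policy and role names and the service account email are the article's example values; VaultServiceAccountKey.json, the CC_USERNAME, CC_PASSWORD and CC_API_KEY variables, and the DRY_RUN switch are assumptions introduced here. It expects VAULT_ADDR, VAULT_TOKEN and VAULT_NAMESPACE=admin to be exported as shown by the cluster's CLI quick action.

```shell
#!/usr/bin/env bash
# Added example (not Zscaler's or HashiCorp's script): CLI form of steps 1-3 of the
# article. Names below are the article's example values and are assumptions.
set -euo pipefail

MOUNT="${MOUNT:-secretKV}"                    # KV engine mount path (step 1)
SECRET="${SECRET:-secretKV}"                  # secret name inside the mount (step 1)
POLICY="${POLICY:-gcp-policy}"                # ACL policy name (step 3c)
ROLE="${ROLE:-cc-vm-service-account}"         # auth/gcp role name (step 3d)
CC_SA="${CC_SA:-cc-vm-service-account@cc-abc-123456.iam.gserviceaccount.com}"
VAULT_SA_KEY="${VAULT_SA_KEY:-VaultServiceAccountKey.json}"  # key file from step 2b
DRY_RUN="${DRY_RUN:-0}"                       # DRY_RUN=1 prints commands instead of running them

# Run a command, or print it when DRY_RUN=1.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# KV v2 serves secret data from <mount>/data/<name>; this is the "full API path"
# the Terraform wizard asks for in step 4.
kv2_data_path() { printf '%s/data/%s' "$1" "$2"; }

# Escape a value for use inside a JSON string (backslash and double quote).
json_escape() { local s="$1"; s=${s//\\/\\\\}; s=${s//\"/\\\"}; printf '%s' "$s"; }

# Build the secret body from environment variables so the values never appear
# on a command line (shell history, process list).
secret_json() {
  : "${CC_USERNAME:?set CC_USERNAME}" "${CC_PASSWORD:?set CC_PASSWORD}" "${CC_API_KEY:?set CC_API_KEY}"
  printf '{"username":"%s","password":"%s","api_key":"%s"}\n' \
    "$(json_escape "$CC_USERNAME")" "$(json_escape "$CC_PASSWORD")" "$(json_escape "$CC_API_KEY")"
}

# The ACL from step 3c: read and list under the mount only. The trailing "*"
# covers the KV v2 data/ and metadata/ sub-paths.
render_policy() {
  cat <<EOF
# Read permission on the KV secrets mounted at $1
path "$1/*" {
  capabilities = ["read", "list"]
}
EOF
}

# Minimal model of Vault ACL path matching: a trailing "*" is a prefix glob,
# anything else must match exactly. Used to sanity-check the policy before writing it.
policy_covers() {  # policy_covers <policy path> <api path>
  local pat="$1" api="$2"
  if [ "${pat%\*}" != "$pat" ]; then
    case "$api" in "${pat%\*}"*) return 0 ;; esac
    return 1
  fi
  [ "$pat" = "$api" ]
}

setup() {
  local data_path
  data_path="$(kv2_data_path "$MOUNT" "$SECRET")"
  policy_covers "$MOUNT/*" "$data_path" || { echo "policy does not cover $data_path" >&2; return 1; }

  # Step 1: KV v2 engine and the secret ("-" makes kv put read JSON from stdin).
  run vault secrets enable -path="$MOUNT" -version=2 kv
  secret_json | run vault kv put "$MOUNT/$SECRET" -

  # Step 3a/3b: GCP auth method and Vault's own GCP credentials.
  run vault auth enable gcp
  run vault write auth/gcp/config credentials=@"$VAULT_SA_KEY"

  # Step 3c: policy from stdin.
  render_policy "$MOUNT" | run vault policy write "$POLICY" -

  # Step 3d: IAM-type role bound only to the Cloud Connector VM's service account.
  run vault write "auth/gcp/role/$ROLE" type=iam policies="$POLICY" \
    bound_service_accounts="$CC_SA" max_jwt_exp=60m

  echo "API path for the Terraform wizard: $data_path"
}

# Run on the Cloud Connector VM (where the CC service account is the application
# default credential) to prove the role and policy work end to end.
verify_login() {
  run vault login -method=gcp role="$ROLE" service_account="$CC_SA"
  run vault kv get -field=username "$MOUNT/$SECRET"
}

case "${1:-}" in
  setup)  setup ;;
  verify) verify_login ;;
esac
```

Preview the commands with `DRY_RUN=1 ./vault-cc-setup.sh setup` (the secret values are not printed in that mode), run it for real with the three CC_* variables exported, then run `./vault-cc-setup.sh verify` from the Cloud Connector VM; a login that succeeds but cannot read the secret points at the policy path, a login that fails points at bound_service_accounts or the Vault service account's permissions.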
- 4. Gather information for the Terraform deployment wizard.
Gather the following information to respond to the Terraform deployment wizard prompts.
- From the HashiCorp Cloud Portal:
- Cluster Public URL. Navigate to your Vault cluster page, and in the Cluster URLs section, click Public.
- Full API path for the secret. Navigate to your secret page. The API path is displayed in the Paths section (for the KV version 2 example above, secretKV/data/secretKV).
- Name of the access role you created for an IAM service account.
- From the Google Cloud Console (if you answered that you already have a service account when prompted by the Terraform wizard):
- Email of the service account the Cloud Connector VM will run as, shown on that service account's details page. This must be one of the accounts you listed in bound_service_accounts, and you must have access to the service account to see this information.