
Storing Your Secret Credentials in HashiCorp Vault for Google Cloud Platform-Based Cloud Connectors

HashiCorp Vault is a cloud-agnostic method for storing and maintaining secret credentials. This article describes how to use HashiCorp IAM authentication to integrate a HashiCorp Vault with a new Cloud Connector based on the Google Cloud Platform (GCP).

You cannot migrate an existing Cloud Connector from GCP Secret Manager to HashiCorp Vault. You must deploy a new Cloud Connector using the Terraform wizard.

Prerequisites

Make sure the following prerequisites are met:

  • A HashiCorp Vault and Vault cluster have already been created.
  • The Vault CLI is downloaded to your local machine.

For information, refer to the HashiCorp Vault documentation.

Integration

Perform the following procedures to integrate a new GCP-based Cloud Connector with a dedicated public HashiCorp Vault.

This article describes how to configure a dedicated public HashiCorp Vault. The procedures may differ for self-managed Vault deployments. For example, for self-managed deployments, instead of logging in to the HashiCorp Cloud Portal, log in to your self-managed Vault FQDN or IP address.

  • To set up the Vault and secrets, perform the following procedure in the HashiCorp Cloud Portal:

    1. Log in to the HashiCorp Cloud Portal.
    2. Navigate to your Vault (Vault Dedicated > <Vault Cluster Name> > Launch web UI).
    3. At the bottom of the left-side navigation, set admin as the current namespace.

    4. From the left-side navigation, select Secrets Engines.
    5. On the Secrets Engines page, click Enable new engine. The Enable a Secrets Engine page appears.
    6. In the Generic section, click KV.

    7. Another Enable a Secrets Engine page appears. In the Path field, enter the path (for example, secretKV).
    8. Click Enable engine. The secrets engine page appears (in this example, the secretKV page).

    9. Click Create secret. The Create Secret page appears. In the Path for this secret field, enter your path (for example, secretKV).
    10. In the Secret data section fields:

      1. Enter username. For the corresponding value, enter your dedicated Cloud Connector deployment username. Click Add.
      2. Enter password. For the corresponding value, enter your dedicated Cloud Connector deployment password. Click Add.
      3. Enter api_key. For the corresponding value, enter the value you copied from the API Keys page in the Admin Portal.

    11. Click Save.
  • To enable Vault to authenticate with GCP, perform the following procedures in the GCP Console:

    • Instead of using the predefined role as described in this procedure, you can create a custom role and assign the following five required permissions: compute.instanceGroups.list, compute.instances.get, iam.serviceAccountKeys.get, iam.serviceAccounts.get, and iam.serviceAccounts.signJwt. (The predefined role includes additional permissions beyond these five.)

      1. Log in to the GCP Console.
      2. From the left-side navigation, select IAM & Admin > Service Accounts.
      3. Click Create Service Account.
      4. In the Service account details section:
        • Service account name: Enter a unique display name for the service account.

          GCP generates a service account ID based on this name.

        • Service account ID: If necessary, change the ID.

          You cannot change the ID after the service account is created.

        • Service account description: (Optional) Enter a description of the service account's purpose.

      5. Click Create and Continue.
      6. On the Grant this service account access to project page, from the Role drop-down menu, select Service Account Key Admin.

      7. Click Done to create the service account.
      1. Navigate to IAM & Admin > Service Accounts.
      2. Select the Vault service account and then click Keys.
      3. From the Keys page, click Add Key > Create new key.
      4. Select JSON as the Key type, then click Create. The private key downloads to your computer.

      5. Copy the JSON file to a secure location. You will need this file in the next section.
  • To enable GCP to authenticate with Vault, perform the following procedures in the HashiCorp Cloud Portal:

      1. Log in to the HashiCorp Cloud Portal and navigate to your Vault (Vault Dedicated > <Vault Cluster Name> > Launch web UI).
      2. From the left-side navigation, select Secrets Engines.
      3. On the Secrets Engines page, click Enable new engine. The Enable a Secrets Engine page appears.
      4. In the Cloud section, click Google Cloud.

      5. Another Enable a Secrets Engine page appears. In the Path field, enter the path (for example, gcp).
      6. Click Enable engine.
      1. From the left-side navigation, select Access > Authentication methods.
      2. Select gcp. The gcp page opens.
      3. On the Configuration tab, click Configure. The Configure Google Cloud page appears.
      4. Under Credentials, click Choose File.

      5. Navigate to and select the VaultServiceAccountKey.json file you created in the previous section.
    • You must create a policy that grants read and list capabilities to access your secrets path.

      1. From the left-side navigation, select Policies > ACL Policies.
      2. Click Create ACL policy. In the Create ACL Policy dialog box:
        1. Name. Enter a name for the new policy (for example, gcp-policy).
        2. Policy: Enter the ACL policy rules as shown below:

          # Read permission on the k/v secrets
          path "/secretKV/*" {
              capabilities = ["read", "list"]
          }

          where path is the Path for this secret value you provided in Set up the HashiCorp Vault and secrets (in this example, secretKV), and the capabilities are read and list.

        3. Click Create policy.
    • You must use the Vault CLI to create this role.

      1. Open the Vault cluster overview page (<Vault Cluster Name> > Overview).
      2. Under Quick actions, select How to access via > Command Line (CLI).
      3. Enter the following:

        vault write auth/gcp/role/"<Name of Role>" \
           type="iam" \
           policies="<Name of Policy You Created>" \
           bound_service_accounts="<GCP Service Email for Cloud Connector Service Account>" \
           max_jwt_exp="60m"

        where bound_service_accounts is the email address associated with the VM service account you created previously.

        For example:

        vault write auth/gcp/role/cc-vm-service-account \
           type="iam" \
           policies="gcp-policy" \
           bound_service_accounts="cc-vm-service-account@cc-abc-123456.iam.gserviceaccount.com" \
           max_jwt_exp="60m"
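The Vault-side steps of this article (KV engine, secret, ACL policy, GCP auth method and IAM-type role) scripted with the Vault CLI, as an added example that is not Zscaler's or HashiCorp's code. It assumes VAULT_ADDR, VAULT_TOKEN and VAULT_NAMESPACE are exported, that the Cloud Connector credentials are supplied in CC_USERNAME, CC_PASSWORD and CC_API_KEY, and that the KV engine is version 2 (the assumed UI default), whose reads go through <mount>/data/ and therefore need that prefix in the policy path.

```shell
#!/bin/sh
# Added example, not Zscaler's or HashiCorp's code. Assumes VAULT_ADDR, VAULT_TOKEN
# and VAULT_NAMESPACE (admin) are exported; CC_USERNAME, CC_PASSWORD and CC_API_KEY
# hold the Cloud Connector deployment credentials from the Admin Portal.
set -eu

# Render the ACL policy for the KV mount. A version 2 KV engine (the assumed UI
# default) serves secret reads under <mount>/data/..., so the policy must grant
# that path; a version 1 engine uses the bare <mount>/... path from the article.
render_policy() {  # $1 = KV mount path, $2 = KV version (1 or 2)
  if [ "${2:-2}" = 2 ]; then p="$1/data/*"; else p="$1/*"; fi
  printf '# Read permission on the k/v secrets\npath "%s" {\n  capabilities = ["read", "list"]\n}\n' "$p"
}

# Sanity-check the value that goes into bound_service_accounts: a GCP service
# account email is <name>@<project-id>.iam.gserviceaccount.com, both parts
# lowercase, 6-30 characters, starting with a letter.
is_gcp_sa_email() {  # $1 = candidate email
  printf '%s\n' "$1" |
    grep -Eq '^[a-z][-a-z0-9]{5,29}@[a-z][-a-z0-9]{4,28}[a-z0-9]\.iam\.gserviceaccount\.com$'
}

# Apply the whole Vault-side configuration. VAULT can be overridden (for example
# VAULT="echo vault") to print the commands instead of running them.
configure_vault() {  # $1 mount  $2 secret name  $3 policy  $4 role  $5 bound SA email  $6 GCP key JSON
  mount=$1 secret=$2 policy=$3 role=$4 sa=$5 keyfile=$6
  is_gcp_sa_email "$sa" || { echo "not a GCP service account email: $sa" >&2; return 1; }
  [ -r "$keyfile" ] || { echo "cannot read Vault service account key: $keyfile" >&2; return 1; }
  ${VAULT:-vault} secrets enable -path="$mount" kv-v2
  ${VAULT:-vault} kv put "$mount/$secret" \
    username="$CC_USERNAME" password="$CC_PASSWORD" api_key="$CC_API_KEY"
  render_policy "$mount" 2 | ${VAULT:-vault} policy write "$policy" -
  ${VAULT:-vault} auth enable gcp
  ${VAULT:-vault} write auth/gcp/config credentials=@"$keyfile"
  ${VAULT:-vault} write "auth/gcp/role/$role" type=iam policies="$policy" \
    bound_service_accounts="$sa" max_jwt_exp=60m
  # Run from the Cloud Connector VM, the login below proves the role end to end:
  # the VM's own identity signs the JWT and only the bound account is accepted.
  echo "verify on the VM: vault login -method=gcp role=$role && vault kv get $mount/$secret"
}
```

Run configure_vault once with VAULT="echo vault" to review the exact commands before letting it touch the cluster.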
  • Gather the following information to respond to Terraform deployment wizard prompts.
