Retrieve a time-limited OAuth2 access token for an impersonated account from a HashiCorp Vault GCP Secrets Backend
planetscale/vault-gcp-creds-buildkite-plugin
Vault GCP Credentials Buildkite Plugin

Retrieve a time-limited OAuth2 access token for an impersonated account from a HashiCorp Vault GCP Secrets Backend

The plugin expects a VAULT_TOKEN to already be set in the environment. The vault-oidc-auth plugin is an ideal companion to use with this plugin.

Example

Add the following to your pipeline.yml:

steps:
  - command: ./run_build.sh
    plugins:
      - planetscale/vault-gcp-creds#v1.1.1:
          vault_addr: "https://my-vault-server"   # required
          path: "gcp"                             # optional. default "gcp"
          account_name: "my-pipeline"             # optional. default "bk-$BUILDKITE_PIPELINE_SLUG"
          env_var: "CLOUDSDK_AUTH_ACCESS_TOKEN"   # optional. default "CLOUDSDK_AUTH_ACCESS_TOKEN"

If authentication is successful, the following environment variable is added to the build environment:

  • CLOUDSDK_AUTH_ACCESS_TOKEN

Set the env_var parameter to change the name of the environment variable, e.g. GOOGLE_OAUTH_ACCESS_TOKEN for use with Terraform's Google Cloud provider.

Ephemeral Credentials with vault-oidc-auth

This plugin works best when combined with the vault-oidc-auth plugin to provide short-lived credentials for accessing Vault and GCP. Example:

steps:
  - command: ./run_build.sh
    plugins:
      - planetscale/vault-oidc-auth#v1.0.0:
          vault_addr: "https://my-vault-server"
      - planetscale/vault-gcp-creds#v1.1.1:
          vault_addr: "https://my-vault-server"

First, the vault-oidc-auth plugin uses a short-lived Buildkite OIDC token to authenticate to Vault and fetch a VAULT_TOKEN.

Next, vault-gcp-creds uses that VAULT_TOKEN to fetch a time-limited GCP OAuth2 access token from Vault.

Vault Configuration

First, enable the GCP Secrets Backend. A minimal configuration that uses GCP credentials from the environment might look like the following. See the docs for full details on configuring the root GCP credentials.

vault secrets enable -path=gcp gcp

Then, create a Google service account (GSA) for your pipeline to impersonate through your favorite method, and make it available from Vault by creating an impersonated account named "bk-my-pipeline" and assigning the GSA to it:

vault write gcp/impersonated-account/bk-my-pipeline \
    service_account_email="[email protected]" \
    token_scopes="https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/compute" \
    ttl="6h"
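The following POSIX shell script is an added example, not the plugin's own hook code. It shows the second step of the flow described above (using an existing VAULT_TOKEN to obtain the GCP access token) against the impersonated account configured here: it reads the GCP secrets engine's impersonated-account token endpoint with the Vault CLI, refuses a token whose expires_at_seconds has already passed, and emits the export line for the configured env_var only after checking that the name is a valid shell identifier, so a pipeline-supplied env_var value cannot smuggle extra shell syntax into the build environment. The endpoint path and the -format=json / -field style of the vault CLI are real; VAULT_CMD, the helper names and the embedded sample response are assumptions constructed so the script runs offline.

```shell
#!/usr/bin/env sh
# Added example (not the vault-gcp-creds plugin's own hook): fetch a
# GCP access token for an impersonated account from Vault and turn it
# into an environment export for a build step.
set -eu

# Constructed sample of `vault read -format=json gcp/impersonated-account/<name>/token`.
# Used instead of a live Vault when VAULT_CMD=sample_vault_read (assumption).
sample_vault_read() {
  cat <<'EOF'
{
  "request_id": "00000000-0000-0000-0000-000000000000",
  "data": {
    "expires_at_seconds": 1700003599,
    "token": "ya29.constructed-sample-token",
    "token_ttl": 3599
  }
}
EOF
}

# Extract one scalar field from Vault's indented JSON output (one key per line).
json_field() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*"'"$2"'":[[:space:]]*"\{0,1\}\([^",]*\)"\{0,1\},\{0,1\}[[:space:]]*$/\1/p' | head -n 1
}

# Accept only valid shell identifiers for the target variable name.
valid_env_var_name() {
  case "$1" in
    ''|*[!A-Za-z0-9_]*|[0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print seconds of validity left; return 1 (and print 0) if already expired.
remaining_ttl() {
  left=$(( $1 - $2 ))
  if [ "$left" -le 0 ]; then echo 0; return 1; fi
  echo "$left"
}

# Build `export NAME='value'`; the value is single-quoted so shell
# metacharacters in the token are inert, with embedded quotes escaped.
export_line() {
  name="$1"; value="$2"
  valid_env_var_name "$name" || { echo "invalid env var name: $name" >&2; return 1; }
  escaped=$(printf '%s' "$value" | sed "s/'/'\\\\''/g")
  printf "export %s='%s'\n" "$name" "$escaped"
}

# fetch_gcp_token PATH ACCOUNT [ENV_VAR] [NOW]
# Defaults mirror the plugin's: path "gcp", env var CLOUDSDK_AUTH_ACCESS_TOKEN.
# Requires VAULT_TOKEN (and VAULT_ADDR) in the environment for a real Vault.
fetch_gcp_token() {
  path="${1:-gcp}"; account="$2"
  env_var="${3:-CLOUDSDK_AUTH_ACCESS_TOKEN}"
  now="${4:-$(date +%s)}"
  json=$("${VAULT_CMD:-vault}" read -format=json "${path}/impersonated-account/${account}/token")
  token=$(json_field "$json" token)
  expires=$(json_field "$json" expires_at_seconds)
  [ -n "$token" ] && [ -n "$expires" ] || { echo "unexpected response from Vault for $account" >&2; return 1; }
  remaining_ttl "$expires" "$now" >/dev/null || { echo "token for $account already expired" >&2; return 1; }
  export_line "$env_var" "$token"
}

# Offline demo: VAULT_GCP_DEMO=1 sh this_script.sh
if [ "${VAULT_GCP_DEMO:-}" = 1 ]; then
  VAULT_CMD=sample_vault_read
  fetch_gcp_token gcp bk-my-pipeline CLOUDSDK_AUTH_ACCESS_TOKEN 1700000000
fi
```

In a real hook the emitted line would be evaluated into the step's environment; the token itself is never written to disk or logged, which is the point of handing out a short-lived access token rather than a service account key.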

Developing

To run the linters:

docker-compose run --rm lint-shellcheck
docker-compose run --rm lint-plugin

To run the tests:

docker-compose run --rm tests

Contributing

  1. Fork the repo
  2. Make the changes
  3. Run the tests
  4. Commit and push your changes
  5. Send a pull request
