2
votes

I want to access secrets stored in HashiCorp Vault in Google Cloud Functions, and am wondering about the best way to authenticate and retrieve a token.

I think ideally I would use the default service account credentials inside the cloud function. Is it possible to use Vault's GCP auth backend and create a signed JWT from the default service account? I'm trying to avoid uploading any kind of credentials as part of the function source.

1
I am not sure I understand your question, but that might be because I am not acquainted with HashiCorp Vault. Are you asking if JWT can be generated in Cloud Functions using the default service account? - A.Queue
Just in case: the whole process of generating JWT tokens is described here. - A.Queue
In theory the signJwt process should only work if you are inside a compute engine managed by Google (like GAE, GCF or a VM with a gcloud authentication). That said, I've been trying to use the docs Google provides on how to generate a signed request, but cannot do it myself. - Cristóvão Trevisan

1 Answer

-1
votes

I think this project could give you good hints on what you want to do: https://github.com/kelseyhightower/vault-on-google-kubernetes-engine

Tell me if it helps.
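
The flow the question asks about, as an added example that is not part of the original posts or of the linked project: the function reads its default service account identity from the metadata server, has the IAM Credentials `signJwt` API sign the claims, and exchanges the signed JWT at Vault's `auth/gcp/login`, so no key file ships with the source. The function names, the Vault address and the role name are hypothetical; it assumes the GCP auth method is mounted at `auth/gcp` with an `iam`-type role and that the service account may call `signJwt` on itself (for example via `roles/iam.serviceAccountTokenCreator`).

```python
import json
import time
import urllib.request

METADATA = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default"
IAM = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/{}:signJwt"


def http_call(method, url, headers, body=None):
    """Default transport: one HTTP request, returns the response body as text."""
    data = json.dumps(body).encode() if body is not None else None
    if data is not None:
        headers = {**headers, "Content-Type": "application/json"}
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def build_claims(sa_email, role, now=None, ttl=600):
    """Claims Vault's GCP auth method (iam type) checks: sub, aud, exp."""
    if ttl > 900:
        # Vault rejects JWTs that expire too far ahead (default limit: 15 minutes).
        raise ValueError("ttl exceeds Vault's default 15 minute limit")
    now = int(time.time()) if now is None else now
    return {"sub": sa_email, "aud": f"vault/{role}", "exp": now + ttl}


def vault_login(vault_addr, role, http=http_call, now=None):
    """Return a Vault client token using only the function's runtime identity."""
    flavor = {"Metadata-Flavor": "Google"}
    email = http("GET", METADATA + "/email", flavor).strip()
    access = json.loads(http("GET", METADATA + "/token", flavor))["access_token"]
    # Ask IAM to sign the claims with the service account's Google-managed key.
    signed = json.loads(http(
        "POST", IAM.format(email), {"Authorization": f"Bearer {access}"},
        {"payload": json.dumps(build_claims(email, role, now))}))["signedJwt"]
    # Exchange the signed JWT for a Vault token.
    login = json.loads(http("POST", f"{vault_addr}/v1/auth/gcp/login", {},
                            {"role": role, "jwt": signed}))
    return login["auth"]["client_token"]
```

The `http` parameter exists so the flow can be exercised without network access; inside a deployed function the default transport is used.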