How to get GCP credentials in terraform from vault's gcp secrets engine

I’m fairly new to Vault, and I must be missing something obvious here, but I can’t figure out how to get creds for GCP from Vault in Terraform. I have this working fine with the AWS secrets engine; there I use…

data "vault_aws_access_credentials" "creds" {
  backend = "aws"
  role    = "foouser"
}

provider "aws" {
  access_key = data.vault_aws_access_credentials.creds.access_key
  secret_key = data.vault_aws_access_credentials.creds.secret_key
}

What’s the equivalent incantation for the GCP secrets engine? I have it configured and can get a token for GCP from the vault CLI, but neither the terraform nor vault docs give me a clue how to do this directly from a terraform .tf file.

– pita

What, does nobody know the answer to this? Or is this not implemented?

I’ve used the data source vault_generic_secret as there isn’t a gcp specific one, see below.

provider "google" {
  access_token = data.vault_generic_secret.gcp.data["token"]
}

data "vault_generic_secret" "gcp" {
  path = "gcp/token/${var.roleset}"
}
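A complete configuration built around the approach above, added here as an example rather than code from either poster. It assumes the GCP secrets engine is mounted at "gcp", a roleset name supplied via var.roleset, and VAULT_ADDR / VAULT_TOKEN exported for the vault provider; it also goes one step past the thread by showing the gcp/key/ endpoint beside gcp/token/.

```hcl
terraform {
  required_providers {
    vault  = { source = "hashicorp/vault" }
    google = { source = "hashicorp/google" }
  }
}

variable "roleset" {
  type    = string
  default = "terraform-roleset" # placeholder; use your own roleset name
}

# The vault provider picks up VAULT_ADDR and VAULT_TOKEN from the environment.
provider "vault" {}

# Reading gcp/token/<roleset> returns a short-lived OAuth2 access token.
# The GCP secrets engine documents the returned fields as
# token, expires_at_seconds and token_ttl; the data source exposes them
# as strings in the `data` map.
data "vault_generic_secret" "gcp_token" {
  path = "gcp/token/${var.roleset}"
}

# Preferred: hand the google provider the access token directly, so no
# long-lived key material is written to state or disk.
provider "google" {
  access_token = data.vault_generic_secret.gcp_token.data["token"]
}

# Surface the expiry (never the token itself) so a long apply that would
# outlive the token can be spotted from the plan output.
output "gcp_token_expires_at" {
  value = data.vault_generic_secret.gcp_token.data["expires_at_seconds"]
}

# Alternative, for callers that need a service-account key instead of a
# token: gcp/key/<roleset> returns private_key_data as base64-encoded JSON.
# The key is leased by Vault and deleted when the lease expires, but it is
# still full key material and lands in Terraform state as a sensitive value.
data "vault_generic_secret" "gcp_key" {
  path = "gcp/key/${var.roleset}"
}

provider "google" {
  alias       = "with_key"
  credentials = base64decode(data.vault_generic_secret.gcp_key.data["private_key_data"])
}
```

Whichever endpoint is used, the roleset's TTL and the policy that permits `read` on `gcp/token/*` or `gcp/key/*` are what bound the blast radius, so keep that policy scoped to the roleset Terraform actually needs.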

Ah, thank you so much @silentmac, now I get it! I kept looking for a GCP-secret-engine specific data source (as there is for the AWS one), thinking that vault_generic_secret was for static secrets. Of course, once a dynamic secret engine is configured, getting a token from it uses the same API calls as for static secrets, so it makes sense that terraform can get secrets from the GCP secret engine using the vault_generic_secret data source.

Thanks again.