I am getting more familiar with Vault every day. It is not such a big deal, but I have managed to properly integrate Vault with Gitlab-CI JWT authentication. In this model I am creating a policy and a JWT role, which is later assigned to a particular CICD job so it can properly access the secrets engine.
Currently I am digging into GCP and Terraform integration. My knowledge base is: Google Cloud - Secrets Engines | Vault by HashiCorp
I would appreciate feedback because I am afraid I am lost.
What I would like to achieve:
- to be able to link the proper GCP service account with Vault, so Vault will be able to create SA keys/tokens on its behalf (it is clearly described in the manual)
- Create a roleset with permissions on the proper level for a particular access type (it is clearly described in the manual)
- Generate service account OAuth token from Gitlab-CI using JWT authorization for proper roleset
- Use obtained OAuth token to run terraform apply
I want to make sure that only specific project from gitlab-ci would be able to generate OAuth tokens for specific roleset.
Before making some experiments I would like to verify my approach. Is it possible to:
- Create policy to access “gcp/roleset/X”
- Create JWT role with policy created in 1., and linked to particular Gitlab-CI project
- Create roleset X with proper roles and permissions
- Run Gitlab-CI job with “vault read gcp/token/X”
The goal is for X’s CICD to generate OAuth for roleset X, and Y’s CICD to generate OAuth for roleset Y.
Once again, I would appreciate any feedback.
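The per-project scoping asked about above, as an added example (not from the original post or from HashiCorp's documentation). It renders the three pieces that together make project X the only caller able to mint roleset X's token: a Vault policy that grants only `read` on `gcp/token/X` (the `gcp/roleset/X` path is the operator-side management endpoint and stays out of the CI policy), a GCP roleset whose bindings confine the token to one GCP project, and a JWT role whose `bound_claims` pins it to GitLab's numeric `project_id` claim, so a valid JWT from project Y fails login against role X even though it was signed by the same GitLab. The `ci_job` function shows the job side: login, read the token, hand it to the Terraform google provider via `GOOGLE_OAUTH_ACCESS_TOKEN`. The GitLab host, GCP project id, GitLab project ids, IAM role in the bindings and mount paths `gcp` and `auth/jwt` are placeholders or assumptions; repeat `configure_pair` once per (roleset, project) pair for X, Y, and so on.

```shell
#!/usr/bin/env sh
# Added example, not from the original post or HashiCorp's docs.
# One GitLab project  <->  one Vault GCP roleset:
#   policy   : may only read gcp/token/<roleset>
#   JWT role : only accepted for the GitLab project with the bound project_id
# Placeholders/assumptions: GitLab host, GCP project, project ids, IAM role.

GITLAB_HOST="${GITLAB_HOST:-gitlab.example.com}"   # placeholder
GCP_PROJECT="${GCP_PROJECT:-my-gcp-project}"        # placeholder

# Policy for one roleset: read the token endpoint and nothing else.
# gcp/roleset/<name> (management path) is deliberately not granted.
render_policy() {
  cat <<EOF
path "gcp/token/$1" {
  capabilities = ["read"]
}
EOF
}

# Roleset bindings: the minted token only has rights in one GCP project.
# roles/editor is a placeholder; narrow it to what terraform apply needs.
render_bindings() {
  cat <<EOF
resource "//cloudresourcemanager.googleapis.com/projects/$1" {
  roles = ["roles/editor"]
}
EOF
}

# JWT role: bound_claims pins it to a single GitLab numeric project_id.
# If the job uses GitLab id_tokens (aud claim set), also add bound_audiences.
render_jwt_role() {
  cat <<EOF
{
  "role_type": "jwt",
  "user_claim": "project_path",
  "bound_claims_type": "string",
  "bound_claims": { "project_id": "$1" },
  "policies": ["$2"],
  "ttl": "1h"
}
EOF
}

# One-time operator setup: mounts, SA credentials, trust in GitLab's JWKS.
setup_once() {
  vault secrets enable gcp
  vault write gcp/config credentials=@"${GCP_CREDENTIALS_FILE:?SA key json}"
  vault auth enable jwt
  vault write auth/jwt/config \
    jwks_url="https://${GITLAB_HOST}/-/jwks" \
    bound_issuer="$GITLAB_HOST"      # iss of CI_JOB_JWT is the bare host
}

# Operator step per (roleset, GitLab project) pair, e.g. X/123 and Y/456.
configure_pair() {
  roleset="$1"; gitlab_project_id="$2"
  policy_name="gcp-roleset-${roleset}"
  tmp="$(mktemp -d)"
  render_policy   "$roleset"                          > "$tmp/policy.hcl"
  render_bindings "$GCP_PROJECT"                      > "$tmp/bindings.hcl"
  render_jwt_role "$gitlab_project_id" "$policy_name" > "$tmp/role.json"

  vault policy write "$policy_name" "$tmp/policy.hcl"
  vault write "gcp/roleset/${roleset}" \
    project="$GCP_PROJECT" \
    secret_type="access_token" \
    token_scopes="https://www.googleapis.com/auth/cloud-platform" \
    bindings=@"$tmp/bindings.hcl"
  vault write "auth/jwt/role/gitlab-${roleset}" @"$tmp/role.json"
  rm -rf "$tmp"
}

# What the GitLab CI job of project X runs (CI_JOB_JWT is set by GitLab).
ci_job() {
  roleset="$1"
  vault login -method=jwt -field=token \
    role="gitlab-${roleset}" jwt="$CI_JOB_JWT" > /dev/null
  GOOGLE_OAUTH_ACCESS_TOKEN="$(vault read -field=token "gcp/token/${roleset}")"
  export GOOGLE_OAUTH_ACCESS_TOKEN   # consumed by the Terraform google provider
  terraform init && terraform apply -auto-approve
}

case "${1:-render}" in
  setup)  setup_once ;;
  apply)  configure_pair "${2:-X}" "${3:-123}" ;;   # ./setup.sh apply X 123
  ci)     ci_job "${2:-X}" ;;
  render) render_policy X; render_jwt_role 123 gcp-roleset-X ;;
esac
```

Running the script with no arguments only prints the rendered policy and role, which is a convenient way to review the scoping before anything is written to Vault; `setup`, `apply` and `ci` need a reachable Vault with `VAULT_ADDR` and an appropriate token.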