Idea behind Vault, GCP, Terraform and GitLab-CI integration

I am getting more familiar with Vault every day. It is not such a big deal, but I have managed to properly integrate Vault with GitLab-CI JWT authentication. In this model I am creating a policy and a JWT role, which is later assigned to a particular CI/CD job so it can properly access the secrets engine.

Currently I am digging into GCP and Terraform integration. My knowledge base is: Google Cloud - Secrets Engines | Vault by HashiCorp

I would appreciate feedback because I am afraid I am lost.

What I would like to achieve:

  1. To be able to link the proper GCP service account with Vault, so Vault will be able to create SA keys/tokens on its behalf (it is clearly described in the manual)
  2. Create a roleset with permissions on the proper level for a particular access type (it is clearly described in the manual)
  3. Generate a service account OAuth token from GitLab-CI using JWT authorization for the proper roleset
  4. Use the obtained OAuth token to run terraform apply

I want to make sure that only a specific project from GitLab-CI would be able to generate OAuth tokens for a specific roleset.

Before making some experiments I would like to verify my approach. Is it possible to:

  1. Create a policy to access "gcp/roleset/X"
  2. Create a JWT role with the policy created in 1., linked to a particular GitLab-CI project
  3. Create roleset X with the proper roles and permissions
  4. Run a GitLab-CI job with "vault read gcp/token/X"

The goal is for X's CI/CD to generate an OAuth token for roleset X, and Y's CI/CD to generate an OAuth token for roleset Y.

Once again, I would appreciate any feedback.
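The four steps above, written out as Terraform configuration against the Vault provider, so the per-project isolation can be reviewed in one place. This is an added example, not code from the original post or from HashiCorp; the mount paths (`jwt`, `gcp`), the GitLab project ids, the GCP project name, the credentials file path and the granted roles are all placeholders. It generalises the X/Y case to a map of GitLab project id to roleset name, so each project gets exactly one policy and one JWT role. One detail worth checking against step 1 of the plan: the CI job in step 4 reads `gcp/token/X`, so the policy has to grant `read` on that path; a policy on `gcp/roleset/X` alone would not let the job obtain a token.

```hcl
# Added example (not from the original post): one policy and one JWT role per
# GitLab project, each tied to its own GCP roleset. Mount paths, project ids,
# the GCP project, the credentials file and the roles are placeholders.

locals {
  # GitLab project id (the "project_id" claim in CI_JOB_JWT) -> roleset name.
  # Placeholder ids; take the real ones from each GitLab project's settings.
  projects = {
    "1001" = "X"
    "1002" = "Y"
  }
  gcp_project = "my-gcp-project" # placeholder
}

# JWT auth method that trusts GitLab's signing keys.
resource "vault_jwt_auth_backend" "gitlab" {
  path         = "jwt"
  jwks_url     = "https://gitlab.com/-/jwks"
  bound_issuer = "gitlab.com"
}

# GCP secrets engine. The service account in the credentials file is the one
# Vault uses to manage the rolesets' service accounts (step 1 of the plan).
resource "vault_gcp_secret_backend" "gcp" {
  path        = "gcp"
  credentials = file("vault-gcp-sa.json") # placeholder path
}

# Step 3: roleset X / Y of type access_token, bound to the GCP project.
resource "vault_gcp_secret_roleset" "rs" {
  for_each     = local.projects
  backend      = vault_gcp_secret_backend.gcp.path
  roleset      = each.value
  secret_type  = "access_token"
  project      = local.gcp_project
  token_scopes = ["https://www.googleapis.com/auth/cloud-platform"]

  binding {
    resource = "//cloudresourcemanager.googleapis.com/projects/${local.gcp_project}"
    roles    = ["roles/viewer"] # placeholder; narrow to what terraform apply needs
  }
}

# Step 1: policy that only allows reading the token endpoint of one roleset.
# The CI job runs `vault read gcp/token/<roleset>`, so that is the path granted.
resource "vault_policy" "rs" {
  for_each = local.projects
  name     = "gcp-roleset-${each.value}"
  policy   = <<-EOT
    path "${vault_gcp_secret_backend.gcp.path}/token/${each.value}" {
      capabilities = ["read"]
    }
  EOT
}

# Step 2: JWT role bound to a single GitLab project id, carrying only that
# project's policy. A job from any other project fails at login.
resource "vault_jwt_auth_backend_role" "rs" {
  for_each   = local.projects
  backend    = vault_jwt_auth_backend.gitlab.path
  role_name  = "gitlab-project-${each.key}"
  role_type  = "jwt"
  user_claim = "user_email"
  bound_claims = {
    project_id = each.key
  }
  token_policies         = [vault_policy.rs[each.key].name]
  token_explicit_max_ttl = 600 # seconds; enough for one pipeline job
}
```

In the GitLab job the sequence is then `vault login -method=jwt role=gitlab-project-1001 jwt=$CI_JOB_JWT`, followed by `export GOOGLE_OAUTH_ACCESS_TOKEN=$(vault read -field=token gcp/token/X)` and `terraform apply`; the Google provider picks the token up from that variable. The isolation the post asks for comes from two checks Vault makes on every request: the JWT role's `bound_claims` rejects a token from any other GitLab project at login, and the Vault token that login returns carries only the policy for that project's roleset, so a job from project Y reading `gcp/token/X` gets a permission-denied error from Vault rather than a token.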

Your approach seems to make sense to me. I do something very similar but with AWS instead of GCP.