Local Dev vs k8 access

I’m working on a library that will make pulling secrets easier for consumers of the library. In our live environments, we may be trying to access a secret from either AWS or GCP via the service account that is tied to the container. This is straightforward based on the service account role, but I’m also looking to make this easier for developers to work within this context on their local machine.

Each developer has their own credential with either AWS or GCP that I was hoping to use as a means to access Vault and obtain a particular secret if their user account has permissions for that secret.

Everything I’ve seen so far implies that to use the IAM mechanism you need a service account; however, when running in something like GCP, the user would then need to authenticate while impersonating that service account, which I want to avoid as it’s a manual step for the user. I was hoping the library I’m building can use the default ADC and use that to authenticate properly with Vault. Is that type of experience even valid?

Right now I’m running everything locally with a local Vault container that I’ve set up for GCP and AWS authentication. I also have a service account set up that allows Vault to access AWS / GCP. I’m entirely new to Vault, so please help me if my understanding of how this should work is completely wrong.

Warning 🙂 - plugin development is outside of my experience, but if the use case is something I can help with, I would be happy to.

When you said “for developers to work within this context on their local machine”, do you mean access your Vault cluster in AWS/GCP, or be able to run Vault locally on their machine? I think the former, based on “a means to access Vault and obtain a particular secret if their user account has permissions for that secret”, but wanted to verify.

The GCP auth method does require referencing a service account when they log in; however, AWS does not, so you could set up the AWS auth method to authenticate IAM users, or any other auth method which your organization supports (GitHub, OIDC, etc.). Even if you have a Vault cluster running in GCP, you could still set up the AWS auth method on that cluster.
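To make the AWS point above concrete, here is an added example (not from the original thread and not Vault's own code) that rebuilds, with the Python standard library only, the payload that vault login -method=aws posts to auth/aws/login. It shows why this method needs no service account: the identity Vault ends up checking is whatever AWS credential signed the sts:GetCallerIdentity request, here a developer's own IAM user key. The key pair, timestamp, role name and Vault server ID in the code are constructed placeholders (the access key is AWS's published documentation example), not real values.

```python
"""Build the payload `vault login -method=aws` sends to auth/aws/login.

Added example for this thread, not Vault's own code. All credentials,
hostnames and the role name below are constructed placeholders.
"""
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

STS_URL = "https://sts.amazonaws.com/"
STS_BODY = "Action=GetCallerIdentity&Version=2011-06-15"


def _hmac_sha256(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _b64(text):
    return base64.b64encode(text.encode()).decode()


def _unb64(text):
    return base64.b64decode(text).decode()


def sigv4_sts_headers(access_key, secret_key, now, session_token=None,
                      vault_server_id=None, region="us-east-1"):
    """SigV4-sign a POST to the global STS endpoint for GetCallerIdentity.

    Only the signature leaves the machine; the secret key never does. If
    vault_server_id is given it is sent as X-Vault-AWS-IAM-Server-ID and is
    part of the signed headers, so a Vault configured with
    iam_server_id_header_value rejects requests signed for another server.
    """
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    headers = {
        "content-type": "application/x-www-form-urlencoded; charset=utf-8",
        "host": "sts.amazonaws.com",
        "x-amz-date": amz_date,
    }
    if session_token:  # temporary credentials (assumed role, SSO) carry a token
        headers["x-amz-security-token"] = session_token
    if vault_server_id:
        headers["x-vault-aws-iam-server-id"] = vault_server_id

    names = sorted(headers)  # SigV4: lowercase header names, sorted
    canonical_headers = "".join(f"{n}:{headers[n].strip()}\n" for n in names)
    signed_headers = ";".join(names)
    canonical_request = "\n".join([
        "POST", "/", "",  # method, URI, empty query string
        canonical_headers, signed_headers,
        hashlib.sha256(STS_BODY.encode()).hexdigest(),
    ])
    scope = f"{date_stamp}/{region}/sts/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    k_date = _hmac_sha256(("AWS4" + secret_key).encode(), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, "sts")
    k_signing = _hmac_sha256(k_service, "aws4_request")
    signature = _hmac_sha256(k_signing, string_to_sign).hex()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return headers


def vault_aws_login_payload(role, headers):
    """Wrap the signed request as auth/aws/login expects it.

    Vault forwards the request to STS itself and matches the ARN STS returns
    against the role binding, so the client only names the role.
    """
    return {
        "role": role,
        "iam_http_request_method": "POST",
        "iam_request_url": _b64(STS_URL),
        "iam_request_body": _b64(STS_BODY),
        # Header values go over as lists, matching what the Vault CLI posts.
        "iam_request_headers": _b64(json.dumps({k: [v] for k, v in headers.items()})),
    }


def decode_login_payload(payload):
    """Undo the base64/JSON wrapping, as Vault does before calling STS."""
    return {
        "method": payload["iam_http_request_method"],
        "url": _unb64(payload["iam_request_url"]),
        "body": _unb64(payload["iam_request_body"]),
        "headers": json.loads(_unb64(payload["iam_request_headers"])),
    }


def demo():
    """Build a login payload from constructed developer credentials."""
    fixed_now = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
    headers = sigv4_sts_headers(
        "AKIAIOSFODNN7EXAMPLE",                      # constructed, not a live key
        "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",  # constructed, not a live key
        fixed_now,
        vault_server_id="vault.example.internal",    # hypothetical Vault hostname
    )
    return vault_aws_login_payload("dev-role", headers)  # hypothetical role name


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real run the key pair comes from the AWS default credential chain (environment variables, ~/.aws/credentials, SSO, or the task/instance role in the live environments) and the dictionary is POSTed to /v1/auth/aws/login on the Vault server. On the Vault side the developer's IAM user is admitted by a role created with auth_type=iam and a bound_iam_principal_arn that names that user (or a pattern of users), which is what lets each developer use their own credential rather than a shared service account.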

Thanks. In our particular case, we have user auth via GCP, while still running workloads in both GCP and AWS. I suppose I could use the Vault CLI to do this, so long as it’s only a single auth to do this, similar to the gcloud CLI; otherwise users would need to be doing this all the time.

Would the Vault CLI require the service account still? If so, then that is likely going to be problematic for us.

I have not tried user auth with GCP before; looking over the docs, it looks like they need to at least reference it to handle the JWT work?

It’s not clear to me if service_account="authenticating-account@my-project.iam.gserviceaccount.com" is a service account, or literally the “authenticating-account”, which I would interpret as my user account.