SOLVED: Configuring Google OIDC Authentication

As a new user of HashiCorp Vault, I recently struggled to configure Google OIDC authentication. After some trial and error, I wrote two scripts to simplify the process.

The first script, vault-oidc-google-secrets.sh, writes GCP credentials to Vault using the vault kv put command. The second script, vault-oidc-google-config.sh, configures OIDC authentication with Google.

These scripts are based on the official documentation and should work with any Vault installation. However, please note that they come with no warranty and you should always review and modify them to suit your specific use case and security requirements.

Hopefully, these scripts and tips will save someone else some headaches when setting up Google OIDC authentication in Vault.

One thing that tripped me up was setting the gsuite_service_account in provider_config. Vault unmarshals the JSON once, then Google JWT config from string will unmarshal it again, so you have to wrap the JSON string:

# Read the service-account key from the KV v2 store (.data.data is the stored object),
# then re-encode that object as a single JSON string literal ('. |= @json') so it can be
# substituted into provider_config as the gsuite_service_account value.
GSUITE_SERVICE_ACCOUNT=$(vault kv get -format=json secret/gcloud/${PROJECT}/gsuite_service_account | \
  jq -c '.data.data' | jq -c '. |= @json')
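To make the double-unmarshal point concrete, here is an added, stand-alone Python illustration (not code from the original post or from the author's scripts). It reproduces the `jq '. |= @json'` transform, splices the result into a provider_config body by text substitution the way a shell template would, and then parses the body twice the way the post describes Vault and the Google library doing it. The service-account key, the admin address and the other provider_config values are constructed placeholders; the key names follow Vault's documented gsuite provider_config settings.

```python
import json

# Constructed sample of a Google service-account key file. The values are
# placeholders, not a real key.
SAMPLE_SA = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "vault-gsuite@example-project.iam.gserviceaccount.com",
    "client_id": "111111111111111111111",
    "token_uri": "https://oauth2.googleapis.com/token",
}


def wrap_service_account(sa):
    """Same transform as `jq -c '. |= @json'`: the key object becomes one
    JSON string literal, outer quotes and escapes included, ready to be
    spliced into a larger JSON document as a string value."""
    inner = json.dumps(sa, separators=(",", ":"))  # the key file as compact JSON text
    return json.dumps(inner)                       # ...encoded again as a string literal


def build_provider_config(sa_literal, admin_impersonate):
    """Assemble the provider_config body by text substitution, the way a
    shell script would splice $GSUITE_SERVICE_ACCOUNT into a template
    (assumed layout; the post's script is not shown). `sa_literal` must
    already be a JSON string literal, see wrap_service_account()."""
    template = (
        '{"provider": "gsuite", '
        '"gsuite_service_account": %s, '
        '"gsuite_admin_impersonate": %s, '
        '"fetch_groups": true}'
    )
    return template % (sa_literal, json.dumps(admin_impersonate))


def unwrap_like_vault(provider_config_body):
    """Mimic the two parses the post describes: the provider_config document
    is unmarshalled once, then the gsuite_service_account *string* is
    unmarshalled again. Returns the key as a dict, or None when the field is
    not a string (i.e. the key was embedded as a nested object, which is the
    mistake the wrapping avoids)."""
    outer = json.loads(provider_config_body)
    field = outer["gsuite_service_account"]
    if not isinstance(field, str):
        return None
    return json.loads(field)


if __name__ == "__main__":
    literal = wrap_service_account(SAMPLE_SA)
    body = build_provider_config(literal, "admin@example.com")
    assert unwrap_like_vault(body) == SAMPLE_SA

    # The naive version splices the object itself instead of a string
    # literal, so the second parse has nothing to work on.
    naive = build_provider_config(json.dumps(SAMPLE_SA), "admin@example.com")
    assert unwrap_like_vault(naive) is None
    print("service account wrapped correctly")
```

The point of the negative case is that the naive body is still perfectly valid JSON, so Vault accepts the write; the failure only surfaces when the provider tries to parse the field as a key file. Checking that `gsuite_service_account` is a string in the rendered body before calling `vault write` catches the mistake early.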