Vault Agent, GCP auto_auth, GKE & Workload Identity

I’m attempting to use Vault in agent mode with GCP authentication. The config looks something like this:

vault {
    address = "https://our-vault-address:1234"
}
auto_auth {
    method "gcp" {
        mount_path = "auth/gcp/our-gcp-path"
        config = {
            type = "iam"
            role = "flux"
        }
    }
    sink "file" {
        config = {
            path = "/tmp/token"
        }
    }
}

What’s novel is that this is inside a Kubernetes pod, specifically on GKE, and is associated with the Google Service Account via a Workload Identity binding.

The above config fails, as it tries to sign a JWT with a GSA by the name of “default”.

However, if I fetch the proper name by this:

curl -sk --header 'Metadata-Flavor: Google' \
  http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email

And I reconfigure the auth with service_account = "my-real-gsa@project.iam.gserviceaccount.com" then the agent kicks up and works properly.

Am I doing something wrong here in not configuring the agent correctly? Or is this a “bug” in the sense that the agent just doesn’t understand this niche(?) ecosystem so it doesn’t know how to fetch the “right” service account automatically?
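As an added example (not from the thread or from Vault's own code), a wrapper script that does the metadata lookup from the post and renders the agent config with service_account pinned to the discovered GSA, so the agent never falls back to "default"; the mount path, role and sink path are taken from the config above, and VAULT_ADDR is assumed to be set in the pod.

```shell
#!/bin/sh
# Discover the Workload Identity GSA via the GKE metadata server and render a
# Vault Agent config that pins service_account to it. Added example; assumes the
# mount path, role and sink path from the thread and a VAULT_ADDR env var.
set -eu

METADATA_URL="http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email"

# Only accept the GSA shape Workload Identity hands out; "default" or an empty
# body means the pod has no usable binding and we must not start the agent.
validate_gsa_email() {
    case "$1" in
        *@*.iam.gserviceaccount.com) return 0 ;;
        *) return 1 ;;
    esac
}

# Same metadata call as in the post; -f makes HTTP errors fail the lookup.
fetch_gsa_email() {
    email=$(curl -sf --header 'Metadata-Flavor: Google' "$METADATA_URL") || return 1
    validate_gsa_email "$email" || return 1
    printf '%s\n' "$email"
}

# $1 = Vault address, $2 = GSA email, $3 = token sink path
render_agent_config() {
    cat <<EOF
vault {
    address = "$1"
}
auto_auth {
    method "gcp" {
        mount_path = "auth/gcp/our-gcp-path"
        config = {
            type = "iam"
            role = "flux"
            service_account = "$2"
        }
    }
    sink "file" {
        config = {
            path = "$3"
        }
    }
}
EOF
}

main() {
    gsa=$(fetch_gsa_email) || { echo "no Workload Identity GSA found" >&2; exit 1; }
    render_agent_config "${VAULT_ADDR:?set VAULT_ADDR}" "$gsa" /tmp/token > /tmp/agent.hcl
    exec vault agent -config=/tmp/agent.hcl
}

if [ "${1:-}" = run ]; then main; fi
```

Run it as `./agent-wrapper.sh run` inside the pod; without the argument it only defines the functions.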

Hey Jeff,
I’m running into the same issue. Did you get around this some way?

Thanks,
Mahesh

I’ve got this to work by adding the optional fields like service_account and project. If the right permissions are assigned, this seems to work. But again this doesn’t work via the annotations way, as the annotations aren’t supported.