Hello everyone,
I am currently working on setting up HashiCorp Vault as an intermediary between GCP workload identity federation and our external IoT devices to eliminate the problem with long-lived service account tokens, all while using x509 certificates to ensure secure traffic.
What service does Vault offer to answer to this setup?
To restate your use case to make sure I am understanding it:
You have IoT devices running outside of GCP but need to access some service in GCP, and you want the IoT device to use Vault to gain access to that GCP service?
Yes, exactly, ensuring that we don't use the long-living service account tokens.
And using x509 certs for authentication instead.
I don't work with GCP often (now or in the past, so apologies if I am missing some GCP concepts/knowledge), but I think the GCP secrets engine does what you are looking for. When you create the roleset, make sure to specify it as `service_account_key` instead of `access_token`. The generated key is base64 encoded.
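To make the suggested setup concrete, here is an added example (not code from either poster) of the Vault CLI steps it implies: the cert auth method authenticates a device by its x509 certificate, the GCP secrets engine holds a roleset of `secret_type=service_account_key`, and the device reads a short-lived key and base64-decodes it into a normal service account JSON file. All names are assumptions: the `gcp` and `auth/cert` mount paths, the roleset name `iot-roleset`, the project `my-gcp-project`, the Pub/Sub role, and the certificate file paths. The `apply_vault_setup` function only runs when `VAULT_APPLY=1` is set, so the script can be sourced without a Vault server; `decode_sa_key` is the part exercised offline.

```shell
#!/bin/sh
# Added example: Vault as a broker between x509-authenticated IoT devices and GCP.
# Assumes VAULT_ADDR/VAULT_TOKEN are set for the operator steps, and that the
# GCP credentials used by Vault can create service account keys (assumption).
set -eu

GCP_PROJECT="${GCP_PROJECT:-my-gcp-project}"   # assumed project id
ROLESET="${ROLESET:-iot-roleset}"               # assumed roleset name

# Operator-side, one-time configuration.
apply_vault_setup() {
  # 1. Enable the GCP secrets engine and point it at Vault's own GCP credentials.
  vault secrets enable gcp
  vault write gcp/config credentials=@vault-gcp-creds.json

  # 2. Roleset that mints *service account keys* (not access tokens), bound to
  #    the least privilege the devices need (assumed: Pub/Sub publisher).
  vault write "gcp/roleset/${ROLESET}" \
    project="${GCP_PROJECT}" \
    secret_type="service_account_key" \
    bindings=-<<EOF
resource "//cloudresourcemanager.googleapis.com/projects/${GCP_PROJECT}" {
  roles = ["roles/pubsub.publisher"]
}
EOF

  # 3. Policy allowing devices to read only that roleset's keys.
  vault policy write iot-gcp - <<EOF
path "gcp/key/${ROLESET}" {
  capabilities = ["read"]
}
EOF

  # 4. Cert auth: any certificate chaining to the IoT CA gets the policy above.
  vault auth enable cert
  vault write auth/cert/certs/iot-devices \
    display_name="iot-devices" \
    certificate=@iot-ca.pem \
    token_policies="iot-gcp"
}

# Device-side: log in with the device certificate, fetch a leased key.
fetch_device_key() {
  vault login -method=cert \
    -client-cert=device.pem -client-key=device-key.pem name=iot-devices
  # private_key_data is the base64-encoded service account JSON key file.
  vault read -field=private_key_data "gcp/key/${ROLESET}"
}

# Turn Vault's base64 field into the JSON key file GCP client libraries expect.
# Usage: decode_sa_key "<base64>"  -> prints the JSON on stdout.
decode_sa_key() {
  printf '%s' "$1" | base64 -d
}

if [ "${VAULT_APPLY:-0}" = "1" ]; then
  apply_vault_setup
  key_b64="$(fetch_device_key)"
  decode_sa_key "$key_b64" > sa-key.json
  chmod 600 sa-key.json
fi
```

The key Vault hands back is a leased secret: when the lease expires or is revoked, Vault deletes the key in GCP, which is what removes the long-lived credential from the device. Keep the roleset's bindings to the minimum roles the devices actually need, since every device that presents a certificate signed by the IoT CA receives the same policy.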