setting up Vault and GCP auth and secrets backend

gcp_demo.sh

#! /bin/bash
#
# based on https://medium.com/google-cloud/vault-auth-and-secrets-on-gcp-51bd7bbaceb
#


################################################################
# setup GCP
################################################################
PROJECT_ID=`gcloud config get-value core/project`
PROJECT_NUMBER=`gcloud projects describe \
   $PROJECT_ID --format="value(projectNumber)"`
VAULT_SERVICE_ACCOUNT=vault-svc-account@$PROJECT_ID.iam.gserviceaccount.com

gcloud iam service-accounts create vault-svc-account \
    --display-name "Vault Service Account"
gcloud iam service-accounts keys create vault-svc.json \
    --iam-account=$VAULT_SERVICE_ACCOUNT

# https://www.vaultproject.io/docs/auth/gcp.html#required-gcp-permissions
gcloud projects add-iam-policy-binding $PROJECT_ID \
   --member=serviceAccount:$VAULT_SERVICE_ACCOUNT \
   --role=roles/iam.serviceAccountAdmin
gcloud projects add-iam-policy-binding $PROJECT_ID \
   --member=serviceAccount:$VAULT_SERVICE_ACCOUNT \
   --role=roles/iam.serviceAccountKeyAdmin
gcloud projects add-iam-policy-binding $PROJECT_ID \
   --member=serviceAccount:$VAULT_SERVICE_ACCOUNT \
   --role=roles/compute.viewer
gcloud projects add-iam-policy-binding $PROJECT_ID \
   --member=serviceAccount:$VAULT_SERVICE_ACCOUNT \
   --role=roles/storage.admin


################################################################
# Setup vault AUTH
################################################################

GENERIC_SERVICE_ACCOUNT=generic-svc-account@$PROJECT_ID.iam.gserviceaccount.com
gcloud iam service-accounts create generic-svc-account \
   --display-name "Generic Service Account"
gcloud iam service-accounts keys create ./generic-svc.json \
   --iam-account=$GENERIC_SERVICE_ACCOUNT

# https://www.vaultproject.io/docs/auth/gcp.html#permissions-for-authenticating-against-vault
gcloud iam service-accounts  \
    add-iam-policy-binding $GENERIC_SERVICE_ACCOUNT   \
    --member=serviceAccount:$GENERIC_SERVICE_ACCOUNT \
    --role=roles/iam.serviceAccountTokenCreator

vault auth enable gcp
vault write auth/gcp/config [email protected]

vault write auth/gcp/role/my-iam-role \
    type="iam" \
    policies="superuser" max_jwt_exp=60m \
    bound_service_accounts="$GENERIC_SERVICE_ACCOUNT"

vault login -method=gcp \
    role="my-iam-role" \
    service_account="$GENERIC_SERVICE_ACCOUNT" \
    project="$PROJECT_ID" \
    jwt_exp="15m" \
    [email protected]


################################################################
# Setup vault Secrets
################################################################

# ##### setup vault
vault secrets enable gcp
vault write gcp/config [email protected]

export BUCKET=$PROJECT_ID-bucket
gsutil mb gs://$BUCKET

cat <<EOF > gcs.hcl
resource "buckets/$BUCKET" {
        roles = ["roles/storage.objectViewer"]
}
EOF
vault write gcp/roleset/my-token-roleset   \
    project="$PROJECT_ID"   \
    secret_type="access_token" \
    token_scopes="https://www.googleapis.com/auth/cloud-platform"   \
    [email protected]

vault read gcp/token/my-token-roleset
## to view svc accounts
# gcloud iam service-accounts list --format="value(email)"

vault write gcp/roleset/my-key-roleset \
    project="rgoliveira-test-project" \
    secret_type="service_account_key"  \
    [email protected]

vault read gcp/key/my-key-roleset

## to view svc accounts
## gcloud iam service-accounts list --format="value(email)"