HashiCorp Cloud Platform
GCP dynamic secrets
Plus tier
This feature is available in HCP Vault Secrets Plus tier.
Public beta available!
Dynamic secrets are available for public beta by upgrading to the plus tier.
HCP Vault Secrets can create short-lived GCP credentials on demand.
Prerequisites
- Ability to create GCP IAM identity pools, identity providers, and service accounts
- Your GCP principal may use the predefined IAM Workload Identity Pool Admin, and Service Account Admin, and Service Account Key Admin roles for authorization
- Ability to create HCP Vault Secrets integrations, apps, and secrets
Set up GCP
HCP Vault Secrets is able to authenticate with your GCP project using two different methods. Each method requires GCP resources to provision dynamic credentials:
- Workload Identity Federation (Recommended)
- Workload identity pool
- Workload identity provider
- IAM service account that HCP can impersonate through its web identity
- IAM service account with the permissions to grant to the generated dynamic credentials
- Service Account Keys
- IAM service account with a key
- IAM service account with the permissions to grant to the generated dynamic credentials
Configure your GCP project using either the Google Cloud console or Terraform.
Add identity provider
Navigate to the New workload provider and pool section in the Google Cloud IAM & Admin service.
Provide a name and optionally a description then click Continue.
Select the OpenID connect (OIDC) provider type.
Provide a descriptive name such as
hcp-dynamic-secrets-<project-name>
.Use
https://idp.hashicorp.com/oidc/organization/<org-id>
as the issuer URL, replacing the placeholder with your HCP organization ID.Note
You can navigate to the GCP integration creation page on the HCP portal and select GCP service account credentials from the list to easily find the appropriate Issuer URL.
Note the default audience for the next steps then click Continue.
Enter
assertion.sub
in the OIDC 1 input field to map the provider attributes then click Save.
Create Service Account for integration
Click + Grant Access by the top navigation bar.
Select Grant access using Service Account Impersonation.
Click the drop-down menu for Select service account, then New Service Account.
Provide a descriptive name such as
hvs-dynamic-secrets-integration
and optionally a description, then click Create and Continue.Select the Service Account Token Creator role, then click Continue.
Do not grant users access to this service account, simply click Done.
Navigate back to the Grant Access panel and select the service account we just created.
Use
project:<project-id>:geo:us:service:vault-secrets:type:integration:name:<integration-name>
as the attribute value, replacing the placeholders with your HCP project ID and HCP integration name.Note
You can navigate to the GCP integration creation page on the HCP portal and select GCP service account credentials from the list to easily find the appropriate Service Account subject.
Dismiss the Configure your application modal.
Click to Service Accounts in the left navigation bar, and note the email for the service account you just created for the next steps.
Create Service Account for dynamic secret
Navigate to the Create Service Account section in the Google Cloud IAM & Admin service.
Give the service account a name and optionally a description, then click Create and Continue.
Attach or create a new role with the permissions to grant to the dynamic credentials HCP Vault Secrets will provision, then click Done.
Click on Service Accounts in the left navigation bar, and note the service account email you just created for the next steps.
Configure dynamic secrets
Navigate to the Vault Secrets app panel and select an app where you want to create a dynamic secret.
Click Create new secret and select Dynamic secret.
Select the GCP option from the pull down menu.
Select an existing integration or select Add new integration.
Select an Authentication method and follow the appropriate steps below.
Provide a unique Integration Name for this integration.
Use the integration service account email configured during the previous steps.
Use the GCP workload identity provider audience configured during the previous steps. The format is
https://iam.googleapis.com/projects/<project>/locations/global/workloadIdentityPools/<pool-name>/providers/<provider-name>
.Click Add new integration to return to the new secret form.
Note
If you encounter an error, make sure the service account subject and audience matches between HCP and GCP.
Add new dynamic secret
Provide a unique Secret Name for this secret.
Use the dynamic secret service account email configured during the previous steps.
Select a Time to live (TTL) for the generated dynamic credentials between 1 minute and 12 hours. The upper bound varies depending on your organization's policy constraints, for most use cases the TTL should not be above 1 hour.
Accessing dynamic credentials
A dynamic secret is a template to generate dynamic credentials on demand. Each time a dynamic secret is accessed, a new credentials set is generated and shared exclusively with the requesting client. Dynamic credentials can be generated using:
curl \ --location "https://api.cloud.hashicorp.com/secrets/2023-11-28/organizations/${HCP_ORG_ID}/projects/${HCP_PROJ_ID}/apps/${APP_NAME}/secrets/${SECRET_NAME}:open" \ --request GET \ --header "Authorization: Bearer ${HCP_API_TOKEN}" | jq
hcp vault-secrets secrets open ${SECRET_NAME}
data "hcp_vault_secrets_dynamic_secret" "my_dynamic_secret" { app_name = "my-app" secret_name = "my_dynamic_secret" }