
Support default compute metadata service account JWTs lacking GCE metadata #113

Open
mbrancato opened this issue May 12, 2021 · 1 comment

@mbrancato

The GKE metadata service (and I think Cloud Run) does not implement the GCE metadata fields, but the token is obtained using the standard method, as a GCE identity would be, from http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity. This makes it easy to obtain the JWT for a service identity using the GCP auto-auth method in Vault Agent. The problem is that when authenticating to a role with type="gce", the GCP auth method complains:

```
[ERROR] auth.handler: error authenticating: error="Error making API request.

URL: PUT https://vault.vault.svc:8200/v1/auth/gcp/login
Code: 400. Errors:

* expected JWT to have claims with GCE metadata" backoff=1s
```

Here, the Vault agent successfully obtained a JWT for the assigned service account, but the auth method couldn't accept it. The service account does NOT need the iam.serviceAccounts.signJwt permission or any assigned roles really to obtain this JWT.

Switching to a role with type="iam" means that with auto-auth in Vault Agent, we must specify the project and service account instead of simply asking for the default identity. This requires the iam.serviceAccounts.signJwt permission but doesn't really provide any benefit to the identity validation process.

It would be nice if, for type="gce" roles, the GCE metadata were not required when bound_service_accounts is set, unless there is a bound_projects, bound_zones, etc. on the role.

A workaround for this right now is to mix the two. Use Vault Agent auto-auth with type="gce" and configure the GCP auth role with type="iam" and the proper bound_service_accounts. This will result in an error: `role requires that service account JWTs expire within 900 seconds`. This is because the GCE default assigned identities get a JWT valid for 1 hour. The "fix" is to set jwt_exp="3600" on the role.

Related to #85


L-u-k-e commented Jun 10, 2022

🙌 Thank you for this workaround! FYI, the correct name of the parameter is actually `max_jwt_exp`: https://www.vaultproject.io/api-docs/auth/gcp#iam-only-parameters
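Pulling the workaround and the parameter-name correction together, here is an added example (not code from this issue, from Vault, or from the GCP auth plugin): a Python preflight that decodes a metadata-server identity token without verifying it, checks whether it carries the `google.compute_engine` block that the GCE metadata server adds with `?format=full` and that a type="gce" role insists on, measures the token lifetime, and emits the Vault Agent auto-auth stanza plus the `vault write` command for the type="iam" workaround with `max_jwt_exp` set to cover that lifetime. The two tokens, the service account name, project, role name and mount path are constructed placeholders; the signature segment is a dummy because this script only inspects claims (Vault verifies the signature against Google's certificates at login).

```python
import base64
import json
import shlex

# --- constructed sample tokens (placeholders, not real credentials) ----------
# Claims shaped like an identity token fetched from
# http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity
# The signature segment is a placeholder: this script inspects claims only and
# never verifies signatures; Vault does that against Google's certificates.
SERVICE_ACCOUNT = "app@my-project.iam.gserviceaccount.com"  # assumed name
_BASE_CLAIMS = {
    "aud": "vault/my-role",          # Vault Agent asks for audience vault/<role>
    "azp": "112233445566778899000",
    "email": SERVICE_ACCOUNT,
    "email_verified": True,
    "iat": 1620800000,
    "exp": 1620803600,               # metadata-server identity tokens live 1 hour
    "iss": "https://accounts.google.com",
    "sub": "112233445566778899000",
}
# Only the GCE metadata server (with ?format=full) adds this block; it is the
# "GCE metadata" that Vault's type="gce" roles require. GKE/Cloud Run omit it.
_GCE_BLOCK = {"google": {"compute_engine": {
    "project_id": "my-project",
    "project_number": 123456789012,
    "zone": "us-central1-a",
    "instance_id": "1234567890123456789",
    "instance_name": "vault-client-1",
}}}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_token(claims: dict) -> str:
    """Assemble header.payload.signature with a placeholder signature."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.{_b64url(b'placeholder-signature')}"


GKE_TOKEN = make_token(_BASE_CLAIMS)                    # what GKE/Cloud Run hand out
GCE_TOKEN = make_token({**_BASE_CLAIMS, **_GCE_BLOCK})  # what a GCE VM hands out


def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def has_gce_metadata(claims: dict) -> bool:
    google = claims.get("google")
    return isinstance(google, dict) and isinstance(google.get("compute_engine"), dict)


def lifetime_seconds(claims: dict) -> int:
    return int(claims["exp"]) - int(claims["iat"])


def role_params(claims: dict) -> dict:
    """Role settings that will accept this token, keyed as `vault write` expects."""
    params = {"bound_service_accounts": claims["email"]}
    if has_gce_metadata(claims):
        params["type"] = "gce"      # instance-bound checks (zone, project, ...) available
    else:
        params["type"] = "iam"      # GKE/Cloud Run: bind on the service account only
        # Default max_jwt_exp is 15m (the "900 seconds" error); metadata-server
        # tokens are issued for 1h, so allow at least the token's own lifetime.
        params["max_jwt_exp"] = str(lifetime_seconds(claims))
    return params


def role_write_command(claims: dict, role: str, mount: str = "auth/gcp") -> str:
    args = ["vault", "write", f"{mount}/role/{role}"]
    args += [f"{k}={v}" for k, v in sorted(role_params(claims).items())]
    return shlex.join(args)


def agent_auto_auth_hcl(role: str, mount: str = "auth/gcp") -> str:
    """Vault Agent stanza: keep type="gce" so the agent asks the metadata server
    for the default identity and needs no project/service_account or signJwt."""
    return (
        "auto_auth {\n"
        '  method "gcp" {\n'
        f'    mount_path = "{mount}"\n'
        "    config = {\n"
        '      type = "gce"\n'
        f'      role = "{role}"\n'
        "    }\n"
        "  }\n"
        "}\n"
    )


if __name__ == "__main__":
    for name, tok in (("GKE", GKE_TOKEN), ("GCE", GCE_TOKEN)):
        c = decode_claims(tok)
        print(f"{name}: gce_metadata={has_gce_metadata(c)} lifetime={lifetime_seconds(c)}s")
        print("  " + role_write_command(c, "my-role"))
    print(agent_auto_auth_hcl("my-role"))
```

On a real pod, replace the constructed tokens with the output of a `curl -H "Metadata-Flavor: Google"` request for `.../identity?audience=vault/<role>&format=full` and feed it to `decode_claims`; if `has_gce_metadata` is false, the type="iam" role with `max_jwt_exp` widened to the token lifetime is the configuration that will log in, while the agent side stays on `type = "gce"` so no project or service account has to be named in the agent config.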
