hashicorp / vault-plugin-auth-gcp

GCP Authentication Plugin for Vault
Mozilla Public License 2.0

Cloudrun auto auth token #190

Open ntang86 opened 10 months ago

ntang86 commented 10 months ago

Hello,

I used to use the GCE metadata to auto-auth to Vault with the JWT, but I noticed that it does not work with Cloud Run. I get the following:

```
expected JWT to have claims with GCE metadata
```

I saw that apparently this PR solved the authentication issue https://github.com/hashicorp/vault-plugin-auth-gcp/pull/115, but I can't make it work. Do we have an example? I can get an ID token through "http://metadata/computeMetadata/v1/instance/service-accounts/default/identity" but when I try to authenticate, it shows the above error.

Checking the JWT produced on Cloud Run by the same code, I'm missing some data; hence the error message. Would it be possible to use "gce" auth with Cloud Run?

```json
{
  "google": {
    "compute_engine": {
      "instance_creation_timestamp": null,
      "instance_id": "",
      "instance_name": "",
      "project_id": "",
      "project_number": null,
      "zone": ""
    }
  }
}
```
austingebauer commented 8 months ago

Hi @ntang86 - The `instance_id` claim needs to be populated in this case. You can see the condition in the code at https://github.com/hashicorp/vault-plugin-auth-gcp/blob/main/plugin/path_login.go#L234. Do you know if it's possible to have that populated in Cloud Run?

Otherwise, it's going to take a pull request with some changes here to support it for Cloud Run.
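A local pre-flight check for the condition discussed in this thread, added here as an example and not code from the plugin itself: it decodes an identity token's payload (without verifying the signature) and reports whether `google.compute_engine.instance_id` is populated, which is what decides whether the `gce` login path will accept the token or fail with "expected JWT to have claims with GCE metadata". The two sample tokens are constructed and unsigned; real ones come from the metadata server.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// claims models only the slice of a Google identity token that the GCE login path inspects.
type claims struct {
	Google struct {
		ComputeEngine struct {
			InstanceID string `json:"instance_id"`
		} `json:"compute_engine"`
	} `json:"google"`
}

// HasGCEMetadata reports whether the token payload carries a populated
// google.compute_engine.instance_id claim. It does NOT verify the signature:
// this is a diagnostic run on the workload, not an authentication step.
func HasGCEMetadata(token string) (bool, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false, fmt.Errorf("not a compact JWS: expected 3 segments, got %d", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return false, fmt.Errorf("payload is not base64url: %w", err)
	}
	var c claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return false, fmt.Errorf("payload is not JSON: %w", err)
	}
	return c.Google.ComputeEngine.InstanceID != "", nil
}

// unsignedToken builds a constructed, unsigned token from a payload for local testing.
func unsignedToken(payload string) string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc([]byte(payload)) + ".sig"
}

// Constructed payloads: one shaped like a GCE token, one like the Cloud Run token in the issue.
var (
	GCEToken      = unsignedToken(`{"aud":"vault/my-role","google":{"compute_engine":{"instance_id":"1234567890","zone":"us-central1-a"}}}`)
	CloudRunToken = unsignedToken(`{"aud":"vault/my-role","google":{"compute_engine":{"instance_id":"","zone":""}}}`)
)
```

If this returns false on a Cloud Run workload, the `iam` login path (which does not require GCE metadata claims) is the path to configure instead.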