Closed nicoche closed 2 years ago
Note: we could keep the current implementation and apply a fix like this one https://github.com/ricoberger/vault-secrets-operator/commit/58284c91fa319afe18eba6c420738b903ee384be
Hi @nicoche, feel free to create a PR for your changes, they are looking good 🙂.
Cool! I've just opened a PR https://github.com/ricoberger/vault-secrets-operator/pull/166
Hey there!
First of all, thanks for your work on this project.
I'm trying to get the operator to authenticate against Vault using GCP IAM auth. It seems that the service account used is deduced from GOOGLE_APPLICATION_CREDENTIALS (https://github.com/ricoberger/vault-secrets-operator/blob/main/vault/vault.go#L614) but the email of the service account we use is deduced from the GCP metadata server (https://github.com/ricoberger/vault-secrets-operator/blob/main/vault/vault.go#L620).
This breaks in my case where they are not the same. I believe it also breaks in the case where the operator runs in a non-google compute environment because there is no metadata server to contact there.
There is now a GCP Auth package owned by Hashicorp: https://pkg.go.dev/github.com/hashicorp/vault/api/auth/gcp@v0.2.0. Using it should fix the problem. wdyt? I'm happy to provide a PR.
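The mismatch described in this issue is that the login JWT is signed with the key from GOOGLE_APPLICATION_CREDENTIALS while the service account email is read from the metadata server, so the two can name different identities. The added example below (not code from the operator or from the Hashicorp package) derives the email from the same key file that signs the JWT and only signals a metadata-server fallback when no key file is configured; `emailFromCredentials`, `resolveServiceAccountEmail` and the constructed `sampleKey` are hypothetical names.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
)

// gcpCredentials holds the fields of a service account key file that matter
// here; GOOGLE_APPLICATION_CREDENTIALS points at such a file.
type gcpCredentials struct {
	Type        string `json:"type"`
	ClientEmail string `json:"client_email"`
}

// emailFromCredentials takes the email from the same key material that signs
// the IAM login JWT, so the identity Vault verifies matches the signer.
func emailFromCredentials(data []byte) (string, error) {
	var creds gcpCredentials
	if err := json.Unmarshal(data, &creds); err != nil {
		return "", fmt.Errorf("parse credentials: %w", err)
	}
	if creds.Type != "service_account" {
		return "", fmt.Errorf("unsupported credential type %q", creds.Type)
	}
	if creds.ClientEmail == "" {
		return "", errors.New("credentials file has no client_email")
	}
	return creds.ClientEmail, nil
}

// resolveServiceAccountEmail prefers the key file named by the environment
// variable; the returned bool is true only when no key file is configured,
// which is the one case where asking the GCE metadata server is appropriate.
func resolveServiceAccountEmail() (email string, useMetadata bool, err error) {
	path := os.Getenv("GOOGLE_APPLICATION_CREDENTIALS")
	if path == "" {
		return "", true, nil
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	email, err = emailFromCredentials(data)
	return email, false, err
}

// sampleKey is a constructed key file with the private key fields omitted.
const sampleKey = `{"type":"service_account","client_email":"vault-operator@example-project.iam.gserviceaccount.com"}`

func main() {
	fmt.Println(emailFromCredentials([]byte(sampleKey)))
}
```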