vault-secrets-operator icon indicating copy to clipboard operation
vault-secrets-operator copied to clipboard
verified publisher icon hashicorp

Call signJwt endpoint rather than generateIdToken for GCP JWT's

Open jameshartig opened this issue 1 year ago • 2 comments

Is your feature request related to a problem? Please describe. Currently VSO generates JWTs that are 1 hour long using the generateIdToken endpoint, which is longer than the default max_jwt_exp on the Vault side leading to errors unless you manually increase max_jwt_exp.

Describe the solution you'd like Instead, the signJwt endpoint could be used and exp could be set to a shorter value. I believe the existing iamcredentials package has a SignJwt method that could be used instead and the response includes a SignedJwt string that I believe is the same format as the existing token response.

Describe alternatives you've considered Alternatively we can just increase the max_jwt_exp but it would be good if vault-secrets-operator worked with the defaults and the change seems small.

Additional context

jameshartig avatar Aug 14 '24 20:08 jameshartig

Hi @jameshartig, I'm fairly sure we tried the signJwt endpoint at first, but it wasn't working correctly for this auth flow. The people we talked with at Google recommended generateIdToken instead. Perhaps something's changed in the meantime?

tvoran avatar Aug 30 '24 06:08 tvoran

@tvoran I appreciate the context. I'll work on an MR and test it in our environment. Let me also see if I can get someone from Google to confirm either way.

jameshartig avatar Aug 31 '24 14:08 jameshartig