vault oidc "gsuite_service_account" does not support GCP workload identity
Is your feature request related to a problem? Please describe.
vault write auth/oidc/config -<<EOF
{
  "oidc_discovery_url": "https://accounts.google.com",
  "oidc_client_id": "your_client_id",
  "oidc_client_secret": "your_client_secret",
  "default_role": "your_default_role",
  "provider_config": {
    "provider": "gsuite",
    "gsuite_service_account": "/path/to/service-account.json",
    "gsuite_admin_impersonate": "[email protected]",
    "fetch_groups": true,
    "fetch_user_info": true,
    "groups_recurse_max_depth": 5,
    "user_custom_schemas": "Education,Preferences",
    "impersonate_principal": "[email protected]"
  }
}
EOF
Most Vault configs support workload identity by now, but that is not the case with OIDC; it would be nice for the OIDC config to also support workload identity.
Describe the solution you'd like
Support workload identity for the OIDC config.
Can you describe your use case?
I made it work successfully on GKE workload identity without DWDoA. It requires not providing gsuite_service_account, as that forces the whole plugin to use ADC. My only problem was that I had to provide the domain parameter to provider_config.
"provider_config": {
  "provider": "gsuite",
  "fetch_groups": true,
  "domain": "my-domain.org"
}
Are you still having an issue with this @nia-potato? You might take a look at https://github.com/hashicorp/vault/issues/24190 with details on using workload identity.
I was able to get this working using workload identity.
You don't need to specify any fields for impersonation.
Instead of using domain wide delegation, authorize the service account as a group reader in Google Workspace.
{
  "oidc_discovery_url": "https://accounts.google.com",
  "oidc_client_id": "$OIDC_CLIENT_ID",
  "oidc_client_secret": "$OIDC_CLIENT_SECRET",
  "default_role": "default",
  "provider_config": {
    "provider": "gsuite",
    "fetch_groups": true,
    "fetch_user_info": true,
    "groups_recurse_max_depth": 5,
    "domain": "MY_ORGS_DOMAIN"
  }
}
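The two shapes of provider_config discussed in this thread (key file plus domain-wide delegation versus ADC with a domain) can be told apart mechanically. The check below is an added example, not code from the issue or from Vault; the field names are those posted above, the sample configs are constructed, and the rules encode the thread's observations rather than Vault's documented validation.

```python
"""Classify a Vault OIDC gsuite provider_config by how it reaches Google APIs:
a service-account key file with domain-wide delegation, or ADC (workload
identity). Added example, not code from the issue or from Vault; field names
are those used in the thread, the rules are this example's reading of it."""
import json

# Constructed inputs modelled on the two configs posted in the thread.
KEYFILE_CONFIG = json.loads("""{
  "provider_config": {
    "provider": "gsuite",
    "gsuite_service_account": "/path/to/service-account.json",
    "gsuite_admin_impersonate": "admin@example.com",
    "fetch_groups": true
  }
}""")
WORKLOAD_IDENTITY_CONFIG = json.loads("""{
  "provider_config": {
    "provider": "gsuite",
    "fetch_groups": true,
    "fetch_user_info": true,
    "domain": "example.com"
  }
}""")

# Fields that only make sense with a key file and domain-wide delegation.
IMPERSONATION_FIELDS = ("gsuite_admin_impersonate", "impersonate_principal")


def classify_provider_config(cfg: dict) -> dict:
    """Return {"mode": "keyfile_dwd" | "adc", "findings": [...]}."""
    pc = cfg.get("provider_config", {})
    findings = []
    if pc.get("provider") != "gsuite":
        findings.append("provider is not gsuite")
    if pc.get("gsuite_service_account"):
        # A key file on disk is long-lived credential material to protect and rotate.
        mode = "keyfile_dwd"
        findings.append("service-account key referenced: long-lived secret on disk")
    else:
        # Per the thread, omitting gsuite_service_account makes the plugin use ADC.
        mode = "adc"
        for field in IMPERSONATION_FIELDS:
            if field in pc:
                findings.append(f"{field} set but unused without a key file")
        # Per the thread, group lookups under ADC needed an explicit domain.
        if pc.get("fetch_groups") and not pc.get("domain"):
            findings.append("fetch_groups with ADC requires domain")
    return {"mode": mode, "findings": findings}
```

Run it over the JSON you are about to `vault write` to confirm the config is in the ADC shape (no key path, no impersonation fields, domain present) before it reaches the cluster.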