You are looking at the documentation of a prior release. To read the documentation of the latest release, please
visit here.
New to KubeVault? Please start here.
GCPRole
What is GCPRole
A GCPRole
is a Kubernetes CustomResourceDefinition
(CRD) which allows a user to create a GCP secret engine role in a Kubernetes native way.
When a GCPRole
is created, the KubeVault operator configures a Vault roleset.
The rolesets determine the permissions that Service Account credentials generated by Vault will have on GCP resources. If the user deletes the GCPRole
CRD, then the respective role will also be deleted from Vault.
For maintaining similarity with other secret engines we will refer roleset as role in the following description.
GCPRole CRD Specification
Like any official Kubernetes resource, a GCPRole
object has TypeMeta
, ObjectMeta
, Spec
and Status
sections.
A sample GCPRole
object is shown below:
apiVersion: engine.kubevault.com/v1alpha1
kind: GCPRole
metadata:
name: gcp-role
namespace: demo
spec:
secretEngineRef:
name: gcp-secret-engine
secretType: access_token
project: ackube
bindings: 'resource "//cloudresourcemanager.googleapis.com/projects/ackube" {
roles = ["roles/viewer"]
}'
tokenScopes: ["https://www.googleapis.com/auth/cloud-platform"]
status:
observedGeneration: 1
phase: Success
Note: To resolve the naming conflict, name of the role in Vault will follow this format:
k8s.{clusterName}.{metadata.namespace}.{metadata.name}
Here, we are going to describe the various sections of the GCPRole
crd.
GCPRole Spec
GCPRole spec
contains the necessary information required to create a GCP secret engine role.
spec:
secretEngineRef:
name: <gcp-secret-engine>
path: <gcp-secret-engine-path>
secretType: <generated-secret-type>
project: <svc-ac-owner-project>
bindings: <bindings>
tokenScopes: <OAuth-scopes>
GCPRole spec has the following fields:
spec.secretEngineRef
spec.secretEngineRef
is a required
field that specifies the name of an AppBinding reference which is used to connect with a Vault server. AppBinding must be on the same namespace with the GCPRole object.
spec:
secretEngineRef:
name: gcp-secret-engine
spec.path
spec.path
is an optional
field that specifies the path where the secret engine is enabled. The default path value is gcp
.
spec:
path: my-gcp-path
spec.secretType
spec.secretType
is a required
field that specifies the type of secret generated for this roleset. Accepted values: access_token
, service_account_key
.
spec:
secretType: access_token
spec.project
spec.project
is a required
field that specifies the name of the GCP project where roleset’s service account belongs to.
spec:
project: ackube
spec.bindings
spec.bindings
is a required
field that specifies the bindings configuration string.
spec:
bindings: 'resource "//cloudresourcemanager.googleapis.com/projects/ackube" {
roles = ["roles/viewer"]
}'
spec.tokenScopes
spec.tokenScopes
is an optional
field that specifies the list of
OAuth scopes to assign to access_token
secrets generated under this role
set (access_token
role sets only)
spec:
tokenScopes: ["https://www.googleapis.com/auth/cloud-platform"]
GCPRole Status
status
shows the status of the GCPRole. It is managed by the KubeVault operator. It contains the following fields:
observedGeneration
: Specifies the most recent generation observed for this resource. It corresponds to the resource’s generation, which is updated on mutation by the API Server.phase
: Indicates whether the role successfully applied to Vault or not.conditions
: Represent observations of a GCPRole.