Is your feature request related to a problem? Please describe.
In order to configure Google OIDC for authentication, the GCP service account JSON file path is required, and the file to exist on the host. In a K8S deployment, this poses particular problems, as it would then require a manually created/configured secret/configmap/persistentvolume, and for that to be mounted as an extra volume before calling the auth configuration endpoint. The file then persists in a not-so-secret manner.
Describe the solution you'd like
Following the docs (https://www.vaultproject.io/docs/auth/jwt_oidc_providers#gsuite_service_account), an additional param of gsuite_service_account_contents or gsuite_service_account_json or something that allows the writing of the service account config without requiring a file to exist on the file system.
Describe alternatives you've considered
Potentially I might be able to use the vault-agent to pull the JSON object from a kv store in Vault itself, and output that to a file on a shared volume before vault itself starts up. It's a convoluted workaround, but I'll have to attempt it now anyway.
It appears this has been fixed and addressed in a recent change: #11388
You are now able to provide either a path or the contents of the JSON service account to the gsuite_service_account parameter and achieve your desired outcome.
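The following is an added example, not code from the issue or from Vault itself. It shows the two ways of supplying the credential that the comment above describes (a host path or the JSON contents) and assembles a JWT/OIDC auth config payload that carries the contents inline, so nothing has to be mounted on the Vault pod. The `provider_config` keys other than `gsuite_service_account` (`provider`, `gsuite_admin_impersonate`, `fetch_groups`) are taken from the linked provider docs and are assumed here; the service-account document is a constructed placeholder, not a real key; the helper names and the HTTP wrapper are hypothetical.

```python
import json
import os
import tempfile
import urllib.request

# Fields every GCP service-account key file carries; used only as a sanity check.
REQUIRED_SA_KEYS = {"type", "project_id", "private_key_id", "private_key", "client_email"}


def load_service_account(value: str) -> dict:
    """Return the service-account document from either inline JSON or a file path.

    Inline contents let a K8s deployment hand the credential over directly
    (e.g. from a Secret exposed as an env var) instead of mounting a file.
    """
    stripped = value.strip()
    if stripped.startswith("{"):
        data = json.loads(stripped)            # inline contents
    else:
        with open(stripped, "r", encoding="utf-8") as fh:
            data = json.load(fh)               # path on the host
    missing = REQUIRED_SA_KEYS - set(data)
    if missing:
        raise ValueError(f"service account JSON is missing keys: {sorted(missing)}")
    if data["type"] != "service_account":
        raise ValueError(f"unexpected credential type: {data['type']!r}")
    return data


def build_oidc_config(service_account: dict, client_id: str, client_secret: str,
                      admin_email: str) -> dict:
    """Assemble the payload for POST /v1/auth/<mount>/config (hypothetical helper)."""
    return {
        "oidc_discovery_url": "https://accounts.google.com",
        "oidc_client_id": client_id,
        "oidc_client_secret": client_secret,
        "provider_config": {
            "provider": "gsuite",
            # Contents rather than a path, so no file has to live on the Vault host.
            "gsuite_service_account": json.dumps(service_account),
            "gsuite_admin_impersonate": admin_email,
            "fetch_groups": True,
        },
    }


def write_config(vault_addr: str, token: str, mount: str, payload: dict) -> int:
    """POST the payload to the auth mount's config endpoint and return the HTTP status."""
    req = urllib.request.Request(
        f"{vault_addr.rstrip('/')}/v1/auth/{mount}/config",
        data=json.dumps(payload).encode(),
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


# Constructed sample key (not a real credential) for the offline demo below.
SAMPLE_SA = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "vault-oidc@example-project.iam.gserviceaccount.com",
}


def demo() -> dict:
    """Load the same credential both ways (file and inline) and build the config."""
    with tempfile.TemporaryDirectory() as tmp_dir:
        path = os.path.join(tmp_dir, "sa.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(SAMPLE_SA, fh)
        from_file = load_service_account(path)
    from_inline = load_service_account(json.dumps(SAMPLE_SA))
    cfg = build_oidc_config(from_inline, "client-id", "client-secret", "admin@example.com")
    embedded = json.loads(cfg["provider_config"]["gsuite_service_account"])
    return {
        "same": from_file == from_inline,
        "provider": cfg["provider_config"]["provider"],
        "sa_email": embedded["client_email"],
    }


if __name__ == "__main__":
    print(demo())
    # To apply for real (assumed env vars; the Secret would carry the JSON contents):
    # sa = load_service_account(os.environ["GSUITE_SA_JSON"])
    # payload = build_oidc_config(sa, os.environ["OIDC_CLIENT_ID"],
    #                             os.environ["OIDC_CLIENT_SECRET"], "admin@example.com")
    # write_config(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"], "oidc", payload)
```

Because the credential arrives as request data, it lives only in Vault's storage for the auth mount rather than as a file on the node; the `type` and required-key checks reject a user credential or a truncated document before it reaches the config endpoint.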