103. GCP-IAM authentication

The gcp auth backend allows Vault login by using existing GCP (Google Cloud Platform) IAM and GCE credentials.

GCP IAM authentication creates a signature in the form of a JSON Web Token (JWT) for a service account. A JWT for a service account is obtained by calling GCP IAM’s projects.serviceAccounts.signJwt API. The caller authenticates against GCP IAM and proves thereby its identity. This Vault backend treats GCP as a Trusted Third Party.

IAM credentials can be obtained from either the runtime environment , specifically the GOOGLE_APPLICATION_CREDENTIALS environment variable, the Google Compute metadata service, or supplied externally as e.g. JSON or base64 encoded. JSON is the preferred form as it carries the project id and service account identifier required for calling projects.serviceAccounts.signJwt.

Example 103.1. bootstrap.yml with required GCP-IAM Authentication properties

    authentication: GCP_IAM
        role: my-dev-role

Example 103.2. bootstrap.yml with all GCP-IAM Authentication properties

    authentication: GCP_IAM
            location: classpath:credentials.json
            encoded-key: e+KApn0=
        gcp-path: gcp
        jwt-validity: 15m
        project-id: my-project-id
        role: my-dev-role
        service-account: [email protected] 

  • role sets the name of the role against which the login is being attempted.
  • credentials.location path to the credentials resource that contains Google credentials in JSON format.
  • credentials.encoded-key the base64 encoded contents of an OAuth2 account private key in the JSON format.
  • gcp-path sets the path of the GCP mount to use
  • jwt-validity configures the JWT token validity. Defaults to 15 minutes.
  • project-id allows overriding the project Id to a specific value. Defaults to the project Id from the obtained credential.
  • service-account allows overriding the service account Id to a specific value. Defaults to the service account from the obtained credential.

GCP IAM authentication requires the Google Cloud Java SDK dependency (com.google.apis:google-api-services-iam and com.google.auth:google-auth-library-oauth2-http) as the authentication implementation uses Google APIs for credentials and JWT signing.


Google credentials require an OAuth 2 token maintaining the token lifecycle. All API is synchronous therefore, GcpIamAuthentication does not support AuthenticationSteps which is required for reactive usage.

See also:

103.1 Kubernetes authentication

Kubernetes authentication mechanism (since Vault 0.8.3) allows to authenticate with Vault using a Kubernetes Service Account Token. The authentication is role based and the role is bound to a service account name and a namespace.

A file containing a JWT token for a pod’s service account is automatically mounted at /var/run/secrets/kubernetes.io/serviceaccount/token.

Example 103.3. bootstrap.yml with all Kubernetes authentication properties

    authentication: KUBERNETES
        role: my-dev-role
        kubernetes-path: kubernetes
        service-account-token-file: /var/run/secrets/kubernetes.io/serviceaccount/token

  • role sets the Role.
  • kubernetes-path sets the path of the Kubernetes mount to use.
  • service-account-token-file sets the location of the file containing the Kubernetes Service Account Token. Defaults to /var/run/secrets/kubernetes.io/serviceaccount/token.

See also:
