The GCP authentication method enables Google Cloud Platform entities to authenticate to the Akeyless Vault Platform. Akeyless treats Google Cloud as a trusted third party and verifies entities requesting to authenticate against the Google Cloud APIs. It supports both Google Cloud Identity and Access Management (IAM) service accounts and Google Compute Engine (GCE) instances for authentication.

Prerequisites

  • A GCP Service Account with the following permissions:
iam.serviceAccounts.get
iam.serviceAccountKeys.get
compute.instances.get
compute.instanceGroups.list

👍

GKE Workloads Authentication

When authenticating from a pod inside a Google Kubernetes Engine (GKE) cluster using GKE Workload Identity enabled, any bounded rules other than Bound Service Accounts will not apply. GKE Workload Identity conceals metadata information about the running instance.

To work with the GKE Workload Identity with bounded rules, please configure only the Bound Service Accounts rule.

Be sure to follow the GKE Guide when configuring the GKE Workload Identity.

Create a GCP Authentication Method from the CLI

Let's create a new GCP authentication method using the Akeyless CLI. (You can do this also from the Akeyless Console.)

To create a GCP authentication method from the CLI, run the following command:

akeyless create-auth-method-gcp \
--name <authentication method name> \
--type <iam|gce> \
--service-account-creds-file </path/to/service account creds.json> \
--audience <audience to verify in the JWT received by the client>

Where:

  • name: A unique name for the authentication method. The name can include the path to the virtual folder where you want to create the new authentication method, using slash / separators. If the folder does not exist, it will be created together with the authentication method.

  • type: The authentication method type. It should be either iam or gce.

  • audience: The audience to verify in the JWT received by the client. By default, akeyless.io.

Parameters

You could find the complete list of parameters for this command in the CLI Reference - Authentication section.

Configure Akeyless CLI with the GCP authentication method

To configure your CLI to work with GCP authentication, run the following command from a GCP resource:

akeyless configure --profile default --access-id <Your GCP Auth AccessID>  --access-type gcp --gcp-audience akeyless.io
akeyless get-cloud-identity

Create a GCP Authentication Method in the Akeyless Console

  1. Log in to the Akeyless Console and go to Auth Methods > New > GCP.

  2. Define a Name for the authentication method, and specify the Location as a path to the virtual folder where you want to create the new authentication method, using slash / separators. If the folder does not exist, it will be created together with the authentication method.

  3. Define the remaining parameters as follows:

    • Expiration Date: Select the access expiration date. This parameter is optional. Leave it empty for access to continue without an expiration date.

    • Allowed Client IPs: Enter a comma-separated list of CIDR blocks from which the client can issue calls to the proxy. By "client," we mean CURL, SDK, etc. This parameter is optional. Leave it empty for unrestricted access.

    • Allowed Trusted Gateway IPs: Enter a comma-separated list of CIDR blocks from which Gateway calls will be accepted. This parameter is optional. Leave it empty for unrestricted access.

    • GCP Type: Select the type of GCP authentication method to create, either IAM or GCE.

    • Service Account Credentials: Enter a Base64-encoded string of the service account credentials or upload a JSON file with the service account credentials.

    • Audience: Enter the audience to verify in the JWT received by the client. By default, the Audience is akeyless.io.

    • Bound Projects: Enter a comma-separated list of GCP project IDs. The client must belong to one of these projects to authenticate. By "client," we mean CURL, SDK, etc. This parameter is optional. Leave it empty for unrestricted access.

    • Bound Service Accounts: Enter a valid Service Account. This parameter is only relevant for IAM authentication methods. Leave it empty for unrestricted access.

    • Bound Zones: Enter a comma-separated list of zones. The GCE instance must belong to one of these zones to authenticate. This parameter is only relevant for GCE authentication methods. Leave it empty for unrestricted access.

    • Bound Regions: Enter a comma-separated list of regions. The GCE instance must belong to one of these regions to authenticate. This parameter is only relevant for GCE authentication methods. Leave it empty for unrestricted access.

    • Bound Labels: Enter a key:value list of GCP labels. The GCE instance must have one of these labels to authenticate. This parameter is only relevant for GCE authentication methods. Leave it empty for unrestricted access.

  4. Click Save.

👍

What's next?

Make sure to associate your new Authentication Method with an Access Role to grant the relevant permissions within Akeyless


Did this page help you?