The Akeyless Dev Hub

GCP Authentication Method

The GCP authentication method enables Google Cloud Platform entities to authenticate to the Akeyless Vault Platform. Akeyless treats Google Cloud as a trusted third-party and verifies entities requesting to authenticate against the Google Cloud APIs. It supports both Google Cloud Identity and Access Management (IAM) service account and Google Compute Engine (GCE) instances for authentication.

You can create a GCP authentication method from the Akeyless CLI or from the Akeyless Console.

Create a GCP Authentication Method from the CLI

Let's create a new GCP authentication method using the Akeyless CLI. If you’d prefer, see how to do this from the Akeyless Console instead.

The CLI command to create a GCP authentication method is:

$ akeyless create-auth-method-gce \
    --name <authentication method name> \
    --type <iam|gce> \
    --audience <audience to verify in the JWT received by the client>

where:

  • name: A unique name for the authentication method. The name can include the path to the virtual folder in which you want to create the new authentication method, using slash / separators. If the folder does not exist, it will be created together with the authentication method.
  • type: The authentication method type, either iam or gce.
  • audience: The audience to verify in the JWT received by the client. By default, akeyless.io.

Options

The full list of options for this command is:

  -n, --name                        *Auth Method name
      --access-expires[=0]           Access expiration date in Unix timestamp (select 0 for access without expiry date)
      --bound-ips                    A CIDR whitelist of the IPs that the access is restricted to
      --service-account-creds-file   Service Account creds key file path
      --service-account-creds-data   Service Account creds data, base64 encoded
  -t, --type                        *The type of the GCP Auth Method (iam/gce)
      --audience[=akeyless.io]      *The audience to verify in the JWT received by the client
      --bound-projects               A list of GCP project IDs. Clients must belong to any of the provided projects in order to authenticate. For multiple values repeat this flag.
      --bound-service-accounts       IAM only. A list of Service Accounts. Clients must belong to any of the provided service accounts in order to authenticate. For multiple values repeat this flag.
      --bound-zones                  GCE only. A list of zones. GCE instances must belong to any of the provided zones in order to authenticate. For multiple values repeat this flag.
      --bound-regions                GCE only. A list of regions. GCE instances must belong to any of the provided regions in order to authenticate. For multiple values repeat this flag.
      --bound-labels                 GCE only. A list of GCP labels formatted as "key:value" pairs that must be set on instances in order to authenticate. For multiple values repeat this flag.
      --force-sub-claims             Enforce that role associations must include sub claims
      --profile                      Use a specific profile from your akeyless/profiles/ folder
      --username                     Optional username for various authentication flows
      --password                     Optional password for various authentication flows
      --uid-token                    The universal identity token. Required only for universal_identity authentication
  -h, --help                         Display help information
      --json[=false]                 Set output format to JSON
      --no-creds-cleanup[=false]     Do not clean local temporary expired creds
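
As an added illustration (not code from the Akeyless documentation or CLI), the shell function below assembles the create-auth-method-gce command line from the options listed above and refuses the combinations the option list marks as invalid: an IAM-only flag on a gce method, a GCE-only flag on an iam method, or a label that is not a key:value pair. The function name build_gcp_auth_cmd and the sample project, zone, label and service-account values are constructed for this example; the command is printed rather than executed so the access boundaries can be reviewed before the method is created.

```shell
#!/bin/sh
# Assembles an `akeyless create-auth-method-gce` command from the documented
# options and prints it instead of running it. Rejects what the option list
# marks as invalid: --bound-service-accounts is IAM only; --bound-zones,
# --bound-regions and --bound-labels are GCE only; labels must be "key:value".
# --audience is left out when not given, so the CLI default akeyless.io applies.
# usage: build_gcp_auth_cmd <iam|gce> <name> [--flag value ...]
build_gcp_auth_cmd() {
    am_type=$1; am_name=$2; shift 2
    case "$am_type" in
        iam|gce) ;;
        *) echo "type must be iam or gce, got '$am_type'" >&2; return 1 ;;
    esac
    cmd="akeyless create-auth-method-gce --name '$am_name' --type $am_type"
    # Every bound-* flag takes one value; repeat the flag for multiple values.
    while [ $# -gt 1 ]; do
        flag=$1; value=$2; shift 2
        case "$flag" in
            --bound-service-accounts)
                [ "$am_type" = iam ] || { echo "$flag is IAM only" >&2; return 1; } ;;
            --bound-zones|--bound-regions)
                [ "$am_type" = gce ] || { echo "$flag is GCE only" >&2; return 1; } ;;
            --bound-labels)
                [ "$am_type" = gce ] || { echo "$flag is GCE only" >&2; return 1; }
                case "$value" in
                    ?*:?*) ;;
                    *) echo "label must be key:value, got '$value'" >&2; return 1 ;;
                esac ;;
            --bound-projects|--bound-ips|--access-expires|--audience) ;;
            *) echo "unsupported flag '$flag'" >&2; return 1 ;;
        esac
        cmd="$cmd $flag '$value'"
    done
    # A dangling flag with no value is an error rather than silently dropped.
    [ $# -eq 0 ] || { echo "missing value for '$1'" >&2; return 1; }
    printf '%s\n' "$cmd"
}

# Constructed sample: an IAM method restricted to one project and one service account.
build_gcp_auth_cmd iam /prod/gcp-iam \
    --bound-projects my-project \
    --bound-service-accounts app@my-project.iam.gserviceaccount.com
```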

For details about these options, see the CLI Command Reference.

Create a GCP Authentication Method from the Akeyless Console

Let’s create a GCP authentication method using the Akeyless Console. If you’d prefer, see how to do this from the Akeyless CLI instead.

  1. Log in to the Akeyless Console and go to Auth Methods > New > GCP.

  2. Define a Name for the authentication method, and specify the Location as a path to the virtual folder in which you want to create the new authentication method, using slash / separators. If the folder does not exist, it will be created together with the authentication method.

  3. Define the remaining parameters as follows:

    • Expiration Date: Select the access expiration date. This parameter is optional. Leave it empty for access to continue without an expiration date.
    • Restricted IPs: Enter a list of the IPs to which access is restricted. This parameter is optional. Leave it empty for unrestricted access.
    • GCP Type: Select the type of GCP authentication method to create, either IAM or GCE.
    • Service Account Credentials: Enter a Base64-encoded string of the service account credentials, or upload a JSON file with the service account credentials.
    • Audience: Enter the audience to verify in the JWT received by the client. By default, the Audience is akeyless.io.
    • Bound Projects: Enter a comma-separated list of GCP project IDs. The client must belong to one of these projects to authenticate.
    • Bound Service Accounts: Enter a comma-separated list of service accounts. The client must belong to one of these service accounts to authenticate. This parameter is only relevant for IAM authentication methods.
    • Bound Zones: Enter a comma-separated list of zones. The GCE instance must belong to one of these zones to authenticate. This parameter is only relevant for GCE authentication methods.
    • Bound Regions: Enter a comma-separated list of regions. The GCE instance must belong to one of these regions to authenticate. This parameter is only relevant for GCE authentication methods.
    • Bound Labels: Enter a key:value pair list of GCP labels. The GCE instance must have one of these labels set to authenticate. This parameter is only relevant for GCE authentication methods.
  4. Select Save.
