github
/
consul
mirror of https://github.com/hashicorp/consul
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Consul is a distributed, highly available, and data center aware solution to connect and configure applications across dynamic, distributed infrastructure.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
21002 Commits
1702 Branches
457 Tags
697 MiB
 
 
 
 
 
 
Tree: 76b5de5039
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '76b5de5039'
${ noResults }
consul/agent/connect/ca/provider_vault_auth_gcp.go

47 lines
1.4 KiB
Raw Blame History

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
package ca
import (
"fmt"
"github.com/hashicorp/vault/api/auth/gcp"
"github.com/hashicorp/consul/agent/structs"
)
var _ VaultAuthenticator = (*gcp.GCPAuth)(nil)
// NewGCPAuthClient returns a VaultAuthenticator that can log into Vault using the GCP auth method.
func NewGCPAuthClient(authMethod *structs.VaultAuthMethod) (VaultAuthenticator, error) {
// Check if the configuration already contains a JWT auth token. If so we want to
// perform a direct request to the login API with the config that is provided.
// This supports the Vault CA config in a backwards compatible way so that we don't
// break existing configurations.
if legacyCheck(authMethod.Params, "jwt") {
return NewVaultAPIAuthClient(authMethod, ""), nil
}
// Create a GCPAuth client from the CA config
params, err := toMapStringString(authMethod.Params)
if err != nil {
return nil, fmt.Errorf("misconfiguration of GCP auth parameters: %w", err)
}
opts := []gcp.LoginOption{gcp.WithMountPath(authMethod.MountPath)}
// Handle the login type explicitly.
switch params["type"] {
case "gce":
opts = append(opts, gcp.WithGCEAuth())
default:
opts = append(opts, gcp.WithIAMAuth(params["service_account_email"]))
}
auth, err := gcp.NewGCPAuth(params["role"], opts...)
if err != nil {
return nil, fmt.Errorf("failed to create a new Vault GCP auth client: %w", err)
}
return auth, nil
}