✨ Add vault_gkms_copy_sa var, auto-unseal uses default instance SA …

…credentials (#298)

README.md

@@ -1355,6 +1355,11 @@ This Auto-unseal mechanism is Open Source in Vault 1.0 but would require Enterpr
 - GCP Project where the key reside.
 - Default value: ''
 
+### `vault_gkms_copy_sa`
+
+- Copy GCP SA credentials file from Ansible control node to Vault server. When not `true` and no value is specified for `vault_gkms_credentials_src_file`, the default instance service account credentials are used.
+- Default value: `"true"`
+
 ### `vault_gkms_credentials_src_file`
 
 - User-specified source directory for GCP Credential on Ansible control node.

defaults/main.yml

@@ -345,6 +345,7 @@ vault_gkms_credentials: '/home/vault/vault-kms.json'
 vault_gkms_region: 'global'
 vault_gkms_key_ring: 'vault'
 vault_gkms_crypto_key: 'vault_key'
+vault_gkms_copy_sa: true
 
 # pkcs11 seal
 vault_enterprise_premium_hsm: false

tasks/main.yml

@@ -151,7 +151,8 @@
     mode: "0600"
   when:
     - vault_gkms | bool
-    - vault_gkms_credentials_content | length > 0
+    - vault_gkms_credentials_content | length > 0 or
+      vault_gkms_copy_sa | bool
 
 - name: "Copy GCP Credentials for gcs backend"
   copy:

templates/vault_seal_gcpkms.j2

@@ -1,5 +1,7 @@
 seal "gcpckms" {
+  {% if vault_gkms_copy_sa and vault_gkms_credentials_src_file is defined and vault_gkms_credentials|length -%}
   credentials = "{{ vault_gkms_credentials }}"
+  {% endif -%}
   project     = "{{ vault_gkms_project }}"
   region      = "{{ vault_gkms_region }}"
   key_ring    = "{{ vault_gkms_key_ring }}"