From 623d40acf3e04fc5977d1d598fcee6b034e112ed Mon Sep 17 00:00:00 2001
From: Leo Dias
Date: Wed, 7 Dec 2022 23:30:21 +0000
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20Add=20`vault=5Fgkms=5Fcopy=5Fsa`=20?=
 =?UTF-8?q?var,=20auto-unseal=20uses=20default=20instance=20SA=20credentia?=
 =?UTF-8?q?ls=20(#298)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 README.md | 5 +++++
 defaults/main.yml | 1 +
 tasks/main.yml | 3 ++-
 templates/vault_seal_gcpkms.j2 | 2 ++
 4 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 5343b7b9..6efb0656 100644
--- a/README.md
+++ b/README.md
@@ -1355,6 +1355,11 @@ This Auto-unseal mechanism is Open Source in Vault 1.0 but would require Enterpr
 - GCP Project where the key reside.
 - Default value: ''
 
+### `vault_gkms_copy_sa`
+
+- Copy GCP SA credentials file from Ansible control node to Vault server. When not `true` and no value is specified for `vault_gkms_credentials_src_file`, the default instance service account credentials are used.
+- Default value: `"true"`
+
 ### `vault_gkms_credentials_src_file`
 
 - User-specified source directory for GCP Credential on Ansible control node.
diff --git a/defaults/main.yml b/defaults/main.yml
index e0bb85df..789c1b9a 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -345,6 +345,7 @@ vault_gkms_credentials: '/home/vault/vault-kms.json'
 vault_gkms_region: 'global'
 vault_gkms_key_ring: 'vault'
 vault_gkms_crypto_key: 'vault_key'
+vault_gkms_copy_sa: true
 
 # pkcs11 seal
 vault_enterprise_premium_hsm: false
diff --git a/tasks/main.yml b/tasks/main.yml
index d63a26df..e2a1aed1 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -151,7 +151,8 @@
     mode: "0600"
   when:
     - vault_gkms | bool
-    - vault_gkms_credentials_content | length > 0
+    - vault_gkms_credentials_content | length > 0 or
+      vault_gkms_copy_sa | bool
 
- name: "Copy GCP Credentials for gcs backend"
   copy:
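Review bot: `vault_gkms_copy_sa: true` turns the service-account key copy on by default, so the instance-identity path the README describes is only reached when an operator explicitly sets the variable to `false`. For a switch that writes a long-lived key file onto the Vault host, opt-in is the safer default, and `vault_gkms_copy_sa: false` would also preserve the pre-patch gating in tasks/main.yml, where the copy task ran only when `vault_gkms_credentials_content` was non-empty. If `true` is a deliberate compatibility choice, say so next to the variable, e.g. `# set to false to rely on the instance's default service account instead of a copied key file`.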
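Review bot: The new `or` makes the credentials copy task run whenever `vault_gkms_copy_sa` is true, which with the shipped default includes the case where `vault_gkms_credentials_content` is empty and nothing in the condition confirms a source file was supplied, so the task may write an empty or absent credentials file to the `mode: "0600"` destination. The task's `copy:` arguments (whether it uses `content:` or `src:`) are outside the hunk, so the exact failure mode is inferred. The condition also diverges from the README wording and from the template guard in templates/vault_seal_gcpkms.j2: with `vault_gkms_copy_sa: false` and non-empty content the key is still copied to disk while the template omits `credentials =`, leaving an unused secret on the host. A gate that matches the documented intent would be `- vault_gkms_copy_sa | bool` as its own list item plus `- vault_gkms_credentials_content | length > 0 or vault_gkms_credentials_src_file | default('') | length > 0`.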
diff --git a/templates/vault_seal_gcpkms.j2 b/templates/vault_seal_gcpkms.j2
index f276430b..c8a6ee3c 100644
--- a/templates/vault_seal_gcpkms.j2
+++ b/templates/vault_seal_gcpkms.j2
@@ -1,5 +1,7 @@
 seal "gcpckms" {
+  {% if vault_gkms_copy_sa and vault_gkms_credentials_src_file is defined and vault_gkms_credentials|length -%}
   credentials = "{{ vault_gkms_credentials }}"
+  {% endif -%}
   project = "{{ vault_gkms_project }}"
   region = "{{ vault_gkms_region }}"
   key_ring = "{{ vault_gkms_key_ring }}"
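Review bot: The guard `vault_gkms_credentials_src_file is defined` keys on a different variable than the copy task in tasks/main.yml, which keys on `vault_gkms_credentials_content`; an operator who supplies only the content has the key file written to the host but, if `vault_gkms_credentials_src_file` is undefined, gets no `credentials =` line, so Vault silently falls back to the instance identity and the copied key is never used. Conversely, if that variable carries a default (even an empty one) in defaults/main.yml, `is defined` is always true and the test adds nothing; the defaults for it are not in this diff, so that case is inferred. `vault_gkms_credentials|length` only tests that a destination path is configured, not that anything was copied there. Using the same test as the task, `vault_gkms_copy_sa and (vault_gkms_credentials_content | length > 0 or vault_gkms_credentials_src_file | default('') | length > 0)`, would keep the rendered seal stanza and the file on disk in agreement.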