Add a sign JWT resource

[lbordowitz]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

The signJwt command is used to provide the stamp of approval by a service account of some JSON payload. In particular, it is used as part of Hashicorp Vault's GCP authentication in IAM-type roles.

This resource could be used in conjunction with the Vault provider; in other words, the google provider could bootstrap the authentication of a Vault provider using credentials provided in the environment variables. This would tremendously improve the usability of Vault.

New or Affected Resource(s)

One of the following:

• google_service_account_sign
• google_service_account_jwt
• google_service_account_sign_jwt

Potential Terraform Configuration

data "google_service_account" "myaccount" {
  account_id = "myaccount-id"
}

resource "google_service_account_sign" "vault_access" {
  service_account = data.google_service_account.myaccount.email
  payload = <<EOT
{
  "sub": "${data.google_service_account.myaccount.email}",
  "aud": "vault/vault_admin"
}
EOT
}

provider "vault" {
  address         = "https://127.0.0.1:8200/"
  skip_tls_verify = true
  auth_login {
    path = "auth/gcp/login"
    parameters = {
      jwt = google_service_account_sign.vault_access.jwt
      role = "vault_admin"
    }
  }
}

[rwblokzijl]

Does anyone have a workaround to get the JWT in terraform? Otherwise i dont see a way of using GCP auth for the vault provider.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.