{"id":15222301,"url":"https://github.com/googlecloudplatform/vault-plugin-secrets-gcppca","last_synced_at":"2026-01-14T19:25:15.093Z","repository":{"id":37738183,"uuid":"285899510","full_name":"GoogleCloudPlatform/vault-plugin-secrets-gcppca","owner":"GoogleCloudPlatform","description":"Vault Plugin:  Google Cloud Platform CA Service","archived":true,"fork":false,"pushed_at":"2021-07-20T10:42:34.000Z","size":245,"stargazers_count":17,"open_issues_count":2,"forks_count":10,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-10-03T15:41:59.476Z","etag":null,"topics":["google-cloud","google-cloud-platform","vault-plugin"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/GoogleCloudPlatform.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-08-07T18:48:44.000Z","updated_at":"2024-09-21T08:09:38.000Z","dependencies_parsed_at":"2022-08-24T16:20:35.349Z","dependency_job_id":null,"html_url":"https://github.com/GoogleCloudPlatform/vault-plugin-secrets-gcppca","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/GoogleCloudPlatform/vault-plugin-secrets-gcppca","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoogleCloudPlatform%2Fvault-plugin-secrets-gcppca","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoogleCloudPlatform%2Fvault-plugin-secrets-gcppca/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoogleCloudPlatform%2Fvault-plugin-secrets-gcppca/releases","manifests_url":"https://repos.eco
syste.ms/api/v1/hosts/GitHub/repositories/GoogleCloudPlatform%2Fvault-plugin-secrets-gcppca/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/GoogleCloudPlatform","download_url":"https://codeload.github.com/GoogleCloudPlatform/vault-plugin-secrets-gcppca/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoogleCloudPlatform%2Fvault-plugin-secrets-gcppca/sbom","scorecard":{"id":58518,"data":{"date":"2025-08-11","repo":{"name":"github.com/GoogleCloudPlatform/vault-plugin-secrets-gcppca","commit":"16eb69c09a0b9cf84a4d6bf1d53469f1dbbfeca5"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":2.5,"checks":[{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous 
patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Code-Review","score":0,"reason":"Found 0/6 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Maintained","score":0,"reason":"project is archived","details":["Warn: Repository is archived."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: 
LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v1.1.0 not signed: https://api.github.com/repos/GoogleCloudPlatform/vault-plugin-secrets-gcppca/releases/46465491","Warn: release artifact v1.0.2 not signed: https://api.github.com/repos/GoogleCloudPlatform/vault-plugin-secrets-gcppca/releases/32614574","Warn: release artifact v1.0.1 not signed: https://api.github.com/repos/GoogleCloudPlatform/vault-plugin-secrets-gcppca/releases/31254226","Warn: release artifact v1.0.0 not signed: https://api.github.com/repos/GoogleCloudPlatform/vault-plugin-secrets-gcppca/releases/29461434","Warn: release artifact v1.1.0 does not have provenance: https://api.github.com/repos/GoogleCloudPlatform/vault-plugin-secrets-gcppca/releases/46465491","Warn: release artifact v1.0.2 does not have provenance: https://api.github.com/repos/GoogleCloudPlatform/vault-plugin-secrets-gcppca/releases/32614574","Warn: release artifact v1.0.1 does not have provenance: https://api.github.com/repos/GoogleCloudPlatform/vault-plugin-secrets-gcppca/releases/31254226","Warn: release artifact v1.0.0 does not have provenance: https://api.github.com/repos/GoogleCloudPlatform/vault-plugin-secrets-gcppca/releases/29461434"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the 
project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 5 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":8,"reason":"2 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2025-3488 / GHSA-6v2p-p543-phr9","Warn: Project is vulnerable to: GO-2023-2153 / GHSA-m425-mq94-257g / GHSA-qppj-fm5r-hxr3"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-15T01:13:33.133Z","repository_id":37738183,"created_at":"2025-08-15T01:13:33.133Z","updated_at":"2025-08-15T01:13:33.133Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28432592,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T18:57:19.464Z","status":"ssl_error","status_checked_at":"2026-01-14T18:52:48.501Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 
state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["google-cloud","google-cloud-platform","vault-plugin"],"created_at":"2024-09-28T15:11:30.656Z","updated_at":"2026-01-14T19:25:15.073Z","avatar_url":"https://github.com/GoogleCloudPlatform.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\n# Vault Plugin:  Google Cloud Platform CA Service\n\nThis is a backend plugin to be used with [Hashicorp Vault](https://www.github.com/hashicorp/vault) to provide certificates issued by [Google Cloud Platform Certificate Authority Service](https://cloud.google.com/certificate-authority-service/docs).\n\n\n\u003e This is not an officially supported Google product\n\n## Usage\n\nThis guide assumes you have already installed Vault and have a basic understanding of how Vault works as well as the basics of GCP Certificate Authority Service. Otherwise, first read this guide on how to [get started with Vault](https://www.vaultproject.io/intro/getting-started/install.html) as well as [Google Cloud Platform Certificate Authority Service](https://cloud.google.com/certificate-authority-service/docs).\n\nThis plugin will issue certificates through Vault where either the private key and Certificate Signing Request (CSR) are generated by the plugin or where the CSR is provided _to_ the plugin.  The plugin will not manage the CA or Subordinate CA lifecycle (create/delete CA, etc.) for GCP CA Service. 
\n\n\u003e This plugin is *not* packaged with Vault and must be added in manually.\n\n### QuickStart\n\nFor quick-start, you can either use the pre-built plugin binary or build and run Vault in \"dev\" mode:\n\n### Dev\n\nTo compile the plugin and run the dev server, you will need `go 1.11+` and `make`.\n\n```bash\nexport GOBIN=`pwd`/bin\nmake fmt\nmake dev\n\nvault server -dev -dev-plugin-dir=./bin --log-level=debug\n```\n\nMake sure you have set up a private CA with a Certificate Authority, and that the user or service account Vault runs as has access to generate and/or revoke certificates.  By default, Vault will use `Application Default Credentials`, but you can override that per mount path.\n\nIt is recommended to create an IAM Custom Role for the Vault service account with the minimum permissions it needs to operate.  For more information on how to set up this custom role, see the relevant section below.\n\nIn a new window in the same directory, configure Vault to use the plugin and enable/mount it at a path.\n\n```bash\nexport VAULT_ADDR='http://localhost:8200'\nexport SHASUM=$(shasum -a 256 \"bin/vault-plugin-secrets-gcppca\" | cut -d \" \" -f1)\n\nvault plugin register \\\n    -sha256=\"${SHASUM}\" \\\n    -command=\"vault-plugin-secrets-gcppca\" \\\n    secret vault-plugin-secrets-gcppca\n\nvault secrets enable -path=\"gcppca\" \\\n   --description='Vault CA Service Plugin' \\\n   --plugin-name='vault-plugin-secrets-gcppca' plugin\n```\n\nNote, the `scripts.dev.sh` script runs the above commands and runs Vault in the background.\n\nTo issue certificates, you need to first define a profile (config) for the mount path and then define and use a Vault policy.\n\n1. Define a config profile\n\nA profile dictates the specifications of the CA a specific Vault mount will use.  
In the example used here, the mount path is `gcppca` with the CA pool `my-pool`:\n\n```bash\nvault write gcppca/config \\\n\tpool=\"my-pool\" \\\n\tlocation=\"us-central1\" \\\n\tproject=\"your-project-id\"\n```\n\n2. Generate and use Vault policy\n\nOnce the config has been defined, this plugin can be used in two modes:\n\na) `Generated`: a key pair and CSR are generated within `Vault` and the CSR is signed by `CA Service`\n\nor\n\nb) `Provided`: a Certificate Signing Request (`CSR`) is provided to the plugin.\n\nUnder no circumstance does this plugin retain the private key for any certificate.\n\n- The sub-path under `\u003cmount\u003e/issue-with-genkey/` is intended for Vault-generated keys.\n\n- The sub-path under `\u003cmount\u003e/issue-with-csr/` is intended for user-provided CSRs.\n\nThis plugin will create a certificate within GCP CA Service with a certificate `Name` using the final path parameter in the Vault resource path.  For example, `gcppca/issue-with-genkey/my_tls_cert_rsa_1` will create a GCP CA Service Resource path `projects/your-project-id/locations/us-central1/caPools/my-pool/certificates/my_tls_cert_rsa_1`.  This is the actual CA Service unique name for the certificate and cannot be reused once created.\n\nDeleting the key in Vault will revoke the certificate in CA Service, which also means the same name cannot be reused.\n\nThe examples below use a default certificate authority pool with a CA.  
That is, you should have a pool and CA pre-generated, for example:\n\n```bash\n$ gcloud privateca pools create my-pool-1 --location=us-central1\n$ gcloud privateca roots create ca-1 --location=us-central1 --pool my-pool-1 \\\n   --subject \"C=US,ST=California,L=Mountain View,O=Google LLC,CN=google.com\"\n```\n\n### Vault Generated\n\nTo generate a certificate key pair in Vault, first apply a configuration that allows Vault to reference which CA to sign against.\n\nThe configuration below will generate a certificate called `my_tls_cert_rsa_1` within CA Service using a GCP CA `prod-root` that was defined separately.\n\nApply the config and acquire a `VAULT_TOKEN` based off of those policies.\n\n```bash\nvault policy write genkey-policy -\u003c\u003cEOF\npath \"gcppca/issue-with-genkey/my_tls_cert_rsa_1\" {\n    capabilities = [\"update\", \"delete\"]\n    allowed_parameters = {\n      \"key_type\" = [\"rsa\"]\n      \"validity\" = [\"P30D\"]\n      \"dns_san\" = [\"client.domain.com,client2.domain.com\"]\n      \"subject\" = [\"C=US,ST=California,L=Mountain View,O=Google LLC,CN=google.com\"]\n  }\n}\nEOF\n```\n\nAn end-user will use their existing credentials to acquire a new VAULT_TOKEN authorized for that policy:\n\n```bash\nexport VAULT_ADDR='http://localhost:8200'\nvault token create -policy=genkey-policy\n\nexport VAULT_TOKEN=s.vs2D...\n\nvault write gcppca/issue-with-genkey/my_tls_cert_rsa_1 \\\n\tkey_type=\"rsa\" \\\n\tvalidity=\"P30D\" \\\n\tdns_san=\"client.domain.com,client2.domain.com\" \\\n\tsubject=\"C=US,ST=California,L=Mountain View,O=Google LLC,CN=google.com\"\n```\n\nThe output will be the public certificate and private key:\n\n```\nKey        Value\n---        -----\nprivkey    -----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAA...\npubcert    -----BEGIN CERTIFICATE-----\nMIIEHTCCA8...\n```\n\n### Provided CSR\n\nFor a user-provided CSR, first apply a configuration that allows Vault to use a provided CSR.  
This is done by using the `\u003cmount\u003e/issue-with-csr/` path.\n\nAs before, the CA configuration was defined earlier at the root mount path (e.g., `gcppca/`).\n\nApply the config and acquire a `VAULT_TOKEN` based off of those policies:\n\n```bash\nvault policy write csr-policy -\u003c\u003cEOF\npath \"gcppca/issue-with-csr/my_csr_cert_1\" {\n    capabilities = [\"update\", \"delete\"]\n    allowed_parameters = {\n      \"validity\" = [\"P30D\"]\n      \"pem_csr\" = []\n  }\n}\nEOF\n```\n\nUse the appropriate token to create a certificate given a CSR (`my_csr.pem`), generated here with openssl:\n\n```bash\nopenssl req \\\n    -out my_csr.pem \\\n    -newkey rsa:2048 \\\n    -keyout my_key.pem \\\n    -nodes \\\n    -new -sha256 \\\n    -subj \"/C=US/ST=California/L=Mountain View/O=Google/OU=Enterprise/CN=some.domain.com\"\nopenssl req -in my_csr.pem -noout -text\n```\n\n```bash\nvault token create -policy=csr-policy\nexport VAULT_TOKEN=...\n\nvault write gcppca/issue-with-csr/my_csr_cert_1 \\\n\tvalidity=\"P30D\" \\\n\tpem_csr=@my_csr.pem\n```\n\nThe output will be just the public certificate (`pubcert`):\n\n```\nKey        Value\n---        -----\npubcert    -----BEGIN CERTIFICATE-----\nMIID2DCCA36gA\n```\n\n### Options\n\nPlugin configuration supports common options and mode-specific options.\n\n#### Common Options\n\n| Option | Description |\n|:------------|-------------|\n| **`validity`** | `string` validity of the issued certificate (default: `P30d`) |\n| **`labels`** | `[]string` list of GCP labels to apply to the certificate (format `k1=v1,k2=v2`) |\n| **`issuing_certificate_authority`** | `string` Optional. The resource ID of the CertificateAuthority that should issue the certificate. By default, the certificate will be issued from any of the active CAs in the CA Pool. 
|\n\n#### Generated (/issue-with-genkey/) Options\n\n| Option | Description |\n|:------------|-------------|\n| **`key_type`** | `string` what type of key to generate (default: `rsa`; either `rsa` or `ecdsa`; cannot be specified if `csr` is set) |\n| **`key_usage`** | `[]string` the `key_usage` settings to apply (default: `[]`) |\n| **`extended_key_usage`** | `[]string` the `extended_key_usage` settings to apply (default: `[]`) |\n| **`certificate_template`** | `string` the certificate template to use (cannot be set if `key_usage` or `extended_key_usage` is set; default `[]`) |\n| **`subject`** | `string` subject field value (must be in canonical format `C=,ST=,L=,O=,CN=`) |\n| **`dns_san`** | `[]string` list of `dns_san` to use |\n| **`email_san`** | `[]string` list of `email_san` to use |\n| **`ip_san`** | `[]string` list of `ip_san` to use |\n| **`uri_san`** | `[]string` list of `uri_san` to use |\n| **`is_ca_cert`** | `bool` whether this certificate is for a CA or not. |\n| **`max_chain_length`** | `int` Maximum depth of subordinate CAs allowed under this CA for a CA certificate. |\n\nNote, if you use `certificate_template`, specify the fully qualified name:\n   `\"certificate_template\" = [\"projects/your_project_id/locations/your_location/certificateTemplates/your_template\"]`\n\n#### CSR (/issue-with-csr/) Options\n\n| Option | Description |\n|:------------|-------------|\n| **`pem_csr`** | `string` contents of the CSR in PEM format |\n\n#### Sample usage\n\nThe following policies describe usage of the `certificate_template` and `key_usage` options.  
\n\n`certificate_template` options:\n\n```bash\nvault policy write genkey-reusable-policy -\u003c\u003cEOF\npath \"gcppca/issue-with-genkey/my_tls_cert_ecdsa_1\" {\n    capabilities = [\"create\", \"update\", \"delete\"]\n    allowed_parameters = {\n      \"key_type\" = [\"ecdsa\"]\n      \"validity\" = [\"P30D\"]\n      \"dns_san\" = [\"client.domain.com,client2.domain.com\"]\n      \"subject\" = [\"C=US,ST=California,L=Mountain View,O=Google LLC,CN=google.com\"]\n  }\n}\nEOF\n```\n\n`key_usages` option:\n\n```bash\nvault policy write genkey-usage-policy -\u003c\u003cEOF\npath \"gcppca/issue-with-genkey/my_tls_cert_encipher_1\" {\n    capabilities = [\"create\", \"update\", \"delete\"]\n    allowed_parameters = {\n      \"validity\" = [\"P30D\"]\n      \"dns_san\" = [\"client.domain.com,client2.domain.com\"]\n      \"subject\" = [\"C=US,ST=California,L=Mountain View,O=Google LLC,CN=google.com\"]\n      \"key_usages\" = [\"encipher_only\"]\n  }\n}\nEOF\n```\n\nWhen a derived VAULT_TOKEN is used with `vault write gcppca/issue-with-genkey/..` operations, you must provide the _exact_ parameters defined in the policy.  For example:\n\n```bash\nvault write gcppca/issue-with-genkey/my_tls_cert_encipher_1 \\\n\tvalidity=\"P30D\" \\\n\tdns_san=\"client.domain.com,client2.domain.com\" \\\n\tsubject=\"C=US,ST=California,L=Mountain View,O=Google LLC,CN=google.com\" \\\n\tkey_usages=\"encipher_only\"\n```\n\n### Revoke Certificates\n\nTo revoke a certificate, simply run the inverse operation, `vault delete ..`, with the exact same parameters as the `vault write ..` operation.\n\n### Prebuilt binary\n\nTo install, download `vault-plugin-secrets-gcppca` from the \"Releases\" page on GitHub.  You can compare the SHA provided there against the reference in the upstream repository at any time.\n\n- Copy to the [Vault plugin directory](https://www.vaultproject.io/docs/configuration#plugin_directory)\n\n- Register the Plugin (remember to update `path/to/vault/plugins/`). 
\n\n```bash\nexport VERSION=v1.0.3\nexport SHASUM=`curl -L -s https://github.com/GoogleCloudPlatform/vault-plugin-secrets-gcppca/releases/download/$VERSION/checksum.sha256`\n\nvault plugin register \\\n    -sha256=\"${SHASUM}\" \\\n    -command=\"vault-plugin-secrets-gcppca\" \\\n    secret vault-plugin-secrets-gcppca\n\nvault secrets enable -path=\"gcppca\" \\\n --description='Vault CA Service Plugin' \\\n --plugin-name='vault-plugin-secrets-gcppca' plugin\n```\n\nNote, the \"Releases\" page in this repo contains the `sha256` checksums.\n\nIf you are running Vault in production and use your own TLS certificate for client connections to Vault, you must register the plugin and configure it to use the TLS CA you use. For example, if your Vault `server.conf` shows:\n\n```hcl\nlistener \"tcp\" {\n  address = \"vault.domain.com:8200\"\n  tls_cert_file = \"/path/to/tls_crt_vault.pem\"\n  tls_key_file = \"/path/to/tls_key_vault.pem\"\n}\napi_addr = \"https://vault.domain.com:8200\"\nplugin_directory = \"/path/to/vault/plugins\"\n```\n\nThen register the plugin and specify the path to the TLS CA certificate the Vault server was configured to use.\n\nIn the following, if the Vault server's TLS certificate (`/path/to/tls_crt_vault.pem`) was signed by `/path/to/tls_cacert.pem`, specify the path to that CA certificate using the `-args=\"-ca-cert=...\"` option:\n\n```bash\nexport VAULT_CACERT=/path/to/tls_cacert.pem\n\nvault plugin register \\\n    -sha256=\"${SHASUM}\" \\\n    -command=\"vault-plugin-secrets-gcppca\" \\\n    -args=\"-ca-cert=$VAULT_CACERT\" secret vault-plugin-secrets-gcppca\n```\n\n### Specify credentials per mount\n\nBy default, the plugin will use `Application Default Credentials` to access GCP CA.  If you need different credentials per mount, you can specify that using the `config/` path of the mount point.  
For example, to specify a service account credentials JSON file for the `gcppca` mount:\n\n```bash\nvault write gcppca/config \\\n  credentials=@/path/to/svc_account.json\n```\n\n### Custom IAM Role for Vault\n\nThe following custom role will set the required permissions this plugin uses:\n\nCreate a file `vault-custom-role.yaml` (remember to replace the `$PROJECT_ID` variable):\n\n```yaml\nincludedPermissions:\n- privateca.certificates.create\n- privateca.certificates.update\nname: projects/$PROJECT_ID/roles/VaultCAServiceRole\nstage: GA\ntitle: VaultCAServiceRole\n```\n\nCreate a custom role:\n\n```bash\ngcloud iam roles create vaultCAServiceRole --project=$PROJECT_ID \\\n  --file=vault-custom-role.yaml\n```\n\nFinally, assign this role to the Vault service account.\n\n### Future Enhancements\n\n- Vault plugin to Create and Manage CA Policy ([CertificateAuthorityPolicy](https://cloud.google.com/certificate-authority-service/docs/reference/rest/v1alpha1/projects.locations.certificateAuthorities#certificateauthoritypolicy)).\n\n### Vault Acceptance Tests\n\n`TODO`\n\n### Other Docs\n\n- [Building a Vault Secure Plugin](https://www.hashicorp.com/blog/building-a-vault-secure-plugin/)\n- [Building Plugin Backends](https://learn.hashicorp.com/vault/secrets-management/plugin-backends)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgooglecloudplatform%2Fvault-plugin-secrets-gcppca","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgooglecloudplatform%2Fvault-plugin-secrets-gcppca","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgooglecloudplatform%2Fvault-plugin-secrets-gcppca/lists"}