Passing in the vault host/token in environment variables show in plain text in the GCP console (for cloud functions at least, I think this is true across all their products though).

It looks like there are other ways to pass in the config outside of environment variables, but have you all considered including berglas and using Google KMS + a GCS bucket for storing the encrypted host/token? It allows for easy rotation of the auth token and avoids insecure environment variables.

I tried checking out the cloud function example to see how you were handling that but I'm pretty new to golang and struggled to tell how you were dealing with it, it looked like env vars though.

I have an example of how to handle Vault with berglas in cloud functions if you haven't already decided against it, I'd be happy to share some code.

Thanks!

since most (if not all?) gcp services are now being run within infrastructure that has a colocated metadata server, there are two things that can change here that make this faster:

1. not using the IAM server to sign JWTs but use the JWTs the metadata server can make you special for vault
2. by doing (1) you no longer need to figure out the service account email so you can skip a call to the metadata server for the email (if you've been using that)

simply doing (1) should also speed things up because it's the difference between going somewhere to get something and having it next to you.

https://godoc.org/github.com/NYTimes/gcp-vault#Config documentation is a little misleading.

AuthPath mentions that it

// Defaults to 'auth/gcp'.

However, that's only if the client uses envconfig.Process which the docs don't mention that anywhere at all besides seeing the envconfig tags which only if you know the envconfig library, you know need to use this.

We should either mention that "defaults only work if you use envconfig" or remove the default tag and just manually write defaults.

FYI, when AuthPath is an empty string, the error that comes back is this:

unable to login to vault: unable to make login request: Error making API request

Which is unhelpful

This issue is made in response to the announcement of Vault Throttling.

Internal discussion, internal doc with more info.

Docs:

• Token Type Comparison
• Token Type Param

Ideally, we could make a way for gcp-vault to use batch tokens.

Currently when connecting to the IAM API this library reuses the transport from the already initialized HTTP client. Is there a reason for this? This breaks connecting to the IAM API if we set VAULT_CACERT to something that does not include the google root certificate (which is usually the case).

My suggestion would just be to not reuse hc.Transport there.