How to generate short-lived GCP Service Account Keys or OAuth2 tokens with Vault
A common shortcut is to store a long-lived GCP Service Account key directly in a Vault path. With that approach, key rotation, offboarding users who had access to the path, and access management in general become extremely hard: the stored key never changes on its own, so everyone who has ever read it keeps working credentials until someone rotates it by hand. The benefits of using the GCP secrets engine to manage Google Cloud IAM service accounts instead are:
- Automatic cleanup of GCP IAM service account keys — each Service Account key is associated with a Vault lease. When the lease expires (either during normal revocation or through early revocation), the service account key is automatically revoked.
- Quick, short-term access — users do not need to create new GCP Service Accounts for short-term or one-off access (such as batch jobs, deployment jobs, or quick introspection).
- Multi-cloud and hybrid cloud applications — users authenticate to Vault using a central identity service (such as LDAP) and generate GCP credentials without the need to create or manage a new Service Account for that user.
Setup
First, enable the GCP secrets engine:
vault secrets enable gcp
Next, create a GCP service account and hand its credentials to Vault; this is the account Vault itself uses to issue and revoke the short-lived credentials. The service account must…
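To show the whole flow end to end, here is an added shell script that is not part of the original post: it enables the engine with lease limits, points it at the credentials of the service account Vault will use, defines one roleset that issues OAuth2 access tokens and one that issues service account keys (both restricted to roles/viewer), and then requests a token and a 30-minute key. The project id my-project, the credentials file ./vault-sa.json and the roleset names ci-token and batch-key are hypothetical; the vault CLI paths and parameters follow the GCP secrets engine documentation. Nothing is sent to Vault unless the script is run with --apply, so it can be sourced to load the functions or exercised against a stub.

```shell
#!/bin/sh
# Added example, not the original post's code: stand up the Vault GCP secrets
# engine so callers receive short-lived service account keys or OAuth2 access
# tokens instead of a long-lived JSON key stored in a Vault path.
# Hypothetical values: project "my-project", credentials file ./vault-sa.json,
# roleset names "ci-token" and "batch-key".
set -eu

VAULT_BIN="${VAULT_BIN:-vault}"              # override (e.g. with a stub) for a dry run
PROJECT="${PROJECT:-my-project}"             # hypothetical GCP project id
CREDS_FILE="${CREDS_FILE:-./vault-sa.json}"  # key of the SA that Vault itself uses

# Enable the engine with a short default lease and a hard upper bound.
gcp_enable() {
  "$VAULT_BIN" secrets enable -default-lease-ttl=1h -max-lease-ttl=24h gcp
}

# Give Vault the credentials it needs to create and delete keys on our behalf;
# ttl/max_ttl are the defaults (seconds) applied to generated secrets.
gcp_configure() {
  "$VAULT_BIN" write gcp/config credentials=@"$CREDS_FILE" ttl=3600 max_ttl=86400
}

# HCL bindings granting only roles/viewer on the project (least privilege).
bindings_hcl() {
  cat <<EOF
resource "//cloudresourcemanager.googleapis.com/projects/${PROJECT}" {
  roles = ["roles/viewer"]
}
EOF
}

# A roleset that hands out OAuth2 access tokens: nothing to clean up, they expire.
gcp_token_roleset() {
  "$VAULT_BIN" write "gcp/roleset/$1" \
    project="$PROJECT" \
    secret_type="access_token" \
    token_scopes="https://www.googleapis.com/auth/cloud-platform" \
    bindings="$(bindings_hcl)"
}

# A roleset that hands out service account keys; each key is tied to a Vault
# lease and is deleted from GCP when the lease expires or is revoked early.
gcp_key_roleset() {
  "$VAULT_BIN" write "gcp/roleset/$1" \
    project="$PROJECT" \
    secret_type="service_account_key" \
    bindings="$(bindings_hcl)"
}

# Consumers: request a token, or a key with an explicit short TTL (default 30m).
gcp_get_token() { "$VAULT_BIN" read "gcp/roleset/$1/token"; }
gcp_get_key()   { "$VAULT_BIN" read "gcp/roleset/$1/key" ttl="${2:-30m}"; }

main() {
  gcp_enable
  gcp_configure
  gcp_token_roleset ci-token
  gcp_key_roleset batch-key
  gcp_get_token ci-token
  gcp_get_key batch-key 30m
}

# Only talk to a real Vault when explicitly asked; sourcing just loads the functions.
if [ "${1:-}" = "--apply" ]; then
  main
fi
```

Run it as `sh setup-gcp-engine.sh --apply` against a Vault you are logged in to. Because every call goes through `$VAULT_BIN`, the script can be sourced in a shell where `vault` is a function that merely echoes its arguments, which makes it easy to review the exact commands before they touch a real Vault.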