
Feature Request: Support universe_domain for Sovereign Google Cloud Environments #242

Open
matgou opened this issue Feb 27, 2025 · 0 comments

Comments


matgou commented Feb 27, 2025

Recent updates to the Google Cloud SDK have introduced the universe_domain parameter (see: googleapis/google-cloud-go#11059). This parameter is essential for connecting to Google Cloud services within sovereign cloud environments, which use endpoints distinct from iamcredentials.googleapis.com.

Currently, the vault-plugin-secrets-gcp plugin lacks support for this parameter, effectively preventing its use in those environments.

Proposed Solution:

I propose adding support for the universe_domain parameter to the plugin's configuration. This could be achieved by:

  • Allowing users to specify universe_domain within the plugin's setup configuration.
  • Or enabling the plugin to read this parameter from a JSON credentials file.

Important Consideration for Non-GDU Environments:

It's crucial to note that in non-Google Distributed Cloud (GDU) environments, a standard OAuth2 server may not be present (like oauth2.googleapis.com). Consequently, the plugin should be designed to use the IAM implementation for self-signed JWT authentication.

Importance of This Feature:

Implementing universe_domain support is vital for enabling the vault-plugin-secrets-gcp plugin to function within sovereign cloud environments.

matgou added a commit to matgou/vault-plugin-secrets-gcp that referenced this issue Feb 27, 2025
This commit introduces a new `universe_domain` parameter to the plugin configuration, allowing users to specify the Google Cloud environment for client connections. This enables support for specialized offerings and sovereign controls beyond the default googleapis.com.

Key changes:

- Added `universe_domain` field to the plugin configuration.
- Modified IAM client creation to use the configured `universe_domain`.
- Updated credentials parsing to utilize `cloud.google.com/go/auth/credentials.DetectDefault` and support local-signing JWT generation.
- Adjusted token generation to use `cloud.google.com/go/auth/credentials.DetectDefault` for credential handling.
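As an added illustration (not code from the issue or from matgou's branch), the Go snippet below shows the resolution order the request describes: an explicit universe_domain setting first, then the optional universe_domain field of a service-account JSON key, then the googleapis.com default, with the IAM Credentials endpoint derived from the result and self-signed JWT authentication flagged whenever the universe is not the default one. The hostname check, the Endpoints type and the sample key are assumptions of this example, not part of the plugin.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

const DefaultUniverse = "googleapis.com" // the Google Default Universe

// Endpoints is what a plugin would derive from the resolved universe.
type Endpoints struct {
	UniverseDomain   string
	IAMCredentials   string // base URL of the IAM Credentials API
	UseSelfSignedJWT bool   // true when no oauth2 token endpoint may be assumed
}

// hostRe accepts a bare DNS name only, so a scheme, path or port cannot steer requests elsewhere.
var hostRe = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$`)

// ResolveUniverse picks the universe domain: an explicit setting wins, then the
// optional universe_domain field of the credentials JSON, then the default. Outside
// the default universe it flags self-signed JWT auth, since oauth2.googleapis.com need not exist.
func ResolveUniverse(configured string, credsJSON []byte) (Endpoints, error) {
	domain := strings.TrimSpace(configured)
	if domain == "" && len(credsJSON) > 0 {
		var key struct {
			UniverseDomain string `json:"universe_domain"`
		}
		if err := json.Unmarshal(credsJSON, &key); err != nil {
			return Endpoints{}, fmt.Errorf("parse credentials: %w", err)
		}
		domain = strings.TrimSpace(key.UniverseDomain)
	}
	if domain == "" {
		domain = DefaultUniverse
	}
	domain = strings.ToLower(domain)
	if !hostRe.MatchString(domain) {
		return Endpoints{}, fmt.Errorf("universe_domain %q is not a bare hostname", domain)
	}
	return Endpoints{domain, "https://iamcredentials." + domain + "/", domain != DefaultUniverse}, nil
}

func main() {
	// Constructed, non-functional key file used only for illustration.
	key := []byte(`{"type":"service_account","universe_domain":"example-sovereign.test"}`)
	fmt.Println(ResolveUniverse("", key))
}
```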