
Google Cloud and HashiCorp Expand Collaboration


As part of a wider engagement with the open source community, Google has announced increased collaboration with HashiCorp. The result is improved Google Cloud Platform (GCP) specific functionality for Terraform, the infrastructure-as-code cloud provisioning tool, and for Vault, the secret management tool. Google explains:

Google and HashiCorp have dedicated engineering teams focused on enhancing and expanding GCP support in HashiCorp products. We're focused on technical and shared go-to-market efforts around HashiCorp products in several critical areas of infrastructure.

Currently, the two main areas of focus are:

  1. Cloud Provisioning: Development of a Google Cloud Provider for Terraform, enabling users to declare their GCP infrastructure as code.
  2. Cloud Security and Secret Management: Enhanced integration between HashiCorp Vault and GCP.

On the Terraform side, the tool now has a Google Cloud Provider implemented specifically for GCP. It allows developers to programmatically manage IAM policies, Compute Engine resources and more.

Google has also released numerous GCP modules for Terraform, a means to compose and re-use various architectural patterns for GCP resources. These can be found in the Terraform Module Registry.

HashiCorp Vault now has two GCP specific authentication backends. Essentially, an authentication backend is used for exchanging credentials for a token which can then be used to access secrets within Vault. The backends are:

  1. GCP IAM Service Accounts: Clients with Identity and Access Management (IAM) Service Account credentials can use them to generate a JWT, which can then be exchanged for a Vault access token.
  2. Google Compute Engine Instance Identity: Google Compute Engine (GCE) instances can use their instance metadata to generate a JWT which can be exchanged for a Vault access token.

By supporting GCP directly, the aim is to simplify the authentication process for GCP services as much as possible: "With these authentication backends, it’s easier for a particular service running on Google Cloud to get access to a secret it needs at build or run time stored in Vault."
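The exchange described above (a short-lived JWT naming the service account and a specific Vault role, swapped for a Vault token) is easier to reason about with the claim checks spelled out. The following is an added example, not code from Vault, HashiCorp or Google: it builds the kind of login JWT a client would present and then models the checks the receiving side performs before issuing a token (audience bound to the role, subject bound to the role, expiry present, not expired and not further out than the documented 15-minute default). Real clients obtain an RS256 signature over the JWT from the service account key via the IAM API and Vault verifies it against Google's public keys; to run offline this example substitutes an HMAC signature with a constructed key. The service account, role name and key are placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder values, not real GCP identities or Vault configuration.
SERVICE_ACCOUNT = "builder@example-project.iam.gserviceaccount.com"
VAULT_ROLE = "build-secrets"
# Vault's documented default upper bound on a GCP IAM login JWT's lifetime (max_jwt_exp).
MAX_JWT_EXP_SECONDS = 15 * 60
# Constructed HMAC key standing in for the service account's private key (assumption: offline demo only).
SIGNING_KEY = b"constructed-demo-key-not-a-real-service-account-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_login_jwt(service_account: str, role: str, ttl_seconds: int, now: int) -> str:
    """Build the JWT a client presents to the GCP IAM auth backend.

    Claims: sub = service account, aud = "vault/<role>", exp = now + ttl.
    A real client signs this with the service account key (RS256); HS256 with
    the constructed key above is used here so the example runs offline.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": service_account, "aud": f"vault/{role}", "exp": now + ttl_seconds}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def check_login_jwt(token: str, role: str, bound_service_accounts: set, now: int) -> str:
    """Model of the claim checks performed before a Vault token is issued.

    Returns "ok" or a short reason for rejection. Each check closes off a
    misuse: a JWT minted for one role cannot be replayed against another,
    an unbound service account cannot use a role it was not granted, and a
    long-lived or already-expired JWT is refused.
    """
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        return "malformed"
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return "bad signature"
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("aud") != f"vault/{role}":
        return "audience mismatch"
    if claims.get("sub") not in bound_service_accounts:
        return "service account not bound to role"
    exp = claims.get("exp")
    if not isinstance(exp, int):
        return "missing exp"
    if exp <= now:
        return "expired"
    if exp - now > MAX_JWT_EXP_SECONDS:
        return "exp too far in the future"
    return "ok"


if __name__ == "__main__":
    now = 1_700_000_000
    token = build_login_jwt(SERVICE_ACCOUNT, VAULT_ROLE, 600, now)
    print(check_login_jwt(token, VAULT_ROLE, {SERVICE_ACCOUNT}, now))          # ok
    print(check_login_jwt(token, "other-role", {SERVICE_ACCOUNT}, now))        # audience mismatch
    print(check_login_jwt(token, VAULT_ROLE, {SERVICE_ACCOUNT}, now + 601))    # expired
```

The audience claim is the piece worth noticing when reviewing such a setup: because it names the role, a JWT obtained by one workload cannot be presented to a role with broader secret access, and the short expiry limits how long a leaked JWT remains useful before the signature check alone would stop it.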

Google has also published a solution for running Vault on GCP, with instructions on how to both deploy the application and authenticate with one of the new backends.

Both HashiCorp and Google encourage community contributions to both Vault and Terraform.