Google Cloud and HashiCorp Expand Collaboration

by Andrew Morgan on Sep 26, 2017

As part of a wider engagement with the open source community, Google has announced increased collaboration with HashiCorp. The result is improved Google Cloud Platform (GCP) specific functionality for Terraform, the infrastructure-as-code cloud provisioning tool, and Vault, the secret management tool. Google explains:

Google and HashiCorp have dedicated engineering teams focused on enhancing and expanding GCP support in HashiCorp products. We're focused on technical and shared go-to-market efforts around HashiCorp products in several critical areas of infrastructure.

Currently, the two main areas of focus are:

  1. Cloud Provisioning: Development of a Google Cloud Provider for Terraform, enabling users to declare their GCP infrastructure as code.
  2. Cloud Security and Secret Management: Enhanced integration between HashiCorp Vault and GCP.

Terraform currently has a Google Cloud Provider which has been implemented specifically for GCP. It allows developers to programmatically manage IAM policies, Compute Engine resources and more.

Google has also released numerous GCP modules for Terraform, a means to compose and re-use various architectural patterns for GCP resources. These can be found in the Terraform Module Registry.

HashiCorp Vault now has two GCP-specific authentication backends. An authentication backend exchanges credentials for a token, which can then be used to access secrets within Vault. The backends are:

  1. GCP IAM Service Accounts: Clients with Identity and Access Management (IAM) Service Account Credentials can use this information to generate a JWT which can then be exchanged for a Vault access token.
  2. Google Compute Engine Instance Identity: Google Compute Engine (GCE) instances can use their instance metadata to generate a JWT which can be exchanged for a Vault access token.
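The exchange used by the second backend, as an added example (not code from the article, Google or HashiCorp): it builds the metadata-server request for an instance identity JWT, checks the token's claims locally, and builds the Vault login request that trades it for a token. The role name `my-gce-role`, the audience string `vault/my-gce-role`, the `gcp` mount path and the Vault address are assumptions, and the sample JWT is constructed and unsigned.

```python
import base64, json, time, urllib.parse, urllib.request

METADATA = ("http://metadata.google.internal/computeMetadata/v1/"
            "instance/service-accounts/default/identity")

def identity_request(audience):
    """Step 1: ask the GCE metadata server for a signed JWT bound to this audience."""
    query = urllib.parse.urlencode({"audience": audience, "format": "full"})
    return urllib.request.Request(f"{METADATA}?{query}",
                                  headers={"Metadata-Flavor": "Google"})

def jwt_claims(jwt):
    """Decode the claims segment only; the signature is verified by Vault, not here."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))

def preflight(jwt, audience, now=None):
    """Return reasons the login would be rejected, so failures surface before the call."""
    claims, problems = jwt_claims(jwt), []
    if claims.get("aud") != audience:
        problems.append("audience mismatch")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        problems.append("expired")
    if "compute_engine" not in claims.get("google", {}):
        problems.append("no instance claims")
    return problems

def login_request(vault_addr, role, jwt, mount="gcp"):
    """Step 2: exchange the JWT for a Vault token (returned as auth.client_token)."""
    body = json.dumps({"role": role, "jwt": jwt}).encode()
    return urllib.request.Request(f"{vault_addr}/v1/auth/{mount}/login", data=body,
                                  headers={"Content-Type": "application/json"},
                                  method="POST")

def make_sample_jwt(claims):
    """Constructed, unsigned token so the example runs offline; never valid for login."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"

if __name__ == "__main__":
    aud = "vault/my-gce-role"  # assumed audience string for a hypothetical role
    token = make_sample_jwt({"aud": aud, "exp": 2_000_000_000, "google": {
        "compute_engine": {"project_id": "example-project", "instance_name": "web-1"}}})
    print(identity_request(aud).full_url)
    print(preflight(token, aud) or "token looks usable")
    req = login_request("https://vault.example.internal:8200", "my-gce-role", token)
    print(req.get_method(), req.full_url)
```

On a real instance, pass each request object to `urllib.request.urlopen`; the first returns the JWT as the response body and the second returns JSON containing the Vault token.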

By supporting GCP directly, the aim is to simplify the authentication process for GCP services as much as possible: "With these authentication backends, it’s easier for a particular service running on Google Cloud to get access to a secret it needs at build or run time stored in Vault."

Google has also published a solution for running Vault on GCP, with instructions on how to both deploy the application and authenticate with one of the new backends.

HashiCorp and Google both encourage community contributions to Vault and Terraform.
