
Conversation

@shinji62

@shinji62 shinji62 commented May 22, 2025

Overview

This PR implements workload identity support; it is highly inspired by @vinay-gopalan's work on the GCP secret engine.

This PR should not affect current users; I have tested all the existing authentication methods:

  • Google environment variable
  • Application default credentials
  • Credentials with a JSON service account key

How I tested:

  1. Set up a Vault dev server with an enterprise license
  2. Load the built plugin
vault secrets enable -path=gcpkms -plugin-name=vault-plugin-secrets-gcpkms plugin
  3. Tested with different credentials
    First, the gcpkms config:
vault read -format=json gcpkms/config
{
  "request_id": "5b804f26-148e-6344-14f2-b5adde9bdbc6",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": {
    "disable_automated_rotation": false,
    "identity_token_audience": "",
    "identity_token_ttl": 0,
    "rotation_period": 0,
    "rotation_schedule": "",
    "rotation_window": 0,
    "scopes": [
      "https://www.googleapis.com/auth/cloudkms"
    ],
    "service_account_email": ""
  },
  "warnings": null,
  "mount_type": "vault-plugin-secrets-gcpkms"
}

Set up using Workload Identity (of course the Google side has been set up as well):

vault  write gcpkms/config \
 identity_token_audience="https://iam.googleapis.com/projects/000000000/locations/global/workloadIdentityPools/vault-plugin-wif-pool-3e91/providers/vault-plugin-wif-provider" \
    service_account_email="[email protected]"

Write a key and verify in the GCP logs that WIF was used:

vault write gcpkms/keys/my-key  key_ring=projects/my-project/locations/asia-northeast1/keyRings/gwenn-test-wip crypto_key=my-crypto-key-new-wip

GCP logs

"authenticationInfo": {
      "principalEmail": "[email protected]",
      "serviceAccountDelegationInfo": [
        {
          "principalSubject": "principal://iam.googleapis.com/projects/0000000000/locations/global/workloadIdentityPools/vault-plugin-wif-pool-3e91/subject/plugin-identity:root:secret:vault-plugin-secrets-gcpkms_d20692f3"
        }
      ],
      "principalSubject": "serviceAccount:[email protected]"
    },
...
    "serviceName": "cloudkms.googleapis.com",
    "methodName": "CreateCryptoKey",
    "authorizationInfo": [
      {
        "resource": "projects/my-project/locations/asia-northeast1/keyRings/gwenn-test-wip",
        "permission": "cloudkms.cryptoKeys.create",
        "granted": true,
        "resourceAttributes": {
          "service": "google.cloud.kms",
          "name": "projects/my-project/locations/asia-northeast1/keyRings/gwenn-test-wip/cryptoKeys/my-crypto-key-new-wip",
          "type": "cloudkms.googleapis.com/CryptoKey"
        },
        "permissionType": "ADMIN_WRITE"
      }

Change to different credentials and a different auth method to GCP, with a different SA "[email protected]":

vault  write gcpkms/config [email protected] identity_token_audience="" service_account_email=""

vault write gcpkms/keys/my-key  key_ring=projects/my-project/locations/asia-northeast1/keyRings/gwenn-test-wip crypto_key=my-crypto-key-new-creds

GCP logs

"authenticationInfo": {
      "principalEmail": "[email protected]",
      "serviceAccountKeyName": "//iam.googleapis.com/projects/my-project/serviceAccounts/[email protected]/keys/43a69719350ca6316203b77524e7d9af7c24afa3",
      "principalSubject": "serviceAccount:[email protected]"
    },
...
    "serviceName": "cloudkms.googleapis.com",
    "methodName": "CreateCryptoKey",
    "authorizationInfo": [
      {
        "resource": "projects/my-project/locations/asia-northeast1/keyRings/gwenn-test-wip",
        "permission": "cloudkms.cryptoKeys.create",
        "granted": true,
        "resourceAttributes": {
          "service": "google.cloud.kms",
          "name": "projects/my-project/locations/asia-northeast1/keyRings/gwenn-test-wip/cryptoKeys/my-crypto-key-new-creds",
          "type": "cloudkms.googleapis.com/CryptoKey"
        },
        "permissionType": "ADMIN_WRITE"
      }

Contributor Checklist

[ ] Add relevant docs to upstream Vault repository, or sufficient reasoning why docs won't be added yet
My Docs PR Link
Example
[ ] Add output for any tests not ran in CI to the PR description (eg, acceptance tests)
[X] Backwards compatible
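An added example (not part of this PR or of the plugin) that automates the check the description does by eye on the two GCP log excerpts: it classifies a Cloud Audit Log entry as workload identity federation versus service-account-key authentication from its authenticationInfo fields, and lists any KMS calls still made with a long-lived key. The sample entries, email addresses, project number and key id are constructed placeholders.

```python
import re

# Matches the principalSubject GCP records when a service account was reached
# through Workload Identity Federation (pool + subject), the shape of the
# serviceAccountDelegationInfo entry in the PR's first audit-log excerpt.
WIF_SUBJECT_RE = re.compile(
    r"^principal://iam\.googleapis\.com/projects/(?P<project>\d+)/locations/global/"
    r"workloadIdentityPools/(?P<pool>[^/]+)/subject/(?P<subject>.+)$"
)

# Constructed sample entries; field layout mirrors the PR excerpts, values are placeholders.
SAMPLE_LOG = [
    {"protoPayload": {"serviceName": "cloudkms.googleapis.com", "methodName": "CreateCryptoKey",
        "authenticationInfo": {"principalEmail": "sa-wif@my-project.iam.gserviceaccount.com",
            "serviceAccountDelegationInfo": [{"principalSubject":
                "principal://iam.googleapis.com/projects/000000000000/locations/global/"
                "workloadIdentityPools/vault-plugin-wif-pool/subject/plugin-identity:root:secret:gcpkms_abcd"}]}}},
    {"protoPayload": {"serviceName": "cloudkms.googleapis.com", "methodName": "CreateCryptoKey",
        "authenticationInfo": {"principalEmail": "sa-key@my-project.iam.gserviceaccount.com",
            "serviceAccountKeyName": "//iam.googleapis.com/projects/my-project/serviceAccounts/"
                "sa-key@my-project.iam.gserviceaccount.com/keys/KEYID_PLACEHOLDER"}}},
]

def classify_auth(entry: dict) -> dict:
    """Classify how the caller in one Cloud Audit Log entry authenticated.
    'method' is 'workload_identity', 'service_account_key' or 'other'."""
    info = entry.get("protoPayload", entry).get("authenticationInfo", {})
    result = {"method": "other", "principal": info.get("principalEmail", ""),
              "pool": None, "subject": None, "key_name": None}
    for delegation in info.get("serviceAccountDelegationInfo", []):
        m = WIF_SUBJECT_RE.match(delegation.get("principalSubject", ""))
        if m:  # federated token exchanged via a WIF pool: no long-lived key involved
            result.update(method="workload_identity", pool=m["pool"], subject=m["subject"])
            return result
    if info.get("serviceAccountKeyName"):  # a downloaded JSON key signed the request
        result.update(method="service_account_key", key_name=info["serviceAccountKeyName"])
    return result

def key_based_calls(entries, service_name="cloudkms.googleapis.com"):
    """List (methodName, principal, key_name) for calls to service_name that still
    used a long-lived key; an empty list confirms the WIF cut-over is complete."""
    out = []
    for e in entries:
        payload = e.get("protoPayload", e)
        if payload.get("serviceName") != service_name:
            continue
        c = classify_auth(e)
        if c["method"] == "service_account_key":
            out.append((payload.get("methodName"), c["principal"], c["key_name"]))
    return out
```

Feed it the output of a Cloud Logging export filtered on `protoPayload.serviceName="cloudkms.googleapis.com"` to confirm that only the expected principals still authenticate with keys after switching the mount to identity_token_audience.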

@shinji62 shinji62 marked this pull request as ready for review May 22, 2025 01:59
@shinji62 shinji62 requested a review from a team as a code owner May 22, 2025 01:59
@digivava digivava requested a review from vinay-gopalan May 29, 2025 18:56
@digivava

digivava commented May 29, 2025

Working on plugin releases for Vault 1.20 and I just noticed this PR. Assigning @vinay-gopalan as a Reviewer for now as it seems like he may have the most context on the change based on the PR description, but since it's a sizable change I don't think it will make it in this current round of plugin releases.

Vinay please feel free to bring this to the Sustaining rotation's attention if you think you won't have any cycles for reviewing this anytime soon. (This is a PR from a HashiCorp contributor and I believe it's tied to a customer ask.)

@shinji62 shinji62 force-pushed the feature/add_workload_identity branch from 5683231 to 393c7a7 Compare June 19, 2025 01:03
@shinji62

@vinay-gopalan I have rebased the code.
