fix: use SignJwt instead of GenerateAccessToken for Vault GCP Workload Identity auth

[Skarlso]

Problem Statement

What is the problem you're trying to solve?

Related Issue

Fixes #...

Proposed Changes

How do you like to solve the issue and why?

Format

Please ensure that your PR follows the following format for the title:

feat(scope): add new feature
fix(scope): fix bug
docs(scope): update documentation
chore(scope): update build tool or dependencies
ref(scope): refactor code
clean(scope): provider cleanup
test(scope): add tests
perf(scope): improve performance
desig(scope): improve design

Where scope is optionally one of:

• charts
• release
• testing
• security
• templating

Checklist

• I have read the contribution guidelines
• All commits are signed with git commit --signoff
• My changes have reasonable test coverage
• All tests pass with make test
• I ensured my PR is ready for review with make reviewable

Summary

This PR refactors Vault's GCP authentication to use SignJwt instead of GenerateAccessToken for Workload Identity authentication, improving the authentication flow for GCP-based secrets retrieval.

Key Changes

Vault GCP Auth (providers/v1/vault/auth_gcp.go)

• Modified requestTokenWithGcpAuth to prioritize signed JWT if available
• Enhanced setupServiceAccountKeyAuth to extract and store the service account email
• Enhanced setupWorkloadIdentityAuth to:
  • Read ServiceAccount from Kubernetes and extract the GCP service account annotation
  • Generate a signed JWT for Vault login using the new gcpauth.GenerateSignedJWTForVault
  • Store the JWT for use in authentication
• Added new loginWithSignedJWT method to authenticate with Vault using signed JWT tokens
• Added two new fields to client struct: gcpSignedJWT and gcpServiceAccountEmail

New Shared GCP Auth Module (runtime/gcp/auth/)

• Introduced new NewTokenSource function for OAuth2 token source creation supporting service accounts, workload identity, and federation
• Introduced GenerateSignedJWTForVault for Vault-specific JWT generation
• Enhanced workloadIdentity with:
  • SignedJWTForVault method for generating signed JWTs
  • SignJwt method added to IamClient interface
  • Functional options pattern for flexible configuration
  • Token refresh mechanisms
• Refactored workloadIdentityFederation to use new options pattern

GCP Secret Manager Refactoring (providers/v1/gcp/secretmanager/)

• Delegated token source logic to shared gcpauth implementation
• Removed internal workload identity implementations
• Removed associated test files (905 and 499 lines)

Documentation & Configuration

• Updated Vault GCP authentication documentation
• Added new GCP IAM authentication YAML snippet with Workload Identity example
• Updated namespace handling documentation for ClusterSecretStore

Dependency Updates

• Updated module dependencies across all three go.mod files to newer versions of Google Cloud libraries, gRPC, OpenTelemetry, and OAuth2
• Removed GCP Secret Manager provider as a direct dependency from Vault module

[coderabbitai]

Walkthrough

This pull request consolidates GCP authentication logic from the GCP Secret Manager provider into a new shared runtime package, enabling reuse across providers. The Vault provider is enhanced with GCP IAM authentication using signed JWTs. Documentation is updated to reflect GCP authentication support.

Changes

Cohort / File(s)	Summary
Documentation and Examples docs/provider/hashicorp-vault.md, docs/snippets/vault-gcp-store.yaml	Added GCP authentication method documentation with YAML example demonstrating GKE Workload Identity and service account key-based authentication for Vault Secret Store configuration.
GCP Provider Auth Refactoring providers/v1/gcp/secretmanager/auth.go, providers/v1/gcp/secretmanager/client.go	Delegated token source creation to shared gcpauth implementation; removed internal workload identity and federation logic. Removed workloadIdentity field from client struct.
GCP Provider Tests Cleanup providers/v1/gcp/secretmanager/workload_identity_test.go, providers/v1/gcp/secretmanager/workload_identity_federation_test.go	Deleted comprehensive test suites for workload identity and federation (1,404 lines total); test coverage now provided in shared runtime package.
GCP Provider Dependencies providers/v1/gcp/go.mod	Updated and reorganized dependencies including Google Cloud libraries, OAuth2, OpenTelemetry, and Go standard library packages to newer versions.
Vault Provider GCP Integration providers/v1/vault/auth_gcp.go, providers/v1/vault/client.go	Enhanced Vault client with GCP IAM authentication support including signed JWT handling, service account email tracking, and new setup methods for service account key and workload identity authentication.
Vault Provider Dependencies providers/v1/vault/go.mod	Removed direct dependency on GCP provider; updated OAuth2, Google Cloud auth, OpenTelemetry, and system libraries to newer versions.
New Shared GCP Auth Runtime Package runtime/gcp/auth/auth.go, runtime/gcp/auth/auth_test.go, runtime/gcp/auth/testing_helpers_test.go	Introduced new public API for token source creation and Vault JWT generation with comprehensive test coverage and test helpers supporting service account, workload identity, and workload identity federation authentication flows.
GCP Workload Identity Runtime Refactoring runtime/gcp/auth/workload_identity.go, runtime/gcp/auth/workload_identity_test.go	Migrated from secretmanager package to auth; added token refresh mechanisms, IAM client lifecycle management, signed JWT generation for Vault, and functional option pattern for dependency injection. Includes extensive test suite.
GCP Workload Identity Federation Runtime Refactoring runtime/gcp/auth/workload_identity_federation.go, runtime/gcp/auth/workload_identity_federation_test.go	Migrated from secretmanager package to auth; added functional options pattern for configuration; corrected error message typos; includes new comprehensive test suite.
Runtime Constants and Dependencies runtime/constants/constants.go, runtime/go.mod	Added CallGCPSMSignJwt constant; added direct GCP Cloud and OAuth2 dependencies alongside expanded OpenTelemetry instrumentation and updated system library versions.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@providers/v1/gcp/secretmanager/client.go`:
- Line 65: Remove the duplicate constant by deleting the local errNoProjectID
declaration from providers/v1/gcp/secretmanager/client.go and instead reference
the existing errNoProjectID from the shared auth package where it is defined;
add the auth package import and update any local references to use that imported
symbol so there is a single canonical definition.

🧹 Nitpick comments (4)

runtime/constants/constants.go (1)

36-36: Consider relocating constant to the GCP section for better organization.

The CallGCPSMSignJwt constant is placed among AWS-related constants (lines 22-35) rather than with the other GCP SM constants (lines 59-69). Moving it to the GCP section would improve code organization and maintainability.

♻️ Suggested placement

 	CallGCPSMGenerateSAToken     = "GenerateServiceAccountToken"
 	CallGCPSMGenerateIDBindToken = "GenerateIDBindToken"
 	CallGCPSMGenerateAccessToken = "GenerateAccessToken"
+	CallGCPSMSignJwt             = "SignJwt"

And remove from line 36.

docs/snippets/vault-gcp-store.yaml (1)

29-33: Consider adding namespace hint to the commented secretRef option.

For consistency with line 28 where namespace is noted as required for ClusterSecretStore, the commented secretRef alternative should also include a namespace field hint to guide users.

📝 Suggested improvement

           # Option 2: Authenticate using a service account key stored in a Secret
           # secretRef:
           #   secretAccessKeySecretRef:
           #     name: "gcpsm-secret"
           #     key: "secret-access-credentials"
+          #     # Namespace is required for ClusterSecretStore
+          #     namespace: "default"

runtime/gcp/auth/auth_test.go (1)

156-161: Unreachable else branch in test.

This else branch is dead code since all test cases have expectError: true. Consider removing it to avoid confusion, as the comment on Lines 131-132 already explains that successful JWT generation is tested via integration tests.

♻️ Suggested simplification

 		if tt.expectError {
 			assert.Error(t, err)
 			assert.Empty(t, jwt)
 			if tt.errorMsg != "" {
 				assert.Contains(t, err.Error(), tt.errorMsg)
 			}
-		} else {
-			// We can't actually test JWT generation without real GCP credentials,
-			// but we can verify it doesn't error with the mock setup
-			assert.NoError(t, err)
-			assert.NotEmpty(t, jwt)
 		}

providers/v1/gcp/go.mod (1)

16-16: Consider aligning google.golang.org/genproto package versions.

There's a version mismatch between genproto sub-packages:

• google.golang.org/genproto (line 16) and genproto/googleapis/api (line 99) both use timestamp 20251202230838
• genproto/googleapis/rpc (line 100) uses a newer timestamp 20251222181119

While this may be intentional due to separate release cycles, verify that the version difference doesn't introduce compatibility issues.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between aaa9068 and 146ea7e.

⛔ Files ignored due to path filters (3)

• providers/v1/gcp/go.sum is excluded by !**/*.sum
• providers/v1/vault/go.sum is excluded by !**/*.sum
• runtime/go.sum is excluded by !**/*.sum

📒 Files selected for processing (19)

• docs/provider/hashicorp-vault.md
• docs/snippets/vault-gcp-store.yaml
• providers/v1/gcp/go.mod
• providers/v1/gcp/secretmanager/auth.go
• providers/v1/gcp/secretmanager/client.go
• providers/v1/gcp/secretmanager/workload_identity_federation_test.go
• providers/v1/gcp/secretmanager/workload_identity_test.go
• providers/v1/vault/auth_gcp.go
• providers/v1/vault/client.go
• providers/v1/vault/go.mod
• runtime/constants/constants.go
• runtime/gcp/auth/auth.go
• runtime/gcp/auth/auth_test.go
• runtime/gcp/auth/testing_helpers_test.go
• runtime/gcp/auth/workload_identity.go
• runtime/gcp/auth/workload_identity_federation.go
• runtime/gcp/auth/workload_identity_federation_test.go
• runtime/gcp/auth/workload_identity_test.go
• runtime/go.mod

💤 Files with no reviewable changes (2)

• providers/v1/gcp/secretmanager/workload_identity_federation_test.go
• providers/v1/gcp/secretmanager/workload_identity_test.go

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2026-01-09T19:14:48.246Z

Learnt from: rbstp
Repo: external-secrets/external-secrets PR: 5712
File: config/crds/bases/external-secrets.io_secretstores.yaml:1958-2044
Timestamp: 2026-01-09T19:14:48.246Z
Learning: In external-secrets CRDs, new providers are added to the GA v1 schema only; v1beta1 is maintained for backward compatibility and does not receive new features (e.g., DVLS should be v1-only).

Applied to files:

• docs/snippets/vault-gcp-store.yaml
• runtime/gcp/auth/auth.go
• providers/v1/gcp/go.mod
• runtime/go.mod
• providers/v1/vault/go.mod

🧬 Code graph analysis (8)

providers/v1/vault/client.go (1)

providers/v1/vault/util/vault.go (4)

• Client (51-61)
• Auth (31-33)
• Logical (42-47)
• Token (36-39)

runtime/gcp/auth/workload_identity_federation_test.go (2)

apis/externalsecrets/v1/secretstore_gcpsm_types.go (4)

• GCPWorkloadIdentityFederation (92-120)
• ConfigMapReference (123-144)
• AwsCredentialsConfig (147-163)
• SecretReference (166-180)

apis/meta/v1/types.go (1)

• ServiceAccountSelector (46-66)

runtime/gcp/auth/auth_test.go (1)

runtime/gcp/auth/auth.go (2)

• NewTokenSource (49-85)
• GenerateSignedJWTForVault (90-111)

runtime/gcp/auth/workload_identity_test.go (2)

apis/meta/v1/types.go (1)

• ServiceAccountSelector (46-66)

runtime/gcp/auth/workload_identity.go (1)

• IamClient (103-107)

runtime/gcp/auth/auth.go (2)

providers/v1/gcp/secretmanager/auth.go (1)

• NewTokenSource (36-38)

providers/v1/gcp/secretmanager/client.go (2)

• Client (88-96)
• CloudPlatformRole (54-54)

providers/v1/gcp/secretmanager/auth.go (1)

runtime/gcp/auth/auth.go (1)

• NewTokenSource (49-85)

providers/v1/vault/auth_gcp.go (4)

providers/v1/gcp/secretmanager/auth.go (1)

• NewTokenSource (36-38)

runtime/gcp/auth/auth.go (2)

• NewTokenSource (49-85)
• GenerateSignedJWTForVault (90-111)

apis/externalsecrets/v1/secretstore_vault_types.go (1)

• VaultGCPAuth (403-432)

runtime/constants/constants.go (2)

• ProviderHCVault (71-71)
• CallHCVaultLogin (72-72)

runtime/gcp/auth/workload_identity_federation.go (2)

providers/v1/gcp/secretmanager/client.go (1)

• Client (88-96)

apis/externalsecrets/v1/secretstore_gcpsm_types.go (1)

• GCPWorkloadIdentityFederation (92-120)

🪛 Gitleaks (8.30.0)

runtime/gcp/auth/auth_test.go

[high] 177-177: Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.

(private-key)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Analyze project (actions, none)
• GitHub Check: Analyze project (go, autobuild)

🔇 Additional comments (29)

providers/v1/vault/go.mod (2)

35-168: Test gRPC v1.78.0 compatibility before production—Vault submodules use older versions.

This change updates several indirect dependencies, including google.golang.org/grpc to v1.78.0. While no security vulnerabilities were found in this or related package updates (protobuf v1.36.11, cloud.google.com/go/auth v0.18.0), there is a compatibility consideration: Vault's submodules currently pin much older gRPC versions (e.g., v1.63.2 in hcp_link/proto, v1.41.0 in other modules), and there is no official HashiCorp statement confirming support for v1.78.0.

Since this is an indirect dependency cascading from upstream changes, verify that the build works with Vault and perform integration testing before deploying to production. If you control the Vault build, check the gRPC v1.78.0 release notes for breaking changes relative to the versions Vault currently expects.

---

5-33: GCP authentication refactoring verified successfully.

The migration of GCP authentication logic from the dedicated GCP provider to the shared runtime package is complete:

• runtime/gcp/auth/ provides the necessary authentication implementations (SignJwt, WorkloadIdentity, WorkloadIdentityFederation)
• providers/v1/vault/auth_gcp.go correctly imports and uses github.com/external-secrets/external-secrets/runtime/gcp/auth
• No remaining references to the old providers/v1/gcp dependency
• The golang.org/x/oauth2 upgrade from v0.32.0 to v0.34.0 contains only backward-compatible changes (no breaking changes)

providers/v1/gcp/secretmanager/client.go (2)

88-96: LGTM!

The Client struct simplification aligns with the broader refactor to consolidate workload identity handling into the shared runtime/gcp/auth package. The remaining fields are appropriate for the client's responsibilities.

---

646-656: LGTM!

The Close method correctly handles the simplified client structure, closing only the smClient now that workload identity management has been moved elsewhere.

docs/snippets/vault-gcp-store.yaml (1)

1-28: LGTM!

This is a well-structured documentation example that clearly demonstrates GCP IAM authentication for Vault. The workload identity configuration is recommended as the primary option, the YAML includes helpful comments, and the namespace requirement for ClusterSecretStore is correctly documented.

docs/provider/hashicorp-vault.md (2)

271-281: LGTM!

The authentication methods list is updated correctly to include GCP authentication with proper link formatting and consistent presentation.

---

380-388: LGTM!

The new GCP authentication section is well-written and follows the established documentation pattern. It clearly describes both authentication methods (Workload Identity and service account keys) and includes the appropriate namespace note for ClusterSecretStore.

runtime/go.mod (3)

21-22: LGTM!

The golang.org/x/oauth2 and google.golang.org/api dependencies are essential for GCP authentication flows and API interactions.

---

86-91: OpenTelemetry dependencies are transitive.

These OpenTelemetry instrumentation packages are pulled in as indirect dependencies by the GCP client libraries. This is expected and provides observability capabilities for gRPC and HTTP calls to GCP services.

---

6-8: GCP dependencies are at current versions.

All three GCP dependencies (cloud.google.com/go/secretmanager v1.16.0, cloud.google.com/go/iam v1.5.3, and cloud.google.com/go/compute/metadata v0.9.0) are pinned to their latest available versions and are appropriate for the GCP authentication functionality.

providers/v1/vault/client.go (1)

52-53: LGTM! New fields support GCP Workload Identity authentication for Vault.

The addition of gcpSignedJWT and gcpServiceAccountEmail fields appropriately extends the client struct to store GCP authentication state. The inline comments clearly document each field's purpose.

runtime/gcp/auth/auth_test.go (2)

166-181: Static analysis false positive: Test fixture uses intentionally invalid/truncated private key.

The Gitleaks warning for Line 177 is a false positive. The private key in validSecret is intentionally truncated and invalid—it's only used to test JSON unmarshaling, not actual cryptographic operations. This is a common pattern for test fixtures.

---

40-118: Good test coverage for NewTokenSource with appropriate mocking.

The test structure is well-organized with proper cleanup of mock state via t.Cleanup. The table-driven approach with explicit expectToken and expectError flags makes test intentions clear.

runtime/gcp/auth/testing_helpers_test.go (1)

51-57: Well-documented TestMain for package-wide test setup.

The TestMain approach correctly replaces the SA token generator factory for all tests. The comments (Lines 41-50) thoroughly explain why restoration isn't needed and how individual tests can override the mock if needed.

runtime/gcp/auth/workload_identity_federation.go (2)

129-161: Good use of functional options pattern for testability.

The wifOption type and withWifSATokenGenerator helper enable clean dependency injection for tests without cluttering the production API. The lazy initialization pattern (Lines 152-159) correctly falls back to the real SA token generator when no mock is injected.

---

210-210: Typo fixes in error messages.

Good catch fixing "acccount" → "account" in error messages.

Also applies to: 223-223

providers/v1/gcp/secretmanager/auth.go (1)

34-38: Clean refactoring to shared GCP auth implementation.

This simplification follows DRY principles by delegating to the centralized runtime/gcp/auth package. The public API remains unchanged, ensuring backward compatibility for callers.

runtime/gcp/auth/workload_identity_test.go (1)

1-426: LGTM! Comprehensive test coverage for workload identity flows.

The test file provides good coverage for:

• Token source creation with and without GCP service account annotations
• Signed JWT generation for Vault authentication
• Error handling for missing service accounts and annotations
• Mock implementations are well-structured and follow standard patterns

The test assertions appropriately verify both the request payloads (e.g., service account email, vault role in JWT) and the expected responses.

runtime/gcp/auth/workload_identity_federation_test.go (1)

1-411: LGTM! Good validation test coverage for workload identity federation.

The tests comprehensively cover:

• Configuration validation (exactly one auth method required, audience requirements)
• ConfigMap handling (missing configmap, missing key, empty value, invalid JSON, wrong credential type)
• AWS credential handling (missing secret, missing required keys)
• Namespace resolution for ClusterSecretStore

The comment on line 311 clarifying the intentional test behavior is helpful.

providers/v1/vault/auth_gcp.go (2)

71-74: LGTM! Clean separation of JWT-based login flow.

The early return when gcpSignedJWT is present correctly bypasses the standard GCP auth library flow and uses the direct JWT login, which is the intended behavior for Workload Identity authentication with Vault.

---

264-291: LGTM! Proper Vault JWT login implementation.

The loginWithSignedJWT method correctly:

• Constructs the login payload with role and JWT
• Uses the appropriate Vault API endpoint format
• Records metrics for observability
• Validates the response thoroughly before setting the token

runtime/gcp/auth/auth.go (1)

1-132: LGTM! Well-structured shared GCP authentication package.

The implementation provides a clean API with:

• Clear fallback chain: service account → workload identity → workload identity federation → default credentials
• Proper resource cleanup via defers
• Testability via defaultTokenSourceFunc override
• Consistent early-return pattern throughout

The GenerateSignedJWTForVault function properly validates input and delegates to the workload identity implementation.

runtime/gcp/auth/workload_identity.go (3)

142-188: LGTM! Thread-safe refreshable token source implementation.

The refreshableTokenSource correctly:

• Uses mutex for thread-safe access
• Refreshes tokens 1 minute before expiry to avoid race conditions
• Uses an independent context with timeout for refresh operations
• Handles edge cases like nil tokens and zero expiry times

---

362-438: LGTM! Correct JWT signing for Vault GCP IAM authentication.

The SignedJWTForVault implementation:

• Properly validates the GCP service account annotation requirement
• Uses the correct JWT payload structure with sub, aud, exp, iat claims
• Formats the audience as vault/{role} per Vault documentation
• Records metrics for the SignJwt API call
• Properly manages IAM client lifecycle with defer

---

267-285: Good refactor to use refreshable token source.

Wrapping the token generation in a refreshableTokenSource ensures that long-running operations won't fail due to token expiration. The initial token generation validates the configuration early, which is a good practice.

providers/v1/gcp/go.mod (4)

26-29: Indirect dependency classification is correct.

The packages marked as indirect (cloud.google.com/go/auth, cloud.google.com/go/compute/metadata, cloud.google.com/go/iam, k8s.io/apimachinery, k8s.io/client-go) are not directly imported by code in providers/v1/gcp/. Instead, they are used transitively through the runtime package, particularly runtime/gcp/auth imported in secretmanager/auth.go. The refactoring to consolidate GCP authentication logic into the shared runtime package is correctly reflected in these go.mod changes.

---

3-3: No action needed. Go 1.25.5 is the current stable release as of January 2026 (released December 2, 2025) and is appropriate for this module.

Likely an incorrect or invalid review comment.

---

91-92: No security concerns identified. Both golang.org/x/crypto v0.46.0 and golang.org/x/net v0.48.0 are current stable versions with no unfixed vulnerabilities. All recent CVEs affecting these packages have been resolved in earlier releases, and both versions are newer than the fixes.

---

10-10: Direct dependency versions are secure and current.

The updated dependencies—googleapis/gax-go/v2 v2.16.0, golang.org/x/oauth2 v0.34.0, google.golang.org/api v0.260.0, google.golang.org/grpc v1.78.0, and google.golang.org/protobuf v1.36.11—are all recent, stable releases with no known security vulnerabilities.

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

rg -n 'errNoProjectID' --type go

Repository: external-secrets/external-secrets

Length of output: 383

---

🏁 Script executed:

sed -n '1,20p' providers/v1/gcp/secretmanager/provider.go

Repository: external-secrets/external-secrets

Length of output: 689

---

🏁 Script executed:

sed -n '150,165p' providers/v1/gcp/secretmanager/provider.go

Repository: external-secrets/external-secrets

Length of output: 636

---

🏁 Script executed:

# Check the package declaration and if both files are in the same package
head -25 providers/v1/gcp/secretmanager/provider.go | grep "^package"
head -25 providers/v1/gcp/secretmanager/client.go | grep "^package"

Repository: external-secrets/external-secrets

Length of output: 120

---

Remove duplicate errNoProjectID constant definition.

The error constant errNoProjectID is already defined in runtime/gcp/auth/workload_identity.go:61 with the same value. Having duplicate constants across packages creates maintenance burden and inconsistency. Consolidate to a single definition in the shared auth package and import it where needed.

🤖 Prompt for AI Agents

In `@providers/v1/gcp/secretmanager/client.go` at line 65, Remove the duplicate
constant by deleting the local errNoProjectID declaration from
providers/v1/gcp/secretmanager/client.go and instead reference the existing
errNoProjectID from the shared auth package where it is defined; add the auth
package import and update any local references to use that imported symbol so
there is a single canonical definition.