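---
# Coyote vault mixin: installs the Google Cloud CLI so the vault can pull
# secrets from GCP Secret Manager from inside the sandbox.
schemaVersion: "1"
kind: mixin
name: vault-gcp-secret-manager
description: >
  Installs the Google Cloud CLI (`gcloud`) so the Coyote vault can read
  secrets from GCP Secret Manager inside the sandbox. The GCP Rust SDK does
  not strictly require the CLI, but most users authenticate via
  `gcloud auth application-default login`, which needs the CLI to be
  installed. After install, run that command in the sandbox; the ADC file
  persists for the lifetime of the sandbox.

# Egress allow-list for the sandbox. Only port 443 is opened on each host.
network:
  allowedDomains:
    # apt repository the install script below pulls the CLI and its key from.
    - "packages.cloud.google.com:443"
    # OAuth endpoints used by `gcloud auth application-default login` and
    # by later ADC token refreshes.
    - "accounts.google.com:443"
    - "oauth2.googleapis.com:443"
    # The API the vault actually reads secrets from.
    - "secretmanager.googleapis.com:443"
    # Project/resource lookups by gcloud.
    - "cloudresourcemanager.googleapis.com:443"
    # NOTE(review): this wildcard already covers the three *.googleapis.com
    # entries above and additionally lets the sandbox reach every other Google
    # API host. Because the sandbox holds ADC credentials, that is a much wider
    # egress surface than Secret Manager needs. It is kept because gcloud may
    # contact other googleapis.com endpoints during auth (TODO confirm which),
    # but if the vault's workflow only needs the explicit hosts, drop it.
    - "*.googleapis.com:443"

commands:
  install:
    # Runs as uid 1000 and relies on passwordless sudo being available to that
    # user inside the sandbox (assumption — every privileged step uses sudo).
    - command: |
        set -euo pipefail
        sudo apt-get update
        # curl is used below and is not guaranteed to be present in the base
        # image, so install it alongside the apt prerequisites.
        sudo apt-get install -y apt-transport-https ca-certificates curl gnupg
        # Fetch the repository signing key over TLS and store it in a dedicated
        # keyring so it is only trusted for this one apt source (signed-by).
        # -f makes curl fail on HTTP errors instead of piping an error page
        # into gpg; --batch --yes lets gpg overwrite an existing keyring so the
        # step is safe to re-run. The key is trusted on first use over HTTPS;
        # pin its fingerprint here if the sandbox threat model requires it.
        curl -fsSL https://packages.cloud.google.com/apt/doc/apt-key.gpg \
          | sudo gpg --dearmor --batch --yes -o /usr/share/keyrings/cloud.google.gpg
        # Register the apt source only after the keyring it references exists.
        echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" \
          | sudo tee /etc/apt/sources.list.d/google-cloud-sdk.list >/dev/null
        sudo apt-get update
        sudo apt-get install -y google-cloud-cli
        # After install, `gcloud auth application-default login` writes an ADC
        # credential file under the sandbox user's home; per the description it
        # persists for the sandbox lifetime, so anything running as that user
        # can read and reuse it.
      user: "1000"
      description: Install gcloud CLI from Google's official apt repository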