This benchmark will test the dynamic generation of GCP access token and service account key credentials.
credentials(string: <required>) - JSON credentials (either file contents or '@path/to/file') See docs for alternative ways to pass in to this parameter, as well as the required permissions. This value can also be provided with theVAULT_BENCHMARK_GCP_CREDENTIALSenvironment variable.ttl(string:"0s") – Specifies default config TTL for long-lived credentials (i.e. service account keys). Uses duration format strings.max_ttl(string:"0s")– Specifies the maximum config TTL for long-lived credentials (i.e. service account keys). Uses duration format strings.
name(string: "benchmark-roleset"): Name of the role.secret_type(string: "access_token"): Type of secret generated for this role set. Accepted values:access_token,service_account_key.project(string: <required>): Name of the GCP project that this roleset's service account will belong to.bindings(string: <required>): Bindings configuration string (expects HCL or JSON format in raw or base64-encoded string). This value can also be provided with theVAULT_BENCHMARK_GCP_BINDINGSenvironment variable.token_scopes(array: []): List of OAuth scopes to assign toaccess_tokensecrets generated under this role set (access_tokenrole sets only)
test "gcp_secret" "gcp_secret1" {
weight = 100
config {
gcp {
credentials = "@VaultServiceAccountKey.json"
}
roleset {
name = "gcp-secrets-roleset"
project = "<project_id>"
bindings = "@gcpbindings.hcl"
token_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
}
}
}rps = "1"
test "gcp_secret" "gcp_secret1" {
weight = 100
config {
gcp {
credentials = "@VaultServiceAccountKey.json"
}
roleset {
name = "gcp-secrets-roleset"
project = "<project-id>"
secret_type = "service_account_key"
bindings = "@gcpbindings.hcl"
token_scopes = ["access_token"]
}
}
}