Cloudrun auto auth token #190

Open
ntang86 opened this issue Dec 6, 2023 · 1 comment

ntang86 commented Dec 6, 2023

Hello,

I used to use the GCE metadata to auto auth to Vault with the JWT, but I noticed that it does not work with Cloud Run.
I get the following:

expected JWT to have claims with GCE metadata

I saw that apparently this PR solved the authentication issue #115, but I can't make it work. Do we have an example?
I can get an ID token through "http://metadata/computeMetadata/v1/instance/service-accounts/default/identity", but when I try to authenticate, it shows the above error.

Checking the JWT produced on Cloud Run by the same code, I'm missing some data, hence the error message. Would it be possible to use "gce" auth with Cloud Run?

  "google": {
    "compute_engine": {
      "instance_creation_timestamp":,
      "instance_id": "",
      "instance_name": "",
      "project_id": "",
      "project_number":,
      "zone": ""
    }
  }

@austingebauer
Member

Hi @ntang86 - The instance_id claim needs to be populated in this case. You can see the condition in the code at https://github.com/hashicorp/vault-plugin-auth-gcp/blob/main/plugin/path_login.go#L234. Do you know if it's possible to have that populated in Cloud Run?

Otherwise, it's going to take a pull request with some changes here to support it for Cloud Run.
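
A local diagnostic for the condition discussed in this thread, added here as an example and not code from vault-plugin-auth-gcp or from either participant: it decodes an ID token's payload and reports whether `google.compute_engine.instance_id` is populated before the token is sent to Vault. The names `InstanceID`, `ErrNoGCEMetadata` and `FakeToken` and the sample payloads are constructed for illustration, and the signature is not verified.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var ErrNoGCEMetadata = errors.New("token has no google.compute_engine.instance_id claim")

// InstanceID returns the google.compute_engine.instance_id claim of a compact JWT.
// Diagnostic only: the signature is NOT verified, so never authorize on the result.
func InstanceID(token string) (string, error) {
	parts := strings.Split(strings.TrimSpace(token), ".")
	if len(parts) != 3 {
		return "", errors.New("not a compact JWT: want header.payload.signature")
	}
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err != nil {
		return "", fmt.Errorf("decode payload: %w", err)
	}
	var claims struct {
		Google struct {
			ComputeEngine struct {
				InstanceID string `json:"instance_id"`
			} `json:"compute_engine"`
		} `json:"google"`
	}
	if err := json.Unmarshal(raw, &claims); err != nil {
		return "", fmt.Errorf("parse payload: %w", err)
	}
	if claims.Google.ComputeEngine.InstanceID == "" {
		return "", ErrNoGCEMetadata
	}
	return claims.Google.ComputeEngine.InstanceID, nil
}

// FakeToken wraps a JSON payload in a constructed, unsigned token ("e30" is "{}").
func FakeToken(payload string) string {
	return "e30." + base64.RawURLEncoding.EncodeToString([]byte(payload)) + ".sig"
}

func main() {
	for _, p := range []string{`{"google":{"compute_engine":{"instance_id":"1234"}}}`, `{"sub":"example"}`} {
		fmt.Println(InstanceID(FakeToken(p)))
	}
}
```
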
