@mweigel mweigel commented Jul 7, 2025

Attempt to address Expose GCP secrets key IDs #13

  • Key IDs are consistently displayed when rotated
  • Key IDs can be read for mount, rolesets and static accounts

Mount operations

# Reading mount configuration.
bao read gcp/config

Key                      Value
---                      -----
max_ttl                  4h
private_key_id           b6a47b005b4c718322c891608873a4aa330562dc
service_account_email    [email protected]
ttl                      1h

# Rotating root credentials (existing behaviour)
bao write -f gcp/config/rotate-root

Key               Value
---               -----
private_key_id    2d30a5de98138d3e99af949e2af140482a1552db

Static account operations

# Reading static account.
bao read gcp/static-account/static-01

Key                        Value
---                        -----
private_key_id             9459858d15af346d2c00533700ba32e8d1fc1664
secret_type                access_token
service_account_email      [email protected]
service_account_project    my-project
token_scopes               [https://www.googleapis.com/auth/cloud-platform]

# Rotating static account credentials.
bao write -f gcp/static-account/static-01/rotate-key

Key               Value
---               -----
private_key_id    342501dcc414f3928dd78e3cdcbf711f06009bbf

Roleset operations

# Reading roleset.
bao read gcp/roleset/roleset-01

Key                      Value
---                      -----
bindings                 map[//cloudresourcemanager.googleapis.com/projects/my-project:[roles/viewer]]
private_key_id           c0b7506dbe911ea270139a0a384e621ff86a834a
project                  my-project
secret_type              access_token
service_account_email    [email protected]
token_scopes             [https://www.googleapis.com/auth/cloud-platform]

# Rotating roleset credentials.
bao write -f gcp/roleset/roleset-01/rotate-key

Key               Value
---               -----
private_key_id    b1f9962977a2e9539afa2e1623086e62e5f5315c

Signed-off-by: Mario Weigel <[email protected]>
@mweigel mweigel requested a review from a team as a code owner July 7, 2025 01:38
@JanMa JanMa self-assigned this Jul 20, 2025
@JanMa JanMa requested a review from Copilot July 20, 2025 20:58
Copilot AI left a comment

Pull Request Overview

This PR adds support for exposing GCP service account private key IDs across mount configuration, rolesets, and static accounts. This addresses issue #13 by providing visibility into which key is currently active when reading configurations and returning key IDs when rotating credentials.

Key changes include:

  • Added private_key_id field to read operations for mount config, rolesets, and static accounts
  • Modified rotate operations to return the new private_key_id after successful rotation
  • Updated test expectations to include the new private_key_id field

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

File                                           Description
secrets/gcp/path_config.go                     Enhanced config read to extract and return private_key_id from credentials
secrets/gcp/path_static_account.go             Added private_key_id to static account read response
secrets/gcp/path_static_account_rotate_key.go  Modified rotate response to include new private_key_id
secrets/gcp/path_role_set.go                   Added private_key_id to roleset read and rotate responses
secrets/gcp/path_config_test.go                Updated test expectations to include private_key_id field

creds, err := gcputil.Credentials(cfg.CredentialsRaw)
if err != nil {
resp.Warnings = []string{
fmt.Sprintf("Failed to parse key private key ID: %v", err),
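Review bot: `resp.Warnings = []string{ ... }` in this hunk replaces any warnings already attached to the response instead of adding to them; prefer `resp.Warnings = append(resp.Warnings, fmt.Sprintf("Failed to parse private key ID: %v", err))` so earlier warnings survive. Also, if `gcputil.Credentials` rejects an empty `cfg.CredentialsRaw`, a mount that relies on application default credentials will emit this warning on every read; guard the parse with a check that `cfg.CredentialsRaw` is non-empty and only warn when explicit credentials are present but malformed.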
Copilot AI Jul 20, 2025

The error message contains a grammatical error. It should be "Failed to parse private key ID" instead of "Failed to parse key private key ID".

Suggested change
fmt.Sprintf("Failed to parse key private key ID: %v", err),
fmt.Sprintf("Failed to parse private key ID: %v", err),

}

creds, err := gcputil.Credentials(cfg.CredentialsRaw)
if err != nil {
Member

Returning the Private Key ID will only work when the user passes the service account credentials in the credentials settings. From my experience it is much more common to use the default credentials passed to an application running in GCP as described in our docs.

I'd prefer it if this only returns an error if cfg.CredentialsRaw is not empty. Also I think this should try to parse the GOOGLE_APPLICATION_CREDENTIALS environment variable and use the key specified in there if it is not empty.
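The lookup order asked for in the review above (explicit mount credentials first, then the key file named by GOOGLE_APPLICATION_CREDENTIALS, otherwise no key ID and no error), written out as an added example that is not part of this PR or the project's code. It parses the standard service account key file format with encoding/json instead of gcputil.Credentials, whose exact behaviour on empty input is not shown on this page; the function names and the sample key (with a placeholder private_key_id) are constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
)

// serviceAccountKey holds the fields of a GCP service account key file that
// matter here. The JSON names are those of the standard key file format.
type serviceAccountKey struct {
	Type         string `json:"type"`
	PrivateKeyID string `json:"private_key_id"`
	ClientEmail  string `json:"client_email"`
}

// privateKeyIDFromJSON parses service account credentials and returns the key ID.
// Malformed JSON, a non service account credential, or a missing ID are errors.
func privateKeyIDFromJSON(raw []byte) (string, error) {
	var key serviceAccountKey
	if err := json.Unmarshal(raw, &key); err != nil {
		return "", fmt.Errorf("invalid service account credentials: %w", err)
	}
	if key.Type != "service_account" {
		return "", fmt.Errorf("credentials type %q is not a service account key", key.Type)
	}
	if key.PrivateKeyID == "" {
		return "", errors.New("service account credentials carry no private_key_id")
	}
	return key.PrivateKeyID, nil
}

// resolvePrivateKeyID implements the order proposed in the review:
//  1. explicit credentials stored on the mount; malformed ones are an error;
//  2. the key file named by GOOGLE_APPLICATION_CREDENTIALS (adcPath), if set;
//  3. otherwise application default credentials from the runtime (for example
//     the metadata server) carry no key file, so ok=false is returned, not an error.
func resolvePrivateKeyID(credentialsRaw, adcPath string) (string, bool, error) {
	if credentialsRaw != "" {
		id, err := privateKeyIDFromJSON([]byte(credentialsRaw))
		if err != nil {
			return "", false, err
		}
		return id, true, nil
	}
	if adcPath != "" {
		raw, err := os.ReadFile(adcPath)
		if err != nil {
			return "", false, fmt.Errorf("reading GOOGLE_APPLICATION_CREDENTIALS file: %w", err)
		}
		id, err := privateKeyIDFromJSON(raw)
		if err != nil {
			return "", false, err
		}
		return id, true, nil
	}
	return "", false, nil
}

// keyIDResponse shapes a read response the way the review asks for: the field
// is set only when a key ID could be determined, a warning is appended (not
// assigned) only when explicit or file credentials exist but cannot be parsed,
// and a mount on runtime default credentials yields neither.
func keyIDResponse(credentialsRaw string) (map[string]interface{}, []string) {
	data := map[string]interface{}{}
	var warnings []string
	id, ok, err := resolvePrivateKeyID(credentialsRaw, os.Getenv("GOOGLE_APPLICATION_CREDENTIALS"))
	switch {
	case err != nil:
		warnings = append(warnings, fmt.Sprintf("Failed to parse private key ID: %v", err))
	case ok:
		data["private_key_id"] = id
	}
	return data, warnings
}

func main() {
	// Constructed sample key; the private_key_id is a placeholder, not a real key.
	const sample = `{"type":"service_account","private_key_id":"0123456789abcdef0123456789abcdef01234567","client_email":"sa-example@my-project.iam.gserviceaccount.com"}`
	data, warnings := keyIDResponse(sample)
	fmt.Println("explicit credentials:", data, warnings)
	_, warnings = keyIDResponse(`{"type":"service_account"}`)
	fmt.Println("credentials without key id:", warnings)
	data, warnings = keyIDResponse("")
	fmt.Println("no explicit credentials:", data, warnings)
}
```

With GOOGLE_APPLICATION_CREDENTIALS unset, the last call returns an empty response and no warning, which is the behaviour the review asks for on a mount that uses the runtime's default credentials.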
