openbao · mweigel · Jul 7, 2025 · JanMa · Jul 20, 2025 · Copilot
@@ -72,15 +72,25 @@ func (b *backend) pathConfigRead(ctx context.Context, req *logical.Request, data
 		return nil, nil
 	}
 
-	configData := map[string]interface{}{
-		"ttl":                   int64(cfg.TTL / time.Second),
-		"max_ttl":               int64(cfg.MaxTTL / time.Second),
-		"service_account_email": cfg.ServiceAccountEmail,
+	resp := &logical.Response{
+		Data: map[string]interface{}{
+			"ttl":                   int64(cfg.TTL / time.Second),
+			"max_ttl":               int64(cfg.MaxTTL / time.Second),
+			"service_account_email": cfg.ServiceAccountEmail,
+			"private_key_id":        "",
+		},
+	}
+
+	creds, err := gcputil.Credentials(cfg.CredentialsRaw)
+	if err != nil {
+		resp.Warnings = []string{
+			fmt.Sprintf("Failed to parse key private key ID: %v", err),
-			fmt.Sprintf("Failed to parse key private key ID: %v", err),
+			fmt.Sprintf("Failed to parse private key ID: %v", err),
-			fmt.Sprintf("Failed to parse key private key ID: %v", err),
+			fmt.Sprintf("Failed to parse private key ID: %v", err),
+		}
+	} else {
+		resp.Data["private_key_id"] = creds.PrivateKeyId
 	}
 
-	return &logical.Response{
-		Data: configData,
-	}, nil
+	return resp, nil
 }
 
 func (b *backend) pathConfigWrite(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {

@@ -32,6 +32,7 @@ func TestConfig(t *testing.T) {
 		"ttl":                   int64(0),
 		"max_ttl":               int64(0),
 		"service_account_email": "",
+		"private_key_id":        "privateKey123",
 	}
 
 	testConfigRead(t, b, reqStorage, expected)

@@ -6,6 +6,7 @@ package gcp
 import (
 	"context"
 	"fmt"
+	"path"
 
 	"github.com/hashicorp/errwrap"
 	"github.com/openbao/openbao-plugins/secrets/gcp/util"
@@ -179,6 +180,7 @@ func (b *backend) pathRoleSetRead(ctx context.Context, req *logical.Request, d *
 
 	if rs.TokenGen != nil && rs.SecretType == SecretTypeAccessToken {
 		data["token_scopes"] = rs.TokenGen.Scopes
+		data["private_key_id"] = path.Base(rs.TokenGen.KeyName)
 	}
 
 	return &logical.Response{
@@ -419,7 +421,12 @@ func (b *backend) pathRoleSetRotateKey(ctx context.Context, req *logical.Request
 	if warn != "" {
 		return &logical.Response{Warnings: []string{warn}}, nil
 	}
-	return nil, nil
+
+	return &logical.Response{
+		Data: map[string]interface{}{
+			"private_key_id": path.Base(rs.TokenGen.KeyName),
+		},
+	}, nil
 }
 
 func getRoleSet(name string, ctx context.Context, s logical.Storage) (*RoleSet, error) {

@@ -7,6 +7,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"path"
 
 	"github.com/hashicorp/errwrap"
 	"github.com/openbao/openbao/sdk/v2/framework"
@@ -131,6 +132,7 @@ func (b *backend) pathStaticAccountRead(ctx context.Context, req *logical.Reques
 	}
 	if acct.TokenGen != nil && acct.SecretType == SecretTypeAccessToken {
 		data["token_scopes"] = acct.TokenGen.Scopes
+		data["private_key_id"] = path.Base(acct.TokenGen.KeyName)
 	}
 
 	return &logical.Response{

@@ -6,6 +6,7 @@ package gcp
 import (
 	"context"
 	"fmt"
+	"path"
 
 	"github.com/openbao/openbao/sdk/v2/framework"
 	"github.com/openbao/openbao/sdk/v2/logical"
@@ -108,7 +109,12 @@ func (b *backend) pathStaticAccountRotateKey(ctx context.Context, req *logical.R
 		}
 		b.tryDeleteWALs(ctx, req.Storage, oldWalId)
 	}
-	return nil, nil
+
+	return &logical.Response{
+		Data: map[string]interface{}{
+			"private_key_id": path.Base(acct.TokenGen.KeyName),
+		},
+	}, nil
 }
 
 const pathStaticAccountRotateKeyHelpSyn = `Rotate the key used to generate access tokens for a static account`