diff --git a/docs/documentation/platform/identities/gcp-auth.mdx b/docs/documentation/platform/identities/gcp-auth.mdx
new file mode 100644
index 0000000000..de4c0162d9
--- /dev/null
+++ b/docs/documentation/platform/identities/gcp-auth.mdx
@@ -0,0 +1,291 @@
+---
+title: GCP Auth
+description: "Learn how to authenticate with Infisical Google Cloud Platform"
+---
+
+**GCP Auth** is a GCP-native authentication method for GCP resources to access Infisical.
+
+- GCP GCE Auth: For Google Compute Engine (GCE) instances to authenticate with Infisical.
+- GCP IAM Auth: For Google Cloud Platform (GCP) service accounts to authenticate with Infisical.
+
+
+
+ ## Concept
+
+At a high-level, Infisical authenticates a GCE instance by verifying its identity and checking that it meets specific requirements (e.g. it is an allowed GCE instance) at the `/api/v1/auth/gcp-auth/login` endpoint. If successful,
+then Infisical returns a short-lived access token that can be used to make authenticated requests to the Infisical API.
+
+In GCP GCE Auth, the client obtains an [instance identity metadata token](https://cloud.google.com/compute/docs/instances/verifying-instance-identity) constituting the identity for a GCE instance; this is a unique JWT token that includes details about the instance as well as Google's [RS256 signature](https://datatracker.ietf.org/doc/html/rfc7518#section-3.3).
+The token is sent to Infisical afterwhich Infisical verifies the token against Google's [public OAuth2 certificates](https://www.googleapis.com/oauth2/v3/certs) and checks if the associated instance is allowed to authenticate with Infisical. If all is well, Infisical returns a short-lived access token that can be used to make authenticated requests to the Infisical API.
+
+
+We recommend using one of Infisical's clients like SDKs or the Infisical Agent
+to authenticate with Infisical using GCP GCE Auth as they handle the
+authentication process including generating the signed JWT token.
+
+Also, note that Infisical needs network-level access to send requests to the Google Cloud API
+as part of the GCP Auth workflow.
+
+
+
+## Workflow
+
+In the following steps, we explore how to create and use identities for your workloads and applications on GCP to
+access the Infisical API using the GCP GCE authentication method.
+
+
+
+ To create an identity, head to your Organization Settings > Access Control > Machine Identities and press **Create identity**.
+
+ 
+
+ When creating an identity, you specify an organization level [role](/documentation/platform/role-based-access-controls) for it to assume; you can configure roles in Organization Settings > Access Control > Organization Roles.
+
+ 
+
+ Now input a few details for your new identity. Here's some guidance for each field:
+
+ - Name (required): A friendly name for the identity.
+ - Role (required): A role from the **Organization Roles** tab for the identity to assume. The organization role assigned will determine what organization level resources this identity can have access to.
+
+ Once you've created an identity, you'll be prompted to configure the authentication method for it. Here, select **GCP Auth** and set the **Type** to **GCP GCE Auth**.
+
+ 
+
+ Here's some more guidance on each field:
+
+ - Service Account JSON: The JSON key file for the GCP service account that will be used by Infisical to look-up authenticated service account details.
+ - Allowed Service Account Emails: A comma-separated list of trusted service account emails corresponding to the GCE instance(s) allowed to authenticate with Infisical; this could be something like `test@project.iam.gserviceaccount.com`, `12345-compute@developer.gserviceaccount.com`, etc.
+ - Allowed Projects: A comma-separated list of trusted GCP projects that the GCE instance must belong to authenticate with Infisical.
+ - Allowed Zones: A comma-separated list of trusted zones that the GCE instances must belong to authenticate with Infisical; this should be the fully-qualified zone name in the format `-`like `us-central1-a`, `us-west1-b`, etc.
+ - Access Token TTL (default is `2592000` equivalent to 30 days): The lifetime for an acccess token in seconds. This value will be referenced at renewal time.
+ - Access Token Max TTL (default is `2592000` equivalent to 30 days): The maximum lifetime for an acccess token in seconds. This value will be referenced at renewal time.
+ - Access Token Max Number of Uses (default is `0`): The maximum number of times that an access token can be used; a value of `0` implies infinite number of uses.
+ - Access Token Trusted IPs: The IPs or CIDR ranges that access tokens can be used from. By default, each token is given the `0.0.0.0/0`, allowing usage from any network address.
+
+
+ Note that you should enable the [IAM Service Account Credentials API](https://console.developers.google.com/apis/api/iamcredentials.googleapis.com/overview)
+ in your project.
+
+
+
+ To enable the identity to access project-level resources such as secrets within a specific project, you should add it to that project.
+
+ To do this, head over to the project you want to add the identity to and go to Project Settings > Access Control > Machine Identities and press **Add identity**.
+
+ Next, select the identity you want to add to the project and the project level role you want to allow it to assume. The project role assigned will determine what project level resources this identity can have access to.
+
+ 
+
+ 
+
+
+ To access the Infisical API as the identity, you need to generate an [instance identity metadata token](https://cloud.google.com/compute/docs/instances/verifying-instance-identity) constituting the identity of the present GCE instance and make a request to the `/api/v1/auth/gcp-auth/login` endpoint containing the token in exchange for an access token.
+
+ We provide a few code examples below of how you can authenticate with Infisical to access the [Infisical API](/api-reference/overview/introduction).
+
+
+
+ Start by making a request from the GCE instance to obtain the instance identity metadata token.
+
+ #### Sample request
+ ```bash Request
+ curl -H "Metadata-Flavor: Google" \
+ 'http://metadata/computeMetadata/v1/instance/service-accounts/default/identity?audience=${identityId}&format=full'
+ ```
+
+ Next use send the obtained JWT token along to authenticate with Infisical and obtain an access token.
+
+ #### Sample request
+
+ ```bash Request
+ curl --location --request POST 'https://app.infisical.com/api/v1/auth/gcp-auth/login' \
+ --header 'Content-Type: application/x-www-form-urlencoded' \
+ --data-urlencode 'identityId=...' \
+ --data-urlencode 'jwt=...'
+ ```
+
+ #### Sample response
+
+ ```bash Response
+ {
+ "accessToken": "...",
+ "expiresIn": 7200,
+ "accessTokenMaxTTL": 43244
+ "tokenType": "Bearer"
+ }
+ ```
+
+ Next, you can use the access token to access the [Infisical API](/api-reference/overview/introduction)
+
+
+
+
+ We recommend using one of Infisical's clients like SDKs or the Infisical Agent to authenticate with Infisical using GCP IAM Auth as they handle the authentication process including generating the signed JWT token.
+
+
+ Each identity access token has a time-to-live (TLL) which you can infer from the response of the login operation;
+ the default TTL is `7200` seconds which can be adjusted.
+ If an identity access token expires, it can no longer authenticate with the Infisical API. In this case,
+ a new access token should be obtained by performing another login operation.
+
+
+
+
+
+
+
+ ## Concept
+
+At a high-level, Infisical authenticates an IAM service account by verifying its identity and checking that it meets specific requirements (e.g. it is an allowed service account) at the `/api/v1/auth/gcp-auth/login` endpoint. If successful,
+then Infisical returns a short-lived access token that can be used to make authenticated requests to the Infisical API.
+
+In GCP IAM Auth, the client generates a signed JWT using the `projects.serviceAccounts.signJwt` [API method](https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signJwt); this is done using the service account credentials from the GCP environment where the client is running.
+The signed JWT is sent to Infisical afterwhich Infisical verifies the JWT and checks if the associated service account is allowed to authenticate with Infisical. If all is well, Infisical returns a short-lived access token that can be used to make authenticated requests to the Infisical API.
+
+
+We recommend using one of Infisical's clients like SDKs or the Infisical Agent
+to authenticate with Infisical using GCP IAM Auth as they handle the
+authentication process including generating the signed JWT token.
+
+Also, note that Infisical needs network-level access to send requests to the Google Cloud API
+as part of the GCP Auth workflow.
+
+
+
+## Workflow
+
+In the following steps, we explore how to create and use identities for your workloads and applications on GCP to
+access the Infisical API using the GCP IAM authentication method.
+
+
+
+ To create an identity, head to your Organization Settings > Access Control > Machine Identities and press **Create identity**.
+
+ 
+
+ When creating an identity, you specify an organization level [role](/documentation/platform/role-based-access-controls) for it to assume; you can configure roles in Organization Settings > Access Control > Organization Roles.
+
+ 
+
+ Now input a few details for your new identity. Here's some guidance for each field:
+
+ - Name (required): A friendly name for the identity.
+ - Role (required): A role from the **Organization Roles** tab for the identity to assume. The organization role assigned will determine what organization level resources this identity can have access to.
+
+ Once you've created an identity, you'll be prompted to configure the authentication method for it. Here, select **GCP IAM Auth** and set the **Type** to **GCP IAM Auth**.
+
+ 
+
+ Here's some more guidance on each field:
+
+ - Service Account JSON: The JSON key file for the GCP service account that will be used by Infisical to look-up authenticated service account details.
+ - Allowed Service Account Emails: A comma-separated list of trusted IAM service account emails that are allowed to authenticate with Infisical; this could be something like `test@project.iam.gserviceaccount.com`, `12345-compute@developer.gserviceaccount.com`, etc.
+ - Allowed Projects: A comma-separated list of trusted GCP projects that the IAM service accounts must belong to authenticate with Infisical.
+ - Access Token TTL (default is `2592000` equivalent to 30 days): The lifetime for an acccess token in seconds. This value will be referenced at renewal time.
+ - Access Token Max TTL (default is `2592000` equivalent to 30 days): The maximum lifetime for an acccess token in seconds. This value will be referenced at renewal time.
+ - Access Token Max Number of Uses (default is `0`): The maximum number of times that an access token can be used; a value of `0` implies infinite number of uses.
+ - Access Token Trusted IPs: The IPs or CIDR ranges that access tokens can be used from. By default, each token is given the `0.0.0.0/0`, allowing usage from any network address.
+
+
+ Note that you should enable the [IAM Service Account Credentials API](https://console.developers.google.com/apis/api/iamcredentials.googleapis.com/overview)
+ in your project.
+
+
+
+ To enable the identity to access project-level resources such as secrets within a specific project, you should add it to that project.
+
+ To do this, head over to the project you want to add the identity to and go to Project Settings > Access Control > Machine Identities and press **Add identity**.
+
+ Next, select the identity you want to add to the project and the project level role you want to allow it to assume. The project role assigned will determine what project level resources this identity can have access to.
+
+ 
+
+ 
+
+
+ To access the Infisical API as the identity, you need to generate a signed JWT token using the `projects.serviceAccounts.signJwt` [API method](https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signJwt) and make a request to the `/api/v1/auth/gcp-auth/login` endpoint containing the signed JWT token in exchange for an access token.
+
+ We provide a few code examples below of how you can authenticate with Infisical to access the [Infisical API](/api-reference/overview/introduction).
+
+
+
+ The following code provides a generic example of how you can generate a signed JWT token against the `projects.serviceAccounts.signJwt` API method.
+
+ The shown example uses Node.js and the official [google-auth-library](https://github.com/googleapis/google-auth-library-nodejs#readme) package but you can use any language you wish.
+
+
+ The example assumes that you have created a GCP service account and have downloaded the JSON key file for it.
+
+ Make sure that the service account has the `iam.serviceAccounts.signJwt` permission; this is available on the `roles/iam.serviceAccountTokenCreator` role.
+
+
+ ```javascript
+ const { GoogleAuth } = require("google-auth-library");
+
+ const auth = new GoogleAuth({
+ keyFile: serviceAccountKeyFile, // path to the service account JSON key file
+ scopes: "https://www.googleapis.com/auth/cloud-platform",
+ });
+
+ const client = await auth.getClient();
+ const projectId = await auth.getProjectId();
+
+ const identityId = "";
+
+ const jwtPayload = {
+ sub: client.email,
+ aud: identityId,
+ };
+
+ const { data } = await client.request({
+ url: `https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${client.email}:signJwt`,
+ method: "POST",
+ data: { payload: JSON.stringify(jwtPayload) },
+ });
+
+ const jwt = data.signedJwt // send this jwt to Infisical in the next step
+ ```
+
+ #### Sample request
+
+ ```bash Request
+ curl --location --request POST 'https://app.infisical.com/api/v1/auth/gcp-auth/login' \
+ --header 'Content-Type: application/x-www-form-urlencoded' \
+ --data-urlencode 'identityId=...' \
+ --data-urlencode 'jwt=...'
+ ```
+
+ #### Sample response
+
+ ```bash Response
+ {
+ "accessToken": "...",
+ "expiresIn": 7200,
+ "accessTokenMaxTTL": 43244
+ "tokenType": "Bearer"
+ }
+ ```
+
+ Next, you can use the access token to access the [Infisical API](/api-reference/overview/introduction)
+
+
+
+
+ We recommend using one of Infisical's clients like SDKs or the Infisical Agent to authenticate with Infisical using GCP IAM Auth as they handle the authentication process including generating the signed JWT token.
+
+
+ Each identity access token has a time-to-live (TLL) which you can infer from the response of the login operation;
+ the default TTL is `7200` seconds which can be adjusted.
+ If an identity access token expires, it can no longer authenticate with the Infisical API. In this case,
+ a new access token should be obtained by performing another login operation.
+
+
+
+
+
+
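Review bot: the new page never states which claims of the submitted JWT are checked, even though both flows tell the client to bind the token to the identity (`audience=${identityId}` in the metadata request, `aud: identityId` in the signJwt payload); the Concept paragraph for each method should say that Infisical verifies the signature, the `exp` claim and that `aud` equals the identity ID, so readers understand why a token minted for a different audience is rejected and why `const identityId = "";` must not be left empty. Other points in the same hunk: (1) the TTL statements contradict each other, `Access Token TTL (default is 2592000 equivalent to 30 days)` versus `the default TTL is 7200 seconds which can be adjusted`, and the sample response's `"expiresIn": 7200` should agree with whichever is correct; (2) both sample responses are missing a comma after `"accessTokenMaxTTL": 43244`, so they are not valid JSON; (3) the Allowed Zones guidance `in the format `-`like `us-central1-a`` has lost its placeholder (the MDX angle brackets were probably swallowed), write it as region-zone in plain words; (4) the GCE section's closing recommendation says `using GCP IAM Auth` and the IAM section says `select **GCP IAM Auth** and set the **Type** to **GCP IAM Auth**`, where the first should read GCP GCE Auth and the second should read `select **GCP Auth**`, matching the GCE instructions; (5) the Service Account JSON field is a long-lived key that Infisical stores, so the page should state the minimum IAM permission that account needs (the deleted gcp-iam-auth.mdx recorded `resourcemanager.projects.get`) instead of leaving operators to grant a broad role; (6) in the Node example `projectId` is assigned but unused, `serviceAccountKeyFile` is never defined, top-level `await` does not run in a CommonJS `require` module (wrap the code in an async function), and since the payload carries no `exp` it is worth noting that the signJwt reference adds a one-hour `exp` when the claim is absent; (7) typos: `acccess` (four times), `TLL` (twice), `afterwhich`, `Next use send`.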
diff --git a/docs/documentation/platform/identities/gcp-iam-auth.mdx b/docs/documentation/platform/identities/gcp-iam-auth.mdx
deleted file mode 100644
index 5bc2b5d783..0000000000
--- a/docs/documentation/platform/identities/gcp-iam-auth.mdx
+++ /dev/null
@@ -1,158 +0,0 @@
----
-title: GCP Auth
-description: "Learn how to authenticate with Infisical Google Cloud Platform"
----
-
-**GCP IAM Auth** is a GCP-native authentication method for IAM service accounts.
-
-## Concept
-
-At a high-level, Infisical authenticates an IAM service account by verifying its identity and checking that it meets specific requirements (e.g. it is an allowed service account) at the `/api/v1/auth/gcp-iam-auth/login` endpoint. If successful,
-then Infisical returns a short-lived access token that can be used to make authenticated requests to the Infisical API.
-
-In GCP IAM Auth, the client generates a signed JWT using the `projects.serviceAccounts.signJwt` [API method](https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signJwt); this is done using the service account credentials from the GCP environment where the client is running.
-The signed JWT is sent to Infisical afterwhich Infisical verifies the JWT and checks if the associated service account is allowed to authenticate with Infisical. If all is well, Infisical returns a short-lived access token that can be used to make authenticated requests to the Infisical API.
-
-
-We recommend using one of Infisical's clients like SDKs or the Infisical Agent
-to authenticate with Infisical using GCP IAM Auth as they handle the
-authentication process including generating the signed JWT token.
-
-Also, note that Infisical needs network-level access to send requests to the Google Cloud API
-as part of the GCP IAM Auth workflow.
-
-
-
-## Workflow
-
-In the following steps, we explore how to create and use identities for your workloads and applications on GCP to
-access the Infisical API using the GCP IAM authentication method.
-
-
-
- To create an identity, head to your Organization Settings > Access Control > Machine Identities and press **Create identity**.
-
- 
-
- When creating an identity, you specify an organization level [role](/documentation/platform/role-based-access-controls) for it to assume; you can configure roles in Organization Settings > Access Control > Organization Roles.
-
- 
-
- Now input a few details for your new identity. Here's some guidance for each field:
-
- - Name (required): A friendly name for the identity.
- - Role (required): A role from the **Organization Roles** tab for the identity to assume. The organization role assigned will determine what organization level resources this identity can have access to.
-
- Once you've created an identity, you'll be prompted to configure the authentication method for it. Here, select **GCP IAM Auth**.
-
- 
-
- Here's some more guidance on each field:
-
- - Allowed Service Account Emails: A comma-separated list of trusted IAM service account emails that are allowed to authenticate with Infisical; this could be something like `test@project.iam.gserviceaccount.com`, `12345-compute@developer.gserviceaccount.com`, etc.
- - Allowed Projects: A comma-separated list of trusted GCP projects that the IAM service accounts must belong to authenticate with Infisical.
- - Access Token TTL (default is `2592000` equivalent to 30 days): The lifetime for an acccess token in seconds. This value will be referenced at renewal time.
- - Access Token Max TTL (default is `2592000` equivalent to 30 days): The maximum lifetime for an acccess token in seconds. This value will be referenced at renewal time.
- - Access Token Max Number of Uses (default is `0`): The maximum number of times that an access token can be used; a value of `0` implies infinite number of uses.
- - Access Token Trusted IPs: The IPs or CIDR ranges that access tokens can be used from. By default, each token is given the `0.0.0.0/0`, allowing usage from any network address.
-
-
- To enable the identity to access project-level resources such as secrets within a specific project, you should add it to that project.
-
- To do this, head over to the project you want to add the identity to and go to Project Settings > Access Control > Machine Identities and press **Add identity**.
-
- Next, select the identity you want to add to the project and the project level role you want to allow it to assume. The project role assigned will determine what project level resources this identity can have access to.
-
- 
-
- 
-
-
- To access the Infisical API as the identity, you need to generate a signed JWT token using the `projects.serviceAccounts.signJwt` [API method](https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signJwt) and make a request to the `/api/v1/auth/gcp-iam-auth/login` endpoint containing the signed JWT token in exchange for an access token.
-
-
- Enable the [IAM Service Account Credentials API](https://console.developers.google.com/apis/api/iamcredentials.googleapis.com/overview) in your project
- Cloud Resource Manager API
- Identity and Access Management (IAM) API has not been used in project 512461120021 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/iam.googleapis.com/overview?project=512461120021 then retry.
-
- Add the role `roles/iam.serviceAccountTokenCreator` to the service account. This role includes the required `iam.serviceAccounts.signJwt` permission.
-
- Must have: `resourcemanager.projects.get` (for the Infisical service account)
-
-o Infisical uses scope:https://www.googleapis.com/auth/cloud-platform.read-only
-
-
-
- We provide a few code examples below of how you can authenticate with Infisical to access the [Infisical API](/api-reference/overview/introduction).
-
-
-
- The following query construction provides a generic example of how you can generate a signed JWT token against the `projects.serviceAccounts.signJwt` API method.
-
- The shown example uses Node.js and the official [google-auth-library](https://github.com/googleapis/google-auth-library-nodejs#readme) package but you can use any language you wish.
-
- ```javascript
- const { GoogleAuth } = require("google-auth-library");
-
- const auth = new GoogleAuth({
- keyFile: serviceAccountKeyFile, // path to the service account JSON key file
- scopes: "https://www.googleapis.com/auth/cloud-platform",
- });
-
- const client = await auth.getClient();
- const projectId = await auth.getProjectId();
-
- const identityId = "";
-
- const jwtPayload = {
- sub: client.email,
- aud: identityId,
- };
-
- const { data } = await client.request({
- url: `https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${client.email}:signJwt`,
- method: "POST",
- data: { payload: JSON.stringify(jwtPayload) },
- });
-
- const jwt = data.signedJwt // send this jwt to Infisical in the next step
- ```
-
- #### Sample request
-
- ```bash Request
- curl --location --request POST 'https://app.infisical.com/api/v1/auth/gcp-iam-auth/login' \
- --header 'Content-Type: application/x-www-form-urlencoded' \
- --data-urlencode 'identityId=...' \
- --data-urlencode 'jwt=...'
- ```
-
- #### Sample response
-
- ```bash Response
- {
- "accessToken": "...",
- "expiresIn": 7200,
- "accessTokenMaxTTL": 43244
- "tokenType": "Bearer"
- }
- ```
-
- Next, you can use the access token to access the [Infisical API](/api-reference/overview/introduction)
-
-
-
-
- We recommend using one of Infisical's clients like SDKs or the Infisical Agent to authenticate with Infisical using GCP IAM Auth as they handle the authentication process including generating the signed JWT token.
-
-
- Each identity access token has a time-to-live (TLL) which you can infer from the response of the login operation;
- the default TTL is `7200` seconds which can be adjusted.
- If an identity access token expires, it can no longer authenticate with the Infisical API. In this case,
- a new access token should be obtained by performing another login operation.
-
-
-
-
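Review bot: deleting this page drops the only statement of what the Infisical-side service account needs, namely `Must have: resourcemanager.projects.get (for the Infisical service account)` and `Infisical uses scope:https://www.googleapis.com/auth/cloud-platform.read-only`, and the replacement gcp-auth.mdx does not carry those two facts forward; move them into the new page's Service Account JSON guidance before removing this file. Removing the leaked working notes (the project number 512461120021 and the pasted `has not been used in project ... before or it is disabled` error) is correct and they should not come back. Also confirm whether the backend still serves `/api/v1/auth/gcp-iam-auth/login`, since every request on this page pointed there while the new page only documents `/api/v1/auth/gcp-auth/login`; if the route was renamed, the new page should say so, because existing SDK and agent configurations will otherwise break silently.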
diff --git a/docs/documentation/platform/identities/machine-identities.mdx b/docs/documentation/platform/identities/machine-identities.mdx
index e4b93053ca..cd8ab2cbec 100644
--- a/docs/documentation/platform/identities/machine-identities.mdx
+++ b/docs/documentation/platform/identities/machine-identities.mdx
@@ -7,7 +7,7 @@ description: "Learn how to use Machine Identities to programmatically interact w
An Infisical machine identity is an entity that represents a workload or application that require access to various resources in Infisical. This is conceptually similar to an IAM user in AWS or service account in Google Cloud Platform (GCP).
-Each identity must authenticate with the Infisical API using a supported authentication method like [Universal Auth](/documentation/platform/identities/universal-auth), [AWS IAM Auth](/documentation/platform/identities/aws-iam-auth), or [GCP IAM Auth](/documentation/platform/identities/gcp-iam-auth) to get back a short-lived access token to be used in subsequent requests.
+Each identity must authenticate with the Infisical API using a supported authentication method like [Universal Auth](/documentation/platform/identities/universal-auth), [AWS IAM Auth](/documentation/platform/identities/aws-iam-auth), or [GCP IAM Auth](/documentation/platform/identities/gcp-auth) to get back a short-lived access token to be used in subsequent requests.

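Review bot: the link text still reads `[GCP IAM Auth](/documentation/platform/identities/gcp-auth)` although the target page is now titled GCP Auth and also covers GCE instances; rename the link to GCP Auth so readers of this overview learn that the GCE option exists rather than assuming only service-account JWTs are supported.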
@@ -39,7 +39,7 @@ To interact with various resources in Infisical, Machine Identities are able to
- [Universal Auth](/documentation/platform/identities/universal-auth): A platform-agnostic authentication method that can be configured on an identity suitable to authenticate from any platform/environment.
- [AWS IAM Auth](/documentation/platform/identities/aws-iam-auth): An AWS-native authentication method for IAM principals like EC2 instances or Lambda functions to authenticate with Infisical.
-- [GCP IAM Auth](/documentation/platform/identities/gcp-iam-auth): A GCP-native authentication method for IAM service accounts to authenticate with Infisical.
+- [GCP IAM Auth](/documentation/platform/identities/gcp-auth): A GCP-native authentication method for IAM service accounts to authenticate with Infisical.
## FAQ
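Review bot: same mismatch as the previous hunk: the bullet `- [GCP IAM Auth](/documentation/platform/identities/gcp-auth): A GCP-native authentication method for IAM service accounts to authenticate with Infisical.` keeps the old name and description; rewrite it as GCP Auth and describe it as covering both GCE instances (instance identity tokens) and IAM service accounts (signed JWTs), mirroring the AWS bullet directly above it, which lists EC2 instances and Lambda functions.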
diff --git a/docs/images/platform/identities/identities-org-create-gcp-gce-auth-method.png b/docs/images/platform/identities/identities-org-create-gcp-gce-auth-method.png
new file mode 100644
index 0000000000..779c268842
Binary files /dev/null and b/docs/images/platform/identities/identities-org-create-gcp-gce-auth-method.png differ
diff --git a/docs/images/platform/identities/identities-org-create-gcp-iam-auth-method.png b/docs/images/platform/identities/identities-org-create-gcp-iam-auth-method.png
index 67d9068512..f26e864735 100644
Binary files a/docs/images/platform/identities/identities-org-create-gcp-iam-auth-method.png and b/docs/images/platform/identities/identities-org-create-gcp-iam-auth-method.png differ
diff --git a/docs/mint.json b/docs/mint.json
index 976d5df37d..916a9ca2f3 100644
--- a/docs/mint.json
+++ b/docs/mint.json
@@ -154,7 +154,7 @@
"documentation/platform/token",
"documentation/platform/identities/universal-auth",
"documentation/platform/identities/aws-iam-auth",
- "documentation/platform/identities/gcp-iam-auth",
+ "documentation/platform/identities/gcp-auth",
"documentation/platform/mfa",
{
"group": "SSO",
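Review bot: replacing `documentation/platform/identities/gcp-iam-auth` with `documentation/platform/identities/gcp-auth` in the navigation leaves the old URL returning 404 for anyone holding a bookmark or an external link (the machine-identities page itself linked it until this change); add an entry to the `redirects` array in mint.json mapping `/documentation/platform/identities/gcp-iam-auth` to `/documentation/platform/identities/gcp-auth` so the rename is not a broken link.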
diff --git a/frontend/src/views/Org/MembersPage/components/OrgIdentityTab/components/IdentitySection/IdentityGcpAuthForm.tsx b/frontend/src/views/Org/MembersPage/components/OrgIdentityTab/components/IdentitySection/IdentityGcpAuthForm.tsx
index ce9a70187c..ecfac5f451 100644
--- a/frontend/src/views/Org/MembersPage/components/OrgIdentityTab/components/IdentitySection/IdentityGcpAuthForm.tsx
+++ b/frontend/src/views/Org/MembersPage/components/OrgIdentityTab/components/IdentitySection/IdentityGcpAuthForm.tsx
@@ -200,6 +200,27 @@ export const IdentityGcpAuthForm = ({
return (