
I have an issue and wasn't able to find any docs; maybe I'm missing something.

We are going to use this method. I've deployed a service and Vault in GKE in one project and it works fine. I used this article for the configuration. So, I created separate roles in Vault for each project and bound them to the Workload Identity service accounts of each application. The role for the service in the other project has the bound_projects variable set to the name of that project.

When I try to log in or run the application in the other project, it shows these errors in the console:

```
[RequestedSecret [path='secret/secret_path', mode=ROTATE]] Lease [leaseId='null', leaseDuration=PT0S, renewable=false] Cannot login using GCP-IAM: could not find service account 'projects/-/serviceAccounts/<service_name>': googleapi: Error 403: Permission iam.serviceAccounts.get is required to perform this operation on service account projects/-/serviceAccounts/<service_name>., forbidden; nested exception is org.springframework.web.client.HttpServerErrorException$InternalServerError: 500 Internal Server Error: [{"errors":["could not find service account 'projects/-/serviceAccounts/<service_name>': googleapi: Error 403: Permission iam.serviceAccounts.get is required to perform this operation on service account projects/-/serviceAccounts/<service_name>., forbidden"]} ]
```

When I try to log in from the console via this SA I get the following. I have this user and a role with this permission attached to it:

```
$ vault login -method=gcp role="my-iam-role-preprod" service_account="sa_name" project="project_id" jwt_exp="15m" credentials=@cred.json
Error authenticating: Error making API request.

URL: PUT <vault_addr>/v1/auth/gcp/login
Code: 500. Errors:

* could not find service account 'projects/-/serviceAccounts/sa_name': googleapi: Error 403: Permission iam.serviceAccounts.get is required to perform this operation on service account projects/-/serviceAccounts/sa_name., forbidden
```

I have the Service Account Token Creator role assigned to the SA in the other project, and the Browser and Service Account Key Admin roles assigned to the Vault service account in the project where Vault is deployed.

The Vault version is v1.7.3. GKE is 1.19.10-gke.1600.

  • First, I would suggest sharing more information about your configuration. Could you please share Vault's related configuration? We could follow some possible root causes suggested in a [similar question about Vault in GKE permission denied](https://stackoverflow.com/questions/64193339/permission-denied-when-authenticating-pod-to-external-vault-service-running-on-g). – Pit Jul 22 '21 at 12:22
  • I took a look at the link you shared, but I don't use Kubernetes authentication; I use [GCP-IAM](https://cloud.spring.io/spring-cloud-vault/reference/html/#vault.config.authentication.gcpiam). I shared the configuration in another answer to this post. – Rafik Alimardanov Jul 22 '21 at 13:16

0 Answers
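Editor's note, not part of the question or its comments. For IAM-type logins Vault's GCP auth method looks up the authenticating service account (`projects/-/serviceAccounts/<email>` in the error) and needs `iam.serviceAccounts.get` and `iam.serviceAccountKeys.get` on it, which is exactly the permission the 403 above names. GCP IAM roles granted in the project where Vault runs apply only to resources in that project, so for a client service account in another project the grant has to be made on that service account (or in its project). The script below is an added example that wires this up with `gcloud` and the Vault CLI and then repeats the login from the question. The project names, service-account emails, role id `vaultIamAuth`, policy name `preprod-secrets` and key file `cred.json` are assumptions; it defaults to a dry run that only prints the commands it would execute.

```shell
#!/bin/sh
# Added example (not from the post). Grants Vault's own service account the
# two permissions the GCP auth method (type=iam) needs on a client service
# account that lives in another project, then writes the Vault role and runs
# the same login the post shows. Every project/SA name below is an assumption.
set -eu

VAULT_PROJECT="${VAULT_PROJECT:-vault-project}"   # project where Vault runs (assumed)
APP_PROJECT="${APP_PROJECT:-app-project}"         # project of the client workload (assumed)
VAULT_SA="vault-server@${VAULT_PROJECT}.iam.gserviceaccount.com"   # assumed name
APP_SA="my-service@${APP_PROJECT}.iam.gserviceaccount.com"         # assumed name
ROLE_NAME="my-iam-role-preprod"

# Permissions Vault documents for IAM-type logins; the 403 in the post names the first.
VAULT_IAM_PERMS="iam.serviceAccounts.get,iam.serviceAccountKeys.get"

# DRY_RUN=1 (default) prints each gcloud/vault command instead of running it,
# so the IAM changes can be reviewed first; DRY_RUN=0 applies them.
DRY_RUN="${DRY_RUN:-1}"
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s ' "$@"; printf '\n'; else "$@"; fi
}

# Project a service-account email belongs to:
#   my-service@app-project.iam.gserviceaccount.com -> app-project
sa_project() {
  domain="${1#*@}"
  printf '%s\n' "${domain%%.iam.gserviceaccount.com}"
}

# Mirrors the bound_projects check: the SA's project must be in the
# comma-separated list, otherwise Vault rejects the login regardless of IAM.
sa_in_bound_projects() {
  proj="$(sa_project "$1")"
  case ",$2," in *",${proj},"*) return 0 ;; esac
  return 1
}

grant_vault_access() {
  # A role granted in VAULT_PROJECT gives nothing on a service account in
  # APP_PROJECT, so the binding has to be made on that account.
  # 1. Least-privilege custom role holding only the two permissions.
  run gcloud iam roles create vaultIamAuth --project="$APP_PROJECT" \
      --title="Vault GCP IAM auth" --permissions="$VAULT_IAM_PERMS"
  # 2. Bind it to Vault's SA on the client SA resource itself, not project-wide.
  run gcloud iam service-accounts add-iam-policy-binding "$APP_SA" \
      --project="$APP_PROJECT" \
      --member="serviceAccount:${VAULT_SA}" \
      --role="projects/${APP_PROJECT}/roles/vaultIamAuth"
  # 3. The client SA signs its own login JWT, so it needs Token Creator on itself.
  run gcloud iam service-accounts add-iam-policy-binding "$APP_SA" \
      --project="$APP_PROJECT" \
      --member="serviceAccount:${APP_SA}" \
      --role="roles/iam.serviceAccountTokenCreator"
}

create_vault_role() {
  sa_in_bound_projects "$APP_SA" "$APP_PROJECT" || {
    echo "refusing: $APP_SA is not covered by bound_projects=$APP_PROJECT" >&2; return 1; }
  run vault write "auth/gcp/role/${ROLE_NAME}" type="iam" \
      bound_projects="$APP_PROJECT" \
      bound_service_accounts="$APP_SA" \
      token_policies="preprod-secrets"      # policy name assumed
}

login_check() {
  # Same command as in the post, with a key file for APP_SA (cred.json assumed).
  run vault login -method=gcp role="$ROLE_NAME" service_account="$APP_SA" \
      project="$APP_PROJECT" jwt_exp="15m" credentials=@cred.json
}

grant_vault_access
create_vault_role
login_check
```

Run it once as-is to review the commands, then with `DRY_RUN=0 VAULT_PROJECT=... APP_PROJECT=...` to apply them. Binding the custom role on the client service account rather than at project level keeps Vault's server identity from being able to read every service account in the application project; if the login still fails with the same 403 after the grant, check that Vault is actually calling Google as the service account you bound (`gcloud iam service-accounts get-iam-policy "$APP_SA"` shows the bindings on the client account).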