
GKE WLI sends wrong ID for JWT signing #484

Open · 3 tasks done
halradaideh opened this issue Jul 18, 2024 · 3 comments
Labels
area/auth area/provider/gcp area/provider/vault kind/bug Categorizes issue or PR as related to a bug. lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed.

Comments

halradaideh commented Jul 18, 2024

Preflight Checklist

  • I have searched the issue tracker for an issue that matches the one I want to file, without success.
  • I am not looking for support or already pursued the available support channels without success.
  • I agree to follow the Code of Conduct.

Vault Secrets Webhook Version

1.21.0

Installation Type

Official Helm chart

Bank-Vaults Version

No response

Kubernetes Version

1.29.6

Kubernetes Distribution/Provisioner

GKE

Expected Behavior

Authentication should happen by sending the GSA bound to the GKE WLI KSA to sign the JWT request.

Actual Behavior

It is sending the WLI pool of the GKE cluster instead.

Steps To Reproduce

  1. Install the webhook via the Helm chart.
  2. Configure it to use Vault and the gcp-iam auth method:

```yaml
env:
  VAULT_SKIP_VERIFY: "true"
  VAULT_ADDR: "https://X:8200"
  VAULT_ROLE: "read_all_secrets"
  VAULT_AUTH_METHOD: gcp-iam
  VAULT_PATH: gcp
```

  3. Deploy an app that requires a secret.

Configuration

No response

Logs

time=X level=ERROR msg="failed to request new Vault token" app=vault-env err="unable to sign JWT for authenticating to GCP: unable to sign JWT: rpc error: code = InvalidArgument desc = Invalid form of account ID PROJECT_ID.svc.id.goog. Should be [Gaia ID |Email |Unique ID |] of the account"

Additional Information

I was able to sign in externally using an SA key directly, so Vault and the GCP auth method work.
(Note: the SA key is the same GSA used for WLI in GKE's KSA.)

A note: inside the pod I tried logging in with debug mode via the vault CLI and got this error, which is weird:

```console
/tmp # vault login -method=gcp role="read_all_secrets" jwt_exp="15m"
Error authenticating: Error making API request.

URL: PUT https://X:8200/v1/auth/gcp/login
Code: 400. Errors:

* role requires that service account JWTs expire within 900 seconds
```
@halradaideh halradaideh added the kind/bug Categorizes issue or PR as related to a bug. label Jul 18, 2024
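The two errors in the report come from two separate checks in the gcp-iam login flow: the IAM Credentials signJwt call only accepts a service account email or numeric unique ID as the account to sign with (the Workload Identity pool name PROJECT_ID.svc.id.goog is neither), and Vault's gcp auth role rejects a JWT whose exp lies beyond Vault's own clock plus the role's max_jwt_exp (900 seconds by default). The Go program below is an added illustration, not code from bank-vaults or from HashiCorp Vault: it builds the claim set the iam login type expects (sub = service account email, aud = "vault/<role>", exp), refuses a pool-form account ID locally before any RPC would be made, and reproduces the server-side expiry check to show why a ttl equal to the limit can fail when the client's clock runs ahead of Vault's. The function names, the account-ID classification heuristic, and the sample identifiers are this example's own assumptions; the clock-skew reading of the second error is an inference, not something the issue confirms.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
	"unicode"
)

// Identifier forms the IAM Credentials signJwt API accepts for the
// serviceAccounts resource, per the error text in the issue's log
// ("[Gaia ID | Email | Unique ID]"). The classification is this
// example's own heuristic, not the API's rule.
type accountIDForm int

const (
	formInvalid accountIDForm = iota
	formEmail
	formUniqueID
)

// classifyAccountID decides whether id can name a service account for
// signJwt. A Workload Identity pool such as "PROJECT_ID.svc.id.goog"
// (what the GKE metadata server reports in the failing setup) is
// neither an email nor a numeric ID, so it is rejected up front.
func classifyAccountID(id string) accountIDForm {
	if id == "" {
		return formInvalid
	}
	allDigits := true
	for _, r := range id {
		if !unicode.IsDigit(r) {
			allDigits = false
			break
		}
	}
	if allDigits {
		return formUniqueID
	}
	if at := strings.Index(id, "@"); at > 0 && strings.Contains(id[at+1:], ".") {
		return formEmail
	}
	return formInvalid
}

// signJWTResourceName returns the resource signJwt is called against
// ("projects/-/serviceAccounts/<account>"), turning the remote
// InvalidArgument error into a local one for unusable identifiers.
func signJWTResourceName(account string) (string, error) {
	if classifyAccountID(account) == formInvalid {
		return "", fmt.Errorf("invalid form of account ID %q: need an email or unique ID, not a workload identity pool", account)
	}
	return "projects/-/serviceAccounts/" + account, nil
}

// vaultGCPIAMClaims is the claim set Vault's gcp auth method expects for
// the iam login type: sub is the service account email, aud is
// "vault/<role>", exp bounds the token's life.
type vaultGCPIAMClaims struct {
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// buildClaims assembles the JSON payload handed to signJwt.
func buildClaims(saEmail, role string, now time.Time, ttl time.Duration) ([]byte, error) {
	if classifyAccountID(saEmail) != formEmail {
		return nil, errors.New("sub must be the service account email")
	}
	return json.Marshal(vaultGCPIAMClaims{
		Sub: saEmail,
		Aud: "vault/" + role,
		Exp: now.Add(ttl).Unix(),
	})
}

// expWithinRole approximates the server-side check behind the issue's
// second error ("role requires that service account JWTs expire within
// 900 seconds"): exp must not be later than Vault's own now plus the
// role's max_jwt_exp. Because it runs on Vault's clock, a client whose
// clock is ahead fails at a ttl that equals the limit exactly.
func expWithinRole(exp int64, vaultNow time.Time, maxJWTExp time.Duration) bool {
	return !time.Unix(exp, 0).After(vaultNow.Add(maxJWTExp))
}

func main() {
	// Constructed sample identifiers, not values from the issue's environment.
	pool := "PROJECT_ID.svc.id.goog"
	gsa := "vault-auth@PROJECT_ID.iam.gserviceaccount.com"

	if _, err := signJWTResourceName(pool); err != nil {
		fmt.Println("rejected locally:", err)
	}
	name, _ := signJWTResourceName(gsa)
	fmt.Println("signJwt resource:", name)

	now := time.Date(2024, 7, 18, 12, 0, 0, 0, time.UTC)
	claims, _ := buildClaims(gsa, "read_all_secrets", now, 5*time.Minute)
	fmt.Println("claims:", string(claims))

	// Client clock 30s ahead of Vault with ttl exactly 15m: rejected.
	var c vaultGCPIAMClaims
	exact, _ := buildClaims(gsa, "read_all_secrets", now.Add(30*time.Second), 15*time.Minute)
	_ = json.Unmarshal(exact, &c)
	fmt.Println("15m ttl with 30s skew accepted:", expWithinRole(c.Exp, now, 15*time.Minute))
}
```

The practical check this suggests for the report: log the account identifier the client is about to pass to signJwt before the RPC, and when testing the role with the vault CLI, use a jwt_exp comfortably below the role's max_jwt_exp (for example 5m against the 15m default) so clock differences between pod and Vault do not push exp over the limit.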
halradaideh (Author) commented

@ramizpolic any idea?

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Sep 22, 2024
halradaideh (Author) commented

Issue still exists.

@csatib02 csatib02 added area/auth area/provider/gcp area/provider/vault and removed lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. labels Sep 22, 2024
@bank-vaults bank-vaults deleted a comment from github-actions bot Sep 22, 2024
github-actions bot commented

Thank you for your contribution! This issue has been automatically marked as stale because it has no recent activity in the last 60 days. It will be closed in 20 days, if no further activity occurs. If this issue is still relevant, please leave a comment to let us know, and the stale label will be automatically removed.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Nov 24, 2024
Development

No branches or pull requests

2 participants