You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Good day,
Does this plugin supports multiple project authentication with vault?
I have 2 projects in one of them is my GKE cluster with deployed Vault. I use Spring Cloud Vault for application bootstrap.
Everything is working fine for application also running inside this cluster, it's able to get secrets and etc. Config was done using this docs.
I can't authenticate using service account inside another project. I get such kind of errors inside my application:
[RequestedSecret [path='secret/secret_path', mode=ROTATE]] Lease [leaseId='null', leaseDuration=PT0S, renewable=false] Cannot login using GCP-IAM: could not find service account 'projects/-/serviceAccounts/<service_name>': googleapi: Error 403: Permission iam.serviceAccounts.get is required to perform this operation on service account projects/-/serviceAccounts/<service_name>., forbidden; nested exception is org.springframework.web.client.HttpServerErrorException$InternalServerError: 500 Internal Server Error: [{"errors":["could not find service account 'projects/-/serviceAccounts/<service_name>': googleapi: Error 403: Permission iam.serviceAccounts.get is required to perform this operation on service account projects/-/serviceAccounts/<service_name>., forbidden"]} ]
And such kind of errors when I try to login via GCP console:
Error authenticating: Error making API request.
URL: PUT <vault_addr>/v1/auth/gcp/login Code: 500. Errors:
could not find service account 'projects/-/serviceAccounts/<sa_name>': googleapi: Error 403: Permission
iam.serviceAccounts.get is required to perform this operation on service account projects/-/serviceAccounts/<sa_name>.,
forbidden
Config done from my side is like this:
I've configured vault in dev-mode using helm chart. Then created workload identity user for cluster to use and add annotations to vault service account inside GKE. It has browser and service account key admin permissions.
For application in the same project, I added service account token creator to workload identity user used by this application.
Inside vault, I've enabled gcp authentication, created secret, policy with read capabilities to this secret and created role:
So inside one project it works as expected. When I try to do the same from another project, it throughs an errors mentioned above. I wasn't able to find any info about how authentication to vault can be configured for cross project. For second project I've created role named my-iam-role-preprod.
The text was updated successfully, but these errors were encountered:
Good day,
Does this plugin supports multiple project authentication with vault?
I have 2 projects in one of them is my GKE cluster with deployed Vault. I use Spring Cloud Vault for application bootstrap.
Everything is working fine for application also running inside this cluster, it's able to get secrets and etc. Config was done using this docs.
I can't authenticate using service account inside another project. I get such kind of errors inside my application:
And such kind of errors when I try to login via GCP console:
Config done from my side is like this:
I've configured vault in dev-mode using helm chart. Then created workload identity user for cluster to use and add annotations to vault service account inside GKE. It has browser and service account key admin permissions.
For application in the same project, I added service account token creator to workload identity user used by this application.
Inside vault, I've enabled gcp authentication, created secret, policy with read capabilities to this secret and created role:
This is my bootstrap.properties file:
So inside one project it works as expected. When I try to do the same from another project, it throughs an errors mentioned above. I wasn't able to find any info about how authentication to vault can be configured for cross project. For second project I've created role named my-iam-role-preprod.
The text was updated successfully, but these errors were encountered: