
Error authenticating on Google Cloud Cloud Run Job - Error 400: Invalid form of account ID default. Should be [Gaia ID |Email |Unique ID |] of the account, badRequest #183

Closed
jkhuang-42 opened this issue Sep 1, 2023 · 4 comments

Comments

@jkhuang-42

Hello there,

I am trying to use Vault enterprise version 13.1 (https://hub.docker.com/layers/hashicorp/vault-enterprise/1.13.1-ent/images/sha256-011333bae83920631fe6d1a3f6c20707a1b56d9c7b56d0357b2127739ea885e8?context=explore)

I want to run the Vault agent in Cloud Run as a Job (Cloud Run Service can be another option as well)

I have set up my service account ([email protected]) with the roles

ServiceAccountKeyAdmin and serviceAccountTokenCreator

I have created a simple docker image where the vault image and alpine image are pulled, then in the entrypoint it just runs the
vault agent -config /vault-agent/agent.hcl command

The agent.hcl file looks like this

exit_after_auth = false
pid_file        = "/pid/pidfile"

vault {
  address = "{my vault address here}:8200"
  retry {
    num_retries = 3
  }
}
auto_auth {
  method "gcp" {
    mount_path = "auth/gcp_poc"
    config = {
      type = "iam"
      role = "gcp-iam-role"
    }
  }

}

listener "tcp" {
  address = "127.0.0.1:8100"
  tls_disable = true
}

api_proxy {
  use_auto_auth_token = "force"
  enforce_consistency = "always"
}

On the vault server side I have set up a GCP IAM vault role (as the GCE role cannot be used)

vault write auth/gcp_poc/role/gcp-iam-role \
    type="iam" \
    policies="dev" \
    bound_service_accounts="[email protected]"

When the Google Cloud Run Job starts, we do see the vault agent has started as we can see from the message

[screenshot of the agent startup log, not reproduced]

However, below that, there is an error here.

"2023-08-31T18:17:22.512Z [ERROR] agent.auth.handler: error getting path or data from method: error="unable to sign JWT for projects/-/serviceAccounts/default using given Vault credentials: googleapi: Error 400: Invalid form of account ID default. Should be [Gaia ID |Email |Unique ID |] of the account, badRequest" backoff=1s"

I am confused by this error because I am running this job using a specific service account and not the default service account. It also should have the capabilities for signing JWTs.

Any help or information regarding this would be greatly appreciated.
Thanks
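An added example, not the reporter's file or HashiCorp's own configuration: the same agent.hcl as above with the auto_auth method told explicitly which service account to sign with. The resource name in the error, projects/-/serviceAccounts/default, shows that the agent fell back to the literal alias "default" for the signJwt call, and the IAM API only accepts an email or unique ID in that position. The gcp auto-auth method documents a service_account option for exactly this situation. The Vault address and the service account email below are placeholders; the email is assumed to be the one the Cloud Run job runs as, and it must match the bound_service_accounts value on the Vault role.

```hcl
# agent.hcl (added example). Identical to the posted config except for the
# explicit service_account, so the agent's signJwt request names an email
# instead of the metadata alias "default".
exit_after_auth = false
pid_file        = "/pid/pidfile"

vault {
  address = "https://vault.example.com:8200" # placeholder, use your own address
  retry {
    num_retries = 3
  }
}

auto_auth {
  method "gcp" {
    mount_path = "auth/gcp_poc"
    config = {
      type = "iam"
      role = "gcp-iam-role"
      # Placeholder email: the service account the Cloud Run job runs as.
      # It needs iam.serviceAccounts.signJwt on itself, which the
      # serviceAccountTokenCreator role granted in the post already carries,
      # and it must be listed in the Vault role's bound_service_accounts.
      service_account = "vault-agent@my-project.iam.gserviceaccount.com"
    }
  }
}

listener "tcp" {
  address     = "127.0.0.1:8100"
  tls_disable = true
}

api_proxy {
  use_auto_auth_token = "force"
  enforce_consistency = "always"
}
```

To confirm which account the job actually runs as before hard-coding it, query the metadata server from inside the container: curl -sH "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email. That returned email is the value to put in service_account and in the Vault role. Note that the ServiceAccountKeyAdmin role granted in the post is not needed for the iam auth type, which only signs a short-lived JWT and never creates keys; it is a high-privilege grant and is better removed.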

@heatherezell

Hello! If you are using Vault Enterprise, have you filed a support ticket? Also, posting on our Discuss forum is often a great way of getting questions answered by fellow practitioners who may have seen your situation or error before. Let me know - thanks!

@jkhuang-42

I have created a support ticket https://support.hashicorp.com/hc/en-us/requests/122408
and also posted on the forum, will look forward to hearing back

@heatherezell

Since this is more of a support request, I'm going to go ahead and close this issue now. If you would like to file a bug report or an enhancement request, please feel free to open a new issue. Thanks!

@halradaideh

What was the problem?
I am trying this with GKE WLI, and I get this error

time=2024-07-18T20:42:16.355Z level=ERROR msg="failed to request new Vault token" app=vault-env err="unable to sign JWT for authenticating to GCP: unable to sign JWT: rpc error: code = InvalidArgument desc = Invalid form of account ID X.svc.id.goog. Should be [Gaia ID |Email |Unique ID |] of the account"
