
Unable to create roleset with custom path #189

Closed
believerjo opened this issue Nov 30, 2023 · 4 comments

Comments


believerjo commented Nov 30, 2023

I'm trying to create GCP auth with a custom path like:

vault auth enable -path=<custom-path> gcp

However, I'm unable to create a roleset for this, getting an error:

vault write auth/<custom-path>/roleset/poc-sm-token \
    project=$GCP_PROJECT_ID \
    secret_type="access_token"  \
    token_scopes="https://www.googleapis.com/auth/cloud-platform" \
    [email protected]
Error writing data to auth/<custom-path>/roleset/poc-59-sm-token: Error making API request.

URL: PUT https://poc-vault.cloudtribe.five9lab.com/v1/auth/<custom-path>/roleset/poc-59-sm-token
Code: 404. Errors:

* 1 error occurred:
	* unsupported path

Any help is highly appreciated.

@austingebauer
Contributor

Hi @believerjo. I think you're mixing Vault's GCP auth method with its GCP secrets engine. The GCP auth method doesn't have a roleset resource hence the 404.

@believerjo
Author

Hi @austingebauer, thank you for replying. I'm trying to figure out if I can tie multiple GCP service accounts to Vault so that I can generate access tokens for CI jobs instead of storing service account credentials within CI.

I was following this https://developer.hashicorp.com/vault/tutorials/secrets-management/gcp-secrets-engine#lab-setup

I created the default config

vault write gcp/config \
    ttl="2m" \
    max_ttl="10m" \
    credentials=@$TUTORIAL_TEMP/VaultServiceAccountKey.json

without issues.

Now I need to bind another SA; I was able to create the config as below:

vault write auth/project-123/config \
    ttl="2m" \
    max_ttl="10m" \
    credentials=@$TUTORIAL_TEMP/VaultServiceAccountKey2.json

But I'm not sure how to create the roleset, hence I asked for help.

I think you are right that I'm mixing things up. Any idea if it is even possible to use a GCP secrets engine with multiple SAs (in effect, to tie different GCP projects to generate access tokens)?

austingebauer commented Dec 5, 2023

Gotcha! What you're trying to do seems possible. Are you sure that you need the GCP auth method at this point? I'm not seeing any reference to the GCP auth method in that tutorial.

You can create many different GCP secrets engine instances within Vault. Each could use a different service account and target different GCP projects. You should be able to enable additional GCP secrets engines using something like:

vault secrets enable -path=gcp1 gcp
vault write gcp1/config \
    ttl="2m" \
    max_ttl="10m" \
    credentials=@example_service_account_key_1.json

vault secrets enable -path=gcp2 gcp
vault write gcp2/config \
    ttl="2m" \
    max_ttl="10m" \
    credentials=@example_service_account_key_2.json

Notice that the "paths" are different in the vault write [path]/config ... commands.

@fairclothjm
Contributor

We reserve GitHub issues for bug reports and feature requests, which this doesn't appear to be. As such, I'm going to close this and suggest that you ask about this at Vault.
