GoogleCloudPlatform / berglas

A tool for managing secrets on Google Cloud
https://cloud.google.com/secret-manager
Apache License 2.0

document required scopes and where to set them #80

Closed josharian closed 4 years ago

josharian commented 4 years ago

Thanks very much for Berglas. I was very excited to find a native Go option for secret management.

I'm having a hard time figuring out how to set sufficient scopes for my service account to read secrets. I'm using berglas.Replace. The error I'm getting (mildly redacted) is:

failed to access secret BUCKET/SECRET: failed to access secret: failed to decrypt dek: rpc error: code = PermissionDenied desc = Request had insufficient authentication scopes.

I don't see anything documented about what permissions the service account needs (or for that matter, how to provide them). I gave it IAM roles Storage Object Viewer and Cloud KMS CryptoKey Decrypter.

Apologies for what is definitely a naive and possibly also a stupid question. Thanks.

sethvargo commented 4 years ago

Hi @josharian

Scopes are not the same as permissions. Berglas requires the cloud-platform scope. For permissions, access needs roles/cloudkms.cryptoKeyDecrypter on the Crypto Key. It also needs the roles/storage.legacyObjectReader and roles/storage.objectViewer permissions. Let me know if that helps.

josharian commented 4 years ago

Yes, thanks!

For others who may encounter this issue, I set the various permissions via the console. I couldn't find a way to add the required scope in the console, but following https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#changeserviceaccountandscopes I ran:

gcloud compute instances set-service-account INSTANCE --service-account SERVICE_ACCOUNT --scopes cloud-platform

And that did it.

I think it'd be good to document the required scopes and permissions, but I'm not sure exactly how or where (or else I'd send a docs PR).
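The two fixes discussed in this thread answer two different PermissionDenied errors that look alike at first glance: one comes from the OAuth scope attached to the instance's token, the other from the IAM roles bound on the key or bucket. The following Go triage helper, added here as an illustration and not part of Berglas or of any comment above, separates the two from the error text. It assumes the error was formatted by the gRPC status package ("rpc error: code = X desc = Y"), that Berglas wraps the KMS call with "failed to decrypt dek" as shown in the issue, and (our assumption, not documented on the page) that any other "failed to access secret" error came from the Cloud Storage read. The instance and service account names are placeholders.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Diagnosis is the outcome of triaging a Berglas access error. The thread
// shows two distinct failure modes behind the same PermissionDenied code:
// a missing OAuth scope on the instance (fixed with gcloud ... --scopes) and
// a missing IAM role on the key or bucket (fixed with an IAM binding).
type Diagnosis struct {
	Stage  string // "kms" or "storage": which backend call Berglas was making
	Code   string // gRPC status code parsed from the error text, "" if absent
	Cause  string // "scope", "iam" or "unknown"
	Remedy string // the corrective step the thread arrived at
}

// grpcStatus matches the tail that google.golang.org/grpc produces when a
// status error is formatted with %v: "rpc error: code = X desc = Y".
var grpcStatus = regexp.MustCompile(`rpc error: code = (\w+) desc = (.*)$`)

// Triage classifies an error string such as the one berglas.Replace returned
// in the issue. Stage detection keys on "failed to decrypt dek" (from the
// thread) for KMS; treating everything else as the Storage read is an
// assumption made for this example, not Berglas' documented behaviour.
func Triage(errText, instance, serviceAccount string) Diagnosis {
	d := Diagnosis{Stage: "storage", Cause: "unknown"}
	if strings.Contains(errText, "failed to decrypt dek") {
		d.Stage = "kms"
	}
	m := grpcStatus.FindStringSubmatch(errText)
	if m == nil {
		d.Remedy = "not a gRPC status error; inspect the wrapped error"
		return d
	}
	d.Code = m[1]
	desc := m[2]
	if d.Code != "PermissionDenied" {
		d.Remedy = "status " + d.Code + " is not an authorization failure"
		return d
	}
	// Scope errors are reported by the API front end before IAM is consulted,
	// so granting more roles will not change this message.
	if strings.Contains(strings.ToLower(desc), "insufficient authentication scopes") {
		d.Cause = "scope"
		d.Remedy = fmt.Sprintf(
			"gcloud compute instances set-service-account %s --service-account %s --scopes cloud-platform",
			instance, serviceAccount)
		return d
	}
	// Any other PermissionDenied means the scope was sufficient and IAM
	// rejected the call; the role depends on which backend was being called.
	d.Cause = "iam"
	switch d.Stage {
	case "kms":
		d.Remedy = "grant roles/cloudkms.cryptoKeyDecrypter to " + serviceAccount + " on the CryptoKey"
	default:
		d.Remedy = "grant roles/storage.objectViewer (and roles/storage.legacyObjectReader) to " +
			serviceAccount + " on the bucket"
	}
	return d
}

func main() {
	// Constructed samples: the first is the error quoted in the issue, the
	// second is a made-up IAM-style denial with the same code but a different
	// description, to show the two branches diverging.
	samples := []string{
		"failed to access secret BUCKET/SECRET: failed to access secret: failed to decrypt dek: rpc error: code = PermissionDenied desc = Request had insufficient authentication scopes.",
		"failed to access secret BUCKET/SECRET: failed to access secret: failed to decrypt dek: rpc error: code = PermissionDenied desc = Permission denied on resource (constructed).",
	}
	for _, s := range samples {
		d := Triage(s, "INSTANCE", "SERVICE_ACCOUNT")
		fmt.Printf("stage=%s code=%s cause=%s\n  remedy: %s\n", d.Stage, d.Code, d.Cause, d.Remedy)
	}
}
```

The useful check is the order of operations: a scope error never turns into an IAM error until the instance's scopes are widened, so the gcloud command is the first fix to apply, after which any remaining PermissionDenied points at a missing role on the specific key or bucket.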

josharian commented 4 years ago

It is still relevant, in that if I needed these docs, probably someone else does too.

I can't help move it forward, as I noted in my last comment.