Closed josharian closed 4 years ago
Hi @josharian

Scopes are not the same as permissions. Berglas requires the `cloud-platform` scope. For permissions, access needs `roles/cloudkms.cryptoKeyDecrypter` on the Crypto Key. It also needs the `roles/storage.legacyObjectReader` and `roles/storage.objectViewer` permissions. Let me know if that helps.
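The answer above draws a line between two things that both surface as `PermissionDenied`: the OAuth scope attached to the VM (which produces "Request had insufficient authentication scopes") and the IAM roles on the bucket and the KMS key. The script below is an added example, not part of this issue or of the Berglas project. It checks the instance's scopes through the Compute Engine metadata server (a real endpoint, reachable only from inside a VM) and prints the `gcloud`/`gsutil` commands that grant the scope and the three roles named above. The instance, zone, bucket, key ring and key names are placeholders; the service-account scope can only be changed while the instance is stopped.

```shell
#!/bin/sh
# Added example (not from the issue or from Berglas): separate the OAuth-scope
# problem from the IAM-role problem when berglas.Replace fails on a GCE VM.
set -eu

CLOUD_PLATFORM_SCOPE='https://www.googleapis.com/auth/cloud-platform'

# has_cloud_platform_scope SCOPES
#   SCOPES is a newline-separated scope list as the metadata server returns it.
#   Exit 0 if the cloud-platform scope is present, 1 otherwise.
has_cloud_platform_scope() {
  printf '%s\n' "$1" | grep -qx "$CLOUD_PLATFORM_SCOPE"
}

# instance_scopes
#   From inside a Compute Engine VM, list the default service account's scopes.
#   Real endpoint and header; it is unreachable from outside the VM.
instance_scopes() {
  curl -sf -H 'Metadata-Flavor: Google' \
    'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes'
}

# scope_fix_command INSTANCE ZONE SERVICE_ACCOUNT
#   Prints the command from the thread that attaches the cloud-platform scope.
#   The instance must be stopped before it is run.
scope_fix_command() {
  printf 'gcloud compute instances set-service-account %s --zone %s --service-account %s --scopes cloud-platform\n' \
    "$1" "$2" "$3"
}

# iam_fix_commands SERVICE_ACCOUNT BUCKET KEY KEYRING LOCATION
#   Prints the bindings for the three roles named in the answer. The storage
#   roles go on the bucket; the decrypter role goes on the crypto key itself
#   rather than on the whole project, which is the narrowest grant that works.
iam_fix_commands() {
  sa="serviceAccount:$1"
  printf 'gsutil iam ch %s:roles/storage.objectViewer gs://%s\n' "$sa" "$2"
  printf 'gsutil iam ch %s:roles/storage.legacyObjectReader gs://%s\n' "$sa" "$2"
  printf 'gcloud kms keys add-iam-policy-binding %s --keyring %s --location %s --member %s --role roles/cloudkms.cryptoKeyDecrypter\n' \
    "$3" "$4" "$5" "$sa"
}

# check_or_explain INSTANCE ZONE SERVICE_ACCOUNT
#   Run on the VM itself: report whether the scope is present and, if not,
#   print the command that fixes it. Exit 1 when the scope is missing, 2 when
#   the metadata server cannot be reached (i.e. not running on GCE).
check_or_explain() {
  scopes=$(instance_scopes) || { echo 'metadata server unreachable; not on a GCE VM?'; return 2; }
  if has_cloud_platform_scope "$scopes"; then
    echo 'cloud-platform scope present; a PermissionDenied now points at a missing IAM role:'
    iam_fix_commands "$3" BUCKET KEY KEYRING LOCATION
  else
    echo 'cloud-platform scope missing; stop the instance and run:'
    scope_fix_command "$1" "$2" "$3"
    return 1
  fi
}
```

The useful part is the order of the checks: confirm the scope first, because no amount of IAM role assignment will clear an "insufficient authentication scopes" error, and the Go client library on a VM inherits whatever scopes the instance was created with.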
Yes, thanks!
For others who may encounter this issue, I set the various permissions via the console. I couldn't find a way to add the required scope in the console, but following https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#changeserviceaccountandscopes I ran:

```sh
gcloud compute instances set-service-account INSTANCE --service-account SERVICE_ACCOUNT --scopes cloud-platform
```

And that did it.
I think it'd be good to document the required scopes and permissions, but I'm not sure exactly how or where (or else I'd send a docs PR).
It is still relevant, in that if I needed these docs, probably someone else does too.
I can't help move it forward, as I noted in my last comment.
Thanks very much for Berglas. I was very excited to find a native Go option for secret management.

I'm having a hard time figuring out how to set sufficient scopes for my service account to read secrets. I'm using `berglas.Replace`. The error I'm getting (mildly redacted) is:

```
failed to access secret BUCKET/SECRET: failed to access secret: failed to decrypt dek: rpc error: code = PermissionDenied desc = Request had insufficient authentication scopes.
```

I don't see anything documented about what permissions the service account needs (or for that matter, how to provide them). I gave it IAM roles Storage Object Viewer and Cloud KMS CryptoKey Decrypter.

Apologies for what is definitely a naive and possibly also a stupid question. Thanks.