Hi, I have 2 projects, infra and production.
My Vault cluster runs in infra and my Jenkins worker spins up in the production project. I also have Jenkins workers that spin up in the infra project.
The service account/IAM user applied to my infra Jenkins worker is infra-jenkins@infra-project-name.iam.gserviceaccount.com
The service account/IAM policy applied to my production Jenkins worker is infra-jenkins@production-project-name.iam.gserviceaccount.com
They both have the same permissions, including:
compute admin
editor
service account user
service account token creator
The GCE auth role created for both instances is as below:
vault read auth/gcp/role/jenkins-slave-infra
Key Value
--- -----
add_group_aliases false
bound_projects [infra-project]
bound_service_accounts [infra-jenkins@infra-project-name.iam.gserviceaccount.com]
max_ttl 2h
policies [jenkins]
type gce
vault read auth/gcp/role/jenkins-slave-production
Key Value
--- -----
add_group_aliases false
bound_projects [production-project]
bound_service_accounts [infra-jenkins@production-project-name.iam.gserviceaccount.com]
max_ttl 2h
policies [jenkins]
type gce
I authenticate with Vault using the method described here: https://petersouter.xyz/demonstrating-the-gce-auth-method-for-vault/
My infra project Jenkins worker and any other instances in this project can authenticate and retrieve secrets from Vault without issue.
However, my production Jenkins worker is unable to authenticate, based on an IAM permission I know it has assigned to it. Specifically:
Error from vault: [ "error when attempting to find instance (project production-project-name, zone: europe-west1-d, instance: jenkins-worker-production-jngotu) :unable to find instance associated with token: googleapi: Error 403: Required 'compute.instances.get' permission for 'projects/production-project-name/zones/europe-west1-d/instances/jenkins-worker-production-jngotu', forbidden" ]
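The following is an added example, not code from the original post or from Vault. It models the two halves of a Vault GCE login so the 403 above can be read correctly: the instance obtains a Google-signed identity JWT from the metadata server (`.../instance/service-accounts/default/identity?audience=vault/<role>&format=full`) and POSTs it to `auth/gcp/login`; Vault then, per the GCP auth method docs, uses its own configured credentials to call `compute.instances.get` on the `projects/<p>/zones/<z>/instances/<i>` resource named in the token's `google.compute_engine` claims. So the permission being checked in the error belongs to the identity Vault itself runs as, in the worker's project, not to the worker's service account. The JWT, the Vault service-account name (`vault-server@infra-project-name...`) and the IAM snapshot below are constructed and unsigned; the code only decodes claims and never verifies a signature.

```python
"""Added example (not from the original post or from Vault): model the
GCE auth login flow to show which identity performs compute.instances.get."""
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_gce_identity_token(project: str, zone: str, instance: str, email: str) -> str:
    """Build an UNSIGNED, constructed JWT shaped like a GCE instance identity
    token. Real tokens come from the metadata server and are RS256-signed by
    Google; Vault verifies that signature. This sample only shows the claim layout."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    payload = {
        "aud": "vault/jenkins-slave-production",  # audience = vault/<role name>
        "iss": "https://accounts.google.com",
        "email": email,
        "sub": "000000000000000000000",  # constructed placeholder
        "google": {"compute_engine": {
            "project_id": project,
            "zone": zone,
            "instance_name": instance,
            "instance_id": "0000000000000000000",  # constructed placeholder
        }},
    }
    signature = _b64url(b"constructed-signature-not-valid")
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), signature])


def decode_claims(jwt: str) -> dict:
    """Decode the JWT payload for inspection only (no signature check)."""
    payload_b64 = jwt.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def instance_resource(claims: dict) -> str:
    """The Compute resource Vault looks up with compute.instances.get."""
    ce = claims["google"]["compute_engine"]
    return f"projects/{ce['project_id']}/zones/{ce['zone']}/instances/{ce['instance_name']}"


def login_request_body(role: str, jwt: str) -> dict:
    """Body the worker POSTs to /v1/auth/gcp/login (documented API shape)."""
    return {"role": role, "jwt": jwt}


def verifier_can_get_instance(policy: dict, verifier_sa: str, project: str) -> bool:
    """policy is a constructed snapshot: {project: {member: {permission, ...}}}."""
    return "compute.instances.get" in policy.get(project, {}).get(verifier_sa, set())


def diagnose(policy: dict, verifier_sa: str, jwt: str) -> str:
    """Explain whether Vault's own identity can perform the instance lookup."""
    claims = decode_claims(jwt)
    resource = instance_resource(claims)
    project = claims["google"]["compute_engine"]["project_id"]
    if verifier_can_get_instance(policy, verifier_sa, project):
        return f"ok: {verifier_sa} can look up {resource}"
    return f"403 expected: {verifier_sa} lacks compute.instances.get on {resource}"


# --- constructed sample data ---------------------------------------------
# Assumed name for the identity the Vault server itself runs as (not in the post).
VAULT_SA = "vault-server@infra-project-name.iam.gserviceaccount.com"

# Constructed IAM snapshot: Vault's identity can read instances in infra only.
SAMPLE_POLICY = {
    "infra-project-name": {VAULT_SA: {"compute.instances.get"}},
    "production-project-name": {
        "infra-jenkins@production-project-name.iam.gserviceaccount.com": {
            "compute.instances.get",  # the worker's own SA; not what Vault uses
        },
    },
}

INFRA_TOKEN = make_sample_gce_identity_token(
    "infra-project-name", "europe-west1-d", "jenkins-worker-infra-abc123",
    "infra-jenkins@infra-project-name.iam.gserviceaccount.com")
PROD_TOKEN = make_sample_gce_identity_token(
    "production-project-name", "europe-west1-d", "jenkins-worker-production-jngotu",
    "infra-jenkins@production-project-name.iam.gserviceaccount.com")

if __name__ == "__main__":
    print(json.dumps(login_request_body("jenkins-slave-production", PROD_TOKEN))[:80] + "...")
    print(diagnose(SAMPLE_POLICY, VAULT_SA, INFRA_TOKEN))
    print(diagnose(SAMPLE_POLICY, VAULT_SA, PROD_TOKEN))
```

Run as-is, the production token is rejected while the infra token passes, reproducing the shape of the error in the post: the worker's own service account holding `compute.instances.get` does not help, because the lookup is made by whichever credentials Vault's GCP auth method was configured with. The check a practitioner wants is therefore on that identity's grants in the worker's project (a role carrying `compute.instances.get`, such as a viewer-level Compute role), not on the worker's role bindings.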