hashicorp / terraform-google-vault

A Terraform Module for how to run Vault on Google Cloud using Terraform and Packer
Apache License 2.0

Cross Project authentication not working #46

Closed sce81 closed 5 years ago

sce81 commented 5 years ago

Hi, I have 2 projects, infra and production. My vault cluster runs in infra and my jenkins worker spins up in the production project. I also have jenkins workers that spin up in the infra project. The service account/IAM user applied to my infra jenkins worker is infra-jenkins@infra-project-name.iam.gserviceaccount.com; the service account/IAM policy applied to my production jenkins worker is infra-jenkins@production-project-name.iam.gserviceaccount.com. They both have the same permissions, including

The gce auth role created for both instances is as below:

vault read auth/gcp/role/jenkins-slave-infra
Key                       Value
---                       -----
add_group_aliases         false
bound_projects            [infra-project]
bound_service_accounts    [infra-jenkins@infra-project-name.iam.gserviceaccount.com]
max_ttl                   2h
policies                  [jenkins]
type                      gce

vault read auth/gcp/role/jenkins-slave-production
Key                       Value
---                       -----
add_group_aliases         false
bound_projects            [production-project]
bound_service_accounts    [infra-jenkins@production-project-name.iam.gserviceaccount.com]
max_ttl                   2h
policies                  [jenkins]
type                      gce

I authenticate with Vault using the method described here: https://petersouter.xyz/demonstrating-the-gce-auth-method-for-vault/

My infra project jenkins worker, and any other instances in this project, can authenticate and retrieve secrets from Vault without issue.

However, my production jenkins worker is unable to authenticate, based on an IAM permission I know it has assigned to it. Specifically:

Error from vault: [ "error when attempting to find instance (project production-project-name, zone: europe-west1-d, instance: jenkins-worker-production-jngotu) :unable to find instance associated with token: googleapi: Error 403: Required 'compute.instances.get' permission for 'projects/production-project-name/zones/europe-west1-d/instances/jenkins-worker-production-jngotu', forbidden" ]

sce81 commented 5 years ago

Ah, I figured it out: the service account assigned to my Vault instance needed to be in the production account.
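The 403 quoted in the issue is raised by the Vault server, not by the Jenkins worker: for a gce-type role, Vault verifies the instance identity token by calling compute.instances.get on the instance's project, so Vault's own service account (which lives in the infra project) must be granted that permission in every project listed in bound_projects. The Terraform below is an added example, not code from this module or from the issue author; it grants the Vault service account a least-privilege cross-project binding in the production project instead of a broad role. The service account email, project IDs and role_id are assumed placeholders, and the compute.instanceGroups.list permission is an assumption about what gce-type roles with bound_instance_groups additionally need.

```hcl
# Added example (not part of terraform-google-vault or of the issue):
# let the Vault cluster's service account, which lives in the infra project,
# look up GCE instances in the production project so that gce-type logins
# from production workers can be verified. All names are assumed placeholders.

locals {
  # Service account attached to the Vault cluster instances (assumed name).
  vault_sa_email     = "vault-cluster@infra-project-name.iam.gserviceaccount.com"
  production_project = "production-project-name"
}

# Least-privilege custom role in the production project: only what the
# Vault server needs to verify a GCE identity token, nothing else.
resource "google_project_iam_custom_role" "vault_gce_auth" {
  project     = local.production_project
  role_id     = "vaultGceAuthVerifier"
  title       = "Vault GCE auth verifier"
  description = "Lets the Vault server look up instances that present GCE identity tokens"
  permissions = [
    "compute.instances.get",       # the permission named in the 403 above
    "compute.instanceGroups.list", # assumed: only required when bound_instance_groups is used
  ]
}

# Bind that role to Vault's service account. The service account itself stays
# in the infra project; only this IAM binding lives in production, so no new
# key or second service account is created for Vault.
resource "google_project_iam_member" "vault_gce_auth_production" {
  project = local.production_project
  role    = google_project_iam_custom_role.vault_gce_auth.name
  member  = "serviceAccount:${local.vault_sa_email}"
}
```

Apply this with credentials that can edit IAM on the production project, then confirm the binding is present with `gcloud projects get-iam-policy production-project-name --flatten="bindings[].members" --filter="bindings.members:serviceAccount:vault-cluster@infra-project-name.iam.gserviceaccount.com"` (substituting the real email). The predefined `roles/compute.viewer` would also clear the error, but it grants read access to every Compute resource in the project; the custom role keeps Vault's cross-project reach to the single lookup it performs. The role's bound_projects and bound_service_accounts checks still apply after the binding is added, so instances outside the bound project or running under a different service account continue to be rejected.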