hashicorp / vault-plugin-auth-gcp

GCP Authentication Plugin for Vault
Mozilla Public License 2.0

Unable to create roleset with custom path #189

Closed believerjo closed 9 months ago

believerjo commented 11 months ago

I'm trying to create gcp auth with custom path like:

vault auth enable -path=<custom-path> gcp

However, I'm unable to create a roleset for this, getting an error:

vault write auth/<custom-path>/roleset/poc-sm-token \
    project=$GCP_PROJECT_ID \
    secret_type="access_token"  \
    token_scopes="https://www.googleapis.com/auth/cloud-platform" \
    bindings=@gcpbindings-sm.hcl
Error writing data to auth/<custom-path>/roleset/poc-59-sm-token: Error making API request.

URL: PUT https://poc-vault.cloudtribe.five9lab.com/v1/auth/<custom-path>/roleset/poc-59-sm-token
Code: 404. Errors:

* 1 error occurred:
    * unsupported path

Any help is highly appreciated.

austingebauer commented 11 months ago

Hi @believerjo. I think you're mixing Vault's GCP auth method with its GCP secrets engine. The GCP auth method doesn't have a roleset resource hence the 404.

believerjo commented 11 months ago

Hi @austingebauer, thank you for replying. I'm trying to figure out if I can tie multiple GCP service accounts to Vault so that I can generate access tokens for CI jobs instead of storing service account credentials within CI.

I was following this https://developer.hashicorp.com/vault/tutorials/secrets-management/gcp-secrets-engine#lab-setup

I created the default config

vault write gcp/config \
    ttl="2m" \
    max_ttl="10m" \
    credentials=@$TUTORIAL_TEMP/VaultServiceAccountKey.json

without issues.

Now I need to bind another SA; I was able to create the config as below:

vault write auth/project-123/config \
    ttl="2m" \
    max_ttl="10m" \
    credentials=@$TUTORIAL_TEMP/VaultServiceAccountKey2.json

But I'm not sure how to create the roleset hence asked for help.

I think you are right that I'm mixing things up. Any idea if it is even possible to use a GCP secrets engine with multiple SAs (in effect, able to tie different GCP projects together to generate access tokens)?

austingebauer commented 11 months ago

Gotcha! What you're trying to do seems possible. Are you sure that you need the GCP auth method at this point? I'm not seeing any reference to the GCP auth method in that tutorial.

You can create many different GCP secrets engine instances within Vault. Each could use a different service account and target different GCP projects. You should be able to enable additional GCP secrets engines using something like:

vault secrets enable -path=gcp1 gcp
vault write gcp1/config \
    ttl="2m" \
    max_ttl="10m" \
    credentials=@example_service_account_key_1.json

vault secrets enable -path=gcp2 gcp
vault write gcp2/config \
    ttl="2m" \
    max_ttl="10m" \
    credentials=@example_service_account_key_2.json

Notice that the "paths" are different in the vault write [path]/config ... commands.
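The per-mount setup above, carried through to the roleset and the CI-side policy, as an added example that is not code from the issue or from the plugin project. Mount names, key files, project ids, roleset names and the `roles/viewer` binding are placeholders; the bindings HCL follows the GCP secrets engine's resource/roles format, and `DRY_RUN=1` prints the vault commands instead of running them.

```shell
# Added example (not from the issue or the vault-plugin-auth-gcp project):
# one GCP secrets engine mount per project, each with its own service
# account key and an access_token roleset that CI reads instead of holding
# a key. Mount names, key files, project ids and roleset names are placeholders.
set -eu

# DRY_RUN=1 prints each vault command instead of running it.
vault_cmd() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf 'vault %s\n' "$*"; else vault "$@"; fi
}

# Bindings HCL for a roleset: the issued token carries only <role> on <project>.
write_bindings() {  # <file> <project> <role>
  cat > "$1" <<EOF
resource "//cloudresourcemanager.googleapis.com/projects/$2" {
  roles = ["$3"]
}
EOF
}

# Enable a GCP secrets engine at <mount>, configure it with <key-file>, and
# create an access_token roleset for <project> from <bindings-file>.
# Prints the path CI reads to obtain a short-lived token.
setup_mount() {  # <mount> <key-file> <project> <roleset> <bindings-file>
  vault_cmd secrets enable -path="$1" gcp
  vault_cmd write "$1/config" ttl=2m max_ttl=10m credentials=@"$2"
  vault_cmd write "$1/roleset/$4" \
    project="$3" \
    secret_type=access_token \
    token_scopes=https://www.googleapis.com/auth/cloud-platform \
    bindings=@"$5"
  printf '%s/roleset/%s/token\n' "$1" "$4"
}

# Vault policy for the CI job: read-only on that one token path, nothing else.
ci_policy() {  # <mount> <roleset>
  printf 'path "%s/roleset/%s/token" {\n  capabilities = ["read"]\n}\n' "$1" "$2"
}

# Usage (two projects, two mounts):
#   write_bindings a.hcl project-a roles/viewer
#   setup_mount gcp1 key1.json project-a ci-a a.hcl   # -> gcp1/roleset/ci-a/token
#   write_bindings b.hcl project-b roles/viewer
#   setup_mount gcp2 key2.json project-b ci-b b.hcl   # -> gcp2/roleset/ci-b/token
#   ci_policy gcp1 ci-a | vault policy write ci-project-a -
```

The CI job then needs only a Vault token bound to that policy; the GCP service account key never leaves Vault.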

fairclothjm commented 9 months ago

We reserve github issues for bug reports and feature requests, which this doesn't appear to be. As such, I'm going to close this and suggest that you ask about this at Vault.