hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

Issue with GCP Artifact Registry roleset: unsupported resource type #11220

Open artifact-reg opened 3 years ago

artifact-reg commented 3 years ago

Hello, I am trying to add a permission at the Artifact Registry repository level using a Vault roleset. I got "unsupported resource type". Thanks for your support and best regards.

```
$ cat bind.hcl
resource "https://artifactregistry.googleapis.com/v1beta2/projects/prj-id/locations/europe-west1/repositories/test123" {
  roles = ["roles/artifactregistry.reader"]
}
```

```
$ ./vault write gcp/roleset/my-token-roleset project="prj-id" secret_type="access_token" token_scopes="https://www.googleapis.com/auth/cloud-platform" bindings=@bind.hcl
Error writing data to gcp/roleset/my-token-roleset: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/gcp/roleset/my-token-roleset
Code: 400. Errors:

invalid resource "https://artifactregistry.googleapis.com/v1beta2/projects/prj-id/locations/europe-west1/repositories/test123": unsupported resource type: projects/locations/repositories
```

MarvinMuuss commented 3 years ago

Hi there, we're facing the same problem when trying to create a roleset in combination with an Artifact Registry. Did you find any solution to that? BR

artifact-reg commented 3 years ago

Hi no solution yet. But as a workaround:

shanerade commented 3 years ago

Hello,

The issue here is that the auto-generated list of API resources that support SetIAMPolicy/GetIAMPolicy needs to be updated via a make update-resources after cloning and bootstrapping of the GCP plugin repo here. There's a small blurb about it here.

I'll submit a PR for this which will close this bug.
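A pre-flight check for roleset bindings, as an added example that is not part of this thread or the plugin's own code: it reduces a resource URL to the type key seen in the error above and looks it up in an allowlist. `supportedTypes`, `resourceType` and `checkBinding` are hypothetical names, the allowlist entries are constructed samples, and the derivation assumes the key is built the way the error message suggests.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed stand-in for the plugin's generated list of resource types that
// support SetIAMPolicy/GetIAMPolicy; sample entries, not the real list.
var supportedTypes = map[string]bool{"projects": true, "projects/zones/instances": true}

// resourceType drops the host and API version from a full resource URL, then
// keeps only the collection segments (every second segment is a resource ID).
func resourceType(resource string) (string, error) {
	u, err := url.Parse(resource)
	if err != nil {
		return "", err
	}
	segs := strings.Split(strings.Trim(u.Path, "/"), "/")
	if u.Host != "" {
		segs = segs[1:] // drop the version segment, e.g. v1beta2
	}
	if len(segs) == 0 || len(segs)%2 != 0 {
		return "", fmt.Errorf("expected collection/ID pairs in %q", resource)
	}
	var collections []string
	for i := 0; i < len(segs); i += 2 {
		collections = append(collections, segs[i])
	}
	return strings.Join(collections, "/"), nil
}

// checkBinding reports whether a binding's resource type is in the list.
func checkBinding(resource string) error {
	t, err := resourceType(resource)
	if err != nil {
		return err
	}
	if !supportedTypes[t] {
		return fmt.Errorf("unsupported resource type: %s", t)
	}
	return nil
}

func main() {
	// Resource URL from bind.hcl in this issue.
	fmt.Println(checkBinding("https://artifactregistry.googleapis.com/v1beta2/projects/prj-id/locations/europe-west1/repositories/test123"))
}
```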

artifact-reg commented 3 years ago

Hello, thanks shanerade. Please can you estimate the time to get a patch released? Will this patch be available for all supported Vault versions? Best regards

verdel commented 1 year ago

@shanerade, why was the pull request closed?

n3ph commented 8 months ago

@shanerade Any news here?

heatherezell commented 7 months ago

Please note that @shanerade is not a member of the HashiCorp organization. If someone would like to submit a PR, we can take a look at it. Thank you!

bmaximuml commented 2 months ago

This is fixed in: https://github.com/hashicorp/vault/pull/28089