salrashid123 / vault_gcp

Vault auth and secrets on GCP
Apache License 2.0

Deprecated gcp commands #3

Open nia-potato opened 1 year ago

nia-potato commented 1 year ago

Hi @salrashid123

Thanks for the awesome guide, I wish the official guide could catch up to your explanation lol.

Jokes aside, I believe $ gcloud iam service-accounts add-iam-policy-binding $GENERIC_SERVICE_ACCOUNT --member=serviceAccount:$GENERIC_SERVICE_ACCOUNT --role=p=roles/iam.serviceAccountTokenCreator is currently deprecated. Would you know how to do the same with this command and main.go with the newer method?

salrashid123 commented 1 year ago

I think it's just a typo in the --role= parameter, it should read

$ gcloud iam service-accounts  add-iam-policy-binding $GENERIC_SERVICE_ACCOUNT --member=serviceAccount:$GENERIC_SERVICE_ACCOUNT --role=roles/iam.serviceAccountTokenCreator

nia-potato commented 1 year ago

Hi @salrashid123, thanks for replying

But what I meant was actually that, after running the command without the typo, when you run

vault login -method=gcp \
    role="my-iam-role" \
    service_account="$GENERIC_SERVICE_ACCOUNT" \
    project="$PROJECT_ID" \
    jwt_exp="15m" \
    credentials=@generic-svc.json

you will still get

Error authenticating: unable to sign JWT for projects/-/serviceAccounts/generic-svc-account@test-dev.iam.gserviceaccount.com using given Vault credentials: googleapi: Error 403: Permission 'iam.serviceAccounts.signJwt' denied on resource (or it may not exist).
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "domain": "iam.googleapis.com",
    "metadata": {
      "permission": "iam.serviceAccounts.signJwt"
    },
    "reason": "IAM_PERMISSION_DENIED"
  }
]
, forbidden

since I believe this link indicates that this method is already deprecated, or am I missing something: https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts/signJwt
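A small diagnostic for the 403 discussed in this thread, added here as an example and not code from the repo or from either poster: it parses the google.rpc.ErrorInfo "Details" array that Vault prints and a constructed `gcloud iam service-accounts get-iam-policy --format=json` result (hypothetical SA email and etag) to tell whether the serviceAccountTokenCreator self-binding is actually present on the service account.

```python
import json
from typing import Optional

TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
SIGN_JWT = "iam.serviceAccounts.signJwt"

# Constructed sample of `gcloud iam service-accounts get-iam-policy <SA> --format=json`
# after the self-binding from the thread has been applied (hypothetical SA and etag).
SAMPLE_POLICY = json.loads("""{
  "bindings": [{"members": ["serviceAccount:generic-svc-account@test-dev.iam.gserviceaccount.com"],
                "role": "roles/iam.serviceAccountTokenCreator"}],
  "etag": "BwX-placeholder=", "version": 1}""")

# Constructed sample of the "Details:" array from the 403 shown in the issue.
SAMPLE_ERROR = """[{"@type": "type.googleapis.com/google.rpc.ErrorInfo",
  "domain": "iam.googleapis.com",
  "metadata": {"permission": "iam.serviceAccounts.signJwt"},
  "reason": "IAM_PERMISSION_DENIED"}]"""


def denied_permission(details: str) -> Optional[str]:
    """Return the permission named in a google.rpc.ErrorInfo entry, or None."""
    for entry in json.loads(details):
        if (entry.get("@type", "").endswith("google.rpc.ErrorInfo")
                and entry.get("reason") == "IAM_PERMISSION_DENIED"):
            return entry.get("metadata", {}).get("permission")
    return None


def has_token_creator(policy: dict, member: str) -> bool:
    """True if `member` holds roles/iam.serviceAccountTokenCreator on the SA resource."""
    return any(b.get("role") == TOKEN_CREATOR and member in b.get("members", [])
               for b in policy.get("bindings", []))


def diagnose(policy: dict, sa_email: str, details: str) -> str:
    """Map the 403 from `vault login -method=gcp` to the most likely cause."""
    perm = denied_permission(details)
    member = f"serviceAccount:{sa_email}"
    if perm != SIGN_JWT:
        return f"not a signJwt denial (denied permission: {perm})"
    if not has_token_creator(policy, member):
        return f"{member} lacks {TOKEN_CREATOR} on the SA: re-run add-iam-policy-binding"
    # Binding is present: IAM policy changes can take minutes to propagate, and the
    # credentials Vault signs with must belong to this same service account.
    return "binding present: wait for IAM propagation or check credentials=@ matches the SA"


if __name__ == "__main__":
    print(diagnose(SAMPLE_POLICY, "generic-svc-account@test-dev.iam.gserviceaccount.com", SAMPLE_ERROR))
```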