Open nia-potato opened 1 year ago
I think it's just a typo in the `--role=` parameter; it should read

```sh
$ gcloud iam service-accounts add-iam-policy-binding $GENERIC_SERVICE_ACCOUNT --member=serviceAccount:$GENERIC_SERVICE_ACCOUNT --role=roles/iam.serviceAccountTokenCreator
```
Hi @salrashid123, thanks for replying,
but what I actually meant was: after running the command without the typo, when you run

```sh
vault login -method=gcp \
    role="my-iam-role" \
    service_account="$GENERIC_SERVICE_ACCOUNT" \
    project="$PROJECT_ID" \
    jwt_exp="15m" \
    credentials=@generic-svc.json
```

you will still get
```text
Error authenticating: unable to sign JWT for projects/-/serviceAccounts/generic-svc-account@test-dev.iam.gserviceaccount.com using given Vault credentials: googleapi: Error 403: Permission 'iam.serviceAccounts.signJwt' denied on resource (or it may not exist).
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "domain": "iam.googleapis.com",
    "metadata": {
      "permission": "iam.serviceAccounts.signJwt"
    },
    "reason": "IAM_PERMISSION_DENIED"
  }
]
, forbidden
```

since I believe this link indicates that this method is already deprecated, or am I missing something: https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts/signJwt
Hi @salrashid123,
Thanks for the awesome guide, I wish the official guide could catch up to your explanation lol.
Jokes aside, I believe

```sh
$ gcloud iam service-accounts add-iam-policy-binding $GENERIC_SERVICE_ACCOUNT --member=serviceAccount:$GENERIC_SERVICE_ACCOUNT --role=p=roles/iam.serviceAccountTokenCreator
```

is currently deprecated. Would you know how to do the same with this command and main.go with the newer method?
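For the "newer method" part of the question, the following is an added example (not code from the thread or from salrashid123's guide) of the signJwt step in Go against the IAM Credentials API, the replacement for the deprecated `iam.googleapis.com` endpoint that produces the 403 above. It assumes the caller already holds an OAuth access token obtained out of band (for example from `gcloud auth print-access-token`) stored in `accessToken`; the function and variable names are the example's own.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"time"
)

// The IAM Credentials API replaces the deprecated iam.googleapis.com signJwt
// endpoint behind the thread's 403. A var so a test can point it at a stub server.
var iamCredentialsBase = "https://iamcredentials.googleapis.com"

// vaultIAMClaims builds the payload Vault's GCP auth method (type "iam") expects:
// sub = service account email, aud = "vault/<role>", exp = expiry (at most 15m).
func vaultIAMClaims(saEmail, vaultRole string, now time.Time, ttl time.Duration) map[string]interface{} {
	return map[string]interface{}{"sub": saEmail, "aud": "vault/" + vaultRole, "exp": now.Add(ttl).Unix()}
}

// signJWT asks Google to sign claims with saEmail's key and returns the JWT to pass
// as jwt= to `vault write auth/gcp/login role=...`. The identity behind accessToken must
// hold roles/iam.serviceAccountTokenCreator on saEmail; a 403 here means that binding is missing.
func signJWT(client *http.Client, accessToken, saEmail string, claims map[string]interface{}) (string, error) {
	payload, _ := json.Marshal(claims) // the API takes the claims as a JSON *string*
	body, _ := json.Marshal(map[string]string{"payload": string(payload)})
	url := iamCredentialsBase + "/v1/projects/-/serviceAccounts/" + saEmail + ":signJwt"
	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return "", err
	}
	req.Header.Set("Authorization", "Bearer "+accessToken)
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	raw, _ := io.ReadAll(resp.Body)
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("signJwt %s: %s", resp.Status, raw)
	}
	var out struct{ SignedJwt string `json:"signedJwt"` }
	if err := json.Unmarshal(raw, &out); err != nil || out.SignedJwt == "" {
		return "", fmt.Errorf("signJwt: unexpected response %q", raw)
	}
	return out.SignedJwt, nil
}
```

The returned JWT is what the `vault login -method=gcp` helper builds for you internally; calling the Credentials API directly lets you confirm the token creator binding works before involving Vault.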