spring-cloud / spring-cloud-vault

Configuration Integration with HashiCorp Vault
http://cloud.spring.io/spring-cloud-vault/
Apache License 2.0

Spring Cloud Vault with GCP-IAM Auth Method for multiple projects #604

Closed ralimardanov closed 2 years ago

ralimardanov commented 2 years ago

SpringCloudVersion is 2020.0.0.

Good day, I have 2 projects; in one of them is my GKE cluster with Vault deployed. Everything is working fine for the application also running inside this cluster: it is able to get secrets etc. Config was done using these docs. We use workload identity for applications running inside GKE.

The issue is that I can't authenticate using a service account inside another project. I get errors like this inside my application:

    [RequestedSecret [path='secret/secret_path', mode=ROTATE]] Lease [leaseId='null', leaseDuration=PT0S, renewable=false] Cannot login using GCP-IAM: could not find service account 'projects/-/serviceAccounts/': googleapi: Error 403: Permission iam.serviceAccounts.get is required to perform this operation on service account projects/-/serviceAccounts/., forbidden; nested exception is org.springframework.web.client.HttpServerErrorException$InternalServerError: 500 Internal Server Error: [{"errors":["could not find service account 'projects/-/serviceAccounts/': googleapi: Error 403: Permission iam.serviceAccounts.get is required to perform this operation on service account projects/-/serviceAccounts/., forbidden"]} ]

And errors like this when I try to log in via the GCP console:

    vault login -method=gcp role="my-iam-role-preprod" service_account="sa_name" project="project_id" jwt_exp="15m" credentials=@cred.json

    Error authenticating: Error making API request. URL: PUT /v1/auth/gcp/login Code: 500. Errors: could not find service account 'projects/-/serviceAccounts/': googleapi: Error 403: Permission iam.serviceAccounts.get is required to perform this operation on service account projects/-/serviceAccounts/., forbidden

I have this SA inside this project and I have the Service Account Token Creator role assigned. In the main project I have the same role assigned to the application SA (we use workload identity), and the Browser / Service Account Key Admin roles assigned to the service account which is used by the Vault server itself.

My bootstrap.properties file looks like this:

    spring.application.name=
    spring.cloud.vault.uri=
    spring.cloud.vault.authentication=GCP_IAM
    # role created on vault side for IAM auth
    spring.cloud.vault.gcp-iam.role=${VAULT_IAM_ROLE}
    # sa used for IAM auth
    spring.cloud.vault.gcp-iam.service-account-id=${VAULT_IAM_SA}
    # project id for IAM auth
    spring.cloud.vault.gcp-iam.project-id=${VAULT_SA_PROJECT_ID}
    spring.cloud.vault.generic.enabled=false
    spring.cloud.vault.fail-fast=false
    spring.cloud.vault.kv.enabled=true
    spring.cloud.vault.kv.backend=secret
    spring.cloud.vault.kv.profile-separator='/'
    spring.cloud.vault.kv.default-context=
    spring.cloud.vault.kv.application-name=

I can share more detailed config info if needed.

mp911de commented 2 years ago

We integrate with the Google authentication API as described in the Vault docs. We cannot really help much in terms of Google API specifics. If you can provide the correct Google API method call, then we can see what we can do from the given input data.

ralimardanov commented 2 years ago

Hi @mp911de, thanks for the reply. There isn't any information (at least I wasn't able to find any) about cross-project authentication to Vault.

From the logs I can see such a request, for example:

    [RequestedSecret [path='secret/ng-platform-srv-dictionary', mode=ROTATE]] Lease [leaseId='null', leaseDuration=PT0S, renewable=false] Cannot sign JWT; nested exception is com.google.api.client.googleapis.json.GoogleJsonResponseException: 404 Not Found POST https://iam.googleapis.com/v1/projects/-/serviceAccounts/$%7BVAULT_IAM_SA%7D:signJwt

The application is doing an API request like the one above. I added permissions and the $VAULT_IAM_SA variable, and after this I got the issue mentioned above:

    Cannot login using GCP-IAM: could not find service account 'projects/-/serviceAccounts/': googleapi: Error 403: Permission iam.serviceAccounts.get is required to perform this operation on service account projects/-/serviceAccounts/., forbidden; nested exception is org.springframework.web.client.HttpServerErrorException$InternalServerError: 500 Internal Server Error:
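The two log lines above show the two HTTP calls a GCP-IAM login makes (sign a short-lived JWT through the IAM `signJwt` endpoint, then present it to Vault's `/v1/auth/gcp/login`) and the failure mode where the service account id resolves to an unsubstituted `${VAULT_IAM_SA}` placeholder or to an empty string, which yields the unusable resource path `projects/-/serviceAccounts/`. The following is an added example, not code from this thread or from the spring-cloud-vault project, that builds both requests and rejects a misconfigured identity before any network call. The service account e-mail, project id, Vault URI and role are constructed placeholders; the 15-minute JWT lifetime matches the `jwt_exp="15m"` used in the CLI command earlier in the thread.

```python
"""Pre-flight identity check and request construction for Vault's GCP IAM login.

Added example, not part of spring-cloud-vault. It models the exchange seen in the
thread's logs: POST .../serviceAccounts/{sa}:signJwt on the IAM API, then
POST {vault}/v1/auth/gcp/login with {"role": ..., "jwt": ...}.
"""
import json
import re
import time
import urllib.request
from typing import Dict, Optional, Tuple

# Resource name as it appears in the thread's log: the "-" wildcard lets IAM
# resolve the project from the service account e-mail.
IAM_SIGN_JWT = "https://iam.googleapis.com/v1/projects/-/serviceAccounts/{sa}:signJwt"
UNRESOLVED_PLACEHOLDER = re.compile(r"\$\{[^}]*\}")
DEFAULT_TTL_SECONDS = 15 * 60  # Vault's GCP auth method caps IAM JWTs at 15 minutes


class IdentityConfigError(ValueError):
    """Configured identity would produce a request IAM or Vault cannot resolve."""


def identity_problem(service_account_id: str, project_id: str, role: str) -> Optional[str]:
    """Return a description of the first configuration defect, or None if the values look usable."""
    for name, value in (("service-account-id", service_account_id),
                        ("project-id", project_id),
                        ("role", role)):
        if value is None or not value.strip():
            return f"{name} is empty (request path would be 'projects/-/serviceAccounts/')"
        if UNRESOLVED_PLACEHOLDER.search(value):
            return f"{name} contains an unresolved placeholder: {value!r}"
        if "/" in value:
            return f"{name} must not contain '/': {value!r}"
    return None


def validate_identity(service_account_id: str, project_id: str, role: str) -> None:
    problem = identity_problem(service_account_id, project_id, role)
    if problem:
        raise IdentityConfigError(problem)


def build_jwt_claims(service_account_id: str, role: str,
                     ttl_seconds: int = DEFAULT_TTL_SECONDS,
                     now: Optional[int] = None) -> Dict[str, object]:
    """Claim set Vault expects for the iam login type: sub = SA e-mail, aud = vault/<role>."""
    now = int(time.time()) if now is None else now
    return {"sub": service_account_id, "aud": f"vault/{role}", "exp": now + ttl_seconds}


def build_sign_jwt_request(service_account_id: str, project_id: str, role: str,
                           ttl_seconds: int = DEFAULT_TTL_SECONDS,
                           now: Optional[int] = None) -> Tuple[str, Dict[str, str]]:
    """URL and JSON body for the IAM signJwt call; fails fast on a bad identity."""
    validate_identity(service_account_id, project_id, role)
    claims = build_jwt_claims(service_account_id, role, ttl_seconds, now)
    return IAM_SIGN_JWT.format(sa=service_account_id), {"payload": json.dumps(claims)}


def build_vault_login_request(vault_uri: str, role: str, signed_jwt: str) -> Tuple[str, Dict[str, str]]:
    """URL and JSON body for Vault's GCP auth login endpoint."""
    return vault_uri.rstrip("/") + "/v1/auth/gcp/login", {"role": role, "jwt": signed_jwt}


def _post_json(url: str, body: Dict[str, str], headers: Dict[str, str]) -> Dict[str, object]:
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"), method="POST",
                                 headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def gcp_iam_login(vault_uri: str, role: str, service_account_id: str, project_id: str,
                  access_token: str) -> str:
    """Run both calls and return the Vault client token.

    access_token is an OAuth2 access token for a principal that holds
    roles/iam.serviceAccountTokenCreator on service_account_id (hypothetical caller-supplied value).
    """
    url, body = build_sign_jwt_request(service_account_id, project_id, role)
    signed = _post_json(url, body, {"Authorization": f"Bearer {access_token}"})["signedJwt"]
    url, body = build_vault_login_request(vault_uri, role, signed)
    return _post_json(url, body, {})["auth"]["client_token"]


if __name__ == "__main__":
    # Constructed placeholders; the unresolved-placeholder case mirrors the thread's 404.
    for sa in ("vault-auth@project-b.iam.gserviceaccount.com", "${VAULT_IAM_SA}", ""):
        print(sa or "<empty>", "->", identity_problem(sa, "project-b", "my-iam-role-preprod") or "ok")
```

`identity_problem` is the piece worth wiring into startup: running it against the resolved `spring.cloud.vault.gcp-iam.*` values turns the opaque 404/403 from IAM into an immediate, readable configuration error.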

mp911de commented 2 years ago

We do not support multiple Google Projects or multiple tokens. That's something you need to handle on your own.