Using Google Compute Engine with GCP auth backend


simon...@ext.conrad.com

Jun 20, 2018, 7:28:29 AM
to Vault
Hi,

we are currently running Vault in Kubernetes Engine on GCP. We installed it from Kubeapps. Now we want to use the gcp auth method. We enabled it and added a role:

vault auth-enable gcp

vault write auth/gcp/role/test-role \
    type="gce" \
    project_id="$GOOGLE_PROJECT" \
    policies="default" \
    bound_service_accounts="$SERVICE_ACCOUNT"


Now we log in to the GCE VM associated with $SERVICE_ACCOUNT and request an id_token:

We check this id_token on jwt.io just to make sure that it is a proper JWT. The next step is to log in to Vault:
vault write auth/gcp/login role=test-role jwt=${JWT_TOKEN}

Now the response is:
Error writing data to auth/gcp/login: Error making API request.

Code: 400. Errors:

* could not find service account with id '10....30': service account 'projects/<removed>/serviceAccounts/10....30' does not exist

However, this service account does exist.

Furthermore, we don't understand how vault could know that the SA does not exist, since it should only be necessary to validate and parse the provided JWT.

Even though it should not be necessary, we uploaded a service account JSON into the vault gcp auth configuration, but that leads to the same error.

We are really desperate and are looking forward to your support.

Thank you very much and best wishes,
Simon

Jeff Mitchell

Jun 20, 2018, 12:00:19 PM
to Vault
Hi Simon,

That auth method is maintained by Google, any chance you can file an issue at https://github.com/hashicorp/vault-plugin-auth-gcp so that they get eyes on it?

Thanks!
--Jeff

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/5067cd7a-e72d-4cff-9b2d-2e7b466f6f72%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Emily Ye

Jun 20, 2018, 1:31:10 PM
to Vault
Hi Simon,

Please feel free to submit an issue on the repo Jeff gave. I'm actually wondering if your Vault auth backend is set up correctly, as this error could happen if the Vault server hasn't been configured with the correct IAM permissions to view service accounts (iam.serviceAccounts.get?) and validate this JWT.

Emily

simon...@ext.conrad.com

Jun 25, 2018, 3:48:52 AM
to Vault
Hi Emily,

thanks for the advice, we changed said permissions and now it works.

It would be very interesting to understand why Vault needs these permissions, since it should be sufficient to present a Google-signed JWT.

best wishes,
Simon
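An added illustration of the step Emily points at, written for this thread and not code from the thread or from Vault itself: once the token's Google signature has been verified (assumed done, not shown), the role evaluation still has to resolve the token's `sub`, which is the service account's numeric unique ID, to an e-mail via the IAM serviceAccounts.get call, and that call is what needs the iam.serviceAccounts.get permission on Vault's own service account. The claims, the role and the two `iam_lookup` callbacks are constructed stand-ins; the audience check assumes Vault's documented `vault/<role>` convention.

```python
import base64
import json

# Constructed sample: claims of a GCE identity token (format=full). Google's
# RS256 signature is assumed already verified; that step is not shown here.
SAMPLE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "aud": "vault/test-role",          # Vault expects aud = vault/<role name>
    "sub": "100000000000000000030",    # numeric unique ID of the instance's SA
    "email": "vault-client@example-project.iam.gserviceaccount.com",
    "google": {"compute_engine": {"project_id": "example-project"}},
}
ROLE = {"name": "test-role", "project_id": "example-project",
        "bound_service_accounts": [SAMPLE_CLAIMS["email"]]}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(claims: dict) -> str:
    """header.payload. with an empty signature, for constructed input only."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."

def jwt_claims(token: str) -> dict:
    """Decode the payload segment (base64url drops padding; restore it)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def evaluate_gce_login(token: str, role: dict, iam_lookup):
    """Role checks after signature verification. iam_lookup stands in for the
    IAM serviceAccounts.get call (unique ID -> email) that Vault's own
    service account needs the iam.serviceAccounts.get permission for."""
    claims = jwt_claims(token)
    if claims.get("aud") != f"vault/{role['name']}":
        return False, "token audience does not name this role"
    gce = claims.get("google", {}).get("compute_engine", {})
    if gce.get("project_id") != role["project_id"]:
        return False, "instance is not in the role's project"
    email = iam_lookup(claims["sub"])
    if email is None:   # what the thread saw: lookup fails, token never matched
        return False, f"could not find service account with id '{claims['sub']}'"
    if email not in role["bound_service_accounts"]:
        return False, f"service account {email} is not bound to this role"
    return True, f"login allowed for {email}"

TOKEN = make_unsigned_jwt(SAMPLE_CLAIMS)
iam_with_permission = {SAMPLE_CLAIMS["sub"]: SAMPLE_CLAIMS["email"]}.get
iam_without_permission = lambda uid: None   # IAM call denied; Vault sees "not found"
```

With the permissive lookup the login succeeds; with the denied lookup the same valid token produces the "could not find service account with id" message from the original post.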