Vault GCP Secrets Engine OAuth for Google Cloud Kubernetes Engine


Oliver Bazely

Aug 16, 2018, 12:45:53 PM
to Vault
Hi,
I've managed to set up the Vault GCP secrets engine with a GCP service account so it gives me back OAuth tokens for accessing a GCP bucket. I'm now trying to do the same for a Google Kubernetes Engine cluster. I can't seem to set the right resource address in the bindings HCL. I'm not sure if the problem is with Vault, or if I am just putting in the wrong resource address. Has anyone got this to work, or any pointers as to where I might be going wrong?

My workflow is:

# Enable GCP secrets engine
vault secrets enable gcp

# Write service credentials
vault write gcp/config credentials=@gcp_service_account.json ttl=3600 max_ttl=86400

# Write roleset
vault write gcp/roleset/my-token-roleset project="<project-redacted>" secret_type="access_token"  token_scopes="https://www.googleapis.com/auth/cloud-platform" bindings=@token_role_bindings_gke.hcl


token_role_bindings_gke.hcl contains:

resource "//container.googleapis.com/v1/projects/<project-redacted>/zones/<zone-redacted>/clusters/<cluster-redacted>" {
    roles = [
        "roles/container.admin",
    ]
}

I get back messages like:

Error writing data to gcp/roleset/my-token-roleset: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/gcp/roleset/my-token-roleset
Code: 400. Errors:

* error parsing relative resource path in full resource name '//container.googleapis.com/v1/projects/<redacted>/zones/<redacted>/clusters/<redacted>': invalid relative resource name v1/projects/<redacted>/zones/<redacted>/clusters/<redacted> (invalid collection ID v1)

I have tried various combinations for resource address, but none of them are recognised.

Thanks

Oliver

Emily Ye

Aug 17, 2018, 4:04:16 PM
to Vault
Hi Oliver,

I'm the GCP plugin maintainer, sorry that I didn't see this earlier! Unfortunately there are a couple of issues here:

1. You can't actually assign Cloud IAM policies to GKE resources (see methods on containers.clusters and lack of get/setIamPolicy). I believe you have to set it as a project-level role or use k8s RBAC (see https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control#interaction_with_identity_and_access_management).

2. The URI you gave is a full resource name and thus shouldn't have a version in it. If you need to specify version, you need to use the self-link (https://container.googleapis.com/v1/...). Ideally, if this were actually supported as a resource, v1 is the recommended API so you could just do full resource name (//container.googleapis.com/projects/my-proj/containers/my-container/zones/my-zone/clusters/my-cluster) and we'd infer the version, but since we don't mark the GKE service as supporting IAM, this is just returning an error for parsing the URI. 

Please let me know if you have any other questions and sorry for the trouble! 

Emily
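As an added illustration of the two points above (not code from the thread or from the Vault plugin), here is a small shell helper that checks a binding resource reference the way the parser error reported above implies: a full resource name ("//service/relative-path") must not carry an API version as its first collection ID, while a self-link ("https://service/v1/...") is where the version belongs. It also emits a project-level binding, which is the placement the reply recommends for GKE roles. The project name, the version-segment pattern and the function names are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not part of the original thread or of Vault itself.

# Convert a self-link (scheme + API version) into a full resource name.
# Assumption: version segments look like v1, v1beta1, v2alpha1 (leading "v" + digit).
selflink_to_full_name() {
  local url="$1"
  local rest="${url#https://}"          # drop scheme
  local host="${rest%%/*}"              # service hostname
  local path="${rest#*/}"               # everything after the host
  case "$path" in
    v[0-9]*/*) path="${path#*/}" ;;     # strip a leading API version segment
  esac
  printf '//%s/%s\n' "$host" "$path"
}

# Return 0 for a full resource name whose first collection ID is not an
# API version; otherwise print the reason to stderr and return 1.
check_full_resource_name() {
  local name="$1"
  case "$name" in
    //*/*) ;;
    *) echo "not a full resource name (expected //service/relative-path): $name" >&2; return 1 ;;
  esac
  local relative="${name#//*/}"         # relative resource path after the host
  local first="${relative%%/*}"         # first collection ID
  case "$first" in
    v[0-9]*) echo "invalid collection ID $first: full resource names carry no API version" >&2; return 1 ;;
  esac
  return 0
}

# Emit bindings HCL for a project-level binding (constructed project name).
# Usage: project_binding_hcl my-proj roles/container.admin > bindings.hcl
project_binding_hcl() {
  local project="$1"; shift
  local res="//cloudresourcemanager.googleapis.com/projects/${project}"
  check_full_resource_name "$res" || return 1
  printf 'resource "%s" {\n  roles = [\n' "$res"
  local r
  for r in "$@"; do printf '    "%s",\n' "$r"; done
  printf '  ]\n}\n'
}
```

The generated file can be passed as `bindings=@bindings.hcl` to the `vault write gcp/roleset/...` command from the first post.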