Hi all!
I have an HA Vault server with a GCP storage type.
I configured the server service account in google for vault, created service accounts in google for services, and annotated service accounts in Kubernetes.
When I set Vault annotations like the following, the vault-agent and vault-injector pods don't get created:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-inject-status: update
vault.hashicorp.com/auth-config-service-account: "${K8S_SERVICE_SERVICEACC_NAME}"
vault.hashicorp.com/auth-config-type: "iam"
vault.hashicorp.com/auth-type: "gcp"
vault.hashicorp.com/ca-cert: /run/secrets/kubernetes.io/serviceaccount/ca.crt
vault.hashicorp.com/log-level: debug
vault.hashicorp.com/role: "${ROLE_NAME}"
vault.hashicorp.com/tls-skip-verify: "true"
vault.hashicorp.com/agent-inject-secret-keys: "kv/path/to/secret"
vault.hashicorp.com/agent-inject-template-keys: |
  {{ with secret "kv/path/to/secret" }}
  {{ range $k, $v := .Data.data }}export {{ $k }}="{{ $v }}"
  {{ end }}
  {{ end }}
These are my steps to set up the Google part:
#Create the vault kms keyring (the same name is passed as --keyring below):
gcloud kms keyrings create ${KMS_KEYRING_NAME} \
--location global \
--project ${PROJECT_ID}
#Create the vault-init encryption key:
gcloud kms keys create ${KMS_KEY_NAME} \
--location global \
--keyring ${KMS_KEYRING_NAME} \
--purpose encryption \
--project ${PROJECT_ID}
#Create a GCS bucket:
gsutil mb -p ${PROJECT_ID} gs://${BUCKET_NAME}
#Set versioning
gsutil versioning set on gs://${BUCKET_NAME}
#Create the vault service account:
gcloud iam service-accounts create ${SERVER_SERVICEACC_NAME} \
--display-name "${SERVER_SERVICEACC_NAME}" \
--project ${PROJECT_ID}
#Create JSON credentials, save them, and write them to Vault
vault auth enable gcp
vault write auth/gcp/config credentials=@/path/to/credentials.json
#Grant access to the vault storage bucket:
gsutil iam ch \
serviceAccount:${SERVER_SERVICEACC_NAME}@${PROJECT_ID}.iam.gserviceaccount.com:objectAdmin \
gs://${BUCKET_NAME}
gsutil iam ch \
serviceAccount:${SERVER_SERVICEACC_NAME}@${PROJECT_ID}.iam.gserviceaccount.com:legacyBucketReader \
gs://${BUCKET_NAME}
#Grant access to the vault-init KMS encryption key (the positional argument is the key, not the keyring):
gcloud kms keys add-iam-policy-binding \
${KMS_KEY_NAME} \
--location global \
--keyring ${KMS_KEYRING_NAME} \
--member serviceAccount:${SERVER_SERVICEACC_NAME}@${PROJECT_ID}.iam.gserviceaccount.com \
--role roles/cloudkms.cryptoKeyEncrypterDecrypter \
--project ${PROJECT_ID}
#Configure gcp policy for vault
gcloud iam roles create VaultAuthRole \
--title=${TITLE} \
--stage=GA \
--description="Role used for the Vault Auth Method" \
--project "${PROJECT_ID}" \
--permissions=iam.serviceAccounts.get,iam.serviceAccountKeys.get,compute.instances.get
gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
--member "serviceAccount:${SERVER_SERVICEACC_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role projects/"${PROJECT_ID}"/roles/VaultAuthRole
================================
gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
--member "serviceAccount:${SERVER_SERVICEACC_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role projects/${PROJECT_ID}/roles/VaultAuthRole
vault auth enable gcp
vault write auth/gcp/config credentials=@${SERVER_SERVICEACC_NAME}.json
vault write auth/gcp/role/${ROLE_NAME} \
type="iam" \
policies="${POLICY_NAME}" \
max_jwt_exp="3600" \
bound_service_accounts="${SERVER_SERVICEACC_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
#bound_service_accounts is required for type=iam; the policy is written under the name the role references
vault policy write ${POLICY_NAME} - <<EOH
path "*" {
capabilities = ["read"]
}
EOH
kubectl run vault -it --rm --restart=Never \
--serviceaccount my-service-ksa \
-n ${NAMESPACE} \
--image vault \
-- vault login -address="$VAULT_ADDR" -method=gcp \
service_account="${SERVER_SERVICEACC_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" role="${ROLE_NAME}"
Do you have any ideas?
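As an added example (not from the original post), a small Python consistency check over the injector annotation set above: it flags a template without a matching agent-inject-secret-&lt;name&gt;, a template that reads a different path than its secret annotation names, a gcp/iam auth config missing its service account, and tls-skip-verify set alongside ca-cert. The annotation values below are constructed placeholders, and the checks are ones I chose, not rules enforced by the injector itself.

```python
import re

PREFIX = "vault.hashicorp.com/"
SECRET_RE = re.compile(r'secret\s+"([^"]+)"')

# Constructed copy of the annotation set from the post; the concrete values are placeholders.
ANNOTATIONS = {
    PREFIX + "agent-inject": "true",
    PREFIX + "auth-type": "gcp",
    PREFIX + "auth-config-type": "iam",
    PREFIX + "auth-config-service-account": "svc@my-project.iam.gserviceaccount.com",
    PREFIX + "ca-cert": "/run/secrets/kubernetes.io/serviceaccount/ca.crt",
    PREFIX + "tls-skip-verify": "true",
    PREFIX + "role": "my-role",
    PREFIX + "agent-inject-secret-keys": "kv/path/to/secret",
    PREFIX + "agent-inject-template-keys":
        '{{ with secret "kv/path/to/secret" }}\n'
        '{{ range $k, $v := .Data.data }}export {{ $k }}="{{ $v }}"\n{{ end }}\n{{ end }}\n',
}

def lint_annotations(annotations):
    """Return a list of consistency findings for one pod's injector annotations."""
    a = {k[len(PREFIX):]: v for k, v in annotations.items() if k.startswith(PREFIX)}
    findings = []
    if a.get("agent-inject") != "true":
        findings.append("agent-inject is not \"true\": the injector ignores this pod")
    if "role" not in a:
        findings.append("role is missing: auto-auth has nothing to log in as")
    if a.get("auth-type") == "gcp":
        if a.get("auth-config-type") not in ("iam", "gce"):
            findings.append("auth-type gcp needs auth-config-type iam or gce")
        if a.get("auth-config-type") == "iam" and not a.get("auth-config-service-account"):
            findings.append("auth-config-type iam needs auth-config-service-account")
    if a.get("tls-skip-verify") == "true" and "ca-cert" in a:
        findings.append("tls-skip-verify=true makes ca-cert ineffective: keep the CA, drop skip-verify")
    # Every agent-inject-template-<name> needs an agent-inject-secret-<name> reading the same path.
    secrets = {k[len("agent-inject-secret-"):]: v
               for k, v in a.items() if k.startswith("agent-inject-secret-")}
    for key, tmpl in a.items():
        if not key.startswith("agent-inject-template-"):
            continue
        name = key[len("agent-inject-template-"):]
        if name not in secrets:
            findings.append(f"template '{name}' has no matching agent-inject-secret-{name}")
            continue
        paths = set(SECRET_RE.findall(tmpl))
        if secrets[name] not in paths:
            findings.append(f"template '{name}' reads {sorted(paths)}, not {secrets[name]}")
    return findings
```

Run it against the pod's real annotations (for example from `kubectl get pod -o json`) before looking at the injector logs; it separates annotation typos from auth-side failures.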