GCP auth method, more than one project?

trudesea · June 8, 2021, 6:31pm

Hi All,

I’m trying to enable more than one path for the gcp auth method. I already followed the tutorial documentation and created the auth method at the default path of /gcp. Added a service account for my main project at gcp/config and added a roleset for it at gcp/roleset

This works as intended.

But I need to add another project and I’m running into issues.

So I create a new gcp auth method under a different path:

vault auth enable -path=project2 gcp

But when trying to add the service account credentials for the new project

vault write project2/config credentials=@credentials.json

Error writing data to project2/config: Error making API request.

URL: PUT https://vault.xxx.xxx:8200/v1/project2/config
Code: 404. Errors:

* no handler for route 'project2/config'

I assume this is not the way to do it, but I’ve not found any docs yet on how to do this properly. I don’t want to overwrite what is in gcp/config with the project2 service account or does it do an add vs replace?

How would one go about doing this?

Thanks

jeffsanicola · June 8, 2021, 7:07pm

Try vault write auth/project2/config credentials=@credentials.json instead

jeffsanicola · June 8, 2021, 7:09pm

You should be able to use a single GCP Auth method for multiple projects by creating unique roles per project. This assumes, of course, that the multiple projects are part of a related group or organization and permissions in GCP are setup correctly.

trudesea · June 8, 2021, 8:08pm

Thanks Jeff, the write auth/… seems to work. Yes I thought about using a single auth method but I need to wrap my head around that. We are still in development stage so that shouldn’t be an issue.

Thanks again.