Hi,
So I’m trying to figure this out. I have a Vault Service Account in one of my projects. It correctly creates a service account and IAM roles when applying the roleset for that project.
However, I’ve given the Vault Service Account from that project the same roles in another project. When applying the roleset for that project, the service account is created but the IAM roles for that service account are not applied and I don’t see any errors in the vault command or in the audit logs for IAM.
Are there docs on how to properly do this? Because I'm sure I've not set up something correctly.
Project that works (Project1)
vault write gcp/roleset/project1 bindings=@project1.hcl token_scopes="https://www.googleapis.com/auth/cloud-platform" project=project1 secret_type="access_token"
resource "//cloudresourcemanager.googleapis.com/projects/project1" {
roles = ["roles/editor"]
}
Project2, vault service account created, but no IAM roles
vault write gcp/roleset/project2 bindings=@project2.hcl token_scopes="https://www.googleapis.com/auth/cloud-platform" project=project2 secret_type="access_token"
resource "//cloudresourcemanager.googleapis.com/projects/project2" {
roles = ["roles/editor"]
}
The project1 vault service account has the following roles in project1 and project2. More than needed I realize but I’ll trim it back after troubleshooting.
Security Admin
Security Reviewer
Service Account Admin
Create Service Accounts
Service Account Key Admin
Service Account Token Creator
Service Account User
Project IAM Admin
I have both IAM APIs set up on project 2:
Identity and Access Management (IAM) API
IAM Service Account Credentials API
So what am I doing wrong here?
Thanks for any input
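Added example, not code from the post or from Vault: a small check that compares the roles a roleset's bindings file asks for against what `gcloud projects get-iam-policy <project> --format=json` actually reports, so you can see whether the binding landed in project2 and whether the Vault service account holds Project IAM Admin there (the role Vault needs to call setIamPolicy on that project). The service account names and policy documents are constructed placeholders, not values from the post.

```python
"""Compare expected Vault roleset bindings with a project's live IAM policy.

Input is the JSON produced by `gcloud projects get-iam-policy <project> --format=json`.
Every sample value below is constructed for illustration only.
"""
import json

# Constructed sample: project1, where the roleset binding was applied as expected.
PROJECT1_POLICY = json.dumps({
    "version": 1,
    "etag": "BwXexample1=",
    "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:vaultproject1-1234@project1.iam.gserviceaccount.com"]},
        {"role": "roles/resourcemanager.projectIamAdmin",
         "members": ["serviceAccount:vault-admin@project1.iam.gserviceaccount.com"]},
    ],
})

# Constructed sample: project2, where the roleset SA exists but no binding was written.
PROJECT2_POLICY = json.dumps({
    "version": 1,
    "etag": "BwXexample2=",
    "bindings": [
        {"role": "roles/resourcemanager.projectIamAdmin",
         "members": ["serviceAccount:vault-admin@project1.iam.gserviceaccount.com"]},
    ],
})


def roles_for(policy_json: str, member: str) -> set:
    """Return every role the given member string holds in a get-iam-policy document."""
    policy = json.loads(policy_json)
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def missing_bindings(policy_json: str, roleset_sa_email: str, expected_roles: set) -> set:
    """Roles listed in the roleset's bindings file that are absent from the live policy."""
    return set(expected_roles) - roles_for(policy_json, "serviceAccount:" + roleset_sa_email)


def vault_can_set_policy(policy_json: str, vault_sa_email: str) -> bool:
    """True if the Vault SA holds Project IAM Admin here (Owner would also suffice)."""
    held = roles_for(policy_json, "serviceAccount:" + vault_sa_email)
    return "roles/resourcemanager.projectIamAdmin" in held or "roles/owner" in held
```

Run it against the real policy output for both projects: an empty set from `missing_bindings` for project1 and `{"roles/editor"}` for project2 reproduces the symptom in the post, and `vault_can_set_policy` tells you whether the Vault SA is even allowed to write that binding.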