Giving Vault GCP Service Account correct roles in other projects

Hi,

So I’m trying to figure this out. I have a Vault Service Account in one of my projects. It correctly creates a service account and IAM roles when applying the roleset for that project.

However, I’ve given the Vault Service Account from that project the same roles in another project. When applying the roleset for that project, the service account is created but the IAM roles for that service account are not applied and I don’t see any errors in the vault command or in the audit logs for IAM.

Are there docs on how to properly do this? I'm sure I've not set up something correctly.

Project that works (Project1)

vault write gcp/roleset/project1 bindings=@project1.hcl token_scopes="https://www.googleapis.com/auth/cloud-platform" project=project1 secret_type="access_token"

resource "//cloudresourcemanager.googleapis.com/projects/project1" {
  roles = ["roles/editor"]
}

Project2, vault service account created, but no IAM roles

vault write gcp/roleset/project2 bindings=@project2.hcl token_scopes="https://www.googleapis.com/auth/cloud-platform" project=project2 secret_type="access_token"

resource "//cloudresourcemanager.googleapis.com/projects/project2" {
  roles = ["roles/editor"]
}

The project1 vault service account has the following roles in project1 and project2. More than needed, I realize, but I'll trim it back after troubleshooting.

Security Admin
Security Reviewer
Service Account Admin
Create Service Accounts
Service Account Key Admin
Service Account Token Creator
Service Account User
Project IAM Admin

I have both IAM APIs set up on project2:

Identity and Access Management (IAM) API
IAM Service Account Credentials API

So what am I doing wrong here?

Thanks for any input

This may not be related to your issue, but are both of your code snippets accurate? Both are writing to the project1 roleset and I believe the second command will overwrite the first.

Have you tried retrieving credentials for the roleset already?

It’s been a while since I’ve used GCP so I don’t remember what the expected behavior is but you might need to get the creds before you see the attached IAM roles:

That is a typo in the second code snippet, will fix.

Yes, I thought the same. I have done a

vault read gcp/token/project2

And retrieved a token, but no new IAM roles and can’t do anything with the token due to lack of permissions.
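As an added example (not from this thread, nor Vault's own code): a small Python check that parses a roleset bindings file like the ones above, reads a project IAM policy in the JSON shape `gcloud projects get-iam-policy PROJECT --format=json` returns, and reports which expected roles the roleset's service account does not actually hold in that project. The sample HCL, the policy and the service-account e-mails below are constructed placeholders.

```python
import json
import re

# Constructed sample: a bindings file in the same form as project2.hcl above
BINDINGS_HCL = '''
resource "//cloudresourcemanager.googleapis.com/projects/project2" {
  roles = ["roles/editor"]
}
'''

# Constructed sample: a project2 IAM policy in gcloud JSON form where the
# roleset SA exists but was never bound (hypothetical members and etag)
POLICY_JSON = json.dumps({
    "version": 1,
    "etag": "BwXexample=",
    "bindings": [
        {"role": "roles/editor",
         "members": ["user:admin@example.com"]},
        {"role": "roles/iam.serviceAccountAdmin",
         "members": ["serviceAccount:vault@project1.iam.gserviceaccount.com"]},
    ],
})

# Matches the project-level resource form used in the post; other resource
# kinds (buckets, folders) are not handled here
RESOURCE_RE = re.compile(
    r'resource\s+"//cloudresourcemanager\.googleapis\.com/projects/([^"]+)"\s*\{'
    r'\s*roles\s*=\s*\[([^\]]*)\]\s*\}', re.S)


def parse_bindings(hcl: str) -> dict:
    """Map project id -> set of roles declared in a roleset bindings file."""
    out = {}
    for project, roles in RESOURCE_RE.findall(hcl):
        out.setdefault(project, set()).update(re.findall(r'"([^"]+)"', roles))
    return out


def roles_for_member(policy_json: str, member: str) -> set:
    """Roles a member holds according to a project IAM policy (gcloud JSON)."""
    policy = json.loads(policy_json)
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def missing_bindings(hcl: str, project: str, policy_json: str, sa_email: str) -> set:
    """Roles the bindings file expects for the roleset SA in `project`
    that are absent from the project's actual IAM policy."""
    expected = parse_bindings(hcl).get(project, set())
    return expected - roles_for_member(policy_json, "serviceAccount:" + sa_email)
```

An empty result means the roleset's bindings were applied; a non-empty one names the roles to look for in the project's IAM audit log and in the Vault server log.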