Vault gcs backend

Hi There

I’m trying to use gcs as the storage backend for vault however I’m getting the below error message.

[ERROR] core: failed to acquire lock: error="lock: attempt lock: googleapi: Error 403: Insufficient Permission, insufficientPermissions"

I checked the permission on the Google Storage bucket, and the service account has Storage Admin.

Vault v1.4.3

  storage "gcs" {
    bucket        = "storage_bucket_name"
    ha_enabled    = "true"
  }

I’ve also set the environment variable GOOGLE_CREDENTIALS to the location of credential json file.

Cheers,

Brett

Hi,

Are you using helm package or Kubernetes recipe (yamls)?

Thanks

I’m using the HashiCorp Helm chart to install Vault onto a GKE cluster.

I had exactly the same issue just now after upgrading our vault from 1.2.3 to 1.5.4 with the incubator/vault helm chart.

We used to specify the service-account to use for the vault in config.json with:

  {
    "storage": {
      "gcs": {
        "bucket": "our-vault-bucket",
        "credentials_file": "/vault/sa/key.json"
      }
    }
  }

Seems this is no longer supported, as the error disappeared as soon as I configured the GOOGLE_APPLICATION_CREDENTIALS environment variable to point to exactly the same SA.

For your reference, we do this with the following values (extraEnv was added to fix this issue) for the helm chart:

  extraEnv:
  - name: GOOGLE_APPLICATION_CREDENTIALS
    value: /vault/sa/key.json
  extraVolumes:
  - name: vault-gcs-sa
    secret:
      secretName: vault-gcs-service-account
  extraVolumeMounts:
  - name: vault-gcs-sa
    mountPath: /vault/sa
    readOnly: true

Our storage account only has the Storage Object Admin permissions.

Maybe this could help you, or the next poor soul googling this error.
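As an added example (not from this thread or the Helm chart itself), a small pre-deploy lint for the values shown above: it checks that GOOGLE_APPLICATION_CREDENTIALS is set and that the path it names lies inside a read-only mount backed by a Kubernetes Secret volume, which is the wiring the post relies on. The sample values and the function name are constructed for illustration.

```python
# Added example, not part of the thread: lint the Helm values wiring for the
# GCS service-account key so the env var, the mount and the Secret volume agree.
from typing import Any, Dict, List

ENV_NAME = "GOOGLE_APPLICATION_CREDENTIALS"


def lint_gcs_credentials(values: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means the wiring is consistent."""
    findings: List[str] = []
    env = {e.get("name"): e.get("value") for e in values.get("extraEnv", [])}
    key_path = env.get(ENV_NAME)
    if not key_path:
        return [f"{ENV_NAME} is not set in extraEnv"]

    mounts = {m["name"]: m for m in values.get("extraVolumeMounts", [])}
    volumes = {v["name"]: v for v in values.get("extraVolumes", [])}

    # The key file must sit under one of the extra mount paths.
    mount = next((m for m in mounts.values()
                  if key_path.startswith(m["mountPath"].rstrip("/") + "/")), None)
    if mount is None:
        return [f"{ENV_NAME}={key_path} is not under any extraVolumeMounts path"]
    if not mount.get("readOnly", False):
        findings.append(f"mount {mount['name']} should be readOnly")

    # That mount must be backed by a Secret volume of the same name.
    volume = volumes.get(mount["name"])
    if volume is None:
        findings.append(f"mount {mount['name']} has no matching extraVolumes entry")
    elif "secret" not in volume:
        findings.append(f"volume {mount['name']} is not backed by a Secret")
    return findings


# Constructed sample mirroring the values posted above.
GOOD_VALUES = {
    "extraEnv": [{"name": ENV_NAME, "value": "/vault/sa/key.json"}],
    "extraVolumes": [{"name": "vault-gcs-sa",
                      "secret": {"secretName": "vault-gcs-service-account"}}],
    "extraVolumeMounts": [{"name": "vault-gcs-sa", "mountPath": "/vault/sa",
                           "readOnly": True}],
}

# Constructed broken variant: the env var points outside the mounted Secret.
BAD_VALUES = {**GOOD_VALUES,
              "extraEnv": [{"name": ENV_NAME, "value": "/etc/vault/key.json"}]}

if __name__ == "__main__":
    print(lint_gcs_credentials(GOOD_VALUES))  # []
    print(lint_gcs_credentials(BAD_VALUES))
```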