HashiCorp Discuss

Vault policy for GCP Secrets Engine

noobfromvn April 4, 2022, 10:32am 1

Hi all,

I’ve just setup Vault to manage the GCP service accounts. Now, I want to create a policy that permit user using this GCP secrets engine. But user cannot get GCP service account key.

Step: Google Cloud - Secrets Engines | Vault by HashiCorp

Policy:

# List, create, update, and delete gcp secrets
path "gcp/static-account/xxxx" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

This is CURL command

curl -sk --header "X-Vault-Token: ${VAULT_TOKEN}" ${VAULT_ADDR}/v1/gcp/static-account/${GCP_ACCOUNT}/key
{"errors":["1 error occurred:\n\t* permission denied\n\n"]}

I don’t know why user get permission denied.

jeffsanicola April 4, 2022, 12:33pm 2

You probably need to change the path to gcp/static-account/xxxx/key.

Capabilities should only need "read".

The API docs are helpful in determining the needed paths: Google Cloud - Secrets Engines - HTTP API | Vault by HashiCorp

1 Like

Topic		Replies	Views	Activity
GCP Secrets Engine : Managing Key Rotation for existing service accounts Vault	1	710	March 10, 2020
HCSEC-2021-28 - Vault's Google Cloud Secrets Engine Policies With Globs May Provide Additional Privileges in Vault 1.8.0 Onwards Security security-vault	0	7248	October 7, 2021
Not understanding Vault policies for secret paths Vault	8	2734	June 7, 2021
Vault to grant temp access to GCP web interface Vault	0	247	February 2, 2021
Authentication issues with GCP secrets engine impersonated account path Vault vault	0	213	March 20, 2024