Vault policy for GCP Secrets Engine

Hi all,

I’ve just setup Vault to manage the GCP service accounts. Now, I want to create a policy that permit user using this GCP secrets engine. But user cannot get GCP service account key.

Step: Google Cloud - Secrets Engines | Vault by HashiCorp


# List, create, update, and delete gcp secrets
path "gcp/static-account/xxxx" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]

This is CURL command

curl -sk --header "X-Vault-Token: ${VAULT_TOKEN}" ${VAULT_ADDR}/v1/gcp/static-account/${GCP_ACCOUNT}/key
{"errors":["1 error occurred:\n\t* permission denied\n\n"]}

I don’t know why user get permission denied.

You probably need to change the path to gcp/static-account/xxxx/key.

Capabilities should only need "read".

The API docs are helpful in determining the needed paths: Google Cloud - Secrets Engines - HTTP API | Vault by HashiCorp

1 Like