What happens when we delete the gcp roleset in vault?

I have a vault server running. I’ve enabled and configured GCP secret engine by using the vault CLI tool.

$ vault secrets enable gcp
Success! Enabled the gcp secrets engine at: gcp/

$ vault write gcp/config credentials=@my-service-ac-credentials.json
Success! Data written to: gcp/config

Then I’ve configured a roleset by using,

$ vault write gcp/roleset/my-token-roleset \
    project="my-project" \
    secret_type="access_token"  \
    token_scopes="https://www.googleapis.com/auth/cloud-platform" \
    bindings=-<<EOF
      resource "//cloudresourcemanager.googleapis.com/projects/my-project" {
        roles = ["roles/viewer"]
      }
    EOF

On creation of a roleset, the vault server creates a Google service account on my-project with the given bindings.

But when I delete the roleset from vault by using,

$ vault delete gcp/roleset/my-token-roleset
Success! Data deleted (if it existed) at: gcp/roleset/my-token-roleset

the Google service account is still there. Is this expected behavior? If it is, how do I delete the created Google service account along with the gcp roleset in vault?

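As an added example (not part of the original post), this is the post-deletion check a defender would want after `vault delete`: a shell function that compares the rolesets Vault still knows about with the project's service accounts and prints the accounts that look Vault-generated but no longer have a live roleset, so an orphaned privileged identity does not go unnoticed. It assumes Vault names roleset service accounts `vault<roleset-name>-<unix-timestamp>` (with the roleset part truncated to fit GCP's account-id length limit); `check_project` is a hypothetical wrapper around real `vault` and `gcloud` invocations and the sample data in the comments is constructed.

```shell
#!/bin/sh
# Detect GCP service accounts left behind after a Vault gcp roleset is deleted.
# Assumption (not from the original post): Vault names the account it creates
# for a roleset "vault<roleset-name>-<unix-timestamp>", truncating the roleset
# part so the account id stays within GCP's length limit.
set -eu

# find_orphaned_sas ROLESETS EMAILS
#   ROLESETS: whitespace-separated roleset names still present in Vault
#   EMAILS:   whitespace-separated service-account emails from the project
# Prints each Vault-style account whose roleset no longer exists.
find_orphaned_sas() {
  rolesets="$1"
  emails="$2"
  for email in $emails; do
    id="${email%%@*}"
    # Only accounts shaped like "vault<name>-<digits>" are candidates.
    case "$id" in vault*-[0-9]*) ;; *) continue ;; esac
    stem="${id%-*}"            # drop the "-<timestamp>" suffix
    found=0
    for live in $rolesets; do
      # A live roleset matches if "vault<roleset>" starts with the (possibly
      # truncated) stem, e.g. stem "vaultmy-token-rol" vs "my-token-roleset".
      case "vault$live" in "$stem"*) found=1; break ;; esac
    done
    [ "$found" -eq 0 ] && printf '%s\n' "$email"
  done
  return 0
}

# Hypothetical live wrapper (needs an authenticated vault CLI and gcloud).
# Example constructed output for project my-project:
#   vaultdeleted-role-1600000000@my-project.iam.gserviceaccount.com
check_project() {
  project="$1"
  # vault list -format=json prints a JSON array; names contain no quotes/commas.
  live=$(vault list -format=json gcp/rolesets | tr -d '[]",')
  emails=$(gcloud iam service-accounts list --project "$project" --format='value(email)')
  find_orphaned_sas "$live" "$emails"
}
```

Review anything `check_project` prints before removing it; an account matched only by prefix still deserves a look at its display name and key list in the GCP console.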

Were you able to find out the answer to your question?

I have the same concern and haven’t found an answer.