I have a Vault server running. I’ve enabled and configured the GCP secrets engine using the Vault CLI tool.
$ vault secrets enable gcp
Success! Enabled the gcp secrets engine at: gcp/
$ vault write gcp/config credentials=@my-service-ac-credentials.json
Success! Data written to: gcp/config
Then I’ve configured a roleset by using,
$ vault write gcp/roleset/my-token-roleset \
project="my-project" \
secret_type="access_token" \
token_scopes="https://www.googleapis.com/auth/cloud-platform" \
bindings=-<<EOF
resource "//cloudresourcemanager.googleapis.com/projects/my-project" {
roles = ["roles/viewer"]
}
EOF
On creation of a roleset, the Vault server creates a Google service account on my-project with the given bindings.
But when I delete the roleset from Vault by using,
$ vault delete gcp/roleset/my-token-roleset
Success! Data deleted (if it existed) at: gcp/roleset/my-token-roleset
the Google service account is still there. Is this expected behavior? If it is, how do I delete the created Google service account along with the deletion of the GCP roleset in Vault?
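One way to make the cleanup verifiable from the GCP side, as an added example that is not part of the original question and not Vault's own tooling: record which service account the roleset owns before deleting it, delete the roleset, then ask GCP (not Vault) whether the account is still there and remove it explicitly if it is. This assumes `vault read -format=json gcp/roleset/<name>` returns a `data` object carrying `service_account_email` and `service_account_project`, and that `gcloud` is authenticated as a principal allowed to describe and delete service accounts in that project; the function and variable names are the example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or from Vault/Google.
# Assumptions: `vault read -format=json <mount>/roleset/<name>` returns JSON whose
# "data" object has "service_account_email" and "service_account_project";
# `gcloud` is authenticated with permission to describe/delete service accounts.
set -eu

# Extract a string field from Vault's JSON output with sed only (no jq needed).
# Assumes the field value contains no double quotes, which holds for emails
# and project IDs. Prints an empty string when the field is absent.
vault_data_field() {
  field_json="$1"
  field_name="$2"
  printf '%s\n' "$field_json" \
    | sed -n "s/.*\"${field_name}\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Delete a roleset, then confirm against GCP that its service account is gone;
# if the account survived the roleset deletion, delete it explicitly so no
# orphaned identity with the roleset's IAM bindings is left behind.
delete_roleset_and_sa() {
  roleset="$1"
  mount="${2:-gcp}"

  roleset_json=$(vault read -format=json "$mount/roleset/$roleset")
  sa_email=$(vault_data_field "$roleset_json" service_account_email)
  sa_project=$(vault_data_field "$roleset_json" service_account_project)
  if [ -z "$sa_email" ] || [ -z "$sa_project" ]; then
    echo "roleset $roleset: no service_account_email/project in Vault output" >&2
    return 1
  fi

  vault delete "$mount/roleset/$roleset"

  # Check GCP directly: once the roleset is gone, Vault no longer knows the account.
  if gcloud iam service-accounts describe "$sa_email" --project "$sa_project" >/dev/null 2>&1; then
    echo "$sa_email still exists after deleting roleset $roleset; removing it" >&2
    gcloud iam service-accounts delete "$sa_email" --project "$sa_project" --quiet
  else
    echo "$sa_email is already gone" >&2
  fi
}

# Usage (requires a reachable Vault server and an authenticated gcloud):
#   delete_roleset_and_sa my-token-roleset gcp
```

Reading the roleset first matters because the email is only retrievable from Vault while the roleset exists; afterwards the only record of which account to clean up is what you saved. Deleting the account also revokes any IAM bindings granted to it, which is the residue you actually want gone.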