I’m quite new to both Vault and GCP and working with their APIs. When I create a service account, I’m granting it project-wide role access. And, if I understand correctly, I could create conditions for those roles to limit it to a particular resource with a particular name structure.
I’m not seeing any way on the Cloud SQL side (in the Console) to limit a particular instance to a particular service account, for use with Cloud SQL Proxy. Should I create a roleset that points to the cloudsqladmin API or perhaps the instance’s self-link? So far, I’ve been using cloudresourcemanager, which seems to make generic SA accounts, not particular to a resource. So, I’m still wrapping my head around specifying resources for a particular API, similar to the docs where they use this as a resource when creating the roleset:
Should I be able to specify something similar for Cloud SQL instances, to limit which instance the GSA is able to access, and are the roles I specify unique to the Cloud SQL Admin API, or would I just use the same roles as if I were using the cloudresourcemanager API?
Can the GCP Secrets engine rotate keys/tokens for an existing GSA?