Using TF 12 and own cluster, cant parse seal configuration
mdcsaenz opened this issue · 2 comments
What did you expect to happen?
Expected the stateful set to initialize the containers with the service account in place to unseal Vault.
What actually happened?
Instead, I get an error that the service account does not have permissions.
Output
Error parsing Seal configuration: failed to encrypt with GCP CKMS - ensure the key exists and the service account has at least roles/cloudkms.cryptoKeyEncrypterDecrypter permission: rpc error: code = PermissionDenied desc = Permission cloudkms.cryptoKeyVersions.useToEncrypt denied for resource project
Additional context
- I am applying the TF sethvargo/12 for Terraform 12.
- I am applying this to an already-made cluster.
- The vault-server SA has the correct role. Does the SA for Kubernetes need to be something different?
- Put in a namespace called vault, not default.
- Using your image
Any assistance on this would be appreciated, thank you.
> I am applying this to an already-made cluster.
This is most likely your problem. These configurations aren't really designed to be used against an existing cluster. My guess is that the service account that is attached to your GKE nodes is the default Kubernetes service account. These configurations assume that you don't use that account and instead use the custom vault-server SA.
You can try creating a new node pool with the vault-server SA, or you can give the Kubernetes service account access to KMS. However, note that doing so will give any GKE clusters or GCE VMs the ability to decrypt the data, which is not desirable. This is why we use a dedicated service account. Unfortunately, it is not currently possible to replace the service account for a GKE cluster after it's created.
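The fix described in the reply above, written out as an added Terraform example (not code from the sethvargo/vault-on-gke configurations or from this thread): a dedicated `vault-server` service account, a KMS key that only that account can use, and a new node pool on the existing cluster that runs its nodes as that account. The Vault `seal "gcpckms"` stanza at the end is the matching Vault server config. The project, cluster name, location and key names are assumptions for illustration, and the resource arguments assume the google provider 3.x or later. The commented-out `google_kms_crypto_key_iam_member` at the bottom is the alternative the reply warns against: granting the role to the project's default Compute Engine service account, which every node and VM using that account would inherit.

```hcl
# --- terraform: main.tf (added example, assumed names) ---

# Dedicated identity for the Vault nodes. Nothing else should run as this account.
resource "google_service_account" "vault_server" {
  account_id   = "vault-server"
  display_name = "Vault server"
}

resource "google_kms_key_ring" "vault" {
  name     = "vault"   # assumed key ring name
  location = "global"
}

resource "google_kms_crypto_key" "vault_init" {
  name     = "vault-init"   # assumed key name
  key_ring = google_kms_key_ring.vault.id
}

# Bind the role on the key itself, not on the project, and only to the dedicated SA.
# This is the permission the error message asks for:
# roles/cloudkms.cryptoKeyEncrypterDecrypter.
resource "google_kms_crypto_key_iam_member" "vault_init_vault_server" {
  crypto_key_id = google_kms_crypto_key.vault_init.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${google_service_account.vault_server.email}"
}

# The cluster already exists, so look it up rather than creating it. The node
# service account of an existing cluster cannot be changed, but a new node pool
# can run its nodes as any service account.
data "google_container_cluster" "existing" {
  name     = "my-cluster"   # assumed
  location = "us-central1"  # assumed
}

resource "google_container_node_pool" "vault" {
  name       = "vault"
  cluster    = data.google_container_cluster.existing.name
  location   = data.google_container_cluster.existing.location
  node_count = 3

  node_config {
    # Nodes in this pool obtain tokens for vault-server from the metadata server,
    # so the Vault pods scheduled here can reach KMS without a key file.
    service_account = google_service_account.vault_server.email
    # With the broad cloud-platform scope, what the node may do is decided by IAM,
    # i.e. by the single key binding above.
    oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
  }
}

# --- vault: server config (vault.hcl), assumed project id ---
# seal "gcpckms" {
#   project    = "my-project"
#   region     = "global"
#   key_ring   = "vault"
#   crypto_key = "vault-init"
# }

# --- the alternative the reply warns against (do NOT apply) ---
# Granting the role to the default Compute Engine SA lets every GKE node and GCE
# VM in the project that runs as that account unwrap Vault's master key.
# resource "google_kms_crypto_key_iam_member" "vault_init_default_compute" {
#   crypto_key_id = google_kms_crypto_key.vault_init.id
#   role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
#   member        = "serviceAccount:${data.google_project.current.number}-compute@developer.gserviceaccount.com"
# }
```

Two checks worth running before unsealing: `gcloud container node-pools describe vault --cluster my-cluster --region us-central1 --format='value(config.serviceAccount)'` should print the vault-server address, and `gcloud kms keys get-iam-policy vault-init --keyring vault --location global` should list only that account under `roles/cloudkms.cryptoKeyEncrypterDecrypter`. The Vault pods also need to be scheduled onto the new pool (a node selector on the pool's label or a dedicated taint/toleration), otherwise they still run on the original nodes with the original service account and the same PermissionDenied error returns.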
Yes, that was exactly the issue; very much appreciate your response and the work you put out there!