terraform-google-modules/terraform-google-vault

GCP secrets engine permissions and project level permissions

jasonbisson opened this issue · 3 comments

The Service Account Admin role applies to the resource level only, and project-level permissions will fail for resourcemanager.projects.setIamPolicy and resourcemanager.projects.getIamPolicy.

https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts/setIamPolicy

REQUIRED: The complete policy to be applied to the resource. The size of the policy is limited to a few 10s of KB. An empty policy is a valid policy but certain Cloud Platform services (such as Projects) might reject them.

I validated "roles/resourcemanager.projectIamAdmin" has the minimal (3) permissions required to remove and add roles at project level. I know it's a powerful role, but I don't see an alternative if project-level grants are needed.

In fact you'll likely need even Org level permissions if you'd like to use the GCP Secrets engine outside the project that Vault lives in. Have a look at this repo where I demo how to use this module with the GCP secrets engine. This isn't really a bug with the terraform-google-vault module though.

The expectation is that any necessary additional roles should be added outside the module since we cannot assume which Vault plugins users choose. Please let me know if this helps.

Good point about going up to the org level, and thanks for the link to your repo. I think the module is great at standing up the infrastructure, but using Vault to generate GCP service account keys was a gap for me. Fair point that you can't provide options for all the plugins.
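The following is an added example, not code from the terraform-google-vault module or from anyone in this thread, showing the pattern the maintainer describes: the extra project-level grant is made outside the module, and the Vault GCP secrets engine is then configured with a roleset whose binding lives at project scope. The variable names `vault_sa_email` and `target_project_id`, the mount path `gcp`, and the roleset name `project-viewer` are assumptions made for the example; the Terraform Vault provider is assumed to be configured against the running Vault cluster, and the Vault VMs are assumed to run as `vault_sa_email` so no JSON credential needs to be passed to the secrets engine.

```hcl
# Added example; not part of terraform-google-vault or of the GitHub issue above.
# Assumed inputs (not defined anywhere in the original discussion).
variable "vault_sa_email" {
  description = "Service account the Vault VMs run as (assumed output of the module deployment)"
  type        = string
}

variable "target_project_id" {
  description = "Project in which Vault will create service accounts and project-level bindings"
  type        = string
}

# 1. Grants added OUTSIDE the module, as the maintainer suggests.
#    roles/iam.serviceAccountAdmin lets Vault create and delete the roleset's
#    service accounts, but it does not carry
#    resourcemanager.projects.getIamPolicy / setIamPolicy, so a project-level
#    binding in a roleset would fail with only that role.
resource "google_project_iam_member" "vault_sa_admin" {
  project = var.target_project_id
  role    = "roles/iam.serviceAccountAdmin"
  member  = "serviceAccount:${var.vault_sa_email}"
}

# Needed for secret_type = "service_account_key" (key create/delete).
resource "google_project_iam_member" "vault_sa_key_admin" {
  project = var.target_project_id
  role    = "roles/iam.serviceAccountKeyAdmin"
  member  = "serviceAccount:${var.vault_sa_email}"
}

# The role the issue settles on for project-level bindings. It is powerful:
# whoever holds it can rewrite the project's IAM policy. If the roleset must
# bind on projects other than the one Vault lives in, this grant has to be
# made on each of those projects (or at folder/org level), which is the
# "org level" point raised in the thread.
resource "google_project_iam_member" "vault_project_iam_admin" {
  project = var.target_project_id
  role    = "roles/resourcemanager.projectIamAdmin"
  member  = "serviceAccount:${var.vault_sa_email}"
}

# 2. Vault side: mount the GCP secrets engine. No `credentials` argument is
#    set, so Vault uses the GCE instance service account (assumed above).
resource "vault_gcp_secret_backend" "gcp" {
  path                      = "gcp"
  default_lease_ttl_seconds = 3600
  max_lease_ttl_seconds     = 86400
}

# 3. A roleset that hands out short-lived service account keys bound to
#    roles/viewer at project scope. Creating this roleset is what triggers the
#    setIamPolicy call on the project, i.e. the call that fails without
#    roles/resourcemanager.projectIamAdmin.
resource "vault_gcp_secret_roleset" "project_viewer" {
  backend     = vault_gcp_secret_backend.gcp.path
  roleset     = "project-viewer"
  secret_type = "service_account_key"
  project     = var.target_project_id

  binding {
    resource = "//cloudresourcemanager.googleapis.com/projects/${var.target_project_id}"
    roles    = ["roles/viewer"]
  }

  depends_on = [
    google_project_iam_member.vault_sa_admin,
    google_project_iam_member.vault_sa_key_admin,
    google_project_iam_member.vault_project_iam_admin,
  ]
}
```

The `depends_on` is deliberate: the roleset is created during `terraform apply` by calling GCP through Vault, so the IAM grants must already exist or the apply fails on the first run with the same setIamPolicy error described in the issue. Keep `max_lease_ttl_seconds` short, since each key Vault issues is a long-lived credential until the lease expires and Vault deletes it.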