fix: set policy version appropriately after roleset bindings have changed #93

Merged: 1 commit, Jul 24, 2020

austingebauer
Contributor

Overview

Closes #88

This PR ensures that the IAM policy version returned from getIamPolicy is the same one provided to setIamPolicy after bindings have been changed. The version number was not being copied into the new Policy struct when bindings changed, which led to the error:

Error writing data to gcp/roleset/my-key-roleset: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/gcp/roleset/my-key-roleset
Code: 400. Errors:

* unable to set policy: googleapi: Error 400: Specified policy version (1) cannot be less than the existing policy version (3). For more information, please refer to https://cloud.google.com/iam/docs/policies#versions.

I was able to reproduce the issue and verify the change in this PR fixes it.

Related Issues/Pull Requests

Contributor Checklist

  • Add relevant docs to upstream Vault repository, or sufficient reasoning why docs won’t be added yet
    • No docs needed for this fix
  • Backwards compatible
  • Add output for any tests not run in CI to the PR description (e.g., acceptance tests)
=== RUN   TestIamResource_ServiceAccount
--- PASS: TestIamResource_ServiceAccount (2.02s)
PASS
make test
?       github.com/hashicorp/vault-plugin-secrets-gcp   [no test files]
ok      github.com/hashicorp/vault-plugin-secrets-gcp/plugin    (cached)
ok      github.com/hashicorp/vault-plugin-secrets-gcp/plugin/iamutil    0.315s
?       github.com/hashicorp/vault-plugin-secrets-gcp/plugin/iamutil/internal   [no test files]
ok      github.com/hashicorp/vault-plugin-secrets-gcp/plugin/util       (cached)
?       github.com/hashicorp/vault-plugin-secrets-gcp/scripts/gohelpers [no test files]
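
The failure mode described in this PR, as an added example that is not the plugin's code: a policy rebuilt after a binding change without its version is rejected, while carrying the version over succeeds. The `Policy`, `Binding` and `fakeIAM` types and both helper functions are hypothetical stand-ins, and treating an unset version as 1 is an assumption taken from the "(1)" in the error text.

```go
package main

import "fmt"

// Binding and Policy are simplified, hypothetical stand-ins for the IAM types.
type Binding struct {
	Role    string
	Members []string
}
type Policy struct {
	Bindings []Binding
	Etag     string
	Version  int
}

// fakeIAM models only the server-side rule quoted in the error message.
type fakeIAM struct{ stored Policy }

func (f *fakeIAM) SetIamPolicy(p Policy) error {
	v := p.Version
	if v == 0 {
		v = 1 // assumption: an unset version is treated as 1
	}
	if v < f.stored.Version {
		return fmt.Errorf("specified policy version (%d) cannot be less than the existing policy version (%d)", v, f.stored.Version)
	}
	f.stored = p
	return nil
}

// withBindingBuggy rebuilds the policy after a binding change but drops Version.
func withBindingBuggy(p Policy, b Binding) Policy {
	bindings := append(append([]Binding{}, p.Bindings...), b)
	return Policy{Bindings: bindings, Etag: p.Etag}
}

// withBindingFixed also carries over the version that was read back.
func withBindingFixed(p Policy, b Binding) Policy {
	np := withBindingBuggy(p, b)
	np.Version = p.Version
	return np
}

func main() {
	// Constructed sample state: an existing version 3 policy with no bindings.
	iam := &fakeIAM{stored: Policy{Etag: "constructed-etag", Version: 3}}
	b := Binding{Role: "roles/viewer", Members: []string{"user:alice@example.com"}}
	fmt.Println("buggy:", iam.SetIamPolicy(withBindingBuggy(iam.stored, b)))
	fmt.Println("fixed:", iam.SetIamPolicy(withBindingFixed(iam.stored, b)))
}
```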

austingebauer requested review from emilymye and a team, July 24, 2020 00:22
austingebauer changed the title from "fix: ensure version 3 policy is set after getting a version 3 policy" to "fix: set policy version appropriately after roleset bindings have changed", Jul 24, 2020
austingebauer merged commit c25987d into master, Jul 24, 2020
austingebauer deleted the fix-set-policy-v3 branch, July 24, 2020 18:50
@somethingnew2-0
Contributor

Thank you for fixing this! 🥳

Successfully merging this pull request may close these issues.

Unable to set policy: Specified policy version (1) cannot be less than the existing policy version (3)