
Ineffective GCP IAM roleset for specific BigQuery dataset resource #10923

Closed
anguskktsang opened this issue Feb 16, 2021 · 0 comments · Fixed by hashicorp/vault-plugin-secrets-gcp#130
Labels: bug (Used to indicate a potential bug), ecosystem, secret/gcp

anguskktsang commented Feb 16, 2021

Describe the bug
Created a gcp/roleset on a specific BigQuery dataset resource and received a success prompt from the Vault CLI.
However, the created GCP service account wasn't granted the expected IAM role (permission).

To Reproduce
Steps to reproduce the behavior:

  1. Run

```shell
vault write gcp/roleset/<some-gcp-roleset-to-create> \
    project="<some-gcp-project>" \
    secret_type="service_account_key" \
    bindings=-<<EOF
      resource "//bigquery.googleapis.com/projects/<some-gcp-project>/datasets/<some-bigquery-dataset>" {
        roles = [
          "roles/bigquery.admin",
        ]
      }
EOF
```

     to create a gcp/roleset with a role bound to a specific BigQuery dataset.

  2. Received a success prompt from the Vault CLI:

```
Success! Data written to: gcp/roleset/<some-gcp-roleset-to-create>
```

Expected behavior
A. Expect the underlying GCP service account associated with the created gcp/roleset to be able to create a BigQuery table in the specified BigQuery dataset.
B. The 'Dataset permissions' tab of the specified BigQuery dataset in the GCP console shows the service account with the specified role, i.e. "roles/bigquery.admin".
Ref: https://cloud.google.com/bigquery/docs/dataset-access-controls#granting_access_to_a_dataset

Environment:

  • Vault Server Version (retrieve with vault status): 1.6.1
  • Vault CLI Version (retrieve with vault version): Vault v1.6.1 (6d2db3f033e02e70202bef9ec896360062b88b03)
  • Server Operating System/Architecture: Debian GNU/Linux 10 (buster)

Vault server configuration file(s):

```hcl
ui = true

storage "gcs" {
  bucket     = "<some-gcp-bucket>"
  ha_enabled = "true"
}

# HTTPS listener
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}

api_addr = "http://127.0.0.1:8200"
cluster_addr = "https://127.0.0.1:8201"
```

Additional context
I have been working fine with the GCP project-level specification, i.e.
//cloudresourcemanager.googleapis.com/projects/<some-gcp-project>

```shell
vault write gcp/roleset/<some-gcp-roleset-to-create> \
    project=<some-gcp-project> \
    secret_type="service_account_key" \
    bindings=-<<EOF
    resource "//cloudresourcemanager.googleapis.com/projects/<some-gcp-project>" {
        roles = [
          "roles/bigquery.admin"
        ]
      }
EOF
```
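The check a practitioner would run after the `Success!` prompt, as an added example that is not part of this issue or of Vault's code: parse the dataset's access list (the `access` array of the BigQuery `datasets.get` response, e.g. from `bq show --format=prettyjson <project>:<dataset>`) and confirm the roleset's service account actually holds the expected role, so that the bug reported here is caught by verification rather than trusted from the CLI message. The OWNER/WRITER/READER-to-IAM-role mapping is the documented legacy alias mapping; the sample dataset and account names are constructed.

```python
# Legacy dataset ACL names and the IAM roles they correspond to.
LEGACY_ROLE_ALIASES = {
    "OWNER": "roles/bigquery.dataOwner",
    "WRITER": "roles/bigquery.dataEditor",
    "READER": "roles/bigquery.dataViewer",
}

def normalize_role(role: str) -> str:
    """Map a legacy OWNER/WRITER/READER entry to its IAM role name."""
    return LEGACY_ROLE_ALIASES.get(role, role)

def entry_principal(entry: dict) -> str:
    """E-mail of the account an access entry names (userByEmail or
    iamMember 'serviceAccount:<email>'), lower-cased; '' for other kinds."""
    if "userByEmail" in entry:
        return entry["userByEmail"].lower()
    member = entry.get("iamMember", "")
    if member.startswith("serviceAccount:"):
        return member.split(":", 1)[1].lower()
    return ""

def roles_for_account(dataset: dict, sa_email: str) -> set:
    """Every normalized role the dataset ACL grants to sa_email."""
    wanted = sa_email.lower()
    return {
        normalize_role(e["role"])
        for e in dataset.get("access", [])
        if "role" in e and entry_principal(e) == wanted
    }

def verify_binding(dataset: dict, sa_email: str, expected_role: str) -> str:
    """'granted', 'wrong_role' or 'missing' for the roleset's service account."""
    held = roles_for_account(dataset, sa_email)
    if not held:
        return "missing"  # the failure mode reported in this issue
    return "granted" if normalize_role(expected_role) in held else "wrong_role"

# Constructed sample in the shape of `bq show --format=prettyjson` output:
# the Vault-created account (VAULT_SA below) has no entry at all.
SAMPLE_DATASET = {
    "access": [
        {"role": "OWNER", "specialGroup": "projectOwners"},
        {"role": "WRITER", "userByEmail": "analyst@example.com"},
        {"role": "roles/bigquery.dataViewer",
         "iamMember": "serviceAccount:reader@example-project.iam.gserviceaccount.com"},
    ],
}
VAULT_SA = "vaultexample-1234@example-project.iam.gserviceaccount.com"
```

Run `verify_binding(SAMPLE_DATASET, VAULT_SA, "roles/bigquery.admin")` against a freshly created roleset's account; anything other than `granted` means the IAM binding did not land regardless of what the CLI printed.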