
403 Permission Denied when trying to read Secrets from Vault using GCP IAM auth

I am using the GCP IAM auth method to authenticate against Vault. I followed the steps suggested in vault gcp auth to authenticate using a Service Account.

I was able to authenticate and log in successfully. But when I try to read the secrets from the specified path, it says permission denied.

$vi test-policy.hcl

path "secret/test/*" {
  capabilities = ["read"]
}

I have the below roles assigned to my Service Account.

  1. Service Account Admin
  2. Service Account Key Admin
  3. Service Account Token Creator

vault kv get secret/test/awskeys
Error reading secret/data/test/awskeys: Error making API request.

URL: GET http://127.0.0.1:8200/v1/secret/data/test/awskeys
Code: 403. Errors:

* 1 error occurred:
* permission denied

I have the same issue using the spring-cloud-vault application as well. Is there any role I missed assigning to this Service Account, or am I setting the policy wrong?

Note: Vault Server is setup on AWS.

It was the policy setting. I updated it to the below and it worked! A specific path instead of *.

path "secret/data/test/awskeys" {
  capabilities = ["read"]
}
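The reason the first policy fails is visible in the error URL: the KV v2 engine mounted at `secret/` serves reads under `secret/data/...`, so a policy on `secret/test/*` never matches the request path. The following added example (not code from the question, the answer or Vault itself, only a simplified model of Vault's ACL path matching) shows that path translation and checks both policies against it; it also shows the glob form `secret/data/test/*` that would cover the whole `test/` subtree rather than one key. The names `kv2_data_path`, `allowed` and the policy dicts are constructed for this illustration.

```python
"""Simplified model of Vault ACL path matching (not Vault's own code),
showing why "secret/test/*" never matches a KV v2 read of test/awskeys."""

# Constructed policies for this example.
ORIGINAL_POLICY = {"secret/test/*": ["read"]}
FIXED_POLICY = {
    "secret/data/test/*": ["read"],               # KV v2 data reads
    "secret/metadata/test/*": ["read", "list"],   # needed for `vault kv list`
}


def kv2_data_path(mount: str, key: str) -> str:
    """KV v2 inserts 'data/' after the mount: `vault kv get secret/test/awskeys`
    is really GET /v1/secret/data/test/awskeys, as the 403 error URL shows."""
    return f"{mount.strip('/')}/data/{key.strip('/')}"


def _path_matches(pattern: str, request: str) -> bool:
    """Vault rules (simplified): a trailing '*' is a prefix glob, '+' matches
    exactly one path segment, everything else must match literally."""
    pat = pattern.split("/")
    req = request.split("/")
    for i, seg in enumerate(pat):
        if i >= len(req):
            return False          # request is shorter than the pattern
        last = i == len(pat) - 1
        if last and seg.endswith("*"):
            return req[i].startswith(seg[:-1])   # glob covers the rest
        if seg == "+":
            continue              # any single segment
        if seg != req[i]:
            return False
    return len(pat) == len(req)   # no glob: lengths must match exactly


def allowed(policy: dict, request: str, capability: str) -> bool:
    """The most specific (longest) matching policy path decides, as in Vault;
    an explicit 'deny' always wins over other capabilities."""
    matches = [p for p in policy if _path_matches(p, request)]
    if not matches:
        return False
    caps = policy[max(matches, key=len)]
    return "deny" not in caps and capability in caps


if __name__ == "__main__":
    req = kv2_data_path("secret", "test/awskeys")
    print(req, "original:", allowed(ORIGINAL_POLICY, req, "read"),
          "fixed:", allowed(FIXED_POLICY, req, "read"))
```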
