
[gcp][cross-project] Vault doesn't set permissions for roleset ServiceAccount #140

Open
swapzero opened this issue May 25, 2022 · 1 comment

Comments

@swapzero

swapzero commented May 25, 2022

Doesn't work

Project A:

  • Vault is running in GKE (workload identity setup)
  • Vault ServiceAccount has roles/owner permissions in Project B
  • terraform is used to set up
    • vault_gcp_secret_backend (no credentials specified, relying on workload identity)
    • vault_gcp_secret_roleset in Project B

Result:

  • the ServiceAccount for the roleset is created in Project B
  • the ServiceAccount key for the above is created in Project B
  • ❗ the permission specified in bindings is not granted to the roleset ServiceAccount

Works

Same as above except:

  • a ServiceAccount is created in Project B (roles/owner)
  • a ServiceAccount Key is created for the above
  • vault_gcp_secret_backend (terraform) is created using credentials set to the above SA key
  • vault_gcp_secret_roleset created just like in the first scenario

Result:

  • the role specified in the roleset bindings is now added to the roleset SA

We checked GCP logs and we figured out that in the scenario that doesn't work, there is no attempt to call SetIamPolicy like in the scenario that works.

Any help with this is appreciated :).

Thanks!

LE: Vault is 1.9.3
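The symptom reported above (roleset ServiceAccount created in Project B, key issued, but no binding applied) can be confirmed from Project B's IAM policy. The following check is an added example and is not code from Vault, the Terraform provider, or the issue reporter: it parses the JSON that `gcloud projects get-iam-policy PROJECT_B --format=json` prints and lists the roles the roleset declares but the roleset SA does not hold. The project ids, SA emails, and both sample policies are constructed to mirror the two scenarios in the report.

```python
"""Check whether a Vault GCP roleset service account actually holds the roles
its bindings declare, using a project's IAM policy as JSON.

Added example for this issue; not part of Vault or the Terraform provider.
All project ids, emails, roles and etags below are constructed.
"""
import json


def roles_for_member(policy: dict, member: str) -> set:
    """Return the set of roles bound to `member` (e.g. 'serviceAccount:x@y') in an IAM policy."""
    return {
        binding["role"]
        for binding in policy.get("bindings", [])
        if member in binding.get("members", [])
    }


def missing_roleset_roles(policy: dict, sa_email: str, expected_roles) -> list:
    """Roles the roleset's bindings declare that the roleset SA is NOT granted at project level.

    An empty list means the binding was applied (the 'Works' scenario);
    a non-empty list reproduces the 'Doesn't work' scenario from the report.
    """
    member = f"serviceAccount:{sa_email}"
    return sorted(set(expected_roles) - roles_for_member(policy, member))


# Constructed: the roleset SA Vault created in Project B and the role its
# vault_gcp_secret_roleset binding asks for.
ROLESET_SA = "vaultmyroleset-1653000000@project-b.iam.gserviceaccount.com"
EXPECTED_ROLES = ["roles/viewer"]

# Constructed sample of Project B's policy in the failing scenario: Vault's own
# workload-identity SA from Project A is owner, but no SetIamPolicy call was
# ever made for the roleset SA, so it appears in no binding.
PROJECT_B_POLICY_BROKEN = json.loads("""{
  "bindings": [
    {"role": "roles/owner",
     "members": ["serviceAccount:vault@project-a.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXconstructed=",
  "version": 1
}""")

# Constructed sample of Project B's policy in the working scenario: the
# roleset SA received the declared role.
PROJECT_B_POLICY_OK = json.loads("""{
  "bindings": [
    {"role": "roles/owner",
     "members": ["serviceAccount:vault-sa@project-b.iam.gserviceaccount.com"]},
    {"role": "roles/viewer",
     "members": ["serviceAccount:vaultmyroleset-1653000000@project-b.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXconstructed=",
  "version": 1
}""")


if __name__ == "__main__":
    for label, policy in (("broken", PROJECT_B_POLICY_BROKEN), ("ok", PROJECT_B_POLICY_OK)):
        missing = missing_roleset_roles(policy, ROLESET_SA, EXPECTED_ROLES)
        status = "binding missing" if missing else "binding present"
        print(f"{label}: {status} {missing}")
```

To run it against a real project, replace the constructed policies with `json.load()` of the `gcloud projects get-iam-policy` output and set `ROLESET_SA` to the email Vault reports for the roleset; a non-empty result for a freshly created roleset matches the behaviour described in this issue and is worth cross-checking against the Project B audit log for `SetIamPolicy` entries, as the reporter did.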

@fairclothjm
Contributor

Hello! Is there any recent update on this issue? Are you still experiencing this issue?
