
issue with gcp artifact registry roleset: unsupported resource type

Open artifact-reg opened this issue 4 years ago • 8 comments

Hello, I am trying to add permission at the Artifact Registry repository level using a Vault roleset. I got "unsupported resource type". Thanks for your support and best regards.

    cat bind.hcl
    resource "https://artifactregistry.googleapis.com/v1beta2/projects/prj-id/locations/europe-west1/repositories/test123" {
      roles = ["roles/artifactregistry.reader"]
    }

    ./vault write gcp/roleset/my-token-roleset project="prj-id" secret_type="access_token" token_scopes="https://www.googleapis.com/auth/cloud-platform" bindings=@bind.hcl
    Error writing data to gcp/roleset/my-token-roleset: Error making API request.

    URL: PUT http://127.0.0.1:8200/v1/gcp/roleset/my-token-roleset
    Code: 400. Errors:

    invalid resource "https://artifactregistry.googleapis.com/v1beta2/projects/prj-id/locations/europe-west1/repositories/test123": unsupported resource type: projects/locations/repositories

Mar 29 '21 09:03 artifact-reg

Hi there, we're facing the same problem when trying to create a roleset in combination with an Artifact Registry. Did you find any solution to that? BR

Apr 23 '21 09:04 MarvinMuuss

Hi, no solution yet. But as a workaround:

  • created a service account sa1 that has permission on the Artifact Registry repository
  • created a roleset that has permission to impersonate this service account (serviceaccounttokencreator on sa1)

Best regards

Apr 23 '21 13:04 artifact-reg

Hello,

The issue here is that the auto-generated list of API resources that support SetIAMPolicy/GetIAMPolicy needs to be updated via a make update-resources after cloning and bootstrapping of the GCP plugin repo here. There's a small blurb about it here.

I'll submit a PR for this which will close this bug.

May 06 '21 22:05 shanerade
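The rejection described in this thread can be modelled as a lookup of the resource's collection path in a fixed list. The following is an added illustration, not code from the Vault GCP plugin: the function names and the contents of `supportedTypes` are constructed assumptions, and only the self-link and the resulting type string come from the issue report.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed stand-in for the generated list of IAM-capable resource types.
var supportedTypes = map[string]bool{"projects": true, "projects/serviceAccounts": true}

// resourceType drops the API version and every resource ID from a self-link,
// keeping only the collection names.
func resourceType(selfLink string) (string, error) {
	u, err := url.Parse(selfLink)
	if err != nil {
		return "", err
	}
	segs := strings.Split(strings.Trim(u.Path, "/"), "/")
	if v := segs[0]; len(v) >= 2 && v[0] == 'v' && v[1] >= '0' && v[1] <= '9' {
		segs = segs[1:] // leading segment is a version such as v1 or v1beta2
	}
	if len(segs) == 0 || len(segs)%2 != 0 {
		return "", fmt.Errorf("malformed resource path %q", u.Path)
	}
	var collections []string
	for i := 0; i < len(segs); i += 2 {
		collections = append(collections, segs[i])
	}
	return strings.Join(collections, "/"), nil
}

// checkBinding rejects a resource whose type is missing from the list, so a
// stale list blocks a binding even when the API itself supports IAM policies.
func checkBinding(selfLink string) error {
	typ, err := resourceType(selfLink)
	if err != nil {
		return err
	}
	if !supportedTypes[typ] {
		return fmt.Errorf("unsupported resource type: %s", typ)
	}
	return nil
}

func main() {
	// Self-link from the issue report.
	fmt.Println(checkBinding("https://artifactregistry.googleapis.com/v1beta2/projects/prj-id/locations/europe-west1/repositories/test123"))
}
```

Adding `projects/locations/repositories` to the constructed list makes the same binding pass, which mirrors the effect of regenerating the resource list.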

Hello, thanks shanerade. Please can you estimate the time to get a patch released? Will this patch be available for all supported Vault versions? Best regards

May 13 '21 19:05 artifact-reg

@shanerade, why was the pull request closed?

Nov 25 '22 09:11 verdel

@shanerade Any news here?

Feb 29 '24 10:02 n3ph

Please note that @shanerade is not a member of the HashiCorp organization. If someone would like to submit a PR, we can take a look at it. Thank you!

Mar 21 '24 21:03 heatherezell