How to use workload identity to unseal the vault without providing service account keys #459

Closed
PayalSasmal10 opened this issue Feb 15, 2021 · 3 comments
Labels
bug Something isn't working

Comments

PayalSasmal10 commented Feb 15, 2021

I am trying to launch Vault with Workload Identity so that I don't have to mount a service account key.
Below are the steps I followed:

  1. Enabled Workload Identity
  2. Created service account vault-test
  3. Created a key ring and crypto key called vault-keyring and vault-key
  4. Created a role vaultunseal with the permissions below

gcloud iam roles create vaultunseal --project=PROJECT-NAME \
  --permissions=cloudkms.cryptoKeyVersions.useToEncrypt,cloudkms.cryptoKeyVersions.useToDecrypt,cloudkms.cryptoKeys.get

  5. Attached the role to that same service account

gcloud kms keyrings add-iam-policy-binding vault-keyring \
  --location=us-east4 \
  --member=serviceAccount:[email protected] \
  --role=projects/PROJECT-NAME/roles/vaultunseal

  6. Enabled Workload Identity for the service account using the command below

gcloud iam service-accounts add-iam-policy-binding [email protected] \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT-NAME.svc.id.goog[KUBE-NAMESPACE/KUBE-VAULT-SERVICE-ACCOUNT-NAME]"

  7. Here is what my values.yaml file looks like
global:
  enabled: true
  image: "vault:1.2.3"

server:
  extraEnvironmentVars:
    GOOGLE_REGION: us-east4
    GOOGLE_PROJECT: PROJECT-NAME

  serviceaccount:
    annotations:
      iam.gke.io/gcp-service-account: vault-test@PROJECT_NAME.iam.gserviceaccount.com

  ha:
    enabled: true
    replicas: 3

    config: |
      ui = true

      listener "tcp" {
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }

      seal "gcpckms" {
        project     = "PROJECT-NAME"
        region      = "us-east4"
        key_ring    = "vault-keyring"
        crypto_key  = "vault-key"
      }

      storage "etcd" {
        path = "vault"
        ha_enabled = "true"
      }

But I am getting the error below:
2021-02-15T10:47:09.088Z [WARN] failed to unseal core: error="stored unseal keys are supported, but none were found"
2021-02-15T10:47:14.088Z [INFO] core: stored unseal keys supported, attempting fetch
2021-02-15T10:47:14.092Z [WARN] failed to unseal core: error="stored unseal keys are supported, but none were found"

I know this error comes because the KMS keys and key ring are not correct, but I don't know where I am making a mistake here.

I followed issue #77 for reference but could not resolve it. I went to the document @jasonodonnell provided in that link, but it did not help me either.

Could anyone please help me here?

PayalSasmal10 added the label bug (Something isn't working) on Feb 15, 2021

PayalSasmal10 (author) commented:

Never mind, we resolved this. For anyone's future reference: you have to provide roles/cloudkms.admin to your GSA service account, then it will work.

brettcurtis commented:

Just some detail on what we are seeing here. On first run with roles/cloudkms.cryptoKeyEncrypterDecrypter we fail with:

"Error parsing Seal configuration: error checking key existence: rpc error: code = PermissionDenied desc = Permission 'cloudkms.cryptoKeys.get' denied on resource

roles/cloudkms.admin does have this permission, but so does roles/cloudkms.viewer.

So with roles/cloudkms.viewer and roles/cloudkms.cryptoKeyEncrypterDecrypter we are able to run `vault operator init` and use auto-unseal.

The docs are off too; they point to a repo that uses roles/owner on the key.

BorysekOndrej commented:

Thank you Payal and Brett, the info from you has helped me resolve the same issue.

One small update for anyone who finds this issue in future: the Vault Helm chart uses the capitalization serviceAccount, not serviceaccount as Payal originally wrote. The template is case-sensitive.

server:
  serviceAccount:
    annotations:
      iam.gke.io/gcp-service-account: vault-test@PROJECT_NAME.iam.gserviceaccount.com
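Pulling the thread together, here is an added example script (not code from the issue or from the vault-helm project) that performs the steps from the original post with least-privilege grants, the permission set Brett identified, and a check for the serviceAccount capitalization Ondrej pointed out. PROJECT-NAME, us-east4, vault-keyring, vault-key, vault-test, vaultunseal and KUBE-NAMESPACE/KUBE-VAULT-SERVICE-ACCOUNT-NAME are the issue's own placeholders; deploy/vault as the workload name and the dry-run-by-default behaviour are my assumptions. It assumes Workload Identity is already enabled on the cluster (step 1) and that the chart creates and annotates the Kubernetes service account from values.yaml.

```shell
#!/usr/bin/env bash
# Added example, not code from the issue or the vault-helm chart.
# Least-privilege GCP KMS auto-unseal for Vault on GKE via Workload Identity.
# Dry run by default (prints each command); APPLY=1 executes them.
set -eu

PROJECT="${PROJECT:-PROJECT-NAME}"      # placeholders taken from the issue
LOCATION="${LOCATION:-us-east4}"
KEYRING="${KEYRING:-vault-keyring}"
KEY="${KEY:-vault-key}"
GSA_NAME="${GSA_NAME:-vault-test}"
KSA_NS="${KSA_NS:-KUBE-NAMESPACE}"
KSA_NAME="${KSA_NAME:-KUBE-VAULT-SERVICE-ACCOUNT-NAME}"
ROLE_ID="${ROLE_ID:-vaultunseal}"
WORKLOAD="${WORKLOAD:-deploy/vault}"    # assumption: name of the Vault workload

# Exactly what the gcpckms seal needs on the key. cryptoKeys.get is checked when
# the seal config is parsed ("error checking key existence ... cloudkms.cryptoKeys.get
# denied"); useToEncrypt/useToDecrypt are used at init and unseal.
# roles/cloudkms.viewer + roles/cloudkms.cryptoKeyEncrypterDecrypter cover these
# three but also grant listing; roles/cloudkms.admin is documented as excluding
# encrypt/decrypt, so it covers only the get permission on its own.
REQUIRED_PERMS="cloudkms.cryptoKeys.get,cloudkms.cryptoKeyVersions.useToEncrypt,cloudkms.cryptoKeyVersions.useToDecrypt"

gsa_email() { printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"; }

# Workload Identity principal: serviceAccount:PROJECT.svc.id.goog[NAMESPACE/KSA]
wi_member() { printf 'serviceAccount:%s.svc.id.goog[%s/%s]' "$1" "$2" "$3"; }

run() { if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '+ %s\n' "$*"; fi; }

setup() {
  gsa="$(gsa_email "$GSA_NAME" "$PROJECT")"
  member="$(wi_member "$PROJECT" "$KSA_NS" "$KSA_NAME")"

  run gcloud iam service-accounts create "$GSA_NAME" --project="$PROJECT"
  run gcloud kms keyrings create "$KEYRING" --location="$LOCATION" --project="$PROJECT"
  run gcloud kms keys create "$KEY" --keyring="$KEYRING" --location="$LOCATION" \
      --purpose=encryption --project="$PROJECT"

  # Custom role carrying only the three permissions above.
  run gcloud iam roles create "$ROLE_ID" --project="$PROJECT" \
      --title="Vault auto-unseal" --permissions="$REQUIRED_PERMS"

  # Bind on the single crypto key rather than the whole key ring.
  run gcloud kms keys add-iam-policy-binding "$KEY" --keyring="$KEYRING" \
      --location="$LOCATION" --project="$PROJECT" \
      --member="serviceAccount:$gsa" --role="projects/$PROJECT/roles/$ROLE_ID"

  # Allow the Kubernetes SA to impersonate the GSA through Workload Identity.
  # The KSA itself is created and annotated by the chart from
  # server.serviceAccount.annotations (capital A) in values.yaml.
  run gcloud iam service-accounts add-iam-policy-binding "$gsa" --project="$PROJECT" \
      --role=roles/iam.workloadIdentityUser --member="$member"
}

# The chart ignores a lowercase "serviceaccount:" key, so the pod never gets the
# iam.gke.io/gcp-service-account annotation and runs without the GSA identity.
check_values() {
  if grep -qE '^[[:space:]]+serviceaccount:' "$1"; then
    echo "$1: 'serviceaccount' must be 'serviceAccount' (chart keys are case-sensitive)" >&2
    return 1
  fi
}

# From inside the pod the GKE metadata server must report the GSA email; anything
# else means the KSA->GSA mapping (annotation or IAM binding) is wrong.
verify() {
  run kubectl exec -n "$KSA_NS" "$WORKLOAD" -- sh -c \
    'wget -qO- --header "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email'
  run gcloud kms keys get-iam-policy "$KEY" --keyring="$KEYRING" \
      --location="$LOCATION" --project="$PROJECT"
}

if [ $# -ge 1 ]; then check_values "$1"; fi   # optional: path to values.yaml
setup
verify
```

Run it once without APPLY to review the commands, then with `APPLY=1 ./unseal-setup.sh values.yaml` to apply them and fail early if the values file still has the lowercase key. If the metadata server returns anything other than vault-test@PROJECT-NAME.iam.gserviceaccount.com, fix the annotation or the workloadIdentityUser binding before touching KMS permissions; the "cloudkms.cryptoKeys.get denied" error will otherwise be reported against the wrong identity.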
