I am using the GCP IAM auth method to authenticate against Vault. I followed the steps suggested in Vault GCP auth to authenticate using a Service Account.
I was able to successfully authenticate and login. But when I try to read the secrets from the specified path, it says permission denied.
$vi test-policy.hcl
path "secret/test/*" {
capabilities = ["read"]
}
I have the below roles assigned to my Service Account.
vault kv get secret/test/awskeys
Error reading secret/data/test/awskeys: Error making API request.
URL: GET http://127.0.0.1:8200/v1/secret/data/test/awskeys
Code: 403. Errors:
* 1 error occurred:
* permission denied
I have the same issue using the spring-cloud-vault application as well. Is there any role that I missed assigning to this Service Account, or am I setting the policy wrong?
Note: Vault Server is setup on AWS.
It was the policy setting. I updated it to the below and it worked! A specific path instead of *.
path "secret/data/test/awskeys" {
capabilities = ["read"]
}
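An added illustration of why the first policy got a 403 (this is not part of the question or the answer above, and not Vault's own code): on a KV version 2 mount the CLI rewrites "secret/test/awskeys" into the API path "secret/data/test/awskeys", which is exactly the path printed in the error line ("Error reading secret/data/test/awskeys"). A policy on "secret/test/*" therefore never matches; it would only have matched on a KV version 1 mount. The exact path in the answer works, and "secret/data/test/*" also works while covering the whole subtree. The Python below re-implements Vault's documented policy path rules in simplified form (exact match, a trailing "*" glob, and "+" as a single-segment wildcard; longest-prefix precedence and per-path parameters are omitted) and assumes the mount is named "secret" and is KV v2, as the error output suggests.

```python
"""Illustration of KV v2 path rewriting versus Vault policy globs.

Added example, not code from the question, from Vault or from
spring-cloud-vault. The matcher is a simplified re-implementation of
Vault's documented policy path rules for illustration only.
"""
import re

KV_VERSION_1 = 1
KV_VERSION_2 = 2


def kv_api_path(mount, secret_path, kv_version=KV_VERSION_2, op="data"):
    """Translate a `vault kv` CLI path into the API path the policy sees.

    On a KV v2 mount the CLI rewrites `secret/test/awskeys` to
    `secret/data/test/awskeys`; metadata, delete, undelete and destroy
    operations use their own prefix. KV v1 has no such prefix.
    """
    mount = mount.strip("/")
    secret_path = secret_path.strip("/")
    if kv_version == KV_VERSION_1:
        return f"{mount}/{secret_path}"
    if op not in ("data", "metadata", "delete", "undelete", "destroy"):
        raise ValueError(f"unknown KV v2 operation: {op}")
    return f"{mount}/{op}/{secret_path}"


def policy_path_matches(pattern, request_path):
    """Return True if a policy `path "..."` pattern covers request_path.

    Rules modelled: an exact path matches only itself; a trailing `*`
    matches any remaining characters (a prefix match); a `+` segment
    matches exactly one path segment.
    """
    glob = pattern.endswith("*")
    body = pattern[:-1] if glob else pattern
    parts = ["[^/]+" if seg == "+" else re.escape(seg) for seg in body.split("/")]
    regex = "^" + "/".join(parts) + (".*" if glob else "") + "$"
    return re.fullmatch(regex, request_path) is not None


def evaluate(policies, request_path, capability):
    """Return True if any rule in `policies` grants `capability` on the path."""
    return any(
        policy_path_matches(pattern, request_path) and capability in caps
        for pattern, caps in policies.items()
    )


# Constructed policies: the one from the question and two working variants.
ORIGINAL_POLICY = {"secret/test/*": ["read"]}                 # the 403 case
FIXED_EXACT = {"secret/data/test/awskeys": ["read"]}          # the answer's fix
FIXED_GLOB = {                                                # subtree variant
    "secret/data/test/*": ["read"],
    "secret/metadata/test/*": ["read", "list"],               # for `vault kv metadata get` / list
}

# What `vault kv get secret/test/awskeys` really requests on KV v2.
REQUEST = kv_api_path("secret", "test/awskeys")               # secret/data/test/awskeys


def demo():
    """Evaluate each policy against the real API paths the CLI generates."""
    other_key = kv_api_path("secret", "test/dbcreds")
    v1_request = kv_api_path("secret", "test/awskeys", kv_version=KV_VERSION_1)
    return {
        "original_v2": evaluate(ORIGINAL_POLICY, REQUEST, "read"),   # False -> 403
        "original_v1": evaluate(ORIGINAL_POLICY, v1_request, "read"),  # True on a v1 mount
        "exact": evaluate(FIXED_EXACT, REQUEST, "read"),              # True
        "exact_other_key": evaluate(FIXED_EXACT, other_key, "read"),  # False: only one key
        "glob": evaluate(FIXED_GLOB, REQUEST, "read"),                # True
        "glob_other_key": evaluate(FIXED_GLOB, other_key, "read"),    # True: whole subtree
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:16s} {'allowed' if allowed else 'permission denied'}")
```

Two checks worth running against a real server before editing policies: "vault secrets list -detailed" shows "version:2" in the options of a KV v2 mount, and "vault token capabilities secret/data/test/awskeys" reports what the current token can do on the API path itself, so a "deny" there with the original policy confirms the mismatch without touching the secret.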