Vault CSI provider in GCP


I'm trying to run Vault CSI provider but I'm getting the following error in my app pod:

MountVolume.SetUp failed for volume "secrets-store-inline" : rpc error: code = Unknown desc = failed to mount secrets store objects for pod vault/my-service-9b78df688-8xnql, err: rpc error: code = Unknown desc = error making mount request: failed to login: Error making API request. Namespace: vault URL: POST https://vault.craft-code.com/v1/auth/gcp/login Code: 400. Errors: * unable to get public key for signed JWT: unable to get public key "xxxxx" for JWT subject "system:serviceaccount:vault:service-web-app": googleapi: Error 400: Request contains an invalid argument.

According to the doc, before logging in to Vault, Google Cloud should issue a JWT credential to be able to log in to Vault. I'm using Terraform but I don't know how to do that. Could someone explain it?


Once the service account and key have been created, the private key can be used to generate the JWT token needed to log in to Vault.

To configure a Google Cloud service account to issue a JWT token before it can be used to log in to Vault, you need to complete the following steps:

  • Create a service account in the Google Cloud Platform.
  • Download the JSON key file associated with the service account.
  • Configure the Vault server to use the GCP auth backend and provide the JSON key file for the service account.
  • Configure the Google Cloud IAM roles for the service account in order to grant it access to the Vault server.
  • Get the JWT token from the service account and use it to authenticate with Vault.

Refer to this doc also
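The five steps above as they would be typed into a shell with the gcloud and vault CLIs, as an added example that is not part of the original answer. The project id, service-account name, Vault role, policy name and key-file path are placeholders; the only part that runs offline is the claims builder, which shows what Vault's GCP auth method (type `iam`) expects in the JWT: `aud` of `vault/<role>`, `sub` equal to the service-account email, and an `exp` no more than 15 minutes ahead (Vault's default `max_jwt_exp`).

```shell
#!/usr/bin/env sh
# Added example (not the original answer's code): the five steps as gcloud/vault
# CLI commands. All names below are placeholders.
set -eu

PROJECT_ID="${PROJECT_ID:-my-gcp-project}"   # placeholder project
SA_NAME="${SA_NAME:-vault-login}"            # placeholder service-account name
SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
VAULT_ROLE="${VAULT_ROLE:-web-app}"          # placeholder Vault role
VAULT_POLICY="${VAULT_POLICY:-web-app}"      # placeholder Vault policy
KEY_FILE="${KEY_FILE:-./sa-key.json}"        # where the downloaded JSON key lands

# Step 5 helper (pure shell, runs offline): the claims Vault's GCP "iam" login
# checks. aud must be "vault/<role>", sub the service-account email, and exp at
# most 15 minutes in the future (Vault rejects longer-lived JWTs by default).
build_vault_jwt_claims() {
  role="$1"; sa_email="$2"; now="${3:-$(date +%s)}"
  exp=$((now + 900))
  printf '{"aud":"vault/%s","sub":"%s","exp":%d}\n' "$role" "$sa_email" "$exp"
}

# Steps 1-2: create the service account and download its JSON key.
create_service_account_and_key() {
  gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT_ID"
  gcloud iam service-accounts keys create "$KEY_FILE" --iam-account="$SA_EMAIL"
}

# Step 3: enable the GCP auth backend in Vault, feed it the key file, and bind
# a role to this service account so only it can log in under that role.
configure_vault_gcp_auth() {
  vault auth enable gcp
  vault write auth/gcp/config credentials=@"$KEY_FILE"
  vault write "auth/gcp/role/$VAULT_ROLE" type="iam" policies="$VAULT_POLICY" \
    bound_service_accounts="$SA_EMAIL"
}

# Step 4: the identity performing the login needs permission to have Google
# sign JWTs as this service account (here the SA itself, via its own key).
grant_token_creator() {
  gcloud iam service-accounts add-iam-policy-binding "$SA_EMAIL" \
    --member="serviceAccount:$SA_EMAIL" \
    --role="roles/iam.serviceAccountTokenCreator"
}

# Step 5: have Google sign the claims, then present the signed JWT to Vault.
login_to_vault() {
  build_vault_jwt_claims "$VAULT_ROLE" "$SA_EMAIL" > claims.json
  gcloud iam service-accounts sign-jwt claims.json jwt.txt --iam-account="$SA_EMAIL"
  vault write auth/gcp/login role="$VAULT_ROLE" jwt="$(cat jwt.txt)"
}

# The cloud-side steps only run when asked for; sourcing the file just
# defines the helpers.
if [ "${RUN_STEPS:-0}" = "1" ]; then
  create_service_account_and_key
  configure_vault_gcp_auth
  grant_token_creator
  login_to_vault
fi
```

Run it with `RUN_STEPS=1` after `gcloud auth` and `VAULT_ADDR`/`VAULT_TOKEN` are set. The `sub` in the signed JWT is the Google service-account email, which is what `bound_service_accounts` on the Vault role is matched against; a token whose subject is something else will not pass the role's binding.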