I was using Vault in the following environment.
vault: https://github.com/hashicorp/vault-helm/releases/tag/v0.5.0
GKE: 1.15.11-gke.5
Backend: GCS
I use Workload Identity to access KMS and GCS from the vault server.
This was working well until yesterday (2020/05/11).
I updated the GKE version to 1.15.11-gke.12 yesterday, and suddenly vault doesn’t start.
Error Log:
2020-05-12T13:35:04.633Z [WARN] storage migration check error: error="failed to read value for "core/migration": Get https://storage.googleapis.com/xxxx-storage/core/migration: compute: Received 403 `
Unable to generate token; IAM returned 403 Forbidden: Request had insufficient authentication scopes.
This error could be caused by a missing IAM policy binding on the target IAM service account.
You can create the necessary policy binding with:
gcloud iam service-accounts add-iam-policy-binding \
--role=roles/iam.workloadIdentityUser \
--member="serviceAccount:xxxx.svc.id.goog[default/vault]" \
[email protected]
For more information, refer to the Workload Identity documentation:
https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
I tried reverting the version of GKE, creating a new GKE cluster and installing vault from helm again, but I can’t start it; I get the same error.
I tried adding full access to GCS to the ServiceAccount, but it didn’t work.
I thought it was a Workload Identity issue, so I started a POD with the same service account and tried to access GCS from gsutil, and this worked.
I am at a loss for the cause.
Do you have any possible problems?
I am using the same GKE version but it's failing with the error below after upgrading GKE from to 1.15.9-gke.24,
severity: "ERROR"
textPayload: "2020-05-29T06:40:06.523Z [WARN] storage migration check error: error="failed to read value for "core/migration": googleapi: got HTTP response code 403 with body: <?xml version='1.0' encoding='UTF-8'?>AccessDenied
Access denied.
Primary: /namespaces/project.svc.id.goog with additional claims does not have storage.objects.get access to the Google Cloud Storage object. "