Updating GCP Dynamic Secrets Backend

[tdgeery]

With Vault Release v.1.8.x

The deprecations for the gcp/<key/token>/<role> will change to: gcp/roleset/<role>/<key/token>

With Deprecations

I've noticed on the HVAC docs that there's no way to override which pathway to use:

:param method: Supported methods:
            POST: /{mount_point}/key/{roleset}. Produces: 200 application/json
            GET: /{mount_point}/key/{roleset}. Produces: 200 application/json

[tdgeery]

Also, with the release of static-accounts need to add way to read secrets from pathway

vault read gcp/static-account/{roleset}/token

For now I've used a workaround:

token_response = client.secrets.kv.v1.read_secret(
    path=f'static-account/{vault_token_roleset}/token',
    mount_point='gcp',
)

[JKCai]

I would also keen to see this update.

On the other hand, while trying the workaround, it works running it for static account, but it doesn't work running it for roleset. Have you facing this issue too? @tdgeery
Thanks in advance.

key_response = client.secrets.kv.v1.read_secret(
    path=f'roleset/{vault_roleset}/key',
    mount_point='gcp',
)

[tdgeery]

@JKCai this worked for me:

key_response = client.secrets.kv.v1.read_secret(
    path=f'roleset/{gcp_roleset}/key',
    mount_point='gcp',
)

that looks the same, but there might be something wrong with your Policy permissions for gcp/roleset

[JKCai]

Thanks for getting back to me. Good to know the code is alright and pointing me to the direction. @tdgeery