Issue Summary
When using HashiCorp Vault’s GCP Secrets Engine with a GCP Roleset, roleset creation may fail with the following error:
Error writing data to mount-name/roleset/role-name: context deadline exceeded
This typically occurs when Vault attempts to apply IAM bindings as part of the roleset creation workflow, but encounters insufficient or invalid permissions on the target GCP resource (project, folder, or organization).
In this specific case, the error is caused by assigning an unsupported App Engine IAM role (roles/appengine.admin) to a folder-level resource, which is not allowed by Google Cloud IAM.
Observed CLI error snippet and corresponding audit log:
{"forwarded_from":"vault-dev.gcp.ad.idemo-ppc.com","request":{"client_id":"0DHqvq2D77kL2/JTPSZkTMJbkFVmUu0TzMi0jiXcFy8=","client_token":"hvs.l1N3BLASqFEuunT42WSHmgrp","client_token_accessor":"gnIEjASyFFlj4YmTAO34Epvt","data":{"bindings":" resource \"//cloudresourcemanager.googleapis.com/projects/cs-ppcgcp100-prj-ppc-terraform\" {\n roles = [\"roles/appengine.admin\"]\n }\n","project":"cs-ppcgcp100-prj-ppc-terraform","secret_type":"access_token","token_scopes":"https://www.googleapis.com/auth/cloud-platform"},"headers":{"user-agent":["Go-http-client/2.0"]},"id":"06868715-870f-d186-ec07-a26c7e1d8407","mount_accessor":"gcp_f423ddce","mount_class":"secret","mount_point":"cs-PCS-GCP-Onestop/gcp/","mount_running_version":"v0.22.1+builtin","mount_type":"gcp","namespace":{"id":"ivxi5","path":"cs-PCS-GCP-Onestop/"},"operation":"create","path":"gcp/roleset/appengine","remote_address":"10.224.121.11","remote_port":48592,"replication_cluster":"9c68c94b-cac8-e644-458c-14571b34ebac"},"response":{"data":{"error":"error getting service account and creating IAM bindings after creation: retry failed: unable to get policy: Post \"https://cloudresourcemanager.googleapis.com/v3/projects/cs-ppcgcp100-prj-ppc-terraform:getIamPolicy\": context canceled"},"mount_accessor":"gcp_f423ddce","mount_class":"secret","mount_point":"cs-PCS-GCP-Onestop/gcp/","mount_running_plugin_version":"v0.22.1+builtin","mount_type":"gcp"},"time":"2025-10-17T13:49:02.17187998Z","type":"response"}
{"data":{"error":"error getting service account and creating IAM bindings after creation: retry failed: unable to set IAM policy for resource \"//cloudresourcemanager.googleapis.com/folders/754262219188\": unable to set policy: googleapi: Error 400: Role roles/appengine.admin is not supported for this resource."}
What This Means
Vault attempts to set IAM policy bindings on the target folder.
Google Cloud returns a 400 Bad Request because the role roles/appengine.admin is not valid at the folder level.
Vault keeps retrying but can never apply the IAM binding, so the workflow eventually times out and surfaces to the client as context deadline exceeded.
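The generic timeout hides the real reason, which only appears in the audit log's response error. The following added example (not part of this article or of Vault) reads audit log entries as JSON lines, keeps only GCP roleset responses, and pulls out the googleapi status and message when one is present. The two sample entries are constructed to mirror the shape of the entries above, with placeholder project and folder identifiers.

```python
"""Extract the underlying GCP failure from Vault audit log entries.

Added example, not part of the original article or of Vault itself.
Sample entries are constructed with placeholder identifiers.
"""
import json
import re

# Constructed sample entries: the first carries only the cancelled request that
# the CLI reports as "context deadline exceeded"; the second carries the
# googleapi 400 that names the actual problem.
SAMPLE_AUDIT_LINES = [
    json.dumps({
        "type": "response",
        "request": {"operation": "create", "path": "gcp/roleset/appengine",
                    "mount_type": "gcp"},
        "response": {"data": {"error": (
            "error getting service account and creating IAM bindings after creation: "
            "retry failed: unable to get policy: Post "
            "\"https://cloudresourcemanager.googleapis.com/v3/projects/PROJECT_PLACEHOLDER:getIamPolicy\": "
            "context canceled")}},
        "time": "2025-10-17T13:49:02Z",
    }),
    json.dumps({
        "type": "response",
        "request": {"operation": "create", "path": "gcp/roleset/appengine",
                    "mount_type": "gcp"},
        "response": {"data": {"error": (
            "error getting service account and creating IAM bindings after creation: "
            "retry failed: unable to set IAM policy for resource "
            "\"//cloudresourcemanager.googleapis.com/folders/FOLDER_ID_PLACEHOLDER\": "
            "unable to set policy: googleapi: Error 400: "
            "Role roles/appengine.admin is not supported for this resource.")}},
        "time": "2025-10-17T13:49:05Z",
    }),
]

# googleapi errors are embedded as "googleapi: Error <status>: <message>".
GOOGLEAPI_RE = re.compile(r"googleapi: Error (\d{3}): (.+)$")
# The resource Vault was trying to bind on, when the error names it.
RESOURCE_RE = re.compile(r'resource "(//[^"]+)"')


def triage(lines):
    """Return one finding per failed GCP roleset response.

    Each finding records the roleset path, the resource (if named), and the
    googleapi status/message; when Vault only saw a timeout, status is None
    and reason records the bare cancellation so the reader knows to look for
    a later entry with the concrete error.
    """
    findings = []
    for line in lines:
        entry = json.loads(line)
        if entry.get("type") != "response":
            continue
        req = entry.get("request", {})
        if req.get("mount_type") != "gcp" or "/roleset/" not in req.get("path", ""):
            continue
        err = entry.get("response", {}).get("data", {}).get("error")
        if not err:
            continue
        api = GOOGLEAPI_RE.search(err)
        res = RESOURCE_RE.search(err)
        findings.append({
            "time": entry.get("time"),
            "path": req["path"],
            "resource": res.group(1) if res else None,
            "status": int(api.group(1)) if api else None,
            "reason": api.group(2) if api else "timeout only: " + err.rsplit(":", 1)[-1].strip(),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_AUDIT_LINES):
        print(finding)
```

Run it over real audit output with `triage(open("audit.log").read().splitlines())`; a finding with a numeric status is the entry worth acting on, while a timeout-only finding means the concrete error is in a neighbouring entry.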
Root Cause
The IAM binding defined in the Vault roleset contains roles/appengine.admin, which is not supported for folder-scoped IAM bindings.
Certain GCP roles are only valid at the project level, and App Engine roles fall under this restriction. Other roles carry similar restrictions at the project, folder, or organisation level and produce the same failure.
Additional Notes
The error “context deadline exceeded” is Vault’s generic timeout, but the underlying reason is revealed in the audit logs.
Always validate IAM bindings against the correct scope to ensure compatibility, especially when Vault rolesets target folders or organizations.
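A pre-flight check catches this before the roleset is written and Vault starts its retry loop. The following added example (not part of this article or of Vault) parses the roleset `bindings` HCL block shown in the audit log above, derives the scope of each resource from its path, and flags roles that this article identifies as project-only when they are bound on a folder or organization. The project-only role list is an assumption seeded from the page (only the App Engine family) and is meant to be extended; the sample bindings and identifiers are constructed.

```python
"""Validate Vault GCP roleset bindings against their resource scope.

Added example, not part of the original article or of Vault itself.
The project-only role list and the sample bindings are constructed.
"""
import re

# Assumption derived from the article: App Engine roles are project-only.
# Extend this tuple with other role families known to be rejected at
# folder/organization scope in your environment.
PROJECT_ONLY_ROLE_PREFIXES = ("roles/appengine.",)

# Constructed sample in the same HCL shape Vault accepts for `bindings`.
SAMPLE_BINDINGS = '''
resource "//cloudresourcemanager.googleapis.com/projects/PROJECT_PLACEHOLDER" {
  roles = ["roles/appengine.admin", "roles/viewer"]
}
resource "//cloudresourcemanager.googleapis.com/folders/FOLDER_ID_PLACEHOLDER" {
  roles = ["roles/appengine.admin"]
}
'''

RESOURCE_BLOCK_RE = re.compile(r'resource\s+"([^"]+)"\s*\{(.*?)\}', re.DOTALL)
ROLES_RE = re.compile(r'roles\s*=\s*\[(.*?)\]', re.DOTALL)
QUOTED_RE = re.compile(r'"([^"]+)"')


def parse_bindings(hcl):
    """Map each resource name to the list of roles requested on it."""
    bindings = {}
    for resource, body in RESOURCE_BLOCK_RE.findall(hcl):
        match = ROLES_RE.search(body)
        bindings[resource] = QUOTED_RE.findall(match.group(1)) if match else []
    return bindings


def resource_scope(resource):
    """Classify a full resource name as project, folder, organization, or other."""
    for kind in ("projects", "folders", "organizations"):
        if f"/{kind}/" in resource:
            return kind[:-1]
    return "other"


def find_unsupported_bindings(hcl):
    """Return (resource, role, scope) triples that GCP IAM will reject."""
    problems = []
    for resource, roles in parse_bindings(hcl).items():
        scope = resource_scope(resource)
        if scope not in ("folder", "organization"):
            continue
        for role in roles:
            if role.startswith(PROJECT_ONLY_ROLE_PREFIXES):
                problems.append((resource, role, scope))
    return problems


if __name__ == "__main__":
    for resource, role, scope in find_unsupported_bindings(SAMPLE_BINDINGS):
        print(f"{role} cannot be bound at {scope} scope on {resource}")
```

Running the check on the bindings file before `vault write .../roleset/<name> bindings=@bindings.hcl` turns a slow `context deadline exceeded` into an immediate, explicit rejection.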