VYPR
Unrated severity · NVD Advisory · Published Apr 22, 2021 · Updated Aug 3, 2024

CVE-2021-30476

Description

HashiCorp Terraform’s Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Vault’s GCP auth method. Fixed in 2.19.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"The vault_gcp_auth_backend_role resource does not apply bound_labels to the Vault GCP auth method role configuration."

Attack vector

An attacker with access to a GCE VM that can authenticate to Vault via the GCP auth method can obtain a Vault token even when the Terraform configuration specifies `bound_labels` that should restrict which VMs are allowed [ref_id=1]. Because the provider silently fails to write the `bound_labels` to Vault, any GCE VM in the project can authenticate against the role, bypassing the intended label-based access control [ref_id=1]. The attacker does not need to modify Terraform state or configuration; they simply authenticate from a VM that lacks the required label, and Vault accepts the login because no label constraint was ever applied [ref_id=1].

Affected code

The vulnerability is in the `vault_gcp_auth_backend_role` resource of the HashiCorp Terraform Vault Provider (terraform-provider-vault). The resource does not apply the `bound_labels` configuration to the Vault GCP auth method role when `type` is set to `"gce"` [ref_id=1].

What the fix does

The advisory does not include a patch diff, but the fix was released in terraform-provider-vault version 2.19.1 [ref_id=1]. The remediation ensures that when a `vault_gcp_auth_backend_role` resource is created with `type = "gce"`, the `bound_labels` parameter is correctly written to Vault's GCP auth backend role configuration. Users must upgrade to version 2.19.1 or later and re-apply their Terraform configuration to ensure `bound_labels` are enforced.

Preconditions

  • config: The Vault provider must be configured with a GCP auth backend and a `vault_gcp_auth_backend_role` resource of type `"gce"` that specifies `bound_labels`
  • auth: An attacker must have access to a GCE VM that can authenticate to Vault via the GCP auth method
  • network: The attacker's VM must be in the same GCP project as the Vault auth backend role

Reproduction

1. Start a dev Vault instance: `vault server -dev -dev-root-token-id=root`
2. Create a Terraform configuration with a `vault_gcp_auth_backend_role` resource of type `"gce"` and `bound_labels = ["role:test"]`
3. Run `terraform init && terraform apply`
4. Verify the role configuration: `vault read auth/gcp/role/test-role` and note that `bound_labels` is missing from the output
5. Authenticate from a GCE VM that does not have the label `role:test`: authentication succeeds despite the Terraform configuration specifying the label constraint [ref_id=1]
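A post-apply verification check for step 4, added here as an example and not code from the advisory or from the provider: it parses the output of `vault read -format=json auth/gcp/role/<name>` and reports which of the Terraform-declared `bound_labels` Vault actually stores, so a role written by an affected provider version fails the check. The two JSON samples are constructed for this example; their field names follow Vault's GCP auth role read response.

```python
import json
import sys

# Constructed samples of `vault read -format=json auth/gcp/role/test-role`.
# The first mimics a role written by an affected provider (labels never applied),
# the second a role written after the fix (labels present).
VULNERABLE_ROLE = json.dumps({"data": {
    "type": "gce", "bound_projects": ["example-project"],
    "bound_labels": [], "token_policies": ["default"]}})
FIXED_ROLE = json.dumps({"data": {
    "type": "gce", "bound_projects": ["example-project"],
    "bound_labels": ["role:test"], "token_policies": ["default"]}})


def parse_labels(labels):
    """Normalise label specs ('key:value' strings, or one comma-separated
    string) into a set of (key, value) tuples for comparison."""
    if isinstance(labels, str):
        labels = [item for item in labels.split(",") if item]
    pairs = set()
    for item in labels:
        key, _, value = item.strip().partition(":")
        pairs.add((key, value))
    return pairs


def check_role(raw_json, expected_labels):
    """Compare the labels Vault stores for a role with the labels the Terraform
    configuration declared. 'enforced' is True only when the role is gce-type,
    at least one label was expected, and none of them is missing in Vault."""
    data = json.loads(raw_json).get("data") or {}
    stored = parse_labels(data.get("bound_labels") or [])
    expected = parse_labels(expected_labels)
    missing = sorted(expected - stored)
    return {
        "type": data.get("type"),
        "stored": sorted(f"{k}:{v}" for k, v in stored),
        "missing": [f"{k}:{v}" for k, v in missing],
        "enforced": data.get("type") == "gce" and bool(expected) and not missing,
    }


if __name__ == "__main__":
    # Usage: vault read -format=json auth/gcp/role/test-role | python check.py role:test
    result = check_role(sys.stdin.read(), sys.argv[1:])
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["enforced"] else 1)
```

Run it against every `gce` role after upgrading to 2.19.1 and re-applying; a non-zero exit means the role still admits VMs regardless of label.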

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
