Environment permission issue with serviceProjectNetworkAdmin role. #2795

Stepanenko-Alexey · 2025-01-02T19:12:11Z

Stepanenko-Alexey
Jan 2, 2025

Hey guys,
There is a an issue with serviceProjectNetworkAdmin based on environment tag.

1-resman:
Project factory - disabled
data/Stage-3/config.yaml:

short_name: abcd
environment: dev
folder_config:
  name: dev
  parent_id: parent_folder
stage2_iam:
  networking:
    iam_admin_delegated: true
    sa_roles:
      rw: 
        - service_project_network_admin

With this config, stage 3 resman service account gets serviceProjectNetworkAdmin on networking folder with environment condition. In this case on development net-spoke project with development tag.

Now the issue is when SA (created by stage 3) is trying to attach service project to host net-spoke project it gets error:
Error 403: Required 'compute.organizations.disableXpnResource' permission for 'projects/abc-abcd-dev-net-spoke-0'

The issue doesn't exist with project factory because, PF service account get this permission without condition.

The workaround i did is disable iam binding with condition in case of serviceProjectNetworkAdmin.

1-resman>stage-2-networking.tf>module.net-folder

# stage 3 roles
    {
      for k, v in local.net_s3_iam : k => {
        role    = lookup(var.custom_roles, split(":", k)[0], split(":", k)[0])
        members = v
        condition = {
          title      = "stage 3 ${split(":", k)[1]}"
          expression = <<-END
            resource.matchTag(
              '${local.tag_root}/${var.tag_names.environment}',
              '${split(":", k)[1]}'
            )
          END
        }
      } if !can(regex("roles/serviceProjectNetworkAdmin:.*$", k)) <<<<<<<<<<
    },
    {
      for k, v in local.net_s3_iam : k => {
        role    = lookup(var.custom_roles, split(":", k)[0], split(":", k)[0])
        members = v
      } if can(regex("roles/serviceProjectNetworkAdmin:.*$", k)) <<<<<<<<<
    },

So now SA gets permission on all spokes without environment separation.
Seems that the issue is XPN permission that can be granted only on Org or Folder level.

Probably the solution is to place net-spoke projects under environment folders and grant serviceProjectNetworkAdmin on folder without condition.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Environment permission issue with serviceProjectNetworkAdmin role. #2795

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 0 comments

Select a reply

Environment permission issue with serviceProjectNetworkAdmin role. #2795

Stepanenko-Alexey Jan 2, 2025

Replies: 0 comments

Stepanenko-Alexey
Jan 2, 2025