Minimum permissions #96

Open
antoinecastex opened this issue Oct 21, 2020 · 5 comments
Assignees
Labels
enhancement New feature or request

Comments

@antoinecastex

Hello Team DoIt!

Hope you are doing well?

Here we are deploying Zorya globally to manage the VMs and also the Cloud SQL instances & GKE clusters, that's nice!

We just have a question regarding permissions for these 3 products.

What are the minimum permissions (which can be created under a custom role) for that? Because, for example, Compute Instance Admin v1 seems to be big just for starting and stopping VMs?

Thanks a lot

@eranchetz eranchetz self-assigned this Oct 22, 2020
@eranchetz eranchetz added the enhancement New feature or request label Oct 22, 2020
@eranchetz
Contributor

Hey @antoinecastex, we definitely agree that "least privilege" is a concept we should implement. We'll start working on this shortly; I'll keep this updated with our progress.

@eranchetz
Contributor

eranchetz commented Nov 9, 2020

Hey @antoinecastex, thanks for the patience, it took us longer than expected 😅

First, a warning:
You can of course only use the default App Engine service account (@appspot.gserviceaccount.com), so you will need to take into consideration that, if other App Engine applications are deployed in this project, it will affect them as well.

This is what we did:

  1. Created a custom role named "zorya" with the following permissions:
     clouddebugger.debuggees.create
     cloudsql.instances.list
     cloudsql.instances.get
     cloudsql.instances.update
     cloudtasks.tasks.create
     compute.instanceGroups.get
     compute.instances.list
     compute.instances.start
     compute.instances.stop
     compute.zones.list
     container.clusters.list
     logging.logEntries.create
  2. Attached the above custom role to @appspot.gserviceaccount.com
  3. Also attached the role Cloud Datastore User
  4. Removed the default compute admin API
  5. Wait...
  6. Check if Zorya is behaving as usual (worth checking the logs to see if there are any issues with permissions)

That's it. We would like to document this in our main README, but it would be super helpful if you could test it in your test environment first and let us know whether you encounter any issues before we do.

Please let me know if my above instructions are clear enough as well 😄

Awaiting your reply

@antoinecastex
Author

It's done and that works very well.

thanks @eranchetz

@eranchetz
Contributor

Hey @antoinecastex, I don't know if you are using Zorya for Cloud SQL, but it seems we were missing one permission:
cloudsql.instances.get

I have also added it above and I will document it later on.

@antoinecastex
Author

@eranchetz I'm not using it for Cloud SQL for now, but thanks for the information.
