
Read-only bootstrap SA lacks logging.settings.get permissions #2176

Closed
andres-cloudpunk opened this issue Mar 26, 2024 · 2 comments · Fixed by #2178

@andres-cloudpunk

Describe the bug
When setting up CI/CD on GitHub Actions, the plan is run by a read-only service account through impersonation, usually a SA named like XXXX-prod-bootstrap-0r@XXXX-prod-iac-core-0.iam.gserviceaccount.com, while the apply is run by a more powerful service account, XXXX-prod-bootstrap-0@XXXX-prod-iac-core-0.iam.gserviceaccount.com.

When running the fast-pr job, you get the following error:

Error: Error when reading or editing LoggingOrganizationSettings "organizations/123456789012/settings": googleapi: Error 403: Permission 'logging.settings.get' denied on resource (or it may not exist).
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "domain": "iam.googleapis.com",
    "metadata": {
      "permission": "logging.settings.get"
    },
    "reason": "IAM_PERMISSION_DENIED"
  }
]

  with module.organization-logging.google_logging_organization_settings.default[0],
  on .terraform/modules/organization-logging/organization/logging.tf line 37, in resource "google_logging_organization_settings" "default":
  37: resource "google_logging_organization_settings" "default" {

After some debugging, we noticed that the apply SA has the Logging Admin role, which includes the logging.settings.get permission, while the plan SA has the Logs Viewer role, which lacks said permission.

Giving a Logging Admin permission to a read-only SA makes no sense, so perhaps we should add logging.settings.get to the organizationAdminViewer custom role?

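The fix proposed above, written out as an added Terraform example (not code from this issue or from the Fabric repository): a custom organization-level viewer role that carries logging.settings.get, bound to the plan-only service account. The organization id is the one from the error message; the role id, title, description, the second permission and the SA name are assumptions.

```hcl
# Added example, not Fabric's own code. Read-only custom role for the SA that
# runs terraform plan; it only needs get/list permissions, never admin ones.
resource "google_organization_iam_custom_role" "org_admin_viewer" {
  org_id      = "123456789012"            # organization id from the error above
  role_id     = "organizationAdminViewer" # assumed role id, taken from the issue text
  title       = "Organization Admin Viewer"
  description = "Read-only permissions for the plan-only CI service account"
  permissions = [
    "logging.settings.get",               # lets plan refresh google_logging_organization_settings
    "resourcemanager.organizations.get",  # assumed: read the organization resource itself
  ]
}

# Bind the read-only bootstrap SA (name assumed, following the issue's pattern)
# to the custom role at organization level. No Logging Admin grant is needed.
resource "google_organization_iam_member" "plan_sa_viewer" {
  org_id = "123456789012"
  role   = google_organization_iam_custom_role.org_admin_viewer.id
  member = "serviceAccount:XXXX-prod-bootstrap-0r@XXXX-prod-iac-core-0.iam.gserviceaccount.com"
}
```

After applying, re-running the plan job under the 0r account should no longer hit the 403 on organizations/123456789012/settings, while the apply account keeps its separate, broader role.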
ludoo (Collaborator) commented Mar 26, 2024

Good catch and great suggestion. I wonder why this did not cause errors when we tested the move to split service accounts. If you prefer to send a PR go ahead, otherwise we'll make one ASAP. Thanks again for this!

ludoo (Collaborator) commented Mar 27, 2024

Ahhh yes, this is a consequence of #2139. Sending a PR to fix it.
