Add documentation about JIT-ed service accounts #1149

Merged
33 changes: 33 additions & 0 deletions modules/project/README.md
Expand Up @@ -138,6 +138,39 @@ module "project" {
# tftest modules=1 resources=2
```

### Service identities requiring manual IAM grants

The module will create service identities at project creation instead of creating of them at the time of first use. This allows granting these service identities roles in other projects, something which is usually necessary in a Shared VPC context.

You can grant roles to service identities using the following construct:

```hcl
module "project" {
source = "./fabric/modules/project"
name = "project-example"
iam = {
"roles/apigee.serviceAgent" = [
"serviceAccount:${module.project.service_accounts.robots.apigee}"
]
}
}
# tftest modules=1 resources=2
```

This table lists all affected services and roles that you need to grant to service identities

| service | service identity | role |
|---|---|---|
| apigee.googleapis.com | apigee | roles/apigee.serviceAgent |
| artifactregistry.googleapis.com | artifactregistry | roles/artifactregistry.serviceAgent |
| cloudasset.googleapis.com | cloudasset | roles/cloudasset.serviceAgent |
| cloudbuild.googleapis.com | cloudbuild | roles/cloudbuild.builds.builder |
| gkehub.googleapis.com | fleet | roles/gkehub.serviceAgent |
| multiclusteringress.googleapis.com | multicluster-ingress | roles/multiclusteringress.serviceAgent |
| pubsub.googleapis.com | pubsub | roles/pubsub.serviceAgent |
| sqladmin.googleapis.com | sqladmin | roles/cloudsql.serviceAgent |


## Shared VPC

The module allows managing Shared VPC status for both hosts and service projects, and includes a simple way of assigning Shared VPC roles to service identities.
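Review bot: the cloudbuild row of the new table is the odd one out and needs confirming: every other row grants a `*.serviceAgent` role, while cloudbuild gets `roles/cloudbuild.builds.builder`, which is the role normally held by the Cloud Build default service account rather than by the Cloud Build service agent; please confirm which identity `service_accounts.robots.cloudbuild` resolves to and that this is the role it would otherwise have received automatically. The first paragraph also has a grammar slip and understates the scope: "instead of creating of them" should read "instead of creating them", and identities are only pre-created for the services enumerated in `service_accounts_jit_services` in service-accounts.tf, so "for the services listed below" would be more accurate than implying every service identity. Finally, the sentence introducing the table is missing its full stop, and the sqladmin row presents `roles/cloudsql.serviceAgent` as settled while the matching entry in service-accounts.tf still carries `(TODO: verify)`; either resolve the TODO or mark the row accordingly so the two lists do not drift.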
21 changes: 12 additions & 9 deletions modules/project/service-accounts.tf
Expand Up @@ -70,16 +70,19 @@ locals {
gke-mcs-importer = "${local.project.project_id}.svc.id.goog[gke-mcs/gke-mcs-importer]"
}
)
# JIT-ed service accounts are created without default roles granted, these needs to be assigned manually to them
# Roles can be found here: https://cloud.google.com/iam/docs/service-agents
# Remember to update "Service identities requiring manual IAM grants" in README.md when updating this list
service_accounts_jit_services = [
"apigee.googleapis.com",
"artifactregistry.googleapis.com",
"cloudasset.googleapis.com",
"gkehub.googleapis.com",
"multiclusteringress.googleapis.com",
"pubsub.googleapis.com",
"secretmanager.googleapis.com",
"sqladmin.googleapis.com",
"cloudbuild.googleapis.com",
"apigee.googleapis.com", # grant roles/apigee.serviceAgent to apigee
"artifactregistry.googleapis.com", # grant roles/artifactregistry.serviceAgent to artifactregistry
"cloudasset.googleapis.com", # grant roles/cloudasset.serviceAgent to cloudasset
"cloudbuild.googleapis.com", # grant roles/cloudbuild.builds.builder to cloudbuild
"gkehub.googleapis.com", # grant roles/gkehub.serviceAgent to fleet
"multiclusteringress.googleapis.com", # grant roles/multiclusteringress.serviceAgent to multicluster-ingress
"pubsub.googleapis.com", # grant roles/pubsub.serviceAgent to pubsub
"secretmanager.googleapis.com", # no grants needed
"sqladmin.googleapis.com", # grant roles/cloudsql.serviceAgent to sqladmin (TODO: verify)
]
service_accounts_cmek_service_keys = distinct(flatten([
for s in keys(var.service_encryption_key_ids) : [
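Review bot: the `sqladmin.googleapis.com` entry still carries `(TODO: verify)` while the README table added in the same change states `roles/cloudsql.serviceAgent` as fact; resolve the TODO before merge or mirror the caveat in the README. The per-entry comments now duplicate the README table, so the existing reminder ("Remember to update ... README.md") is the only thing keeping the two in sync; consider making one of them the single source of truth and pointing the other at it. `secretmanager.googleapis.com` is annotated "no grants needed" but stays in the JIT list, which is fine if the intent is only to force early identity creation; a few words in that comment saying so (and that this is why the README table deliberately omits it) would save the next reader the question.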