
Find a REST api to return the supported resource types can be used in IAMPolicy's resourceRef #587

Open
patrickchense opened this issue Jan 11, 2022 · 5 comments
Labels: question (Further information is requested)

Comments

@patrickchense

Hi, I know a group of supported resource types that can be used in IAMPolicy's spec.resourceRef field is listed in the documentation. Since Config Connector doesn't provide a dry-run check for the resourceRef, we want to add a check ourselves.
But I cannot find a REST API that returns the list anywhere, so I have to hard-code the whole list and carry the maintenance burden if KCC updates it.
So my question is: is there a REST API somewhere I can use?

Thanks

@patrickchense patrickchense added the question Further information is requested label Jan 11, 2022
@diviner524 diviner524 changed the title Fina a REST api to return the supported resource types can be used in IAMPolicy's resourceRef Find a REST api to return the supported resource types can be used in IAMPolicy's resourceRef Jan 11, 2022
@diviner524
Collaborator

Hi @patrickchense, unfortunately there is no REST API which returns this list of IAM-supported resource types in Config Connector. This list is due to a limitation of Config Connector, not of GCP IAM Policy.

At the same time, we are actively working on supporting IAM policy for more resources. If the lack of IAM support for a certain resource is a blocker to you, please share more details on the resources, so I can bring this to attention internally and expedite the process.

@diviner524
Collaborator

Hi @patrickchense, also, if possible, could you please share more context on the check you are trying to add so we might be able to better help you? Are you trying to create custom rules using tools like config-lint before applying YAML files?

Additionally, please note that Config Connector does have a webhook which will error out and reject unsupported resource types if they are found in the resourceRef of an IAM Policy. But I assume that does not meet your requirement and you expect the check/failure to happen earlier?

@patrickchense
Author

patrickchense commented Jan 20, 2022

Hi @diviner524, thanks for the explanation; we do want the check to happen earlier.
The current kpt preview doesn't validate IAM resources. For example, it cannot check if the resourceRef and role match, and it cannot check if the resourceRef is supported by IAM or not. Errors like the one below are only caught during kpt live apply.

kpt live apply: IAMPartialPolicy/build-agent-cs-analytics-bq-runner-iam-partial-policy-wfs InProgress Update call failed: error setting policy: error applying changes: summary: Error setting IAM policy for service account 'projects/cs-analyti/serviceAccounts/[email protected]': googleapi: Error 400: Role roles/bigquery.jobUser is not supported for this resource., badRequest, detail:

This inconsistency between preview and apply causes our users a lot of pain, so we're trying to add some validation piece by piece, starting from checking if the resourceRef is in-scope.

So my follow-up questions are: does the KCC team have plans to improve this, and if we want to add those checks ourselves, is there a better way than hard-coding all the supported resource types and roles in our logic?
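The pre-apply check described in this comment (resourceRef kind in the supported set, and role plausible for that kind) can be prototyped as a small validator run over the parsed manifests before kpt live apply. The following is an added example written for this page; it is not code from the issue participants or from the Config Connector project. The SUPPORTED_RESOURCE_KINDS set and the ROLE_PREFIX_BY_KIND heuristic are constructed placeholders that stand in for the list maintained from the Config Connector documentation, and the sample manifests are constructed too.

```python
"""Pre-apply validator for Config Connector IAM manifests (added example).

Flags, before `kpt live apply`, the two misconfigurations discussed above:
  1. spec.resourceRef.kind is not in the operator-maintained supported set, and
  2. a binding's role does not look valid for that resource kind (the
     "Role ... is not supported for this resource" error seen at apply time).
"""
from dataclasses import dataclass

# Kinds whose spec.resourceRef is checked.
IAM_KINDS = {"IAMPolicy", "IAMPartialPolicy", "IAMPolicyMember"}

# CONSTRUCTED placeholder: the real set must be maintained from the KCC docs.
SUPPORTED_RESOURCE_KINDS = {
    "Project", "Folder", "PubSubTopic", "BigQueryDataset",
    "IAMServiceAccount", "StorageBucket",
}

# CONSTRUCTED heuristic: role prefixes accepted per resource kind. Kinds not
# listed (for example Project/Folder) accept any role.
ROLE_PREFIX_BY_KIND = {
    "IAMServiceAccount": ("roles/iam.",),
    "BigQueryDataset": ("roles/bigquery.",),
    "PubSubTopic": ("roles/pubsub.",),
    "StorageBucket": ("roles/storage.",),
}


@dataclass
class Finding:
    manifest: str   # "<kind>/<name>" of the offending manifest
    message: str


def _roles(spec):
    """IAMPolicy/IAMPartialPolicy carry spec.bindings[*].role; IAMPolicyMember a single spec.role."""
    if "role" in spec:
        return [spec["role"]]
    return [b.get("role") for b in spec.get("bindings", [])]


def validate_manifest(doc, supported=SUPPORTED_RESOURCE_KINDS, role_prefixes=ROLE_PREFIX_BY_KIND):
    """Return a list of Findings for one parsed manifest (empty if it passes or is not an IAM kind)."""
    findings = []
    kind = doc.get("kind")
    if kind not in IAM_KINDS:
        return findings
    name = f"{kind}/{doc.get('metadata', {}).get('name', '<unnamed>')}"
    spec = doc.get("spec") or {}
    ref_kind = (spec.get("resourceRef") or {}).get("kind")
    if not ref_kind:
        findings.append(Finding(name, "spec.resourceRef.kind is missing"))
        return findings
    if ref_kind not in supported:
        findings.append(Finding(name, f"resourceRef.kind {ref_kind!r} is not in the supported list"))
        return findings  # role checks are meaningless for an unknown kind
    prefixes = role_prefixes.get(ref_kind)
    for role in _roles(spec):
        if not role:
            findings.append(Finding(name, "binding without a role"))
        elif prefixes and not role.startswith(prefixes):
            findings.append(Finding(name, f"role {role!r} is not supported for {ref_kind}"))
    return findings


def validate_all(docs):
    """Validate every manifest in a package (e.g. the output of yaml.safe_load_all)."""
    out = []
    for doc in docs:
        out.extend(validate_manifest(doc))
    return out


# Constructed sample manifests, already parsed into dicts.
SAMPLE_DOCS = [
    {"apiVersion": "iam.cnrm.cloud.google.com/v1beta1", "kind": "IAMPartialPolicy",
     "metadata": {"name": "bq-runner-iam-partial-policy"},
     "spec": {"resourceRef": {"kind": "IAMServiceAccount", "name": "bq-runner"},
              "bindings": [{"role": "roles/bigquery.jobUser",
                            "members": [{"member": "user:[email protected]"}]}]}},
    {"apiVersion": "iam.cnrm.cloud.google.com/v1beta1", "kind": "IAMPolicyMember",
     "metadata": {"name": "topic-publisher"},
     "spec": {"resourceRef": {"kind": "PubSubTopic", "name": "events"},
              "role": "roles/pubsub.publisher", "member": "serviceAccount:publisher"}},
    {"apiVersion": "iam.cnrm.cloud.google.com/v1beta1", "kind": "IAMPolicy",
     "metadata": {"name": "unsupported-ref"},
     "spec": {"resourceRef": {"kind": "ComputeInstance", "name": "vm-1"},
              "bindings": [{"role": "roles/viewer", "members": ["user:[email protected]"]}]}},
    {"apiVersion": "v1", "kind": "ConfigMap", "metadata": {"name": "ignored"}, "data": {}},
]

if __name__ == "__main__":
    import sys
    problems = validate_all(SAMPLE_DOCS)
    for f in problems:
        print(f"{f.manifest}: {f.message}")
    sys.exit(1 if problems else 0)
```

Run against the samples, the validator rejects the service-account manifest carrying roles/bigquery.jobUser and the manifest whose resourceRef kind is outside the supported set, and ignores the ConfigMap. Wiring it into a CI step before kpt live apply gives the earlier failure the comment asks for; the cost, as noted, is maintaining the two placeholder tables by hand.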

@jcanseco
Member

jcanseco commented Jan 24, 2022

Hi @patrickchense, gotcha. Have you tried using --server-side with kpt preview? The --server-side flag tells kpt to perform the dry-run by sending the resource to the server, thereby triggering any webhooks including KCC's webhooks.

@patrickchense
Author

@jcanseco sorry I didn't notice the updates. To answer the question, we use kpt preview --server-side but still cannot catch the misconfiguration.

We have a similar request coming from our users about IAM again. The user set roles/bigquery.jobUser on a ServiceAccount, and preview passed but apply failed with an error.

Error 400: Role roles/bigquery.jobUser is not supported for this resource., badRequest, detai

Are there any updates on this type of misconfiguration being caught earlier? Some Google API we could use to detect the error would be nice; we really don't want to hard-code the validation logic.
