Minimal Permissions for user credentials #26

Closed
rfranzke opened this issue Feb 4, 2020 · 3 comments · Fixed by #536
Labels
kind/enhancement Enhancement, improvement, extension lifecycle/rotten Nobody worked on this for 12 months (final aging stage) status/closed Issue is closed (either delivered or triaged)

Comments

rfranzke commented Feb 4, 2020

From gardener-attic/gardener-extensions#133

We have narrowed down the access permissions for AWS shoot clusters (potential remainder tracked in #178), but not yet for Azure, GCP and OpenStack, which this ticket is now about. We expect less success on these infrastructures as AWS's permission/policy options are very detailed. This may break the "shared account" idea on these infrastructures (Azure and GCP - OpenStack can be mitigated by programmatically creating tenants on the fly).

rfranzke added the kind/enhancement (Enhancement, improvement, extension) label Feb 4, 2020
rfranzke commented Feb 4, 2020

Disclaimer: It is unclear whether the currently required permissions can be narrowed down even more (whether the cloud provider allows this fine-grained tuning) - if you think it is not possible/not recommended, please close the issue with a proper explanation.

@dansible

Follow-up from #44 - we're currently using the Contributor role for the Azure ServicePrincipal, but it's likely that this is overprivileged. Is there a better role to use or a custom set of permissions to grant to the SP?
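One way to approach the question above is to derive a candidate custom role from what the service principal has actually been observed doing, then compare it with Contributor. The following is an added example, not Gardener code and not the permission set a Gardener shoot actually requires (this issue does not record that set). It assumes the Azure custom-role JSON shape (`Actions`, `NotActions`, `AssignableScopes`) and the `operationName.value` / `status.value` fields of Activity Log records; the log entries, the probe actions and the abbreviated Contributor definition are constructed for illustration, and the real Contributor role's `NotActions` list is longer than shown.

```python
"""Derive a least-privilege Azure custom role from observed activity.

Added example for the Contributor-role question above; it is not Gardener
code, and the action names below are constructed samples, not the set a
Gardener shoot actually needs.
"""
import fnmatch
import json
from collections import Counter

# Azure's built-in Contributor role as this example assumes it: allow
# everything, minus role-assignment management. The real role's NotActions
# list is longer; this is an approximation (assumption).
CONTRIBUTOR_ROLE = {
    "Name": "Contributor",
    "IsCustom": False,
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
}


def _rec(operation, status):
    """Build the two Activity Log fields this example reads."""
    return {"operationName": {"value": operation}, "status": {"value": status}}


# Constructed Activity Log records standing in for what the service
# principal did while reconciling one shoot.
SAMPLE_ACTIVITY_LOG = [
    _rec("Microsoft.Resources/subscriptions/resourceGroups/write", "Succeeded"),
    _rec("Microsoft.Network/virtualNetworks/write", "Succeeded"),
    _rec("Microsoft.Network/virtualNetworks/write", "Succeeded"),  # repeat reconcile
    _rec("Microsoft.Network/networkSecurityGroups/write", "Succeeded"),
    _rec("Microsoft.Network/routeTables/write", "Succeeded"),
    _rec("Microsoft.Compute/virtualMachines/write", "Succeeded"),
    _rec("Microsoft.Compute/disks/write", "Failed"),  # no evidence it is needed
]

# Constructed probes: sensitive operations the workload never performed.
SENSITIVE_PROBES = [
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.KeyVault/vaults/write",
]


def _matches(action, pattern):
    # Azure RBAC '*' spans '/' and matching is case-insensitive; fnmatch's
    # '*' also crosses '/', so it models the semantics closely enough.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def role_allows(role, action):
    """True if the role grants `action` (Actions minus NotActions)."""
    allowed = any(_matches(action, p) for p in role.get("Actions", []))
    denied = any(_matches(action, p) for p in role.get("NotActions", []))
    return allowed and not denied


def used_actions(log):
    """Distinct operations that actually succeeded, with call counts."""
    counts = Counter()
    for rec in log:
        if rec["status"]["value"] == "Succeeded":
            counts[rec["operationName"]["value"]] += 1
    return counts


def minimal_custom_role(name, log, scope):
    """Custom role listing exactly the observed actions, in the JSON shape
    that `az role definition create --role-definition` consumes."""
    return {
        "Name": name,
        "IsCustom": True,
        "Description": "Derived from observed activity; review before use",
        "Actions": sorted(used_actions(log)),
        "NotActions": [],
        "AssignableScopes": [scope],
    }


def missing_actions(role, log):
    """Observed actions the role would block: a regression check."""
    return [a for a in sorted(used_actions(log)) if not role_allows(role, a)]


def excess_actions(role, probes):
    """Probe actions the role grants although the workload never used them."""
    return [a for a in probes if role_allows(role, a)]


if __name__ == "__main__":
    scope = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder
    derived = minimal_custom_role("shoot-minimal", SAMPLE_ACTIVITY_LOG, scope)
    print(json.dumps(derived, indent=2))
    print("Contributor grants unused sensitive ops:", excess_actions(CONTRIBUTOR_ROLE, SENSITIVE_PROBES))
    print("Derived role grants unused sensitive ops:", excess_actions(derived, SENSITIVE_PROBES))
    print("Derived role blocks observed ops:", missing_actions(derived, SAMPLE_ACTIVITY_LOG))
```

Two caveats when using this against a real subscription: the Activity Log records control-plane write, delete and action operations, so read permissions (and any `*/read` the controllers need) have to be added by hand, and a role derived from one observation window misses operations that only run on rarer paths, such as shoot deletion or recovery after a failed reconcile. Treat the derived list as a starting point to review and test against a full create/update/delete cycle, not as a proven minimum.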

@muenchdo

I'm also very interested in this as we are currently discussing deploying a shoot into a customer's Azure subscription.

ghost added the lifecycle/stale (Nobody worked on this for 6 months (will further age)) label May 19, 2020
gardener-robot added lifecycle/rotten (Nobody worked on this for 12 months (final aging stage)) and removed lifecycle/stale labels Jul 19, 2020
gardener-robot added the status/closed (Issue is closed (either delivered or triaged)) label Jul 14, 2022