Overlapping GCP organization domain IAM (bootstrap) #838

Closed
MichaelHusbyn opened this issue Sep 27, 2022 · 2 comments · Fixed by #842
@MichaelHusbyn
Hi

Default setup is today with 2 roles on organization domain level:
roles/browser
roles/resourcemanager.organizationViewer

Browser gives the following permissions:

  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list

Organization viewer gives the following permissions:

  • resourcemanager.organizations.get

The right resourcemanager.organizations.get is in both. In this example the Organization Viewer right is redundant. It is not clear from the name that it contains both, so from that perspective I understand why both are applied.

There is another discussion about the default rights.
It can be discussed if getIamPolicy is something that all users should have. Folder Viewer may contain a better set of permissions.
Have not seen any recommendation on what permissions to give on organization level from Google. Except least privilege.
If Folder Viewer is used then Organization Viewer is needed.

References, doc & TF:
https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/blob/master/fast/stages/00-bootstrap/IAM.md
https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/blob/master/fast/stages/00-bootstrap/organization.tf

Cheers and keep up the good work
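Added example, not code from the issue or from the cloud-foundation-fabric repository: a small Python check that answers the two questions raised above for any set of roles bound to one principal on one resource, namely which roles are fully covered by the others (redundant) and which "review this" permissions the grant carries. The permission sets for roles/browser and roles/resourcemanager.organizationViewer are the ones listed in the issue; the set for roles/resourcemanager.folderViewer, the SENSITIVE_PERMISSIONS list and the sample JSON are constructed assumptions for illustration, so replace them with real `gcloud iam roles describe ROLE --format=json` output before relying on the result.

```python
"""Find redundant and sensitive grants among IAM roles bound on one resource.

A role is redundant when every permission it carries is already granted by
the other roles the same principal holds on the same resource (the issue's
browser + organizationViewer case). The catalog below is a constructed
example: browser and organizationViewer are quoted from the issue, the
folderViewer entry is an ASSUMPTION, not copied from Google's docs.
"""
import json
from typing import Dict, Iterable, List, Set

ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/browser": {
        "resourcemanager.folders.get",
        "resourcemanager.folders.list",
        "resourcemanager.organizations.get",
        "resourcemanager.projects.get",
        "resourcemanager.projects.getIamPolicy",
        "resourcemanager.projects.list",
    },
    "roles/resourcemanager.organizationViewer": {
        "resourcemanager.organizations.get",
    },
    # ASSUMPTION: illustrative Folder Viewer set; load the real one with
    # `gcloud iam roles describe roles/resourcemanager.folderViewer`.
    "roles/resourcemanager.folderViewer": {
        "resourcemanager.folders.get",
        "resourcemanager.folders.list",
        "resourcemanager.projects.get",
        "resourcemanager.projects.list",
    },
}

# ASSUMPTION: permissions a reviewer wants flagged when handed to every
# domain user (the issue questions projects.getIamPolicy).
SENSITIVE_PERMISSIONS: Set[str] = {
    "resourcemanager.projects.getIamPolicy",
    "resourcemanager.folders.getIamPolicy",
    "resourcemanager.organizations.getIamPolicy",
}

# Constructed sample in the shape of `gcloud iam roles describe --format=json`.
SAMPLE_DESCRIBE_JSON = json.dumps({
    "name": "roles/resourcemanager.organizationViewer",
    "stage": "GA",
    "title": "Organization Viewer",
    "includedPermissions": ["resourcemanager.organizations.get"],
})


def load_role(describe_json: str) -> Dict[str, Set[str]]:
    """Turn one `gcloud iam roles describe` JSON document into a one-entry catalog."""
    data = json.loads(describe_json)
    return {data["name"]: set(data.get("includedPermissions", []))}


def effective_permissions(roles: Iterable[str], catalog=ROLE_PERMISSIONS) -> Set[str]:
    """Union of the permissions carried by all granted roles; unknown roles fail loudly."""
    perms: Set[str] = set()
    for role in roles:
        if role not in catalog:
            raise KeyError(f"unknown role {role!r}; add it to the catalog first")
        perms |= catalog[role]
    return perms


def redundant_roles(roles: List[str], catalog=ROLE_PERMISSIONS) -> List[str]:
    """Roles whose every permission is covered by the other, not-yet-flagged roles.

    Greedy by position, so of two identical grants exactly one is reported
    rather than both cancelling each other out.
    """
    flagged: Set[int] = set()
    for i, role in enumerate(roles):
        others = [r for j, r in enumerate(roles) if j != i and j not in flagged]
        if catalog[role] <= effective_permissions(others, catalog):
            flagged.add(i)
    return [roles[i] for i in sorted(flagged)]


def missing_permissions(required: Set[str], roles: List[str], catalog=ROLE_PERMISSIONS) -> Set[str]:
    """Permissions in `required` that the granted roles do not provide."""
    return set(required) - effective_permissions(roles, catalog)


def review_grant(roles: List[str], required: Set[str] = frozenset(),
                 catalog=ROLE_PERMISSIONS) -> Dict[str, List[str]]:
    """One-shot report for a set of roles bound to one principal on one resource."""
    return {
        "redundant": redundant_roles(roles, catalog),
        "sensitive": sorted(effective_permissions(roles, catalog) & SENSITIVE_PERMISSIONS),
        "missing": sorted(missing_permissions(required, roles, catalog)),
    }


if __name__ == "__main__":
    need = {"resourcemanager.organizations.get"}
    # The bootstrap default discussed in the issue: organizationViewer is redundant.
    print(review_grant(["roles/browser", "roles/resourcemanager.organizationViewer"], need))
    # The Folder Viewer alternative: organizationViewer is now needed, getIamPolicy is gone.
    print(review_grant(["roles/resourcemanager.folderViewer",
                        "roles/resourcemanager.organizationViewer"], need))
```

To run this against the real role definitions, build the catalog by calling `load_role()` on the output of `gcloud iam roles describe ROLE --format=json` for each role in the binding, then pass that catalog into `review_grant()`; the `missing` entry is what tells you whether swapping Browser for Folder Viewer still leaves users able to read the organization node.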

@ludoo (Collaborator) commented Sep 27, 2022

Hey Michael, thanks for raising this!

You're right, the roles assigned to domain users are in overlap and it probably stems from the fact many users remove the browser role, and only keep organization viewer. +1 to removing organization viewer, I would maybe also add a comment to point out that it might be a sensible default if no other roles are given. Would you care sending a PR?

Folder admin is granted to org admins to allow them to effectively manage folders. We default to "open" permissions for org admins as those are usually tightened up progressively after install. They can anyway self-assign pretty much anything via the org admin role, so it's not that big of a difference in terms of actual security.

Happy to discuss this further of course!

@ludoo ludoo added the on:FAST label Sep 27, 2022
@MichaelHusbyn (Author)

I can try to send a PR later if I get the time to register myself.
We can discuss permissions for a long time, but I agree, the difference in terms of actual security is not so big. And it most likely will be something that you should change when implementing. Still, nice that the baseline is as secure as it can get right out of the box.
