
GCP IAM Policies #659

Merged
Bobi-Wan merged 9 commits into gardener:main from Bobi-Wan:feat/gcp-principals
Oct 24, 2025

Conversation

Contributor

@Bobi-Wan Bobi-Wan commented Oct 13, 2025

What this PR does / why we need it:
This PR is needed to track principal IAM permissions.
This is done by collecting every known project's IAM Policy, which contains all the role-member (principal) bindings.

As GCP follows the following structure:
Org
->Folder1
->FolderX
->Project

IAM access is inherited if it is defined on a higher level.
The collected policy seems to include the roles that come from higher levels, so we don't need to collect those separately.

The collected structures are:

  • IAMPolicy - same as GCP IAM Policy
  • IAMBinding - a role:member (1:n) mapping inside a policy. There can be many bindings in a policy.
  • IAMRoleMember - custom abstraction to be able to more easily query information about a principal.

The following tables were created respectively:

  • gcp_iam_policy
  • gcp_iam_binding
  • gcp_iam_role_member

This PR is missing Grafana dashboards, but they will need to be discussed further, to be added in the coming days.

Release note:

GCP IAM Policy
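The three structures in the PR description (a policy, its role:member bindings, and a flattened role-member row per principal) are easiest to see in code. The Go program below is an added example, not code from this PR or from the gardener project: its type and field names are this example's own choice rather than the models in pkg/gcp/models, and the policy document it parses is a constructed sample in the JSON shape GCP returns for a project IAM policy. It flattens bindings into one row per principal, answers the per-principal query the PR is after, and surfaces bindings granted to the special public principals (allUsers, allAuthenticatedUsers) as the rows a reviewer wants to look at first.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// IAMPolicy mirrors the shape of a project IAM policy as returned by the
// GCP Resource Manager getIamPolicy call: a version, an etag and a list of
// bindings. The Go type and field names are this example's own choice,
// not the models in pkg/gcp/models.
type IAMPolicy struct {
	Version  int          `json:"version"`
	Etag     string       `json:"etag"`
	Bindings []IAMBinding `json:"bindings"`
}

// IAMBinding is one role granted to one or more members (principals).
type IAMBinding struct {
	Role    string   `json:"role"`
	Members []string `json:"members"`
}

// IAMRoleMember is the flattened (project, role, principal) row that makes
// per-principal queries easy, in the spirit of a gcp_iam_role_member row.
type IAMRoleMember struct {
	ProjectID  string
	Role       string
	MemberType string // "user", "serviceAccount", "group", "allUsers", ...
	Member     string // identifier after the "type:" prefix; empty for allUsers
}

// samplePolicyJSON is a constructed policy used as offline input.
const samplePolicyJSON = `{
  "version": 1,
  "etag": "BwExampleEtag",
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com", "group:admins@example.com"]},
    {"role": "roles/viewer",
     "members": ["user:alice@example.com",
                 "serviceAccount:ci@demo-project.iam.gserviceaccount.com",
                 "allUsers"]}
  ]
}`

// splitMember turns "user:alice@example.com" into ("user", "alice@example.com").
// The special principals allUsers and allAuthenticatedUsers carry no prefix.
func splitMember(m string) (memberType, member string) {
	if i := strings.IndexByte(m, ':'); i >= 0 {
		return m[:i], m[i+1:]
	}
	return m, ""
}

// FlattenPolicy expands every binding of a policy into one row per member.
func FlattenPolicy(projectID string, p IAMPolicy) []IAMRoleMember {
	var rows []IAMRoleMember
	for _, b := range p.Bindings {
		for _, m := range b.Members {
			t, id := splitMember(m)
			rows = append(rows, IAMRoleMember{ProjectID: projectID, Role: b.Role, MemberType: t, Member: id})
		}
	}
	return rows
}

// LoadRoleMembers parses a policy document and flattens it.
func LoadRoleMembers(projectID string, policyJSON []byte) ([]IAMRoleMember, error) {
	var p IAMPolicy
	if err := json.Unmarshal(policyJSON, &p); err != nil {
		return nil, fmt.Errorf("decode IAM policy for %s: %w", projectID, err)
	}
	return FlattenPolicy(projectID, p), nil
}

// RolesForPrincipal answers "which roles does this principal hold, per project?".
// Rows collected from many projects can be passed in together. No folder/org
// walk is attempted here; the PR description notes the collected project policy
// appears to already contain roles inherited from higher levels.
func RolesForPrincipal(rows []IAMRoleMember, memberType, member string) map[string][]string {
	out := map[string][]string{}
	for _, r := range rows {
		if r.MemberType == memberType && r.Member == member {
			out[r.ProjectID] = append(out[r.ProjectID], r.Role)
		}
	}
	for k := range out {
		sort.Strings(out[k])
	}
	return out
}

// PublicGrants returns rows that grant a role to everyone on the internet
// (allUsers) or to any Google account (allAuthenticatedUsers).
func PublicGrants(rows []IAMRoleMember) []IAMRoleMember {
	var out []IAMRoleMember
	for _, r := range rows {
		if r.MemberType == "allUsers" || r.MemberType == "allAuthenticatedUsers" {
			out = append(out, r)
		}
	}
	return out
}

func main() {
	rows, err := LoadRoleMembers("demo-project", []byte(samplePolicyJSON))
	if err != nil {
		panic(err)
	}
	for _, r := range rows {
		fmt.Printf("%-14s %-14s %-22s %s\n", r.ProjectID, r.Role, r.MemberType, r.Member)
	}
	fmt.Println("alice:", RolesForPrincipal(rows, "user", "alice@example.com"))
	fmt.Println("public grants:", len(PublicGrants(rows)))
}
```

Splitting the member string into a type and an identifier is what makes the flattened table queryable: a `WHERE member_type = 'serviceAccount'` or a lookup of a single user across every collected project becomes a plain filter rather than a string-prefix match over the raw binding list.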

@Bobi-Wan Bobi-Wan requested a review from a team as a code owner October 13, 2025 11:45
@gardener-robot gardener-robot added needs/review Needs review size/L Denotes a PR that changes 100-499 lines, ignoring generated files. needs/second-opinion Needs second review by someone else labels Oct 13, 2025
@Bobi-Wan Bobi-Wan force-pushed the feat/gcp-principals branch 2 times, most recently from 64351f9 to 8505f3b Compare October 13, 2025 12:17
Comment thread pkg/gcp/models/models.go
Comment thread examples/config.yaml
Comment thread pkg/gcp/tasks/metrics.go
@gardener-robot gardener-robot added the needs/changes Needs (more) changes label Oct 14, 2025
@Bobi-Wan Bobi-Wan force-pushed the feat/gcp-principals branch 2 times, most recently from d7294c9 to 6b67ba2 Compare October 14, 2025 12:55
@Bobi-Wan Bobi-Wan force-pushed the feat/gcp-principals branch from 6b67ba2 to af29111 Compare October 14, 2025 12:56
@gardener-robot gardener-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Oct 14, 2025
Member

@dnaeon dnaeon left a comment


/lgtm

@gardener-robot gardener-robot added reviewed/lgtm Has approval for merging and removed needs/changes Needs (more) changes needs/review Needs review needs/second-opinion Needs second review by someone else labels Oct 21, 2025
@Bobi-Wan Bobi-Wan merged commit 1046a10 into gardener:main Oct 24, 2025
4 checks passed
@gardener-robot gardener-robot added the status/closed Issue is closed (either delivered or triaged) label Oct 24, 2025
@Bobi-Wan Bobi-Wan deleted the feat/gcp-principals branch January 7, 2026 09:07