
gcloud: support GCE_ZONE_ID to bypass zone list #2073

Closed
wants to merge 2 commits into from

Conversation

philpennock (Contributor)

The GCloud IAM permission system permits a zone to grant access to an actor, without the project granting any access. This can be used with Service Accounts to let an SA edit DNS in one particular zone, and nothing more.

Remove the need for the caller to have project-level role access granting the dns.managedZones.list permission, in exchange for the caller telling us the explicit zone ID to use, via the GCE_ZONE_ID environment variable.


PR comment: sorry, I'm going to need help figuring out the test rig and how to set it up to fail the managedzones list call but succeed on zone edits, to add a test for this logic.
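To make the permission boundary described in this PR concrete, here is an added Go example; it is not lego's code and not the change under review. The `ZoneLister` interface, the `DeniedLister` stand-in for a zone-scoped service account whose `managedZones.list` call is refused, and the `ResolveZoneID` helper are all constructed for illustration, as is the sample zone data. The point it shows is the one the description makes: when an explicit zone ID is supplied (here read from `GCE_ZONE_ID`), the list call is never made, so a service account holding only a role on that one zone succeeds, while the same account without the override fails at the listing step.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// ErrListDenied stands in for the API error a service account receives when it
// lacks dns.managedZones.list on the project (constructed for this example).
var ErrListDenied = errors.New("permission denied: dns.managedZones.list")

// ManagedZone is a minimal model of a Cloud DNS managed zone (constructed).
type ManagedZone struct {
	ID      string // zone name used in API paths, e.g. "example-zone"
	DNSName string // absolute DNS name with trailing dot, e.g. "example.com."
}

// ZoneLister abstracts the managedZones.list call (hypothetical interface).
type ZoneLister interface {
	ListZones() ([]ManagedZone, error)
}

// StaticLister models a caller with project-level list permission.
type StaticLister struct{ Zones []ManagedZone }

func (s StaticLister) ListZones() ([]ManagedZone, error) { return s.Zones, nil }

// DeniedLister models a zone-scoped service account: listing is refused.
type DeniedLister struct{}

func (DeniedLister) ListZones() ([]ManagedZone, error) { return nil, ErrListDenied }

// SampleZones is constructed sample data.
var SampleZones = []ManagedZone{
	{ID: "corp-zone", DNSName: "example.com."},
	{ID: "lab-zone", DNSName: "lab.example.com."},
	{ID: "other-zone", DNSName: "notexample.com."},
}

// fqdn normalises a domain to lower case with a single trailing dot.
func fqdn(domain string) string {
	return strings.ToLower(strings.TrimSuffix(domain, ".")) + "."
}

// ResolveZoneID returns the managed zone to use for a record under domain.
// When explicitZoneID is non-empty it is returned as-is and the list API is
// never called, so a caller holding only zone-level roles can proceed.
// Otherwise the zone with the longest matching DNS suffix is chosen.
func ResolveZoneID(explicitZoneID, domain string, lister ZoneLister) (string, error) {
	if explicitZoneID != "" {
		return explicitZoneID, nil
	}
	zones, err := lister.ListZones()
	if err != nil {
		return "", fmt.Errorf("listing managed zones (set GCE_ZONE_ID to skip this call): %w", err)
	}
	name := fqdn(domain)
	var best ManagedZone
	for _, z := range zones {
		zn := fqdn(z.DNSName)
		// Match only on a label boundary so "notexample.com." never claims "example.com.".
		if (name == zn || strings.HasSuffix(name, "."+zn)) && len(zn) > len(best.DNSName) {
			best = ManagedZone{ID: z.ID, DNSName: zn}
		}
	}
	if best.ID == "" {
		return "", fmt.Errorf("no managed zone found for %q", domain)
	}
	return best.ID, nil
}

// ResolveZoneIDFromEnv reads the GCE_ZONE_ID override before falling back to listing.
func ResolveZoneIDFromEnv(domain string, lister ZoneLister) (string, error) {
	return ResolveZoneID(os.Getenv("GCE_ZONE_ID"), domain, lister)
}

func main() {
	const rec = "_acme-challenge.lab.example.com"
	// Project-level list permission present: suffix match picks lab-zone.
	fmt.Println(ResolveZoneID("", rec, StaticLister{Zones: SampleZones}))
	// Zone-scoped account, no override: the listing step fails.
	fmt.Println(ResolveZoneID("", rec, DeniedLister{}))
	// Zone-scoped account with the explicit ID: no list call, succeeds.
	fmt.Println(ResolveZoneID("lab-zone", rec, DeniedLister{}))
}
```

The error wrapping around the list call is deliberate: a caller who sees a `dns.managedZones.list` denial is told about the override rather than being left to guess which project-level role is missing, which is what a zone-scoped credential setup needs.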

@ldez ldez added this to the v4.15 milestone Jan 12, 2024
ldez (Member) commented Jan 12, 2024

Hello,

Your PR comes from a GitHub Organization; it's a problem to edit your PR and for automation that modifies or updates PRs.

Can you re-create your PR from a personal fork?

@ldez ldez removed this from the v4.15 milestone Jan 12, 2024
Commit 1:

The GCloud IAM permission system permits a zone to grant access to an actor, without the project granting any access. This can be used with Service Accounts to let an SA edit DNS in one particular zone, and nothing more.

Remove the need for the caller to have project-level role access granting the `dns.managedZones.list` permission, in exchange for the caller telling us the explicit zone ID to use, via the `GCE_ZONE_ID` environment variable.

Commit 2:

Restructure to reduce complexity, rename variables for compatibility, and use `golangci-lint run --fix` before check-in.
philpennock (Contributor, Author)

> Your PR comes from a GitHub Organization; it's a problem to edit your PR and for automation that modifies or updates PRs.
>
> Can you re-create your PR from a personal fork?

Done, this has been re-forked and a new PR submitted, #2081.
