Add option to attach roles just on the created SA instead of at the project level in workload-identity module #1909

Closed
rrajvans opened this issue Mar 20, 2024 · 1 comment
Labels
enhancement New feature or request Stale

Comments

rrajvans commented Mar 20, 2024

TL;DR

Add an option to attach roles/iam.serviceAccountOpenIdTokenCreator & roles/iam.serviceAccountTokenCreator just on the SA itself instead of at the project level

Terraform Resources

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_iam

Detailed design

Change field roles to roles_project_level to clarify these roles are granted at project level

Create optional list field roles_sa_level to clarify these roles are granted on the GCP Service account

roles_sa_level will allow only roles/iam.serviceAccountTokenCreator & roles/iam.serviceAccountOpenIdTokenCreator, taken from https://cloud.google.com/iam/docs/service-account-permissions. roles/iam.serviceAccountUser is not needed as the SA already has that role on itself. We'll use `validate` to check that the user-provided list is not longer than 2 and that each value is one of the above two roles.

We'll add a https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_iam#google_service_account_iam_member in https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/blob/master/modules/workload-identity/main.tf and use for_each to attach these roles at the SA level.

Additional information

Our team faced the issue where we wanted to attach roles/iam.serviceAccountTokenCreator on the GCP SA itself, but the roles field in the workload-identity module gives roles to the SA at the project level, which can be a security risk. We had to use this module to attach the role on the SA itself. It would be nice to have the option to specify roles on the SA itself within the workload-identity module.
Please let me know if this sounds good. If yes, I can start working on it.
Thanks!

@rrajvans rrajvans added the enhancement New feature or request label Mar 20, 2024
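The following is an added example sketching the design proposed above; it is not code from the terraform-google-kubernetes-engine workload-identity module or from the issue author. It assumes a hypothetical `google_service_account.app` standing in for the SA the module creates, a `project_id` variable, and a `roles_sa_level` variable whose `validation` block enforces the "at most two, only these two roles" rule. The security point it illustrates: `roles/iam.serviceAccountTokenCreator` granted at project level lets the member mint tokens for every service account in that project, whereas a `google_service_account_iam_member` binding scopes it to the one SA.

```hcl
# Added example (not the workload-identity module's own code).
# Assumed variables and resource names are hypothetical.

variable "project_id" {
  description = "Project hosting the service account (assumed)."
  type        = string
}

variable "roles_sa_level" {
  description = "Roles granted on the created service account itself, not on the project."
  type        = list(string)
  default     = []

  validation {
    # Only the two token-creator roles are meaningful on the SA resource;
    # roles/iam.serviceAccountUser is not needed because the SA already holds
    # it on itself. The condition references only this variable, which keeps it
    # valid on every Terraform 1.x release.
    condition = (
      length(var.roles_sa_level) <= 2 &&
      alltrue([
        for r in var.roles_sa_level : contains([
          "roles/iam.serviceAccountTokenCreator",
          "roles/iam.serviceAccountOpenIdTokenCreator",
        ], r)
      ])
    )
    error_message = "roles_sa_level may contain only roles/iam.serviceAccountTokenCreator and/or roles/iam.serviceAccountOpenIdTokenCreator."
  }
}

# Hypothetical SA standing in for the one the module creates.
resource "google_service_account" "app" {
  project      = var.project_id
  account_id   = "app-workload"
  display_name = "Workload Identity SA (example)"
}

# Weak pattern (what a project-level `roles` entry does): the SA can now call
# generateAccessToken / generateIdToken against EVERY service account in the
# project, which is a lateral-movement path if the workload is compromised.
# Left commented out deliberately.
#
# resource "google_project_iam_member" "project_level" {
#   project = var.project_id
#   role    = "roles/iam.serviceAccountTokenCreator"
#   member  = "serviceAccount:${google_service_account.app.email}"
# }

# Hardened pattern: bind each requested role on the SA resource only.
# service_account_id takes the fully-qualified name
# (projects/{project}/serviceAccounts/{email}), which the `name` attribute provides.
resource "google_service_account_iam_member" "sa_level" {
  for_each = toset(var.roles_sa_level)

  service_account_id = google_service_account.app.name
  role               = each.value
  member             = "serviceAccount:${google_service_account.app.email}"
}
```

Passing `roles_sa_level = ["roles/iam.serviceAccountTokenCreator"]` produces a single `google_service_account_iam_member` binding; passing any other role, or a third entry, fails at `terraform validate`/`plan` with the error message above rather than creating an unintended binding. Because `google_service_account_iam_member` is non-authoritative, it composes with bindings made elsewhere on the same SA and does not overwrite them.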
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

@github-actions github-actions bot added the Stale label May 19, 2024
@github-actions github-actions bot closed this as not planned (won't fix, can't repro, duplicate, stale) May 27, 2024