feat: Follow least privilege principal for backup service account #597
Based on this, the roles/cloudsql.viewer role is sufficient for export workflows, but for backup workflows the roles/cloudsql.editor role needs to be used. In any case, an admin role on all instances is against best practices. PS: IMHO GCP should create a role dedicated to backup/export operations; if someone knows a place where I can report/request it, please let me know.
/gcbrun
@imrannayer can you paste gcbrun logs?
This does not look like an issue related to my change.
/gcbrun
@imrannayer can you please merge this?
@ps-occrp will these examples verify the change you made?
@imrannayer The first example with MySQL will verify it, but the second one with Postgres will not verify it.
@ps-occrp is it possible to update the Postgres example so the test can verify it?
@imrannayer I can update it, but I don't think it makes sense. The MySQL example creates a service account and uses it, and in that case this PR is involved. The PostgreSQL example uses an existing service account. This provides complete coverage; if I update the PostgreSQL example to not use an existing service account and create a new service account, then test coverage will reduce.
/gcbrun
/gcbrun
@imrannayer can this be merged?
/gcbrun
Follow least privilege principal for backup service account