
Support service account impersonation (Closes #248) #249

Merged
merged 1 commit into from
Jun 28, 2021

Conversation


@xanonid xanonid commented Jun 25, 2021

Closes: #248

@cbruno10 cbruno10 requested a review from LalitLab June 25, 2021 13:08
@LalitLab

@xanonid
Thank you for the contribution.

Can you help me to test the service account impersonation capability for the plugin?
Below is what I have tried so far to test it.

  • Created a service account having owner access to the project
  • Now I have granted the Service Account User role to the user on the above-created service account
  • Then I have created ADC credentials for the user using gcloud auth application-default login, where I got the below warning:

WARNING: Cannot add the project "xxxxxxx-aaa" to ADC as the quota project because the account in ADC does not have the "serviceusage.services.use" permission on this project. You might receive a "quota_exceeded" or "API not enabled" error.

On running the below query in Steampipe, I am getting an error:

> select * from gcp.gcp_storage_bucket
Error: Get "https://storage.googleapis.com/storage/v1/b?alt=json&prettyPrint=false&project=xxxxxxx-aaa": impersonate: status code 403: {
  "error": {
    "code": 403,
    "message": "The caller does not have permission",
    "status": "PERMISSION_DENIED"
  }
}


xanonid commented Jun 28, 2021

Hi @LalitTurbot,

thanks for your reply. You can test the impersonation directly with gcloud using the corresponding flag:
gcloud --impersonate-service-account=YOUR_SERVICE_ACCOUNT@PROJECT.iam.gserviceaccount.com alpha storage ls

You need the roles/iam.serviceAccountTokenCreator role. The roles/iam.serviceAccountUser role is not enough.

Here is a lengthy description for the needed steps.
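One way to pre-check the role distinction described above, as an added example that is not code from this PR or from the plugin: it reads the target service account's IAM policy (the JSON shape returned by `gcloud iam service-accounts get-iam-policy SA --format=json`, a constructed sample here) and reports whether a principal holds roles/iam.serviceAccountTokenCreator or only roles/iam.serviceAccountUser.

```python
"""Pre-flight check for GCP service account impersonation."""
import json

# Role that actually permits minting access tokens for the service account.
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
# Role that only permits attaching the SA to resources; on its own it yields
# the 403 PERMISSION_DENIED from the impersonate call shown earlier.
SERVICE_ACCOUNT_USER = "roles/iam.serviceAccountUser"


def roles_for(policy: dict, member: str) -> set:
    """Collect every role bound directly to `member` in a service-account IAM policy.

    Conditional bindings are skipped (whether they apply cannot be decided
    offline), and membership inherited via group: members is not resolved.
    """
    roles = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            continue
        if member in binding.get("members", []):
            roles.add(binding["role"])
    return roles


def impersonation_check(policy_json: str, member: str) -> dict:
    """Return whether `member` can impersonate the SA whose policy is given, and why."""
    roles = roles_for(json.loads(policy_json), member)
    ok = TOKEN_CREATOR in roles
    if ok:
        reason = f"{member} holds {TOKEN_CREATOR}; impersonation should succeed"
    elif SERVICE_ACCOUNT_USER in roles:
        reason = (f"{member} holds only {SERVICE_ACCOUNT_USER}; this does not "
                  "allow token creation, expect 403 PERMISSION_DENIED")
    else:
        reason = f"{member} has no impersonation-related role on this service account"
    return {"can_impersonate": ok, "roles": sorted(roles), "reason": reason}


# Constructed sample policy (not a real project): alice has only the User role,
# bob has both roles.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": SERVICE_ACCOUNT_USER,
         "members": ["user:alice@example.com", "user:bob@example.com"]},
        {"role": TOKEN_CREATOR, "members": ["user:bob@example.com"]},
    ],
    "etag": "BwXYZ", "version": 1,
})

if __name__ == "__main__":
    for who in ("user:alice@example.com", "user:bob@example.com"):
        print(impersonation_check(SAMPLE_POLICY, who)["reason"])
```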

@LalitLab

> Hi @LalitTurbot,
>
> thanks for your reply. You can test the impersonation directly with gcloud using the corresponding flag:
> gcloud --impersonate-service-account=YOUR_SERVICE_ACCOUNT@PROJECT.iam.gserviceaccount.com alpha storage ls
>
> You need the roles/iam.serviceAccountTokenCreator role. The roles/iam.serviceAccountUser role is not enough.
>
> Here is a lengthy description for the needed steps.

Thanks, it worked after granting iam.serviceAccountTokenCreator to the user on the service account.


@LalitLab LalitLab left a comment


LGTM

@cbruno10 cbruno10 merged commit 14b0fe1 into turbot:main Jun 28, 2021
@cbruno10

@xanonid Thanks again for the contribution!

Successfully merging this pull request may close these issues.

Please support GCP service account impersonation
3 participants