Verify required permission for Leo SA #806

Closed
vkumra-broad opened this issue Mar 5, 2019 · 5 comments
@vkumra-broad
Contributor

Bernick pinged the #dsp-infosec-champions room in Slack asking that we look into the service-specific Service Accounts to verify what permissions they actually need.

@davidbernick

This is not new -- I asked about this in November. Do we have an official answer?

@rtitle
Collaborator

rtitle commented Mar 8, 2019

The ask here is what permissions the Leo SA needs in broad-dsde-prod, correct? I believe we need storage admin, because we create buckets in broad-dsde-prod. Other operations are all done in users' billing projects, so are probably not needed in broad-dsde-prod.

We may be able to test this:

  1. Create a SA in broad-dsde-dev
  2. Deploy Leo to a fiab. Change leonardo.conf to point to the above SA
  3. Play with IAM roles in broad-dsde-dev for the above SA until we find the minimal set that works

@davidbernick

davidbernick commented Mar 8, 2019 via email

@vkumra-broad
Contributor Author

Tested in dev: Storage Admin and CloudSQL Client are the only permissions that leo service account needs.

@vkumra-broad
Contributor Author

Also needs Dataproc Viewer permission.
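
The thread ends with a minimal role set (Storage Admin, Cloud SQL Client, Dataproc Viewer) found by trial in dev, but nothing here shows how to confirm that the SA in a project holds exactly that set and nothing more. The following is an added example, not Leonardo code and not part of this issue: it takes the JSON that `gcloud projects get-iam-policy PROJECT --format=json` returns, lists the project-level roles bound to one member, diffs them against the expected set, and emits the `gcloud` commands that would remove excess grants and add missing ones. The SA e-mail, project ID, and the sample policy are constructed for illustration; the role IDs are the standard predefined roles that the informal names in the thread map to, which is an assumption since the thread never states the IDs.

```python
"""Verify that a service account holds exactly an expected set of project-level
IAM roles, given the output of `gcloud projects get-iam-policy --format=json`.
Added example for this issue; not Leonardo's own code."""
import json

# Predefined role IDs assumed to correspond to the names used in the thread.
EXPECTED_LEO_ROLES = {
    "roles/storage.admin",     # "Storage Admin": Leo creates buckets in the project
    "roles/cloudsql.client",   # "CloudSQL Client"
    "roles/dataproc.viewer",   # "Dataproc Viewer"
}

# Hypothetical member and project, used only for the sample below.
LEO_SA = "serviceAccount:leo@example-project.iam.gserviceaccount.com"
PROJECT = "example-project"

# Constructed sample policy (not a real project's bindings). It deliberately
# contains one excess grant (roles/editor) and lacks roles/dataproc.viewer.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/storage.admin", "members": [LEO_SA]},
        {"role": "roles/cloudsql.client",
         "members": [LEO_SA, "user:someone@example.com"]},
        {"role": "roles/editor", "members": [LEO_SA]},
        {"role": "roles/dataproc.viewer", "members": ["user:someone@example.com"]},
        # A conditional binding is reported separately so it is not mistaken
        # for an unconditional grant.
        {"role": "roles/storage.objectViewer", "members": [LEO_SA],
         "condition": {"title": "temp", "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
    ],
    "etag": "BwWxyz",
    "version": 3,
})


def roles_for_member(policy_json, member):
    """Return (unconditional_roles, conditional_roles) bound to `member`."""
    policy = json.loads(policy_json)
    unconditional, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        if "condition" in binding:
            conditional.add(binding["role"])
        else:
            unconditional.add(binding["role"])
    return unconditional, conditional


def check_least_privilege(policy_json, member, expected):
    """Diff the member's unconditional roles against `expected`.

    `excess` is the over-privilege finding; `missing` is what would break the
    service; `conditional` is listed for manual review because its effect
    depends on the condition expression."""
    actual, conditional = roles_for_member(policy_json, member)
    return {
        "missing": sorted(expected - actual),
        "excess": sorted(actual - expected),
        "conditional": sorted(conditional),
        "ok": actual == expected and not conditional,
    }


def plan_fix(report, project, member):
    """Emit the gcloud commands that would bring the bindings to the expected set.

    Commands are returned as strings, not executed, so the plan can be reviewed
    before anything changes in the project."""
    cmds = []
    for role in report["excess"]:
        cmds.append(f"gcloud projects remove-iam-policy-binding {project} "
                    f"--member={member} --role={role}")
    for role in report["missing"]:
        cmds.append(f"gcloud projects add-iam-policy-binding {project} "
                    f"--member={member} --role={role}")
    return cmds


if __name__ == "__main__":
    report = check_least_privilege(SAMPLE_POLICY, LEO_SA, EXPECTED_LEO_ROLES)
    print(json.dumps(report, indent=2))
    for cmd in plan_fix(report, PROJECT, LEO_SA):
        print(cmd)
```

To run it against a real project, replace `SAMPLE_POLICY` with the output of `gcloud projects get-iam-policy PROJECT --format=json` and `LEO_SA` with the SA's `serviceAccount:` member string; the same check applied to both the dev project where the roles were trialled and the production project is what turns step 3 of the procedure above into something repeatable.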
