
Use dedicated service account for each Cloud Function #7

Open
cisaacstern opened this issue Jun 30, 2022 · 1 comment
Comments

@cisaacstern
Member

cisaacstern commented Jun 30, 2022

In #6, I moved the webhook cred into the Secrets Manager API, and granted the default runtime service account read access to it:

# Fragment of the Secret Manager IAM binding from #6: the App Engine default
# runtime service account is granted read access to the webhook secret.
role = "roles/secretmanager.secretAccessor"
members = [
  "serviceAccount:${var.project}@appspot.gserviceaccount.com",
]

Here's the SO post which made me realize that was necessary and the place in the GCP docs it references.

For a more fine-grained permission structure down the line, we could also make a dedicated service account for each function.

This seemed to add unnecessary complexity at this early stage of the project, but may be worth keeping in mind as we grow.

cc @sharkinsspatial @rabernat (No action needed now AFAICT, just keeping you both in the loop.)

@cisaacstern
Member Author

Note that while this structure is currently used for GitHub repository dispatch PATs, we can use the same approach for FastAPI credentials once we move registrar functionality into pangeo-forge-orchestrator.
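The per-function layout suggested in the opening comment, applied to both the repository-dispatch PAT case and the FastAPI credential case mentioned above, as an added Terraform example that is not part of pangeo-forge-orchestrator. It assumes the Google provider 4.x argument names current when this issue was opened; the function names, secret IDs, the `source_bucket`/`source_object` variables and the `WEBHOOK_SECRET` environment variable are placeholders, while `var.project` is the variable the page already uses.

```hcl
# Added example, not project code. One runtime identity per Cloud Function, each
# allowed to read only the secret that function needs, instead of the shared
# App Engine default account reading everything.

variable "project" {}
variable "region" {}
variable "source_bucket" {} # placeholder: bucket holding the function archives
variable "source_object" {} # placeholder: archive object name

locals {
  # Hypothetical function names; each gets its own service account and secret.
  functions = toset(["webhook-receiver", "registrar"])
}

# Dedicated service account per function (no roles granted at project level).
resource "google_service_account" "function" {
  for_each     = local.functions
  account_id   = "cf-${each.key}"
  display_name = "Runtime identity for Cloud Function ${each.key}"
}

# Placeholder secrets; a real deployment would reference existing ones.
resource "google_secret_manager_secret" "function" {
  for_each  = local.functions
  secret_id = "${each.key}-credential"
  replication {
    automatic = true
  }
}

# Least privilege: the accessor role is bound on a single secret, to a single
# member, so webhook-receiver's account cannot read registrar's credential.
resource "google_secret_manager_secret_iam_member" "function_reader" {
  for_each  = local.functions
  project   = var.project
  secret_id = google_secret_manager_secret.function[each.key].secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.function[each.key].email}"
}

# The function runs as its own account and receives the secret as an env var.
resource "google_cloudfunctions_function" "function" {
  for_each              = local.functions
  name                  = each.key
  runtime               = "python39"
  region                = var.region
  entry_point           = "main"
  trigger_http          = true
  source_archive_bucket = var.source_bucket
  source_archive_object = var.source_object
  service_account_email = google_service_account.function[each.key].email

  secret_environment_variables {
    key        = "WEBHOOK_SECRET" # placeholder variable name
    project_id = var.project
    secret     = google_secret_manager_secret.function[each.key].secret_id
    version    = "latest"
  }

  depends_on = [google_secret_manager_secret_iam_member.function_reader]
}
```

The `depends_on` matters in practice: deploying a function whose secret binding does not yet exist fails at deploy time, which is the desired behaviour, but ordering the apply avoids a spurious error. After applying, the binding can be checked per secret with `gcloud secrets get-iam-policy <secret-id> --project <project>`, which should list only the matching function's account under `roles/secretmanager.secretAccessor` and no longer the `@appspot.gserviceaccount.com` default account.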
