This repository has been archived by the owner on Dec 20, 2024. It is now read-only.
IAM for user access to bastion is broken by default #17
Labels
Comments
|
Option 1 seems to be better ! |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Issue description
When deploying a bastion using this module, with minimal configuration and by following the examples provided in the repo, permissions are non-sufficient for users to access the bastion.
Steps to reproduce
Observed behaviour
gcloud compute ssh --tunnel-over-iapExpected behaviour
gcloud compute ssh --tunnel-over-iapCause
In order to connect to a GCE instance, a user needs to have
actAspermissions on the Google Service Account bound to the GCE instance.By default, the bastion module binds no Google Service Account to the bastion. Therefore, the Compute Engine default service account is assigned by GCP.
However, the test user had no permissions on the project, so he does not have the
actAspermission on the Compute Engine default service account.How to fix
I see two possible ways of fixing this.
membersasroles/iam.serviceAccountUseron this service-account.membersasroles/iam.serviceAccountUseron this service-account.My recommendation is to go with Option 1.
I'm happy to open a PR once we decide on the better option :)
Notes
Additionally I think we should include this in the README as well, so that a user of this module that wishes to use a custom service-account for the bastion would know that this permission is required for members to access the bastion.
The text was updated successfully, but these errors were encountered: