Issue with folder IAM policy access for read-only SA in project factory
Closed this issue · 1 comment
With the project factory, the read-only service account only gets the Folder Viewer role. This does not grant access to resourcemanager.folders.getIamPolicy (see Folder Viewer IAM).
So PRs fail (in the plan stage) with errors such as these:
```
module.projects.module.hierarchy-folder-lvl-1["sandboxes"].google_folder.folder[0]: Refreshing state... [id=folders/nnnn]
Error: Error when reading or editing Resource "folder \"folders/nnnn\"" with IAM Binding (Role "roles/pubsub.admin"): Error retrieving IAM policy for folder "folders/nnnn": googleapi: Error 403: Permission 'resourcemanager.folders.getIamPolicy' denied on resource '//cloudresourcemanager.googleapis.com/folders/nnnn' (or it may not exist).
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "domain": "cloudresourcemanager.googleapis.com",
    "metadata": {
      "permission": "resourcemanager.folders.getIamPolicy",
      "resource": "folders/nnnn"
    },
    "reason": "IAM_PERMISSION_DENIED"
  }
]
, forbidden

  with module.projects.module.hierarchy-folder-lvl-1["sandboxes"].google_folder_iam_binding.authoritative["roles/pubsub.admin"],
  on .terraform/modules/projects/modules/folder/iam.tf line , in resource "google_folder_iam_binding" "authoritative":
  36: resource "google_folder_iam_binding" "authoritative" {
```
I am considering doing this:
- create a custom role folder_iam_viewer (in the bootstrap stage) that includes the getIamPolicy permission.
And then update the resman level branch-teams to include that custom role:
```hcl
(local.custom_roles.folder_iam_viewer) = (local.branch_optional_r_sa_lists.pf-dev)
```
Is this the right approach? Should I make a PR for this or am I missing something?
Good point and thanks for reporting it. I would just use the custom organizationAdminViewer role we are already defining in stage 0.
Can you send a PR to add that role to the project factory service accounts, probably at the org level with conditions on the prod and dev tags? Otherwise I can do it soonish (probably tomorrow).
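As an added illustration, and not code from the FAST stages or from either participant above, this Terraform snippet shows the shape of the fix being discussed: a custom role that grants only the folder IAM read permission the read-only SA is missing, bound at the organization level with a resource-tag condition so the dev SA can read IAM policies only on folders tagged for dev. The organization id, tag key and value, and service account email are placeholders.

```hcl
# Added example: least-privilege read access to folder IAM policies for the
# read-only project factory SA. Not part of the FAST stages; values are placeholders.

variable "organization_id" {
  description = "Numeric organization id (placeholder)."
  type        = string
  default     = "123456789012"
}

variable "pf_dev_ro_sa" {
  description = "Read-only project factory SA for dev (placeholder)."
  type        = string
  default     = "pf-dev-ro@example-project.iam.gserviceaccount.com"
}

# Custom role carrying only what roles/resourcemanager.folderViewer lacks, so
# `terraform plan` can refresh google_folder_iam_binding without handing the
# SA a broader role such as folderIamAdmin.
resource "google_organization_iam_custom_role" "folder_iam_viewer" {
  org_id      = var.organization_id
  role_id     = "folderIamViewer"
  title       = "Folder IAM Viewer"
  description = "Read folder IAM policies (plan-only access)."
  stage       = "GA"
  permissions = [
    "resourcemanager.folders.get",
    "resourcemanager.folders.getIamPolicy",
  ]
}

# Org-level binding gated by a tag condition, as suggested in the reply: the
# grant is effective only on resources that carry or inherit environment=dev,
# so the dev SA cannot read prod folder policies.
resource "google_organization_iam_member" "pf_dev_folder_iam_viewer" {
  org_id = var.organization_id
  role   = google_organization_iam_custom_role.folder_iam_viewer.id
  member = "serviceAccount:${var.pf_dev_ro_sa}"

  condition {
    title       = "dev-folders-only"
    description = "Limit folder IAM read access to dev-tagged resources."
    # Tag key is referenced as ORG_ID/key_short_name; key and value are assumed.
    expression  = "resource.matchTag('${var.organization_id}/environment', 'dev')"
  }
}
```

A second member block with a 'prod' tag value would cover the prod SA in the same way.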