terraform-google-modules/terraform-google-project-factory

Allow using groups for shared VPC access

g-prkr opened this issue · 5 comments

TL;DR

Currently, the project creation creates new service accounts and updates the access for the shared VPC project by updating the IAM policy. This runs into limitations of the number of principals that IAM policies support (1500), documented here - https://cloud.google.com/iam/docs/reference/rest/v1/Policy#:~:text=The%20bindings%20in,the%20Policy.

The recommended approach to fix this is to use a group which has access to the shared VPC project and adding the new SA to the group, instead of updating the policy. Making these configurable options will help large customers scale the automation more easily.

Terraform Resources

No response

Detailed design

No response

Additional information

No response

I'm assuming the IAM policy you're mentioning is for the project service account on the shared VPC subnets as roles/compute.networkUser. This is happening here.

The customer has the option to set create_project_sa as false and instead set manage_group and provide the gsuite group as group_email.

This way the project service account won't be created and won't get added to the shared VPC project's IAM policies, while the group will, and access to the group can then be managed as needed.

Does this make sense to you?

Thanks.
The expectation is that the SA gets created for the new project and gets access to the shared VPC. In order to get access, instead of modifying the IAM policy, the new SA will get added to the configured group.
Will setting create_project_sa to true and manage_group as well with the group_email achieve this?

No, it won't. It'll give both the SA and the group the networkUser role on the host project.

For this we'll need to introduce another flag that specifies if the created project SA should explicitly be given permissions or just added to the group.
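As an added example (not code from this issue or from the project-factory module's own documentation), the following Terraform shows the two things discussed above side by side: the maintainer's workaround, where the module creates no project SA and a pre-existing group receives the shared VPC access, and the scaling pattern the issue asks for, where the group holds a single roles/compute.networkUser binding and each new service account is added to the group instead of to the host project's IAM policy. All project, group, subnet and SA values are constructed placeholders. The inputs create_project_sa, manage_group and group_email are the ones named in the thread; svpc_host_project_id and shared_vpc_subnets are the public module's shared VPC inputs as I know them, and the google_compute_subnetwork_iam_member, google_cloud_identity_group_lookup and google_cloud_identity_group_membership resources are the Google provider's. Module input names differ across versions, so verify them against the variables.tf of the version you run.

```hcl
# Added example, not the project-factory module's own code.
# All identifiers below are constructed placeholders.

# 1) Maintainer's workaround: no per-project SA, so no per-SA binding is
#    written into the host project's IAM policy; the group gets the access.
module "service_project" {
  source  = "terraform-google-modules/project-factory/google"
  version = "~> 14.0" # assumption: pin to the version you actually use

  name            = "example-service-project"
  org_id          = "000000000000"         # placeholder
  billing_account = "AAAAAA-BBBBBB-CCCCCC" # placeholder

  # Shared VPC attachment (input names assumed from the public module).
  svpc_host_project_id = "svpc-host-project"
  shared_vpc_subnets = [
    "projects/svpc-host-project/regions/us-central1/subnetworks/shared-subnet-01",
  ]

  # Inputs named by the maintainer in this thread.
  create_project_sa = false
  manage_group      = true
  group_email       = "svpc-users@example.com" # existing group
}

# 2) Group-based access pattern: one binding per subnet for the group, which
#    counts as a single principal against the 1500-principal policy limit.
resource "google_compute_subnetwork_iam_member" "group_network_user" {
  project    = "svpc-host-project" # placeholder host project
  region     = "us-central1"
  subnetwork = "shared-subnet-01"  # placeholder
  role       = "roles/compute.networkUser"
  member     = "group:svpc-users@example.com"
}

# Resolve the group's resource name (groups/...) from its email address.
data "google_cloud_identity_group_lookup" "svpc_users" {
  group_key {
    id = "svpc-users@example.com"
  }
}

# Each new service account joins the group instead of getting its own
# IAM binding. The SA email is a placeholder; in practice it comes from
# wherever the SA is created (for example a module output or a
# google_service_account resource).
resource "google_cloud_identity_group_membership" "project_sa" {
  group = data.google_cloud_identity_group_lookup.svpc_users.name

  preferred_member_key {
    id = "project-service-account@example-service-project.iam.gserviceaccount.com"
  }

  roles {
    name = "MEMBER"
  }
}
```

Two caveats when applying this. First, as the maintainer notes above, if create_project_sa is true and shared VPC subnets are passed, the module still binds the SA directly, so the group membership only reduces the principal count when that direct binding is not also made. Second, the membership resource needs an identity with permission to manage the group through the Cloud Identity API, and the group must accept service accounts as members; a missing binding is easy to spot by checking the effective policy on the subnet, while a missing group membership only surfaces when the SA fails to use the shared network.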

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days