IAM Permissions are missing from the documentation
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Google Cloud Platform Integrator Charm |
New
|
Undecided
|
Unassigned |
Bug Description
Opened by lazypower on 2018-12-14 21:57:43+00:00 at https:/
-------
After deploying the gcp-integrator charm, it was blocked by the level of credentials of the service-account we assigned to the unit.
unit-gcp-
unit-gcp-
unit-gcp-
File "/var/lib/
request.
File "lib/charms/
_add_
File "lib/charms/
'--role', role)
File "lib/charms/
raise GCPError(stderr)
charms.
unit-gcp-
I think it would be helpful to clearly document the IAM policy that's expected to be provided to the GCP Integrator to streamline bootstrapping a fresh deployment.
Despite seeing the link to "Enable API Access" - that link wasn't helpful. I was brought to a dashboard that didn't seem to have the juice we were looking for. Here's what I see when I visit, which doesn't seem to have anything to do with IAM credentials in this context other than the "credentials" button on the left which brings me to the IAM detail editor for service accounts.
=======
Comment created by kwmonroe on 2018-12-14 22:35:47+00:00
Thanks for the report @lazypower. The link from the readme [0] will take you to a dashboard of whatever gce account you're currently logged-in as. That's conceivably less-than-helpful :/ Sorry about that!
We had something similar come up for AWS (that is, enumerate the perms required) which yielded this:
https:/
We'll fix this with something similar for gcp.
[0] - https:/
-------
Comment created by johnsca on 2018-12-15 00:10:00+00:00
I think that @kwmonroe has a good point that you might be logged into a different account in your browser than the master for the SA, but from the browser page and the error, it does look like the API is already enabled anyway.
The error message does give the permission that failed (`my-project:
Since GCP, unlike AWS, requires passing credentials for the SA anyway, it would probably be better to at least offer a fallback mode where, instead of managing dedicated SAs for the related applications, it just passed through the creds it was given. While this would make the cred have to be one-size-fits-all, it would require granting less trust to the integrator, which might be preferable. This is essentially how the OpenStack and vSphere integrators work, since those platforms don't support managed SAs with fine-grained roles anyway.
I wound up editing the permission we gave it by binding a custom role that granted the specific IAM permission it was seeking and that seems to have resolved the inconsistencies for now.
I'd advocate we get at least those bare minimum role assumptions spelled out so we can create a "one shot" role that it needs to self bootstrap. otherwise it works as advertised.