[GCP Provider] Missing List of Permission Requirements
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical Juju | Triaged | Low | Unassigned |
Bug Description
[Problem]
The Juju docs state the roles of ‘Compute Instance Admin (v1)’ and ‘Compute Security Admin’ are sufficient for service accounts on GCP to bootstrap controllers and create instances. The problem is that enterprises have various security concerns and may not be able to provide all the permissions offered to Compute Instance Admin (v1) and Compute Security Admin. It would be beneficial to maintain a list of minimum permissions required by juju service accounts to be able to bootstrap controllers and create instances on GCP. This would enable enterprises to maintain finer-grained control of juju on GCP.
I have narrowed down the list of permissions but it can probably be even shorter:
https:/
Marked wishlist and added to gce-provider tag.
Agree that this is important work to do. It should be prioritized and batched up w/ other GCE work.