
Update required permissions for GCP providers #10

Open
rahmatrhd opened this issue Mar 24, 2023 · 4 comments
Labels
documentation Improvements or additions to documentation

Comments

@rahmatrhd
Member

rahmatrhd commented Mar 24, 2023

In the existing docs, the required roles mentioned for each GCP provider are not the minimal necessary ones. Instead, we mention the available admin/owner-level roles, which could contain unnecessary permissions for Guardian to access the services. Proposing to list the required GCP permissions (plus the recommended role(s) that contain all the required permissions) so users can even create a custom role to grant only the necessary permissions.

Existing docs:

Proposed update:

  • BigQuery [WIP]
    • Required permissions:
      bigquery.datasets.get
      bigquery.datasets.getIamPolicy
      bigquery.datasets.setIamPolicy
      bigquery.datasets.update
      bigquery.tables.list
      bigquery.tables.get
      bigquery.tables.getIamPolicy
      bigquery.tables.setIamPolicy
      
    • Recommended predefined role:
  • GCS [WIP]
    • Required permissions:
    • Recommended predefined role:
  • Gcloud IAM [WIP]
    Project:
    • Required permissions:
      iam.roles.get
      iam.roles.list
      resourcemanager.projects.getIamPolicy
      resourcemanager.projects.setIamPolicy
      
    • Recommended predefined role: roles/resourcemanager.projectIamAdmin + roles/iam.roleViewer
  • Dataplex [WIP]
    • Required permissions:
      bigquery.dataPolicies.get
      bigquery.dataPolicies.list
      bigquery.dataPolicies.getIamPolicy
      bigquery.dataPolicies.setIamPolicy
      datacatalog.taxonomies.list
      
    • Recommended predefined role:

*) Will test whether the listed permissions above are sufficient for Guardian's needs.

@rahmatrhd rahmatrhd added the documentation Improvements or additions to documentation label Mar 24, 2023
@bsushmith
Collaborator

For the Dataplex provider, these permissions would also be needed:

bigquery.dataPolicies.get
bigquery.dataPolicies.getIamPolicy
bigquery.dataPolicies.list
bigquery.dataPolicies.setIamPolicy

@bsushmith
Collaborator

Have granted only these permissions to the Guardian SA for the gcloud_iam provider and it works fine.

iam.roles.get
iam.roles.list
resourcemanager.projects.getIamPolicy
resourcemanager.projects.setIamPolicy

@rahmatrhd
Member Author

@bsushmith are there any GCP predefined roles that only include those permissions?

@bsushmith
Collaborator

There's no predefined role with this set of permissions. We had to create a custom role for this with a name like project.iamManager.
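One way to create that custom role and check it against the permission list from this thread, as an added example that is not part of the discussion or of Guardian's own code. It emits the role definition in the YAML shape accepted by `gcloud iam roles create --file`, built from the four permissions bsushmith confirmed as sufficient for the gcloud_iam provider; the role id `guardian_project_iam_manager`, the project id and the role title are assumptions, and gcloud is only invoked when `APPLY=1` so the script can be reviewed offline. The `missing_permissions` and `excess_permissions` helpers compare any granted permission list (for instance the semicolon-separated output of `gcloud iam roles describe`) against the same required set, which is the least-privilege check the issue asks for; swapping the permission function lets the same script serve the BigQuery and Dataplex lists above.

```shell
#!/bin/sh
# Added example (not Guardian's own code): build a least-privilege custom role
# for Guardian's gcloud_iam provider from the permissions confirmed in this
# thread, and compare a granted permission list against the same set.
# ROLE_ID, PROJECT_ID and the role title/description are assumptions.
set -eu

ROLE_ID="${ROLE_ID:-guardian_project_iam_manager}"   # assumed custom role id
PROJECT_ID="${PROJECT_ID:-my-project}"                # assumed project id

# Permissions reported as sufficient for the gcloud_iam provider.
guardian_iam_permissions() {
  cat <<'EOF'
iam.roles.get
iam.roles.list
resourcemanager.projects.getIamPolicy
resourcemanager.projects.setIamPolicy
EOF
}

# Emit a role definition in the YAML form accepted by
# `gcloud iam roles create --file`, one includedPermissions entry per
# non-empty line read from stdin.
role_yaml() {
  printf 'title: "%s"\n' "$1"
  printf 'description: "%s"\n' "$2"
  printf 'stage: "GA"\n'
  printf 'includedPermissions:\n'
  while IFS= read -r perm; do
    if [ -n "$perm" ]; then
      printf -- '- %s\n' "$perm"
    fi
  done
}

guardian_iam_role_yaml() {
  guardian_iam_permissions | role_yaml "Guardian project IAM manager" \
    "Least-privilege role for the Guardian gcloud_iam provider (assumed)"
}

# Fail unless every required permission appears exactly once in the YAML body.
verify_role_yaml() {
  yaml="$1"
  for perm in $(guardian_iam_permissions); do
    n=$(printf '%s\n' "$yaml" | grep -c -F -x -- "- $perm") || n=0
    if [ "$n" -ne 1 ]; then
      echo "missing or duplicated permission: $perm" >&2
      return 1
    fi
  done
}

# Required permissions absent from a granted list. The list may be
# semicolon-separated (as printed by
# `gcloud iam roles describe ROLE --format='value(includedPermissions)'`)
# or one permission per line.
missing_permissions() {
  granted=$(printf '%s\n' "$1" | tr ';' '\n')
  for perm in $(guardian_iam_permissions); do
    printf '%s\n' "$granted" | grep -q -F -x -- "$perm" || printf '%s\n' "$perm"
  done
}

# Granted permissions that Guardian does not need (over-privilege).
excess_permissions() {
  required=$(guardian_iam_permissions)
  for perm in $(printf '%s\n' "$1" | tr ';' '\n'); do
    printf '%s\n' "$required" | grep -q -F -x -- "$perm" || printf '%s\n' "$perm"
  done
}

main() {
  yaml=$(guardian_iam_role_yaml)
  verify_role_yaml "$yaml"
  if [ "${APPLY:-0}" = "1" ]; then
    # Create the role, then read back what was actually granted and diff it.
    printf '%s\n' "$yaml" > "$ROLE_ID.yaml"
    gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" --file="$ROLE_ID.yaml"
    granted=$(gcloud iam roles describe "$ROLE_ID" --project="$PROJECT_ID" \
      --format='value(includedPermissions)')
    echo "missing:"; missing_permissions "$granted"
    echo "excess:";  excess_permissions "$granted"
  else
    # Dry run: print the role definition that would be submitted.
    printf '%s\n' "$yaml"
  fi
}

main
```

Run it once without `APPLY` to review the generated YAML, then with `APPLY=1 PROJECT_ID=... sh role.sh` to create the role; the final two lists should both be empty, which confirms the role grants exactly the permissions the provider needs and nothing more.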

lifosmin pushed a commit to lifosmin/guardian that referenced this issue Aug 31, 2023