Update required permissions for GCP providers
rahmatrhd opened this issue
In the existing docs, the required roles mentioned for each GCP provider are not the minimal necessary ones. Instead, we mention the available admin/owner-level roles that could contain unnecessary permissions for Guardian to access the services. Proposing to list the required GCP permissions (plus the recommended role(s) that contain all the required permissions) so users can even create a custom role to only give the necessary permissions.
Existing docs:
- BigQuery: https://goto.github.io/guardian/docs/providers/bigquery#prerequisites
  - roles/bigquery.dataOwner
- GCS: https://goto.github.io/guardian/docs/providers/gcs#prerequisites
  - roles/storage.admin
- Gcloud IAM: https://goto.github.io/guardian/docs/providers/gcloud_iam#prerequisites
  - roles/iam.securityAdmin
- Dataplex: N/A

Proposed update:
- BigQuery [WIP]
  - Required permissions:
    - bigquery.datasets.get
    - bigquery.datasets.getIamPolicy
    - bigquery.datasets.setIamPolicy
    - bigquery.datasets.update
    - bigquery.tables.list
    - bigquery.tables.get
    - bigquery.tables.getIamPolicy
    - bigquery.tables.setIamPolicy
  - Recommended predefined role:
  - Required permissions:
- GCS [WIP]
  - Required permissions:
  - Recommended predefined role:
- Gcloud IAM [WIP]
  - Project:
    - Required permissions:
      - iam.roles.get
      - iam.roles.list
      - resourcemanager.projects.getIamPolicy
      - resourcemanager.projects.setIamPolicy
    - Recommended predefined role:
      - roles/resourcemanager.projectIamAdmin + roles/iam.roleViewer
  - Required permissions:
- Dataplex [WIP]
  - Required permissions:
    - bigquery.dataPolicies.get
    - bigquery.dataPolicies.list
    - bigquery.dataPolicies.getIamPolicy
    - bigquery.dataPolicies.setIamPolicy
    - datacatalog.taxonomies.list
  - Recommended predefined role:
  - Required permissions:
*) Will test if the listed permissions above are sufficient for Guardian's needs.
For the Dataplex provider, these permissions would also be needed:
- bigquery.dataPolicies.get
- bigquery.dataPolicies.getIamPolicy
- bigquery.dataPolicies.list
- bigquery.dataPolicies.setIamPolicy
Have granted only these permissions to the Guardian SA for the gcloud_iam provider and it works fine:
- iam.roles.get
- iam.roles.list
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.setIamPolicy
@bsushmith are there any GCP predefined roles that only include those permissions?
There's no predefined role with this set of permissions. We had to create a custom role for this with a name like project.iamManager.
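As an added illustration (not code from the Guardian project or from anyone in this thread), the check below takes the gcloud_iam permission set from this issue and compares it against JSON in the shape of `gcloud iam roles describe ROLE --format=json` output, reporting both what the candidate roles fail to grant and what they grant beyond the requirement; it also emits the YAML a custom role would need for `gcloud iam roles create`. The role documents are constructed, abbreviated samples, not the real full permission lists of those roles.

```python
"""Compare required provider permissions against candidate roles and build a
minimal custom-role definition when no predefined role fits."""
import json

# Required permissions for the gcloud_iam provider as listed in this issue.
GCLOUD_IAM_REQUIRED = {
    "iam.roles.get",
    "iam.roles.list",
    "resourcemanager.projects.getIamPolicy",
    "resourcemanager.projects.setIamPolicy",
}

# Constructed samples in the shape of `gcloud iam roles describe --format=json`
# output. The includedPermissions lists are abbreviated for illustration and
# are NOT the real contents of these roles.
SAMPLE_ROLE_DOCS = [
    json.dumps({"name": "roles/resourcemanager.projectIamAdmin",
                "includedPermissions": ["resourcemanager.projects.get",
                                        "resourcemanager.projects.getIamPolicy",
                                        "resourcemanager.projects.setIamPolicy"]}),
    json.dumps({"name": "roles/iam.roleViewer",
                "includedPermissions": ["iam.roles.get", "iam.roles.list"]}),
]


def granted_permissions(role_docs):
    """Union of includedPermissions across the describe-output documents."""
    granted = set()
    for doc in role_docs:
        granted.update(json.loads(doc).get("includedPermissions", []))
    return granted


def missing_permissions(required, role_docs):
    """Required permissions that none of the candidate roles grant (sorted)."""
    return sorted(set(required) - granted_permissions(role_docs))


def excess_permissions(required, role_docs):
    """Permissions the roles grant beyond the requirement: the over-privilege
    this issue wants to avoid when recommending admin-level roles."""
    return sorted(granted_permissions(role_docs) - set(required))


def custom_role_yaml(title, required):
    """YAML accepted by `gcloud iam roles create ROLE_ID --project=P --file=...`."""
    lines = [f"title: {title}", "stage: GA", "includedPermissions:"]
    lines += [f"- {perm}" for perm in sorted(required)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("missing:", missing_permissions(GCLOUD_IAM_REQUIRED, SAMPLE_ROLE_DOCS))
    print("excess:", excess_permissions(GCLOUD_IAM_REQUIRED, SAMPLE_ROLE_DOCS))
    print(custom_role_yaml("Guardian gcloud_iam provider", GCLOUD_IAM_REQUIRED))
```

Run it against real `gcloud iam roles describe` output to see exactly which permissions a recommended role adds on top of the required set.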