Update required permissions for GCP providers

Question

Update required permissions for GCP providers

rahmatrhd opened this issue a year ago · comments

In existing docs, the required roles mentioned for each GCP provider are not the minimal necessary ones. Instead, we mention the available admin/owner level roles that could contain unnecessary permissions for Guardian to access the services. Proposing to list the required GCP permissions (plus the recommended role(s) that contains all the required permissions) so user can even create a custom role to only give the necessary permissions.

Existing docs:

BigQuery: https://goto.github.io/guardian/docs/providers/bigquery#prerequisites
- roles/bigquery.dataOwner
GCS: https://goto.github.io/guardian/docs/providers/gcs#prerequisites
- roles/storage.admin
Gcloud IAM: https://goto.github.io/guardian/docs/providers/gcloud_iam#prerequisites
- roles/iam.securityAdmin
Dataplex: N/A

Proposed update:

BigQuery [WIP]

Required permissions:

bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.setIamPolicy
bigquery.datasets.update
bigquery.tables.list
bigquery.tables.get
bigquery.tables.getIamPolicy
bigquery.tables.setIamPolicy

Recommended predefined role:

GCS [WIP]
- Required permissions:
- Recommended predefined role:
Gcloud IAM [WIP]
Project:
- Required permissions:
```
iam.roles.get
iam.roles.list
resourcemanager.projects.getIamPolicy
resourcemanager.projects.setIamPolicy
```
- Recommended predefined role: roles/resourcemanager.projectIamAdmin + roles/iam.roleViewer

Dataplex [WIP]

Required permissions:

bigquery.dataPolicies.get
bigquery.dataPolicies.list
bigquery.dataPolicies.getIamPolicy
bigquery.dataPolicies.setIamPolicy
datacatalog.taxonomies.list

Recommended predefined role:

*) will test if the listed permissions above are sufficient for Guardian needs

sushmith · Answer 1 · Mon Mar 27 2023 14:43:03 GMT+0800 (China Standard Time)

For dataplex provider, these permissions also would be needed -

bigquery.dataPolicies.get
bigquery.dataPolicies.getIamPolicy
bigquery.dataPolicies.list
bigquery.dataPolicies.setIamPolicy

sushmith · Answer 2 · Fri Jun 09 2023 00:50:36 GMT+0800 (China Standard Time)

Have granted only these permissions to guardian SA for gcloud_iam provider and it works fine.

iam.roles.get
iam.roles.list
resourcemanager.projects.getIamPolicy
resourcemanager.projects.setIamPolicy

Rahmat Hidayat · Answer 3 · Fri Jun 09 2023 11:55:05 GMT+0800 (China Standard Time)

@bsushmith are there any GCP predefined roles that only include those permissions?

sushmith · Answer 4 · Fri Jun 09 2023 13:44:51 GMT+0800 (China Standard Time)

There's no predefined role with this set of persmissions. we had to create a custom role for this with a name like - project.iamManager