
GCP grant a service account permission to write in a GCS bucket with Deployment Manager

In a Deployment Manager Jinja template I'm trying to create log sinks:

- name: {{ ALOGSINK }}
  type: gcp-types/logging-v2:projects.sinks
  properties:
    sink: {{ ALOGSINK }}
    parent: projects/{{ PROJECT }}
    uniqueWriterIdentity: true
    outputVersionFormat: V2
    destination: storage.googleapis.com/{{ LOGGINGBUCKET }}
    filter: >-
      resource.type="deployment" AND
      resource.labels.name="{{ DEPLOYMENT }}"

I would prefer to configure them to use "unique writer identity" when writing to the destination, a GCS bucket.

This means that a specific service account will be created automatically for every log sink.

And it's necessary to grant permissions to this service account to write to the specified (and already existing) bucket.

So in the section of the template which grants the permissions I could refer to the service accounts' identities (email addresses) using $(ref.<logsink>.writerIdentity).

And now for the interesting part - the only reliable method to add a binding to a bucket's ACL is by using the insert method of the BucketAccessControls object:

- name: {{ LOGGINGBUCKET }}-{{ ALOGSINK }}-acl
  action: gcp-types/storage-v1:storage.BucketAccessControls.insert
  properties:
    bucket: $(ref.bucket-name)
    entity: user-$(ref.{{ ALOGSINK }}.writerIdentity)
    role: WRITER

And the problem is the writerIdentity is in the form of serviceAccount:<email>, but the entity expected by the insert method should be in the form of user-<email>.

And I can't find a way to fit the former into the latter.

Milen A. Radev asked Jun 25 '19 17:06



1 Answer

Probably you want to use bucket IAM policies, that do support Service Accounts:

https://cloud.google.com/storage/docs/json_api/v1/buckets/setIamPolicy

I do agree it is a bit misleading, and it's natural to think BucketAccessControls should also support Service Accounts...

caba answered Oct 08 '22 02:10
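A bucket IAM binding written in the question's Deployment Manager Jinja template, as an added example (it is not from the question or the answer). It uses Deployment Manager's gcp-types/storage-v1:virtual.buckets.iamMemberBinding type and the roles/storage.objectCreator role that Cloud Logging needs on a bucket destination; the {{ ALOGSINK }}, {{ LOGGINGBUCKET }}, {{ PROJECT }} and {{ DEPLOYMENT }} parameters are the ones from the question.

```yaml
# Added example, not code from the question or the answer.
resources:
- name: {{ ALOGSINK }}
  type: gcp-types/logging-v2:projects.sinks
  properties:
    sink: {{ ALOGSINK }}
    parent: projects/{{ PROJECT }}
    # A dedicated service account is created for this sink.
    uniqueWriterIdentity: true
    destination: storage.googleapis.com/{{ LOGGINGBUCKET }}
    filter: >-
      resource.type="deployment" AND
      resource.labels.name="{{ DEPLOYMENT }}"

# writerIdentity is returned as "serviceAccount:<email>", which is already
# the member format that bucket IAM expects, so it can be referenced directly
# instead of being reshaped into the ACL "user-<email>" form.
# virtual.buckets.iamMemberBinding adds one binding to the existing policy
# (get + setIamPolicy under the hood) rather than replacing the whole policy.
- name: {{ LOGGINGBUCKET }}-{{ ALOGSINK }}-iam
  type: gcp-types/storage-v1:virtual.buckets.iamMemberBinding
  properties:
    bucket: {{ LOGGINGBUCKET }}
    # Least privilege: the sink only needs to create objects, not read,
    # list or delete them.
    role: roles/storage.objectCreator
    member: $(ref.{{ ALOGSINK }}.writerIdentity)
```

The $(ref...) reference also makes Deployment Manager create the sink before the binding, so no explicit dependsOn is needed.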