F5Networks / f5-google-gdm-templates

Google Deployment Templates for quickly deploying BIG-IP services in Google Cloud Platform

Documentation Update: Pub-Sub permissions required for autoscale GCP template #36

Closed JeffGiroux closed 3 years ago

JeffGiroux commented 4 years ago

Do you already have an issue opened with F5 support?

No

Description

I did a test deployment using the experimental autoscale template. The README does not state the exact permissions. I had my svc account originally loaded with Compute Admin and Storage Admin. After install, I received errors related to Pub/Sub rights as well.

autoscale.log

```text
2020-01-08T18:39:49.337Z info: [pid: 28423] [lib/gceCloudProvider.js] setupTopicsAndSubscriptions error: Cannot read property '0' of undefined
2020-01-08T18:39:49.339Z error: [pid: 28423] [scripts/autoscale.js] autoscaling error: Cannot read property '0' of undefined
2020-01-08T18:39:49.342Z info: [pid: 28423] [lib/util.js] Autoscale finished.
2020-01-08T18:39:49.339Z info: [pid: 28423] [lib/gceCloudProvider.js] masterElected error Cannot read property '0' of undefined
2020-01-08T18:39:49.335Z info: [pid: 28423] [gcClients/pubSub.js] getTopics error: https://pubsub.googleapis.com/v1/projects/f5-4136-mspteam-dev/topics status code 403, status message Forbidden
2020-01-08T18:40:02.588Z info: [pid: 28656] [scripts/autoscale.js] /config/cloud/gce/node_modules/@f5devcentral/f5-cloud-libs/scripts/autoscale.js called with /usr/bin/f5-rest-node /config/cloud/gce/node_modules/@f5devcentral/f5-cloud-libs/scripts/autoscale.js --cloud gce --provider-options storageBucket:f5-bigip-jg-f5-autoscale1-37032,mgmtPort:8443,serviceAccount:svc-jgiroux@f5-4136-mspteam-dev.iam.gserviceaccount.com,instanceGroup:jg-f5-autoscale1-igm --host localhost --port 8443 --user cluster_admin --password-url file:///config/cloud/gce/.adminPassword --password-encrypted --device-group autoscale-group --cluster-action update --log-level silly --output /var/log/cloud/google/autoscale.log
2020-01-08T18:40:03.204Z silly: [pid: 28656] [lib/util.js] shellCommand: /bin/ps -eo pid,etime,cmd | grep autoscale.js | grep -E 'cluster-action update|-c update|cluster-action join|-c join' | grep -v 'grep autoscale.js' | awk '{ print $1"-"$2 }'
```

My workaround was to modify my svc account and add the "Pub/Sub Admin" role. I think that is probably too much access, but it did the trick for now.

Please update the docs with the Pub/Sub permission requirements.

Template

https://github.com/F5Networks/f5-google-gdm-templates/tree/master/experimental/autoscale/waf/via-lb/existing-stack/payg

Severity Level

3

shyawnkarim commented 4 years ago

Thanks for reaching out to us with this issue. I have gone ahead and created Jira issue #1749 to get these added.

JeffGiroux commented 4 years ago

I did some testing and exported audit logs from the GCP console. Here are the Pub/Sub calls. Can this info be added to the README for recommended minimum permissions? Thanks,

| protoPayload.methodName | protoPayload.resourceName | protoPayload.request.@type |
| --- | --- | --- |
| google.pubsub.v1.Subscriber.CreateSubscription | projects/xxxxx/subscriptions/JOIN_myLab-bigip-3l2w | type.googleapis.com/google.pubsub.v1.Subscription |
| google.pubsub.v1.Subscriber.CreateSubscription | projects/xxxxx/subscriptions/SYNC_COMPLETE_myLab-bigip-77px | type.googleapis.com/google.pubsub.v1.Subscription |
| google.pubsub.v1.Subscriber.CreateSubscription | projects/xxxxx/topics/JOIN_myLab-igm | type.googleapis.com/google.pubsub.v1.Subscription |
| google.pubsub.v1.Publisher.CreateTopic | projects/xxxxx/topics/JOIN_myLab-igm | type.googleapis.com/google.pubsub.v1.Topic |
| google.pubsub.v1.Subscriber.CreateSubscription | projects/xxxxx/topics/SYNC_COMPLETE_myLab-igm | type.googleapis.com/google.pubsub.v1.Subscription |
| google.pubsub.v1.Publisher.CreateTopic | projects/xxxxx/topics/SYNC_COMPLETE_myLab-igm | type.googleapis.com/google.pubsub.v1.Topic |

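
The table above is the raw material for a least-privilege role: each audited `protoPayload.methodName` corresponds to one or more IAM permissions, and the 403 on `getTopics` in the first comment is the `ListTopics` call failing that check. The following script is an added example (not part of the F5 templates and not posted by anyone in this issue) that turns an exported Cloud Audit Log (JSON lines) into a custom-role definition usable with `gcloud iam roles create ROLE_ID --project PROJECT --file role.yaml`. The sample log entries are constructed to mirror the method/resource pairs reported above plus a denied `ListTopics`; the `METHOD_TO_PERMISSIONS` map is an assumption based on the documented Pub/Sub IAM permissions and should be checked against current Google documentation before use.

```python
"""Derive a least-privilege Pub/Sub custom role from exported GCP audit logs.

Added example; not code from the F5 templates or from this issue's authors.
"""
import json

# Constructed sample: one JSON audit-log entry per line, shaped like a
# Cloud Logging export (only the fields this script reads are included).
SAMPLE_AUDIT_LOG = "\n".join([
    json.dumps({"protoPayload": {"methodName": "google.pubsub.v1.Publisher.ListTopics",
                                 "resourceName": "projects/xxxxx",
                                 "status": {"code": 7, "message": "PERMISSION_DENIED"}}}),
    json.dumps({"protoPayload": {"methodName": "google.pubsub.v1.Publisher.CreateTopic",
                                 "resourceName": "projects/xxxxx/topics/JOIN_myLab-igm"}}),
    json.dumps({"protoPayload": {"methodName": "google.pubsub.v1.Subscriber.CreateSubscription",
                                 "resourceName": "projects/xxxxx/subscriptions/JOIN_myLab-bigip-3l2w"}}),
    json.dumps({"protoPayload": {"methodName": "google.pubsub.v1.Publisher.CreateTopic",
                                 "resourceName": "projects/xxxxx/topics/SYNC_COMPLETE_myLab-igm"}}),
    json.dumps({"protoPayload": {"methodName": "google.pubsub.v1.Subscriber.CreateSubscription",
                                 "resourceName": "projects/xxxxx/subscriptions/SYNC_COMPLETE_myLab-bigip-77px"}}),
    # A non-Pub/Sub call, to show that other services are filtered out.
    json.dumps({"protoPayload": {"methodName": "v1.compute.instanceGroupManagers.get",
                                 "resourceName": "projects/xxxxx/zones/us-east1-b/instanceGroupManagers/myLab-igm"}}),
])

# ASSUMPTION: mapping from audited RPC method to the IAM permission(s) it checks.
# Names follow the Pub/Sub access-control reference; verify before relying on it.
METHOD_TO_PERMISSIONS = {
    "google.pubsub.v1.Publisher.ListTopics": ["pubsub.topics.list"],
    "google.pubsub.v1.Publisher.GetTopic": ["pubsub.topics.get"],
    "google.pubsub.v1.Publisher.CreateTopic": ["pubsub.topics.create"],
    "google.pubsub.v1.Publisher.Publish": ["pubsub.topics.publish"],
    # Creating a subscription is checked on the subscription and on its topic.
    "google.pubsub.v1.Subscriber.CreateSubscription": ["pubsub.subscriptions.create",
                                                       "pubsub.topics.attachSubscription"],
    "google.pubsub.v1.Subscriber.Pull": ["pubsub.subscriptions.consume"],
    "google.pubsub.v1.Subscriber.Acknowledge": ["pubsub.subscriptions.consume"],
    "google.pubsub.v1.Subscriber.DeleteSubscription": ["pubsub.subscriptions.delete"],
}

PERMISSION_DENIED = 7  # gRPC status code recorded in protoPayload.status.code


def parse_audit_log(text):
    """Yield (methodName, resourceName, denied) for each JSON audit entry."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        payload = json.loads(line).get("protoPayload", {})
        method = payload.get("methodName")
        if not method:
            continue
        denied = payload.get("status", {}).get("code") == PERMISSION_DENIED
        yield method, payload.get("resourceName", ""), denied


def denied_methods(text):
    """Sorted list of audited methods that were refused (the 403s to chase)."""
    return sorted({m for m, _r, denied in parse_audit_log(text) if denied})


def required_permissions(text, service_prefix="google.pubsub."):
    """Return (sorted permission list, sorted unmapped method list) for one service."""
    perms, unmapped = set(), set()
    for method, _resource, _denied in parse_audit_log(text):
        if not method.startswith(service_prefix):
            continue  # Compute, Storage etc. are out of scope for this role
        mapped = METHOD_TO_PERMISSIONS.get(method)
        if mapped is None:
            unmapped.add(method)  # surface gaps instead of silently dropping them
        else:
            perms.update(mapped)
    return sorted(perms), sorted(unmapped)


def custom_role_yaml(role_title, permissions):
    """Render a role definition accepted by `gcloud iam roles create --file`."""
    lines = ["title: %s" % role_title,
             "description: Least-privilege Pub/Sub permissions derived from audit logs",
             "stage: GA",
             "includedPermissions:"]
    lines += ["- %s" % p for p in permissions]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("denied:", denied_methods(SAMPLE_AUDIT_LOG))
    perms, unmapped = required_permissions(SAMPLE_AUDIT_LOG)
    print(custom_role_yaml("F5 Autoscale Pub/Sub", perms))
    if unmapped:
        print("# unmapped Pub/Sub methods, extend METHOD_TO_PERMISSIONS:", unmapped)
```

Two caveats on the approach: the permission set is only as complete as the audit window, so capture the whole autoscale lifecycle (join, sync, and scale-in, where publish, pull and delete calls would appear) before treating the output as the minimum; and grant the resulting role on the project or on the specific topics rather than reusing a broad predefined role such as Pub/Sub Admin, which also carries IAM-policy and delete rights on every topic in the project.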
shyawnkarim commented 3 years ago

Closing.

This issue was resolved with Release 3.11.0.