GoogleCloudPlatform / cloud-logging-data-source-plugin

https://grafana.com/grafana/plugins/googlecloud-logging-datasource/
Apache License 2.0
17 stars 13 forks source link

Support IAM SA impersonation to avoid using keys for authentication #45

Closed OsamaMM closed 1 year ago

OsamaMM commented 1 year ago

Context

There is a need among GCP customers to be able to impersonate IAM service accounts in the data sources instead of using service account JSON keys, as these keys may represent a security risk in case they are leaked or compromised. This will come very handy in multi-tenant GKE clusters (hosting multiple apps maintained by different teams), where multiple Cloud Logging data sources will be created (one per tenant project), as this raises the need for using different service accounts to isolate tenants (one service account per data source that will only have read access to the tenant's project log buckets).

Impact

Many customers block the creation of SA keys using the constraints/iam.disableServiceAccountKeyCreation org policy, so these customers cannot use the plugin today if they want to isolate their tenants and have a SA per scope as opposed to giving the GCE's default SA read access to all log buckets in all apps' GCP projects.

Workarounds explored

Suggestions

Add a feature to support the impersonation of IAM service accounts, similar to what can be done with the gcloud CLI using the --impersonate-service-account flag. This way, the GCE default SA can impersonate a specific SA (via the roles/iam.serviceAccountTokenCreator IAM role) for each data source that has only IAM access to the tenant's project logs.

xiangshen-dk commented 1 year ago

Implemented the feature in v1.4.0.