GoogleCloudPlatform / k8s-config-connector

GCP Config Connector, a Kubernetes add-on for managing GCP resources
https://cloud.google.com/config-connector/docs/overview
Apache License 2.0

Support referencing Google-managed service accounts in memberFrom.serviceAccountRef fields #722

Closed jmymy closed 1 year ago

jmymy commented 2 years ago


Describe the feature or resource

Would be awesome to be able to reference Google-managed service accounts in IAM resources.

For example, if I add a PubSubTopic and use a customer-managed encryption key on it, I would like to add an IAMPolicyMember that just references the Google-managed account so I don't need to hardcode a project number in it: serviceAccount:service-{PROJECT_NUMBER}@gcp-sa-pubsub.iam.gserviceaccount.com

How this could work:

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: iampolicymember-pubsub-kms
spec:
  memberFrom:
    serviceAccountRef:
      external:
        googleManaged: gcp-sa-pubsub
  role: roles/cloudkms.cryptoKeyEncrypterDecrypter
  resourceRef:
    kind: KMSCryptoKey
    name: kmscryptokey

And that would add serviceAccount:service-{PROJECT_NUMBER}@gcp-sa-pubsub.iam.gserviceaccount.com to it automatically, without hardcoding the project number.

Additional information

https://cloud.google.com/iam/docs/service-agents

gcloud storage service-agent --project=PROJECT_IDENTIFIER

Importance

Will become a blocker, as currently in TF I can use a data source to grab the default service accounts.

jcanseco commented 2 years ago

Thanks for the request @jmymy. Agree that this would be great. This had been requested previously and is currently in our backlog. We'll update you when we have more info.

jenshonkan84 commented 1 year ago

We have a similar issue with cloudbuild. Any news on this?

diviner524 commented 1 year ago

@jenshonkan84 We are actively working on this feature. It will likely be implemented in two steps:

  1. GCP service agents will be supported as a new resource type in Config Connector. (It will be based on the Terraform resource google_project_service_identity.)
  2. We will enable IAMPolicyMember/IAMPartialPolicy to support referencing this new type of resource in the field memberFrom.
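The following is an added example, not code from Config Connector or from anyone in this thread. It shows what the proposed reference would have to expand to, and what the two-step plan above separates: step 1 corresponds to computing the service agent's email for a project (`service_agent_member`), step 2 to substituting it into the manifest in place of `memberFrom` (`resolve_google_managed`). It also includes an audit helper that finds existing IAMPolicyMember manifests with a hardcoded service-agent member, since a wrong project number in such a binding grants the role to a principal in a different project. Assumptions: the `googleManaged` field is hypothetical (it exists only in the feature request), the project number is a constructed sample, `spec.member` is Config Connector's existing field for a literal member string, and the manifest is handled as an already-parsed dict so the example runs without a YAML library.

```python
import copy
import re
from typing import Any, Dict, List

# Constructed sample: the manifest proposed in the feature request, as a parsed
# dict. The `googleManaged` field is hypothetical (what the request asks for,
# not a field Config Connector is documented to support).
PROPOSED_MANIFEST: Dict[str, Any] = {
    "apiVersion": "iam.cnrm.cloud.google.com/v1beta1",
    "kind": "IAMPolicyMember",
    "metadata": {"name": "iampolicymember-pubsub-kms"},
    "spec": {
        "memberFrom": {"serviceAccountRef": {"external": {"googleManaged": "gcp-sa-pubsub"}}},
        "role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
        "resourceRef": {"kind": "KMSCryptoKey", "name": "kmscryptokey"},
    },
}

# Service-agent member strings follow the pattern quoted in the request:
# serviceAccount:service-{PROJECT_NUMBER}@gcp-sa-<family>.iam.gserviceaccount.com
FAMILY_RE = re.compile(r"^gcp-sa-[a-z0-9-]+$")
MEMBER_RE = re.compile(
    r"^serviceAccount:service-(?P<project_number>[0-9]+)"
    r"@(?P<family>gcp-sa-[a-z0-9-]+)\.iam\.gserviceaccount\.com$"
)


def service_agent_member(family: str, project_number: int) -> str:
    """Build the IAM member string for a Google-managed service agent.

    The family name is validated so a typo cannot silently bind a role to a
    principal that does not exist (or to one that was not intended).
    """
    if not FAMILY_RE.match(family):
        raise ValueError(f"not a service-agent family name: {family!r}")
    if not isinstance(project_number, int) or project_number <= 0:
        raise ValueError(f"invalid project number: {project_number!r}")
    return f"serviceAccount:service-{project_number}@{family}.iam.gserviceaccount.com"


def resolve_google_managed(manifest: Dict[str, Any], project_number: int) -> Dict[str, Any]:
    """Expand the hypothetical memberFrom.serviceAccountRef.external.googleManaged
    reference into a concrete spec.member and return a new manifest.

    Manifests without that reference come back unchanged (as a copy).
    """
    resolved = copy.deepcopy(manifest)
    spec = resolved.setdefault("spec", {})
    external = (spec.get("memberFrom") or {}).get("serviceAccountRef", {}).get("external", {})
    family = external.get("googleManaged")
    if family is None:
        return resolved
    if "member" in spec:
        raise ValueError("spec.member and spec.memberFrom are mutually exclusive")
    del spec["memberFrom"]
    spec["member"] = service_agent_member(family, project_number)
    return resolved


def find_hardcoded_service_agents(manifests: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Audit helper: list IAMPolicyMember manifests whose spec.member hardcodes a
    service-agent email, reporting the embedded project number and family so the
    binding can be checked against the project it is meant for."""
    findings = []
    for m in manifests:
        if m.get("kind") != "IAMPolicyMember":
            continue
        match = MEMBER_RE.match(m.get("spec", {}).get("member") or "")
        if match:
            findings.append({
                "name": m.get("metadata", {}).get("name"),
                "role": m["spec"].get("role"),
                "family": match.group("family"),
                "project_number": int(match.group("project_number")),
            })
    return findings


if __name__ == "__main__":
    # Constructed project number; a real one comes from the project's metadata.
    concrete = resolve_google_managed(PROPOSED_MANIFEST, 123456789012)
    print(concrete["spec"]["member"])
    for f in find_hardcoded_service_agents([concrete, PROPOSED_MANIFEST]):
        print(f"{f['name']}: {f['role']} -> {f['family']} in project {f['project_number']}")
```

Run it to see the member string the proposed reference would produce; the audit function is the piece worth keeping while the feature is pending, since it lists every binding whose project number must be kept in sync by hand.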