Open fmichaelobrien opened 1 year ago
Procedure test: developer account has minimal permissions but has access to a project and GCS bucket. The developer account has no Workspace account, just Cloud Identity. Set a notification in a new alerting policy in Cloud Monitoring on any GCS API call above the 0 baseline.

Use case: an identity user without Workspace is set as the notification on a bucket alert policy; the email is forwarded to an external email system, in this case AWS workspace, where the forwarding mail comes from a GCP domain tied to the policy org.
Fix 1 - email forwarding directly on the organization domain hosting Workspace or another IdP; the user is without a real email address without the alias:

- Set alias - enable dual Workspace/forwarding APIs
- Configure notifications
- Upload an object and the event arrives in the alert
- 3rd-party email received for devel@ol.dev (Cloud Identity user on the org) with email forwarding on the domain
Fix 2 - alternate email on a different, unrelated domain: essentially put any email into the notification channel (https://console.cloud.google.com/monitoring/alerting/notification) and add that channel to the alerting policy on the bucket.

Then enable email forwarding on the domain you will be using to send the email alias (here lz.ca, which forwards to ol.cloud).

Don't change your Workspace settings on your main domain if enabled (or enable both Workspace and forwarding on the domain).

Sending to 2 emails - this one is a Workspace-enabled account:
```json
{
  "displayName": "any-gcs-bucket-event",
  "documentation": {
    "content": "event on gcs bucket",
    "mimeType": "text/markdown"
  },
  "userLabels": {},
  "conditions": [
    {
      "displayName": "GCS Bucket - Request count",
      "conditionThreshold": {
        "filter": "resource.type = \"gcs_bucket\" AND metric.type = \"storage.googleapis.com/api/request_count\"",
        "aggregations": [
          {
            "alignmentPeriod": "120s",
            "crossSeriesReducer": "REDUCE_NONE",
            "perSeriesAligner": "ALIGN_MEAN"
          }
        ],
        "comparison": "COMPARISON_GT",
        "duration": "0s",
        "trigger": {
          "count": 1
        },
        "thresholdValue": 0
      }
    }
  ],
  "alertStrategy": {
    "autoClose": "604800s"
  },
  "combiner": "OR",
  "enabled": true,
  "notificationChannels": [
    "projects/anthos-ol/notificationChannels/278200572621676368"
  ]
}
```
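To see what the policy above actually does before relying on it as a detection, the following added example (my own code, not part of the issue or of any Google library) models the `conditionThreshold` semantics offline: samples are bucketed into the 120 s alignment period and reduced with `ALIGN_MEAN`, `REDUCE_NONE` means every bucket's time series is judged on its own, `duration` says how long a series must stay over the threshold, and `trigger.count` says how many series must be over it. It also runs a couple of static checks on the policy (filter scope, channel name format). The bucket names and request counts are constructed sample data; `lint_policy` and the channel-name regex are my assumptions about what a reviewer would want to check, not a Google API.

```python
"""Offline evaluator for a Cloud Monitoring threshold condition (added example).

Models conditionThreshold semantics (aligner, comparison, duration, trigger.count)
so the policy from the issue can be exercised against constructed sample points.
"""
import json
import re
from collections import defaultdict
from statistics import mean

# Trimmed copy of the policy from the issue: only the fields the evaluator reads.
POLICY_JSON = r'''
{
  "displayName": "any-gcs-bucket-event",
  "combiner": "OR",
  "enabled": true,
  "conditions": [{
    "displayName": "GCS Bucket - Request count",
    "conditionThreshold": {
      "filter": "resource.type = \"gcs_bucket\" AND metric.type = \"storage.googleapis.com/api/request_count\"",
      "aggregations": [{"alignmentPeriod": "120s",
                        "crossSeriesReducer": "REDUCE_NONE",
                        "perSeriesAligner": "ALIGN_MEAN"}],
      "comparison": "COMPARISON_GT",
      "duration": "0s",
      "trigger": {"count": 1},
      "thresholdValue": 0
    }
  }],
  "notificationChannels": ["projects/anthos-ol/notificationChannels/278200572621676368"]
}
'''

COMPARISONS = {
    "COMPARISON_GT": lambda v, t: v > t, "COMPARISON_GE": lambda v, t: v >= t,
    "COMPARISON_LT": lambda v, t: v < t, "COMPARISON_LE": lambda v, t: v <= t,
    "COMPARISON_EQ": lambda v, t: v == t, "COMPARISON_NE": lambda v, t: v != t,
}
ALIGNERS = {"ALIGN_MEAN": mean, "ALIGN_SUM": sum, "ALIGN_MAX": max,
            "ALIGN_MIN": min, "ALIGN_COUNT": len}
# Assumed shape of a channel resource name (project id rules + numeric channel id).
CHANNEL_RE = re.compile(r"^projects/[a-z][-a-z0-9]{4,28}[a-z0-9]/notificationChannels/\d+$")


def load_policy(text: str = POLICY_JSON) -> dict:
    return json.loads(text)


def seconds(duration: str) -> int:
    """Parse a protobuf-style duration such as "120s" into whole seconds."""
    if not duration.endswith("s"):
        raise ValueError(f"unsupported duration: {duration!r}")
    return int(float(duration[:-1]))


def filter_terms(monitoring_filter: str) -> dict:
    """Extract key = "value" terms from an AND-only monitoring filter."""
    return dict(re.findall(r'([\w.]+)\s*=\s*"([^"]+)"', monitoring_filter))


def align(points, period: int, aligner) -> dict:
    """Bucket (timestamp, value) samples into alignment periods, reduce each bucket."""
    buckets = defaultdict(list)
    for ts, value in points:
        buckets[ts - ts % period].append(value)
    return {start: float(aligner(vals)) for start, vals in sorted(buckets.items())}


def series_violates(aligned: dict, compare, threshold, duration: int) -> bool:
    """True when every aligned point in the trailing `duration` window breaks the
    threshold; with duration 0s only the latest aligned point is examined."""
    if not aligned:
        return False
    latest = max(aligned)
    window = [v for start, v in aligned.items() if start >= latest - duration]
    return all(compare(v, threshold) for v in window)


def evaluate_condition(condition: dict, series: dict) -> list:
    """Names of the time series that trip the condition, honoring trigger.count."""
    ct = condition["conditionThreshold"]
    agg = ct["aggregations"][0]
    if agg.get("crossSeriesReducer", "REDUCE_NONE") != "REDUCE_NONE":
        raise NotImplementedError("only REDUCE_NONE (per-series evaluation) is modeled")
    period, aligner = seconds(agg["alignmentPeriod"]), ALIGNERS[agg["perSeriesAligner"]]
    compare, threshold = COMPARISONS[ct["comparison"]], ct.get("thresholdValue", 0)
    duration, need = seconds(ct.get("duration", "0s")), ct.get("trigger", {}).get("count", 1)
    tripped = [name for name, pts in series.items()
               if series_violates(align(pts, period, aligner), compare, threshold, duration)]
    return tripped if len(tripped) >= need else []


def evaluate_policy(policy: dict, series: dict) -> dict:
    """Evaluate all conditions; with combiner OR the policy fires if any condition trips."""
    results = {c["displayName"]: evaluate_condition(c, series) for c in policy["conditions"]}
    hit = any(results.values()) if policy.get("combiner", "OR") == "OR" else all(results.values())
    return {"fires": bool(hit and policy.get("enabled", True)), "tripped": results}


def lint_policy(policy: dict) -> list:
    """Static checks on scope and channels (assumed reviewer checks, not a Google API)."""
    findings = []
    for c in policy["conditions"]:
        terms = filter_terms(c["conditionThreshold"]["filter"])
        if terms.get("resource.type") != "gcs_bucket":
            findings.append(f"{c['displayName']}: filter is not scoped to gcs_bucket")
        if "resource.labels.bucket_name" not in terms:
            findings.append(f"{c['displayName']}: no bucket_name term, every bucket in the project matches")
    channels = policy.get("notificationChannels", [])
    findings += [f"malformed channel name {ch}" for ch in channels if not CHANNEL_RE.match(ch)]
    if not channels:
        findings.append("policy has no notification channels")
    return findings


# Constructed sample: bucket-a sees an upload (3 requests at t=180s), bucket-b stays idle.
SAMPLE_SERIES = {
    "bucket-a": [(0, 0), (60, 0), (120, 0), (180, 3)],
    "bucket-b": [(0, 0), (60, 0), (120, 0), (180, 0)],
}

if __name__ == "__main__":
    policy = load_policy()
    print(lint_policy(policy))
    print(evaluate_policy(policy, SAMPLE_SERIES))
```

Running it shows the two properties that matter for using this as a detection: with `duration: "0s"` a single 120 s window whose mean request count exceeds 0 fires the policy for that bucket alone, and raising `duration` to `120s` would require two consecutive windows over the threshold, which the single upload in the sample does not satisfy. The lint output also makes explicit that the filter has no `bucket_name` term, so the policy covers every bucket in the project rather than one bucket.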
See also #270 Requirements
Workarounds
Options
Discussion: for Workspace we get 4 MX records on the domain, and those match; for non-Workspace the emails may match depending on whether the 3rd-party AAD or AWS WorkMail are on the same domain as the GCP org.
Notes
References
225
182