The GCP PubSec Declarative Toolkit is a collection of declarative solutions to help you on your Journey to Google Cloud. Solutions are designed using Config Connector and deployed using Config Controller.
Apache License 2.0
Investigate role related lockdown for read only security personnel with selective service account impersonation for any temporary IAM roles above the baseline - target cloud shell access #525
Is your feature request related to a problem? Please describe.
Need way to limit cloud shell access to specific read-only users - like security personnel using ssc-p
Or at least lock down permissions in a service account and not give them service account token creator impersonation access
This is a visibility issue - in that even though shell access is benign and already truncated - as in the users will likely not have api enabled services on the project or IAM role access to spin up services or infrastructure - we still need to review any cloud shell limitation we can add.
Look also at local gcloud SDK options.
Describe the solution you'd like
A set of group specific permissions in IAM related packages as well as readme write-up of the limited shell access
Describe alternatives you've considered
We already have project level service lockdown and limitations on IAM role permissions - just need to do a review for this specific use case
Additional context
Add any other context or screenshots about the feature request here.
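As an added example (not code from the toolkit or from the issue author), a small Python audit over a constructed IAM policy in the shape of `gcloud projects get-iam-policy --format=json`: it reports which roles a read-only group holds above an agreed baseline and which of those grant service account impersonation, which is the check the review above asks for. The group name, baseline role set and policy contents are assumptions.

```python
"""Audit a GCP project IAM policy for a read-only group that should hold
nothing above a baseline (in particular no service account impersonation).
Added example; the policy below is constructed, not from any real project."""
import json

# Roles that let a principal act as a service account; any of these on a
# read-only group defeats the lockdown requested in the issue.
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountUser",
    "roles/iam.workloadIdentityUser",
}

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/viewer",
     "members": ["group:sec-readonly@example.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["group:sec-readonly@example.com",
                 "serviceAccount:ci@example.iam.gserviceaccount.com"]},
    {"role": "roles/editor", "members": ["user:admin@example.com"]}
  ]
}
""")


def audit_group(policy, group, baseline_roles):
    """Return the roles `group` holds, those beyond `baseline_roles`, and
    which of the excess roles grant service account impersonation."""
    member = f"group:{group}"
    held = sorted({b["role"] for b in policy.get("bindings", [])
                   if member in b.get("members", [])})
    above_baseline = [r for r in held if r not in baseline_roles]
    impersonation = [r for r in above_baseline if r in IMPERSONATION_ROLES]
    return {"held": held,
            "above_baseline": above_baseline,
            "impersonation": impersonation}


if __name__ == "__main__":
    # Assumed baseline for security read-only personnel: project viewer only.
    result = audit_group(SAMPLE_POLICY, "sec-readonly@example.com", {"roles/viewer"})
    print(json.dumps(result, indent=2))
```

On a real project, replace SAMPLE_POLICY with the parsed output of `gcloud projects get-iam-policy PROJECT_ID --format=json`; a non-empty `impersonation` list is the finding to act on.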