GoogleCloudPlatform / pubsec-declarative-toolkit

The GCP PubSec Declarative Toolkit is a collection of declarative solutions to help you on your Journey to Google Cloud. Solutions are designed using Config Connector and deployed using Config Controller.
Apache License 2.0

Investigate role related lockdown for read only security personnel with selective service account impersonation for any temporary IAM roles above the baseline - target cloud shell access #525

Open fmichaelobrien opened 1 year ago

fmichaelobrien commented 1 year ago

Is your feature request related to a problem? Please describe.
Need a way to limit Cloud Shell access to specific read-only users, like security personnel using ssc-p. Or at least lock down permissions in a service account and not give them Service Account Token Creator impersonation access. This is a visibility issue, in that even though shell access is benign and already truncated (as in, the users will likely not have API-enabled services on the project or IAM role access to spin up services or infrastructure), we still need to review any Cloud Shell limitation we can add. Look also at local gcloud SDK options.

Describe the solution you'd like
A set of group-specific permissions in the IAM-related packages, as well as a README write-up of the limited shell access.

Describe alternatives you've considered
We already have project-level service lockdown and limitations on IAM role permissions; we just need to do a review for this specific use case.

Additional context
Add any other context or screenshots about the feature request here.
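The shape the request above points at, as an added example written for this page (it is not code from the pubsec-declarative-toolkit or from the issue author): a Config Connector IAM package that gives a security group a read-only baseline at the project, and grants Service Account Token Creator on one dedicated service account only, under an IAM condition that expires. Cloud Shell itself is not gated by project IAM, so the lever here is what the shell user can do or impersonate once inside; with this layout, `gcloud --impersonate-service-account` for that account works only until the timestamp in the condition. The project id `my-project`, the group `sec-readonly@example.com`, the service account `sec-reader` and the expiry date are placeholders.

```yaml
# Added example, not part of the toolkit. Assumed names: project "my-project",
# group "sec-readonly@example.com", service account "sec-reader", expiry date.
# Baseline: read-only visibility at the project for the security group.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: sec-readonly-viewer
spec:
  member: group:sec-readonly@example.com
  role: roles/viewer
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: projects/my-project
---
# Baseline: let the group review IAM policy without being able to change it.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: sec-readonly-security-reviewer
spec:
  member: group:sec-readonly@example.com
  role: roles/iam.securityReviewer
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: projects/my-project
---
# The only account the group may impersonate. Grant its own roles separately
# and keep them at or below what the group itself holds.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: sec-reader
  annotations:
    cnrm.cloud.google.com/project-id: my-project
spec:
  displayName: "Read-only impersonation target for security personnel"
---
# Temporary step above the baseline: Token Creator bound on that one service
# account (not on the project), and only until the expression stops being true.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: sec-readonly-temp-token-creator
spec:
  member: group:sec-readonly@example.com
  role: roles/iam.serviceAccountTokenCreator
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    name: sec-reader
  condition:
    title: temporary-impersonation
    description: Time-boxed grant; extend by editing the timestamp after review
    expression: request.time < timestamp("2024-12-31T23:59:59Z")
```

Apply the manifests to the Config Controller cluster with `kubectl apply`. Two caveats worth noting in the README write-up the request asks for: an expired conditional binding stops working but is still listed in the policy until the manifest is removed, so it should be part of any periodic IAM review; and a project-level Token Creator grant would let the group mint tokens for every service account in the project, which is why the binding sits on the single IAMServiceAccount resource instead.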

cartyc commented 1 year ago

Looks like disabling Cloud Shell needs to be done at the Cloud Identity Level.

Should we add this as an optional step in the documentation?