golemfactory / concent-deployment

Scripts and configuration for Concent deployment

Limit user and service account privileges in Google Cloud #371

Closed cameel closed 5 years ago

cameel commented 5 years ago

This task depends on #368. In that issue we have determined which roles we need for our service accounts. Now we need to configure our Google Cloud project accordingly.

Contact someone who has an Owner role in the project and ask him to make the following modifications:

  1. Create a separate service account for concent-deployment-server.
  2. Adjust privileges of service accounts:
    • Service account used on concent-builder: Concent Deployer privileges.
      • Access only to the dev and CI clusters.
    • Service account used on concent-deployment-server: Concent Cloud Admin privileges.
      • Access to all the clusters.
    • Service account used on machines running Geth (#305), if any: minimal necessary privileges; no privileges if possible.
    • Remove Editor role from the service accounts listed above.
      • There are currently a few other service accounts with Editor privileges that look like they were created automatically. Check what is using them and see if lower privileges would be OK. But don't spend too much time on it. It's fine to leave them as is for the time being if they're on machines managed by Google.
  3. Adjust user privileges:
    • Developers from our team:
      • Should have Viewer privileges. They only need to view logs and deployment is always performed from concent-builder using its service account.
      • Should have roles/compute.osLogin role for concent-builder machine (see Managing Instance Access Using OS Login; this is necessary for #370).
    • DevOps people from our team:
      • Should have Editor privileges. They need to be able to do anything our service accounts can. Anything beyond that does not really affect Concent so there's no point in limiting it.
      • Should have roles/compute.osAdminLogin role for concent-builder, concent-deployment-server and the Geth machines.
    • Golem's people who are not Owners in the organization account on Google Cloud:
      • May want to limit their privileges to Viewer. But it's fine to keep them at Owner since they own the project anyway and are 100% trusted. The point of lower privileges would be to limit potential damage in case of a credential leak.
        • Note that owners of the organization get owner privileges in the project automatically and privileges in Google Cloud can't be limited at the lower level, only enhanced.
  4. Remove users who no longer work on the project.
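
One way to check the outcome of steps 2 to 4 above, as an added example that is not part of the original issue or the project's own code: a Python audit over the JSON that `gcloud projects get-iam-policy PROJECT --format=json` produces. The policy, member names, project ID and custom role ID below are constructed placeholders.

```python
import json

# Constructed sample in the shape of `gcloud projects get-iam-policy PROJECT --format=json`.
# All member names, the project ID and the custom role ID are hypothetical placeholders.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/editor", "members": [
      "serviceAccount:concent-builder@example-project.iam.gserviceaccount.com",
      "user:devops1@example.com",
      "user:dev1@example.com"]},
  {"role": "roles/viewer", "members": ["user:dev2@example.com"]},
  {"role": "projects/example-project/roles/concentCloudAdmin", "members": [
      "serviceAccount:concent-deployment-server@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/owner", "members": ["user:former-employee@example.com"]}
]}
""")

BASIC_WRITE_ROLES = {"roles/editor", "roles/owner"}

def audit(policy, devops, owners, current_users):
    """Return sorted (member, role, reason) findings against the plan in the issue."""
    findings = set()
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            kind, _, name = member.partition(":")
            if kind == "serviceAccount" and role in BASIC_WRITE_ROLES:
                # Step 2: no service account keeps Editor (or Owner).
                findings.add((member, role, "service account holds a basic write role"))
            elif kind == "user":
                if name not in current_users:
                    # Step 4: people who left the project keep no binding at all.
                    findings.add((member, role, "user no longer on the project"))
                elif role == "roles/owner" and name not in owners:
                    findings.add((member, role, "Owner held by non-owner"))
                elif role == "roles/editor" and name not in devops | owners:
                    # Step 3: developers get Viewer, only DevOps get Editor.
                    findings.add((member, role, "Editor held by non-DevOps user"))
    return sorted(findings)

if __name__ == "__main__":
    team = {"devops1@example.com", "dev1@example.com", "dev2@example.com"}
    for finding in audit(SAMPLE_POLICY, devops={"devops1@example.com"},
                         owners=set(), current_users=team):
        print(*finding, sep=" | ")
```

An empty result means the project-level bindings match the plan; per-instance OS Login roles and Kubernetes RBAC are outside what this policy file shows.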

bartoszbetka commented 5 years ago

The second step must be modified after research. Roles cannot be granted to Google Cloud clusters. We decided to create three service accounts that will be attached to the dev, staging and testnet, mainnet environments. Then we will add privileges to these service accounts for our "concent-deployer" and "concent-cloud-admin" service accounts.

bartoszbetka commented 5 years ago

The solution with service accounts also does not work. The problem was solved by granting roles at the Kubernetes level using Kubernetes RBAC.

cameel commented 5 years ago

@bartoszbetka Could you summarize which steps you actually performed? Was it all done exactly as in the description (except for the stuff you mentioned in the comments above) or did you have to do anything differently?

cameel commented 5 years ago

As for Kubernetes - RBAC is fine but I want to have the configuration documented in README. Either put the role configuration here or put it in a file in cloud/ and just mention it in README.

bartoszbetka commented 5 years ago

Steps that are already done: 1, 2 a) b), 3 a) b), 4, where for example a) is interpreted as the first dash.

cameel commented 5 years ago

So what about the remaining stuff?

bartoszbetka commented 5 years ago

All steps are already done. Like we decided without: