goto / guardian

Guardian is a tool for extensible and universal data access with automated access workflows and security controls across data stores, analytical systems, and cloud products.
https://goto.github.io/guardian/
Apache License 2.0

Update required permissions for GCP providers #10

Open rahmatrhd opened 1 year ago

rahmatrhd commented 1 year ago

In existing docs, the required roles mentioned for each GCP provider are not the minimal necessary ones. Instead, we mention the available admin/owner level roles that could contain unnecessary permissions for Guardian to access the services. Proposing to list the required GCP permissions (plus the recommended role(s) that contains all the required permissions) so user can even create a custom role to only give the necessary permissions.

Existing docs:

Proposed update:

*) will test if the listed permissions above are sufficient for Guardian needs

bsushmith commented 1 year ago

For dataplex provider, these permissions also would be needed -

bigquery.dataPolicies.get
bigquery.dataPolicies.getIamPolicy
bigquery.dataPolicies.list
bigquery.dataPolicies.setIamPolicy

bsushmith commented 1 year ago

Have granted only these permissions to guardian SA for gcloud_iam provider and it works fine.

iam.roles.get
iam.roles.list
resourcemanager.projects.getIamPolicy
resourcemanager.projects.setIamPolicy

rahmatrhd commented 1 year ago

@bsushmith are there any GCP predefined roles that only include those permissions?

bsushmith commented 1 year ago

There's no predefined role with this set of permissions. We had to create a custom role for this with a name like - project.iamManager
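The custom-role approach discussed in this thread, as an added example (this is not code from the Guardian project): a POSIX shell script that turns the permission lists posted above into a role definition file in the YAML format accepted by `gcloud iam roles create --file`, and a helper that diffs a required permission set against what a service account's role actually grants, so a missing permission shows up before Guardian fails at runtime. The role id `guardianAccess`, the project id `my-project` and the service-account address are placeholders, not values from the project; the `gcloud` commands are only printed, not executed.

```shell
#!/bin/sh
# Added example, not part of the Guardian project. Builds a least-privilege
# custom role from the permissions reported in the issue thread and checks a
# granted permission set against a required one.

# Permissions reported as sufficient for the gcloud_iam provider (from the thread).
GCLOUD_IAM_PERMISSIONS="iam.roles.get
iam.roles.list
resourcemanager.projects.getIamPolicy
resourcemanager.projects.setIamPolicy"

# Additional permissions reported as needed by the dataplex provider (from the thread).
DATAPLEX_PERMISSIONS="bigquery.dataPolicies.get
bigquery.dataPolicies.getIamPolicy
bigquery.dataPolicies.list
bigquery.dataPolicies.setIamPolicy"

# write_role_yaml TITLE PERMISSIONS OUTFILE
# Writes a role definition in the YAML shape `gcloud iam roles create --file` reads:
# title, description, stage and an includedPermissions list.
write_role_yaml() {
  title=$1; perms=$2; out=$3
  {
    echo "title: \"$title\""
    echo "description: \"Least-privilege role for the Guardian service account\""
    echo "stage: GA"
    echo "includedPermissions:"
    printf '%s\n' "$perms" | sed 's/^/- /'
  } > "$out"
}

# count_permissions OUTFILE
# Number of includedPermissions entries in a role file written above.
count_permissions() {
  grep -c '^- ' "$1"
}

# missing_permissions REQUIRED GRANTED
# Prints every permission in REQUIRED (newline-separated) that is absent from
# GRANTED; empty output means the grant covers the requirement. GRANTED would
# normally be pasted from `gcloud iam roles describe` on the bound role.
missing_permissions() {
  r=$(mktemp); g=$(mktemp)
  printf '%s\n' "$1" | sort -u > "$r"
  printf '%s\n' "$2" | sort -u > "$g"
  comm -23 "$r" "$g"
  rm -f "$r" "$g"
}

# Demo: build one role covering both providers and print the commands an
# operator would run. PROJECT, ROLE_ID and SA are placeholders.
PROJECT=${PROJECT:-my-project}
ROLE_ID=${ROLE_ID:-guardianAccess}
SA=${SA:-guardian@my-project.iam.gserviceaccount.com}
ROLE_FILE=$(mktemp)

write_role_yaml "Guardian access" "$GCLOUD_IAM_PERMISSIONS
$DATAPLEX_PERMISSIONS" "$ROLE_FILE"
echo "Role definition ($(count_permissions "$ROLE_FILE") permissions) written to $ROLE_FILE"
echo "To apply (not executed here):"
echo "  gcloud iam roles create $ROLE_ID --project=$PROJECT --file=$ROLE_FILE"
echo "  gcloud projects add-iam-policy-binding $PROJECT \\"
echo "    --member=serviceAccount:$SA --role=projects/$PROJECT/roles/$ROLE_ID"

# Sanity check: a role holding only the gcloud_iam set is short of the dataplex set.
echo "Still missing for dataplex if only the gcloud_iam set is granted:"
missing_permissions "$DATAPLEX_PERMISSIONS" "$GCLOUD_IAM_PERMISSIONS" | sed 's/^/  /'
```

After creating the role, run `gcloud iam roles describe projects/<project>/roles/<role-id>` and feed its `includedPermissions` into `missing_permissions` against the provider's list to confirm nothing was dropped; keep the list under review when a provider gains a new API call, since a custom role does not pick up new permissions the way a predefined role does.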