hashicorp / vault-plugin-secrets-gcp

Mozilla Public License 2.0
52 stars 24 forks

Feature: Support IAM Conditions #70

Open lawliet89 opened 4 years ago

lawliet89 commented 4 years ago

I would like to request support for Cloud IAM conditions in the rolesets. Conditions are attached to the IAM bindings themselves and would be useful to further restrict what the rolesets can and cannot do.

Suggested HCL Syntax

resource "projects/X" {
    roles = [
        "roles/viewer",
    ]

    condition "roles/viewer" {
        title       = "A conditional IAM title"
        description = "A conditional IAM description"
        expression  = "ResourceA==ResourceB"
    }

    condition "roles/editor" {
        title       = "A conditional IAM title"
        description = "A conditional IAM description"
        expression  = "ResourceA==ResourceB"
    }
}
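To make the semantics of the proposal concrete, here is an added Go example (written for this thread, not code from the plugin or from the issue author) that models a roleset binding in the proposed shape and applies it to an IAM policy. The `Policy`, `Binding` and `Condition` types are hand-rolled stand-ins for the generated API types, the policy contents and the CEL expression are constructed sample data, and `AddMember`/`RemoveMember` are hypothetical names. The two points it demonstrates are that a conditional grant is a separate binding from an unconditional one on the same role, so revocation has to match role and condition together, and that any conditional binding requires policy version 3 when the policy is written back.

```go
package main

import (
	"fmt"
	"strings"
)

// Condition carries the three fields of an IAM binding condition. The field
// names follow the GCP IAM policy representation; the surrounding code is an
// example written for this issue, not the plugin's own.
type Condition struct {
	Title       string
	Description string
	Expression  string // CEL expression evaluated by IAM at request time
}

// Binding is one role/members pair. IAM treats a binding with a condition as
// distinct from an unconditional binding on the same role, so the condition is
// part of the binding's identity.
type Binding struct {
	Role      string
	Members   []string
	Condition *Condition // nil means the grant is unconditional
}

// Policy is the subset of an IAM policy this example manipulates.
type Policy struct {
	Version  int
	Bindings []Binding
}

// RolesetBinding is the shape proposed above: a resource, the roles granted
// on it, and an optional condition keyed by role.
type RolesetBinding struct {
	Resource   string
	Roles      []string
	Conditions map[string]Condition
}

// Validate catches two mistakes the proposed syntax makes easy: a condition on
// a role the block does not grant, and a condition with no title or expression.
func (rb RolesetBinding) Validate() error {
	granted := make(map[string]bool, len(rb.Roles))
	for _, r := range rb.Roles {
		granted[r] = true
	}
	for role, c := range rb.Conditions {
		if !granted[role] {
			return fmt.Errorf("condition for %q but that role is not in roles", role)
		}
		if c.Title == "" || strings.TrimSpace(c.Expression) == "" {
			return fmt.Errorf("condition for %q needs a title and a non-empty expression", role)
		}
	}
	return nil
}

func sameCondition(a, b *Condition) bool {
	if a == nil || b == nil {
		return a == b
	}
	return *a == *b
}

func contains(xs []string, x string) bool {
	for _, v := range xs {
		if v == x {
			return true
		}
	}
	return false
}

func without(xs []string, x string) []string {
	var out []string
	for _, v := range xs {
		if v != x {
			out = append(out, v)
		}
	}
	return out
}

// conditionFor returns a copy of rb's condition for role, or nil.
func (rb RolesetBinding) conditionFor(role string) *Condition {
	if c, ok := rb.Conditions[role]; ok {
		return &c
	}
	return nil
}

// AddMember grants member every role in rb, one binding per (role, condition)
// pair. A policy that contains any conditional binding must be version 3.
func AddMember(p *Policy, rb RolesetBinding, member string) error {
	if err := rb.Validate(); err != nil {
		return err
	}
	for _, role := range rb.Roles {
		cond := rb.conditionFor(role)
		if cond != nil {
			p.Version = 3
		}
		found := false
		for i := range p.Bindings {
			b := &p.Bindings[i]
			if b.Role == role && sameCondition(b.Condition, cond) {
				if !contains(b.Members, member) {
					b.Members = append(b.Members, member)
				}
				found = true
				break
			}
		}
		if !found {
			p.Bindings = append(p.Bindings, Binding{Role: role, Members: []string{member}, Condition: cond})
		}
	}
	return nil
}

// RemoveMember revokes exactly what AddMember granted: only bindings whose role
// and condition both match rb are touched, so an unrelated unconditional
// binding on the same role survives. Bindings left empty are dropped.
func RemoveMember(p *Policy, rb RolesetBinding, member string) {
	kept := p.Bindings[:0]
	for _, b := range p.Bindings {
		if contains(rb.Roles, b.Role) && sameCondition(b.Condition, rb.conditionFor(b.Role)) {
			b.Members = without(b.Members, member)
		}
		if len(b.Members) > 0 {
			kept = append(kept, b)
		}
	}
	p.Bindings = kept
}

func main() {
	// Constructed sample policy: one pre-existing unconditional viewer grant.
	p := &Policy{Version: 1, Bindings: []Binding{{Role: "roles/viewer", Members: []string{"user:alice@example.com"}}}}
	rb := RolesetBinding{
		Resource: "projects/example-project", // hypothetical project
		Roles:    []string{"roles/viewer", "roles/editor"},
		Conditions: map[string]Condition{
			"roles/viewer": {Title: "expires", Description: "time-boxed grant", Expression: `request.time < timestamp("2030-01-01T00:00:00Z")`},
		},
	}
	sa := "serviceAccount:vault-roleset@example-project.iam.gserviceaccount.com" // hypothetical
	if err := AddMember(p, rb, sa); err != nil {
		panic(err)
	}
	fmt.Printf("version %d, %d bindings\n", p.Version, len(p.Bindings))
	RemoveMember(p, rb, sa)
	fmt.Printf("after revocation: %d binding(s)\n", len(p.Bindings))
}
```

The revocation path is the part worth getting right in the plugin: if the roleset's conditions are not taken into account when the member is removed, a conditional viewer grant would be left behind after the roleset is deleted, and a key match on role alone would also strip other principals' unconditional grants.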
cvolante54 commented 3 years ago

I think this feature would be very beneficial. My understanding is that only work on the HCL parsing needs to be done to support this feature, since https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/77 already updated the policy object.