Google Max IAM Members
Apparently Google has a limit of 1500 IAM members on a policy. We are hitting that limit with the members we're adding to the -- program folders. I think we need to get together ASAP to talk through our options.
thxg00g
Teammate 1
@teammate2 Do you happen to know how Vault works? There are a bunch of SAs that are prefixed with deleted: and I'm wondering if those are being generated by Vault.
Perhaps there's an option to have it clean up better?
I'm also only seeing 548 members on the folder, so I don't understand where they're getting 1500
yes. https://cloud.google.com/iam/docs/understanding-service-accounts#deleting_and_recreating_service_accounts
it's a gcp thing
When you delete a service account, its role bindings are not immediately deleted. Instead, the role bindings list the service account with the prefix deleted:. For an example, see Policies with deleted members.
Teammate 1
well shit
Director 1
do we need help from google?
Teammate 1
Probably, I'm really concerned about it.
teammate3 looked into this in the past; I think they disappear after 3 days. I wish I could find the old thread about it.