inlets / cloud-provision

Get cloud instances with your favourite software pre-loaded
MIT License

GCE: the iam.serviceAccountUser role is unused #4

Closed maelvls closed 3 years ago

maelvls commented 3 years ago

The GCE provisioner requires a GCP service account with two roles:

The first role makes sense, but the second one was a surprise to me. Looking at gce.go, I discovered that the VM is created with a "service account VM" (a service account that is mounted into the VM and allows for GCP API calls):

https://github.com/inlets/cloud-provision/blob/9626406375488183630d2b3904deeaf12445531e/provision/gce.go#L94-L101

Should we drop this mounted service account and update the documentation (see sections inlets-operator and inletsctl) to only require roles/compute.admin?
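As an added example (not code from the cloud-provision project), the check below audits which VMs in a GCE `instances.list` response still have a service account mounted, which is the scope the issue proposes dropping. It only mirrors the `serviceAccounts[].email` / `scopes` fields of the real GCE instance resource, and the JSON input is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// instance is a constructed subset of the GCE instance resource: only the
// fields needed to see whether a service account is attached to the VM.
type instance struct {
	Name            string `json:"name"`
	ServiceAccounts []struct {
		Email  string   `json:"email"`
		Scopes []string `json:"scopes"`
	} `json:"serviceAccounts"`
}

// attachedServiceAccounts parses an instances.list style document and returns,
// per instance name, the emails of the service accounts mounted into the VM.
// An empty slice means the VM cannot call GCP APIs via the metadata server.
func attachedServiceAccounts(data []byte) (map[string][]string, error) {
	var list struct {
		Items []instance `json:"items"`
	}
	if err := json.Unmarshal(data, &list); err != nil {
		return nil, err
	}
	out := make(map[string][]string, len(list.Items))
	for _, inst := range list.Items {
		emails := []string{}
		for _, sa := range inst.ServiceAccounts {
			emails = append(emails, sa.Email)
		}
		out[inst.Name] = emails
	}
	return out, nil
}

// sampleList is a constructed response: vm-1 has the default compute service
// account mounted with the broad cloud-platform scope, vm-2 has none.
const sampleList = `{"items":[
 {"name":"vm-1","serviceAccounts":[{"email":"123456789-compute@developer.gserviceaccount.com","scopes":["https://www.googleapis.com/auth/cloud-platform"]}]},
 {"name":"vm-2"}
]}`

func main() {
	result, err := attachedServiceAccounts([]byte(sampleList))
	if err != nil {
		panic(err)
	}
	for name, emails := range result {
		fmt.Printf("%s: attached service accounts %v\n", name, emails)
	}
}
```

Run against a real `gcloud compute instances list --format=json` dump, any VM reported with a non-empty list is one where the mounted account, not just the provisioner's credentials, needs a justification.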

alexellis commented 3 years ago

If it still works as designed when removed, then I would be supportive of the change to reduce scope.

@jsiebens @utsavanand2

jsiebens commented 3 years ago

Yes, that would work.

My suggestion:

The first will be the default behaviour of the provisioner, and only roles/compute.admin will be required.