padok-team / terraform-google-bastion

Terraform module that sets up a minimal VM to access private network over IAP
Apache License 2.0

IAM for user access to bastion is broken by default #17

Open piaverous opened 8 months ago

piaverous commented 8 months ago

Issue description

When deploying a bastion using this module, with minimal configuration and by following the examples provided in the repo, permissions are insufficient for users to access the bastion.

Steps to reproduce

Observed behaviour

Expected behaviour

Cause

In order to connect to a GCE instance, a user needs to have actAs permissions on the Google Service Account bound to the GCE instance.

By default, the bastion module binds no Google Service Account to the bastion. Therefore, the Compute Engine default service account is assigned by GCP.

However, the test user had no permissions on the project, so he does not have the actAs permission on the Compute Engine default service account.

How to fix

I see two possible ways of fixing this.

  1. Option 1: if no service-account is provided by the caller, create a service-account with no permissions whatsoever for the bastion instance. Then, add all members as roles/iam.serviceAccountUser on this service-account.
  2. Option 2: if no service-account is provided by the caller, fetch the Compute Engine default service account using a data source. Then, add all members as roles/iam.serviceAccountUser on this service-account.

My recommendation is to go with Option 1. I'm happy to open a PR once we decide on the better option :)

Notes

Additionally I think we should include this in the README as well, so that a user of this module that wishes to use a custom service-account for the bastion would know that this permission is required for members to access the bastion.
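The following Terraform snippet is an added illustration of Option 1 as described in this issue; it is not code from the terraform-google-bastion module or from the issue author. The variable names (`project_id`, `members`, `service_account_email`, `network`, `zone`) and the resource names are assumptions made for the example.

```hcl
# Added example (not the module's code): Option 1 from the issue above.
# Assumed inputs: a project id, a list of IAM principals who may reach the
# bastion (e.g. "user:alice@example.com", "group:ops@example.com"), and an
# optional caller-supplied service account email that overrides the default.

variable "project_id" { type = string }
variable "zone" { type = string }
variable "network" { type = string }

variable "members" {
  description = "IAM principals allowed to use the bastion"
  type        = list(string)
  default     = []
}

variable "service_account_email" {
  description = "Optional: custom service account for the bastion VM"
  type        = string
  default     = null
}

# Option 1: when the caller provides no service account, create a dedicated one
# that carries no IAM roles at all, instead of falling back to the Compute
# Engine default service account assigned by GCP.
resource "google_service_account" "bastion" {
  count        = var.service_account_email == null ? 1 : 0
  project      = var.project_id
  account_id   = "bastion-vm"
  display_name = "Bastion VM service account (no permissions)"
}

locals {
  # Use the caller's account if given, otherwise the one created above.
  # one() returns null for an empty splat, so coalesce() picks the right value.
  bastion_sa_email = coalesce(
    var.service_account_email,
    one(google_service_account.bastion[*].email),
  )
}

# Grant every member actAs on the bastion's service account: this is the
# missing permission that prevents users from connecting to the instance.
# The binding is placed on the service account itself (not on the project),
# so members gain actAs only for this low-privilege identity.
resource "google_service_account_iam_member" "bastion_users" {
  for_each           = toset(var.members)
  service_account_id = "projects/${var.project_id}/serviceAccounts/${local.bastion_sa_email}"
  role               = "roles/iam.serviceAccountUser"
  member             = each.value
}

# Minimal bastion VM bound to that service account. Only an internal IP is
# assigned; access is meant to go through IAP, as the module's README states.
resource "google_compute_instance" "bastion" {
  project      = var.project_id
  zone         = var.zone
  name         = "bastion"
  machine_type = "e2-micro"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    network = var.network
    # no access_config block: no external IP
  }

  service_account {
    email  = local.bastion_sa_email
    scopes = ["cloud-platform"]
  }

  depends_on = [google_service_account_iam_member.bastion_users]
}
```

Binding `roles/iam.serviceAccountUser` on a freshly created, role-less account (Option 1) is the safer choice because the Compute Engine default service account has historically been granted broad project-level roles such as `roles/editor`; granting members actAs on it (Option 2) would let them run workloads as a highly privileged identity. Note that this snippet only addresses the actAs requirement raised in this issue; reaching the VM over IAP TCP forwarding is governed separately by `roles/iap.tunnelResourceAccessor`, which is outside the scope of the issue.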

Alan-pad commented 8 months ago

Option 1 seems to be better!