When deploying a bastion using this module with minimal configuration, following the examples provided in the repo, the granted permissions are insufficient for users to access the bastion.
Steps to reproduce
In the "members" field, add a user who has no permissions whatsoever on the project.
Observed behaviour
The user who has no permissions on the project cannot access the bastion using gcloud compute ssh --tunnel-over-iap.
Expected behaviour
The user who has no permissions on the project can access the bastion using gcloud compute ssh --tunnel-over-iap.
Cause
In order to connect to a GCE instance, a user needs to have actAs permissions on the Google Service Account bound to the GCE instance.
By default, the bastion module binds no Google Service Account to the bastion. Therefore, the Compute Engine default service account is assigned by GCP.
However, the test user had no permissions on the project, so he does not have the actAs permission on the Compute Engine default service account.
How to fix
I see two possible ways of fixing this.
Option 1: if no service account is provided by the caller, create a service account with no permissions whatsoever for the bastion instance, then grant all members roles/iam.serviceAccountUser on that service account.
Option 2: if no service account is provided by the caller, fetch the Compute Engine default service account using a data source, then grant all members roles/iam.serviceAccountUser on that service account.
My recommendation is to go with Option 1.
I'm happy to open a PR once we decide on the better option :)
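A sketch of Option 1 in Terraform, added here as an illustration rather than the module's own code. It assumes the module exposes var.project, var.zone, var.members and an optional var.service_account_email (empty string when the caller provides nothing), and that the module's existing IAP tunnel and OS Login grants stay as they are.

```hcl
locals {
  create_sa = var.service_account_email == ""
  # Use the caller's service account when supplied, else the one created below.
  bastion_sa_email = local.create_sa ? google_service_account.bastion[0].email : var.service_account_email
}

# Option 1: a dedicated service account that holds no IAM roles at all, so the
# bastion's own identity grants nothing in the project; members only need actAs on it.
resource "google_service_account" "bastion" {
  count        = local.create_sa ? 1 : 0
  project      = var.project
  account_id   = "bastion-host" # assumed account id
  display_name = "Bastion host (no permissions)"
}

# roles/iam.serviceAccountUser carries iam.serviceAccounts.actAs, the permission
# that `gcloud compute ssh --tunnel-over-iap` was missing. One non-authoritative
# binding per member so nothing else already bound on the SA is overwritten.
resource "google_service_account_iam_member" "bastion_actas" {
  for_each           = toset(local.create_sa ? var.members : [])
  service_account_id = google_service_account.bastion[0].name
  role               = "roles/iam.serviceAccountUser"
  member             = each.value
}

resource "google_compute_instance" "bastion" {
  project      = var.project
  zone         = var.zone
  name         = "bastion"  # assumed
  machine_type = "e2-micro" # assumed
  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11" # assumed
    }
  }
  network_interface {
    network = "default" # assumed
  }
  # Attach the SA explicitly so GCP does not fall back to the Compute Engine
  # default service account, which the members cannot actAs.
  service_account {
    email  = local.bastion_sa_email
    scopes = ["cloud-platform"] # effective access is still bounded by the SA's (empty) roles
  }
}
```

When the caller supplies their own service account, the module grants nothing on it; the README note below is what tells that caller to add roles/iam.serviceAccountUser for their members themselves.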
Notes
Additionally, I think we should include this in the README as well, so that a user of this module who wishes to use a custom service account for the bastion would know that this permission is required for members to access the bastion.