serverless / serverless-google-cloudfunctions

Serverless Google Cloud Functions Plugin – Adds Google Cloud Functions support to the Serverless Framework
https://www.serverless.com
MIT License
272 stars 127 forks

feat: configure custom IAM roles with set permissions #298

Closed ericrav closed 1 year ago

ericrav commented 1 year ago

Secures capabilities of cloud functions by creating custom IAM roles for their function identity. Takes a different approach from #223 by using Google Deployment Manager to create a service account and custom IAM role(s), and assigning those roles to the service account. The Deployment Manager templates are based on these IAM examples: https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/master/dm/templates/iam_custom_role/README.md and https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/master/dm/templates/iam_member/README.md

Usage

# serverless.yaml
provider:
  name: google
  iam:
    permissions:
    - storage.objects.create
    - storage.objects.delete

functions:
  first:
    handler: http
    events:
      - http: true

This will create a service account and an IAM role that includes the 2 permissions, set the service account as a member of the role, and assign the service account to the cloud function.

# serverless.yaml
provider:
  name: google
  iam:
    permissions:
    - bucket: my-storage-bucket
      permissions:
      - storage.objects.create
      - storage.objects.delete
    - folderId: my-folder-id
      permissions:
      - iam.roles.get
      - iam.roles.list

functions:
  first:
    handler: http
    events:
      - http: true

This will do the same as above, but create 2 IAM roles and bind them to those specific resources. That is, the storage permissions will only apply to my-storage-bucket and no other bucket, etc.

Existing behavior

TODO

I will add tests if this approach and the configuration setup look OK.
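As an added illustration of the two configuration shapes described in this PR (this is not code from the plugin, the PR, or its author), the Python sketch below normalises a `provider.iam.permissions` block into one role per scope, rejects the common mistakes a least-privilege config should not contain (a `roles/...` predefined role passed as a permission, a malformed permission ID, an empty role), flags permissions that let the identity extend its own grants, and expands the result into Deployment Manager resources: one service account, one custom role per entry, one binding per role. The function names `normalise`, `to_deployment_manager` and `risky_permissions`, the `<service>-sa` / `<service>Role<n>` naming scheme, and the Deployment Manager type names (taken from my reading of the Cloud Foundation Toolkit templates the PR links) are all assumptions, not the plugin's real output; the sample config is constructed from the two examples above.

```python
"""Expand a serverless.yaml `provider.iam.permissions` block into the
Deployment Manager resources it implies (illustration, not plugin code)."""
import re
from typing import Any, Dict, List

# Permission IDs look like `service.resource.verb` (sometimes four parts).
PERMISSION_RE = re.compile(r"^[a-z][a-zA-Z0-9]*(\.[a-zA-Z0-9]+){2,3}$")

# Assumed DM types per scope, following the CFT iam_member template.
BINDING_TYPES = {
    "project": "gcp-types/cloudresourcemanager-v1:virtual.projects.iamMemberBinding",
    "bucket": "gcp-types/storage-v1:virtual.buckets.iamMemberBinding",
    "folder": "gcp-types/cloudresourcemanager-v2:virtual.folders.iamMemberBinding",
}

# Constructed sample, mirroring the second serverless.yaml example in the PR.
SAMPLE_CFG = {"permissions": [
    {"bucket": "my-storage-bucket",
     "permissions": ["storage.objects.create", "storage.objects.delete"]},
    {"folderId": "my-folder-id",
     "permissions": ["iam.roles.get", "iam.roles.list"]},
]}


def normalise(iam_cfg: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one {scope, target, permissions} entry per custom role.

    A flat list of strings becomes a single project-scoped role; each
    {bucket|folderId, permissions} object becomes its own scoped role.
    """
    entries = iam_cfg.get("permissions") or []
    roles: List[Dict[str, Any]] = []
    flat = [e for e in entries if isinstance(e, str)]
    if flat:
        roles.append({"scope": "project", "target": None, "permissions": flat})
    for e in entries:
        if isinstance(e, str):
            continue
        if "bucket" in e:
            scope, target = "bucket", e["bucket"]
        elif "folderId" in e:
            scope, target = "folder", e["folderId"]
        else:
            raise ValueError(f"unsupported scope in entry: {e}")
        roles.append({"scope": scope, "target": target,
                      "permissions": list(e.get("permissions") or [])})
    for r in roles:
        if not r["permissions"]:
            raise ValueError("a role with no permissions grants nothing")
        for p in r["permissions"]:
            if p.startswith("roles/"):
                raise ValueError(f"{p} is a predefined role, not a permission")
            if not PERMISSION_RE.match(p):
                raise ValueError(f"malformed permission id: {p}")
    return roles


def risky_permissions(roles: List[Dict[str, Any]]) -> List[str]:
    """Permissions that let the function identity widen its own access."""
    return sorted({p for r in roles for p in r["permissions"]
                   if p.endswith(".setIamPolicy")})


def to_deployment_manager(service: str, project: str,
                          roles: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Service account + one custom role and one binding per entry."""
    sa_id = f"{service}-sa"
    member = f"serviceAccount:{sa_id}@{project}.iam.gserviceaccount.com"
    resources = [{"name": sa_id, "type": "iam.v1.serviceAccount",
                  "properties": {"accountId": sa_id,
                                 "displayName": f"{service} function identity"}}]
    for i, r in enumerate(roles):
        role_name = f"{service}-role-{i}"
        role_id = f"{service}Role{i}".replace("-", "_")  # [a-zA-Z0-9_.]
        resources.append({
            "name": role_name, "type": "gcp-types/iam-v1:projects.roles",
            "properties": {"parent": f"projects/{project}", "roleId": role_id,
                           "role": {"title": f"{service} role {i}", "stage": "GA",
                                    "includedPermissions": r["permissions"]}}})
        props = {"role": f"projects/{project}/roles/{role_id}", "member": member}
        if r["scope"] == "project":
            props["resource"] = project
        elif r["scope"] == "bucket":
            props["bucket"] = r["target"]
        else:
            # Caveat: IAM only accepts project-level custom roles on the
            # project and its children; a folder binding needs an
            # organization-level role. Kept to mirror the PR's config shape.
            props["resource"] = f"folders/{r['target']}"
        resources.append({"name": f"{service}-binding-{i}",
                          "type": BINDING_TYPES[r["scope"]],
                          "properties": props,
                          "metadata": {"dependsOn": [sa_id, role_name]}})
    return resources


if __name__ == "__main__":
    import json
    roles = normalise(SAMPLE_CFG)
    print(json.dumps(to_deployment_manager("my-svc", "my-proj", roles), indent=2))
```

Running it prints the five resources the sample config expands to; the bucket-scoped role is bound only on `my-storage-bucket`, which is the least-privilege point the PR description makes.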