sigstore / root-signing-staging

Staging TUF repository for Sigstore trust root
https://tuf-repo-cdn.sigstage.dev/
Apache License 2.0

GCS Publish: 'storage.buckets.get' denied #67

Closed jku closed 7 months ago

jku commented 7 months ago

After issue #64 was fixed and GCS publish was re-run:

ERROR: (gcloud.storage.rsync) User [tuf-gha@projectsigstore-staging.iam.gserviceaccount.com]
does not have permission to access b instance [tuf-root-staging] (or it may not exist):
tuf-gha@projectsigstore-staging.iam.gserviceaccount.com does not have storage.buckets.get
access to the Google Cloud Storage bucket. Permission 'storage.buckets.get' denied on
resource (or it may not exist).

jku commented 7 months ago

blocks #63

jku commented 7 months ago

I guess we can add a role like roles/storage.legacyBucketReader but would be cool to actually know why that is needed ...

jku commented 7 months ago

I believe this is a bug in gcloud sdk and we do need roles/storage.legacyBucketReader https://issuetracker.google.com/issues/323465176

haydentherapper commented 7 months ago

PR has been merged and terraform applied in staging and prod.
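
A bucket-scoped grant of the role named in this thread, as an added Terraform example. It is not the change the project merged. It assumes the Google provider's `google_storage_bucket_iam_member` resource; the resource label `tuf_gha_bucket_reader` is hypothetical, and the bucket and service account names are copied from the error message above.

```hcl
# Added example, not the project's own Terraform.
# Grants the publishing service account roles/storage.legacyBucketReader,
# which carries the storage.buckets.get permission that
# `gcloud storage rsync` was denied in the error above.
resource "google_storage_bucket_iam_member" "tuf_gha_bucket_reader" {
  # Bind on the one bucket the workflow publishes to rather than at
  # project level, so the account gains no bucket metadata access to
  # any other bucket in the project.
  bucket = "tuf-root-staging"

  role = "roles/storage.legacyBucketReader"

  # The *_iam_member resource is additive: it adds this single
  # role/member pair and leaves the bucket's other bindings untouched,
  # unlike the authoritative *_iam_binding and *_iam_policy resources.
  member = "serviceAccount:tuf-gha@projectsigstore-staging.iam.gserviceaccount.com"
}
```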