unionai-oss / deploy-flyte

A set of IaC artifacts to automatically configure the infrastructure resources needed by a Flyte deployment
Apache License 2.0
15 stars, 15 forks

Make GCP reference implementation permissions more fine-grained #8

Closed davidmirror-ops closed 7 months ago

davidmirror-ops commented 7 months ago

The base assumption for this Issue is that a reference implementation should implement the Least Privilege approach as a way to showcase a more secure deployment OOB and also inform users who want/need to relax security controls about the minimum set of permissions required, in this case, for Flyte.

The current GCP implementation is more permissive than necessary, specifically:

  1. When it creates the GCS bucket for metadata, it grants both GSAs (Google Service Accounts), flyte-worker and flyte-binary, the admin role.
  2. It does so by configuring a google_storage_bucket_iam_binding, an authoritative resource that leaves other members (GSAs in this case) without the possibility of using the legacyBucketReader role for that bucket. This could be inconvenient, especially if an organization has other tools that require access to metadata, especially in combination with ACLs.
  3. It's not clear why Flyte's GSAs should be both admins and also inherit the legacyBucketReader role.
  4. According to Google's recommendations, each Flyte service should have its own GSA and use a CustomRole with specific permissions.

Previous versions of the documentation and recent experiments of Flyte users indicate that it's possible to use a set of more granular permissions for Flyte services.

The working combination that implements the least privilege approach should be used.
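To make the contrast between the authoritative binding described in point 2 and a non-authoritative grant through a custom role (point 4) concrete, here is an added Terraform example; it is not code from the deploy-flyte repository. The project, bucket and service-account names, the choice of roles/storage.admin as the "admin role", and the permission list in the custom role are assumptions for illustration, not the working combination the issue refers to.

```hcl
# Added example, not from the deploy-flyte repository.
# Project, bucket and service-account names are assumptions; the bucket
# resource google_storage_bucket.metadata is assumed to be declared elsewhere.

# --- Before: authoritative binding, overly broad role ---
# google_storage_bucket_iam_binding owns the complete member list for the
# role on this bucket: any other member holding roles/storage.admin is removed
# on the next apply, and both Flyte GSAs receive full admin on the bucket.
resource "google_storage_bucket_iam_binding" "metadata_admin" {
  bucket = google_storage_bucket.metadata.name
  role   = "roles/storage.admin" # assumed to be the "admin role" the issue refers to
  members = [
    "serviceAccount:flyte-worker@example-project.iam.gserviceaccount.com",
    "serviceAccount:flyte-binary@example-project.iam.gserviceaccount.com",
  ]
}

# --- After: custom role with object-level permissions, non-authoritative grant ---
# The permission list is illustrative only, not Flyte's verified minimum set.
resource "google_project_iam_custom_role" "flyte_metadata_rw" {
  role_id     = "flyteMetadataReadWrite"
  title       = "Flyte metadata bucket read/write"
  description = "Object read/write on the metadata bucket, no bucket or IAM administration"
  permissions = [
    "storage.buckets.get",
    "storage.objects.get",
    "storage.objects.list",
    "storage.objects.create",
    "storage.objects.delete",
  ]
}

# google_storage_bucket_iam_member adds exactly one (member, role) pair and
# leaves every other binding on the bucket (for example
# roles/storage.legacyBucketReader granted to another team's tool) untouched.
resource "google_storage_bucket_iam_member" "flyte_metadata_rw" {
  for_each = toset([
    "serviceAccount:flyte-worker@example-project.iam.gserviceaccount.com",
    "serviceAccount:flyte-binary@example-project.iam.gserviceaccount.com",
  ])
  bucket = google_storage_bucket.metadata.name
  role   = google_project_iam_custom_role.flyte_metadata_rw.name
  member = each.value
}
```

A `terraform plan` against a bucket that already carries other bindings shows the difference directly: the "before" block plans to remove any non-listed member of roles/storage.admin, while the "after" block only plans additions.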