vmware-archive / terraforming-gcp

use terraform, deploy yourself a pcf
Apache License 2.0

Add storage.admin to blobstore role #112

Closed matthewfischer closed 5 years ago

matthewfischer commented 5 years ago

storage.admin is needed to list buckets which the cloud controller requires. The existing role of storage.objectAdmin only gives access to objects and not buckets. Without this new role, you get the following errors in cloud controller during the deployment:

forbidden: does not have storage.buckets.get access to -buildpacks.

cdutra commented 5 years ago

Hi @matthewfischer, thanks for the PR!

We're trying to reproduce this issue, could you list the steps to reproduce that, please? Also, what version of PAS are you using?

Thanks,

cc @joshzarrabi

matthewfischer commented 5 years ago

I was using the new beta of 2.4.0. The steps to repro are a fairly normal GCP install with external storage configured using the storage service account.

This is what the docs say about these roles:

roles/storage.objectAdmin | Full control over objects, including listing, creating, viewing, and deleting objects. Does not grant permission to read or edit bucket metadata. | storage.objects.*

So I do not believe that you can list buckets with that role alone. I was able to confirm that outside of a PCF installation using gsutil.

cdutra commented 5 years ago

@matthewfischer Thanks for the clarification. I believe you don't need both roles/storage.admin and roles/storage.objectAdmin in that case since the first one should be admin of top level resource storage. Can you confirm that, please?

Thanks again!

cdutra commented 5 years ago

We confirmed that we only need roles/storage.admin. Thanks for the PR! We'll merge and remove roles/storage.objectAdmin.
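The role change this thread converges on, written out as a Terraform fragment with the weak binding beside the corrected one. This is an added example, not code from the terraforming-gcp repository; the service account name, the project variable and the narrower custom-role alternative at the end are assumptions.

```hcl
# Added example; names are assumptions, not values from the repository.
variable "project" {
  type = string
}

resource "google_service_account" "blobstore" {
  account_id   = "pcf-blobstore" # assumed name
  display_name = "PCF blobstore service account"
}

# Before the fix: roles/storage.objectAdmin covers storage.objects.* only,
# so the cloud controller's storage.buckets.get call is rejected with
# "forbidden: does not have storage.buckets.get access".
# resource "google_project_iam_member" "blobstore_object_admin" {
#   project = var.project
#   role    = "roles/storage.objectAdmin"
#   member  = "serviceAccount:${google_service_account.blobstore.email}"
# }

# After the fix (what the thread settled on): roles/storage.admin carries
# bucket-level permissions as well as object permissions, so the
# objectAdmin binding above is redundant and is dropped.
resource "google_project_iam_member" "blobstore_storage_admin" {
  project = var.project
  role    = "roles/storage.admin"
  member  = "serviceAccount:${google_service_account.blobstore.email}"
}

# Narrower alternative (assumption, not verified against the cloud
# controller in this thread): a custom role granting only the bucket
# permissions named here plus the object permissions objectAdmin had.
# Custom roles cannot use wildcards, so storage.objects.* is spelled out.
resource "google_project_iam_custom_role" "blobstore_minimal" {
  project = var.project
  role_id = "pcfBlobstoreMinimal"
  title   = "PCF blobstore: bucket get/list and object access"
  permissions = [
    "storage.buckets.get",
    "storage.buckets.list",
    "storage.objects.create",
    "storage.objects.delete",
    "storage.objects.get",
    "storage.objects.list",
    "storage.objects.update",
  ]
}
```

If the custom role is used instead of roles/storage.admin, bind it with `role = google_project_iam_custom_role.blobstore_minimal.id` and confirm bucket listing from the service account before relying on it in a deployment.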

cdutra commented 5 years ago

@matthewfischer We merged: https://github.com/pivotal-cf/terraforming-gcp/commit/372c688ce46ffe32c9adcb488cf47865de6a3259

Thanks again!