vmware-archive / terraforming-gcp

use terraform, deploy yourself a pcf
Apache License 2.0

Service accounts need more role permissions for PKS #115

Closed carlhejiayu closed 5 years ago

carlhejiayu commented 5 years ago

The Terraform for the PKS IAM roles differs from the documentation. Currently, out of the box, we were unable to create a cluster after the infrastructure was deployed with Terraform. The additional changes needed from the documentation for successful cluster creation were to add more roles to the Ops Manager and master PKS service accounts. (https://docs.pivotal.io/runtimes/pks/1-1/gcp-service-accounts.html)

Ops Manager:

PKS Master:

It should also be noted that there are inconsistencies in the usage of the ServiceAccountUser role. This role is being deprecated and should be replaced with ServiceAccountActor. To get the equivalent of ServiceAccountUser, we would need, in addition to ServiceAccountActor, to include ServiceAccountTokenCreator.

carlhejiayu commented 5 years ago

Additional information: Our current terraforming-gcp version is 0.28.0

After further testing, we also noticed that the service account "master" for PKS created through Terraform is unable to compute.zones.list. However, if we manually create service accounts with the same roles through the web browser, we are able to run gcloud compute zones list for our manually created account. The Terraform-created account errors when we run the same command with:

ERROR: (gcloud.compute.zones.list) Some requests did not succeed:
 - Required 'compute.zones.list' permission for <PROJECT NAME>

matthewfischer commented 5 years ago

I've seen similar before. Can you check in your browser whether you granted instanceAdmin.v1 or instanceAdmin beta?

oahcran commented 5 years ago

I have noticed the same issue: the PKS IAM roles are different from the PKS documents, for both the Ops Manager SA and the PKS master node SA. I have used v0.54.0 as well as the master branch and see the errors.

for example, the Ops Manager SA Roles from Docs -

ROLE
roles/compute.instanceAdmin.v1
roles/compute.networkAdmin
roles/compute.storageAdmin
roles/iam.serviceAccountKeyAdmin
roles/iam.serviceAccountUser
roles/storage.admin

and Ops Manager SA roles from terraform

ROLE
roles/compute.instanceAdmin
roles/compute.networkAdmin
roles/compute.storageAdmin
roles/iam.serviceAccountActor
roles/storage.admin

I corrected those in the repo (https://github.com/oahcran/terraforming-gcp/tree/pks-iam-roles); let me know if a PR would be accepted.
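A quick way to confirm the mismatch described above on a live project is to diff the roles actually bound to a service account against the documented list, rather than eyeballing the IAM page. The script below is an added example for this thread, not code from terraforming-gcp or the PKS docs. It assumes the JSON shape produced by `gcloud projects get-iam-policy PROJECT --format=json` (a `bindings` array of `{role, members}` objects with members prefixed `serviceAccount:`); the service account email, the `user:` entries and the extra `roles/owner` binding in the embedded sample policy are constructed for the example. The sample reproduces the Ops Manager roles the thread says Terraform grants, checked against the documented list.

```python
"""Diff the IAM roles bound to a service account against a documented list.

Added example for the terraforming-gcp PKS role discussion; not project code.
Input shape assumed: `gcloud projects get-iam-policy PROJECT --format=json`.
"""
import json

# Ops Manager SA roles from the PKS docs, as quoted in the thread.
DOCS_OPS_MANAGER_ROLES = frozenset({
    "roles/compute.instanceAdmin.v1",
    "roles/compute.networkAdmin",
    "roles/compute.storageAdmin",
    "roles/iam.serviceAccountKeyAdmin",
    "roles/iam.serviceAccountUser",
    "roles/storage.admin",
})

# Constructed sample policy: the Ops Manager roles the thread says Terraform
# grants, plus unrelated bindings. The SA email and user entries are made up.
SAMPLE_SA_EMAIL = "opsman@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY_JSON = json.dumps({
    "bindings": [
        {"role": "roles/compute.instanceAdmin",
         "members": ["serviceAccount:" + SAMPLE_SA_EMAIL, "user:alice@example.com"]},
        {"role": "roles/compute.networkAdmin",
         "members": ["serviceAccount:" + SAMPLE_SA_EMAIL]},
        {"role": "roles/compute.storageAdmin",
         "members": ["serviceAccount:" + SAMPLE_SA_EMAIL]},
        {"role": "roles/iam.serviceAccountActor",
         "members": ["serviceAccount:" + SAMPLE_SA_EMAIL]},
        {"role": "roles/storage.admin",
         "members": ["serviceAccount:" + SAMPLE_SA_EMAIL]},
        {"role": "roles/owner",
         "members": ["user:alice@example.com"]},
    ],
})


def roles_for_member(policy, member):
    """Return the set of roles whose binding lists `member` directly.

    Role IDs are compared as exact strings, so roles/compute.instanceAdmin
    (beta) and roles/compute.instanceAdmin.v1 are reported as different roles.
    """
    return {
        b["role"]
        for b in policy.get("bindings", [])
        if member in b.get("members", [])
    }


def diff_roles(policy, sa_email, expected):
    """Return roles the SA is missing versus `expected` and roles it has on top."""
    actual = roles_for_member(policy, "serviceAccount:" + sa_email)
    return {
        "missing": sorted(set(expected) - actual),
        "extra": sorted(actual - set(expected)),
    }


def check_sample():
    """Run the diff on the constructed sample policy."""
    policy = json.loads(SAMPLE_POLICY_JSON)
    return diff_roles(policy, SAMPLE_SA_EMAIL, DOCS_OPS_MANAGER_ROLES)


if __name__ == "__main__":
    # To check a real project, replace the sample with:
    #   policy = json.load(open("policy.json"))  # from gcloud ... --format=json
    result = check_sample()
    print("missing:", *result["missing"], sep="\n  ")
    print("extra:", *result["extra"], sep="\n  ")
```

Two caveats for anyone using this as a gate: a project-level policy does not show roles inherited from folder or organization bindings, nor roles granted through a group the service account belongs to, so a clean diff is necessary but not sufficient. Conversely, the definitive test for a specific permission such as `compute.zones.list` is still the one used in the thread, running `gcloud compute zones list` while authenticated as that service account.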

zachgersh commented 5 years ago

@oahcran we'd gladly accept a PR for this. Sorry for the delay!

oahcran commented 5 years ago

@zachgersh not a problem. I noticed the doc was updated to replace roles/iam.serviceAccountKeyAdmin with roles/iam.serviceAccountTokenCreator. I will create a PR after making the changes and testing.