GCP grant a service account permission to write in a GCS bucket with Deployment Manager

Question

In a Deployment Manager Jinja template I'm trying to create log sinks:

- name: {{ ALOGSINK }}
  type: gcp-types/logging-v2:projects.sinks
  properties:
    sink: {{ ALOGSINK }}
    parent: projects/{{ PROJECT }}
    uniqueWriterIdentity: true
    outputVersionFormat: V2
    destination: storage.googleapis.com/{{ LOGGINGBUCKET }}
    filter: >-
      resource.type="deployment" AND
      resource.labels.name="{{ DEPLOYMENT }}"

I would prefer to configure them to use "unique writer identity" when writing to the destination, a GCS bucket.

This means that a specific service account will be created automatically for every log sink.

And it's necessary to grant permissions to this service account to write to the specified (and already existing) bucket.

So in the section of the template which grants the permissions I could refer to the service accounts identities (email addresses) using $(ref.logsink>.writerIdentity).

And now for the interesting part - the only reliable method to add binding to a bucket's ACL is by using the insert method of the BucketAccessControls object:

- name:  {{ LOGGINGBUCKET }}-{{ ALOGSINK }}-acl
  action: gcp-types/storage-v1:storage.BucketAccessControls.insert
  properties:
    bucket: $(ref.bucket-name)
    entity: user-$(ref.{{ ALOGSINK }}.writerIdentity}
    role: WRITER

And the problem is the writerIdentity is in the form of serviceAccount:<email>, but the entity expected by the insert method should be in the form of user-<email>.

And can't find a way to fit the former into the latter.

Looking at the [API reference](https://cloud.google.com/storage/docs/json_api/v1/bucketAccessControls/insert) there's no mention for service account, even though there's a mention for groups (`group-email`). One possibility is to create a group under your GSuite organization and add the service account to that group — manasouza, Jul 04 '19 at 19:16
There's already a group ([cloud-logs@google.com](https://cloud.google.com/logging/docs/api/tasks/exporting-logs#using_the_shared_writer_identity)) that could be used for all log sinks when they are set to use the "shared writer identity" (the opposite of the "unique writer identity"). The problem is I would like to avoid using the "shared writer identity". And if I have to add a service account to a group in a DM template, the deployment manager's service account needs even more permissions/roles. — Milen A. Radev, Jul 12 '19 at 08:06
@MilenA.Radev have you managed to solve this? Have a similar case: I already have a Container Registry up (it is created outside of Deployment Manager), and it's associated bucket; I would like to add ACL bucket binding for my Kubernetes service account (whole k8s infrastructure is deployed via Deployment Manager, even apps deployment is automated via Flux, so having this manual step of associating binding by hand is unacceptable to me) — Ivan, Jul 12 '19 at 15:47

score 2 · Answer 1 · answered Oct 23 '19 at 15:03

2

Probably you want to use bucket IAM policies, that do support Service Accounts:

https://cloud.google.com/storage/docs/json_api/v1/buckets/setIamPolicy

I do agree is a bit misleading, and it's natural to think BucketAccessControls should also support Service Accounts...

answered Oct 23 '19 at 15:03

caba

31
3

Links to external resources are encouraged, but please add context around the link so your fellow users will have some idea what it is and why it’s there. Always quote the most relevant part of an important link, in case the target site is unreachable or goes permanently offline. See: [How to anwser](https://stackoverflow.com/help/how-to-answer). – Eduardo Baitello Oct 23 '19 at 15:22
Already tried that - it overwrites the current bindings with the one supplied. Which means you need to "call" [`getIamPolicy`](https://cloud.google.com/storage/docs/json_api/v1/buckets/getIamPolicy), add new bindings and "call" `setIamPolicy` with that. Which is a bit problematic. – Milen A. Radev Oct 23 '19 at 21:44
sorry, not using the API directly/via Ansible but with Terraform, that gives you different primitives (hope via API you have something equivalent) depending if you want to override or just incorporate: https://www.terraform.io/docs/providers/google/r/storage_bucket_iam.html – caba Oct 24 '19 at 16:31

GCP grant a service account permission to write in a GCS bucket with Deployment Manager

1 Answers1