K8s-config-connector: Support IAMPolicyBinding (IAM Policy project level - misses out on auto generated bindings for enabled APIs)

Created on 3 Apr 2020  路  6Comments  路  Source: GoogleCloudPlatform/k8s-config-connector

Appreciate that there are warnings that are associated when using IAMPolicy at the project level (and we assume it will be similar against a particular resource, that it will simply overwrite iam at the project or resource level)

IAM Policy Project Level

With KCC, we went ahead and used IAMPolicy at project level, and observed that the auto-generated service accounts and bindings that are generated when certain google APIs are enabled were lost. And when we activated KCC these all got deleted.

The reason we want to use IAMPolicy at a project level is to avoid writing sheer number of IAMPolicyMember objects (which is a resource per member per role). It would be nice to be able to fully manage project-level IAM within that single resource.

So, any guidance would help on how we can effectively use IAMPolicy against a project?
For instance when we enable new APIs we need to add a binding as such (or are there other methods where such iam role bindings for auto-generated resources can be preserved).

This would help.

We would also like to know more about other such auto generated bindings (like when we enable APIs). We are concerned if we use KCC (IAM Policy at project level) we need to be extra-cautious on how not to miss out to add a binding the project level IAM Policy (which is normally auto-generated).

Best Regards

enhancement resource request

Most helpful comment

Hi @govinda-attal,

The reason we want to use IAMPolicy at a project level is to avoid writing sheer number of IAMPolicyMember objects (which is a resource per member per role)

How do you feel about the IAMBinding concept which allow you to specify one role with a list of members within a single resource. Will that satisfy your use case?

All 6 comments

Hi @govinda-attal,

The reason we want to use IAMPolicy at a project level is to avoid writing sheer number of IAMPolicyMember objects (which is a resource per member per role)

How do you feel about the IAMBinding concept which allow you to specify one role with a list of members within a single resource. Will that satisfy your use case?

Yes, sounds fantastic! Is it something which exists currently, or are we expecting soon?

This will be a new feature/CRD besides IAMPolicy and IAMPolicyMember. We are discussing the priority and the work effort and will update here when we have more information.

Hello @xiaobaitusi. Would IAMBinding be cumulative with IAMPolicy? For example, I'd like to bind roles/datafusion.serviceAgent to my SA along with enabling the service. But I don't want to add it to the IAMPolicy as well. Managing both is, well, un-manageable.

IAMPolicy should not be used together with IAMPolicyBinding or IAMPolicyMember as they will fight over what your policy should be.

See the detailed explanation from the terraform doc about this concept: https://www.terraform.io/docs/providers/google/r/pubsub_subscription_iam.html

Thanks for the detailed explanation. Love the one source of truth with IAMPolicy. Was just hoping for another option to supplement it.

Was this page helpful?
0 / 5 - 0 ratings