Skip to content

Commit f5be6fd

Browse files
henrybellhenrybell
authored
Add further IAM detail to documentation (#17)
This adds additional background and detail to the documentation on IAM configuration in `README.md`.
1 parent ef558ea commit f5be6fd

1 file changed

Lines changed: 73 additions & 44 deletions

File tree

README.md

Lines changed: 73 additions & 44 deletions
Original file line numberDiff line numberDiff line change
@@ -156,50 +156,6 @@ jobs:
156156
There are a few ways to authenticate this action. The caller must have
157157
permissions to access the secrets being requested.
158158

159-
You will need to authenticate to Google Cloud as a service account with the
160-
following roles:
161-
162-
- Cloud Deploy Releaser (`roles/clouddeploy.releaser`)
163-
- Can create and retrieve releases and rollouts
164-
165-
This service account needs to be a member of the service account used by Cloud
166-
Deploy, with role `Service Account User`. To grant a user permissions for a
167-
service account, use one of the methods found in [Configuring Ownership and
168-
access to a service account](https://cloud.google.com/iam/docs/granting-roles-to-service-accounts#granting_access_to_a_user_for_a_service_account)
169-
170-
By default, Cloud Deploy itself will use the `Compute Engine default service
171-
account`, `(PROJECT_NUMBER-compute@developer.gserviceaccount.com)` as described
172-
in the documentation for [IAM within Cloud Deploy][cd-iam]. This service
173-
account must have the `roles/clouddeploy.jobRunner` role in the Cloud Deploy
174-
project. Alternatively you may choose to configure Cloud Deploy to use a custom
175-
service account [as detailed in the Cloud Deploy documentation][cd-custom-sa].
176-
177-
The service account used by Cloud Deploy additionally needs permisisons that
178-
allow deployment of a service to your target runtime, [GKE][gke] or
179-
[Cloud Run][cloud-run], as described in the following sections.
180-
181-
### Cloud Run Authorization
182-
183-
To deploy to Cloud Run, the service account used by Cloud Deploy needs the following permissions:
184-
185-
- Cloud Run Developer (`roles/run.developer`)
186-
- Read and write access to all Cloud Run resources.
187-
188-
The service account additionally needs to be a member of the service account
189-
used by Cloud Run, with role `Service Account User`. This may be the `Compute
190-
Engine default service account,
191-
(PROJECT_NUMBER-compute@developer.gserviceaccount.com)` or a custom service
192-
account, depending on your configuration. To grant a user permissions for a
193-
service account, use one of the methods found in [Configuring Ownership and
194-
access to a service account](https://cloud.google.com/iam/docs/granting-roles-to-service-accounts#granting_access_to_a_user_for_a_service_account)
195-
196-
### GKE Authorization
197-
198-
To deploy to GKE, the service account used by Cloud Deploy needs the following permissions:
199-
200-
- Kubernetes Engine Developer (`roles/container.developer`)
201-
- Provides access to Kubernetes API objects inside clusters.
202-
203159
### Via google-github-actions/auth
204160

205161
Use [google-github-actions/auth](https://github.com/google-github-actions/auth)
@@ -250,6 +206,78 @@ jobs:
250206
The action will automatically detect and use the Application Default
251207
Credentials.
252208

209+
### Cloud Deploy Release Creation
210+
211+
To use the default Cloud Deploy configuration you will need to authenticate to
212+
Google Cloud as a service account with the following roles:
213+
214+
- Cloud Deploy Releaser (`roles/clouddeploy.releaser`)
215+
- To create and retrieve releases and rollouts
216+
- Cloud Storage Admin (`roles/storage.admin`)
217+
- To write release packages
218+
219+
This is in addition to any other roles that may be needed earlier in the
220+
pipeline, for example `roles/artifactregistry.writer` to allow images to be
221+
pushed to Artifact Registry.
222+
223+
By default, Cloud Deploy itself will use the `Compute Engine default service
224+
account`, `PROJECT_NUMBER-compute@developer.gserviceaccount.com` as described
225+
in the documentation for [IAM within Cloud Deploy][cd-iam], though for
226+
production use-cases it's recommended that you create one or more dedicated service
227+
accounts [as detailed in the Cloud Deploy documentation][cd-custom-sa]. A custom
228+
service account can be granted the `roles/clouddeploy.jobRunner` role in the Cloud
229+
Deploy project to enable required permissions.
230+
231+
You may find that Organizational Policy rules prevent certain permissions being
232+
assigned to default service accounts. In this case please consult with your
233+
organization administrators.
234+
235+
By default the service account used by Cloud Deploy requires the following roles:
236+
237+
- Cloud Logging Writer (`roles/logging.logWriter`)
238+
- To write logs
239+
- Cloud Storage Viewer (`storage/object.viewer`)
240+
- To read Cloud Deploy artifacts
241+
- Cloud Storage Creator (`storage/object.creator`)
242+
- To write Cloud Deploy artifacts
243+
244+
Depending on your Cloud Deploy configuration you may choose to create more
245+
granular roles for custom resources, rather than relying on the default.
246+
247+
The service account used by Cloud Deploy additionally needs permisisons that
248+
allow deployment of a service to your target runtime, [GKE][gke] or
249+
[Cloud Run][cloud-run], as described in the following sections. This could be:
250+
251+
- The default compute service account
252+
- The same custom service account you created for release creation, or
253+
- A separate custom service account dedicated to deployment.
254+
255+
### Cloud Run Authorization
256+
257+
To deploy to Cloud Run, the service account used by Cloud Deploy needs the
258+
following permissions:
259+
260+
- Cloud Run Developer (`roles/run.developer`)
261+
- Read and write access to all Cloud Run resources.
262+
263+
The service account additionally needs to be a member of the service account
264+
used by Cloud Run, with role `Service Account User`. This may be the `Compute
265+
Engine default service account, (PROJECT_NUMBER-compute@developer.gserviceaccount.com)`
266+
or a custom service account, depending on your configuration. To grant
267+
`iam.serviceAccounts.actAs` permissions for a service account, use one of the methods
268+
found in [the IAM documentation][sa-ownership-and-access].
269+
270+
### GKE Authorization
271+
272+
To deploy to GKE, the service account used by Cloud Deploy needs the following permissions:
273+
274+
- Kubernetes Engine Developer (`roles/container.developer`)
275+
- Provides access to Kubernetes API objects inside clusters.
276+
277+
In all cases, you should follow the principle of least privilege when assigning
278+
IAM roles. When possible, grant roles at the resource level as opposed to the
279+
project level.
280+
253281
## Example Workflows
254282

255283
- [Example workflows][examples] for `create-cloud-deploy-release`
@@ -291,5 +319,6 @@ This is not an officially supported Google product.
291319
[examples]: https://github.com/google-github-actions/example-workflows/tree/main/workflows/create-cloud-deploy-release
292320
[gke]: https://cloud.google.com/kubernetes-engine
293321
[sa]: https://cloud.google.com/iam/docs/creating-managing-service-accounts
322+
[sa-ownership-and-access]: https://cloud.google.com/iam/docs/manage-access-service-accounts#grant-single-role
294323
[skaffold-output]: https://skaffold.dev/docs/workflows/ci-cd/#traditional-continuous-delivery
295324
[wif]: https://cloud.google.com/iam/docs/workload-identity-federation

0 commit comments

Comments
 (0)