GCP: create/use IAM role with minimal set of permissions

Signed-off-by: Steve Kriss <steve@heptio.com>
2018-04-16 15:11:44 -07:00 · 2018-04-16 15:11:44 -07:00 · 6549ef8075
parent 71e1e2990e
commit 6549ef8075
1 changed files with 21 additions and 4 deletions
--- a/docs/gcp-config.md
+++ b/docs/gcp-config.md
@ -44,12 +44,29 @@ To integrate Heptio Ark with GCP, create an Ark-specific [Service Account][15]:
 3. Attach policies to give `heptio-ark` the necessary permissions to function:

    ```bash
+    BUCKET=<YOUR_BUCKET>
+    
+    ROLE_PERMISSIONS=(
+        compute.disks.get
+        compute.disks.create
+        compute.disks.createSnapshot
+        compute.snapshots.get
+        compute.snapshots.create
+        compute.snapshots.useReadOnly
+        compute.snapshots.delete
+        compute.projects.get
+    )
+
+    gcloud iam roles create heptio_ark.server \
+        --project $PROJECT_ID \
+        --title "Heptio Ark Server" \
+        --permissions "$(IFS=","; echo "${ROLE_PERMISSIONS[*]}")"    
+
    gcloud projects add-iam-policy-binding $PROJECT_ID \
        --member serviceAccount:$SERVICE_ACCOUNT_EMAIL \
-        --role roles/compute.storageAdmin
-    gcloud projects add-iam-policy-binding $PROJECT_ID \
-        --member serviceAccount:$SERVICE_ACCOUNT_EMAIL \
-        --role roles/storage.admin
+        --role projects/$PROJECT_ID/roles/heptio_ark.server
+
+    gsutil iam ch serviceAccount:$SERVICE_ACCOUNT_EMAIL:objectAdmin gs://${BUCKET}
    ```

 4. Create a service account key, specifying an output file (`credentials-ark`) in your local directory: