From 6549ef8075d2b67bbc23d2fec870a333a9052eb1 Mon Sep 17 00:00:00 2001 From: Steve Kriss Date: Mon, 16 Apr 2018 15:11:44 -0700 Subject: [PATCH] GCP: create/use IAM role with minimal set of permissions Signed-off-by: Steve Kriss --- docs/gcp-config.md | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/docs/gcp-config.md b/docs/gcp-config.md index faa12d8b8..aac2273ff 100644 --- a/docs/gcp-config.md +++ b/docs/gcp-config.md @@ -44,12 +44,29 @@ To integrate Heptio Ark with GCP, create an Ark-specific [Service Account][15]: 3. Attach policies to give `heptio-ark` the necessary permissions to function: ```bash + BUCKET= + + ROLE_PERMISSIONS=( + compute.disks.get + compute.disks.create + compute.disks.createSnapshot + compute.snapshots.get + compute.snapshots.create + compute.snapshots.useReadOnly + compute.snapshots.delete + compute.projects.get + ) + + gcloud iam roles create heptio_ark.server \ + --project $PROJECT_ID \ + --title "Heptio Ark Server" \ + --permissions "$(IFS=","; echo "${ROLE_PERMISSIONS[*]}")" + gcloud projects add-iam-policy-binding $PROJECT_ID \ --member serviceAccount:$SERVICE_ACCOUNT_EMAIL \ - --role roles/compute.storageAdmin - gcloud projects add-iam-policy-binding $PROJECT_ID \ - --member serviceAccount:$SERVICE_ACCOUNT_EMAIL \ - --role roles/storage.admin + --role projects/$PROJECT_ID/roles/heptio_ark.server + + gsutil iam ch serviceAccount:$SERVICE_ACCOUNT_EMAIL:objectAdmin gs://${BUCKET} ``` 4. Create a service account key, specifying an output file (`credentials-ark`) in your local directory:
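Review bot: `BUCKET=` in the new block is assigned nothing, yet it feeds `gs://${BUCKET}` in the final `gsutil iam ch` line, so a reader who pastes the snippet as-is will run `gsutil iam ch ... gs://` and get an error; give it a placeholder in the same style as the other variables the doc has the user fill in (e.g. `BUCKET=<YOUR_BUCKET>`) and say it must be the bucket named in the Ark config. Two smaller points on the same hunk: the doc drops the `roles/compute.storageAdmin` and `roles/storage.admin` bindings from the instructions but says nothing to users who already followed the old steps, so a short note with `gcloud projects remove-iam-policy-binding $PROJECT_ID --member serviceAccount:$SERVICE_ACCOUNT_EMAIL --role roles/storage.admin` (and the same for `roles/compute.storageAdmin`) would let them actually shed the broad grants this change is meant to remove; and it is worth stating that `objectAdmin` in `gsutil iam ch` is the bucket-scoped `roles/storage.objectAdmin`, so the bucket must already exist and the account running the command needs permission to edit its IAM policy.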