Reputation: 19312
Google Cloud Platform: Minimal IAM permissions for gcloud command
I am trying to find in the official GCP documentation the exact permission (not Role) that corresponds to the ability to invoke this command
gcloud container clusters resize
The list does not include such a permission.
Any suggestion about the least privilege that needs to be granted for such an operation?
Upvotes: 0
Views: 533
Answers (1)
Reputation: 11237
gcloud container clusters resize operation probably needs the caller to have container.clusters.update permission. You can find this permission in the following predefined roles :
- Kubernetes Engine Admin (
roles/container.admin) - Kubernetes Engine Cluster Admin (
roles/container.clusterAdmin)
See Kubernetes Engine roles. I have not listed other roles containing this permission because they are too broad (roles/owner, roles/editor) or not appropriate (roles/composer.worker).
Based on the principle of least privilege and if you want to keep things simple using predefined roles, your user only needs to be granted roles/container.clusterAdmin because roles/container.clusterAdmin role contains a subset of roles/container.admin permissions.
Additionally, if you want/need to be more restrictive, you could also create a custom role with only the permission you need.
Upvotes: 1
Related Questions
- How do I grant a specific permission to a Cloud IAM service account using the gcloud CLI?
- IAM role condition not applying
- service account permission issue while deploying cloud function
- How to resolve GCloud permissions?
- What IAM permissions do I need for a service key that can run "gcloud builds submit" and "gcloud run deploy"?
- Can't figure out OS Login IAM permissions
- How to give permission for an IAM service account to run a docker container within a GCP VM?
- How to set service account permission from IAM api
- Google Cloud permissions
- Problems with permissions on Google Cloud IAM