Josh

Reputation: 2869

GCP limit service account to have conditional access to a single instance

I'd like to set up an instance schedule and apparently this requires the service account to have compute.instances.start/stop permissions. The only way to do this is to enable the service account to have admin privileges which adds a whole host of (in my case) unnecessary permissions that come associated with the role.

So I'd like to keep the default role as "Compute Engine Service Agent" and add the admin role with a condition that it only applies to a single VM. So I tried setting the condition as:

resource.type == "compute.googleapis.com/Instance"
resource.name == "//compute.googleapis.com/projects/<project>/zones/<zone>/instances/<name>"

however I still get an IAM error when I try to apply the schedule. Should this approach work, and what format does 'name' need to be?

Also what are the security risks of setting an unconditional role here? The documentation basically says "set it" without any further qualification.

EDIT: This condition (above) doesn't seem to scope correctly at all; all VMs show that my service account has the admin role. It's as if the resource.name is ignored.

I can correctly set this role, scoped to a single VM, using the "Permissions" tab on the Compute Engine Instances page, but still two questions:

  1. It seems like the Compute Admin (beta) conditions aren't sufficient, even though they contain instance start/stop. v1 does work though, when set via instance permissions. What's the difference?
  2. How can I set the condition correctly as an IAM rule, rather than manually per instance?

Upvotes: 1

Views: 1150

Answers (1)

Gabriel Robledo Ahumada

Reputation: 1691

A better approach would be to create a custom role with just the start/stop permissions and then bind that role to the Compute Engine Service Agent service account.

To create the custom role:

gcloud iam roles create Scheduler --project=$PROJECT_ID \
    --title=Scheduler \
    --description="Schedule a VM instance to start/stop" \
    --permissions=compute.instances.start,compute.instances.stop

And to bind the custom role to the Compute Engine Service Agent:

gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:[email protected]" \
    --role="projects/$PROJECT_ID/roles/Scheduler"

This way you avoid the conditional part and just grant the start/stop permissions as I believe was your original intention.

Upvotes: 2
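The answer's point is that a narrow custom role is safer than Compute Admin, conditional or not: a condition only narrows where a role applies, it does not shrink the role's permission set, and (as the question found) a mis-scoped condition can leave the broad grant in place everywhere. The following is an added audit script, not code from the question or the answer, that reads a project IAM policy in the JSON shape `gcloud projects get-iam-policy PROJECT_ID --format=json` prints, lists every binding for the Compute Engine Service Agent, flags broad roles and conditional bindings, and checks that the account ends up holding only the custom role the answer creates. The policy document, service-agent address (the project number is a placeholder), project id, zone and VM name are all constructed for the example, and the "Admin"-in-the-name heuristic for predefined roles is an assumption, not an authoritative list.

```python
"""Least-privilege audit of a GCP project IAM policy for one service account.

Added example, not code from the question or the answer above.  The policy
below is CONSTRUCTED in the shape `gcloud projects get-iam-policy PROJECT_ID
--format=json` prints; project id/number, zone and VM name are placeholders.
"""
import json
import re

# Assumed member string for the Compute Engine Service Agent; the project
# number is a placeholder.
SERVICE_AGENT = (
    "serviceAccount:service-123456789012@compute-system.iam.gserviceaccount.com"
)

# Constructed policy: the state the question ends up in (service agent role,
# a conditional Compute Admin grant) plus the custom role from the answer.
SAMPLE_POLICY_JSON = json.dumps({
    "version": 3,
    "etag": "BwXplaceholder=",
    "bindings": [
        {"role": "roles/compute.serviceAgent", "members": [SERVICE_AGENT]},
        {
            "role": "roles/compute.admin",
            "members": [SERVICE_AGENT],
            "condition": {
                "title": "single-vm",
                "expression": (
                    'resource.type == "compute.googleapis.com/Instance" && '
                    'resource.name == "//compute.googleapis.com/projects/'
                    'my-project/zones/us-central1-a/instances/my-vm"'
                ),
            },
        },
        {"role": "projects/my-project/roles/Scheduler", "members": [SERVICE_AGENT]},
    ],
})

BROAD_ROLES = {"roles/owner", "roles/editor"}


def classify_role(role: str) -> str:
    """Bucket a role id for the report.  Custom roles live under projects/
    or organizations/; treating any predefined role with "Admin" in its
    name as broad is a naming heuristic (assumption), not an official list."""
    if role.startswith(("projects/", "organizations/")):
        return "custom"
    if role in BROAD_ROLES or re.search(r"[aA]dmin", role):
        return "broad"
    if role.endswith(".serviceAgent"):
        return "service-agent"
    return "predefined"


def bindings_for(policy: dict, member: str) -> list:
    """All bindings (conditional or not) that name this member."""
    return [b for b in policy.get("bindings", []) if member in b.get("members", [])]


def audit(policy_json: str, member: str) -> list:
    """One finding per binding of `member`, with the issues a reviewer would
    raise.  Conditions are reported but not evaluated: a condition narrows
    where a role applies, it does not remove permissions from the role."""
    policy = json.loads(policy_json)
    findings = []
    for b in bindings_for(policy, member):
        cond = b.get("condition")
        kind = classify_role(b["role"])
        issues = []
        if kind == "broad":
            issues.append("broad role granted to an automation identity")
        if cond is not None and policy.get("version", 1) < 3:
            # Conditional role bindings require IAM policy version 3.
            issues.append("conditional binding in a policy below version 3")
        findings.append({
            "role": b["role"],
            "kind": kind,
            "conditional": cond is not None,
            "condition": None if cond is None else cond.get("expression"),
            "issues": issues,
        })
    return findings


def least_privilege_ok(findings: list, required_role: str) -> bool:
    """True when the member holds the narrow custom role and nothing broad."""
    return (any(f["role"] == required_role for f in findings)
            and not any(f["kind"] == "broad" for f in findings))


def without_role(policy_json: str, member: str, role: str) -> str:
    """Policy as it would look after removing `member` from every binding of
    `role` (the remediation the audit points at); empty bindings are dropped."""
    policy = json.loads(policy_json)
    kept = []
    for b in policy.get("bindings", []):
        if b["role"] == role and member in b.get("members", []):
            b = {**b, "members": [m for m in b["members"] if m != member]}
            if not b["members"]:
                continue
        kept.append(b)
    return json.dumps({**policy, "bindings": kept})


if __name__ == "__main__":
    for f in audit(SAMPLE_POLICY_JSON, SERVICE_AGENT):
        print(f["kind"], f["role"], f["conditional"], f["issues"])
    fixed = without_role(SAMPLE_POLICY_JSON, SERVICE_AGENT, "roles/compute.admin")
    print("least privilege:",
          least_privilege_ok(audit(fixed, SERVICE_AGENT),
                             "projects/my-project/roles/Scheduler"))
```

Run against a real policy by replacing SAMPLE_POLICY_JSON with the output of the get-iam-policy command and SERVICE_AGENT with the project's actual service-agent address; the two gcloud commands in the answer are what produce the custom-role binding the check looks for, and the audit only passes once the Compute Admin binding is gone as well.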
