refactor: restrict Token Creator role to self-impersonation in setup script#530
Open
DavidAPierce wants to merge 1 commit into
Conversation
shift IAM Grant from project level to service account level

Signed-off-by: David Pierce <davidapierce@google.com>
Description

This PR updates the `setup_workload_identity.sh` script to align the service account configuration with the principle of least privilege.

Why

The script previously granted the Service Account Token Creator role (`roles/iam.serviceAccountTokenCreator`) to the triage service account at the project level. This project-wide grant is broader than necessary for the CLI's token management needs. Restricting this role to the service account resource itself (allowing self-impersonation) is sufficient and follows Google Cloud best practices.

Changes

- `gcloud` command in `setup_workload_identity.sh`: use `gcloud iam service-accounts add-iam-policy-binding` targeting the specific service account resource, rather than `gcloud projects add-iam-policy-binding`.
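The distinction the PR draws (project-level Token Creator versus a binding on the service account resource itself) is easy to check after the fact from the IAM policies that `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json` return. The audit below is an added example, not code from this PR or the project's setup script; the service account email, project id and policy documents are constructed sample values, and the "before" policy mirrors the project-wide grant the PR removes while the "after" policy mirrors the self-impersonation binding it introduces.

```python
"""Audit where roles/iam.serviceAccountTokenCreator is bound.

Policies are expected in the JSON shape printed by
`gcloud projects get-iam-policy ... --format=json` and
`gcloud iam service-accounts get-iam-policy ... --format=json`.
All sample values below are constructed for this example.
"""
import json

TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"

# Constructed placeholder identity for the triage service account.
SA_EMAIL = "triage-sa@example-project.iam.gserviceaccount.com"
SA_MEMBER = "serviceAccount:" + SA_EMAIL

# "Before": the role is bound on the project, so the principal may create
# tokens for every service account in the project, not just itself.
BEFORE_PROJECT_POLICY = json.loads(json.dumps({
    "version": 1, "etag": "BwXconstructed=",
    "bindings": [
        {"role": "roles/viewer", "members": [SA_MEMBER]},
        {"role": TOKEN_CREATOR, "members": [SA_MEMBER]},
    ],
}))
BEFORE_SA_POLICY = {"etag": "ACAB"}  # no bindings on the SA resource

# "After": the project keeps only the unrelated viewer grant and the
# Token Creator binding lives on the service account resource itself.
AFTER_PROJECT_POLICY = {
    "version": 1, "etag": "BwXconstructed=",
    "bindings": [{"role": "roles/viewer", "members": [SA_MEMBER]}],
}
AFTER_SA_POLICY = {
    "version": 1, "etag": "BwYconstructed=",
    "bindings": [{"role": TOKEN_CREATOR, "members": [SA_MEMBER]}],
}


def members_with_role(policy, role):
    """Collect every member bound to `role` anywhere in an IAM policy."""
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role:
            members.update(binding.get("members", []))
    return members


def audit_token_creator(project_policy, sa_email, sa_policy):
    """Return a list of findings; an empty list is the least-privilege shape.

    Three things are checked:
      1. Token Creator bound at project level (over-broad, inherited by every SA).
      2. Principals other than the SA itself holding Token Creator on the SA.
      3. The SA having no effective self-impersonation grant at all.
    """
    findings = []
    sa_member = "serviceAccount:" + sa_email

    project_members = members_with_role(project_policy, TOKEN_CREATOR)
    for member in sorted(project_members):
        findings.append(
            f"project-level {TOKEN_CREATOR} bound to {member}: "
            "token creation is allowed on every service account in the project"
        )

    sa_members = members_with_role(sa_policy, TOKEN_CREATOR)
    for member in sorted(sa_members - {sa_member}):
        findings.append(f"{member} can create tokens for {sa_email}")

    # A project-level grant is inherited, so it still counts as an effective
    # self-grant here even though finding 1 flags it as too broad.
    if sa_member not in sa_members and sa_member not in project_members:
        findings.append(f"{sa_email} has no {TOKEN_CREATOR} grant on itself")

    return findings


def is_self_impersonation_only(project_policy, sa_email, sa_policy):
    """True when the only Token Creator grant is the SA on its own resource."""
    return audit_token_creator(project_policy, sa_email, sa_policy) == []


if __name__ == "__main__":
    for label, proj, sa in (("before", BEFORE_PROJECT_POLICY, BEFORE_SA_POLICY),
                            ("after", AFTER_PROJECT_POLICY, AFTER_SA_POLICY)):
        print(f"[{label}]")
        for finding in audit_token_creator(proj, SA_EMAIL, sa) or ["ok"]:
            print("  -", finding)
```

Running it against the two constructed policies reports the project-wide grant for the "before" shape and nothing for the "after" shape; pointing it at real `gcloud ... get-iam-policy --format=json` output is a quick way to confirm the script produced the intended binding and that nobody has since widened it.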