gcp: support projects with no default permissions #3656

3u13r · 2025-02-20T19:29:50Z

Context

When creating VMs we used to rely on the following points:

The default project service account is automatically attached to every VM in the project, which doesn't override it
The default service account used to have many permissions due having the Editor role attached by default (see: https://cloud.google.com/iam/docs/service-account-types#default)
Though, the scopes added to the VM filtered how this service account could be used

Since GCP now doesn't give the project service account Editor by default, we need to create our own service account with minimal permissions. Note that the filtering over scopes is deprecated, one should simply attach a service account with minimal permissions and maximum scope.

Not only the Bootstrapper on the VM but also the constellation-operator and join-service automatically used the project service account per default, since we didn't explicitly set the service account already create for (and used by) other cluster components.
Since we want the VMs permissions to be as narrow as possible, we need to pass the in-cluster service account to also the constellation-operator and join-service.

Proposed change(s)

Create a second very narrow, read-only service account and attach it to VMs
Don't filter via scope anymore
Attach the in-cluster service account to the constellation-operator and join-service

Checklist

Run the E2E tests that are relevant to this PR's changes
- ~~e2e upgrade. gcp, snp: https://github.com/edgelesssys/constellation/actions/runs/13443379097~~
- ~~e2e upgrade. gcp, snp: https://github.com/edgelesssys/constellation/actions/runs/13755459817~~
- ~~https://github.com/edgelesssys/constellation/actions/runs/13762021363~~
- https://github.com/edgelesssys/constellation/actions/runs/13763556980
Update docs
Add labels (e.g., for changelog category)
Is PR title adequate for changelog?
Link to Milestone

How to test:

Create/upgrade your gcp iam credentials
Successfully start a cluster, neither the bootstrapper, operator or the joinservice should error

netlify · 2025-02-20T19:31:48Z

✅ Deploy Preview for constellation-docs ready!

Name	Link
🔨 Latest commit	`760bbea`
🔍 Latest deploy log	https://app.netlify.com/sites/constellation-docs/deploys/67e2a67a7a53e60009fac6bf
😎 Deploy Preview	https://deploy-preview-3656--constellation-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

cli/internal/cloudcmd/iam.go

daniel-weisse

Does the new service account attached to the VMs have sufficient permissions for the GCP CSI driver?

cli/internal/cloudcmd/iamupgrade.go

cli/internal/cmd/iamcreategcp.go

docs/docs/getting-started/first-steps.md

elchead

owned files lgtm

terraform-provider-constellation/examples/full/gcp/main.tf

daniel-weisse

Getting an error when running e2e tests during constellation iam create:

 An error occurred: terraform apply: exit status 1
Error: "account_id" ("e2e-13852850608-1-fe70a4d4-sa-vm") must be between 6 and 30 characters long
  with google_service_account.service_account_vm,
  on main.tf line 22, in resource "google_service_account" "service_account_vm":
  22:   account_id   = local.sa_vm_name
Attempting to roll back.
Rollback succeeded.
Error: terraform apply: exit status 1
Error: "account_id" ("e2e-13852850608-1-fe70a4d4-sa-vm") must be between 6 and 30 characters long
  with google_service_account.service_account_vm,
  on main.tf line 22, in resource "google_service_account" "service_account_vm":
  22:   account_id   = local.sa_vm_name

https://github.com/edgelesssys/constellation/actions/runs/13852850608/job/38763459800

terraform/infrastructure/iam/gcp/main.tf

cli/internal/cloudcmd/iamupgrade.go

3u13r · 2025-03-14T13:59:26Z

Thanks for the review!
New e2e tests:
gcp, sev-snp, nop: https://github.com/edgelesssys/constellation/actions/runs/14056297468
gcp, sev-snp, upgrade: https://github.com/edgelesssys/constellation/actions/runs/14022672132
gcp, sev-es, upgrade: https://github.com/edgelesssys/constellation/actions/runs/14048525890

msanft

Ignored all the nits for now so we can get this PR through with.

My only observation is that we seem to (partly) attach the roles on K8s resource level now. Wouldn't it be enough to just attach the accounts to the VMs on Terraform level?
Just for my understanding.

Otherwise, good to merge for me.

This service account is used in the following commits and is attached to the VMs

… config

github-actions · 2025-03-25T13:05:48Z

Coverage report

Package	Old	New	Trend
cli/internal/cloudcmd	63.90%	63.70%	↘️
cli/internal/cmd	57.90%	57.80%	↘️
cli/internal/terraform	69.60%	69.80%	↗️
internal/config	77.10%	77.20%	↗️

github-actions · 2025-03-25T13:07:24Z

Coverage report

Package	Old	New	Trend
cli/internal/cloudcmd	63.90%	63.70%	↘️
cli/internal/cmd	57.90%	57.80%	↘️
cli/internal/terraform	69.60%	69.80%	↗️
internal/config	77.10%	77.20%	↗️

3u13r added the feature This introduces new functionality label Feb 20, 2025

3u13r added this to the v2.21.0 milestone Feb 20, 2025

msanft reviewed Feb 20, 2025

View reviewed changes

cli/internal/cloudcmd/iam.go Outdated Show resolved Hide resolved

3u13r added the breaking change Change breaks existing API or configuration. label Feb 20, 2025

3u13r force-pushed the euler/feat/gcp/vm-serviceaccount branch 2 times, most recently from b1b1b65 to 29cab93 Compare March 10, 2025 10:08

3u13r added the iam upgrade Indicate that a cluster upgrade requires `iam upgrade apply` label Mar 10, 2025

3u13r force-pushed the euler/feat/gcp/vm-serviceaccount branch 3 times, most recently from 8c8587b to ce22bed Compare March 10, 2025 13:14

3u13r marked this pull request as ready for review March 10, 2025 13:21

3u13r requested review from elchead, burgerdev, derpsteb, thomasten and daniel-weisse as code owners March 10, 2025 13:21

daniel-weisse reviewed Mar 10, 2025

View reviewed changes

cli/internal/cloudcmd/iamupgrade.go Outdated Show resolved Hide resolved

cli/internal/cmd/iamcreategcp.go Show resolved Hide resolved

cli/internal/cmd/iamcreategcp.go Outdated Show resolved Hide resolved

docs/docs/getting-started/first-steps.md Outdated Show resolved Hide resolved

elchead approved these changes Mar 10, 2025

View reviewed changes

terraform-provider-constellation/examples/full/gcp/main.tf Outdated Show resolved Hide resolved

3u13r force-pushed the euler/feat/gcp/vm-serviceaccount branch from ce22bed to 6b0ae20 Compare March 12, 2025 14:17

3u13r requested review from daniel-weisse and msanft March 12, 2025 14:18

3u13r force-pushed the euler/feat/gcp/vm-serviceaccount branch from 6b0ae20 to e1175a7 Compare March 12, 2025 14:47

daniel-weisse reviewed Mar 14, 2025

View reviewed changes

terraform/infrastructure/iam/gcp/main.tf Outdated Show resolved Hide resolved

terraform/infrastructure/iam/gcp/main.tf Outdated Show resolved Hide resolved

terraform/infrastructure/iam/gcp/main.tf Outdated Show resolved Hide resolved

msanft reviewed Mar 14, 2025

View reviewed changes

cli/internal/cloudcmd/iamupgrade.go Show resolved Hide resolved

3u13r force-pushed the euler/feat/gcp/vm-serviceaccount branch 2 times, most recently from 26ffa8d to f778d4e Compare March 14, 2025 13:56

3u13r force-pushed the euler/feat/gcp/vm-serviceaccount branch 2 times, most recently from 64d6c30 to 697a986 Compare March 23, 2025 20:21

3u13r force-pushed the euler/feat/gcp/vm-serviceaccount branch from 697a986 to 34b62f6 Compare March 25, 2025 00:07

msanft approved these changes Mar 25, 2025

View reviewed changes

3u13r force-pushed the euler/feat/gcp/vm-serviceaccount branch from 34b62f6 to 76170d4 Compare March 25, 2025 09:38

3u13r added 5 commits March 25, 2025 13:40

helm/gcp: use service account in operator and joinservice

1cc195d

helm: format operator testdata

1033501

terraform/iam: create additional service account for VMs

dbe7f50

This service account is used in the following commits and is attached to the VMs

config: pass VM service account from iam create to cluster create via…

44d829b

… config

cli/iamcreate: limit name prefix length

8924d24

3u13r force-pushed the euler/feat/gcp/vm-serviceaccount branch from 76170d4 to 8924d24 Compare March 25, 2025 12:41

3u13r modified the milestones: v2.21.0, v2.22.0 Mar 25, 2025

docs: add minimal gcp IAM permissions

760bbea

3u13r merged commit 66815a4 into main Mar 25, 2025
13 checks passed

3u13r deleted the euler/feat/gcp/vm-serviceaccount branch March 25, 2025 13:13

heilerich mentioned this pull request Apr 15, 2025

GCP: VM SA created with official terraform module is missing permissions #3766

Open

msanft mentioned this pull request Apr 22, 2025

terraform: make GCP SA id optional #3777

Merged

3 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

gcp: support projects with no default permissions #3656

gcp: support projects with no default permissions #3656

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

gcp: support projects with no default permissions #3656

gcp: support projects with no default permissions #3656

Uh oh!

Conversation

Uh oh!

Context

Proposed change(s)

Checklist

Uh oh!

Uh oh!

✅ Deploy Preview for constellation-docs ready!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Coverage report

Uh oh!

Coverage report

Uh oh!

Uh oh!

Uh oh!