
Allow the use of delegated service accounts in ProviderConfig

Open · lewismarshall opened this issue 3 years ago · 0 comments

What problem are you facing?

I would like to use specific, least-privileged access for provisioning GCP resources without managing additional credentials in Crossplane wherever possible.

How could Crossplane help solve your problem?

Adding a field e.g. impersonateServiceAccount to the ProviderConfig would allow GCP service accounts to impersonate other service accounts for specific GCP access.

This would work from both workload identity (see #173) AND credentials, and would allow only the highly specific access service accounts to be created and used.

As only a single workload identity service account or credential would be required, extra permissions can be added as and when an organisation starts using new resources, and Crossplane would not need redeploying to use them.

An example use of impersonateServiceAccount in the ProviderConfig spec, e.g.:

```yaml
apiVersion: gcp.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  name: cloudsql
spec:
  credentials:
    impersonateServiceAccount: "[email protected]"
    ...
```

And to consume the correct access for provisioning a specific resource:

```yaml
apiVersion: database.gcp.crossplane.io/v1beta1
kind: CloudSQLInstance
metadata:
  name: my-db
spec:
  providerConfigRef:
    name: cloudsql
  ...
```

This provides a similar capability to the related issue: https://github.com/crossplane/provider-aws/issues/606

lewismarshall · Mar 26 '21 14:03
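The proposal rests on one IAM relationship: the account the provider runs as (workload identity or key) must be allowed to mint tokens for the account named in impersonateServiceAccount, which means roles/iam.serviceAccountTokenCreator on the target, and nothing wider. The check below is an added example, not code from provider-gcp or from the issue author; the service-account e-mail and the policy documents are constructed placeholders in the shape that getIamPolicy returns.

```python
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
OVERBROAD = ("allUsers", "allAuthenticatedUsers")


def check_impersonation_policy(source_sa: str, target_policy: dict) -> tuple[bool, list[str]]:
    """Return (ok, findings) for one ProviderConfig's impersonation target.

    source_sa:     e-mail of the account the provider pod runs as.
    target_policy: IAM policy of the account in impersonateServiceAccount, in the
                   {"bindings": [{"role": ..., "members": [...]}]} shape.
    """
    member = f"serviceAccount:{source_sa}"
    findings = []
    granted = False
    for binding in target_policy.get("bindings", []):
        role, members = binding.get("role"), binding.get("members", [])
        if role == TOKEN_CREATOR:
            granted = granted or member in members
            # Anyone holding this role can act as the target, so public or
            # domain-wide grants defeat the "highly specific access" goal.
            for m in members:
                if m in OVERBROAD or m.startswith("domain:"):
                    findings.append(f"{TOKEN_CREATOR} granted to {m}")
        elif member in members:
            # Impersonation needs only tokenCreator; any other role on the target is excess.
            findings.append(f"{member} also holds {role} on the target; not needed for impersonation")
    if not granted:
        findings.append(f"{member} lacks {TOKEN_CREATOR} on the target; impersonation would fail")
    return (granted and not findings), findings


# Constructed sample: the single workload-identity account the provider runs as (placeholder
# name) and two candidate policies for the target account from the ProviderConfig example.
SOURCE_SA = "crossplane-provider@example-project.iam.gserviceaccount.com"
GOOD_POLICY = {"bindings": [{"role": TOKEN_CREATOR, "members": [f"serviceAccount:{SOURCE_SA}"]}]}
BAD_POLICY = {"bindings": [
    {"role": TOKEN_CREATOR, "members": [f"serviceAccount:{SOURCE_SA}", "allAuthenticatedUsers"]},
    {"role": "roles/iam.serviceAccountKeyAdmin", "members": [f"serviceAccount:{SOURCE_SA}"]},
]}

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        ok, findings = check_impersonation_policy(SOURCE_SA, policy)
        print(name, "ok" if ok else "NOT ok", findings)
```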