clusterfuzz

IAM Policy bindings are limited to 1500

Open oliverchang opened this issue 3 years ago • 2 comments

https://cloud.google.com/iam/quotas#limits

This causes issues for OSS-Fuzz, because we create a service account and grant metrics writer + logging roles for each project. This counts as 2x number of oss-fuzz projects.

oliverchang Sep 09 '22 01:09

Groups count as a single binding -- the fix would be to add these service accounts to a group instead of individually.

oliverchang Sep 09 '22 02:09

Some challenges with this:

A public @googlegroups.com group does not have an API to add members programmatically.

As a way to stem the bleeding for now, I might manually migrate the existing service accounts to this group, and have new ones use the old mechanism.

oliverchang avatar Sep 09 '22 03:09 oliverchang
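The consolidation discussed in this thread, as an added example that is not code from ClusterFuzz or OSS-Fuzz: it counts member entries in an allow policy and replaces per-project service accounts with one group entry per role, moving only accounts that already hold every listed role so that group membership does not widen anyone's access. The role IDs, the group address, the account naming pattern and the sample policy are assumptions constructed for illustration.

```python
import re

LIMIT = 1500  # per-policy limit cited in the issue

def principal_count(policy):
    """Every member entry counts; an account in two roles counts twice."""
    return sum(len(b.get("members", [])) for b in policy.get("bindings", []))

def consolidate(policy, roles, pattern, group):
    """Swap matching service accounts for one group entry per role.

    Only accounts that hold every role in `roles` are moved, so joining the
    group grants an account nothing it lacked. Conditional bindings are left
    alone. Returns (new_policy, accounts_to_add_to_group).
    """
    rx = re.compile(pattern)
    def is_target(b):
        return b["role"] in roles and "condition" not in b
    held = {role: set() for role in roles}
    for b in filter(is_target, policy["bindings"]):
        held[b["role"]].update(m for m in b["members"] if rx.fullmatch(m))
    movable = set.intersection(*held.values())
    if not movable:
        return policy, set()
    bindings = []
    for b in policy["bindings"]:
        if is_target(b):
            kept = [m for m in b["members"] if m not in movable]
            b = {**b, "members": kept + [group]}
        bindings.append(b)
    return {**policy, "bindings": bindings}, movable

# Constructed sample: 800 per-project accounts with both roles, plus one
# account that only has the logging role and must not be moved.
SA = "serviceAccount:proj-{}@example-project.iam.gserviceaccount.com"
ROLES = ["roles/monitoring.metricWriter", "roles/logging.logWriter"]  # assumed roles
GROUP = "group:fuzz-workers@example.com"  # hypothetical group
accounts = [SA.format(i) for i in range(800)]
SAMPLE = {"bindings": [
    {"role": ROLES[0], "members": list(accounts)},
    {"role": ROLES[1], "members": accounts + [SA.format(9999)]},
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
]}

def demo():
    new_policy, movable = consolidate(
        SAMPLE, ROLES, r"serviceAccount:proj-\d+@example-project\..+", GROUP)
    return principal_count(SAMPLE), principal_count(new_policy), len(movable)

if __name__ == "__main__":
    print(demo(), "limit:", LIMIT)
```

The returned set is the list of accounts that must be members of the group before the new policy is applied; how they get added depends on the group type, which is the open problem the last comment raises.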