guardian
Ability to configure roles for `gcloud_iam` provider
Summary

At the moment, for every provider one can configure a set of roles with permission sets. This lets one control which access roles a user can raise appeals for.

BigQuery example: https://odpf.github.io/guardian/docs/providers/bigquery#yaml-representation, which has roles and a permission set for each resource type.

This is not true for the `gcloud_iam` provider. Only this provider has no way to take in the configured roles/permissions from the provider config file. Because of this, if `gcloud_iam` is exposed as a provider to users, the GetRoles method will fetch every IAM role available in GCP. If one wants to restrict users to only certain roles through Guardian, as with the other providers, they currently cannot, and a user would be able to raise an appeal for any role in GCP.

Proposed solution

Modify the GCP provider to:
- get roles from the provider config if roles are provided, and use them as the only roles available for appeals.
- continue as it is in the current form if roles are not provided in the provider config.
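The filtering behaviour proposed above, as an added example in Go (Guardian's language). This is not Guardian's own code: the `Role` struct, the `AppealableRoles` and `IsAppealable` functions and the sample `gcpIAMRoles` list are all assumptions constructed for illustration. It goes slightly beyond the proposal by validating that every IAM role named in the config actually exists in GCP, so a typo in the config fails at load time rather than when an approved appeal is being granted.

```go
package main

import "fmt"

// Role mirrors the shape of a role entry in a Guardian provider config
// (hypothetical struct for this example; field names are assumptions).
// For gcloud_iam, Permissions holds GCP IAM role names such as "roles/viewer".
type Role struct {
	ID          string   `yaml:"id"`
	Name        string   `yaml:"name"`
	Permissions []string `yaml:"permissions"`
}

// gcpIAMRoles stands in for the list that GetRoles fetches from the GCP IAM API.
// Constructed sample data for this example, not a real API response.
var gcpIAMRoles = []string{
	"roles/owner",
	"roles/editor",
	"roles/viewer",
	"roles/bigquery.dataViewer",
	"roles/iam.serviceAccountTokenCreator",
}

// AppealableRoles returns the roles a user may raise an appeal for.
// With no roles in the provider config it exposes every fetched IAM role
// (the current behaviour). With roles configured it exposes only those,
// rejecting duplicates and any mapping to an IAM role GCP does not know.
func AppealableRoles(configured []Role, fetched []string) ([]Role, error) {
	if len(configured) == 0 {
		out := make([]Role, 0, len(fetched))
		for _, r := range fetched {
			out = append(out, Role{ID: r, Name: r, Permissions: []string{r}})
		}
		return out, nil
	}

	known := make(map[string]struct{}, len(fetched))
	for _, r := range fetched {
		known[r] = struct{}{}
	}

	seen := make(map[string]struct{}, len(configured))
	out := make([]Role, 0, len(configured))
	for _, role := range configured {
		if _, dup := seen[role.ID]; dup {
			return nil, fmt.Errorf("duplicate role id %q in provider config", role.ID)
		}
		seen[role.ID] = struct{}{}
		for _, p := range role.Permissions {
			if _, ok := known[p]; !ok {
				return nil, fmt.Errorf("role %q maps to IAM role %q which does not exist in GCP", role.ID, p)
			}
		}
		out = append(out, role)
	}
	return out, nil
}

// IsAppealable is the check that would run when an appeal is created: a user
// cannot request an ID outside the allowed set (e.g. "roles/owner" when the
// config only exposes a viewer role).
func IsAppealable(allowed []Role, roleID string) bool {
	for _, r := range allowed {
		if r.ID == roleID {
			return true
		}
	}
	return false
}

func main() {
	// Provider config that exposes only two roles for appeals (constructed).
	cfg := []Role{
		{ID: "viewer", Name: "Project Viewer", Permissions: []string{"roles/viewer"}},
		{ID: "bq-reader", Name: "BigQuery Reader", Permissions: []string{"roles/bigquery.dataViewer"}},
	}
	allowed, err := AppealableRoles(cfg, gcpIAMRoles)
	if err != nil {
		fmt.Println("config error:", err)
		return
	}
	for _, r := range allowed {
		fmt.Printf("appealable: %s (%v)\n", r.ID, r.Permissions)
	}
	fmt.Println("roles/owner appealable:", IsAppealable(allowed, "roles/owner"))

	// Without configured roles, every IAM role from GCP is exposed.
	all, _ := AppealableRoles(nil, gcpIAMRoles)
	fmt.Println("roles exposed with empty config:", len(all))
}
```

The validation step means a config entry such as `permissions: ["roles/veiwer"]` is rejected when the provider is loaded; without it the role would appear in the appeal list and only fail at grant time.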
@bsushmith @rahmatrhd is this a duplicate of #218?
@ravisuhag not initially, but now the discussion for this also happens in #218
Covered in #218