
feature request: document minimum permissions for service account for cloudrun

Open fgregg opened this issue 4 years ago • 4 comments

Thanks again for such a powerful project.

For deploying to cloudrun from github actions, I'd like to create a service account with minimal permissions.

It would be great to document the minimum permissions that need to be set in IAM.

fgregg avatar Aug 03 '21 13:08 fgregg

I would love to know this too! I always find figuring out minimal permissions to be really difficult.

simonw avatar Aug 19 '21 21:08 simonw

https://github.com/ahmetb/cloud-run-faq#how-do-i-continuously-deploy-to-cloud-run suggests the following:

  • roles/run.admin to deploy applications
  • roles/iam.serviceAccountUser on the service account that your app will use

It also links to https://cloud.google.com/run/docs/reference/iam/roles

simonw avatar Aug 19 '21 21:08 simonw

This would be great! I just went through the process of figuring out the minimum permissions for a service account to run datasette publish cloudrun for PUDL's datasette deployment. These are the roles I gave the service account (disclaimer: I'm not sure these are the minimum permissions):

  • Cloud Build Service Account: The SA needs this role to publish the build on Cloud Build.
  • Cloud Run Admin for the Cloud Run datasette service so the SA can deploy the build.
  • I gave the SA the Storage Admin role on the bucket Cloud Build creates to store the build tar files.
  • The Viewer Role is required for storing build logs in the default bucket. More on this below!

The Viewer Role is a Basic IAM role that Google does not recommend using:

Caution: Basic roles include thousands of permissions across all Google Cloud services. In production environments, do not grant basic roles unless there is no alternative. Instead, grant the most limited predefined roles or custom roles that meet your needs.

If you don't grant the Viewer role, the gcloud builds submit command will successfully create a build but return exit code 1, preventing the script from getting to the Cloud Run step:

ERROR: (gcloud.builds.submit)
The build is running, and logs are being written to the default logs bucket.
This tool can only stream logs if you are Viewer/Owner of the project and, if applicable, allowed by your VPC-SC security policy.

The default logs bucket is always outside any VPC-SC security perimeter.
If you want your logs saved inside your VPC-SC perimeter, use your own bucket.
See https://cloud.google.com/build/docs/securing-builds/store-manage-build-logs.

long stack trace...

CalledProcessError: Command 'gcloud builds submit --tag gcr.io/catalyst-cooperative-pudl/datasette' returned non-zero exit status 1.

You can store Cloud Build logs in a user-created bucket which only requires the Storage Admin role. However, you have to pass a config file to gcloud builds submit, which isn't possible with the current options for datasette publish cloudrun.

I propose we add an additional CLI option to datasette publish cloudrun called --build-config that allows users to pass a config file specifying a user-created Cloud Build log bucket.

bendnorman avatar Sep 22 '22 22:09 bendnorman

Thanks for documenting this @bendnorman! Got stuck at exactly the same point (gcloud builds submit ... returned non-zero exit status 1) without a clue why this was happening. I now managed to get the GitHub action to deploy datasette by assigning the following roles to the service account: roles/run.admin, roles/storage.admin, roles/cloudbuild.builds.builder, roles/viewer, roles/iam.serviceAccountUser.

jimmybutton avatar Nov 05 '23 16:11 jimmybutton
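The two comments above give the ingredients for a deploy account without the basic Viewer role: bendnorman's observation that a user-created Cloud Build logs bucket only needs Storage Admin, and jimmybutton's list of predefined roles. The script below is an added example, not code from the datasette project or from either commenter. It binds the predefined roles from that list (dropping roles/viewer), refuses any basic role, and renders a cloudbuild.yaml equivalent to the `--tag` build that datasette publish cloudrun runs, with `logsBucket` pointing at a bucket the account owns. All project, service account and bucket names are placeholders; `GCLOUD=echo` dry-runs the commands so the script can be exercised without a Google Cloud project.

```shell
#!/bin/sh
# Added example (not datasette project code): a least-privilege deploy service
# account for Cloud Run using only predefined roles, plus a Cloud Build config
# that writes logs to a user-owned bucket so roles/viewer is not needed.
# Project, service account and bucket names below are placeholders.
set -eu

# GCLOUD=echo turns every call into a printed command for an offline dry run.
GCLOUD="${GCLOUD:-gcloud}"

# Project-level predefined roles from the thread; roles/viewer deliberately absent.
DEPLOY_ROLES="roles/run.admin roles/storage.admin roles/cloudbuild.builds.builder"

# Guard against basic roles (viewer/editor/owner), which Google advises against
# in production. Returns 0 when the list is clean, 1 when a basic role is present.
check_no_basic_roles() {
  for role in $1; do
    case "$role" in
      roles/viewer|roles/editor|roles/owner)
        echo "basic role present: $role" >&2
        return 1 ;;
    esac
  done
  return 0
}

# Bind the deploy roles at project scope, then serviceAccountUser on the runtime
# SA so the deployer may act as the identity the Cloud Run service runs under.
# Usage: grant_roles PROJECT_ID DEPLOY_SA_EMAIL RUNTIME_SA_EMAIL
grant_roles() {
  project="$1"; deploy_sa="$2"; runtime_sa="$3"
  check_no_basic_roles "$DEPLOY_ROLES"
  for role in $DEPLOY_ROLES; do
    "$GCLOUD" projects add-iam-policy-binding "$project" \
      --member="serviceAccount:$deploy_sa" --role="$role"
  done
  "$GCLOUD" iam service-accounts add-iam-policy-binding "$runtime_sa" \
    --member="serviceAccount:$deploy_sa" --role="roles/iam.serviceAccountUser"
}

# Emit a cloudbuild.yaml that does what `gcloud builds submit --tag IMAGE` does,
# but with build logs stored in LOGS_BUCKET instead of the default logs bucket.
# Usage: render_build_config IMAGE LOGS_BUCKET
render_build_config() {
  image="$1"; logs_bucket="$2"
  cat <<EOF
steps:
  - name: gcr.io/cloud-builders/docker
    args: ['build', '-t', '$image', '.']
images:
  - '$image'
logsBucket: '$logs_bucket'
EOF
}

# Build from SRC_DIR (which holds the Dockerfile) and deploy the image.
# Usage: build_and_deploy PROJECT_ID IMAGE LOGS_BUCKET SERVICE REGION RUNTIME_SA_EMAIL SRC_DIR
build_and_deploy() {
  project="$1"; image="$2"; logs_bucket="$3"
  service="$4"; region="$5"; runtime_sa="$6"; src="$7"
  render_build_config "$image" "$logs_bucket" > "$src/cloudbuild.yaml"
  "$GCLOUD" builds submit --project="$project" --config="$src/cloudbuild.yaml" "$src"
  "$GCLOUD" run deploy "$service" --project="$project" --region="$region" \
    --image="$image" --service-account="$runtime_sa"
}

# Only act when invoked with the full argument list; sourcing the file is safe.
if [ "$#" -ge 7 ]; then
  build_and_deploy "$@"
fi
```

Two caveats when adapting this. Storage Admin is granted here at project scope because that is how jimmybutton used it; bendnorman's bucket-scoped grant is tighter and is the better choice where the logs bucket is known in advance. And the bucket named in `logsBucket` is written to by the build itself, so the service account Cloud Build runs under also needs object-create access on that bucket, separately from the deploy account's permissions.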