Refactor service account usage for GCP to follow best practices
Hello
I am trying to deploy a hybrid environment in GCP using GET.
During the preparation it asks me to create a service account on GCP:
Proceed to create an account with a descriptive name like `gitlab-qa` and give it the IAM roles of Compute Admin, Kubernetes Engine Admin, Storage Admin and Service Account User. (source)
From what I understand the service-account requested above (and its permissions) is necessary for me to be able to create all the resources correctly on my GCP project.
I should also be able to skip this step and use my own user application credentials if I have the same permissions. Am I thinking right?
Later, when I am running Ansible to perform the configuration, the documentation instructs me to pass the same service-account-key to the GitLab workloads:
`gcp_service_account_host_file` - GCP only - Local path to the Service Account file. This is the same one created in Setup Provider Authentication - Service Account. The Toolkit uses this to configure GitLab's Object Storage access.
But I think that the GitLab workloads don't need the Compute Admin, Kubernetes Engine Admin, Storage Admin and Service Account User permissions, right?
I was also wondering, in a scenario where RCE is possible, whether this key would be accessible for download.
I was wondering if it would make sense to create a dedicated service account in terraform for this just with the necessary permissions. What do you think?
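As an added illustration of the dedicated-service-account idea raised above (editor's example, not code from the issue author or from the GitLab Environment Toolkit), the Terraform below creates a separate service account for the GitLab workloads and grants it a storage role only on the named buckets, instead of reusing the provisioning key that carries project-wide Compute Admin, Kubernetes Engine Admin, Storage Admin and Service Account User. The project id, the bucket names and the account id are placeholders, and the assumption that `roles/storage.objectAdmin` on those buckets is sufficient for GitLab's object storage access is mine; the page does not state which permissions the workloads actually need, so that must be checked against the GitLab documentation before relying on it.

```terraform
# Placeholders: replace with the real project id and bucket names.
variable "project_id" { type = string }
variable "object_storage_buckets" {
  type    = list(string)
  default = ["example-gitlab-artifacts", "example-gitlab-uploads"] # constructed names
}

# Dedicated identity for the GitLab workloads, separate from the
# provisioning account used to create the infrastructure.
resource "google_service_account" "gitlab_object_storage" {
  project      = var.project_id
  account_id   = "gitlab-object-storage"
  display_name = "GitLab workloads - object storage only"
}

# Bucket-scoped role binding instead of project-wide Storage Admin.
# Assumption: objectAdmin on these buckets covers what GitLab needs.
resource "google_storage_bucket_iam_member" "gitlab_object_storage" {
  for_each = toset(var.object_storage_buckets)
  bucket   = each.value
  role     = "roles/storage.objectAdmin"
  member   = "serviceAccount:${google_service_account.gitlab_object_storage.email}"
}

# Key for the dedicated account; this is what would be written to the
# file referenced by gcp_service_account_host_file.
resource "google_service_account_key" "gitlab_object_storage" {
  service_account_id = google_service_account.gitlab_object_storage.name
}

# private_key is the base64-encoded JSON key; marked sensitive so it is
# redacted from plan/apply output.
output "gitlab_object_storage_key_json" {
  value     = google_service_account_key.gitlab_object_storage.private_key
  sensitive = true
}
```

With this split, the key that ends up on the GitLab hosts only grants access to the listed buckets, so a compromise of a workload (the RCE scenario mentioned above) exposes a credential with a much smaller blast radius than the provisioning key, and the two keys can be rotated and audited independently.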