1-GCP-IAM-ServiceAcct

Table of Contents
  1. 1-GCP-IAM-ServiceAcct
    1.1. Impersonation
      1.1.1. Background
      1.1.2. Steps

1-GCP-IAM-ServiceAcct

Impersonation

Background

RBAC policies must use Cloud Identity Groups rather than individual users for human-user access.

However, Google Groups are not supported by the company as an authentication mechanism, because of the organisation-level permissions that would be required.

As a workaround, we require that K8S RBAC permissions are granted to GCP service accounts, and groups are then used to manage who may impersonate each service account.

permission -> sa -> groups to impersonate the sa

Steps

  1. Create a service account in sot/service_accounts.auto.tfvars.json
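The permission -> sa -> group chain described above, written out end to end in Terraform. This is an added example, not the project's own configuration or tfvars layout; the project id, service account name, group address, namespace and the `google` and `kubernetes` provider setup are assumptions.

```hcl
# Added example of the permission -> SA -> group pattern.
# All values in locals are placeholders, not the project's real ones.
locals {
  project   = "example-project"       # placeholder GCP project id
  sa_name   = "team-a-k8s-viewer"     # placeholder SA name
  group     = "team-a@example.com"    # placeholder Cloud Identity group
  namespace = "team-a"                # placeholder K8S namespace
}

# 1. The service account that will hold the K8S RBAC permissions.
resource "google_service_account" "team_a" {
  project      = local.project
  account_id   = local.sa_name
  display_name = "Team A read-only access to namespace ${local.namespace}"
}

# 2. Let group members mint tokens for this SA (impersonation).
#    Granted on the single SA resource, not at project level, so the
#    group can act as this SA only and nothing else.
resource "google_service_account_iam_member" "team_a_impersonate" {
  service_account_id = google_service_account.team_a.name
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = "group:${local.group}"
}

# 3. Bind the K8S RBAC permission to the SA, never to humans directly.
#    GKE identifies a service account by its email, so it is a User
#    subject here. The SA also needs container.clusters.get on the
#    project (for example roles/container.clusterViewer) to reach the
#    API server; that project-level binding is omitted here.
resource "kubernetes_role_binding" "team_a_view" {
  metadata {
    name      = "team-a-view"
    namespace = local.namespace
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "view"
  }
  subject {
    kind      = "User"
    name      = google_service_account.team_a.email
    api_group = "rbac.authorization.k8s.io"
  }
}
```

A group member then runs gcloud and kubectl with --impersonate-service-account set to the SA email, so every K8S request is attributed to the SA while access is still managed by group membership.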