Apigee Organization Admin (roles/apigee.admin) IAM role when Apigee Control Plane created with IaC

Hi,

When we have a process of creating the Apigee Control Plane using Terraform (automation) only, similar to cloud-foundation-fabric/modules/apigee-organization at master · GoogleCloudPlatform/cloud-foundation... .

For the use case where a Google project is created newly for an Apigee hybrid org, and we understand that a GCP project maps to an Apigee Control Plane org 1:1, in that situation do we still have to create the Apigee Organization Admin role under IAM Roles?

Having such a role can enable someone to update the Apigee Control Plane manually or accidentally, without using IaC (which can lead us out of sync). Hence:

If the situation is to use Terraform with a build process to create the Apigee Control Plane, then IAM roles should be read-only permissions in IAM and should not include "Apigee Organization Admin" to avoid updating without IaC (accidentally?), or do we still require such a role (Apigee Organization Admin) in IAM for any reason?

We do understand the listed SA roles are required: About service accounts | Apigee X | Google Cloud

But see IAM basic and predefined roles reference | IAM Documentation | Google Cloud

Can Apigee Organization Admin (roles/apigee.admin) be avoided as an IAM role for such situations?

@dino  @strebel @kidiyoor 

Solved
1 ACCEPTED SOLUTION

Can you create a FR in the github repository for this please?


4 REPLIES

I understand your concern. Following best practices, creating custom roles with only a subset of the required permissions is definitely a sensible thing to do for a production-hardened setup.

For the control plane you should definitely include CRUD permissions on the following resources for your custom role:
apigee.organization
apigee.envgroups
apigee.environments
apigee.envgroupattachments

Read-only permissions won't be enough for the Terraform SA.
The guidance here would be to limit access to the service account, to prevent other users from using its permissions.
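As an added example, not code from this thread or from the cloud-foundation-fabric module, here is how the reply's advice can be expressed in Terraform: a custom role carrying only CRUD on the four control-plane resource types it names, bound to the pipeline's service account; humans get a read-only predefined role; and impersonation of the service account is restricted to the CI principal. The project id, group and CI service-account names are placeholders. The permission ids are assumed from the CRUD set the reply describes (written in the plural form IAM permission names use) and must be checked against the IAM permissions reference before applying.

```hcl
# Added example (not from the thread or the cloud-foundation-fabric module):
# least-privilege custom role for the Terraform SA that manages the Apigee
# control plane, used instead of roles/apigee.admin.
#
# ASSUMPTIONS: project id, group and CI principal are placeholders. The
# permission ids are the CRUD set for the four resource types the reply names
# (apigee.organization, apigee.envgroups, apigee.environments,
# apigee.envgroupattachments); verify each against the IAM permissions
# reference before applying.

locals {
  project_id = "my-apigee-project" # placeholder
}

# Service account under which the Terraform pipeline runs.
resource "google_service_account" "apigee_terraform" {
  project      = local.project_id
  account_id   = "apigee-terraform"
  display_name = "Terraform SA for Apigee control plane"
}

# Custom role: only what the pipeline needs to create and reconcile the
# control plane. Anything not listed here (runtime instances, networking,
# API enablement) is outside what the reply covers and needs separate review.
resource "google_project_iam_custom_role" "apigee_control_plane_iac" {
  project     = local.project_id
  role_id     = "apigeeControlPlaneIaC"
  title       = "Apigee control plane (IaC only)"
  description = "CRUD on org, environments, env groups and attachments for Terraform"
  permissions = [
    # apigee.organization
    "apigee.organizations.create",
    "apigee.organizations.get",
    "apigee.organizations.update",
    "apigee.organizations.delete",
    # apigee.environments
    "apigee.environments.create",
    "apigee.environments.get",
    "apigee.environments.list",
    "apigee.environments.update",
    "apigee.environments.delete",
    # apigee.envgroups
    "apigee.envgroups.create",
    "apigee.envgroups.get",
    "apigee.envgroups.list",
    "apigee.envgroups.update",
    "apigee.envgroups.delete",
    # apigee.envgroupattachments (assumed create/get/list/delete; no update)
    "apigee.envgroupattachments.create",
    "apigee.envgroupattachments.get",
    "apigee.envgroupattachments.list",
    "apigee.envgroupattachments.delete",
  ]
}

# Bind the custom role to the Terraform SA only; no human gets it.
resource "google_project_iam_member" "terraform_control_plane" {
  project = local.project_id
  role    = google_project_iam_custom_role.apigee_control_plane_iac.id
  member  = "serviceAccount:${google_service_account.apigee_terraform.email}"
}

# Humans get read-only: they can inspect the control plane in the console
# but cannot change it outside the pipeline, so Terraform state stays in sync.
resource "google_project_iam_member" "humans_read_only" {
  project = local.project_id
  role    = "roles/apigee.readOnlyAdmin"
  member  = "group:apigee-operators@example.com" # placeholder group
}

# "Limit access to the service account": only the CI principal may mint
# tokens for it, so nobody else can borrow its write permissions.
resource "google_service_account_iam_member" "ci_impersonation" {
  service_account_id = google_service_account.apigee_terraform.name
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = "serviceAccount:ci-runner@my-ci-project.iam.gserviceaccount.com" # placeholder
}
```

Run `terraform plan` with the pipeline identity after applying this and confirm the module still converges; any permission-denied error names the exact permission to add, which keeps the role at the minimum the module actually exercises rather than the full roles/apigee.admin set. Changes made by a human in the console would surface as drift on the next plan, which is the out-of-sync condition the question is trying to avoid.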

@strebel Looks like Apigee Hybrid Control Plane creation using cloud-foundation-fabric/modules/apigee-organization at master · GoogleCloudPlatform/cloud-foundation... will require additional roles, not just read-only mode.

Please update what type of CRUD permissions on the following resources are required, to justify it. I am not sure if those details may also be included in cloud-foundation-fabric/README.md at master · GoogleCloudPlatform/cloud-foundation-fabric (github.co... as a best practice?

The listed link provides predefined roles for Apigee: IAM basic and predefined roles reference | IAM Documentation | Google Cloud

For such use cases, what should the role (to be defined) be, if specifically required by Terraform and read-only is not enough?

apigee.organization
apigee.envgroups
apigee.environments
apigee.envgroupattachments
