惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

GbyAI
GbyAI
Simon Willison's Weblog
Simon Willison's Weblog
Microsoft Security Blog
Microsoft Security Blog
Y
Y Combinator Blog
The GitHub Blog
The GitHub Blog
Engineering at Meta
Engineering at Meta
F
Fortinet All Blogs
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
A
About on SuperTechFans
Last Week in AI
Last Week in AI
月光博客
月光博客
有赞技术团队
有赞技术团队
P
Proofpoint News Feed
MyScale Blog
MyScale Blog
Martin Fowler
Martin Fowler
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
C
Check Point Blog
U
Unit 42
The Register - Security
The Register - Security
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Hugging Face - Blog
Hugging Face - Blog
阮一峰的网络日志
阮一峰的网络日志
V
Visual Studio Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
D
DataBreaches.Net
WordPress大学
WordPress大学
aimingoo的专栏
aimingoo的专栏
H
Hacker News: Front Page
Recent Announcements
Recent Announcements
C
CXSECURITY Database RSS Feed - CXSecurity.com
Latest news
Latest news
小众软件
小众软件
P
Palo Alto Networks Blog
PCI Perspectives
PCI Perspectives
Security Latest
Security Latest
S
Secure Thoughts
Scott Helme
Scott Helme
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Threat Research - Cisco Blogs
P
Proofpoint News Feed
M
MIT News - Artificial intelligence
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Google DeepMind News
Google DeepMind News
Recorded Future
Recorded Future
O
OpenAI News
S
Securelist
云风的 BLOG
云风的 BLOG
H
Help Net Security
T
Troy Hunt's Blog

Rc-2020 on Julia Evans

Day 57: Trying to set up GitHub Actions Day 56: A little WebAssembly Day 53: a little nginx, IPv6, and wireguard Day 52: testing how many Firecracker VMs I can run Day 51: Fixed my logging and made a couple of puzzles Day 50: Building some tarballs for puzzles, and trying to make a kernel boot faster Day 49: making the VMs boot faster Day 48: Another Go program, and a little vim configuration Day 47: Using device mapper to manage Firecracker images Day 46: debugging an iptables problem Day 44: Building my VMs with Docker Day 43: Building VM images Day 42: Writing a Go program to manage Firecracker VMs Day 41: Trying to understand what a bridge is Day 40: screen flickering & a talk about containers Day 39: Customizing gotty's terminal Day 38: Modifying gotty to serve many different terminal applications at once Day 37: A new laptop and a little Vue Day 35: Launching my VMs more reliably Day 34: Learning about qemu Day 33: pairing is magic and beautiful git diffs Day 32: A Rails model that doesn't use the database with ActiveHash Day 24: a short talk about blogging myths, and a debugging tip Day 23: a little Rails testing Day 22: getting OAuth to work in Rails Day 21: wrangling systemd & setting up git deploys to a VM Day 19: Clustering faces (poorly) using an autoencoder Day 18: an answer to an autoencoder question Day 17: trying to wrap my head around autoencoders Day 13: BPTT, and debugging why a model isn't training is hard Day 11: learning about learning rates Day 10: Training an RNN to count to three Day 9: Generating a lot of nonsense with an RNN Day 8: Start with something that works Day 5: drawing lots of faces with sketch-rnn Day 3: an infinitely tall fridge Day 2: Rails associations & dragging divs around Day 1: a confusing Rails error message I'm doing another Recurse Center batch!
Day 20: trying to figure out how Google Cloud IAM works
Julia Evans · 2020-12-05 · via Rc-2020 on Julia Evans

Hello! I spent all day on Friday trying to run a Rails app in Google Cloud run and I partially succeeded, so I wanted to write down the main points I found confusing.

Google Cloud’s IAM is different from AWS IAM

I’ve worked with AWS IAM a lot, and GCP’s IAM seems pretty different. The way I’m used to IAM working in AWS is:

  1. You create an IAM role for a service/machine/whatever
  2. You give permissions to that IAM role (like “this role can access this S3 bucket”)
  3. That’s it

As far as I can tell, with Google Cloud both the terminology used in IAM and the way it works is different.

Here are the mappings (as far as I can tell) from GCP IAM concepts to AWS IAM concepts

  • an “IAM role” in Google Cloud is like a “permission” in AWS (NOT like an AWS IAM role). So for example roles/cloudsql.client lets you access SQL instances
  • a “service account” in Google Cloud is kiiiind of like a “IAM role” in AWS – it’s the identity of a service. I think there are some pretty significant differences though.

So “IAM role” in GCP and “IAM role” in AWS have completely different meanings. Cool, that’s fine, we can work with that.

how to assign a GCP IAM role to a service account

Like I said before, assigning an AWS permission to an AWS IAM role is pretty simple (here’s the terraform to do it.

I thought it would be the same in GCP (“just assign a role to a service account”), but it’s completely different.

Instead of there being 1 single way to assign a permission to an identity (like “this service can do X and Y and Z”), the way you give a service account access to a resource is different depending on the kind of resource.

For example. Let’s say I want to give my service account access to a secret. Here’s the command line incantation to do that:

gcloud beta secrets add-iam-policy-binding rails-master-key
--member=serviceAccount:refrigerator-poetry@refrigerator-poetry.iam.gserviceaccount.com
--role=roles/secretmanager.secretAccessor ```

or in Terraform:

resource "google_secret_manager_secret_iam_binding" "binding" {
  project   = "refrigerator-poetry"
  secret_id = google_secret_manager_secret.railsmaster.secret_id
  role      = "roles/secretmanager.secretAccessor"
  members = [
    "serviceAccount:${google_service_account.fridge.email}"
  ]
}

The general gcloud command line rule here seems to be (from the GCP documentation on granting access):

gcloud GROUP add-iam-policy-binding RESOURCE --member=MEMBER --role=ROLE-ID

Okay, this isn’t what I’d hoped for (a single JSON file or something where I can specify everything my service account can access), but at least there’s a pattern. We can work with that!

ok, so what if we want to give a service account access to a SQL database?

I used the above approach to give my service account access to the secrets it needed access to. Hooray!

Next I wanted to give a service account access to a SQL database. The pattern from before is:

gcloud GROUP add-iam-policy-binding RESOURCE --member=MEMBER --role=ROLE-ID

which seems like it should translate to something like

gcloud sql instances add-iam-policy-binding my-db --member=serviceAccount:my-account@whatever --role=roles/cloudsql.client

But it doesn’t. gcloud sql instances add-iam-policy-binding doesn’t exist, and gcloud sql add-iam-policy-binding doesn’t exist either. So it seems like if you want to give access to a SQL instance, you need to do something different.

At this point it was like 11:30PM so I gave up and granted my service account very broad permissions on the project (roles/editor) because I just wanted to get something to work.

Here’s what I ran:

gcloud projects add-iam-policy-binding  PROJECT_NAME \
                              --member=serviceAccount:account-email@whatever --role=roles/editor

and that worked! I still don’t know the correct way to grant access to a SQL instance but that’s a fight for another day. At least I know you need to do something different than for other types of resources.

the terraform IAM resources are apparently generated with ERB

I spent many hours with Kamal trying to understand how this works, and he went and figured out how the Terraform resources that assign roles to service accounts work. I was really surprised by this so here it is!

In the GCP Terraform provider, there are dozens of different resources to assign a role to an identity, one for each different kind of GCP resource. (in contract with AWS, where it’s just aws_iam_role, aws_iam_policy, aws_iam_role_policy).

Here are just a few.

google_folder_iam_binding
google_healthcare_dataset_iam_binding
google_healthcare_dicom_store_iam_binding
google_healthcare_fhir_store_iam_binding
google_iap_tunnel_iam_binding
google_iap_tunnel_instance_iam_binding
google_iap_web_backend_service_iam_binding
google_iap_web_iam_binding
google_iap_web_type_compute_iam_binding
google_kms_crypto_key_iam_binding
google_kms_key_ring_iam_binding
google_project_iam_binding

So if you want to give a service account access to a google_iap_web_backend (whatever that is), you use a google_iap_web_backend_service_iam_binding. Okay!

But there are all of these almost identical things, so how are they generated? As promised in the section heading, it seems to be a bunch of Go code templated with ERB.

Kamal did a bunch of digging and found this ERB template which generates a giant Go program that defines all these resources. So I guess that’s how they generate a lot of resources that are very similar.

I still don’t really understand how this works

My guess is that there are some upsides to the GCP approach to identity management that I don’t understand yet – I’ve only used it for like 4 hours and I’ve spent a LOT more time using AWS IAM.

But I still don’t really understand how to use it – I feel like there should be a way to define “here are all the things this service account is allowed to do” in a single place, but I haven’t found it yet. Maybe I’ll figure it out soon!