Red Hat Bugzilla – Bug 1311878
Ansible installer for GCE needs to allow API access to all Google Cloud services
Last modified: 2017-03-16 16:04:45 EDT
Description of problem:
GCE project access should be enabled when launching GCE instances since API access is used a lot.
For example, if you write an application that reads and writes files on Google Cloud Storage, it must first authenticate to the Google Cloud Storage API.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Launch GCE environment via openshift-ansible.
2. Check the instances' project permission on web console.
Service accounts are not enabled for this instance.
This instance has full API access to all Google Cloud services.
At least, we need the API access to the storage.
Hi Xia Liang,
Can you tell us what playbook you are running and how you are provisioning the openshift environment?
Alex fixed this in our SCALE-CI.
yeah, basically, when starting instance from console with the option "Allow API access to all Google Cloud services in the same project", the instance is actually launched with an additional option (YAML representation):
- :email: "firstname.lastname@example.org"
I think in REST API it is called serviceAccount, the above is from ruby client library.
When running without the option, the permissions are more limited:
# - https://www.googleapis.com/auth/cloud.useraccounts.readonly
# - https://www.googleapis.com/auth/devstorage.read_only
# - https://www.googleapis.com/auth/logging.write
# - https://www.googleapis.com/auth/monitoring.write
# - https://www.googleapis.com/auth/servicecontrol
# - https://www.googleapis.com/auth/service.management
In AOS ansible I think we can select exactly the permissions we need. i.e. `https://www.googleapis.com/auth/cloud-platform` looks too broad to me. I'd vote to only select the scopes OpenShift actually needs.
Thanks to Liang Xia for obtaining the correct scopes.
bin/cluster and any GCE specific playbooks are only community supported and not part of OSE. At a min this bug should move to the origin product. I am not sure from the above whether the current state is blocking anything or trying to improve the security setup of the install?
I couldn't understand the exact use case above. I only changed our scripts to launch instances on GCE. But if this use case involves creating instances from a playbook, then that playbook needs to specify the required option (because my change will not have any effect):
- :email: default
I'm OK with the current solution.
We need the option enabled when launching GCE instance to support some storage testing.
The reason we want the 'allow API access' option from the installer is that openshift/kubernetes needs the API access to provision GCE PDs. But ansible-launched instances do not have the access. We think people deploying openshift on GCE would prefer to use GCE PDs instead of other storage as their persistent volume.
Yes, that configuration cannot be added after instances are launched. So whatever is launching instances, it needs to set the above option. QE launcher already sets that.
I'd like to stress again though that ideally we should use a service account with proper permissions for the tasks OpenShift needs to perform. Not a good idea to grant full access if it only needs to create volumes.
(In reply to Aleksandar Kostadinov from comment #9)
> Yes, that configuration cannot be added after instances are launched. So
> whatever is launching instances, it needs to set the above option. QE
> launcher already sets that.
> I'd like to stress again though that ideally we should use a service account
> with proper permissions for the tasks OpenShift needs to perform. Not a good
> idea to grant full access if it only needs to create volumes.
Hi, was this addressed? I'm running into this issue right now with the GCE openshift-ansible installer. I can spin up an OpenShift cluster just fine, but all instances do not have Gcloud API access to connect to GCE persistent disks, and Gcloud doesn't allow changing those instance permissions once they are created.
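An added example, not code from openshift-ansible or from this bug, showing the two launch settings discussed in this thread as an Ansible play using the google.cloud.gcp_compute_instance module: the cloud-platform scope behind the console's "Allow API access to all Google Cloud services" checkbox, beside an explicit scope list built from the console's default scopes quoted above. The compute scope in that list is an assumption for persistent-disk provisioning (the bug does not list the exact scopes OpenShift needs), and project, zone, image, network and credential file are placeholders.

```yaml
# Added example, not from openshift-ansible or this bug report.
# Placeholders: project, zone, credential file, image and network.
- name: Launch a GCE node with explicit API scopes
  hosts: localhost
  gather_facts: false
  vars:
    gcp_project: my-openshift-project                 # placeholder
    gcp_zone: us-central1-a                           # placeholder
    gcp_cred_file: /path/to/service-account.json      # placeholder
    # Weak setting: what the console checkbox "Allow API access to all
    # Google Cloud services in the same project" grants. Every API the
    # instance's service account can reach becomes usable from the node.
    broad_scopes:
      - https://www.googleapis.com/auth/cloud-platform
    # Narrow setting: the six scopes the console assigns by default
    # (quoted in this bug) plus the compute scope. The compute scope is
    # an assumption here for creating and attaching persistent disks.
    narrow_scopes:
      - https://www.googleapis.com/auth/cloud.useraccounts.readonly
      - https://www.googleapis.com/auth/devstorage.read_only
      - https://www.googleapis.com/auth/logging.write
      - https://www.googleapis.com/auth/monitoring.write
      - https://www.googleapis.com/auth/servicecontrol
      - https://www.googleapis.com/auth/service.management
      - https://www.googleapis.com/auth/compute
  tasks:
    # Scopes are fixed at launch; they cannot be added to a running
    # instance, which is why the launcher has to set them.
    - name: Create instance with the narrow scope list
      google.cloud.gcp_compute_instance:
        name: ocp-node-1
        project: "{{ gcp_project }}"
        zone: "{{ gcp_zone }}"
        machine_type: n1-standard-2
        auth_kind: serviceaccount
        service_account_file: "{{ gcp_cred_file }}"
        disks:
          - auto_delete: true
            boot: true
            initialize_params:
              source_image: projects/rhel-cloud/global/images/family/rhel-7   # placeholder
        network_interfaces:
          - network:
              selfLink: global/networks/default       # placeholder
            access_configs:
              - name: External NAT
                type: ONE_TO_ONE_NAT
        # Swap in broad_scopes to reproduce the console checkbox.
        service_accounts:
          - email: default
            scopes: "{{ narrow_scopes }}"
        state: present
```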