GCP Roles and Service Accounts
Summary of the least privileged roles for service accounts
Users
There will be two user roles in the Backend GCP accounts, in both staging and production:
- Owner
- Backend Engineers
The following table states the roles of each user persona in each environment. In the Production environment this schema is mandatory. In the Staging environment this schema is flexible, and it is periodically reset to these roles.

| Persona | Staging | Production |
|---|---|---|
| Owner | roles/owner | roles/owner |
| Backend Engineers | roles/editor | roles/viewer, roles/secretmanager.secretVersionAdder |
Service Accounts
Service accounts are needed to automate the system infrastructure and to let microservices authenticate to GCP resources. We will have these service accounts:
Infra
- github-actions-infra: elevated permissions to deploy new GCP resources. Access to it is secured with strict GitHub rules and environments. Responsible for creating the other service accounts and assigning them IAM roles. Everything goes through GitHub Actions and Infrastructure as Code.
- github-actions-gateway: in charge of deploying api-gateway related resources such as certificates, Kubernetes ingresses, configuring ClusterRoleBindings, etc.
- github-actions: in charge of pushing images to a registry and deploying microservices to the cluster.
Microservices
Every microservice will have its own SA, with the minimal roles needed to perform its functions, such as accessing a secret or publishing to a Pub/Sub topic.
Infra SA's
This table shows the roles each SA needs to perform its actions. Since these are elevated roles, strict GitHub rules and branch protection will be in place. Each SA can be impersonated only by a defined set of repositories within our GitHub organization.

| Service account | Roles | Repositories allowed to impersonate it |
|---|---|---|
| github-actions-infra | roles/editor, roles/iam.securityAdmin, roles/iam.workloadIdentityPoolAdmin | cb_infra |
| github-actions-gateway | roles/container.clusterAdmin | cb_api-gateway |
| github-actions | roles/artifactregistry.createOnPushWriter, roles/container.clusterAdmin | cb_price-oracle, cb_borrower, cb_identity, cb_ltv-monitor, cb_notification, cb_sc-execution, cb_sc-monitor |
Microservices SA's
This table shows the roles each SA needs. Each SA can be impersonated by the Kubernetes service account of its own namespace.

| Service account | Roles |
|---|---|
| common to all | roles/secretmanager.secretAccessor |
| cb_price-oracle | roles/redis.dbConnectionUser |
| cb_borrower | roles/pubsub.subscriber, roles/cloudsql.client, roles/pubsub.publisher |
| cb_identity | roles/cloudsql.client, roles/cloudkms.cryptoKeyEncrypter |
| cb_ltv-monitor | roles/cloudsql.client, roles/pubsub.subscriber |
| cb_notification | roles/redis.dbConnectionUser, roles/pubsub.subscriber |
| cb_sc-execution | roles/cloudsql.client, roles/cloudkms.cryptoKeyEncrypter, roles/pubsub.subscriber |
| cb_sc-monitor | roles/pubsub.publisher |
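Because the staging schema drifts and is periodically reset, a check that compares the project's IAM policy export against the microservice matrix above is useful; the script below is an added example, not part of this page or its infra code. It assumes a project id of `example-project` and that the SA account IDs are the hyphenated form of the table names, since GCP service account IDs do not allow underscores; the sample policy is constructed.

```python
PROJECT = "example-project"  # assumed project id; replace with the real one

# Expected roles per microservice SA, from the table above (SA IDs cannot contain underscores, so cb_x -> cb-x).
COMMON = {"roles/secretmanager.secretAccessor"}  # the "common to all" row
EXPECTED = {
    "cb-price-oracle": {"roles/redis.dbConnectionUser"},
    "cb-borrower": {"roles/pubsub.subscriber", "roles/cloudsql.client", "roles/pubsub.publisher"},
    "cb-identity": {"roles/cloudsql.client", "roles/cloudkms.cryptoKeyEncrypter"},
    "cb-ltv-monitor": {"roles/cloudsql.client", "roles/pubsub.subscriber"},
    "cb-notification": {"roles/redis.dbConnectionUser", "roles/pubsub.subscriber"},
    "cb-sc-execution": {"roles/cloudsql.client", "roles/cloudkms.cryptoKeyEncrypter", "roles/pubsub.subscriber"},
    "cb-sc-monitor": {"roles/pubsub.publisher"},
}

def sa_member(account_id, project=PROJECT):
    """IAM member string for a project service account."""
    return f"serviceAccount:{account_id}@{project}.iam.gserviceaccount.com"

def roles_by_member(policy):
    """Invert a policy (shape of `gcloud projects get-iam-policy --format=json`) into member -> set of roles."""
    roles = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            roles.setdefault(member, set()).add(binding["role"])
    return roles

def find_drift(policy, expected=EXPECTED, project=PROJECT):
    """Return {sa: {"excess": roles, "missing": roles}} for every SA whose bindings deviate from the matrix."""
    actual = roles_by_member(policy)
    drift = {}
    for sa, wanted in expected.items():
        want = wanted | COMMON
        have = actual.get(sa_member(sa, project), set())
        if have != want:
            drift[sa] = {"excess": have - want, "missing": want - have}
    return drift

# Constructed sample policy: cb-identity matches the table, cb-borrower kept a
# leftover roles/editor from a staging experiment, the other SAs are not bound yet.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/secretmanager.secretAccessor", "members": [sa_member("cb-borrower"), sa_member("cb-identity")]},
    {"role": "roles/pubsub.subscriber", "members": [sa_member("cb-borrower")]},
    {"role": "roles/pubsub.publisher", "members": [sa_member("cb-borrower")]},
    {"role": "roles/cloudsql.client", "members": [sa_member("cb-borrower"), sa_member("cb-identity")]},
    {"role": "roles/cloudkms.cryptoKeyEncrypter", "members": [sa_member("cb-identity")]},
    {"role": "roles/editor", "members": [sa_member("cb-borrower")]},
]}

if __name__ == "__main__":
    for sa, d in sorted(find_drift(SAMPLE_POLICY).items()):
        print(sa, "excess:", sorted(d["excess"]), "missing:", sorted(d["missing"]))
```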