GCP Least Privileged and Restricted Permission for Aviatrix

The Aviatrix controller provides a unified control and management plane for Google Cloud. Aviatrix allows enterprises to on-board hundreds of GCP projects/accounts into the controller. Once these projects are on-boarded, the Aviatrix controller can control and manage networking and security across those projects.

On the Aviatrix documentation page, one of the options is to use the “Editor” service account to on-board the project.

https://docs.aviatrix.com/HowTos/CreateGCloudAccount.html

This might not be desirable for many enterprises, as they would want to use least-privileged service account credentials. In that situation, Aviatrix's recommendation is to assign at least the following roles to the service account so that Aviatrix can perform its functions properly, for instance managing compute resources, route tables, firewall rules and Shared VPC networks.

  • Compute Admin
  • Service Account User
  • Organization Administrator (optional; required for Shared VPC)
  • Project IAM Admin (optional; required for Shared VPC)

Compute Admin role

Name: roles/compute.admin
Description: Full control of all Compute Engine resources. If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role.
Permissions: compute.*, resourcemanager.projects.get, resourcemanager.projects.list, serviceusage.quotas.get, serviceusage.services.get, serviceusage.services.list
https://cloud.google.com/compute/docs/access/iam#compute.admin

Service Account User role

Name: roles/iam.serviceAccountUser
Description: Run operations as the service account.
Permissions: iam.serviceAccounts.actAs, iam.serviceAccounts.get, iam.serviceAccounts.list, resourcemanager.projects.get, resourcemanager.projects.list
https://cloud.google.com/compute/docs/access/iam#iam.serviceAccountUser
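As an added example (not code from this post or from Aviatrix), the following Python check audits a project's IAM policy for the Aviatrix service account against the roles listed above, flagging a leftover Editor binding as over-privileged. The role ids used for the two Shared VPC roles, the service account e-mail and the sample policy are assumptions made here.

```python
"""Audit a GCP project's IAM policy for the Aviatrix service account.

Added example, not part of the original post or of Aviatrix's tooling. It
reads the JSON that `gcloud projects get-iam-policy PROJECT --format=json`
returns (a constructed sample is embedded below) and reports whether the
service account holds the least-privileged roles and nothing broader."""
import json

# Role ids for the roles named in the post (this mapping is supplied here).
REQUIRED_ROLES = {"roles/compute.admin", "roles/iam.serviceAccountUser"}
OPTIONAL_ROLES = {  # only needed when the project participates in Shared VPC
    "roles/resourcemanager.organizationAdmin",
    "roles/resourcemanager.projectIamAdmin",
}
# Basic roles that grant far more than Aviatrix needs on a project.
BROAD_ROLES = {"roles/owner", "roles/editor"}

def roles_for_member(policy, member):
    """Return the set of roles bound to `member` in a get-iam-policy JSON object."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}

def audit_aviatrix_sa(policy, sa_email, shared_vpc=False):
    """Compare the roles held by the service account with the recommended set."""
    held = roles_for_member(policy, f"serviceAccount:{sa_email}")
    allowed = REQUIRED_ROLES | (OPTIONAL_ROLES if shared_vpc else set())
    missing = sorted(REQUIRED_ROLES - held)             # Aviatrix cannot work without these
    broad = sorted(held & BROAD_ROLES)                  # over-privileged: remove these
    unexpected = sorted(held - allowed - BROAD_ROLES)   # e.g. Shared VPC roles when not needed
    return {"missing": missing, "broad": broad, "unexpected": unexpected,
            "ok": not (missing or broad or unexpected)}

# Constructed sample: the SA was on-boarded via the Editor path and only partly migrated.
SAMPLE_SA = "aviatrix@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:aviatrix@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/compute.admin",
     "members": ["serviceAccount:aviatrix@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/viewer", "members": ["user:alice@example.com"]}
  ]
}
""")

if __name__ == "__main__":
    for key, value in audit_aviatrix_sa(SAMPLE_POLICY, SAMPLE_SA).items():
        print(f"{key}: {value}")
```

Run it against a real project by replacing SAMPLE_POLICY with the parsed output of the gcloud command named in the docstring; pass shared_vpc=True for host projects so the two Shared VPC roles are not reported as unexpected.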
