Problem Statement

By default GCP Compute Service Account permissions are wide open with the Editor role. Here is how you can see the problem yourself.

Create a new GCP Project

Notice the “Service Accounts” area and notice that there is no account there yet.

Enable Compute API for PCI Service Project

Default GCP Service Account

A default Compute Engine GCP service account (845482233226-compute@developer.gserviceaccount.com) is created as you can see from the following diagram

More details about this default compute engine service account can be seen in the following diagram

IAM Permissions For Default Compute Account

If you go back to IAM area, notice the the default compute account is there. By default it comes with “Editor” permission. Editor is a wide open permission and should not be used in production for a service account

How to Fix this Problem?

The fix is not difficult. There is an automated way and a manual way. I will explain the manual method and have provided URL for the automated way as well.

Change the permission on GCP Default Compute Service Account

When a VM (such as Aviatrix Egress FDQN, User-VPN, Transit, Spoke GW etc.) is deployed in the GCP Project, the GCP project automatically associates a Default Service Account with it. It is the default GCP behavior and cannot be changed. Notice that this account is different than the account we created to on-board the GCP project into Aviatrix Controller

There are two methods to restrict the permission for the default service account

1- Automated Method: Global IAM setting to disable automatic role grant for Default Service Account

2- Manual Method: Change the permission for Default Service Account

1- Automated Method: Global IAM Setting to disable automatic role grant

GCP recommends production customers to disable automatic role grant to default service accounts

https://cloud.google.com/iam/docs/service-accounts

“When a default service account is created, it is automatically granted the Editor role (roles/editor) on your project. This role includes a very large number of permissions. To follow the principle of least privilege, we strongly recommend that you disable the automatic role grant by adding a constraint to your organization policy, or by revoking the Editor role manually.”

https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts#disable_service_account_default_grants

Some Google Cloud services automatically create default service accounts. When a default service account is created, it is automatically granted the Editor role (roles/editor) on your project.

To improve security, we strongly recommend that you disable the automatic role grant. Use the iam.automaticIamGrantsForDefaultServiceAccounts boolean constraint to disable the automatic role grant.

2- Manual Method: Change the permission for Default Service Account

In my setup I used the manual method to change the permission for default service account. I assigned the least possible access role to this new member PCI. Aviatrix at minimum would need

  • Compute Admin
  • Service Account User
  • Organization Admin and
  • Project IAM Admin role.

Note: Organization Admin and Project IAM Admin roles are only needed for “Shared VPC”. Skip those roles if you are not planning to use “Shared VPC”

Following screen shows the example of editing the permission for a memeber

After you save, it should look like following

Now select/click this “Service Account” area under “IAM & Admin”

Now “Create new key” key for this service account.

The type must be Json

The new key is created and downloaded on your machine now

This Jason key is what we will use to on-board the GCP account in the Aviatrix Controller

Following is the sample of how it looks like

{
  "type": "service_account",
  "project_id": "service-project-pci",
  "private_key_id": "746b9729f7aaeb0762e637e443941a960542124f",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC1aWbZnR+GHCrM\ncL1ETvam4Q2bb7nXbEtT8aOj6SIt3zJMIN0ycJ40W7QqBS57bBYhF/mskkOEbP60\nkfkKp1ygM5eg5q7+bXINGm5rpDu0VvK7BWvA+lKOGpvJSA3SOEMN+kvr5p3H+iRl\ngE802d0OzR981bWGRodqan3+i3u52K5b4c/25e2nxq0WvTGD+/LcIYZKVTx6PM1X\nfuPNaHhKIk8lMt7HOlT/Y+CJ9/qdPtct/sZak6B0BM5AiurIBYV4Pk87PuhIF+W8\nz0WGtDQ50YvrRWOK6qKFOcs6Z1lZDx1bIUDfj80ItIDw64z9f1wHNC1SEuOHqaJ+\nItFrvBCzAgMBAAECggEAMjL7ceZHrd2nf0xjIz7Sg/UsxcFR5Kmj4pOwG5BMk/L6\nQRSrAOUm8ggaP7J1XVPYf8nZngZPRpq+lIr8JhWPzQjZwX10GRWCBNw2h/THTKzu\nuA/U9G6QX6A/UaBtqqlE7N5BGgMT0B2I6slpoY9T21+pgerFM2Xa3Pig6soAL7mt\nbPY7soSVFshf0EcV3ZkYTxuBXaDdJtLftoimsyJBFYomWHg3WTF/Gp2ua5XC27U1\nDhQ6bR2urQcbcusL+xMeS5ZBo1HyBzJKkQSuHixG7OY62VTct8o89vWIg18oSUaA\nqvcD3WIjh1jNDVHx2JgE1b5INvoLHVZoPGDlZOCa6QKBgQDlgsrBygZLEdtvI9IG\nXcRqIgMI+H3XbIZKYYA4G1Qo+ummsMzIWJyOjotEfanh3SNt/nabUyQjvTezsOHS\n2xvU+R+ISi6GhNLrF+zzvktgwOA8IoCn21gWRLsad4ergDAYDZ6B7q2KWLP9O+DE\nyiN5o/l9l+PATUy7XYaHkhhQVwKBgQDKWXRwmRXnZc3Jb/2sTeJp77i0N163mKVL\n0RNONMFJ2W5i7+Fz9hQ4o/bnGdcPtZbncDHlXCkJEBqx0UfKd6IAW16tvF+gS9OV\n9j9JrqCgaT44mOduMSWkyIqOP4L7Wpp49y36xkfXzkbkmaDShrQpc+KHydmBrNM0\nMQpCD6YZBQKBgQCmQRKDQsdARhVA8x/HANGxWCX+r5LpJHI7G1n4SsOyU+BBob0W\nPCpckiGMYcNYHAr4OObOKXH6ea0J+836IkKNClGvNp1xUHJBXrmE74pG8jD9Hrk3\n3wp2Rx+KUp/yug8cvXDfCninyQ3JGUD/DLaZ/RBTzF1tBhHZgCxdtJTsTQKBgHQM\njb0t7uQA/N60PdYd7OY4t8OTpdzBzLsIs3u8wcXqz2YqkTCCRuKdFrM/nJnD2UHu\nlI8oJdiuxcCJeBTkO6LcxBX73RP/qN9ulKlbX3/gG/E1sDUANsikwuIGBsbFFaae\njF4wbW+VPA9LFHLpElZbweWCnB3E0nQyU+HDO81JAoGBAJ+FLYEqEDwHeskO/us7\nR4pG0A55QpGduQaDtJcW2rQZXhwLOZklucUWVtilUiOGQt9Kk3v31n9R4zhfyS2c\n+RfIs1fHgvEzBhrEUxKchvkcVOSwIOqklk1+wjXvIVlb5zLklyV+cIqaDi7wp26g\nOwMtNj72PO+5w28/4b0rnqTW\n-----END PRIVATE KEY-----\n",


  "client_email": "pciserviceaccount@service-project-pci.iam.gserviceaccount.com",
  "client_id": "106577340982754556535",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/pciserviceaccount%40service-project-pci.iam.gserviceaccount.com"
}

Now under Aviatrix Controller –> Access Account, onboard the GCP Project as shown in the following diagram. Leave the Project ID filed blank. Controller will automatically pick the name

Following diagram shows that on-boarding GCP project was a success

Deploy Aviatrix Gateway For GCP Project

Now when I deploy the Aviatrix GW, it will be using the restricted permission to connect to GCP and then when the GW is deployed.

GW Deployment Progress on GCP

Controller shows the following output

[12:39:07] Starting to create GW gcp-spk-gw1-pci.
[12:39:08] Connected to GCE.
[12:39:13] Project check complete.
[12:39:14] License check is complete.
[12:39:23] Updating IGW for new gateway…
[12:39:31] Launching compute instance in GCE….
[12:40:34] GCE compute instance created successfully.
[12:40:34] Updating DB.
[12:40:34] Added GW info to Database.
[12:40:36] AVX SQS Queue created.
[12:40:36] Creating Keys.
[12:41:03] Initializing GW…..
[12:41:03] Copy configuration to GW gcp-spk-gw1-pci done.
[12:41:04] Copy new software to GW gcp-spk-gw1-pci done.
[12:41:05] Copy misc new software to GW gcp-spk-gw1-pci done.
[12:41:05] Copy scripts to GW gcp-spk-gw1-pci done.
[12:41:05] Copy sdk to GW gcp-spk-gw1-pci done.
[12:41:10] Copy libraries to GW gcp-spk-gw1-pci done.
[12:41:10] Installing software ….
[12:41:11] Issuing certificates …
[12:41:27] Issue certificates done

Instance creation can now show you following

On the GCP VM Instance notice that Aviatrix does not assign any service account or allow access to any GCP Cloud API for additional security.

Categories:

Tags:

Comments are closed