Merge pull request #3 from BishopFox/newfeat-readmeupdates
updated documentation for new custom role permissions
Andrzej Komarnicki authored Jan 16, 2024
2 parents 65198dd + f08323d commit d1ff2d9
Showing 1 changed file with 24 additions and 2 deletions.
26 changes: 24 additions & 2 deletions README.md
Expand Up @@ -2,7 +2,7 @@

This repo provides terraform code for customers looking to implement Google Cloud connector support for the Bishop Fox Cosmos platform.

There is a dependency on Workload Identity Federation (WIF) being enabled inside the designated project and _values.tfvars_ or env variables must be filled out with values for the following variables:
There is a dependency on Workload Identity Federation (WIF) being enabled inside the designated project and _values.tfvars_ or env variables must be filled out with values for the following variables related to said project:

- _projectID_
- _projectNumber_
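Review bot: the rewritten sentence in this hunk ("... for the following variables related to said project") is awkward and still leaves the reader guessing which project is meant; suggest "for the following variables, which describe the project in which WIF is enabled:" so that _projectID_ and _projectNumber_ are unambiguously tied to the WIF project, and expand "env variables" to "environment variables".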
Expand All @@ -19,7 +19,29 @@ gcloud projects describe $(gcloud config get-value core/project) --format=value\
- AWS_iamRole1
- AWS_iamRole2

Once the Workload Identity Pool, Workload Identity Pool AWS provider and [Connected] Service Account are provisioned you can add the service account as a principal with _Compute Viewer role_ to IAM permissions of one or more GCP projects, at the folder-level or at the organization-level.
Once the Workload Identity Pool, Workload Identity Pool AWS provider and [Connected] Service Account are provisioned you can add the service account as a principal with a _Custom Role_ to IAM permissions of one or more GCP projects, at the folder-level or at the organization-level.

_Custom Role_ permissions:

```bash
• compute.forwardingRules.get
• compute.forwardingRules.list
• compute.globalForwardingRules.get
• compute.globalForwardingRules.list
• compute.instances.get
• compute.instances.list
• compute.projects.get
• compute.regions.get
• compute.regions.list
• compute.zones.get
• compute.zones.list
• resourcemanager.projects.get
• resourcemanager.projects.list
• serviceusage.services.get
• serviceusage.services.list
• storage.buckets.getIamPolicy
• storage.buckets.list
```

The customer also needs to provide Bishop Fox with the WIF credentials file that is exported using the following command:

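Review bot: the _Custom Role_ permissions block is wrapped in a ```bash fence but holds bullet characters rather than shell, so it neither renders as a list nor can be pasted; render it as a plain markdown list or, better, as the command the customer actually runs, e.g. `gcloud iam roles create cosmosConnector --organization=ORG_ID --permissions=compute.forwardingRules.get,compute.forwardingRules.list,...` (or the equivalent YAML role file), so the README documents how the role is created and not only what it contains. Two points the prose should also cover: the sentence above says the role can be bound "at the folder-level or at the organization-level", which requires the custom role to be created at the organization level (a project-level custom role can only be bound within that project); and the hunk replaces the predefined _Compute Viewer_ role with a role that adds `storage.buckets.getIamPolicy` and `storage.buckets.list`, which are not part of Compute Viewer, so the README should state why the connector needs to read bucket IAM policies so that customers can make a least-privilege decision before granting it.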
