
Project setup script authorizes GCE to use Cloud KMS keys on the dev project. #590


Merged
merged 1 commit into from
Aug 25, 2020
15 changes: 14 additions & 1 deletion deploy/setup-project.sh
Expand Up @@ -2,7 +2,8 @@

# This script will setup the given project with a Service Account that has the correct
# restricted permissions to run the gcp_compute_persistent_disk_csi_driver and download
# the keys to a specified directory
# the keys to a specified directory. This script also authorizes GCE to encrypt/decrypt
# using Cloud KMS keys for the CMEK feature.

# WARNING: This script will delete and recreate the service accounts, bindings, and keys
# associated with ${GCE_PD_SA_NAME}. Great care must be taken to not run the script
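Review bot: the new header sentence states unconditionally that the script authorizes GCE to use Cloud KMS, but the body only does so when ENABLE_KMS is true (see the parameter list and the `if [ "${ENABLE_KMS}" = true ]` block later in this diff); qualify it, e.g. `# When ENABLE_KMS=true, this script also authorizes GCE to encrypt/decrypt using Cloud KMS keys for the CMEK feature.` The WARNING below should also mention that the KMS binding is granted to the Compute Engine service agent, not to ${GCE_PD_SA_NAME}, so it is not among the bindings the script deletes and recreates.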
Expand All @@ -12,6 +13,7 @@
# PROJECT: GCP project
# GCE_PD_SA_NAME: Name of the service account to create
# GCE_PD_SA_DIR: Directory to save the service account key
# ENABLE_KMS: If true, it will enable Cloud KMS and configure IAM ACLs.


set -o nounset
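Review bot: the ENABLE_KMS description is vaguer than what the script does and does not say how the value is parsed: the check later in this diff is `[ "${ENABLE_KMS}" = true ]`, so only the exact string `true` enables it, and `ensure_var ENABLE_KMS` makes the variable mandatory rather than optional. Suggest: `# ENABLE_KMS: Required. Set to exactly "true" to enable the Cloud KMS API and grant the Compute Engine service agent roles/cloudkms.cryptoKeyEncrypterDecrypter on the project; any other value skips this.`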
Expand All @@ -24,6 +26,7 @@ source "${PKGDIR}/deploy/common.sh"
ensure_var PROJECT
ensure_var GCE_PD_SA_NAME
ensure_var GCE_PD_SA_DIR
ensure_var ENABLE_KMS

# If the project id includes the org name in the format "org-name:project", the
# gCloud api will format the project part of the iam email domain as
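Review bot: `ensure_var ENABLE_KMS` only checks that the variable is set; combined with the string comparison against `true` later in the diff, a value such as `True`, `yes` or `1` passes here and then silently skips the KMS setup. Validate the value right after this line, e.g. `case "${ENABLE_KMS}" in true|false) ;; *) echo "ENABLE_KMS must be true or false" >&2; exit 1;; esac`, so a typo fails fast instead of producing a project without the binding.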
Expand All @@ -38,6 +41,7 @@ fi
readonly KUBEDEPLOY="${PKGDIR}/deploy/kubernetes"
readonly BIND_ROLES=$(get_needed_roles)
readonly IAM_NAME="${GCE_PD_SA_NAME}@${IAM_PROJECT}.iam.gserviceaccount.com"
readonly PROJECT_NUMBER=`gcloud projects describe ${PROJECT} --format="value(projectNumber)"`

# Check if SA exists
CREATE_SA=true
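Review bot: `readonly PROJECT_NUMBER=\`...\`` masks the exit status of the gcloud call (the shell sees the status of `readonly`), so if `gcloud projects describe` fails, PROJECT_NUMBER is silently empty and the later binding targets the malformed member `service-@compute-system.iam.gserviceaccount.com`. Split the assignment from `readonly`, quote `"${PROJECT}"`, check for an empty result, and use `$(...)` as the line above does for `get_needed_roles`:
PROJECT_NUMBER=$(gcloud projects describe "${PROJECT}" --format="value(projectNumber)")
[ -n "${PROJECT_NUMBER}" ] || { echo "could not resolve project number for ${PROJECT}" >&2; exit 1; }
readonly PROJECT_NUMBER
Since the value is only used inside the ENABLE_KMS block, the lookup could also move there so non-KMS runs make one API call fewer.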
Expand Down Expand Up @@ -91,6 +95,15 @@ do
gcloud projects add-iam-policy-binding "${PROJECT}" --member serviceAccount:"${IAM_NAME}" --role "${role}"
done

# Authorize GCE to encrypt/decrypt using Cloud KMS encryption keys.
# https://cloud.google.com/compute/docs/disks/customer-managed-encryption#before_you_begin
if [ "${ENABLE_KMS}" = true ];
then
gcloud services enable cloudkms.googleapis.com --project="${PROJECT}"
gcloud projects add-iam-policy-binding "${PROJECT}" --member serviceAccount:"service-${PROJECT_NUMBER}@compute-system.iam.gserviceaccount.com" --role "roles/cloudkms.cryptoKeyEncrypterDecrypter"
fi
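Review bot: the binding grants the Compute Engine service agent roles/cloudkms.cryptoKeyEncrypterDecrypter at project scope, i.e. on every key in ${PROJECT}, and nothing in the script removes it; the WARNING at the top only covers resources associated with ${GCE_PD_SA_NAME}. If the keys used for CMEK live in a known key ring, granting the role on that key ring (`gcloud kms keyrings add-iam-policy-binding`) would be tighter, and either way a comment here should state the scope of the grant and that it persists across re-runs.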


Contributor

This script is for users to set up their cluster; if they do not use the CMEK feature, this part is not needed.
Is it better to give an option? If the user enables this option, then set it up?

Contributor

That's not a bad point. My thought was that it's better to have this stuff on by default as, e.g. for testing, it makes everything more consistent.

But maybe we don't want to add policy bindings by default.

Contributor Author

Added a parameter called ENABLE_KMS.

Contributor

/lgtm

I think it's good to have to explicitly specify KMS, that's better than having a default that won't be noticed until it's too late.

# Export key if needed
if [ "${CREATE_SA}" = true ];
then