GAE CI/CD Service Account Permissions


Mike Hardy

Aug 6, 2017, 12:09:53 PM
to Google App Engine
Hi, we are using Bitbucket Pipelines for our CI/CD engine, and it works great with Google App Engine. However, there appears to be one significant security flaw with GCP. 

We need to permission a service account to deploy our application and the only permission that appears to work is Project Owner. The keys are secured, but if, somehow, someone were to gain access to this service account, they could delete our entire project, which also includes our database and a few other mission-critical resources.

It would be much safer if we could deploy our application with granular permissions like GAE Deployer and GCS Admin, which we have tried to use unsuccessfully. We also tried to create a custom App Engine role, which granted all permissions, but the permissions still failed us. Does anyone have any suggestions?

Thanks,
Mike

Shivam (Google Cloud Support)

Aug 7, 2017, 4:13:46 PM
to Google App Engine
You’ve reported the same issue at the public issue tracker here. For better management and tracking reasons, we’ll post updates on the issue tracker.

Thank you