Hi, we are using Bitbucket Pipelines for our CI/CD engine, and it works great with Google App Engine. However, there appears to be one significant security flaw with GCP.
We need to permission a service account to deploy our application and the only permission that appears to work is Project Owner. The keys are secured, but if, somehow, someone were to gain access to this service account, they could delete our entire project, which also includes our database and a few other mission critical resources.
It would be much safer if we could deploy our application with granular permissions like GAE Deployer and GCS Admin, which we have tried to use unsuccessfully. We also tried to create a custom App Engine role, which granted all permissions, but the permissions still failed us. Does anyone have any suggestions?
Thanks,
Mike
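An added example, not part of Mike's post, of the least-privilege setup he is asking about: a script that grants a CI deploy service account a narrow role set instead of Owner (the role list is an assumption to check against the current App Engine deployment docs), plus an audit that reads an exported IAM policy and lists service accounts still holding roles/owner. The project id and service-account email are placeholders.

```shell
#!/bin/sh
# Added example: narrow role grant for a CI deploy service account, and an
# audit of an exported IAM policy for service accounts bound to roles/owner.
# The role set below is an assumption; verify it against the App Engine docs.
DEPLOY_ROLES="roles/appengine.deployer roles/appengine.serviceAdmin \
roles/storage.admin roles/cloudbuild.builds.editor"

# DRY_RUN=1 (default) prints the gcloud commands; DRY_RUN=0 executes them.
: "${DRY_RUN:=1}"
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# grant_deploy_roles PROJECT_ID SA_EMAIL
grant_deploy_roles() {
  project=$1; sa=$2
  for role in $DEPLOY_ROLES; do
    run gcloud projects add-iam-policy-binding "$project" \
      --member="serviceAccount:$sa" --role="$role"
  done
  # actAs only on the App Engine default service account, not project-wide
  run gcloud iam service-accounts add-iam-policy-binding \
    "$project@appspot.gserviceaccount.com" \
    --member="serviceAccount:$sa" --role=roles/iam.serviceAccountUser
}

# Reads `gcloud projects get-iam-policy PROJECT_ID` (YAML) on stdin and
# prints every serviceAccount member that is bound to roles/owner.
find_owner_service_accounts() {
  awk '
    /^- /                  { n = 0 }                        # new binding
    /^  - serviceAccount:/ { sub(/^  - /, ""); m[n++] = $0 }
    /^  role: /            { if ($2 == "roles/owner") for (i = 0; i < n; i++) print m[i]; n = 0 }
  '
}

# Constructed sample policy (example-project and the emails are placeholders).
SAMPLE_POLICY='bindings:
- members:
  - serviceAccount:ci-deploy@example-project.iam.gserviceaccount.com
  - user:mike@example.com
  role: roles/owner
- members:
  - serviceAccount:ci-deploy@example-project.iam.gserviceaccount.com
  role: roles/appengine.deployer
etag: BwXplaceholder=
version: 1'

echo "== service accounts holding roles/owner =="
printf '%s\n' "$SAMPLE_POLICY" | find_owner_service_accounts
echo "== commands that grant the narrow role set instead =="
grant_deploy_roles example-project ci-deploy@example-project.iam.gserviceaccount.com
```

Run the audit against a real project with `gcloud projects get-iam-policy PROJECT_ID | sh -c '. ./script.sh >/dev/null; find_owner_service_accounts'`, or just paste the function into a shell; any service account it prints can delete the project and should be moved to the narrow set.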