Github Enterprise (GHE) VM GCP Service Account

We run GHE via a VM on GCP.

The default service account that GCP creates is very insecure, and we need to create a new one to use.  However, we are having a very hard time finding the correct permissions/roles to assign for this new Service Account, taking into account that we want to assign it the least possible access.


Has anyone done this?  If so, could you please help?  We want to define this service account via Terraform.


Thank you!


I have not done it in prod, but from some testing the steps will be:

  1. Add the GitHub token to Secret Manager
  2. Create a service account with Secret Manager Secret Accessor
  3. Provide the service account permission to read the GitHub secret "Basic, Viewer"
  4. Assign the VM the service account


$ gcloud secrets versions access 1 --secret="github_token"

Terraformer is an interesting way to create the tf files.


Regardless of what kind of app you deploy on GCE VMs, you will need at least these permissions for Cloud Monitoring and Logging to work properly:

  • roles/logging.logWriter
  • roles/monitoring.metricWriter
  • roles/monitoring.viewer
  • roles/stackdriver.resourceMetadata.writer


The rest will depend on your requirements. If your node needs to talk to Cloud Storage, for example, you might need to add some storage permissions... You can figure this one out through experimentation.


Hope this helps
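Putting both replies together as Terraform, as an added example that is not from either poster: it defines a dedicated service account, binds only the four agent roles from the second reply at project level, grants `roles/secretmanager.secretAccessor` on the single `github_token` secret rather than project-wide, and attaches the account to the VM. The project id, zone, machine type and image are placeholders, and the `replication { auto {} }` syntax assumes google provider v5 or newer.

```hcl
# Added example constructed for this thread; project id, zone, machine type
# and image are placeholders. `replication { auto {} }` needs google provider v5+.
resource "google_service_account" "ghe" {
  account_id   = "ghe-vm"
  display_name = "GitHub Enterprise VM (least privilege)"
}

# The four agent roles from the second reply, bound at project level.
resource "google_project_iam_member" "ghe_agent" {
  for_each = toset([
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
    "roles/monitoring.viewer",
    "roles/stackdriver.resourceMetadata.writer",
  ])
  project = "my-project-id" # placeholder
  role    = each.value
  member  = "serviceAccount:${google_service_account.ghe.email}"
}

# Steps 1-3 of the first reply: the token lives in Secret Manager and the
# accessor role is granted on this one secret only, not on the whole project.
resource "google_secret_manager_secret" "github_token" {
  secret_id = "github_token"
  replication {
    auto {}
  }
}
resource "google_secret_manager_secret_iam_member" "ghe_token_reader" {
  secret_id = google_secret_manager_secret.github_token.secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.ghe.email}"
}

# Step 4: the VM runs as the dedicated account instead of the default one.
# Access scopes stay broad; the IAM bindings above are what limit the VM.
resource "google_compute_instance" "ghe" {
  name         = "ghe-vm"
  machine_type = "n2-standard-8" # placeholder
  zone         = "us-central1-a" # placeholder
  boot_disk {
    initialize_params { image = "projects/PLACEHOLDER/global/images/ghe" }
  }
  network_interface { network = "default" }
  service_account {
    email  = google_service_account.ghe.email
    scopes = ["cloud-platform"]
  }
}
```

The secret value itself is deliberately not managed here: add the version out of band (for example with `gcloud secrets versions add`) so the token never lands in Terraform state, and read it from the VM with the `gcloud secrets versions access` call shown in the first reply.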