We run GHE via a VM on GCP.
The default service account that GCP creates is very insecure, and we need to create a new one to use. However, we are having a very hard time finding the correct permissions/roles to assign for this new Service Account, taking into account that we want to assign it the least possible access.
Has anyone done this? If so, could you please help? We want to define this service account via Terraform.
Thank you!
I have not done it in prod, but from some testing the steps will be:
$ gcloud secrets versions access 1 --secret="github_token"
Terraformer is an interesting way to create the tf files.
Regardless of what kind of app you deploy on GCE VMs, you will need at least these permissions:
For Cloud Monitoring and Logging to work properly
The rest will depend on your requirements. If your node needs to talk to Cloud Storage, for example, you might need to add some storage permissions. You can figure this one out through experimentation.
Hope this helps
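One way to put the above into Terraform, as an added example rather than code from either poster: a dedicated service account for the GHE VM with only the two roles the Cloud Logging and Cloud Monitoring agents need at project level, plus read access to the `github_token` secret from the `gcloud secrets` command above, granted on that one secret only instead of project-wide. The project ID variable, the `ghe-vm` account name, the image variable, the zone and the machine type are assumed placeholders; the Secret Manager binding is only needed if the VM actually reads that secret.

```hcl
# Added example, not from the original thread. Assumed inputs: the project ID
# and the GHE image are supplied as variables; names, zone and machine type
# are placeholders to adapt.
variable "project_id" {
  type = string
}

variable "ghe_image" {
  type        = string
  description = "Self-link of the GHE image imported into the project (assumed)"
}

# Dedicated identity for the VM, replacing the default Compute Engine
# service account (which inherits whatever broad role the project gave it).
resource "google_service_account" "ghe_vm" {
  project      = var.project_id
  account_id   = "ghe-vm"
  display_name = "GitHub Enterprise Server VM"
}

# Minimum project-level roles for the logging and monitoring agents to ship
# logs and metrics. Nothing else is granted at project scope.
locals {
  ghe_vm_project_roles = [
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
  ]
}

resource "google_project_iam_member" "ghe_vm" {
  for_each = toset(local.ghe_vm_project_roles)

  project = var.project_id
  role    = each.value
  member  = "serviceAccount:${google_service_account.ghe_vm.email}"
}

# Least-privilege access to one secret: bind secretAccessor on the secret
# itself rather than on the project, so the VM can read only github_token.
resource "google_secret_manager_secret_iam_member" "ghe_vm_github_token" {
  project   = var.project_id
  secret_id = "github_token"
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.ghe_vm.email}"
}

resource "google_compute_instance" "ghe" {
  project      = var.project_id
  name         = "ghe-server"
  machine_type = "n2-standard-8"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = var.ghe_image
    }
  }

  network_interface {
    network = "default"
  }

  # Attach the dedicated account. With the cloud-platform scope the legacy
  # per-API scopes stop narrowing access; what the VM may do is then
  # decided entirely by the IAM bindings above.
  service_account {
    email  = google_service_account.ghe_vm.email
    scopes = ["cloud-platform"]
  }
}
```

After `terraform apply`, describe the instance with `gcloud compute instances describe ghe-server --zone us-central1-a` and confirm the `serviceAccounts` entry is the `ghe-vm` account, not the `...-compute@developer.gserviceaccount.com` default. If GHE later needs another API, add the narrowest role that makes the failing call succeed (ideally on the specific bucket or secret, as done for the token above) rather than a project-wide Editor-style role.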