Use custom service account for search dataform #3800
Branch force-pushed: ebcf0cb to e237f69
Since this is Terraform, I assume the approach to testing is to get this merged and then test it out on integration before applying the changes in production.
aaronfowles
left a comment
The terraform plan looks like it failed with what could be a transient error. Might be worth triggering a retry from the UI to see if that resolves...
Thanks @aaronfowles ! I reran the plan and it looks like it's working now.
hannako
left a comment
This makes sense to me based on the confluence documentation and my reading of the gcp docs. But as discussed with @emmalowe in person, our roll out approach will be to merge, apply the change in integration and confirm all looks as expected before applying the change in production
Branch force-pushed: e9c171e to 06e96b1
GCP is enforcing a new access control model for Dataform called "strict act-as mode" [1]. As part of this, GCP is disabling the ability for Dataform instances to be run using the default Dataform service account. All Dataform workflows must switch to a custom service account, which the Dataform Service Agent is given permissions on [2].

Steps covered:

- Change BigQuery internal project permissions from default service account to custom service account
- Give default service account permissions to impersonate custom service account
- Add custom service account to repo set up (to use this as the default account for running workflows)
- Give custom service account secrets permissions to connect to our dataform Github repo

[1] https://docs.cloud.google.com/dataform/docs/strict-act-as-mode
[2] https://docs.cloud.google.com/dataform/docs/access-control#grant-roles-auto-workflows
Branch force-pushed: 06e96b1 to 1756975
GCP is enforcing a new access control model for Dataform called "strict act-as mode". As part of this, GCP is disabling the ability for Dataform instances to be run using the default Dataform service account, so all Dataform workflows must switch to a custom service account, which the Dataform Service Agent is given permissions on. The custom service account must include the iam.serviceAccounts.actAs permission to configure Dataform workflows.
Steps covered here:
See:
Note that we don't need read permissions on other projects. GA4 data is written to our project from a different project - that project will need to add write permissions to our project when they come to switch their accounts:
https://github.com/alphagov/govuk-infrastructure/blob/main/terraform/deployments/search-api-v2/events_ingestion.tf#L27
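The four steps in the description, written out as a minimal Terraform sketch. This is an added example, not the govuk-infrastructure code from this PR: the project id and number, dataset, secret, region and repo URL are constructed placeholders, and the specific roles (Token Creator for the service agent on the custom account, Data Editor on the dataset, Secret Accessor on the token) are assumptions taken from the GCP docs the description links, not from the PR diff.

```hcl
locals {
  project_id     = "example-project"   # constructed placeholder
  project_number = "123456789012"      # constructed placeholder
}

# Custom service account that Dataform workflows will run as.
resource "google_service_account" "dataform" {
  project    = local.project_id
  account_id = "dataform-workflows"
}

# Let the Dataform service agent (the "default" account) impersonate the
# custom account. Binding on the SA resource rather than the project keeps
# the impersonation grant scoped to this one account (least privilege).
resource "google_service_account_iam_member" "agent_impersonates_custom" {
  service_account_id = google_service_account.dataform.name
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = "serviceAccount:service-${local.project_number}@gcp-sa-dataform.iam.gserviceaccount.com"
}

# BigQuery permissions move from the default account to the custom one,
# granted on the internal dataset, not project-wide.
resource "google_bigquery_dataset_iam_member" "dataform_editor" {
  project    = local.project_id
  dataset_id = "search_internal"   # constructed placeholder
  role       = "roles/bigquery.dataEditor"
  member     = "serviceAccount:${google_service_account.dataform.email}"
}

# The custom account needs to read the GitHub token used to clone the repo.
resource "google_secret_manager_secret_iam_member" "github_token_reader" {
  project   = local.project_id
  secret_id = "dataform-github-token"   # constructed placeholder
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.dataform.email}"
}

# Make the custom account the repository default so every workflow
# invocation uses it instead of the default Dataform service account.
resource "google_dataform_repository" "search" {
  project         = local.project_id
  region          = "europe-west2"   # constructed placeholder
  name            = "search"
  service_account = google_service_account.dataform.email
  git_remote_settings {
    url                                 = "https://github.com/example-org/example-dataform.git"
    default_branch                      = "main"
    authentication_token_secret_version = "projects/${local.project_id}/secrets/dataform-github-token/versions/latest"
  }
}
```

The user or pipeline that applies this also needs iam.serviceAccounts.actAs on the custom account, as the description notes, otherwise setting service_account on the repository is rejected.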