Support assigning IAM roles to users

[theHilikus]

SUMMARY

Right now it's not possible to bind an IAM role with a user in an ansible-friendly way. This use case should be supported since roles are only created to be assigned to users. A role without users is useless

ISSUE TYPE

• Feature Idea

COMPONENT NAME

Either add the functionality to the gcp_iam_role module to be able to create and bind roles in one task or create a new module to exclusively bind roles to users

ADDITIONAL INFORMATION

There's no use on creating roles if they can't be added to a user. Right now my workaround is to use the command module to add the role using gcloud

name: assign role to user
command: gcloud projects add-iam-policy-binding {{gcp_project}} --member "serviceAccount:myAccount@{{gcp_project}}.iam.gserviceaccount.com" --role  "projects/{{gcp_project}}/roles/myRole"

But that has a lot of requirements. You need to have gcloud locally, you need to be authenticated, it is not idempotent, etc etc

The simplest way that I can think for this new feature would be to add a parameter bindings to the gcp_iam_role module to be able to bind the role to a list of users
e.g.

- name: Create and bind my role
      gcp_iam_role:
        name: "myRole"
        title: Dummy role
        project: "{{gcp_project}}"
        included_permissions:
          - compute.addresses.create
          - compute.addresses.get
        bindings: # new parameter
          - serviceAccount:myAccount@{{gcp_project}}.iam.gserviceaccount.com

[alexgeek]

I'd appreciate this too.

[alexgeek]

Currently have to do this ugly/unportable mess:

     - name: Ensure the externaldns service account exists
       google.cloud.gcp_iam_service_account:
         name: "{{ service_account_email }}"
         display_name: External DNS service account
         project: "{{ google_project_name }}"
         auth_kind: application
         state: present
       tags:
       - google

     - name: Check if the service account has the correct policy bindings
       shell: "gcloud projects get-iam-policy {{ google_project_name }} --flatten='bindings[].members' --format='table(bindings.role)' --filter='bindings.members:{{ service_account_email}}' | grep roles/dns.admin"
       register: service_account_roles
       ignore_errors: true
       tags:
       - google

     - name: Assign roles/dns.admin policy
       shell: "gcloud projects add-iam-policy-binding {{ google_project_name }} --member:{{ service_account_email }} --role roles/dns.admin"
       when: (service_account_roles.stdout_lines|length == 0) or (service_account_roles.stdout_lines[0] != "roles/dns.admin")
       tags:
       - google

[alexgeek]

The simplest way that I can think for this new feature would be to add a parameter bindings to the gcp_iam_role module to be able to bind the role to a list of users
e.g.

- name: Create and bind my role
      gcp_iam_role:
        name: "myRole"
        title: Dummy role
        project: "{{gcp_project}}"
        included_permissions:
          - compute.addresses.create
          - compute.addresses.get
        bindings: # new parameter
          - serviceAccount:myAccount@{{gcp_project}}.iam.gserviceaccount.com

If this is to be implemented I don't think that is the correct approach, there should be a separate role binding module. At the moment the "state" parameter of gcp_iam_role is clear, this role should exist. If we had a gcp_iam_role_binding module then the state would indicate whether the given account should have the given role.

[Chaffelson]

Bindings may also have Conditions, which would be too complex to implement without a separate module.
I would quite like to see this done as well, so I don't have to drop to CLI for this task.

[dannysauer]

Weird that this isn't assigned to anyone after two years. I didn't think I'd be the first person ever who wanted to provision users to GCP users with Ansible. :D

/off to see if it's easier to write this module or convert to a different automation platform 🤷

[Chaffelson]

This collection is effectively abandoned and is being removed from the main Ansible family, see here for details.

The problem would be that PRs are not being reviewed and merged that I can see, so even if you wrote it you'd still be installing your own fork.

[dannysauer]

Looks like now it's potentially unabandoned based on the current information in that thread. Maybe.

[toumorokoshi]

This collection is effectively abandoned and is being removed from the main Ansible family, see ansible-community/community-topics#105 for details.

At the time of writing I think it's accurate to say it was abandoned, but we've done work recently to try to get it into better shape and review PRs.

If someone wants to send a contribution I'd be happy to review it and merge assuming proper testing, etc.

I'll label this as a feature, but unfortunately we don't have the bandwidth to do much more than maintenance. Again, happy to accept PRs!

[toumorokoshi]

For the approach: doing the bindings via the role doesn't match with the API, which exposes setIamPolicy on a service account.

I'd argue it's surprising for users when a client doesn't match the resource structure of an API. e.g. you can't infer the ansible approach from the docs that speak to API / GCloud / etc.

I'd actually suggest this is a feature of gcp_iam_service_account, or perhaps it's own resource since it has set/get around iam policy.

[alexgeek]

Funnily enough I've just run into this again. I may be able to find time this week to implement it.

I would just do something like:

gcp_iam_policy_binding:
  project: "{{ google_project_name }}"
  member: "{{ service_account_email }}"
  role: "roles/dns.admin"
  state: present

And just use add-iam-policy-binding, remove-iam-policy-binding, get-iam-policy.

Not really used conditions tbh, guess wouldn't be hard to add either:

gcp_iam_policy_binding:
  project: "{{ google_project_name }}"
  member: "{{ service_account_email }}"
  role: "roles/dns.admin"
  conditions:
    expression: 'expression=request.time < timestamp("2019-01-01T00:00:00Z")'
    title: 'expires_end_of_2021'
    description: 'Expires at midnight on 2021-12-31'
  state: present

@toumorokoshi that seem fine?

edit: changed example name to 'gcp_iam_policy_binding'

[toumorokoshi]

Hi! I That should work fine, it seems to map to the SetIamPolicy API: https://cloud.google.com/iam/docs/reference/rpc/google.iam.v1#google.iam.v1.SetIamPolicyRequest.

[alexgeek]

Hi! I That should work fine, it seems to map to the SetIamPolicy API: https://cloud.google.com/iam/docs/reference/rpc/google.iam.v1#google.iam.v1.SetIamPolicyRequest.

Hmm I'm a bit lost with this, are there any examples of using RPC APIs in the codebase atm?
Struggling to find any docs for it.

[alexgeek]

Bit closer now, I did find the REST equivalent of what you linked.

But that's actually the wrong API for this, that's the IAM API where you can add a policy giving users access to service accounts.

It's actually a cloud resource manager API that is needed, this gives a list of bindings of members to role (makes sense since above the command gcloud projects not cloud iam - took me a while to notice that).

So it'll actually be:

gcp_resourcemanager_iam_policy_binding:
  project: "{{ google_project_name }}"
  member: "{{ service_account_email }}"
  role: "roles/dns.admin"
  state: present

So should be good:

state: present

• If there's a binding that has member and role -> good no change
• If there's a binding with the role but member is missing -> add member to role
• If there's no binding with the role -> add new binding with member and role

state: absent

• If there's a binding that only has one member and the role -> remove the binding
• If there's a binding that has multiple members including the one specified and the role -> remove the member
• If there's no binding with the role -> good no change

[alexgeek]

@toumorokoshi I've pushed an implementation here.

It's not tested at all yet, I haven't run it.

Bit confused with the contributions here, the testing seems tricky to setup. I'm a bit weary to run them as I don't know exactly it will do or how much it could cost. Is there no CI that can run this?

Is the documentation wrong anyway? It says:

mkdir -p $TARGET_DIR/ansible_collections/google
git clone <url> $TARGET_DIR/collections/google/cloud

Should that be?:

mkdir -p $TARGET_DIR/ansible_collections/google
git clone <url> $TARGET_DIR/ansible_collections/google/cloud

Also with the changelog, am I supposed to make a new fragments directory like the linked docs say? Because in this repo there is only a changelog.yaml with fragments inside under releases.