[iris] Drop implicit SA fallback from SSH impersonation#4382
Conversation
|
Claude finished @rjpower's task in 1m 9s —— View job PR Review: Drop implicit SA fallback from SSH impersonation
Verdict: Looks good — clean, focused removal of the implicit fallback. The change is well-motivated and correctly applied across all call sites. What this doesRemoves the Review notes
No issues found. Ship it. |
|
this still needed if #4381 was merged? |
|
this is more cleaning up the path that shouldn't have been there, i'll rebase |
…rvice_account Remove the service_account parameter from ssh_impersonate_service_account() so it only returns a value when impersonate_service_account is explicitly set in SshConfig. In metadata mode the controller's ambient VM identity is used for gcloud SSH — no impersonation needed. OS Login setups that need impersonation must set ssh.impersonate_service_account explicitly.
d15bac5 to
4bbf326
Compare
Remove the service_account parameter from ssh_impersonate_service_account() so impersonation only happens when explicitly configured in SshConfig. Previously the function fell back to the worker/controller service_account, which caused metadata-mode SSH commands to include --impersonate-service-account unnecessarily, requiring the controller SA to hold iam.serviceAccountUser on every worker SA. Now metadata mode uses the VM's ambient identity and OS Login setups must set ssh.impersonate_service_account explicitly.
Remove the service_account parameter from ssh_impersonate_service_account()
so impersonation only happens when explicitly configured in SshConfig. Previously
the function fell back to the worker/controller service_account, which caused
metadata-mode SSH commands to include --impersonate-service-account unnecessarily,
requiring the controller SA to hold iam.serviceAccountUser on every worker SA.
Now metadata mode uses the VM's ambient identity and OS Login setups must set
ssh.impersonate_service_account explicitly.