
App Engine – Restrict deploy to specific service

We have two services running on Google App Engine.


We would like to restrict deployment to only specific users to the default (prod) target, but allow any devs to deploy to dev target.

Can't figure out the IAM conditions for it.

App engine doesn't seem to be an official resource type here https://cloud.google.com/iam/docs/conditions-resource-attributes#resource-name

and it's consistent with the service filter dropdown


I've tried using the name I get from gcloud app services describe dev:

resource.name == 'apps/my-project/services/dev'

But that doesn't seem to work either; it just gives access denied, so I'm guessing that's not the right resource name filter.

Is there a way to limit this as above?

App Engine permissions are granted at the project level and cannot be filtered for each different service of the application.

There is an open feature request https://issuetracker.google.com/115904598 to allow specific deployments of versions that I recommend you to star and follow.

Separating your prod and dev environments (I understand that this can be inconvenient sometimes) in different GCP projects could be the only viable alternative for the time being.
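A defender-side check that follows from this answer, added here and not part of the original post: because App Engine deploy rights apply to the whole project rather than one service, the prod project's IAM policy is the only gate, so it is worth auditing it for every principal holding a deploy-capable role. The policy JSON, the set of roles treated as deploy-capable, and the allowlist are constructed assumptions for the example.

```python
import json
from typing import Dict, List

# Roles whose holders can deploy to *every* App Engine service in the project
# (assumption for this example: the two App Engine roles plus the primitive
# roles that include them). Conditional bindings are counted too, since a
# condition on a project-level binding cannot narrow it to one service.
DEPLOY_CAPABLE_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/appengine.appAdmin",
    "roles/appengine.deployer",
}

# Constructed sample in the shape of
# `gcloud projects get-iam-policy PROJECT --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/appengine.deployer",
     "members": ["group:prod-deployers@example.com", "user:dev1@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:ci@my-project.iam.gserviceaccount.com"]},
    {"role": "roles/appengine.serviceAdmin",
     "members": ["user:dev2@example.com"]},
    {"role": "roles/viewer",
     "members": ["user:dev1@example.com"]}
  ]
}
""")


def deploy_capable_members(policy: dict) -> Dict[str, List[str]]:
    """Map each principal that can deploy to the roles granting that ability."""
    result: Dict[str, List[str]] = {}
    for binding in policy.get("bindings", []):
        if binding.get("role", "") not in DEPLOY_CAPABLE_ROLES:
            continue
        for member in binding.get("members", []):
            result.setdefault(member, []).append(binding["role"])
    return result


def unexpected_deployers(policy: dict, allowlist: set) -> Dict[str, List[str]]:
    """Principals with deploy-capable roles that are not on the allowlist."""
    return {m: r for m, r in deploy_capable_members(policy).items() if m not in allowlist}


if __name__ == "__main__":
    allow = {"group:prod-deployers@example.com",
             "serviceAccount:ci@my-project.iam.gserviceaccount.com"}
    for member, roles in unexpected_deployers(SAMPLE_POLICY, allow).items():
        print(f"UNEXPECTED deploy access: {member} via {', '.join(roles)}")
```

Run it against the real output of gcloud projects get-iam-policy for the prod project (adjusting the allowlist) to confirm that only the intended principals can push to the default service.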

AFAIK, you can't restrict permissions to deploy to a specific service because users can create custom services per GCP account.

Two options that I can suggest:

  1. Create a different GCP project for prod. If you're using CLI, the prod devs can simply change the GCP project and deploy.

  2. Use CICD with Cloud Build, and only grant merge access to prod branch to prod devs. No dev in this case would need access to your GCP projects.

For anyone still looking for options, it is possible to accomplish deployment isolation via gcloud config. It allows the creation of a named configuration for each environment, for example.

Configuration governs the behavior of gcloud CLI.

Usage example:

Deploy to DEV (default) environment:

deploy:
  image: google/cloud-sdk:alpine
  stage: deploy
  environment: Development
  script:
    - cp $GAE_ENV_VARIABLES ./env_variables.yaml
    - echo $GAE_SERVICE_ACCOUNT > /tmp/$CI_PIPELINE_ID.json
    - gcloud auth activate-service-account --key-file /tmp/$CI_PIPELINE_ID.json
    - gcloud app deploy app.yaml --project $GCP_PROJECT_ID --version $CI_COMMIT_SHORT_SHA --image-url=us.gcr.io/$GCP_PROJECT_ID/$IMAGE_NAME:$CI_COMMIT_REF_NAME-$CI_COMMIT_SHORT_SHA

Deploy to TEST environment:

You can make it a requirement to have a specific service account to create/activate this environment, and even a dedicated app.yaml like app_test.yaml with a different service name.

deploy_test:
  image: google/cloud-sdk:alpine
  stage: deploy
  environment: Test
  only:
    - master
  script:
    - cp $GAE_ENV_VARIABLES ./env_variables.yaml
    - echo $GAE_SERVICE_ACCOUNT > /tmp/$CI_PIPELINE_ID.json
    - gcloud auth activate-service-account --key-file /tmp/$CI_PIPELINE_ID.json
    - gcloud config configurations create test --quiet --project $GCP_PROJECT_ID
    - gcloud config configurations activate test --quiet --project $GCP_PROJECT_ID
    - gcloud auth activate-service-account --key-file /tmp/$CI_PIPELINE_ID.json #activate service account under the new configuration
    - gcloud app deploy app_test.yaml --project $GCP_PROJECT_ID --version $CI_COMMIT_SHORT_SHA --promote --image-url=us.gcr.io/$GCP_PROJECT_ID/$IMAGE_NAME:$CI_COMMIT_REF_NAME-$CI_COMMIT_SHORT_SHA

