Comments (5)
Observations:
- it always occurs with a service account that targets a single role, roles/storage.admin
- it affects pulumi, or non-pulumi service accounts without an identified pattern
- it does appear correlated to my prototyping in a separate cluster but same gcp project
- all service accounts for pulumi are independent of the current production service accounts
From a set of stacks (identity, infrastructure, app) that were up with verified roles, I destroyed each and rechecked roles, still there. Left the identity stack in place.
From existing identity stack, upped identity and app stacks, roles still good.
Continued prototyping more deployment/service/ingress (which had failures) and eventually found that a non-pulumi sa had the role missing again.
Unfortunately I could never narrow this further and cause it to happen directly.
from pulumi-gcp.
Another observation. The following was created with two roles:

```typescript
// Identity is the author's own component resource (not a pulumi-gcp resource);
// project and protect are defined elsewhere in their program.
export const ciApp = new Identity(
  'ciApp',
  {
    project,
    iamRoles: [
      // for deploying new services/deployments
      'roles/container.developer',
      // for pushing new images to gcr
      'roles/storage.admin',
    ],
  },
  { protect },
)
```
We found a non-pulumi iam had lost roles/storage.admin, and found a pulumi managed iam had lost only roles/storage.admin.
So it is something specific to roles/storage.admin, or so it seems.
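The recheck described in the comments above was done by hand. The block below is an added example, not code from the issue or from pulumi-gcp: a drift check that takes a project IAM policy in the shape returned by `gcloud projects get-iam-policy PROJECT --format=json` and reports, per service account, which expected roles are missing and which extra roles are present. Conditional bindings are deliberately not counted, since a conditional grant is not the unconditional grant the Pulumi program declared. The project id, account names and the policy itself are constructed for the example; the sample reproduces the pattern reported here, two accounts that both lost only roles/storage.admin.

```typescript
// Added example (not from the issue or pulumi-gcp): detect IAM role drift for
// service accounts from a project IAM policy document.

interface Condition {
  title: string;
  expression: string;
}

interface Binding {
  role: string;
  members: string[];
  condition?: Condition;
}

// Shape of `gcloud projects get-iam-policy PROJECT --format=json`.
interface IamPolicy {
  version?: number;
  etag?: string;
  bindings: Binding[];
}

// Expected roles keyed by IAM member string, e.g. "serviceAccount:...".
type ExpectedRoles = Record<string, string[]>;

interface Drift {
  member: string;
  missing: string[];
  unexpected: string[];
}

function findRoleDrift(policy: IamPolicy, expected: ExpectedRoles): Drift[] {
  // member -> roles held unconditionally. Conditional bindings are skipped.
  const held: Record<string, string[]> = {};
  for (const binding of policy.bindings) {
    if (binding.condition) continue;
    for (const member of binding.members) {
      const roles = held[member] || [];
      if (roles.indexOf(binding.role) === -1) roles.push(binding.role);
      held[member] = roles;
    }
  }

  const drift: Drift[] = [];
  for (const member of Object.keys(expected)) {
    const wanted = expected[member];
    const have = held[member] || [];
    const missing = wanted.filter((r) => have.indexOf(r) === -1);
    const unexpected = have.filter((r) => wanted.indexOf(r) === -1).sort();
    if (missing.length > 0 || unexpected.length > 0) {
      drift.push({ member, missing, unexpected });
    }
  }
  return drift;
}

// Constructed sample: assumed project id and account names, not from the thread.
const PROJECT = "example-project";
const CI_APP = `serviceAccount:ci-app@${PROJECT}.iam.gserviceaccount.com`;
const LEGACY = `serviceAccount:legacy-deployer@${PROJECT}.iam.gserviceaccount.com`;
const OTHER = `serviceAccount:unrelated@${PROJECT}.iam.gserviceaccount.com`;

const samplePolicy: IamPolicy = {
  version: 3,
  bindings: [
    { role: "roles/container.developer", members: [CI_APP, LEGACY] },
    // roles/storage.admin survives only for an unrelated account...
    { role: "roles/storage.admin", members: [OTHER] },
    // ...and as an expired conditional grant to ci-app, which must not count.
    {
      role: "roles/storage.admin",
      members: [CI_APP],
      condition: {
        title: "expired",
        expression: 'request.time < timestamp("2020-01-01T00:00:00Z")',
      },
    },
    { role: "roles/viewer", members: [LEGACY, CI_APP] },
  ],
};

// What the Pulumi program declared for each account.
const expectedRoles: ExpectedRoles = {
  [CI_APP]: ["roles/container.developer", "roles/storage.admin"],
  [LEGACY]: ["roles/container.developer", "roles/storage.admin", "roles/viewer"],
};

function checkSample(): Drift[] {
  return findRoleDrift(samplePolicy, expectedRoles);
}

for (const d of checkSample()) {
  console.log(`${d.member}: missing=[${d.missing.join(", ")}] unexpected=[${d.unexpected.join(", ")}]`);
}
```

To run it against a real project, replace `samplePolicy` with `JSON.parse(fs.readFileSync("policy.json", "utf8"))` after `gcloud projects get-iam-policy "$PROJECT" --format=json > policy.json`, and run it from CI on a schedule so a lost binding is noticed before a deploy fails. One thing worth checking when the drift is confined to a single role, as here: in pulumi-gcp, `gcp.projects.IAMBinding` is authoritative for its role and removes every member not in its `members` list, including accounts created outside Pulumi, whereas `gcp.projects.IAMMember` only adds a single member. A second stack or a prototype in the same GCP project that declares an `IAMBinding` for `roles/storage.admin` would produce exactly this symptom on its next update; the thread does not establish that this is what happened, so treat it as a hypothesis to test, not a finding.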
Title should change
- Provider is removing roles from non-Pulumi-managed accounts
+ Provider is removing roles from Pulumi and non-Pulumi-managed accounts
@jen20 were you able to reproduce this? I don’t believe we’ve seen this again since the initial reports, and I’m not exactly sure how to reproduce or diagnose further.
We haven't been able to reproduce this and haven't seen any other reports of this. If it is possible for this to happen, it is almost certainly an issue in the upstream provider, and we'd love to try and pinpoint that issue and report/fix it upstream, but have not been able to due to the inability to reproduce. Closing out - but if anyone sees this and can share a reproduction - happy to re-open.