Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

gcloud: support GCE_ZONE_ID to bypass zone list #2081

Merged
merged 4 commits into from
Jan 18, 2024
Merged

gcloud: support GCE_ZONE_ID to bypass zone list #2081

merged 4 commits into from
Jan 18, 2024

Conversation

philpennock
Copy link
Contributor

The GCloud IAM permission system permits a zone to grant access to an actor, without the project granting any access. This can be used with Service Accounts to let an SA edit DNS in one particular zone, and nothing more.

Remove the need for the caller to have project-level role access granting the dns.managedZones.list permission, in exchange for the caller telling us the explicit zone ID to use, via the GCE_ZONE_ID environment variable.

PR comment: sorry, I'm going to need help figuring out the test rig and how to set it up to fail the managedzones list call but succeed on zone edits, to add a test for this logic.

PR comment 2: this is #2073 redone from a personal repo at the request of a member of go-acme/lego

@philpennock philpennock mentioned this pull request Jan 13, 2024
Closed
@ldez ldez added this to the v4.15 milestone Jan 13, 2024
ldez
ldez approved these changes Jan 18, 2024
View reviewed changes
Copy link
Member

@ldez ldez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ldez ldez force-pushed the phil/gcloud-specified-zone branch from 1a04d51 to 71fd89b Compare January 18, 2024 20:38
@ldez ldez enabled auto-merge (squash) January 18, 2024 20:38
philpennock and others added 4 commits January 18, 2024 22:11
@philpennock @ldez
gcloud: support GCE_ZONE_ID to bypass zone list
cb9e80d 
The GCloud IAM permission system permits a zone to grant access to an actor,
without the project granting any access.  This can be used with Service
Accounts to let an SA edit DNS in one particular zone, and nothing more.

Remove the need for the caller to have project-level role access granting the
`dns.managedZones.list` permission, in exchange for the caller telling us the
explicit zone ID to use, via the `GCE_ZONE_ID` environment variable.
@philpennock @ldez
gcloud: reduce complexity for linters
951bb8d 
Restructure to reduce complexity, rename variables for compatibility, and use
`golangci-lint run --fix` before check-in.
@ldez
review
2c083cd
@ldez
review: doc
e0df42c
@ldez ldez force-pushed the phil/gcloud-specified-zone branch from 71fd89b to e0df42c Compare January 18, 2024 21:11
@ldez ldez merged commit 143aa4f into go-acme:master Jan 18, 2024
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ldez ldez ldez approved these changes

Assignees
No one assigned
Labels
area/dnsprovider enhancement
Milestone
v4.15
Development

Successfully merging this pull request may close these issues.
2 participants
@philpennock @ldez