Discussion on: How to backup your Firestore data automatically

blaquiere guillaume • Edited

Thanks for this great idea!

However, I'm skeptical about security management:

  • Does the service account have to have the owner role? Isn't that too much?
  • Why add the other roles if the service account is owner?
  • This highly granted role is simply base64-encoded and left in "clear" in an environment variable!

Why not simply consider this:

  • Rely on Cloud Run identity and grant the sufficient role on it
  • If you really need an additional/external service account, you could maybe consider berglas. If your code is in Go or in Python, you can easily use it (I wrote the Python lib for reading secrets from a bucket).

Julien Landuré

Hi Guillaume 👋

Thanks for your feedback. 👍
I invite you to report the error on the GitHub of the project here.

For the service account and the owner role, I just followed the documentation here.
Perhaps we could use the Cloud Run service account.

This first tutorial on "how to backup your Firestore data" is described to show a simple use case. I understand your advice on security management. Your idea to use KMS is interesting.

Thank you.

blaquiere guillaume

I created issue #7 and pull request #8.

Security can still be higher, with private Cloud Run, and Cloud Scheduler with a service account identity and the role run.invoker granted on it for calling Cloud Run.

Unrelated comment: I hope you enjoy your GDE Summit weekend!

Best
Guillaume
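
Added example, not part of the original thread or the project's code: a small audit of exported IAM policies for the two concerns raised above, a service account holding the owner role alongside narrower roles, and a Cloud Run service that is publicly invocable instead of restricted through run.invoker. The project name, account names and both policy documents are constructed; their shape is assumed to match the JSON output of `gcloud projects get-iam-policy` and `gcloud run services get-iam-policy`.

```python
"""Audit IAM policy exports for the issues raised in this thread (added example)."""

BROAD_ROLES = {"roles/owner", "roles/editor"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
BACKUP_SA = "serviceAccount:backup@demo-project.iam.gserviceaccount.com"  # constructed

# Constructed sample, shaped like `gcloud projects get-iam-policy --format=json`.
PROJECT_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com", BACKUP_SA]},
        {"role": "roles/datastore.importExportAdmin", "members": [BACKUP_SA]},
        {"role": "roles/storage.admin", "members": [BACKUP_SA]},
    ]
}

# Constructed sample, shaped like `gcloud run services get-iam-policy --format=json`.
RUN_POLICY = {"bindings": [{"role": "roles/run.invoker", "members": ["allUsers"]}]}


def roles_by_member(policy):
    """Invert the bindings list into {member: set(roles)}."""
    out = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out.setdefault(member, set()).add(binding["role"])
    return out


def overprivileged_service_accounts(policy):
    """Return {service account: narrower roles it holds next to a broad role}."""
    findings = {}
    for member, roles in roles_by_member(policy).items():
        # Human owners are expected; a workload identity with owner is the finding.
        if member.startswith("serviceAccount:") and roles & BROAD_ROLES:
            findings[member] = sorted(roles - BROAD_ROLES)
    return findings


def public_invokers(run_policy):
    """Return public principals allowed to invoke the Cloud Run service."""
    members = set()
    for binding in run_policy.get("bindings", []):
        if binding["role"] == "roles/run.invoker":
            members |= PUBLIC_MEMBERS & set(binding.get("members", []))
    return sorted(members)


if __name__ == "__main__":
    print(overprivileged_service_accounts(PROJECT_POLICY))
    print(public_invokers(RUN_POLICY))
```

The narrower roles listed for a flagged account are a starting point for the least-privilege set to keep once the broad role is removed.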