Skip to content

refactor: restrict Token Creator role to self-impersonation in setup script#530

Merged
DavidAPierce merged 1 commit into
mainfrom
davidapierce/workloadIdentity
Jul 6, 2026
Merged

refactor: restrict Token Creator role to self-impersonation in setup script#530
DavidAPierce merged 1 commit into
mainfrom
davidapierce/workloadIdentity

Conversation

@DavidAPierce

Copy link
Copy Markdown
Collaborator

Description

This PR updates the setup_workload_identity.sh script to align the service account configuration with the principle of least privilege.

Why

The script previously granted the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) to the triage service account at the project level. This project-wide grant is broader than necessary for the CLI's token management needs. Restricting this role to the service account resource itself (allowing self-impersonation) is sufficient and follows Google Cloud best practices.

Changes

  • IAM: Modified the gcloud command in setup_workload_identity.sh to use gcloud iam service-accounts add-iam-policy-binding targeting the specific service account resource, rather than gcloud projects add-iam-policy-binding.

shift IAM Grant from project level to service account level

Signed-off-by: David Pierce <davidapierce@google.com>
@DavidAPierce DavidAPierce requested review from a team as code owners June 29, 2026 21:44
@DavidAPierce DavidAPierce merged commit f5a5775 into main Jul 6, 2026
16 checks passed
@DavidAPierce DavidAPierce deleted the davidapierce/workloadIdentity branch July 6, 2026 19:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

2 participants