[Nomad][Autoscaler] Least privilege for nomad autoscaler MIG

Hi, what is the least privilege for nomad-autoscaler with a GCP MIG? We want to supply it with a service account JSON key that has least privilege. I didn't find the right documentation for it; I checked here, but it isn't mentioned.

Or is there anything I didn't know about configuring nomad-autoscaler for a GCP MIG?

Thanks

Hi @petrukngantuk1 :wave:

That's a good question, and something we should document. Looking at the code, the GCP plugin only calls get, list and deleteInstances from the Compute API, so I created a role with only these two permissions and it seems to have been enough:

compute.instanceGroupManagers.get
compute.instanceGroupManagers.update

Could you give this a try and let us know if it works for you as well? If it does, we'll update the docs with this new information.

Thank you.

Okay, thanks, I will try it and let you know.

Hi, not sure why it's not fully working, but we use this in our Terraform code, as we deploy nomad-autoscaler outside GCP:

module "service_accounts" {
  source        = "terraform-google-modules/service-accounts/google"
  version       = "~> 3.0"
  project_id    = var.gcp_project_id
  # GCP service account IDs are limited to 30 characters
  names         = [substr(local.service_account_name, 0, 30)]
  display_name  = local.service_account_name
  # Emits a JSON key for the service account (passed to the autoscaler)
  generate_keys = true
  # Predefined role granted at project level: "<project>=><role>"
  project_roles = [
    format("%s=>roles/compute.instanceAdmin.v1", var.gcp_project_id),
  ]
}

How are you passing the service credentials to the Autoscaler?

We are using the service account JSON key.

Hum… then I'm not sure. I tested with only those two permissions in a service account and it worked.

Do you have any extra details as to which API was throwing the error?

Maybe try all permissions for compute.instanceGroupManagers and reduce one at a time?

compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroupManagers.update
compute.instanceGroupManagers.use

Source: Compute Engine IAM roles and permissions
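As an added example (not code from this thread or from the Nomad Autoscaler project), here is one way to express the minimal grant discussed above in Terraform, covering both the two-permission role from the first reply and the "start with all four and reduce one at a time" approach from the last one: a project-level custom IAM role holding only compute.instanceGroupManagers.* permissions, bound to the autoscaler's service account instead of the broad predefined roles/compute.instanceAdmin.v1 used in the module posted earlier. The role id, service account id, variable names and the default permission list are assumptions for illustration.

```hcl
# Added example: least-privilege custom role for the Nomad Autoscaler GCP MIG plugin.
# Role id, service account id and variable names below are assumptions.

variable "gcp_project_id" {
  type = string
}

# Start from the four instanceGroupManagers permissions listed in the thread and
# trim one at a time; get + update were reported as sufficient.
variable "autoscaler_permissions" {
  type = list(string)
  default = [
    "compute.instanceGroupManagers.get",
    "compute.instanceGroupManagers.list",
    "compute.instanceGroupManagers.update",
    "compute.instanceGroupManagers.use",
  ]
}

resource "google_service_account" "nomad_autoscaler" {
  project      = var.gcp_project_id
  account_id   = "nomad-autoscaler"
  display_name = "Nomad Autoscaler (GCP MIG plugin)"
}

# Custom role scoped to managed-instance-group operations only, instead of
# roles/compute.instanceAdmin.v1, which also allows creating, deleting and
# reconfiguring arbitrary VM instances in the whole project.
resource "google_project_iam_custom_role" "nomad_autoscaler_mig" {
  project     = var.gcp_project_id
  role_id     = "nomadAutoscalerMig"
  title       = "Nomad Autoscaler MIG"
  description = "Read and resize managed instance groups for the Nomad Autoscaler"
  permissions = var.autoscaler_permissions
}

# Bind the custom role (not the predefined one) to the autoscaler's identity.
resource "google_project_iam_member" "nomad_autoscaler_mig" {
  project = var.gcp_project_id
  role    = google_project_iam_custom_role.nomad_autoscaler_mig.name
  member  = "serviceAccount:${google_service_account.nomad_autoscaler.email}"
}

# JSON key for an autoscaler running outside GCP. The private_key attribute is
# base64-encoded; decode it to get the service account JSON the plugin expects.
resource "google_service_account_key" "nomad_autoscaler" {
  service_account_id = google_service_account.nomad_autoscaler.name
}

output "autoscaler_credentials_json" {
  value     = base64decode(google_service_account_key.nomad_autoscaler.private_key)
  sensitive = true
}
```

To find the permission that is actually missing when scaling fails, check the Cloud Audit Logs for the service account's PERMISSION_DENIED entries on compute.googleapis.com methods and remove entries from the list above only while the autoscaler keeps scaling in both directions. Note that the instanceGroupManagers.deleteInstances method mentioned in the first reply is authorized by compute.instanceGroupManagers.update, so no compute.instances.* permission is needed for scale-in. The key output lands in Terraform state, so keep that state encrypted and rotate the key if state is ever exposed.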