Description
https://console.cloud.google.com/iam-admin/troubleshooter and gcloud policy-troubleshoot iam are pretty useful to figure out why someone does or does not have permissions to a specific resource. However, we lack permission to look at group membership, so this tool is really only useful for service accounts at the moment.

https://cloud.google.com/iam/docs/troubleshooting-access#troubleshooting_group_membership says we need to be granted the groups.read privilege to do this. They recommend making a custom role including just that privilege, and then assigning it to a user.
Since our contributors are not gsuite members, we setup (via #228):
- a [email protected] user
- a [email protected] service account
- but these both have more than readonly privileges
- and lack many other cloud roles to effectively use troubleshooter (I'd like to keep it that way)
https://developers.google.com/admin-sdk/directory/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account describes how to do this. I think I'd like to give [email protected] some readonly scopes to be able to use the troubleshooter. Based on my read of https://developers.google.com/admin-sdk/directory/v1/guides/authorizing:
- https://www.googleapis.com/auth/admin.directory.group.readonly
- https://www.googleapis.com/auth/admin.directory.group.member.readonly
- https://www.googleapis.com/auth/admin.directory.user.readonly
- https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly
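Domain-wide delegation grants are configured as a comma-separated list of scope URLs, and the whole point of the proposal above is that the service account ends up with read-only access and nothing more. The following is an added example (not code from this issue or from the k8s-infra project) that audits such a scope list against the four read-only scopes listed above before the grant is applied. The allowlist is taken verbatim from the issue; the assumption that a `.readonly` suffix marks Google's read-only scope variants is a heuristic used only to label non-allowlisted scopes, and the sample scope strings in the `__main__` block are constructed inputs.

```python
from typing import Dict, List, Tuple

# The four read-only Admin SDK Directory scopes proposed in the issue.
READONLY_ALLOWLIST = frozenset({
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly",
})

ADMIN_DIRECTORY_PREFIX = "https://www.googleapis.com/auth/admin.directory."


def classify_scope(scope: str) -> str:
    """Classify one OAuth scope URL.

    'allowed'  : exactly one of the four read-only scopes from the issue
    'readonly' : another admin.directory scope ending in '.readonly'
                 (assumption: the suffix marks Google's read-only variants)
    'write'    : an admin.directory scope without the '.readonly' suffix
    'foreign'  : anything outside the Admin SDK Directory API
    """
    if scope in READONLY_ALLOWLIST:
        return "allowed"
    if scope.startswith(ADMIN_DIRECTORY_PREFIX):
        return "readonly" if scope.endswith(".readonly") else "write"
    return "foreign"


def parse_scope_field(field: str) -> List[str]:
    """Split the comma-separated scope string used by the delegation UI,
    dropping whitespace and empty entries, preserving order, de-duplicating."""
    seen: List[str] = []
    for raw in field.split(","):
        scope = raw.strip()
        if scope and scope not in seen:
            seen.append(scope)
    return seen


def audit_delegation(field: str) -> Tuple[bool, Dict[str, List[str]]]:
    """Return (ok, findings).

    ok is True only when every requested scope is in the allowlist.
    findings groups each non-allowlisted scope by classification so a
    reviewer sees exactly which grant exceeds the intended read-only set.
    """
    findings: Dict[str, List[str]] = {}
    for scope in parse_scope_field(field):
        kind = classify_scope(scope)
        if kind != "allowed":
            findings.setdefault(kind, []).append(scope)
    return (not findings, findings)


if __name__ == "__main__":
    # Constructed sample: an over-broad grant mixing the intended read-only
    # scopes with the write-capable admin.directory.group scope.
    proposed = ",".join([
        "https://www.googleapis.com/auth/admin.directory.group.readonly",
        "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
        "https://www.googleapis.com/auth/admin.directory.group",
    ])
    ok, findings = audit_delegation(proposed)
    print("ok:", ok)
    for kind, scopes in findings.items():
        for scope in scopes:
            print(f"  {kind}: {scope}")
```

Run it against the scope string pasted from the admin console's delegation entry; a non-empty `findings` dict means the grant would exceed the read-only set described in this issue and should be trimmed before it is saved.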
/wg k8s-infra
/area access
/area infra/auditing
/priority backlog
/committee steering
/assign @dims
Since I need someone with an scN@ account, and I helped dims out last time we tried getting access to the admin API.