From 347107d04d98838cfe56b1c57a55050bc29119f0 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Fri, 5 Dec 2025 05:31:42 +0000
Subject: [PATCH] feat: Refine monitoring permissions for least privilege

This commit refines the IAM permissions granted to the service account in the Workload Identity Federation setup script. The `roles/monitoring.editor` role has been replaced with the more restrictive `roles/monitoring.metricWriter` role. This change adheres to the principle of least privilege, ensuring the service account has only the necessary permissions to write metric data to Cloud Monitoring, thereby enhancing the security of the setup. The user-facing output in the script has also been updated to accurately reflect this change.
---
 scripts/setup_workload_identity.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/scripts/setup_workload_identity.sh b/scripts/setup_workload_identity.sh
index 5be2626d..d7ac8485 100755
--- a/scripts/setup_workload_identity.sh
+++ b/scripts/setup_workload_identity.sh
@@ -388,9 +388,9 @@ gcloud projects add-iam-policy-binding "${GOOGLE_CLOUD_PROJECT}" \
 --condition=None
 # Grant monitoring permissions to the service account
-print_info "Granting 'Monitoring Editor' role to Service Account..."
+print_info "Granting 'Monitoring Metric Writer' role to Service Account..."
 gcloud projects add-iam-policy-binding "${GOOGLE_CLOUD_PROJECT}" \
- --role="roles/monitoring.editor" \
+ --role="roles/monitoring.metricWriter" \
 --member="serviceAccount:${SERVICE_ACCOUNT_EMAIL}" \
 --condition=None
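Review bot: The new `roles/monitoring.metricWriter` grant is made with add-iam-policy-binding, which is additive, so any project configured by an earlier run of this script keeps its existing `roles/monitoring.editor` binding and the least-privilege goal in the commit message is only reached on fresh projects. Consider revoking the superseded binding right after the new grant, e.g. `gcloud projects remove-iam-policy-binding "${GOOGLE_CLOUD_PROJECT}" --role="roles/monitoring.editor" --member="serviceAccount:${SERVICE_ACCOUNT_EMAIL}" --condition=None || true  # binding absent on first run`, with a comment noting that the removal is expected to report "not found" on first-time setups. Whether the script runs under `set -e` is not visible in this hunk, so the `|| true` guard may or may not be required; if a silent failure is not acceptable, check the binding with `gcloud projects get-iam-policy` first. The surrounding script body continues outside the hunk.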
@@ -436,7 +436,7 @@ print_header "Permissions Granted"
 echo ""
 print_success "The following permissions have been automatically granted to your repository:"
 echo "• roles/logging.logWriter - Write logs to Cloud Logging"
-echo "• roles/monitoring.editor - Create and update metrics in Cloud Monitoring"
+echo "• roles/monitoring.metricWriter - Create and update metrics in Cloud Monitoring"
 echo "• roles/cloudtrace.agent - Send traces to Cloud Trace"
 echo "• roles/aiplatform.user - Use Vertex AI for model inference"
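Review bot: The changed `echo` line still describes the role as "Create and update metrics in Cloud Monitoring", which overstates what `roles/monitoring.metricWriter` allows: to my knowledge it permits writing time-series data and creating metric descriptors, not updating or deleting them, so the summary printed to the user no longer matches the narrower grant the commit message describes. Suggest `echo "• roles/monitoring.metricWriter - Write metric data to Cloud Monitoring"` so that an operator auditing the output sees the actual scope. The enclosing output block continues outside the hunk.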