Users are deploying solutions (VMs) using the GCP Marketplace. Once a solution is deployed and tested, they try to delete the deployment.
It asks for the following permissions: config.deployments.delete, iam.serviceAccounts.setIamPolicy and resourcemanager.projects.setIamPolicy.
We are granting users config.deployments.delete, but due to security concerns we are not granting the other two, because we manage IAM role assignment in a controlled way: a user's request is approved, the user is from the relevant department and is asking for the permissions, and we follow the least-privilege security principle.
If we assign the other two permissions, users can themselves assign roles or permissions to any user in that particular project. We don't want to give users several permissions or roles such as IAM, firewall rules, and network resources like VPC and subnet creation.
How should we approach this use case, where we don't want to grant such permissions but at the same time don't want to stop users from doing their work?
Also, we want to know how other organizations tackle such a use case.
Steps to reproduce:
- Log in to https://console.cloud.google.com/
- Select the project
- Click the GCP main menu (three lines in the top-left corner) → Solutions → Solutions Deployments → the list of deployments appears there → select a deployment for deletion
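As an added example (not part of the question above), the following Python audit shows why the two setIamPolicy permissions are the concern: it walks a project IAM policy, flags every binding whose role confers either setIamPolicy permission, and reports which of the three permissions the delete flow asks for a given principal still lacks. The policy and the role-to-permission map are constructed sample data; in practice the map would be filled from `gcloud iam roles describe`, and the custom role name `deploymentDeleter` is hypothetical.

```python
import json

# The permissions the deployment-delete flow asks for, per the question.
REQUIRED_FOR_DELETE = {
    "config.deployments.delete",
    "iam.serviceAccounts.setIamPolicy",
    "resourcemanager.projects.setIamPolicy",
}
# The two that let a principal rewrite IAM bindings (grant roles to anyone).
ESCALATING = {"iam.serviceAccounts.setIamPolicy", "resourcemanager.projects.setIamPolicy"}

# Assumed role -> permissions map (constructed subset; source it from
# `gcloud iam roles describe <role>` for real roles).
ROLE_PERMISSIONS = {
    "roles/owner": REQUIRED_FOR_DELETE,
    "roles/resourcemanager.projectIamAdmin": {"resourcemanager.projects.setIamPolicy"},
    "roles/iam.serviceAccountAdmin": {"iam.serviceAccounts.setIamPolicy"},
    "projects/demo/roles/deploymentDeleter": {"config.deployments.delete"},  # hypothetical custom role
}

# Constructed sample project policy, in the shape `gcloud projects get-iam-policy --format=json` returns.
SAMPLE_POLICY = json.loads("""{"bindings": [
  {"role": "roles/owner", "members": ["user:admin@example.com"]},
  {"role": "projects/demo/roles/deploymentDeleter", "members": ["group:dev-team@example.com"]},
  {"role": "roles/iam.serviceAccountAdmin", "members": ["user:bob@example.com"]}
]}""")


def escalating_bindings(policy, role_permissions):
    """Return (member, role, [escalating permissions]) for every binding that can rewrite IAM."""
    findings = []
    for binding in policy.get("bindings", []):
        hit = sorted(role_permissions.get(binding["role"], set()) & ESCALATING)
        if hit:
            findings.extend((m, binding["role"], hit) for m in binding.get("members", []))
    return findings


def missing_for_delete(member, policy, role_permissions):
    """Permissions from REQUIRED_FOR_DELETE that `member` does not hold through any binding."""
    held = set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            held |= role_permissions.get(binding["role"], set())
    return REQUIRED_FOR_DELETE - held


if __name__ == "__main__":
    for member, role, perms in escalating_bindings(SAMPLE_POLICY, ROLE_PERMISSIONS):
        print(f"ESCALATION RISK: {member} via {role}: {', '.join(perms)}")
    print("dev-team still missing:", sorted(missing_for_delete("group:dev-team@example.com", SAMPLE_POLICY, ROLE_PERMISSIONS)))
```

The output makes the trade-off concrete: the group holding only the custom role lacks exactly the two setIamPolicy permissions, and any role that would close that gap shows up in the escalation-risk list.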