Feature Request: Support for Configuring Permissions for Cloud Run via Crossplane to Resolve 'Error: Forbidden' #635

Open
noorulqumar opened this issue Oct 14, 2024 · 1 comment
Labels
enhancement New feature or request needs:triage

Comments

@noorulqumar

When creating Cloud Run services using Crossplane, I encountered the error: "Error: Forbidden - Your client does not have permission to get URL / from this server."

I can resolve this issue manually via the GCP console by adjusting permissions. After this, I'm able to access it successfully.

I would like to request a feature to handle these permissions directly through Crossplane configurations. This would streamline the process of managing Cloud Run services without requiring additional steps in the GCP console. Having this capability in Crossplane would significantly improve the user experience by ensuring all necessary permissions are handled declaratively.

This is the config I have right now to create a Cloud Run service.

apiVersion: cloudrun.gcp.upbound.io/v1beta1
kind: Service
metadata:
  annotations:
    meta.upbound.io/example-id: cloudrun/v1beta1/service
  labels:
    testing.upbound.io/example-name: cloudrun-service
  name: cloudrun-service
spec:
  providerConfigRef:
    name: providerconfig
  forProvider:
    location: us-central1
    template:
      - spec:
          - containers:
              - image: us-docker.pkg.dev/cloudrun/container/hello
              
    traffic:
      - latestRevision: true
        percent: 100

This is the Provider detail

https://marketplace.upbound.io/providers/upbound/provider-gcp-secretmanager/v1.8.3/resources/secretmanager.gcp.upbound.io/Secret/v1beta1#doc:spec-forProvider-annotations

@noorulqumar noorulqumar added enhancement New feature or request needs:triage labels Oct 14, 2024
@mattkirby

Google documentation describes how to do this here https://cloud.google.com/run/docs/authenticating/public

The documentation tells you that you can create an IAM binding for permitting unauthenticated access by setting the role "roles/run.invoker" for the user "allUsers". See https://marketplace.upbound.io/providers/upbound/provider-gcp-cloudrun/v1.9.0/resources/cloudrun.gcp.upbound.io/ServiceIAMMember/v1beta1 for the ServiceIAMMember documentation. I have validated that this allows unauthenticated access to a Cloud Run deployment.
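
The binding described in the comment above, written as a Crossplane manifest next to a narrower variant for comparison. This is an added example, not taken from the thread or the provider's documentation: the `forProvider` field names are assumed to mirror the Terraform `google_cloud_run_service_iam_member` resource, and the resource names and the service account are placeholders.

```yaml
# Added example. Assumption: forProvider fields (location, service, role,
# member) mirror the Terraform resource google_cloud_run_service_iam_member.
# Apply only one of the two documents, depending on who should reach the service.
---
# Variant 1: public access, as described in the comment above.
# Any caller can invoke the service without credentials.
apiVersion: cloudrun.gcp.upbound.io/v1beta1
kind: ServiceIAMMember
metadata:
  name: cloudrun-service-public-invoker    # hypothetical name
spec:
  providerConfigRef:
    name: providerconfig                   # same ProviderConfig as the Service in the issue
  forProvider:
    location: us-central1                  # must match the Service's location
    service: cloudrun-service              # assumed: Cloud Run service name equals the Service's metadata.name
    role: roles/run.invoker
    member: allUsers
---
# Variant 2: invocation limited to one named identity.
# Callers must present an identity token for this principal; everyone else
# still receives the 403 shown in the issue.
apiVersion: cloudrun.gcp.upbound.io/v1beta1
kind: ServiceIAMMember
metadata:
  name: cloudrun-service-scoped-invoker    # hypothetical name
spec:
  providerConfigRef:
    name: providerconfig
  forProvider:
    location: us-central1
    service: cloudrun-service
    role: roles/run.invoker
    # Placeholder principal; replace PROJECT_ID and the account name.
    member: serviceAccount:caller@PROJECT_ID.iam.gserviceaccount.com
```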
