### Problem / motivation
Creating a Google Cloud compute environment (the single-VM `google-cloud` type, which is the only GCP CE that Studios supports) requires the provisioning credential to hold `resourcemanager.projects.setIamPolicy`, i.e. the Project IAM Admin role (`roles/resourcemanager.projectIamAdmin`). Several customers consider this too broad to grant: whoever holds it can bind any role to any principal across the whole project, and there is currently no way to provision this CE type without it.
### Current behaviour
The `google-cloud` CE is always Forge-provisioned (`isForgeEnv` is unconditionally true). During creation, Forge:
  1. Creates a new, per-CE service account (`iam.serviceAccounts.create`).
  2. Grants it `roles/storage.objectAdmin` on the work-dir bucket (bucket-level `setIamPolicy`).
  3. Edits the project IAM policy to grant that SA four roles — `roles/logging.logWriter`, `roles/monitoring.metricWriter`, `roles/storage.bucketViewer`, `roles/storage.objectViewer` — which is what requires `resourcemanager.projects.setIamPolicy`.
The same project-level `setIamPolicy` is invoked again at teardown to remove the bindings before deleting the SA.
`GoogleCloudConfig.serviceAccountEmail` exists but is an output (populated by Forge), not an input — there is no path for a user to supply an existing SA and have Forge skip steps 1 and 3.
Code (platform/master):
  • modules/platform-compute-platforms/impl/src/main/groovy/io/seqera/tower/service/platform/gcp/GoogleCloudForgeClientImpl.groovy
    — createServiceAccount L392; project setIamPolicy L520; removal L570
  • .../service/forge/GoogleCloudForgeDelegate.groovy
    — isForgeEnv L125; serviceAccountEmail set from Forge result L68
### Requested behaviour
Add an option on the Google Cloud (single-VM) CE to use a customer-provided service account instead of creating one. When a service account is supplied:
  • Forge skips SA creation and skips the project-level IAM policy edit.
  • The customer is responsible for pre-granting that SA the required roles (we document the exact set).
  • Provisioning then only needs permission to attach the existing SA to the VM, i.e. `iam.serviceAccounts.actAs` on that SA (Service Account User, `roles/iam.serviceAccountUser`, which can be granted on the SA itself rather than on the project), not `resourcemanager.projects.setIamPolicy`.
This mirrors how the Google Batch CE already behaves — it reuses the credential's own service account (`GoogleBatchPlatformProvider.groovy:717`) and never touches the project IAM policy.
### Acceptance criteria
  • A `google-cloud` CE can be created with a user-supplied service account and no use of `resourcemanager.projects.setIamPolicy` at create or delete time.
  • When no SA is supplied, behaviour is unchanged (Forge creates and binds as today), so this is backward compatible.
  • Docs list the exact roles the supplied SA must already hold.
  • Teardown does not attempt to remove project bindings it did not create.
### Notes / scope
  • This is the CE that GCP Studios runs on; there is no `GoogleBatchStudioProvider`, so customers can't sidestep it by switching CE type.
  • `resourcemanager.projects.setIamPolicy` is inherently project-scoped: it cannot be granted on a narrower resource. An IAM condition on `iam.googleapis.com/modifiedGrantsByRole` can limit which roles the holder may grant, but the holder can still bind those roles to any principal in the project, so that only narrows the objection rather than removing it. A BYO-SA path is the only way to drop the requirement outright.