
Publish GCP images with allUsers visibility #148

Open · MrBatschner opened this issue Jan 15, 2025 · 6 comments
Labels: kind/enhancement (Enhancement, improvement, extension)

Comments

@MrBatschner (Member):

What would you like to be added:

Garden Linux images on GCP are published with allAuthenticatedUsers permissions. This has to be changed to allUsers (also retroactively applied to all existing images) so that it is possible to list and consume the images for users authenticated through a federated IdP.

See the clear documentation at https://cloud.google.com/iam/docs/overview#all-authenticated-users.

Why is this needed:

Gardener will use IdP access to cloud platforms for future clusters, which should still be able to consume Garden Linux images.

@MrBatschner MrBatschner added the kind/enhancement Enhancement, improvement, extension label Jan 15, 2025
@MrBatschner (Member, Author):

Relevant code that needs to be adapted is here (glci/glci/gcp.py, lines 150 to 158 at 2442377):

```python
# Read the image's current IAM policy, then append the public binding.
iam_policies = images.getIamPolicy(
    project=gcp_project_name, resource=image_name
).execute()
# A freshly created image carries no 'bindings' key yet; append to the
# bindings list, not to the policy dict itself.
bindings = iam_policies.setdefault('bindings', [])
bindings.append({
    'members': ['allAuthenticatedUsers'],
    'role': 'roles/compute.imageUser',
})
```

@pnpavlov pnpavlov added this to the 2025-02 milestone Feb 11, 2025
@pnpavlov (Member):

@Gchbg , can you please check if this is doable in Feb?

@Gchbg Gchbg self-assigned this Feb 11, 2025
@Gchbg (Contributor) commented Feb 12, 2025:

@MrBatschner

Unfortunately this doesn't seem to be possible. From the documentation:
"On images, you can't grant roles to the special member type allUsers."

Indeed when I tried to modify one of the existing images:
ERROR: (gcloud.compute.images.set-iam-policy) HTTPError 400: Member allUsers is invalid due to membership type restrictions on the resource.

@JordanJordanov commented Feb 14, 2025:

@MrBatschner How is projects/suse-byos-cloud/global/images/sles-15-sp6-chost-byos-v20250122-x86-64 published so that it is accessible for allUsers?
Let's open a ticket to Google and ask what are the differences 🤔

@pnpavlov (Member):

Initial feedback from Google in Case 57362784: Publishing images with useable by allUsers
Created by Georgi Chulkov [email protected]‎ for sap-se-gcp-gardenlinux on Feb 14, 2025, 5:09:05 PM

I have done further research internally and was able to confirm that indeed there is a restriction in place currently for assigning the role "roles/compute.imageUser" to “allUsers”, referring to our documentation [1]. So, we can confirm that the error that you are encountering now is working as intended.

“On images, you can't grant roles to the special member type allUsers.”

Additionally, I confirmed that the principal “allAuthenticatedUsers” does not include identities that come from external identity providers (IdPs) through identity federation [2]. Therefore, I believe the currently recommended method [3] of sharing custom images publicly by utilizing the command [4] does not work for your use case since your users are authenticated through a federated identity provider.

I have done further research internally keeping your use case in mind and was able to find that to assign a GCP role to all identities coming from external IdPs through Identity Federation in GCP, you need to configure a "Workload Identity Pool" and associate a specific GCP IAM role with it, effectively granting that role to any user authenticated through the federated identity provider(s) within that pool; this is achieved through the "Workload Identity Federation" feature in GCP IAM [5]. I would suggest you kindly review the "Workload Identity Federation" [5] feature and evaluate this further with the help of your Account team (TAM, CE etc.) if necessary before implementation. I am mentioning the account team here since they are more familiar with your architecture and environment, and they are also in a better position than Support to provide architectural advice regarding new implementations. I believe this will be helpful in achieving your end goal.

Please feel free to let me know if you have any questions or concerns regarding this and I will be happy to assist accordingly.

Have a great day!

Best regards,
Andalib C.
Google Cloud Support, Montreal
Working hours: 9:00 to 17:00 EST (UTC−05:00)
References:
[1] https://cloud.google.com/compute/docs/images/managing-access-custom-images#limitations
[2] https://cloud.google.com/compute/docs/reference/rest/v1/images/setIamPolicy
[3] https://cloud.google.com/compute/docs/images/managing-access-custom-images#share-images-publicly
[4] gcloud compute images add-iam-policy-binding IMAGE_NAME --member='allAuthenticatedUsers' --role='roles/compute.imageUser'
[5] https://cloud.google.com/iam/docs/workload-identity-federation
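
The support reply above spells out the mechanics: an image is shared by binding `roles/compute.imageUser` to a principal on the image's IAM policy; `allUsers` is rejected on images (the HTTP 400 Gchbg hit), and `allAuthenticatedUsers` does not cover identities that arrive through identity federation, so the remaining route is a principal set covering a whole identity pool. The block below is an added example, not code from the glci project or from any participant in this thread. It keeps the policy mutation pure (so it runs offline and can be tested) and wires it to the same compute v1 discovery client the thread's snippet uses through `apply_policy`. Assumptions: the project number, pool ID, project and image names are placeholders; `principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/*` is Google's documented member format for every identity in a workload identity pool, and `principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/*` the corresponding format for a workforce pool (human users via an external IdP); `images.setIamPolicy` is assumed to take a GlobalSetPolicyRequest body with a `policy` field; `FakeImages` is a constructed stand-in for the client so the example runs without GCP credentials.

```python
"""Grant roles/compute.imageUser on a GCP custom image to a principal while
enforcing the documented restriction that images reject `allUsers`.

Added example, not glci code. Policy handling is pure dict manipulation;
`apply_policy` performs the read-modify-write through a compute v1 client.
"""
import copy

IMAGE_USER_ROLE = "roles/compute.imageUser"
ALL_USERS = "allUsers"                      # rejected on images (HTTP 400)
ALL_AUTHENTICATED_USERS = "allAuthenticatedUsers"  # excludes federated identities


class InvalidImageMember(ValueError):
    """Member that images.setIamPolicy would reject."""


def workload_pool_principal_set(project_number: str, pool_id: str) -> str:
    """All identities in a workload identity pool (placeholders assumed)."""
    return (
        f"principalSet://iam.googleapis.com/projects/{project_number}"
        f"/locations/global/workloadIdentityPools/{pool_id}/*"
    )


def workforce_pool_principal_set(pool_id: str) -> str:
    """All identities in a workforce identity pool (human users via an IdP)."""
    return f"principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/*"


def grant_image_user(policy: dict, member: str, role: str = IMAGE_USER_ROLE) -> dict:
    """Return a copy of `policy` with `member` bound to `role`.

    Fails fast on `allUsers` instead of round-tripping to the API for a 400.
    Idempotent: an existing unconditional binding for the role is extended,
    and a member already present is not duplicated. The policy's etag is
    preserved so the subsequent setIamPolicy is a compare-and-set.
    """
    if member == ALL_USERS:
        raise InvalidImageMember(
            "images do not accept allUsers; use allAuthenticatedUsers or a "
            "principalSet:// for a workload/workforce identity pool"
        )
    new_policy = copy.deepcopy(policy)
    bindings = new_policy.setdefault("bindings", [])
    for binding in bindings:
        if binding.get("role") == role and "condition" not in binding:
            members = binding.setdefault("members", [])
            if member not in members:
                members.append(member)
            return new_policy
    bindings.append({"role": role, "members": [member]})
    return new_policy


def apply_policy(images, project: str, image: str, member: str) -> dict:
    """Read-modify-write of the image's IAM policy.

    `images` is assumed to be `googleapiclient.discovery.build("compute",
    "v1").images()`; getIamPolicy/setIamPolicy mirror the thread's snippet.
    """
    current = images.getIamPolicy(project=project, resource=image).execute()
    updated = grant_image_user(current, member)
    if updated == current:
        return current  # nothing to write; avoid a needless policy version bump
    body = {"policy": updated}  # `updated` still carries the etag read above
    return images.setIamPolicy(project=project, resource=image, body=body).execute()


class FakeImages:
    """Constructed offline stand-in for the compute images() resource."""

    class _Call:
        def __init__(self, result):
            self._result = result

        def execute(self):
            return self._result

    def __init__(self, policy: dict):
        self.policy = policy
        self.set_calls = []

    def getIamPolicy(self, project, resource):
        return self._Call(copy.deepcopy(self.policy))

    def setIamPolicy(self, project, resource, body):
        self.set_calls.append(body)
        self.policy = body["policy"]
        return self._Call(copy.deepcopy(self.policy))


if __name__ == "__main__":
    pool = workload_pool_principal_set("123456789012", "gardener-pool")
    fake = FakeImages({"etag": "BwXyz", "bindings": [
        {"role": IMAGE_USER_ROLE, "members": [ALL_AUTHENTICATED_USERS]}]})
    print(apply_policy(fake, "example-project", "gardenlinux-example", pool))
```

The pool-level `principalSet://` keeps the existing `allAuthenticatedUsers` binding intact, so Google-native identities and federated identities are both served by the same role binding. Swap `workload_pool_principal_set` for `workforce_pool_principal_set` when the federated principals are interactive users rather than workloads.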

@pnpavlov (Member):

> @MrBatschner How is projects/suse-byos-cloud/global/images/sles-15-sp6-chost-byos-v20250122-x86-64 published so that it is accessible for allUsers? Let's open a ticket to Google and ask what are the differences 🤔

@JordanJordanov, I would expect that @MrBatschner cannot answer your question, as the policies and configuration of the project suse-byos-cloud are likely not visible to us.

Meanwhile I've added the following reply in Case 57362784: Publishing images with useable by allUsers with Google:

Hi Andalib,

Thank you for your initial research on our problem.

With regards to business impact: as you may know, SAP is one of the biggest GCP accounts in Europe. We are currently in the process of performing a series of security changes and enhancements to our infrastructure. In order to complete some blocking work, we need to adjust the way we are sharing custom images publicly. As we currently cannot proceed, a significant part of our engineers and contractors is blocked and waiting. This brings significant cost for us. Additionally, we face business risks related to compliance during external audits in case we cannot complete the planned work in the expected timeline.

Due to the multi-cloud and multi-vendor strategy of SAP, we must provide our engineers a unified experience across all supported infrastructure, and as part of that, our Garden Linux images must behave exactly the same as the mentioned sles-15-sp6-chost-byos-v20250122-x86-64. We will evaluate the proposed approach with priority on Monday; meanwhile, could you please share with us how projects/suse-byos-cloud/global/images/sles-15-sp6-chost-byos-v20250122-x86-64 is published so that it is accessible for allUsers? Is it following the same procedure you described?

Best Regards,
Pavel

@pnpavlov pnpavlov modified the milestones: 2025-02, 2025-03 Feb 27, 2025