Service Account & IAM
EZ-CDC creates a dedicated GCP Service Account in your project to run worker instances. This guide explains the permissions and how identity federation works.
Overview
| Component | Purpose | Created By |
|---|---|---|
| Worker Service Account | Identity for worker GCE instances | EZ-CDC (Terraform) |
| Workload Identity Federation | Allow EZ-CDC to deploy in your project | You (one-time setup) |
Worker Service Account
EZ-CDC automatically creates a Service Account for each deployment:
ez-cdc-wk-{deployment-hash}@YOUR_PROJECT.iam.gserviceaccount.com
The account ID is derived from your deployment ID to ensure uniqueness (GCP limits service account IDs to 30 characters).
Roles
The Service Account is granted minimal permissions:
| Role | Purpose |
|---|---|
| roles/logging.logWriter | Write worker and daemon logs to Cloud Logging |
| roles/monitoring.metricWriter | Write custom metrics to Cloud Monitoring |
GCS Access
Workers download binaries from the EZ-CDC releases bucket (ez-cdc-releases-gcp). This access is granted after deployment by the EZ-CDC control-plane using roles/storage.objectViewer scoped to the releases bucket only.
You do not need to configure GCS access manually. The control-plane grants the minimum required permissions to your Service Account after infrastructure provisioning completes.
Workload Identity Federation
EZ-CDC's control-plane runs in AWS and needs to deploy Terraform in your GCP project. This is done through Workload Identity Federation (WIF), which allows the AWS-based control-plane to authenticate to GCP without exported service account keys.
How It Works
EZ-CDC Control Plane (AWS)
│
├── AWS IAM Role → STS Token
│
└── GCP Workload Identity Federation
    │
    ├── Validates AWS STS token
    ├── Maps to GCP Service Account
    └── Issues short-lived GCP credentials
Security Benefits
- No exported keys: No long-lived service account JSON keys
- Short-lived tokens: GCP credentials are temporary and auto-rotate
- AWS identity verified: GCP validates the AWS caller identity
- Auditable: All access logged in Cloud Audit Logs
What the Service Account Can Do
✅ Allowed:
- Write logs to Cloud Logging
- Write metrics to Cloud Monitoring
- Download binaries from the ez-cdc-releases-gcp bucket
❌ Not Allowed:
- Access your Cloud Storage buckets
- Read or modify IAM policies
- Access your databases via IAM
- Access other GCP services
- Create or delete GCP resources
Verification
Check Service Account
gcloud iam service-accounts list \
--project=YOUR_PROJECT_ID \
--filter="email:ez-cdc-wk-*"
Check IAM Bindings
gcloud projects get-iam-policy YOUR_PROJECT_ID \
--flatten="bindings[].members" \
--filter="bindings.members:ez-cdc-wk-*" \
--format="table(bindings.role, bindings.members)"
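The gcloud command above lists every binding for the worker Service Account; the following script is an added example (not part of the EZ-CDC documentation or tooling) that compares those bindings against the two project-level roles the Roles table names and reports anything extra or missing. It reads the JSON output of gcloud projects get-iam-policy from stdin, and the embedded policy is a constructed sample, not data from a real project.

```python
import json
import re
import sys

# Roles the page says EZ-CDC binds to the worker Service Account at project level.
EXPECTED_PROJECT_ROLES = {
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
}

# Matches "serviceAccount:ez-cdc-wk-<hash>@<project>.iam.gserviceaccount.com".
WORKER_MEMBER_RE = re.compile(
    r"^serviceAccount:ez-cdc-wk-[^@]+@[^.]+\.iam\.gserviceaccount\.com$"
)


def worker_bindings(policy):
    """Map each EZ-CDC worker member to the set of roles bound to it."""
    found = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if WORKER_MEMBER_RE.match(member):
                found.setdefault(member, set()).add(binding["role"])
    return found


def audit_worker_policy(policy):
    """Return sorted (member, kind, role) findings for every worker SA.

    kind is "unexpected" for a project-level role the page does not list
    (roles/storage.objectViewer included: it belongs on the releases bucket,
    not on the project) and "missing" for an expected role that is absent.
    """
    findings = []
    for member, roles in worker_bindings(policy).items():
        for role in roles - EXPECTED_PROJECT_ROLES:
            findings.append((member, "unexpected", role))
        for role in EXPECTED_PROJECT_ROLES - roles:
            findings.append((member, "missing", role))
    return sorted(findings)


# Constructed sample policy (not real project data): one worker SA carries an
# extra roles/editor binding, a second worker SA lacks the metric writer role.
SAMPLE_POLICY = {
    "bindings": [
        {
            "role": "roles/logging.logWriter",
            "members": [
                "serviceAccount:ez-cdc-wk-a1b2c3@my-project.iam.gserviceaccount.com",
                "serviceAccount:ez-cdc-wk-d4e5f6@my-project.iam.gserviceaccount.com",
            ],
        },
        {
            "role": "roles/monitoring.metricWriter",
            "members": [
                "serviceAccount:ez-cdc-wk-a1b2c3@my-project.iam.gserviceaccount.com",
            ],
        },
        {
            "role": "roles/editor",
            "members": [
                "user:alice@example.com",
                "serviceAccount:ez-cdc-wk-a1b2c3@my-project.iam.gserviceaccount.com",
            ],
        },
    ]
}

if __name__ == "__main__":
    # Live use (file name is hypothetical):
    #   gcloud projects get-iam-policy YOUR_PROJECT_ID --format=json | python3 audit_worker_sa.py
    policy = SAMPLE_POLICY if sys.stdin.isatty() else json.load(sys.stdin)
    for member, kind, role in audit_worker_policy(policy):
        print(f"{kind:10} {role:40} {member}")
```

An empty result means every worker Service Account holds exactly the two documented roles and nothing else at project scope; any "unexpected" line is worth raising with whoever has project-level IAM rights, since the control-plane only ever adds the bucket-scoped objectViewer grant.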
Audit Access
Monitor calls made by the Service Account in Cloud Audit Logs. In the Logging query language `=` is an exact match, so a wildcard in the principal email needs the `=~` regex operator:
protoPayload.authenticationInfo.principalEmail=~"^ez-cdc-wk-.*@YOUR_PROJECT\.iam\.gserviceaccount\.com$"
To see operations performed on the account itself (key creation, IAM policy changes) rather than by it, filter on resource.type="service_account" instead.
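The audit log query above returns raw entries; the script below is an added example (not EZ-CDC code) that takes exported entries and turns them into a per-service call summary for the worker Service Account, flagging any service outside the three the page says the account legitimately uses (Logging, Monitoring, and the releases bucket in Cloud Storage). The entries are a constructed sample; in practice they would come from gcloud logging read with --format=json, and the field paths used are the standard protoPayload ones.

```python
import re
from collections import Counter

# Worker SA email: ez-cdc-wk-<hash>@<project>.iam.gserviceaccount.com
WORKER_SA_RE = re.compile(r"^ez-cdc-wk-[^@]+@([^.]+)\.iam\.gserviceaccount\.com$")

# Services the page lists as legitimate targets for the worker SA.
EXPECTED_SERVICES = {
    "logging.googleapis.com",
    "monitoring.googleapis.com",
    "storage.googleapis.com",
}


def is_worker_principal(email, project):
    """True only for a worker SA that lives in the given project."""
    match = WORKER_SA_RE.match(email or "")
    return bool(match) and match.group(1) == project


def summarize_worker_activity(entries, project):
    """Count audit entries per (principal, service, method) for worker SAs."""
    counts = Counter()
    for entry in entries:
        payload = entry.get("protoPayload", {})
        principal = payload.get("authenticationInfo", {}).get("principalEmail")
        if not is_worker_principal(principal, project):
            continue
        counts[(principal, payload.get("serviceName"), payload.get("methodName"))] += 1
    return counts


def flag_unexpected(counts):
    """Return sorted (principal, service, method) keys outside the expected services."""
    return sorted(key for key in counts if key[1] not in EXPECTED_SERVICES)


def _entry(principal, service, method):
    # Minimal audit-log shape: only the fields the functions above read.
    return {
        "protoPayload": {
            "authenticationInfo": {"principalEmail": principal},
            "serviceName": service,
            "methodName": method,
        }
    }


# Constructed sample entries (not a real export): two log writes, one binary
# download, one compute call that the worker SA should never make, plus a
# human user and a worker SA from another project, both of which are ignored.
WORKER = "ez-cdc-wk-a1b2c3@my-project.iam.gserviceaccount.com"
SAMPLE_ENTRIES = [
    _entry(WORKER, "logging.googleapis.com", "google.logging.v2.LoggingServiceV2.WriteLogEntries"),
    _entry(WORKER, "logging.googleapis.com", "google.logging.v2.LoggingServiceV2.WriteLogEntries"),
    _entry(WORKER, "storage.googleapis.com", "storage.objects.get"),
    _entry(WORKER, "compute.googleapis.com", "v1.compute.instances.list"),
    _entry("alice@example.com", "logging.googleapis.com", "google.logging.v2.LoggingServiceV2.WriteLogEntries"),
    _entry("ez-cdc-wk-zz9@other-project.iam.gserviceaccount.com", "storage.googleapis.com", "storage.objects.get"),
]

if __name__ == "__main__":
    counts = summarize_worker_activity(SAMPLE_ENTRIES, "my-project")
    for (principal, service, method), n in sorted(counts.items()):
        print(f"{n:4}  {service:28} {method}")
    for principal, service, method in flag_unexpected(counts):
        print(f"UNEXPECTED: {principal} called {service} {method}")
```

A non-empty result from flag_unexpected does not by itself mean the call succeeded (the roles table gives the account no permission on other services), but it is the signal to check whether a binding outside the documented set has appeared.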
Next Steps
- Create Deployment - Launch your workers
- GCP Infrastructure - Learn about worker infrastructure