Google Cloud Project Ownership and Compliance
I've recently deployed terra.bio in my personal Google Cloud account to test it out. One thing I was surprised by is that the Google Cloud project created by Terra is not owned by me, and I don't have permission to even view the IAM settings for it:
Is there any way for me to create a Google Cloud project and corresponding workspace that I retain full administrative rights over? If I have a GCP organization, can I have Terra create its project within my organization? This is one way I, as a user, could retain admin privileges.
The existence of methods like this in the Terra source code:
makes me a little nervous. When and why is Terra creating service accounts? I might be misunderstanding, as this deployment model is totally new to me, but it seems like the third party (the Terra developers?) retains the ability to create service accounts and modify IAM permissions in the same project that I'm storing my sensitive data in. Generally, though, I'm having a hard time understanding how this is all supposed to work, and I couldn't find much in the way of documentation.
The model that I'm more used to and comfortable with would be: Terra defines what permissions it needs, I create an SA with those permissions and provide the credentials to Terra, and Terra then sets up its resources in the project. This way I retain total control, and at any time I can just revoke the SA and continue working in my account. In the Terra model, if I wanted to migrate away it seems like I would need to manually transfer all my data to another project that I own, then delete the workspace and associated project. The data bucket for Terra is created under the Terra project, so I don't see how I could migrate off of Terra in the future without that data bucket being deleted or me losing access to it.
Another issue is that on the project that terra creates, I do not have permission to view the audit logs:
Access to audit logs would at least show me what actions Terra is taking in my account with regard to modifying any IAM permissions or service accounts. I think it would be a very good idea to enable this so that users have a record of which entities have access to their data, and can generally double-check what is happening in the project which, after all, they are paying for.
In lieu of documentation, I've been trying to piece together exactly what is going on here by looking at the various repos that comprise the Terra project. If anyone else is curious, I believe this is the place in the codebase where the Google Cloud project Terra uses is created and modified: https://github.com/DataBiosphere/terra-resource-buffer/tree/17f08a85c249546732975a998f3c7d261fa13e02/src/main/java/bio/terra/buffer/service/resource/flight
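The audit-log review the post asks for (who changed IAM bindings or created service accounts in the project, and whether that principal belongs to you), as an added example that is not part of the original post or of the Terra code base. It assumes the JSON shape of Admin Activity audit log entries as returned by `gcloud logging read --format=json`; the log entries, project name and principal addresses below are constructed, not real data:

```python
"""Sift Cloud Audit Log entries for IAM and service-account changes.

Reads Admin Activity audit log entries (the shape `gcloud logging read
--format=json` emits), keeps only the calls that change who can reach the
project or add credentials to it, and flags those made by principals outside
a set of trusted domains. The entries in SAMPLE_ENTRIES are constructed.
"""
import json
import sys

# Method names that alter access to a project or mint new credentials in it.
# The IAM admin API uses the fully qualified names; Resource Manager and
# Cloud Storage use the short ones.
IAM_METHODS = {
    "SetIamPolicy",
    "google.iam.admin.v1.SetIAMPolicy",
    "google.iam.admin.v1.CreateServiceAccount",
    "google.iam.admin.v1.CreateServiceAccountKey",
    "storage.setIamPermissions",
}

# Constructed sample entries: an assumed platform automation account grants
# roles/editor to a new service account it created, creates a bucket, and a
# human user removes a viewer binding. Names are placeholders.
SAMPLE_ENTRIES = json.loads("""[
 {"timestamp": "2021-06-01T10:00:00Z",
  "protoPayload": {"methodName": "SetIamPolicy",
   "authenticationInfo": {"principalEmail": "automation@example-platform.iam.gserviceaccount.com"},
   "resourceName": "projects/example-project",
   "serviceData": {"policyDelta": {"bindingDeltas": [
     {"action": "ADD", "role": "roles/editor",
      "member": "serviceAccount:pet-1234@example-project.iam.gserviceaccount.com"}]}}}},
 {"timestamp": "2021-06-01T10:00:05Z",
  "protoPayload": {"methodName": "google.iam.admin.v1.CreateServiceAccount",
   "authenticationInfo": {"principalEmail": "automation@example-platform.iam.gserviceaccount.com"},
   "resourceName": "projects/example-project/serviceAccounts/pet-1234@example-project.iam.gserviceaccount.com"}},
 {"timestamp": "2021-06-01T10:01:00Z",
  "protoPayload": {"methodName": "storage.buckets.create",
   "authenticationInfo": {"principalEmail": "automation@example-platform.iam.gserviceaccount.com"},
   "resourceName": "projects/_/buckets/example-workspace-bucket"}},
 {"timestamp": "2021-06-02T09:00:00Z",
  "protoPayload": {"methodName": "SetIamPolicy",
   "authenticationInfo": {"principalEmail": "alice@example.com"},
   "resourceName": "projects/example-project",
   "serviceData": {"policyDelta": {"bindingDeltas": [
     {"action": "REMOVE", "role": "roles/viewer", "member": "user:bob@example.com"}]}}}}
]""")


def logging_filter():
    """Return a Logging query that pulls only the IAM-changing methods.

    Usable as: gcloud logging read "$(python3 audit.py --filter)" --format=json
    """
    methods = " OR ".join('"%s"' % m for m in sorted(IAM_METHODS))
    return ('logName:"cloudaudit.googleapis.com%2Factivity" AND '
            "protoPayload.methodName=(" + methods + ")")


def iam_changes(entries):
    """Reduce audit entries to a list of IAM/service-account changes."""
    changes = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        method = payload.get("methodName", "")
        if method not in IAM_METHODS:
            continue
        deltas = (payload.get("serviceData", {})
                  .get("policyDelta", {})
                  .get("bindingDeltas", []))
        changes.append({
            "time": entry.get("timestamp"),
            "principal": payload.get("authenticationInfo", {})
                                .get("principalEmail", "<unknown>"),
            "method": method,
            "resource": payload.get("resourceName"),
            "deltas": [(d["action"], d["role"], d["member"]) for d in deltas],
        })
    return changes


def changes_by_untrusted(changes, trusted_domains):
    """Keep changes whose principal's domain is not one you control.

    A service account's domain is <project>.iam.gserviceaccount.com, so
    accounts from another party's project never match your own domains.
    """
    return [c for c in changes
            if c["principal"].rsplit("@", 1)[-1] not in trusted_domains]


def report(changes):
    """Render changes as one line each for a quick read."""
    lines = []
    for c in changes:
        detail = "; ".join("%s %s %s" % d for d in c["deltas"]) or c["resource"]
        lines.append("%s %s %s: %s" % (c["time"], c["principal"], c["method"], detail))
    return lines


if __name__ == "__main__":
    if "--filter" in sys.argv:
        print(logging_filter())
    else:
        # Pipe real output of `gcloud logging read ... --format=json` on stdin,
        # or run with no input to see the constructed sample.
        entries = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_ENTRIES
        flagged = changes_by_untrusted(iam_changes(entries), {"example.com"})
        print("\n".join(report(flagged)))
```

Run against real data, the trusted-domain set should hold only the domains of identities you operate, so that any platform-side automation acting in the project shows up. Note that this only works once you have been granted `roles/logging.viewer` (or equivalent) on the project, which is exactly the access the post says is missing.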
Thanks for writing in! The Terra platform is designed to help automate some of the tasks of hosting and analyzing data in the cloud. In order to do this, the application does take full control of the Google projects that it creates for your workspaces. This allows you to control and manage access to the data from within the Terra UI and easily share that access with other Terra users across the system. Here is a link to our documentation that covers how sharing works from within our UI.
As for transporting data out of Terra, you're correct. Because the system has ownership of the bucket, you'd need to export your data out of the system if you wanted to remove it from Terra and retain a copy. You can read more about how Terra hosts your data here.
Please let me know if you have any questions.
Thanks for explaining, appreciate the quick response. I will say it is very quick and easy to get the platform up and running.
You're very welcome! I'm glad I could answer your questions.