google_notebooks_instance doesn't honor google_compute_instance_iam_member bindings for Notebook permissions

[cm-wayfair]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

Affected Resource(s)

• https://github.com/hashicorp/terraform-provider-google/releases/tag/v3.37.0

Terraform Configuration Files

resource "google_compute_instance_iam_member" "general-notebook-manager-dev" {
  provider = google-beta
  role          = "roles/notebooks.admin"
  instance_name = google_notebooks_instance.notebook-api-instance-b.name
  member        = "user:[email protected]"
  zone          = "us-central1-a"
}

resource "google_compute_instance_iam_member" "general-compute-manager-dev" {
  provider = google-beta
  role          = "roles/compute.admin"
  instance_name = google_notebooks_instance.notebook-api-instance-b.name
  member        = "user:[email protected]"
  zone          = "us-central1-a"
}

Debug Output

Panic Output

Expected Behavior

After applying the roles/notebooks.admin role at the instance level, I should be able to perform Notebook Admin permissions like notebooks.instances.stop.

However, applying roles/compute.admin to the Notebook instance at the instance level does allow me to perform compute.instances.stop, but only in a Compute Engine context.

The GCP documentation states that the Notebook roles/permissions can be applied at the Instance level.
https://cloud.google.com/iam/docs/understanding-roles#ai-notebooks-roles

This also affects any custom roles with notbook.* permissions.

Actual Behavior

notebooks-api-instance-b: Permission 'notebooks.instances.stop' denied on 'projects/wf-gcp-us-ae-general-dev/locations/us-central1-a/instances/notebooks-api-instance-b'

Steps to Reproduce

1. Create notebook instance with the above instance member bindings
2. Attempt to stop the Notebook on the Notebook Web Console (see error)
3. Attempt to stop the Notebook on the Compute Engine Web Console (it will succeed)

Important Factoids

References

https://cloud.google.com/iam/docs/understanding-roles#ai-notebooks-roles

• #0000

[edwardmedia]

@cm-wayfair when you say I should be able to perform Notebook Admin permission, I assume you were using the account [email protected]. Does this account have iam.serviceAccounts.actAs role?

The IAM policy appears to be created correctly via Terraform. To debug, you can create a custom role, add the notebooks.instances.stop to that role and bind that role to your account, then to see if that fix the problem. You can also using gcloud to do that same to verify where the problem is.

[cm-wayfair]

Ok, I will try gcloud. Our policy is actually to systematically use custom roles. We only use built-in roles in limited cases. So I have tested both custom and built-in via Web Console.

No, we don't generally apply iam.serviceAccounts.actAs in our custom roles. Only exception least privilege scenarios. In this case both testing with the custom role and built-in roles of compute.admin and notebooks.admin 'actAs' was not set.

[cm-wayfair]

Our custom role has notebook.instances.stop. Our custom role basically mirrors the built-in role with the exception of *.setIam

resource "google_organization_iam_custom_role" "tf-wf-ae-ent-notebook-manager" {
  role_id     = "tf_wf_ae_ent_notebook_manager"
  org_id      = "${data.google_organization.org.id}"
  title       = "AE notebook-manager manager entitlement"
  description = "Give administrative access to notebooks"
  permissions = [
    "compute.acceleratorTypes.list",
    "compute.diskTypes.list",
    "compute.machineTypes.list",
    "compute.subnetworks.list",
    "notebooks.environments.create",
    "notebooks.environments.delete",
    "notebooks.environments.get",
    "notebooks.environments.getIamPolicy",
    "notebooks.environments.list",
    "notebooks.instances.create",
    "notebooks.instances.delete",
    "notebooks.instances.get",
    "notebooks.instances.getIamPolicy",
    "notebooks.instances.list",
    "notebooks.instances.update",
    "notebooks.locations.get",
    "notebooks.locations.list",
    "notebooks.operations.cancel",
    "notebooks.operations.delete",
    "notebooks.operations.get",
    "notebooks.operations.list",
    "resourcemanager.projects.get",
    "resourcemanager.projects.list",
    "notebooks.instances.checkUpgradability",
    "notebooks.instances.reset",
    "notebooks.instances.setAccelerator",
    "notebooks.instances.setLabels",
    "notebooks.instances.setMachineType",
    "notebooks.instances.start",
    "notebooks.instances.stop",
    "notebooks.instances.upgrade",
  ]
}

[edwardmedia]

@cm-wayfair you have both roles bond to google_compute_instance but not to google_notebooks_instance. Unfortunately there is no google_notebooks_instance_iam_member available yet. That is the one you should use. You can file an enhancement for that so it will be triaged. I m closing this issue then. Feel free to reopen it if you see a need to continue the conversation. Thank you

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!