Identity & Access Management
Users
User provisioning is handled through Entra ID and Cloud Identity.
Service Accounts:
| Service Account Name | Purpose | Project |
|---|---|---|
| [email protected] | Service account for Terraform Cloud. Note: service accounts with the terraform-cloud suffix are created manually to authenticate GCP with Terraform Cloud; they are later imported into the same infra workspaces. | aa-cp-npr-01 |
| [email protected] | This service account has editor access to the project and can be attached to VMs. | aa-cp-npr-01 |
| aa-sa-npr-dp-terraform-cloud@aa-dp-npr-01.iam.gserviceaccount.com | Service account for Terraform Cloud. Note: service accounts with the terraform-cloud suffix are created manually to authenticate GCP with Terraform Cloud; they are later imported into the same infra workspaces. | aa-dp-npr-01 |
| [email protected] | This service account has the required compute permissions on the project and can be attached to VMs. | aa-dp-npr-01 |
| aa-sa-boot-terraform-cloud@aa-boot-infra-01.iam.gserviceaccount.com | Service account for Terraform Cloud. Note: service accounts with the terraform-cloud suffix are created manually to authenticate GCP with Terraform Cloud; they are later imported into the same infra workspaces. | aa-boot-infra-01 |
| [email protected] | Shared service account for Arthur CI/CD pipelines to publish images to GCP Artifact Registry. | aa-boot-infra-01 |
| [email protected] | This service account has editor access to the project and can be attached to VMs. | aa-boot-infra-01 |
Workload Identity Pools and Providers
The following pools and providers were created to avoid service account key usage and to enforce better security via Workload Identity Federation (WIF). Each provider's attribute condition restricts token exchange to jobs from a single GitLab project.
| Pool | Provider | Attribute Condition |
|---|---|---|
| arthur-ci-pool | arthur-auth-gitlab-provider | attribute.project_path == 'ArthurAI/arthur-auth' |
| arthur-ci-pool | arthur-scope-gitlab-provider | attribute.project_path == 'ArthurAI/arthur-scope' |
| arthur-ci-pool | unify-frontend-gitlab-provider | attribute.project_path == 'ArthurAI/unify-frontend' |
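The pool, the three providers and the impersonation binding from the table, written out as Terraform. This is an added example, not the project's own infra code: it assumes the pool lives in aa-boot-infra-01, that the GitLab instance is gitlab.com, and it uses a placeholder for the shared CI service account email.

```hcl
locals {
  project = "aa-boot-infra-01" # assumption: the pool lives in the bootstrap project
  # provider id => the one GitLab project allowed to use it (the three table rows)
  gitlab_providers = {
    "arthur-auth-gitlab-provider"    = "ArthurAI/arthur-auth"
    "arthur-scope-gitlab-provider"   = "ArthurAI/arthur-scope"
    "unify-frontend-gitlab-provider" = "ArthurAI/unify-frontend"
  }
}

resource "google_iam_workload_identity_pool" "arthur_ci" {
  project                   = local.project
  workload_identity_pool_id = "arthur-ci-pool"
  display_name              = "Arthur CI pool"
}

resource "google_iam_workload_identity_pool_provider" "gitlab" {
  for_each = local.gitlab_providers

  project                            = local.project
  workload_identity_pool_id          = google_iam_workload_identity_pool.arthur_ci.workload_identity_pool_id
  workload_identity_pool_provider_id = each.key

  # Copy the GitLab ID-token claims onto pool attributes; google.subject is mandatory.
  attribute_mapping = {
    "google.subject"         = "assertion.sub"
    "attribute.project_path" = "assertion.project_path"
    "attribute.ref"          = "assertion.ref"
  }

  # Reject every token except those minted for this one GitLab project.
  attribute_condition = "attribute.project_path == '${each.value}'"

  oidc {
    issuer_uri        = "https://gitlab.com"   # assumption: gitlab.com, not a self-hosted instance
    allowed_audiences = ["https://gitlab.com"] # must equal the `aud` the job requests in id_tokens
  }
}

# Only pool identities carrying the matching project_path may impersonate the shared
# CI service account (the email is a placeholder for the one listed in the table above).
resource "google_service_account_iam_member" "ci_wif_user" {
  for_each = local.gitlab_providers

  service_account_id = "projects/${local.project}/serviceAccounts/CI_SA_EMAIL_PLACEHOLDER"
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.arthur_ci.name}/attribute.project_path/${each.value}"
}
```

Without the per-provider `attribute_condition`, any job on gitlab.com whose token passes the audience check could exchange it for pool credentials, so the condition and the `principalSet` binding together are what scope access to the listed projects.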