Background
Existing documentation for GCP does not clearly define the minimum set of storage permissions necessary to successfully run Nextflow (with neither GCSFuse nor Fusion).
Google Batch
Current as of April 21/26, https://docs.seqera.io/platform-cloud/compute-envs/google-cloud-batch#cloud-storage-bucket has the following text regarding permissions provisioning for the Service Account that Nextflow uses in GCP Batch:
If your Google Cloud project does not require access restrictions on any of its Cloud Storage buckets, you can grant project Storage Admin (roles/storage.admin) permissions to your service account to simplify setup. To grant access only to specific buckets, add the service account as a principal on each bucket individually. See Cloud Storage bucket below.
The advised role is overly permissive, and the text does not identify the minimum required permission set.
GKE
Current as of April 21/26, the Fusion v2 section of the GKE page (https://docs.seqera.io/platform-cloud/compute-envs/gke#fusion-v2) specifies three permissions:
- storage.objects.create
- storage.objects.get
- storage.objects.list
This list is incomplete: it omits storage.buckets.get and storage.objects.delete (TBD which buckets each applies to), and it does not cover additional considerations for how Fusion interacts with the buckets.
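Taken together, the five permissions identified so far could be bundled into a custom role. The sketch below assumes these five are in fact the complete minimum set (still TBD per the note above); the role title and description are hypothetical:

```yaml
# role.yaml - candidate minimal custom role for Fusion on GCS (sketch)
title: "Nextflow Fusion Storage (minimal)"
description: "Candidate minimum storage permissions for Fusion-enabled runs"
stage: "GA"
includedPermissions:
- storage.buckets.get
- storage.objects.create
- storage.objects.delete
- storage.objects.get
- storage.objects.list
```

This could then be created with `gcloud iam roles create nextflowFusionStorage --project=PROJECT_ID --file=role.yaml` and granted on the relevant buckets instead of a predefined role.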
Google Cloud (single-VM)
Google Cloud (single VM) documentation does not mention that Platform uses its GCP credentials to create an additional GCP Service Account, which is attached to the single VM instance. The Platform-created Service Account is granted the following roles:
# Project Level
# --------------------------------------
* roles/logging.logWriter
* roles/monitoring.metricWriter
* roles/storage.bucketViewer
* roles/storage.objectViewer
# Bucket Level (work-dir bucket)
# --------------------------------------
* roles/storage.objectAdmin
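The bucket-level grant above corresponds to an IAM policy binding on the work-dir bucket along these lines (a sketch; the service-account name is hypothetical):

```json
{
  "bindings": [
    {
      "role": "roles/storage.objectAdmin",
      "members": [
        "serviceAccount:platform-created-sa@PROJECT_ID.iam.gserviceaccount.com"
      ]
    }
  ]
}
```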
Reported Gap
A security-conscious customer attempted to minimize the permissions granted by limiting Fusion's Service Account to roles/storage.objectAdmin. Their Fusion-enabled runs failed because the Service Account lacked the IAM permission storage.buckets.get:
```
"error_code":"Forbidden","provider_http_status":403
"seqera-batch-dev@... does not have storage.buckets.get access to the Google Cloud Storage bucket"
"message":"Fusion authenticated successfully but lacks permission to access this resource."
```
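The failure mode is easy to reproduce logically: roles/storage.objectAdmin grants the storage.objects.* permissions but not storage.buckets.get. The sketch below assumes the five-permission minimum set discussed in this report; in practice the granted set would come from the GCS testIamPermissions API (e.g. `Bucket.test_iam_permissions` in google-cloud-storage) rather than being hard-coded:

```python
# Candidate minimum permission set for Fusion on GCS, per this report.
REQUIRED = {
    "storage.buckets.get",
    "storage.objects.create",
    "storage.objects.delete",
    "storage.objects.get",
    "storage.objects.list",
}

def missing_permissions(granted):
    """Return the required permissions absent from the granted iterable."""
    return sorted(REQUIRED - set(granted))

# Approximates the customer's setup: roles/storage.objectAdmin grants the
# storage.objects.* permissions but not storage.buckets.get.
object_admin_grants = {
    "storage.objects.create",
    "storage.objects.delete",
    "storage.objects.get",
    "storage.objects.list",
}
print(missing_permissions(object_admin_grants))  # ['storage.buckets.get']
```

This matches the 403 above: Fusion authenticates, then fails on the bucket-metadata call that needs storage.buckets.get.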
Proposed Remediation
Update the GCP docs to separate necessary Fusion permissions from necessary non-Fusion permissions.