Fencing/STONITH IAM configuration on Google Cloud Platform (GCP)

UPDATE 2024-01-28: The fence_gce agent now additionally requires the compute.zoneOperations.list permission in the list.instances IAM role. I have updated the code to reflect this change.

Having spent the better part of a day figuring this out, I thought it might be nice to save others some time.

My specific need was to configure STONITH for a Pacemaker cluster deployed on Google Cloud Platform, using fence_gce.

By far the trickiest part was figuring out Google’s extremely robust permissions system to meet this case in the most secure manner. The goal: to allow each node in a two-node cluster to fence the other node (by reset or poweroff), while restricting each node to only be able to fence its peer, and nothing else.

Below I’ll post some psuedo-code that should give you an idea about how to execute this for your particular needs. I deployed this solution using Terraform, but the concepts should be easily adaptable to other use cases.

In a nutshell:

Create two custom IAM Roles (I called them fencing and list.instances):
- fencing: permissions to reset or stop a server and get access to its state
- list.instances: Permissions to list the available instances in a project (this was a small security sacrific, I’d prefer that a node can’t see other nodes this way, but the fencing agent seems to require it, and as of this writing, there’s no clean way on GCP to restrict the nodes listed via the API)
For each instance in a cluster, create a Service Account, and configure the instance run as that service account, granting all the default scopes and the ‘compute-rw’ scope’
At the project level, add an IAM policy binding that binds all the instance service accounts to the list.instances role.
At the instance level, add an IAM policy binding that binds the fencing role to the instance service account for the instance that will fence the instance in question. For example, if you have data1 and data2 instances Then for the data1 instance you’ll bind data2’s service account to the fencing role, and vice-versa. This allows each node to fence its peer, but to have no other permissions for fencing, not even for itself.

Psuedo-code:

########################################### # IAM ROLES ########################################### resource "google_project_iam_custom_role" "fencing" { role_id = "fencing" title = "Fencing" permissions = [ # Allows instance status to be queried. "compute.instances.get", # HARD reset: immediate reset, not an orderly shutdown. "compute.instances.reset", # SOFT poweroff: Orderly shutdown at the OS level, with a 3 minute timeout # until a hard poweroff. "compute.instances.stop", # NOTE: As of this writing, GCP has no HARD poweroff API call. ] } resource "google_project_iam_custom_role" "list-instances" { role_id = "list.instances" title = "List instances" permissions = [ # All of these permissions are necessary for listing servers on a project. "compute.instances.list", "compute.zones.list", "compute.zoneOperations.get", "compute.zoneOperations.list", ] } ########################################### # IAM SERVICE ACCOUNTS ########################################### resource "google_service_account" "data1" { account_id = "data1" display_name = "data1" } resource "google_service_account" "data2" { account_id = "data2" display_name = "data2" } ########################################### # ATTACHING SERVICE ACCOUNT TO INSTANCE ########################################### resource "google_compute_instance" "data" { name = var.hostname # Other stuff... service_account { # Serivce account for this instance. email = "${var.hostname}@${var.project}.iam.gserviceaccount.com" scopes = [ # Custom service accounts don't include the default permissions unless # they are explicitly granted. # TODO: Get rid of these when # https://github.com/terraform-providers/terraform-provider-google/issues/1943 # is fixed. "https://www.googleapis.com/auth/devstorage.read_only", "https://www.googleapis.com/auth/logging.write", "https://www.googleapis.com/auth/monitoring.write", "https://www.googleapis.com/auth/pubsub", "https://www.googleapis.com/auth/service.management.readonly", "https://www.googleapis.com/auth/servicecontrol", "https://www.googleapis.com/auth/trace.append", #"default", "compute-rw", ] } } ########################################### # IAM INSTANCE-LEVEL BINDINGS ########################################### locals { # NOTE: This expects no more than two data servers per region. fencing_peer = var.hostname == "data1" ? "data2" : "data1" } resource "google_compute_instance_iam_binding" "fencing" { zone = var.zone instance_name = google_compute_instance.data.name role = "projects/${var.project}/roles/fencing" members = [ # Access to this instance's peer to allow fencing this instance. "serviceAccount:${local.fencing_peer}@${var.project}.iam.gserviceaccount.com", ] } ########################################### # IAM PROJECT-LEVEL BINDINGS ########################################### resource "google_project_iam_member" "list-instances" { project = var.project role = "projects/${var.project}/roles/list.instances" # Access for this instance to list other instances. member = "serviceAccount:${var.hostname}@${var.project}.iam.gserviceaccount.com" } # Not strictly necessary, but adding a custom service account to the # instance removes this, and it's nice to have. resource "google_project_iam_member" "log-writer" { project = var.project role = "roles/logging.logWriter" member = "serviceAccount:${var.hostname}@${var.project}.iam.gserviceaccount.com" }