Breakglass

We follow the Principle of Least Privilege whereby SREs don’t have default read/write access to Cells infrastructure in GCP. This helps limit blast radius in case of security incidents or misconfigurations of running scripts locally to production. We use Privileged Access Manager (PAM) to provide short lived access to GCP via the console or gcloud.

Topology Service Access

Read Only: Get read only access like reading logs.
Terminal window
```
gcloud beta pam grants create \
    --entitlement="readonly-entitlement-gitlab-runway-topo-svc-stg" \
    --requested-duration="1800s" \
    --justification="$ENTER_YOUR_JUSTIFICATION" \
    --location=global \
    --project="gitlab-runway-topo-svc-stg"
```
NOTE: For production use --entitlement="readonly-entitlement-gitlab-runway-topo-svc-prod" and --project="gitlab-runway-topo-svc-prod"

For example, after running this command will be given the requested access to the Topology Service project in the UI.
- staging project GCP page.
- production project GCP page.

Read/Write: Get read/write access requiring approval

gcloud beta pam grants create \
    --entitlement="readwrite-entitlement-gitlab-runway-topo-svc-stg" \
    --requested-duration="1800s" \
    --justification="$ENTER_YOUR_JUSTIFICATION" \
    --location=global \
    --project="gitlab-runway-topo-svc-stg"

NOTE: For production use --entitlement="readwrite-entitlement-gitlab-runway-topo-svc-prod" and --project="gitlab-runway-topo-svc-prod"

Breakglass: Only used by the On-Call Engineer when they need write access with no approval to fix a high severity incident

gcloud beta pam grants create \
    --entitlement="breakglass-entitlement-gitlab-runway-topo-svc-stg" \
    --requested-duration="1800s" \
    --justification="$ENTER_YOUR_JUSTIFICATION" \
    --location=global \
    --project="gitlab-runway-topo-svc-stg"

NOTE: For production use --entitlement="breakglass-entitlement-gitlab-runway-topo-svc-prod" and --project="gitlab-runway-topo-svc-prod"