[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Vagrant box CI/CD

On Mon, May 14, 2018 at 09:00:05PM +0200, Emmanuel Kasper wrote:
> @list: Do we have some official account for GCE like we have for Amazon
> ?

We don't need the same kind of single official account as Amazon has,
because GCP works on the notion of projects which is not tied to a
single set of credentials. Access and permissions can be managed based
on Google accounts for individual users and based on a couple different
models for groups of users.

Right now there exists a Google-paid "debian-cloud-experiments" project
with a small quota, meant for Debian project contributors to try
experiments related to supporting Debian in GCE, such as building cloud
images. Our Google contacts have historically been willing to manually
manage access for people doing this work, though see below about a
better long-term solution for later in 2018 or 2019.

The Debian images which Google currently builds and publishes are in a
Google-paid "debian-cloud" project, which Google's tooling makes easy
for users to find. Once Debian is building its own GCE images, I expect
Google will be willing to work with us to publish them in a visible way,
at least on par with other images built by prominent community distros,
maybe more than that if they end up meeting enough GCE product needs.

I defer to Zach for any corrections or additions, since I haven't worked
at Google since 2015.

Work is underway such that, some time later this year or next, Debian
itself will be able to provision Google accounts for our GCP work
through the Google Cloud Identity system and to take ownership of its
GCP projects as an organization. SPI is assisting DSA and the cloud team
with this due to its eligibility for G Suite for Nonprofits, which in
turn allows Debian to use Cloud Identity with debian.org. DSA will start
out with a manual process but may automate it later.

To be clear: none of this requires Debian to migrate its primary
accounts system to Google and no such migation is planned. Current
thinking is that we won't be enabling the broader G Suite feature set for
debian.org Google accounts either, since that's proprietary SaaS. Cloud
Identity is just identity-as-a-service.

Cloud Identity can tie in nicely to whatever permissions management and
auditing is desired for the various Debian-linked GCP projects and
resources. It would also help with billing of paid GCP usage and/or
tracking of sponsored GCP credit.

- Jimmy Kaplowitz

Reply to: