GCP Group | Security Labels
Caleb Whitaker
We would like the ability to apply security labels to groups as they are created. This comes as a requirement from our Identity/Security teams.
Marius Kießling
Hey Jelle den Burger, we have the same issue at the moment. The 'security' label on a GCI group indicates to Google that the group is used for access control. Quoting from the Google Admin Console:
> For controlling access to sensitive data and resources. You can't remove this label.
This is e.g. required if you want to add a group as a member to another group. The membership operation will fail if the member group isn't labelled with the 'security' label.
Additionally, meshcloud groups are used to control access to GCP resources. It would therefore be in line with the spirit of GCI security groups.
We would appreciate if meshcloud labelled all GCI groups that it manages as 'security' groups.
Jelle den Burger
Marius Kießling: Hey Marius, thanks for reaching out! I had a deeper look into Google, and it seems you can programmatically set this flag using the very long cloudidentity.googleapis.com/groups.security label. This should then be possible with a cloud function on the landing zone.
It's still a cool idea that meshStack does it itself but I'll be frank with you that this is currently not planned for the roadmap so I wanted to suggest you this workaround.
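As an added illustration of the workaround discussed in this thread (not code from meshcloud or from any participant), the following Python snippet sets the cloudidentity.googleapis.com/groups.security label on a Cloud Identity group through the public Cloud Identity v1 REST API. It assumes an OAuth2 access token with the cloud-identity.groups scope is available; the function names (build_security_patch, ensure_security_group, lookup_group_name) and the sample group name are my own. Because the security label cannot be removed once applied, the code checks the group's current labels first and only patches when the label is missing, and it carries the existing labels over because the API replaces the whole labels map on update and requires the discussion_forum label alongside the security label.

```python
"""Mark a Google Cloud Identity group as a security group by adding the
cloudidentity.googleapis.com/groups.security label via the Cloud Identity
v1 REST API. Assumes an OAuth2 access token with the
https://www.googleapis.com/auth/cloud-identity.groups scope (assumption:
obtained elsewhere, e.g. from the Cloud Function's service account)."""
import json
import urllib.parse
import urllib.request
from typing import Optional

API = "https://cloudidentity.googleapis.com/v1"
SECURITY_LABEL = "cloudidentity.googleapis.com/groups.security"
FORUM_LABEL = "cloudidentity.googleapis.com/groups.discussion_forum"


def build_security_patch(group_name: str, current_labels: dict) -> Optional[dict]:
    """Return the PATCH request that adds the security label, or None when the
    group already carries it. The security label is only accepted together with
    the discussion_forum label, and an update replaces the whole labels map, so
    existing labels are preserved. group_name is the resource name groups/{id}."""
    if SECURITY_LABEL in current_labels:
        # Already a security group; the label cannot be removed anyway.
        return None
    labels = dict(current_labels)
    labels.setdefault(FORUM_LABEL, "")  # required companion label
    labels[SECURITY_LABEL] = ""  # value is always the empty string
    return {
        "method": "PATCH",
        "url": f"{API}/{group_name}?updateMask=labels",
        "body": {"labels": labels},
    }


def _call(method: str, url: str, token: str, body: Optional[dict] = None) -> dict:
    """Minimal authenticated JSON call to the Cloud Identity API."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def lookup_group_name(group_email: str, token: str) -> str:
    """Resolve a group email address to its resource name (groups/{id})."""
    qs = urllib.parse.urlencode({"groupKey.id": group_email})
    return _call("GET", f"{API}/groups:lookup?{qs}", token)["name"]


def ensure_security_group(group_email: str, token: str) -> str:
    """Idempotently mark the group as a security group.
    Returns 'already-security' or 'patched'."""
    name = lookup_group_name(group_email, token)
    group = _call("GET", f"{API}/{name}", token)
    patch = build_security_patch(name, group.get("labels", {}))
    if patch is None:
        return "already-security"
    _call(patch["method"], patch["url"], token, patch["body"])
    return "patched"
```

ensure_security_group is the call you would drop into the tenant replication Cloud Function after the group is created; build_security_patch can be exercised offline to confirm the request shape before granting the function a real token.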
Marius Kießling
Jelle den Burger Hey, thanks for the response and openness regarding the roadmap. We also set this label on other groups that we programmatically provision through non-meshcloud processes.
I was hoping that meshcloud could automatically set the label for all groups it manages but I can understand that this currently isn't planned. We will then implement this in the tenant replication Cloud Function call for now.
Jelle den Burger
Hey Caleb, thank you for your feature request. We would love to add this into the product for you and your team.
What is your current pain & workaround for groups not being able to be marked as Security Groups?