OSDOCS-17793#Reducing permissions for GCP #104792

lpettyjo · 2026-01-14T20:21:07Z

Version(s): 4.21+

Issue: https://issues.redhat.com/browse/OSDOCS-17793

Link to docs preview:
Storage content: https://104792--ocpdocs-pr.netlify.app/openshift-enterprise/latest/storage/container_storage_interface/persistent-storage-csi-gcp-pd.html#persistent-storage-csi-gcp-pd-reduce-permissions_persistent-storage-csi-gcp-pd
Link from Install: https://104792--ocpdocs-pr.netlify.app/openshift-enterprise/latest/installing/installing_gcp/installing-gcp-account.html#installation-gcp-service-account_installing-gcp-account

QE review:

QE has approved this change.

Additional information:

PTAL: @dobsonj @chao007 @gcharot @bscott-rh

installing/installing_gcp/installing-gcp-account.adoc

ocpdocs-previewbot · 2026-01-14T20:32:55Z

🤖 Fri Jan 16 19:27:00 - Prow CI generated the docs preview:

https://104792--ocpdocs-pr.netlify.app/openshift-dedicated/latest/storage/container_storage_interface/persistent-storage-csi-gcp-pd.html
https://104792--ocpdocs-pr.netlify.app/openshift-enterprise/latest/installing/installing_gcp/installing-gcp-account.html
https://104792--ocpdocs-pr.netlify.app/openshift-enterprise/latest/installing/installing_gcp/installing-gcp-user-infra.html
https://104792--ocpdocs-pr.netlify.app/openshift-enterprise/latest/installing/installing_gcp/installing-gcp-user-infra-vpc.html
https://104792--ocpdocs-pr.netlify.app/openshift-enterprise/latest/installing/installing_gcp/installing-restricted-networks-gcp.html
https://104792--ocpdocs-pr.netlify.app/openshift-enterprise/latest/storage/container_storage_interface/persistent-storage-csi-gcp-pd.html

installing/installing_gcp/installing-gcp-account.adoc

modules/persistent-storage-csi-gcp-pd-reduce-permissions.adoc

storage/container_storage_interface/persistent-storage-csi-gcp-pd.adoc

modules/installation-gcp-service-account.adoc

modules/persistent-storage-csi-gcp-pd-reduce-permissions.adoc

bscott-rh · 2026-01-15T20:16:30Z

Install change LGTM. Thanks for handling this Lisa 🙇

chao007 · 2026-01-16T02:53:19Z

modules/persistent-storage-csi-gcp-pd-reduce-permissions.adoc

+CMD="gcloud iam service-accounts add-iam-policy-binding \"${MASTER_NODE_SA}\" --project=\"${GOOGLE_PROJECT_ID}\" --member=\"serviceAccount:${SERVICE_ACCOUNT_EMAIL}\" --role=\"${SA_USER_ROLE}\" --condition=None"
+run_command "${CMD}"
+CMD="gcloud iam service-accounts add-iam-policy-binding \"${WORKER_NODE_SA}\" --project=\"${GOOGLE_PROJECT_ID}\" --member=\"serviceAccount:${SERVICE_ACCOUNT_EMAIL}\" --role=\"${SA_USER_ROLE}\" --condition=None"
+run_command "${CMD}"


We did not introduce run_command func in this doc, can we use it directly?

I do not know. I got infor for this procedure from this script provided by @bscott-rh.

In turn, I found this script via @dobsonj 's comment on the storage epic: https://issues.redhat.com/browse/STOR-2531

openshift-ci · 2026-01-16T19:28:06Z

@lpettyjo: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

lpettyjo added the branch/enterprise-4.21 label Jan 14, 2026

lpettyjo added this to the Planned for 4.21 GA milestone Jan 14, 2026

openshift-ci bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Jan 14, 2026

bscott-rh reviewed Jan 14, 2026

View reviewed changes

installing/installing_gcp/installing-gcp-account.adoc Outdated Show resolved Hide resolved