Epic Goal

• Remove the requirement for a separate Service Account and minimize permissions required during the Bootstrap process in GCP.

Background

The GCP bootstrap process creates a service account with the role roles/storage.admin . The role is required so that the service account can create a bucket to hold the bootstrap ignition file contents. As a security request from a customer, the service account created during this process can be removed. These details mean that the not only will the service account, private key, and role not be created, but the bucket containing the bootstrap ignition file contents will not be created in terraform.

Why is this important?

• Reduce number of permissions required to complete bootstrapping process.
• Reduce unnecessary resources 

Acceptance Criteria

• CI - MUST be running successfully with tests automated
• Release Technical Enablement - Provide necessary release enablement details and documents.
• No additional service accounts should be created to complete an installation

Open questions::

Done Checklist

• CI - CI is running, tests are automated and merged.
• Release Enablement <link to Feature Enablement Presentation>
• DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
• DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
• DEV - Downstream build attached to advisory: <link to errata>
• QE - Test plans in Polarion: <link or reference to Polarion>
• QE - Automated tests merged: <link or reference to automated tests>
• DOC - Downstream documentation merged: <link to meaningful PR>