Make suffix optional to SA #41
Comments
I'm hesitant to remove all randomness (int suffix) since a GCP IAM policy doesn't actually check that the accounts under its bindings exist, so you could run into unexpected permissions resulting from name collision if Vault fails before revoking old permissions. It's not foolproof but it is a small safety measure. Would it make sense for us to instead add a preferred "name" or "name-prefix" field that you can specify for the roleset?
We have a similar problem: When you change a roleset it generates a new service account, which makes it a PITA to apply any role bindings to the service account outside of Vault. Option A: Option B: Option C:
I think having both option A (bring your own SA) and option C (remove suffix) as an optional boolean in the roleset (default false) would be ideal.
@emilymye do you have a preference for one or more implementation options above? If you'd accept both option A and option C, then would you prefer that option A (preferred name prefix) is implemented first?
We are creating the GCP service account & SA keys dynamically. But we are looking for an option where we can make the prefix (vault) & suffix (intSuffix) optional while creating the SA, which currently doesn't exist.
Would be great if we can have one boolean to enable and disable SA prefix & suffix.