# SAD
## Overview
Inno Auth Internal is a serverless auth service that provides both authentication and authorization for the Data Platform.
## SAD - System architecture design
### Techstack

[+] Programming language: Python, Bash
[+] Deployment of the auth service:
    - Serverless: Cloud Run
    - CI/CD: Cloud Build, GitHub Actions
    - Secrets: Secret Manager
    - Development: docker, docker-compose
### Logical View

The logical view of the auth service: a client request to a cloud service is redirected to Auth Internal, which authenticates and authorizes the caller before the request reaches the service.

```mermaid
flowchart TB
    %% Components
    subgraph client[Internal Client]
        direction LR
        subgraph onprem[On-premises Server]
            client_outside[Outside Cloud Client]
        end
        subgraph gcp1[Google Cloud Platform]
            client_inside[Cloud Client]
        end
    end
    subgraph gcp[Google Cloud Platform]
        subgraph auth[Auth Internal]
            auth_service[Auth Service]
        end
        subgraph service[Cloud Services]
            database[Database]
            dot[...]
            compute_engine[Compute Engine]
        end
    end
    %% Flow
    client -- request --> service -- redirect --> auth -- authentication and authorization --> service
```
### Physical View

The following are the deployed cloud services that make up the auth service.

```mermaid
flowchart LR
    %% Services in the cloud platform
    subgraph gcp[Google Cloud Platform]
        cbuild[Cloud Build]
        lb[Load Balancing]
        iap[Cloud IAP]
        secret[Cloud Secret Manager]
        logging[Cloud Logging]
        iam[Cloud IAM]
        artifact[Cloud Artifact]
        subgraph auth[Auth Service]
            run[Cloud Run]
        end
        subgraph keycloak[Keycloak Mother Plane]
            keycloak_service[Keycloak]
        end
        run <-- interactive --> keycloak
    end
    subgraph gh[GitHub]
        repository[Repository]
    end
    %% Flow
    lb -- navigate --> iap -- handle authentication --> run
    gh <-- sync/trigger --> cbuild -- deploy --> run
    secret <-. mount .-> run
    iam -- control access --> cbuild
    cbuild -- store images --> artifact
    run -- yield logs --> logging
```
### Deployment

There are 3 deployment environments: development, staging, production.
## Security

### Service Accounts Permission

The build and deployment of inno-auth-internal are performed by the following service accounts:

sa-mars: project builder

- Service account: sa-mars@$PROJECT_ID.iam.gserviceaccount.com
- Alias: sa-mars

| Role | Service | Purpose |
|---|---|---|
| roles/cloudbuild.builds.builder | Cloud Build | Cloud Build builder |
| roles/cloudbuild.workerPoolUser | Cloud Build | Use the private worker pool of Cloud Build |
| roles/iam.serviceAccountUser | IAM | Impersonate a service account on a targeted service |
| roles/iam.serviceAccountTokenCreator | IAM | Impersonate a service account |
| roles/secretmanager.secretAccessor | Secret Manager | Access secrets |
| roles/compute.instanceAdmin.v1 | Compute Engine | Deploy to Compute Engine |
| roles/errorreporting.writer | Cloud Error Reporting | Create entries in Cloud Error Reporting |
| roles/monitoring.metricWriter | Cloud Monitoring | Write monitoring data to a metrics scope |
| roles/logging.logWriter | Cloud Logging | Write log entries |

sa-timbersaw: runner of Cloud Run

- Service account: sa-timbersaw@$PROJECT_ID.iam.gserviceaccount.com
- Alias: sa-timbersaw

| Role | Service | Purpose |
|---|---|---|
| roles/secretmanager.secretAccessor | Secret Manager | Access the payload of secrets |
| roles/serviceusage.serviceUsageConsumer | Service Usage | Inspect service states and operations |
| roles/serviceusage.serviceUsageViewer | Service Usage | Inspect service states and operations |
| roles/run.invoker | Cloud Run | Invoke the Cloud Run service |
| roles/errorreporting.writer | Cloud Error Reporting | Create entries in Cloud Error Reporting |
| roles/monitoring.metricWriter | Cloud Monitoring | Write monitoring data to a metrics scope |
| roles/logging.logWriter | Cloud Logging | Write log entries |
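The two tables above are the least-privilege baseline for sa-mars and sa-timbersaw, and the physical view relies on Cloud IAP (not a public invoker binding) to front the Cloud Run service. The script below is an added example, not part of the inno-auth-internal code base: it reads a project IAM policy in the JSON shape `gcloud projects get-iam-policy` emits and reports roles granted beyond the documented set, documented roles that are missing, and any public principal bound to `roles/run.invoker`. `PROJECT_ID` and the sample policy are constructed for illustration; the sample deliberately contains three findings so the checks have something to report.

```python
"""Least-privilege audit of the documented service accounts.

Added example, not project code.  The policy JSON below is CONSTRUCTED to
mirror `gcloud projects get-iam-policy PROJECT_ID --format=json`; replace it
with a real dump to audit an actual project.
"""
import json

PROJECT_ID = "example-project"  # placeholder, not a real project id
SA_MARS = f"serviceAccount:sa-mars@{PROJECT_ID}.iam.gserviceaccount.com"
SA_TIMBERSAW = f"serviceAccount:sa-timbersaw@{PROJECT_ID}.iam.gserviceaccount.com"

# Roles documented for each service account in the tables above.
DOCUMENTED_ROLES = {
    SA_MARS: {
        "roles/cloudbuild.builds.builder", "roles/cloudbuild.workerPoolUser",
        "roles/iam.serviceAccountUser", "roles/iam.serviceAccountTokenCreator",
        "roles/secretmanager.secretAccessor", "roles/compute.instanceAdmin.v1",
        "roles/errorreporting.writer", "roles/monitoring.metricWriter",
        "roles/logging.logWriter",
    },
    SA_TIMBERSAW: {
        "roles/secretmanager.secretAccessor",
        "roles/serviceusage.serviceUsageConsumer",
        "roles/serviceusage.serviceUsageViewer", "roles/run.invoker",
        "roles/errorreporting.writer", "roles/monitoring.metricWriter",
        "roles/logging.logWriter",
    },
}

# Constructed sample policy (not captured from a real project).  Drifts:
#   - sa-timbersaw has picked up roles/owner
#   - sa-mars is missing roles/logging.logWriter
#   - roles/run.invoker is granted to allUsers, which would let callers
#     bypass the Cloud IAP hop shown in the physical view
SAMPLE_POLICY_JSON = json.dumps({
    "version": 1,
    "etag": "BwConstructedEtag=",
    "bindings": [
        {"role": "roles/cloudbuild.builds.builder", "members": [SA_MARS]},
        {"role": "roles/cloudbuild.workerPoolUser", "members": [SA_MARS]},
        {"role": "roles/iam.serviceAccountUser", "members": [SA_MARS]},
        {"role": "roles/iam.serviceAccountTokenCreator", "members": [SA_MARS]},
        {"role": "roles/compute.instanceAdmin.v1", "members": [SA_MARS]},
        {"role": "roles/secretmanager.secretAccessor", "members": [SA_MARS, SA_TIMBERSAW]},
        {"role": "roles/errorreporting.writer", "members": [SA_MARS, SA_TIMBERSAW]},
        {"role": "roles/monitoring.metricWriter", "members": [SA_MARS, SA_TIMBERSAW]},
        {"role": "roles/logging.logWriter", "members": [SA_TIMBERSAW]},
        {"role": "roles/serviceusage.serviceUsageConsumer", "members": [SA_TIMBERSAW]},
        {"role": "roles/serviceusage.serviceUsageViewer", "members": [SA_TIMBERSAW]},
        {"role": "roles/run.invoker", "members": [SA_TIMBERSAW, "allUsers"]},
        {"role": "roles/owner", "members": [SA_TIMBERSAW]},
    ],
})

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def load_sample_policy():
    """Parse the constructed policy exactly as a gcloud JSON dump would be parsed."""
    return json.loads(SAMPLE_POLICY_JSON)


def roles_by_member(policy):
    """Invert the binding list into {member: set(roles)}."""
    index = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            index.setdefault(member, set()).add(binding["role"])
    return index


def audit_documented_accounts(policy, documented=DOCUMENTED_ROLES):
    """Return {member: {"unexpected": [...], "missing": [...]}} per documented account.

    Unexpected roles are the privilege-creep risk; missing ones explain failed builds.
    """
    granted = roles_by_member(policy)
    report = {}
    for member, expected in documented.items():
        actual = granted.get(member, set())
        report[member] = {
            "unexpected": sorted(actual - expected),
            "missing": sorted(expected - actual),
        }
    return report


def public_invokers(policy):
    """Public principals bound to roles/run.invoker; expected empty when IAP fronts the service."""
    found = set()
    for binding in policy.get("bindings", []):
        if binding["role"] == "roles/run.invoker":
            found.update(set(binding.get("members", [])) & PUBLIC_PRINCIPALS)
    return sorted(found)


if __name__ == "__main__":
    policy = load_sample_policy()
    for member, diff in audit_documented_accounts(policy).items():
        print(member, json.dumps(diff))
    print("public run.invoker principals:", public_invokers(policy))
```

Run it on a real dump by replacing `SAMPLE_POLICY_JSON` with the file contents; a non-empty `unexpected` list or a non-empty `public_invokers` result is the condition worth alerting on in the CI/CD pipeline before the next deploy.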
## Appendix

### Appendix A: Record of Changes

Table: Record of changes

| Version | Date | Author | Description of Change |
|---|---|---|---|
| 0.1.0 | 06/04/2024 | Bao Truong | Initial documentation |
| 0.2.8 | 06/14/2024 | Bao Truong | Updated the SAD and service account permissions |