# IAM & Service Accounts

GCP identity and access management configuration across all Sartiq projects.
## GCP Projects

| Project | Purpose |
|---|---|
| sartiq-ops | Shared infrastructure: Terraform state bucket |
| sartiq-dev | Development environment (currently deployed into the sartiq-staging project, which also hosts the dev service accounts) |
| sartiq-staging | Staging environment |
| sartiq-prod | Production environment |
| labs-442110 | Vertex AI / AI Platform (shared across all environments) |
## Service Accounts

Each environment has two service accounts, one per VM (backend and compute). Both follow the same role pattern.
### Backend VM

Account ID: `{environment}-backend@{project}.iam.gserviceaccount.com`

| Role | Project | Purpose |
|---|---|---|
| roles/aiplatform.user | labs-442110 | Vertex AI model access |
| roles/logging.logWriter | Environment project | Cloud Logging |
| roles/monitoring.metricWriter | Environment project | Cloud Monitoring |
### Compute VM

Account ID: `{environment}-compute@{project}.iam.gserviceaccount.com`

| Role | Project | Purpose |
|---|---|---|
| roles/aiplatform.user | labs-442110 | Vertex AI model access |
| roles/logging.logWriter | Environment project | Cloud Logging |
| roles/monitoring.metricWriter | Environment project | Cloud Monitoring |

Both VMs are created with the `cloud-platform` OAuth access scope. That scope does not narrow what the attached service account can do, so the IAM roles above are the only effective limit on what a process running on the VM can reach. The two accounts currently carry identical roles: the split gives each VM its own identity (separate audit-log principal, independent future role changes) rather than a permission boundary between the two VMs.
## Terraform Service Account

Account: `terraform@sartiq-ops.iam.gserviceaccount.com`

| Role | Project | Purpose |
|---|---|---|
| Storage Admin (roles/storage.admin) | sartiq-ops | Terraform state bucket management |
| Compute Admin (roles/compute.admin) | sartiq-staging | VM and network management |
| Service Account User (roles/iam.serviceAccountUser) | sartiq-staging | Attach service accounts to VMs |
| Compute Admin (roles/compute.admin) | sartiq-prod | VM and network management |
| Service Account User (roles/iam.serviceAccountUser) | sartiq-prod | Attach service accounts to VMs |

No user-managed key is created for this account: engineers authenticate locally with `gcloud auth`, and CI/CD uses Workload Identity Federation. Note that Compute Admin combined with Service Account User on a project lets this account start a VM running as any service account in that project and read that account's token from the metadata server, so whoever can act as terraform@ effectively holds the environment service accounts' permissions as well. Keep that set of people and workloads small and review its audit logs.
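The role pattern above (and the cross-project aiplatform.user bindings on labs-442110) is easy to drift from when someone grants a role in the console. The following is an added example, not part of Sartiq's Terraform or tooling, of a drift check that compares project IAM policies against that pattern and confirms terraform@ has no user-managed keys. It assumes the JSON shapes returned by `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud iam service-accounts keys list --iam-account=SA --format=json`; the policy, key ids and the `user:someone@example.com` member below are constructed sample data.

```python
"""Audit project IAM policies against the service-account role pattern above.

Added example, not part of Sartiq's Terraform. Policy documents have the shape
`gcloud projects get-iam-policy PROJECT --format=json` returns; key listings the
shape of `gcloud iam service-accounts keys list --iam-account=SA --format=json`.
All sample data below is constructed.
"""

# Where each environment's VM service accounts live (dev is deployed into sartiq-staging).
ENV_PROJECT = {"dev": "sartiq-staging", "staging": "sartiq-staging", "production": "sartiq-prod"}
VERTEX_PROJECT = "labs-442110"
TERRAFORM_SA = "serviceAccount:terraform@sartiq-ops.iam.gserviceaccount.com"
PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def expected_bindings():
    """Return {project: {member: set(roles)}} for the VM and Terraform service accounts."""
    expected = {}
    for env, project in ENV_PROJECT.items():
        for vm in ("backend", "compute"):
            member = f"serviceAccount:{env}-{vm}@{project}.iam.gserviceaccount.com"
            expected.setdefault(project, {})[member] = {
                "roles/logging.logWriter", "roles/monitoring.metricWriter"}
            expected.setdefault(VERTEX_PROJECT, {})[member] = {"roles/aiplatform.user"}
    expected.setdefault("sartiq-ops", {})[TERRAFORM_SA] = {"roles/storage.admin"}
    for project in ("sartiq-staging", "sartiq-prod"):
        expected[project][TERRAFORM_SA] = {"roles/compute.admin", "roles/iam.serviceAccountUser"}
    return expected


def member_roles(policy):
    """Flatten a get-iam-policy document into {member: set(roles)}."""
    out = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out.setdefault(member, set()).add(binding["role"])
    return out


def audit_project(project, policy, expected=None):
    """Return findings (strings) for one project; an empty list means no drift."""
    expected = expected if expected is not None else expected_bindings()
    want = expected.get(project, {})
    have = member_roles(policy)
    findings = []
    for member, roles in want.items():
        actual = have.get(member, set())
        findings += [f"{project}: {member} missing {r}" for r in sorted(roles - actual)]
        findings += [f"{project}: {member} has unexpected {r}" for r in sorted(actual - roles)]
    # Members the pattern does not model are tolerated unless they hold a primitive role.
    for member, roles in have.items():
        if member not in want:
            findings += [f"{project}: {member} holds primitive {r}" for r in sorted(roles & PRIMITIVE_ROLES)]
    return findings


def user_managed_keys(key_listing):
    """Return ids of user-managed keys; for terraform@ this list must be empty."""
    return [k["name"].rsplit("/", 1)[-1] for k in key_listing if k.get("keyType") == "USER_MANAGED"]


# Constructed sample: staging-compute drifted (metricWriter removed, roles/editor added by hand)
# and a human user was granted roles/editor outside Terraform.
_SA = "serviceAccount:{}@sartiq-staging.iam.gserviceaccount.com"
SAMPLE_STAGING_POLICY = {
    "bindings": [
        {"role": "roles/logging.logWriter",
         "members": [_SA.format(n) for n in ("staging-backend", "staging-compute", "dev-backend", "dev-compute")]},
        {"role": "roles/monitoring.metricWriter",
         "members": [_SA.format(n) for n in ("staging-backend", "dev-backend", "dev-compute")]},
        {"role": "roles/editor", "members": [_SA.format("staging-compute"), "user:someone@example.com"]},
        {"role": "roles/compute.admin", "members": [TERRAFORM_SA]},
        {"role": "roles/iam.serviceAccountUser", "members": [TERRAFORM_SA]},
    ],
}
# Constructed sample key listing: Google-managed keys always appear; the user-managed one is the problem.
SAMPLE_TERRAFORM_KEYS = [
    {"name": "projects/sartiq-ops/serviceAccounts/terraform@sartiq-ops.iam.gserviceaccount.com/keys/aaaa0001",
     "keyType": "SYSTEM_MANAGED"},
    {"name": "projects/sartiq-ops/serviceAccounts/terraform@sartiq-ops.iam.gserviceaccount.com/keys/bbbb0002",
     "keyType": "USER_MANAGED"},
]

if __name__ == "__main__":
    for finding in audit_project("sartiq-staging", SAMPLE_STAGING_POLICY):
        print(finding)
    print("user-managed keys on terraform@:", user_managed_keys(SAMPLE_TERRAFORM_KEYS))
```

Run it against real output by loading the `gcloud ... --format=json` results with `json.load` and passing them to `audit_project` for each of sartiq-ops, sartiq-staging, sartiq-prod and labs-442110; a non-empty result on labs-442110 is the quickest way to notice an environment service account that gained more than roles/aiplatform.user there.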
## Enabled GCP APIs

The following APIs are enabled in each environment project via Terraform:

| API | Purpose |
|---|---|
| compute.googleapis.com | Compute Engine (VMs, disks, networking) |
| iam.googleapis.com | IAM (service accounts, role bindings) |
| aiplatform.googleapis.com | Vertex AI |
| logging.googleapis.com | Cloud Logging |
| monitoring.googleapis.com | Cloud Monitoring |
## Cross-Project Access

```mermaid
flowchart LR
subgraph sartiq-prod
ProdBE[production-backend SA]
ProdCS[production-compute SA]
end
subgraph sartiq-staging
StagBE[staging-backend SA]
StagCS[staging-compute SA]
DevBE[dev-backend SA]
DevCS[dev-compute SA]
end
subgraph labs-442110
VertexAI[Vertex AI]
end
ProdBE -- aiplatform.user --> VertexAI
ProdCS -- aiplatform.user --> VertexAI
StagBE -- aiplatform.user --> VertexAI
StagCS -- aiplatform.user --> VertexAI
DevBE -- aiplatform.user --> VertexAI
DevCS -- aiplatform.user --> VertexAI
```

All six environment service accounts hold roles/aiplatform.user on labs-442110, so every environment calls Vertex AI models in the same project. Two consequences follow. There is no environment boundary inside Vertex AI: a token obtained on a dev or staging VM reaches the same models, endpoints and jobs as production. And roles/aiplatform.user grants broad Vertex AI permissions (creating, running and deleting jobs, endpoints and datasets), not only model invocation, so a compromised VM in any environment can affect shared Vertex AI resources.
## SSH Access

SSH keys are managed through VM instance metadata in Terraform, not OS Login. All environments share the same key set. Because the keys live in metadata rather than IAM, removing a user's Google identity does not revoke their SSH access: the key has to be removed from Terraform and applied, and anyone who can set instance metadata (for example a holder of Compute Admin) can add a key outside Terraform. A compromised private key from the shared set opens every VM in every environment.

Authorized users:

| User | Key Type |
|---|---|
| cicd | ed25519 |
| gabriele_schincaglia | ed25519 |
| emanuele_giordano | ed25519 |
| felipe_cardoso | ed25519, ecdsa-nistp521 |
| luca_pasini | ed25519, ecdsa-nistp521 |

Keys are defined in each environment's terragrunt.hcl inputs and applied to all VMs in that environment.
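Because metadata keys can be edited outside Terraform, the deployed `ssh-keys` value is worth comparing against the authorised list above. The following is an added example, not Sartiq's own code, that parses a metadata value (one `USERNAME:KEYTYPE BASE64BLOB [COMMENT]` entry per line, the format Compute Engine uses), flags unlisted users, unexpected or unaccepted key types and entries whose declared type does not match the type encoded inside the key blob, and reports authorised users who would be locked out because no entry exists for them. The sample metadata, the `contractor` user and the key blobs are constructed (zeroed key material, structurally valid only); the OpenSSH type string for the table's "ecdsa-nistp521" is `ecdsa-sha2-nistp521`.

```python
"""Check an `ssh-keys` instance-metadata value against the authorised user list above.

Added example, not Sartiq's own tooling. Compute Engine stores metadata SSH keys
as one `USERNAME:KEYTYPE BASE64BLOB [COMMENT]` entry per line. The sample
metadata below is constructed from structurally valid but meaningless key blobs.
"""
import base64
import struct

# Authorised list from the table above; "ecdsa-nistp521" is ecdsa-sha2-nistp521 in OpenSSH terms.
AUTHORIZED = {
    "cicd": {"ssh-ed25519"},
    "gabriele_schincaglia": {"ssh-ed25519"},
    "emanuele_giordano": {"ssh-ed25519"},
    "felipe_cardoso": {"ssh-ed25519", "ecdsa-sha2-nistp521"},
    "luca_pasini": {"ssh-ed25519", "ecdsa-sha2-nistp521"},
}
ACCEPTED_TYPES = {"ssh-ed25519", "ecdsa-sha2-nistp521"}


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 `string`: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def blob_type(b64blob: str):
    """Return the key type encoded inside the wire blob, or None if it does not parse.

    The first field of every OpenSSH public-key blob is its type string, so a
    mismatch with the declared type means the entry was hand-edited or corrupted.
    """
    try:
        raw = base64.b64decode(b64blob, validate=True)
        (length,) = struct.unpack(">I", raw[:4])
        name = raw[4:4 + length]
        return name.decode("ascii") if len(name) == length else None
    except (ValueError, struct.error):  # bad base64, short blob, non-ASCII type
        return None


def audit_ssh_keys(metadata_value: str):
    """Return findings (strings) for one `ssh-keys` metadata value; empty means clean."""
    findings, seen_users = [], set()
    for lineno, line in enumerate(metadata_value.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        user, sep, key = line.partition(":")
        parts = key.split()
        if not sep or len(parts) < 2:
            findings.append(f"line {lineno}: not in USERNAME:KEYTYPE BLOB form")
            continue
        declared, blob = parts[0], parts[1]
        seen_users.add(user)
        if user not in AUTHORIZED:
            findings.append(f"line {lineno}: user {user!r} is not authorised")
        elif declared not in AUTHORIZED[user]:
            findings.append(f"line {lineno}: {user} has a {declared} key, expected {sorted(AUTHORIZED[user])}")
        if declared not in ACCEPTED_TYPES:
            findings.append(f"line {lineno}: key type {declared} is not accepted")
        if blob_type(blob) != declared:
            findings.append(f"line {lineno}: declared type {declared} but blob encodes {blob_type(blob)}")
    # An authorised user with no entry at all would be locked out after apply.
    findings += [f"{user} has no key in metadata" for user in AUTHORIZED if user not in seen_users]
    return findings


def _fake_blob(key_type: str) -> str:
    """Build a structurally valid public-key blob with zeroed key material (sample data only)."""
    if key_type == "ssh-ed25519":
        raw = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))
    elif key_type == "ecdsa-sha2-nistp521":
        raw = _ssh_string(b"ecdsa-sha2-nistp521") + _ssh_string(b"nistp521") + _ssh_string(b"\x04" + bytes(132))
    else:  # ssh-rsa: exponent then modulus
        raw = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(bytes(256))
    return base64.b64encode(raw).decode("ascii")


# Constructed sample: the authorised set, then two drift cases.
SAMPLE_METADATA = "\n".join([
    f"cicd:ssh-ed25519 {_fake_blob('ssh-ed25519')} cicd",
    f"gabriele_schincaglia:ssh-ed25519 {_fake_blob('ssh-ed25519')} gabriele",
    f"emanuele_giordano:ssh-ed25519 {_fake_blob('ssh-ed25519')} emanuele",
    f"felipe_cardoso:ssh-ed25519 {_fake_blob('ssh-ed25519')} felipe",
    f"felipe_cardoso:ecdsa-sha2-nistp521 {_fake_blob('ecdsa-sha2-nistp521')} felipe",
    f"luca_pasini:ssh-ed25519 {_fake_blob('ssh-ed25519')} luca",
    f"contractor:ssh-rsa {_fake_blob('ssh-rsa')} added-by-hand",          # not in Terraform
    f"luca_pasini:ssh-ed25519 {_fake_blob('ecdsa-sha2-nistp521')} luca",  # declared type lies
])

if __name__ == "__main__":
    for finding in audit_ssh_keys(SAMPLE_METADATA):
        print(finding)
```

To run it against a live VM, pass the value of the `ssh-keys` metadata key (for example from `gcloud compute instances describe NAME --format=json`, under `metadata.items`) to `audit_ssh_keys`; any finding means the instance no longer matches the Terraform inputs.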
## Related Documentation

- Infrastructure Overview: cloud providers and architecture
- Networking: VPCs, firewall rules, DNS
- Server Fleet: per-machine details and SSH access