Glean on-call executing debug operations

⁠

Screen Shot 2023-03-20 at 3.12.25 PM.png

⁠

Request temporary permissions (limited to an hour by default), with required justification, from the Glean security team to invoke the operation

If your request is approved, then the debug operations store in scio-apps will be updated to grant you temporary permission to invoke the specific debug operation

Check to see if you have access to the

Vault⁠

where the key is store

Authenticate using Google auth (via

GCP IAP⁠

) to scio-apps

The scio-apps debug operation client is checking the permission store to verify that you have non-expired permissiosn to invoke the debug operation

if permissions check out, the debug operation client makes a signed API call over https to the debug operation server that runs in the customer’s GCP project.

The API call is signed using a private key that’s stored in the

GCP KMS⁠

in scio-apps. Using GCP roles for KMS, the key is then restricted so that only the scio-apps service account has the ability to sign using the private key, and the customer GCP’s service account has the ability to verify the signature of the API call

Call the debug operation API with the query you want

NOTE: If you don’t have access check to see if they have their

permissions⁠

set up correctly

Want to print your doc?
This is not the way.

Try clicking the ⋯ next to your doc name or using a keyboard shortcut (

CtrlP

) instead.