Glean Collaboration Exercise

icon picker
Glean on-call executing debug operations


Screen Shot 2023-03-20 at 3.12.25 PM.png
Request temporary permissions (limited to an hour by default), with required justification, from the Glean security team to invoke the operation
If your request is approved, then the debug operations store in scio-apps will be updated to grant you temporary permission to invoke the specific debug operation
Check to see if you have access to the where the key is store
Authenticate using Google auth (via ) to scio-apps
The scio-apps debug operation client is checking the permission store to verify that you have non-expired permissiosn to invoke the debug operation
if permissions check out, the debug operation client makes a signed API call over https to the debug operation server that runs in the customer’s GCP project.
The API call is signed using a private key that’s stored in the in scio-apps. Using GCP roles for KMS, the key is then restricted so that only the scio-apps service account has the ability to sign using the private key, and the customer GCP’s service account has the ability to verify the signature of the API call
Call the debug operation API with the query you want

NOTE: If you don’t have access check to see if they have their set up correctly


Want to print your doc?
This is not the way.
Try clicking the ⋯ next to your doc name or using a keyboard shortcut (
CtrlP
) instead.