openshift-docs/modules/wif-removing-stale-deployer-permissions.adoc

// Module included in the following assemblies:
//
// * osd_gcp_clusters/osd-creating-a-cluster-on-gcp-with-workload-identity-federation.adoc

:_mod-docs-content-type: PROCEDURE

[id="wif-removing-stale-deployer-permissions_{context}"]
= Removing stale deployer permissions from service accounts managed by a WIF configuration

[role="_abstract"]
To remove the stale deployer permissions from service accounts managed by a WIF configuration, run the following commands on a terminal with access to the {gcp-full} project hosting the service accounts.

.Procedure

. Retrieve the existing role definition, ensuring the `PROJECT_ID` environment variable points to your {gcp-full} project:
+
[source,terminal]
----
$ gcloud iam roles describe \
  osd_deployer_v4.18 \
  --project $PROJECT_ID \
  --format=yaml > /tmp/role.yaml
----
+
. Remove the unwanted permissions. You can do this by filtering out the unwanted permissions from the role definition file and saving the updated definition to a new file:
+
[source,terminal]
----
$ cat /tmp/role.yaml | \
grep -v "resourcemanager.projects.setIamPolicy" | \
grep -v "iam.serviceAccounts.signBlob" | \
grep -v "iam.serviceAccounts.actAs" > /tmp/updated_role.yaml
----
+
. Review the changes in the output between the original and updated role definitions to ensure only the unwanted permissions have been removed:
+
[source,terminal]
----
$ diff /tmp/role.yaml /tmp/updated_role.yaml
----
+
. Update the role in {gcp-full} with the updated role definition file, ensuring the `PROJECT_ID` environment variable points to your {gcp-full} project:
+
[source,terminal]
----
$ gcloud iam roles update \
  osd_deployer_v4.18 \
  --project=$PROJECT_ID \
  --file=/tmp/updated_role.yaml
----