blob: 210c740ef8483917e317d618bcc2f8936157f7d4 [file] [log] [blame]
#/bin/bash
# Creates the service account used by Gold running in K8s and export a key for
# it into the kubernetes cluster as a secret.
set -e -x
source ../kube/corp-config.sh
source ../bash/ramdisk.sh
# New service account we will create.
SA_NAME="skia-gold"
SA_EMAIL="${SA_NAME}@${PROJECT_SUBDOMAIN}.iam.gserviceaccount.com"
# Not only do we need to give permission to this gold service account to access
# pubsub, we need to grant access to
# service-[PROJECT_NUMBER]@gs-project-accounts.iam.gserviceaccount.com
# https://cloud.google.com/storage/docs/projects#service-accounts
# This service account has been created for us by Cloud Storage and
# will be used when interacting with GCS bucket pubsub events.
# By default, this service account lacks the permissions to interact with
# PubSub, leading to errors like:
# The service account 'service-[PROJECT_NUMBER]@gs-project-accounts.iam.gserviceaccount.com'
# does not have permission to publish messages to to the Cloud Pub/Sub topic
# '//pubsub.googleapis.com/projects/[PROJECT_ID]/topics/gold-flutter-eventbus',
# or that topic does not exist.\"
PROJECT_NUMBER=`gcloud projects describe ${PROJECT_ID} --format 'value(projectNumber)'`
GS_SA_EMAIL="service-${PROJECT_NUMBER}@gs-project-accounts.iam.gserviceaccount.com"
cd /tmp/ramdisk
gcloud --project=${PROJECT_ID} iam service-accounts create "${SA_NAME}" \
--display-name="Service account for Skia Gold in skia-corp"
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member serviceAccount:${SA_EMAIL} --role roles/bigtable.user
# datastore and firestore share the same roles
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member serviceAccount:${SA_EMAIL} --role roles/datastore.user
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member serviceAccount:${SA_EMAIL} --role roles/pubsub.admin
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member serviceAccount:${SA_EMAIL} --role roles/storage.admin
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member serviceAccount:${GS_SA_EMAIL} --role roles/pubsub.editor
gcloud projects add-iam-policy-binding --project ${PROJECT} \
--member serviceAccount:${SA_EMAIL} --role roles/cloudtrace.agent
gcloud beta iam service-accounts keys create ${SA_NAME}.json \
--iam-account="${SA_EMAIL}"
set +e
kubectl delete secret "${SA_NAME}"
set -e
kubectl create secret generic "${SA_NAME}" --from-file=service-account.json=${SA_NAME}.json
cd -