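#!/usr/bin/env bash
# Creates the GCP service account for switch-pod and grants it the IAM
# bindings it needs:
#   - Workload Identity: the k8s service account default/${SA_NAME} may
#     impersonate the GCP service account.
#   - roles/datastore.user on the project, for FireStore access.
#
# Required variables: PROJECT_ID, PROJECT_SUBDOMAIN, SA_NAME
# (presumably provided by the sourced file below; verify against it).
set -e -x
# NOTE(review): "../kube/" is a directory, so this path looks truncated — confirm
# the intended file. It is also resolved relative to the caller's cwd, not this script.
source ../kube/
# New service account we will create.
# Fail fast before any cloud resource is created if an input is missing or empty.
: "${PROJECT_ID:?PROJECT_ID must be set}"
: "${PROJECT_SUBDOMAIN:?PROJECT_SUBDOMAIN must be set}"
: "${SA_NAME:?SA_NAME must be set}"
# Full service account identifier, in the same form the project binding below uses.
sa_email="${SA_NAME}@${PROJECT_SUBDOMAIN}"
# Create service account
gcloud iam service-accounts create "${SA_NAME}" --display-name="switch-pod service account"
# Allow k8s service account to impersonate the GCP service account.
# The service account receiving the binding is a required positional argument.
# Do not end this command with a trailing backslash before a comment line: the
# continuation would splice the comment onto the command and truncate it.
gcloud iam service-accounts add-iam-policy-binding "${sa_email}" \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:${PROJECT_SUBDOMAIN}[default/${SA_NAME}]"
# Allow access to FireStore, which uses the datastore.user role.
gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
  --member "serviceAccount:${sa_email}" \
  --role roles/datastore.user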