copy_service_account_key
Copy the service account key to the chrome-bot home directory.
Does this safely by extracting the files from berglas to temp files, copying them over, and then deleting the temp files.
Loads the common key.json file from berglas and copies them over to the target machine. See //kube/secrets for more details on berglas and Skia secrets.
The key is stored as a kubernetes secret in berglas secrets for the cluster etc and the secret name is passed in via the copy_service_account_key_name variable.
You can see all secrets for the etc cluster by running:
$ ../../kube/secrets/list-secrets-by-cluster.sh etc
skolo-service-accounts
skolo-bot-service-account
skia-rpi-adb-key
authorized_keys
ansible-secret-vars
The file is copied into $HOME/.config/gcloud/application_default_credentials.json so that client libraries can find and use this by default.
This role uses the skolo_account variable defined in hosts.ini.
The copy_service_account_key__name is the name of the berglas secret that contains the service account key to use.
The secrets.yml is only put in a temp file long enough to be copied to the target machine, then the temp file is removed by the clean_up_tempfile handler.
- hosts: rpis
roles:
- copy_service_account_key