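set -e
set -o pipefail

# Add a service account to berglas.
#
# Usage: $0 <project id> <cluster-name> <service-account-name> <description> [<roles>*]
#
# Creates the service account in the given project, grants it each of the
# listed roles, generates a key for it and pipes that key (never written to
# disk here) into the sibling helper script that stores it as a kubernetes
# secret in the given cluster. The stdin stream of that helper is the key
# material; all of the helper's output is redirected to stderr.
#
# The script echos the full service account email to stdout; nothing else is
# written to stdout, so callers may capture it with $(...).
#
# NOTE: `set -x` traces every command line (project, role names, email) to
# stderr. The key itself travels only through the pipe, never as an argv
# value, so it does not appear in the trace.
set -x

if [ $# -le 3 ]; then
  # Usage goes to stderr so a caller capturing stdout does not receive it as an email.
  echo "$0 <project id> <cluster-name> <service-account-name> <description> [<roles>*]" >&2
  exit 1
fi

PROJECT="$1"; shift
CLUSTER="$1"; shift
SECRET_NAME="$1"; shift
DESCRIPTION="$1"; shift

# Create the service account.
gcloud iam service-accounts create "${SECRET_NAME}" \
  --project="${PROJECT}" \
  --display-name="${DESCRIPTION}"

# Convert PROJECT to PROJECT_SUBDOMAIN: a "domain:project" id becomes
# "project.domain"; an id without a colon is left unchanged.
PROJECT_SUBDOMAIN=$(printf '%s\n' "${PROJECT}" | sed 's#^\(.*\):\(.*\)$#\2.\1#g')

# Full email of the new service account, used for the IAM bindings and the key.
# NOTE(review): this assignment was missing from the extracted page (EMAIL was
# referenced below but never set, which would have produced an empty
# "serviceAccount:" member). Reconstructed from the standard GCP service
# account email form — confirm against the original script.
EMAIL="${SECRET_NAME}@${PROJECT_SUBDOMAIN}.iam.gserviceaccount.com"

# Add the roles to service account. Each remaining positional argument is one role.
for role in "$@"; do
  gcloud projects add-iam-policy-binding "${PROJECT}" \
    --member "serviceAccount:${EMAIL}" \
    --role "${role}"
done

REL=$(dirname "$0")
# NOTE(review): the name of the file sourced here was lost in extraction;
# sourcing the bare directory will fail. Restore the file name from the
# original script.
source "${REL}/"

# Create a key for the service account and pipe it straight into the helper
# script that stores it as a kubernetes secret in ${CLUSTER}. The helper's
# stdout is sent to stderr so only the email below reaches this script's
# stdout. `pipefail` makes a failure in either stage abort the script.
# NOTE(review): the helper script's name was also lost in extraction.
gcloud beta iam service-accounts keys create /dev/stdout --iam-account="${EMAIL}" \
  | "${REL}/" "${CLUSTER}" "${SECRET_NAME}" 1>&2

echo "${EMAIL}"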