golden/create-gold-corp-sa.sh - buildbot - Git at Google

 #/bin/bash

 # Creates the service account used by Gold running in K8s and export a key for
 # it into the kubernetes cluster as a secret.

 set -e -x
 source ../kube/corp-config.sh
 source ../bash/ramdisk.sh

 # New service account we will create.
 SA_NAME="skia-gold"
 SA_EMAIL="${SA_NAME}@${PROJECT_SUBDOMAIN}.iam.gserviceaccount.com"

 # Not only do we need to give permission to this gold service account to access
 # pubsub, we need to grant access to
 # service-[PROJECT_NUMBER]@gs-project-accounts.iam.gserviceaccount.com
 # https://cloud.google.com/storage/docs/projects#service-accounts
 # This service account has been created for us by Cloud Storage and
 # will be used when interacting with GCS bucket pubsub events.
 # By default, this service account lacks the permissions to interact with
 # PubSub, leading to errors like:
 # The service account 'service-[PROJECT_NUMBER]@gs-project-accounts.iam.gserviceaccount.com'
 # does not have permission to publish messages to to the Cloud Pub/Sub topic
 # '//pubsub.googleapis.com/projects/[PROJECT_ID]/topics/gold-flutter-eventbus',
 # or that topic does not exist.\"
 PROJECT_NUMBER=`gcloud projects describe ${PROJECT_ID} --format 'value(projectNumber)'`
 GS_SA_EMAIL="service-${PROJECT_NUMBER}@gs-project-accounts.iam.gserviceaccount.com"

 cd /tmp/ramdisk

 gcloud --project=${PROJECT_ID} iam service-accounts create "${SA_NAME}" \
     --display-name="Service account for Skia Gold in skia-corp"

 gcloud projects add-iam-policy-binding ${PROJECT_ID} \
     --member serviceAccount:${SA_EMAIL} --role roles/bigtable.user

 # datastore and firestore share the same roles
 gcloud projects add-iam-policy-binding ${PROJECT_ID} \
     --member serviceAccount:${SA_EMAIL} --role roles/datastore.user

 gcloud projects add-iam-policy-binding ${PROJECT_ID} \
     --member serviceAccount:${SA_EMAIL} --role roles/pubsub.admin

 gcloud projects add-iam-policy-binding ${PROJECT_ID} \
     --member serviceAccount:${SA_EMAIL} --role roles/storage.admin

 gcloud projects add-iam-policy-binding ${PROJECT_ID} \
     --member serviceAccount:${GS_SA_EMAIL} --role roles/pubsub.editor

 gcloud projects add-iam-policy-binding --project ${PROJECT} \
   --member serviceAccount:${SA_EMAIL} --role roles/cloudtrace.agent

 gcloud beta iam service-accounts keys create ${SA_NAME}.json \
     --iam-account="${SA_EMAIL}"

 set +e
 kubectl delete secret "${SA_NAME}"
 set -e

 kubectl create secret generic "${SA_NAME}" --from-file=service-account.json=${SA_NAME}.json

 cd -
	#/bin/bash

	# Creates the service account used by Gold running in K8s and export a key for
	# it into the kubernetes cluster as a secret.

	set -e -x
	source ../kube/corp-config.sh
	source ../bash/ramdisk.sh

	# New service account we will create.
	SA_NAME="skia-gold"
	SA_EMAIL="${SA_NAME}@${PROJECT_SUBDOMAIN}.iam.gserviceaccount.com"

	# Not only do we need to give permission to this gold service account to access
	# pubsub, we need to grant access to
	# service-[PROJECT_NUMBER]@gs-project-accounts.iam.gserviceaccount.com
	# https://cloud.google.com/storage/docs/projects#service-accounts
	# This service account has been created for us by Cloud Storage and
	# will be used when interacting with GCS bucket pubsub events.
	# By default, this service account lacks the permissions to interact with
	# PubSub, leading to errors like:
	# The service account 'service-[PROJECT_NUMBER]@gs-project-accounts.iam.gserviceaccount.com'
	# does not have permission to publish messages to to the Cloud Pub/Sub topic
	# '//pubsub.googleapis.com/projects/[PROJECT_ID]/topics/gold-flutter-eventbus',
	# or that topic does not exist.\"
	PROJECT_NUMBER=`gcloud projects describe ${PROJECT_ID} --format 'value(projectNumber)'`
	GS_SA_EMAIL="service-${PROJECT_NUMBER}@gs-project-accounts.iam.gserviceaccount.com"

	cd /tmp/ramdisk

	gcloud --project=${PROJECT_ID} iam service-accounts create "${SA_NAME}" \
	--display-name="Service account for Skia Gold in skia-corp"

	gcloud projects add-iam-policy-binding ${PROJECT_ID} \
	--member serviceAccount:${SA_EMAIL} --role roles/bigtable.user

	# datastore and firestore share the same roles
	gcloud projects add-iam-policy-binding ${PROJECT_ID} \
	--member serviceAccount:${SA_EMAIL} --role roles/datastore.user

	gcloud projects add-iam-policy-binding ${PROJECT_ID} \
	--member serviceAccount:${SA_EMAIL} --role roles/pubsub.admin

	gcloud projects add-iam-policy-binding ${PROJECT_ID} \
	--member serviceAccount:${SA_EMAIL} --role roles/storage.admin

	gcloud projects add-iam-policy-binding ${PROJECT_ID} \
	--member serviceAccount:${GS_SA_EMAIL} --role roles/pubsub.editor

	gcloud projects add-iam-policy-binding --project ${PROJECT} \
	--member serviceAccount:${SA_EMAIL} --role roles/cloudtrace.agent

	gcloud beta iam service-accounts keys create ${SA_NAME}.json \
	--iam-account="${SA_EMAIL}"

	set +e
	kubectl delete secret "${SA_NAME}"
	set -e

	kubectl create secret generic "${SA_NAME}" --from-file=service-account.json=${SA_NAME}.json

	cd -