blob: bf01a41d9ccf3de3f8974ee9999a2521000889f1 [file] [log] [blame]
set -e -x
source ../kube/
# New service account we will create.
# Create service account.
gcloud --project=${PROJECT_ID} iam service-accounts create "${SA_NAME}" \
--display-name="Service account for in skia-public"
# Allow the new service account to impersonate the Google Cloud service account. See
gcloud iam service-accounts add-iam-policy-binding \
--role roles/iam.workloadIdentityUser \
--member "[default/skia-codesize]" \
# Grant full control over the contents of the skia-codesize GCS bucket.
gsutil iam ch "serviceAccount:${SA_EMAIL}:objectAdmin" gs://skia-codesize
# Necessary in order create PubSub subscriptions to the skia-codesize-files topic. GCS will notify
# us of changes to the gs://skia-codesize bucket via this topic.
# Unlike most other apps in our repo, replicas do not share a set of pre-existing subscriptions.
# Instead, Each replica creates its own unique subscription (using its hostname as a suffix for the
# subscription name) in order to prevent PubSub from load-balancing messages across replicas. This
# guarantees that all replicas will be notified when a new file is uploaded to the GCS bucket. The
# pubsub.editor role is thus needed because less permissive roles such as pubsub.subscriber or
# pubsub.viewer do not allow creating new subscriptions.
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member serviceAccount:${SA_EMAIL} --role roles/pubsub.editor