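# Creates the service account used by Gold running in K8s and export a key for
# it into the kubernetes cluster as a secret.
#
# Inputs (expected to be provided by the sourced config below):
#   PROJECT_ID   - GCP project that hosts Gold; every grant below targets it.
#   SA_NAME      - short name of the service account to create.
#   SA_EMAIL     - full e-mail address of that service account.
#   GS_SA_EMAIL  - e-mail of the Cloud Storage service agent
#                  (service-[PROJECT_NUMBER]@...); see the note further down.
#   PROJECT      - optional; project for the cloudtrace grant, defaults to
#                  PROJECT_ID.
#
# NOTE(review): -x echoes every command to stderr, including any key-export
# step that follows this block; do not run with stderr redirected into a
# shared or persisted log.
set -e -x
# NOTE(review): this path looks truncated (sourcing a directory fails) --
# confirm the intended config file.
source ../kube/

# Fail early with a clear message if the config did not provide the values the
# gcloud calls below depend on; an empty value would otherwise surface as an
# opaque gcloud error part-way through the grants, leaving a half-configured
# project behind.
: "${PROJECT_ID:?PROJECT_ID must be set}"
: "${SA_NAME:?SA_NAME must be set}"
: "${SA_EMAIL:?SA_EMAIL must be set}"

# The Cloud Storage service agent, service-[PROJECT_NUMBER]@..., is created by
# Cloud Storage and is the identity used when GCS bucket events are delivered
# to Pub/Sub. By default it lacks Pub/Sub permissions, which shows up as:
#   The service account 'service-[PROJECT_NUMBER]' does not have permission to
#   publish messages to the Cloud Pub/Sub topic
#   '//[PROJECT_ID]/topics/gold-flutter-eventbus', or that topic does not exist.
# So besides granting the new Gold service account access to Pub/Sub, the
# service agent itself needs a publish grant (the GS_SA_EMAIL binding below).
# The project number is what identifies that agent; presumably GS_SA_EMAIL is
# derived from it -- confirm in the sourced config.
PROJECT_NUMBER=$(gcloud projects describe "${PROJECT_ID}" --format 'value(projectNumber)')

# Not idempotent: under set -e a re-run aborts here if the account already
# exists, before any of the grants are (re)applied.
gcloud --project="${PROJECT_ID}" iam service-accounts create "${SA_NAME}" \
  --display-name="Service account for Skia Gold in skia-public"

# Project-wide grants for the Gold service account.
# NOTE(review): pubsub.admin and storage.admin on the whole project are broad;
# if Gold only touches its own topics and buckets, scoping these to those
# resources (e.g. storage.objectAdmin on the bucket) would be least-privilege.
# Left unchanged because the running service may depend on them.
gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
  --member "serviceAccount:${SA_EMAIL}" --role roles/bigtable.user
# datastore and firestore share the same roles
gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
  --member "serviceAccount:${SA_EMAIL}" --role roles/datastore.user
gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
  --member "serviceAccount:${SA_EMAIL}" --role roles/pubsub.admin
gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
  --member "serviceAccount:${SA_EMAIL}" --role roles/storage.admin

# Let the Cloud Storage service agent publish bucket events (see the error
# quoted above).
# NOTE(review): roles/pubsub.publisher on the specific topic is enough for
# publishing; editor at project level is wider than the error requires.
: "${GS_SA_EMAIL:?GS_SA_EMAIL must be set}"
gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
  --member "serviceAccount:${GS_SA_EMAIL}" --role roles/pubsub.editor

# Every other binding targets PROJECT_ID; this one used ${PROJECT}, which is
# not set anywhere visible here. Fall back to PROJECT_ID so that an unset
# PROJECT does not silently grant the role in whatever project gcloud happens
# to have configured as its default.
gcloud projects add-iam-policy-binding --project "${PROJECT:-${PROJECT_ID}}" \
  --member "serviceAccount:${SA_EMAIL}" --role roles/cloudtrace.agent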