From 9d5ae3bc34771ea3181501a50d6922e1262f4596 Mon Sep 17 00:00:00 2001
From: adam
Date: Tue, 16 Apr 2024 09:40:15 -0700
Subject: [PATCH] Go back to GOOGLE_CREDENTIALS for resource creations
---
 .github/workflows/rsp-demo-gke-tf.yaml | 2 +-
 .github/workflows/rsp-demo-proj-tf.yaml | 2 +-
 NEW_ENVIRONMENT.md | 25 ++++++++++++++++++-------
 3 files changed, 20 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/rsp-demo-gke-tf.yaml b/.github/workflows/rsp-demo-gke-tf.yaml
index 162a357e..cc76b304 100644
--- a/.github/workflows/rsp-demo-gke-tf.yaml
+++ b/.github/workflows/rsp-demo-gke-tf.yaml
@@ -32,7 +32,7 @@ jobs:
 uses: google-github-actions/setup-gcloud@v0
 with:
 version: '379.0.0'
- service_account_key: ${{ secrets.PIPELINE_RSP_DEMO_GKE }}
+ service_account_key: ${{ secrets.GOOGLE_CREDENTIALS }}
 project_id: ${{ secrets.GCP_PROJECT_ID }}
 export_default_credentials: true
diff --git a/.github/workflows/rsp-demo-proj-tf.yaml b/.github/workflows/rsp-demo-proj-tf.yaml
index 35bddff8..9e15b318 100644
--- a/.github/workflows/rsp-demo-proj-tf.yaml
+++ b/.github/workflows/rsp-demo-proj-tf.yaml
@@ -32,7 +32,7 @@ jobs:
 uses: google-github-actions/setup-gcloud@v0
 with:
 version: '379.0.0'
- service_account_key: ${{ secrets.PIPELINE_RSP_DEMO_PROJECT }}
+ service_account_key: ${{ secrets.GOOGLE_CREDENTIALS }}
 project_id: ${{ secrets.GCP_PROJECT_ID }}
 export_default_credentials: true
diff --git a/NEW_ENVIRONMENT.md b/NEW_ENVIRONMENT.md
index 69f82b6e..5a639b9b 100644
--- a/NEW_ENVIRONMENT.md
+++ b/NEW_ENVIRONMENT.md
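Review bot: The new `service_account_key` line here, and the identical one in the rsp-demo-proj-tf.yaml hunk, put the broad GOOGLE_CREDENTIALS key back into two workflows that had been moved to per-pipeline keys, and nothing in the workflow itself records that this is a temporary bootstrap state. NEW_ENVIRONMENT.md in the same commit says the scoped PIPELINE_* keys are only to be swapped in after resource creation, so a reader of the workflow alone cannot tell the wider key is expected to go away; add above each changed line `# Bootstrap credential: the scoped PIPELINE_* SA lacks permissions for initial resource creation (see NEW_ENVIRONMENT.md); switch back once resources exist.` Separately, `service_account_key` with `export_default_credentials: true` on `setup-gcloud@v0` is the deprecated key-file auth path that the doc's own keyless-authentication plan (google-github-actions/auth with workload identity) would retire, and the floating `@v0` tag could be pinned to a commit SHA so the step that handles the key cannot change underneath the repo. The enclosing step and job start outside the hunk.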
@@ -143,13 +143,6 @@ This is not the pattern we ultimately want. A future set of improvements to [idf_deploy](.) will replace this with [keyless authentication](https://cloud.google.com/blog/products/identity-security/enabling-keyless-authentication-from-github-actions).
-## Descope GitHub Action accounts
-
-Go back to the [Workflows](.github/workflows) and update the `proj` and
-`gke` workflows to use the new keys just created, rather than
-`GOOGLE_CREDENTIALS`.
-
-Merge this PR.
 ## Add additional resources
@@ -173,5 +166,23 @@ files in an analogous manner. Again, create a PR, examine the Terraform output, and when happy, merge the PR.
+## Descope GitHub Action accounts
+
+Go back to the [Workflows](.github/workflows) and update the `proj` and
+`gke` workflows to use the new keys just created, rather than
+`GOOGLE_CREDENTIALS`.
+
+Merge this PR. (If you do this earlier, the resource creation will not
+happen as it should, because the SAs don't have correct permissions.)
+
+## Issues
+Looks like the reduced-scope tokens lack some permissions. The base env
+is having permission errors creating a cluster-scoped SA, and cloudsql
+fails with "Identity Pool does not exist" which I believe to come from
+the failures in the base, because we saw them earlier...but that was
+when we didn't have a cluster.
+That's because the service account needs the Service Account Admin
+permissions. For the moment, modify it manually, and it goes on the
+backlog of stuff we need to fix.