Go back to GOOGLE_CREDENTIALS for resource creations #506

Merged
merged 1 commit, Apr 16, 2024
2 changes: 1 addition & 1 deletion .github/workflows/rsp-demo-gke-tf.yaml
Expand Up @@ -32,7 +32,7 @@ jobs:
uses: google-github-actions/setup-gcloud@v0
with:
version: '379.0.0'
service_account_key: ${{ secrets.PIPELINE_RSP_DEMO_GKE }}
service_account_key: ${{ secrets.GOOGLE_CREDENTIALS }}
project_id: ${{ secrets.GCP_PROJECT_ID }}
export_default_credentials: true
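Review bot: switching `service_account_key` back from `secrets.PIPELINE_RSP_DEMO_GKE` to `secrets.GOOGLE_CREDENTIALS` hands this job the broad key again, and because the step keeps `export_default_credentials: true`, that key is written to the runner's disk and exposed as Application Default Credentials to every later step in the job, so any third-party action that runs afterwards can use it. Since the line is a workaround for missing permissions rather than the intended end state, add a comment beside it saying so and pointing at the follow-up, and while a long-lived key is in play consider pinning `google-github-actions/setup-gcloud@v0` to a commit SHA instead of a moving major tag. `service_account_key` and `export_default_credentials` are the v0 long-lived-key inputs that later releases of the action dropped in favour of a separate `google-github-actions/auth` step, which is also the route to the keyless authentication the docs in this PR say is the goal.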

2 changes: 1 addition & 1 deletion .github/workflows/rsp-demo-proj-tf.yaml
Expand Up @@ -32,7 +32,7 @@ jobs:
uses: google-github-actions/setup-gcloud@v0
with:
version: '379.0.0'
service_account_key: ${{ secrets.PIPELINE_RSP_DEMO_PROJECT }}
service_account_key: ${{ secrets.GOOGLE_CREDENTIALS }}
project_id: ${{ secrets.GCP_PROJECT_ID }}
export_default_credentials: true
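Review bot: with this change both the `proj` and `gke` workflows authenticate with the same `GOOGLE_CREDENTIALS` key, so the two pipelines are no longer isolated from each other: a compromise of either job (a malicious PR, a poisoned action) yields the union of what the broad key can do in `GCP_PROJECT_ID`. The `PIPELINE_RSP_DEMO_PROJECT` secret this line stops referencing (and its `gke` sibling) should either be deleted from the repository settings with the underlying key revoked, or kept deliberately with a note that the re-scoping returns once the missing roles are granted; an unreferenced but still-valid service account key is easy to forget.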

25 changes: 18 additions & 7 deletions NEW_ENVIRONMENT.md
Expand Up @@ -143,13 +143,6 @@ This is not the pattern we ultimately want. A future set of
improvements to [idf_deploy](.) will replace this with [keyless
authentication](https://cloud.google.com/blog/products/identity-security/enabling-keyless-authentication-from-github-actions).

## Descope GitHub Action accounts

Go back to the [Workflows](.github/workflows) and update the `proj` and
`gke` workflows to use the new keys just created, rather than
`GOOGLE_CREDENTIALS`.

Merge this PR.

## Add additional resources
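Review bot: removing the "Descope GitHub Action accounts" section here leaves the paragraph that says this key-based pattern "is not the pattern we ultimately want" and promises keyless authentication followed directly by "Add additional resources". A one-line pointer that the descoping step now comes after resource creation, and why, would stop readers working through this part of the guide from wondering where it went.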

Expand All @@ -173,5 +166,23 @@ files in an analogous manner.
Again, create a PR, examine the Terraform output, and when happy, merge
the PR.

## Descope GitHub Action accounts

Go back to the [Workflows](.github/workflows) and update the `proj` and
`gke` workflows to use the new keys just created, rather than
`GOOGLE_CREDENTIALS`.

Merge this PR. (If you do this earlier, the resource creation will not
happen as it should, because the SAs don't have correct permissions.)

## Issues

Looks like the reduced-scope tokens lack some permissions. The base env
is having permission errors creating a cluster-scoped SA, and cloudsql
fails with "Identity Pool does not exist" which I believe to come from
the failures in the base, because we saw them earlier...but that was
when we didn't have a cluster.

That's because the service account needs the Service Account Admin
permissions. For the moment, modify it manually, and it goes on the
backlog of stuff we need to fix.
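Review bot: the "Issues" section records a diagnosis ("I believe", "we saw them earlier") and an instruction to "modify it manually", which in a step-by-step provisioning guide means the reduced-scope service accounts end up with an out-of-band grant that Terraform does not know about and that a later apply can remove if the project IAM policy is managed authoritatively. State the concrete fix instead: the pipeline service accounts need `roles/iam.serviceAccountAdmin` (the role behind "Service Account Admin") on the project, grant it in the Terraform that creates them, and replace "goes on the backlog" with a reference to the tracking issue. The "Identity Pool does not exist" error from the cloudsql step is consistent with the author's reading: the project's Workload Identity pool (`PROJECT_ID.svc.id.goog`) only comes into existence once a GKE cluster with Workload Identity is created, so an IAM binding against it attempted before the cluster exists fails regardless of the service account's roles; saying explicitly that the cloudsql binding must run after the cluster is up would save the next person the same detour. The parenthetical under "Descope GitHub Action accounts" should also say plainly that until that step is done every resource-creation run uses the broad `GOOGLE_CREDENTIALS` key.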