Allow robot-service@ to read from GCR explicitly. (#243)
This is a step towards removing the blanket objectAdmin ACL.
(b/299475780) It's a second attempt after the rollback in #237.

As far as I can tell, robot-service@ does not need to read other files
from CRC buckets (config.sh, crc_version.txt, etc) in the general case,
although integration tests might need more privilege.
drigz authored Nov 3, 2023
1 parent 416f5a2 commit 28d80e3
Showing 1 changed file with 10 additions and 0 deletions.
10 changes: 10 additions & 0 deletions deploy.sh
@@ -243,6 +243,16 @@ function terraform_post {
gcloud container clusters update "${cluster[@]}" --quiet \
--enable-vertical-pod-autoscaling
fi

# I couldn't work out how to identify exactly which buckets back GCR in a
# given project: some have just "artifacts", some have just "eu.artifacts",
# and some have both. Since GCR will be turned down in favor of GAR in 2024,
# it seems simplest just to apply the ACLs with gcloud until then.
for bucket in $(gcloud storage buckets list --project "${GCP_PROJECT_ID}" --format "value(name)" | grep "artifacts.*appspot.com") ; do
gcloud storage buckets add-iam-policy-binding "gs://${bucket}" \
--member "serviceAccount:robot-service@${GCP_PROJECT_ID}.iam.gserviceaccount.com" \
--role "roles/storage.objectViewer"
done
}

function terraform_delete {
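Review bot: the `grep "artifacts.*appspot.com"` filter on the `for bucket in $(...)` line is an unanchored regex with unescaped dots, so it matches any bucket whose name merely contains "artifacts" somewhere before "appspot.com", not only the GCR-backed ones, and every match gets a `roles/storage.objectViewer` binding for `robot-service@`. Since the comment above names the two expected shapes (`artifacts` and `eu.artifacts`), anchor the pattern to those, e.g. `grep -E '^(eu\.)?artifacts\.[^.]+\.appspot\.com$'`, so the removal of the blanket objectAdmin ACL is not offset by a viewer grant on unrelated buckets. A smaller point on the same loop: an empty listing (no GCR buckets in the project, or a `gcloud storage buckets list` failure, since the substitution's exit status is not checked in a `for` word list) makes the loop body run zero times with no message, which would silently leave the commit's goal unmet; consider checking that the expansion is non-empty, or logging the buckets that were actually bound, before the loop.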
