[Automation] GCS Permission check and fix

linamy85 · linamy85 · commit e7e10f9c5350 · 2026-02-02T02:40:23.000Z
diff --git a/Ironwood/guides/automation/README.md b/Ironwood/guides/automation/README.md
@@ -52,7 +52,7 @@ You can configure the behavior using the following environment variable:
 
 | Variable | Description | Required | Default |
 | :--- | :--- | :--- | :--- |
-| `GCS_BUCKET_ROOT_DIR` | The root GCS path where results will be stored. Must start with `gs://`. | **Yes** | `gs://amylin-microbenchmark` (Change this!) |
+| `GCS_BUCKET_ROOT_DIR` | The root GCS path where results will be stored. Must start with `gs://`. | **Yes** | `gs://example-microbenchmark` (Change this!) |
 
 ## Usage Guide
 
diff --git a/Ironwood/guides/automation/automation_launch.sh b/Ironwood/guides/automation/automation_launch.sh
@@ -6,6 +6,7 @@
 TIMESTAMP=$(date +%Y-%m-%d_%H-%M-%S)
 export GCS_BUCKET_ROOT_DIR=""
 export GCS_SA_NAME="gcs-writer"  # Service account with write access to GCS_BUCKET_ROOT_DIR
+export PROJECT_ID=$(gcloud config get-value project 2>/dev/null)
 
 MAX_RETRIES=3
 TIMEOUT_SECOND=3600
@@ -45,6 +46,19 @@ for topology in "${required_topologies[@]}"; do
     envsubst '${TOPOLOGY} ${TPUS}' < ${SCRIPT_DIR}/job-queue.yaml | kubectl apply -f -
 done
 
+######################################################################
+#                  GCS PERMISSION CHECK
+######################################################################
+
+# Run the GCS permission check
+export SA_NAME="${GCS_SA_NAME}"
+export PROJECT_ID="${PROJECT_ID}"
+if ! bash "${SCRIPT_DIR}/check_gcs_permissions.sh"; then
+    echo "GCS Permission Check Failed. Exiting."
+    exit 1
+fi
+
+
 ######################################################################
 #                 LAUNCH JOBS & WAIT FOR COMPLETION
 ######################################################################
diff --git a/Ironwood/guides/automation/check_gcs_permissions.sh b/Ironwood/guides/automation/check_gcs_permissions.sh
@@ -0,0 +1,116 @@
+#!/usr/bin/env bash
+
+# This script checks if the configured Service Account has write permissions to the specified GCS bucket.
+# If permissions are missing, it attempts to fix them by creating the SA and granting roles/storage.admin.
+#
+# Expected Environment Variables:
+#   GCS_BUCKET_ROOT_DIR: The GCS path (must start with gs://)
+#   SA_NAME: The Service Account name (default: gcs-writer)
+#   PROJECT_ID: The GCP Project ID (optional, will try to detect if not set)
+
+SCRIPT_DIR="$(dirname "$(realpath "$0")")"
+SA_NAME="${SA_NAME:-gcs-writer}"
+PROJECT_ID="${PROJECT_ID:-$(gcloud config get-value project 2>/dev/null)}"
+
+if [[ -z "${GCS_BUCKET_ROOT_DIR}" || "${GCS_BUCKET_ROOT_DIR}" != "gs://"* ]]; then
+  echo "Error: GCS_BUCKET_ROOT_DIR must be set and start with gs://"
+  exit 1
+fi
+
+fix_gcs_permissions() {
+    # See more context in https://docs.cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#authenticating_to
+    echo "Attempting to fix GCS permissions..."
+    
+    if [[ -z "${PROJECT_ID}" ]]; then
+        echo "Error: PROJECT_ID is not set and could not be detected."
+        echo "Please export PROJECT_ID=<your-project-id> and rerun."
+        exit 1
+    fi
+    
+    local bucket_name=$(echo "${GCS_BUCKET_ROOT_DIR}" | sed 's|^gs://||' | cut -d/ -f1)
+    local ns_name="default"
+    
+    echo "Ensuring ServiceAccount ${SA_NAME} exists in namespace ${ns_name}..."
+    kubectl create serviceaccount "${SA_NAME}" --namespace "${ns_name}" --dry-run=client -o yaml | kubectl apply -f -
+    
+    local project_number=$(gcloud projects describe "${PROJECT_ID}" --format="value(projectNumber)")
+    
+    echo "Granting roles/storage.admin to ${SA_NAME} on gs://${bucket_name}..."
+    gcloud storage buckets add-iam-policy-binding "gs://${bucket_name}" \
+        --role=roles/storage.admin \
+        --member="principal://iam.googleapis.com/projects/${project_number}/locations/global/workloadIdentityPools/${PROJECT_ID}.svc.id.goog/subject/ns/${ns_name}/sa/${SA_NAME}"
+        
+    echo "Permission fix command executed."
+}
+
+check_gcs_permission() {
+    echo "Checking GCS write permissions..."
+    export GCS_CHECK_PATH="${GCS_BUCKET_ROOT_DIR}/permission-check-$(date +%s).txt"
+    export SA_NAME="${SA_NAME}"
+
+    # Check if ServiceAccount exists first to fail fast
+    if ! kubectl get serviceaccount "${SA_NAME}" &> /dev/null; then
+        echo "ServiceAccount '${SA_NAME}' not found."
+        return 1
+    fi
+    
+    # Launch check pod
+    # We capture the pod name from the output of kubectl create
+    local apply_output=$(envsubst '${SA_NAME} ${GCS_CHECK_PATH}' < "${SCRIPT_DIR}/gcs-write.yaml" | kubectl create -f -)
+    # output example: pod/gcs-writer-test-abcde created
+    local pod_name=$(echo "${apply_output}" | awk -F'/' '{print $2}' | awk '{print $1}')
+    
+    echo "Launched GCS check pod: ${pod_name}"
+    
+    # Wait for completion
+    local check_status="FAILED"
+    for i in {1..20}; do
+        sleep 5
+        if kubectl get pod "${pod_name}" -o jsonpath='{.status.phase}' 2>/dev/null | grep -q "Succeeded"; then
+            check_status="SUCCESS"
+            break
+        fi
+        if kubectl get pod "${pod_name}" -o jsonpath='{.status.phase}' 2>/dev/null | grep -q "Failed"; then
+            check_status="FAILED"
+            break
+        fi
+    done
+
+    # Check logs
+    if kubectl logs "${pod_name}" 2>/dev/null | grep -q "GCS test complete!"; then
+         echo "GCS permission check PASSED."
+         check_status="SUCCESS"
+    else
+         echo "GCS permission check FAILED."
+         check_status="FAILED"
+         echo "Logs from ${pod_name}:"
+         kubectl logs "${pod_name}" 2>/dev/null | tail -n 10
+    fi
+    
+    # Cleanup
+    kubectl delete pod "${pod_name}" --grace-period=0 --force &> /dev/null
+    
+    if [[ "${check_status}" != "SUCCESS" ]]; then
+        return 1
+    fi
+    return 0
+}
+
+# Main Logic
+echo "======================================================================"
+echo "Starting GCS Permission Check (SA: ${SA_NAME}, Bucket: ${GCS_BUCKET_ROOT_DIR})"
+echo "======================================================================"
+
+if ! check_gcs_permission; then
+    echo "GCS check failed. Attempting to fix..."
+    fix_gcs_permissions
+    
+    echo "Retrying GCS check..."
+    if ! check_gcs_permission; then
+        echo "GCS permissions check failed even after attempted fix."
+        echo "Please verify your Service Account '${SA_NAME}' has proper permissions on ${GCS_BUCKET_ROOT_DIR}"
+        exit 1
+    fi
+fi
+
+echo "GCS Check Verified Successfully."
diff --git a/Ironwood/guides/automation/gcs-write.yaml b/Ironwood/guides/automation/gcs-write.yaml
@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  generateName: gcs-writer-test-
+  namespace: default
+spec:
+  serviceAccountName: ${SA_NAME}
+  containers:
+  - name: gcs-test-container
+    image: google/cloud-sdk:slim
+    command:
+    - bash
+    - -c
+    - |
+      set -ex
+      TIMESTAMP=$(date +%s)
+      LOCAL_FILE="/tmp/test-file-${TIMESTAMP}.txt"
+      
+      # GCS_CHECK_PATH is substituted by envsubst
+      echo "Using GCS Path: ${GCS_CHECK_PATH}"
+
+      echo "Testing GCS write from pod at $(date)" > "${LOCAL_FILE}"
+
+      echo "--- Configuration ---"
+      gcloud auth list
+      gcloud config list
+      # Try to get service account email, but don't fail if metadata server is slow/unreachable (though it should be reachable)
+      curl -s -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email" || echo "Could not fetch SA email"
+      echo
+
+      echo "--- Writing to GCS ---"
+      gsutil cp "${LOCAL_FILE}" "${GCS_CHECK_PATH}"
+
+      echo "--- Verifying from GCS ---"
+      gsutil cat "${GCS_CHECK_PATH}"
+
+      echo "--- Cleaning up GCS object ---"
+      gsutil rm "${GCS_CHECK_PATH}"
+
+      echo "GCS test complete!"
+  restartPolicy: Never
