Add setup-gcp.sh to provision WIF + service account in one step

Author: promominali

README.md

@@ -21,6 +21,7 @@ A minimal FastAPI "Hello, World!" service, managed with [uv](https://docs.astral
 ├── .python-version     # pins Python 3.13 for uv
 ├── Dockerfile          # uv-based container build
 ├── .dockerignore
+├── setup-gcp.sh        # one-time GCP setup (WIF + service account)
 └── .github/workflows/
     └── deploy.yml      # GitHub Actions → Cloud Run
 ```
@@ -78,55 +79,28 @@ A push to the `deploy-github` branch triggers [.github/workflows/deploy.yml](.gi
 
 ### One-time GCP setup
 
-You only need to do this once per project. Replace `PROJECT_ID` and `GITHUB_REPO` (e.g. `your-org/your-repo`) with your values.
+Run [setup-gcp.sh](setup-gcp.sh) once per project. It enables APIs, creates the deployer service account, sets up a Workload Identity Pool + GitHub OIDC provider scoped to your repo, and prints the two secrets you need.
+
+Requires `gcloud` installed and authenticated (`gcloud auth login`).
 
 ```bash
-PROJECT_ID="fullstackpro-python"
-GITHUB_REPO="OWNER/REPO"
-SA_NAME="github-deployer"
-POOL="github-pool"
-PROVIDER="github-provider"
-
-gcloud config set project "$PROJECT_ID"
-PROJECT_NUMBER=$(gcloud projects describe "$PROJECT_ID" --format="value(projectNumber)")
-
-# 1. Enable APIs
-gcloud services enable \
-  run.googleapis.com \
-  cloudbuild.googleapis.com \
-  artifactregistry.googleapis.com \
-  iamcredentials.googleapis.com
-
-# 2. Create deployer service account
-gcloud iam service-accounts create "$SA_NAME" \
-  --display-name="GitHub Actions Cloud Run deployer"
-SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
-
-# 3. Grant it the roles it needs
-for role in roles/run.admin roles/iam.serviceAccountUser roles/cloudbuild.builds.editor roles/artifactregistry.writer roles/storage.admin; do
-  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
-    --member="serviceAccount:${SA_EMAIL}" --role="$role"
-done
-
-# 4. Create a Workload Identity Pool + GitHub OIDC provider
-gcloud iam workload-identity-pools create "$POOL" \
-  --location=global --display-name="GitHub Pool"
-
-gcloud iam workload-identity-pools providers create-oidc "$PROVIDER" \
-  --location=global --workload-identity-pool="$POOL" \
-  --display-name="GitHub OIDC" \
-  --attribute-mapping="google.subject=assertion.sub,attribute.repository=assertion.repository" \
-  --attribute-condition="assertion.repository=='${GITHUB_REPO}'" \
-  --issuer-uri="https://token.actions.githubusercontent.com"
-
-# 5. Let the GitHub repo impersonate the service account
-gcloud iam service-accounts add-iam-policy-binding "$SA_EMAIL" \
-  --role=roles/iam.workloadIdentityUser \
-  --member="principalSet://iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/${POOL}/attribute.repository/${GITHUB_REPO}"
-
-# 6. Print the values to put in GitHub secrets
-echo "GCP_WIF_PROVIDER = projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/${POOL}/providers/${PROVIDER}"
-echo "GCP_SERVICE_ACCOUNT = ${SA_EMAIL}"
+# Required: your GitHub repo in owner/repo form
+GITHUB_REPO=OWNER/REPO ./setup-gcp.sh
+
+# Or override the defaults too:
+GITHUB_REPO=OWNER/REPO \
+PROJECT_ID=fullstackpro-python \
+SA_NAME=github-deployer \
+POOL=github-pool \
+PROVIDER=github-provider \
+./setup-gcp.sh
+```
+
+The script is idempotent — safe to re-run if you need to re-bind a new repo or re-print the secret values. At the end it prints:
+
+```
+GCP_WIF_PROVIDER     = projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/github-pool/providers/github-provider
+GCP_SERVICE_ACCOUNT  = github-deployer@PROJECT_ID.iam.gserviceaccount.com
 ```
 
 ### Add GitHub repo secrets

setup-gcp.sh

@@ -0,0 +1,120 @@
+#!/usr/bin/env bash
+#
+# One-time GCP setup for GitHub Actions → Cloud Run deploys via
+# Workload Identity Federation (keyless auth).
+#
+# Re-running is safe — every step is idempotent.
+#
+# Required:
+#   GITHUB_REPO   GitHub repo in OWNER/REPO form, e.g. mominali/fastapi_basic
+#
+# Optional (with defaults):
+#   PROJECT_ID    GCP project (default: fullstackpro-python)
+#   SA_NAME       Service account name (default: github-deployer)
+#   POOL          Workload Identity Pool ID (default: github-pool)
+#   PROVIDER      OIDC provider ID (default: github-provider)
+#
+# Usage:
+#   GITHUB_REPO=mominali/fastapi_basic ./setup-gcp.sh
+
+set -euo pipefail
+
+PROJECT_ID="${PROJECT_ID:-fullstackpro-python}"
+SA_NAME="${SA_NAME:-github-deployer}"
+POOL="${POOL:-github-pool}"
+PROVIDER="${PROVIDER:-github-provider}"
+
+if [[ -z "${GITHUB_REPO:-}" ]]; then
+  echo "ERROR: GITHUB_REPO must be set (e.g. GITHUB_REPO=owner/repo $0)" >&2
+  exit 1
+fi
+
+echo ">>> Project:       ${PROJECT_ID}"
+echo ">>> GitHub repo:   ${GITHUB_REPO}"
+echo ">>> Service acct:  ${SA_NAME}"
+echo ">>> WIF pool:      ${POOL}"
+echo ">>> OIDC provider: ${PROVIDER}"
+echo
+
+gcloud config set project "${PROJECT_ID}" >/dev/null
+PROJECT_NUMBER=$(gcloud projects describe "${PROJECT_ID}" --format="value(projectNumber)")
+SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
+
+echo ">>> [1/5] Enabling required APIs..."
+gcloud services enable \
+  run.googleapis.com \
+  cloudbuild.googleapis.com \
+  artifactregistry.googleapis.com \
+  iamcredentials.googleapis.com \
+  iam.googleapis.com \
+  sts.googleapis.com
+
+echo ">>> [2/5] Ensuring service account exists..."
+if ! gcloud iam service-accounts describe "${SA_EMAIL}" >/dev/null 2>&1; then
+  gcloud iam service-accounts create "${SA_NAME}" \
+    --display-name="GitHub Actions Cloud Run deployer"
+else
+  echo "    already exists: ${SA_EMAIL}"
+fi
+
+echo ">>> [3/5] Granting roles to ${SA_EMAIL}..."
+for role in \
+  roles/run.admin \
+  roles/iam.serviceAccountUser \
+  roles/cloudbuild.builds.editor \
+  roles/artifactregistry.writer \
+  roles/storage.admin
+do
+  gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
+    --member="serviceAccount:${SA_EMAIL}" \
+    --role="${role}" \
+    --condition=None \
+    --quiet >/dev/null
+  echo "    + ${role}"
+done
+
+echo ">>> [4/5] Ensuring Workload Identity Pool + OIDC provider..."
+if ! gcloud iam workload-identity-pools describe "${POOL}" \
+      --location=global >/dev/null 2>&1; then
+  gcloud iam workload-identity-pools create "${POOL}" \
+    --location=global \
+    --display-name="GitHub Pool"
+else
+  echo "    pool already exists: ${POOL}"
+fi
+
+if ! gcloud iam workload-identity-pools providers describe "${PROVIDER}" \
+      --location=global --workload-identity-pool="${POOL}" >/dev/null 2>&1; then
+  gcloud iam workload-identity-pools providers create-oidc "${PROVIDER}" \
+    --location=global \
+    --workload-identity-pool="${POOL}" \
+    --display-name="GitHub OIDC" \
+    --attribute-mapping="google.subject=assertion.sub,attribute.repository=assertion.repository" \
+    --attribute-condition="assertion.repository=='${GITHUB_REPO}'" \
+    --issuer-uri="https://token.actions.githubusercontent.com"
+else
+  echo "    provider already exists: ${PROVIDER}"
+fi
+
+echo ">>> [5/5] Binding GitHub repo to service account..."
+PRINCIPAL="principalSet://iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/${POOL}/attribute.repository/${GITHUB_REPO}"
+gcloud iam service-accounts add-iam-policy-binding "${SA_EMAIL}" \
+  --role=roles/iam.workloadIdentityUser \
+  --member="${PRINCIPAL}" \
+  --quiet >/dev/null
+echo "    + ${PRINCIPAL}"
+
+WIF_PROVIDER="projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/${POOL}/providers/${PROVIDER}"
+
+cat <<EOF
+
+✓ Setup complete.
+
+Add these two secrets to your GitHub repo
+(Settings → Secrets and variables → Actions → New repository secret):
+
+  GCP_WIF_PROVIDER     = ${WIF_PROVIDER}
+  GCP_SERVICE_ACCOUNT  = ${SA_EMAIL}
+
+Then push to the deploy-github branch to trigger a Cloud Run deploy.
+EOF