
Commit a1ec42c

committed
create a dedicated service account with token creator permissions
token required for django-storages blob signing
1 parent 5fe35c2 commit a1ec42c

1 file changed

Lines changed: 16 additions & 3 deletions


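--- a/run/django/e2e_test_setup.yaml
+++ b/run/django/e2e_test_setup.yaml
@@ -58,14 +58,23 @@ steps:
 GS_BUCKET_NAME=${_STORAGE_BUCKET}
 SECRET_KEY=$(cat /dev/urandom | LC_ALL=C tr -dc '[:alpha:]' | fold -w 30 | head -n1)" > ${_SECRET_SETTINGS_NAME}
 
-sa_email=$(gcloud projects list --filter "name=${PROJECT_ID}" --format "value(projectNumber)")-compute@developer.gserviceaccount.com
+./retry.sh "gcloud iam service-accounts create ${_SERVICE_ACCOUNT_NAME}"
+
+./retry.sh "gcloud projects add-iam-policy-binding ${PROJECT_ID} \
+--member="serviceAccount:${_SERVICE_ACCOUNT_EMAIL} \
+--role=rroles/iam.serviceAccountTokenCreator"
+
+./retry.sh "gcloud iam add-iam-policy-binding ${_SECRET_SETTINGS_NAME} \
+--member serviceAccount:${_SERVICE_ACCOUNT_EMAIL} \
+--role roles/secretmanager.secretAccessor \
+--project ${PROJECT_ID}"
 
 ./retry.sh "gcloud secrets create ${_SECRET_SETTINGS_NAME} \
 --project $PROJECT_ID \
 --data-file=${_SECRET_SETTINGS_NAME}"
 
 ./retry.sh "gcloud secrets add-iam-policy-binding ${_SECRET_SETTINGS_NAME} \
---member serviceAccount:${sa_email} \
+--member serviceAccount:${_SERVICE_ACCOUNT_EMAIL} \
 --role roles/secretmanager.secretAccessor \
 --project ${PROJECT_ID}"
 
@@ -94,6 +103,7 @@ steps:
 --set-cloudsql-instances ${_CLOUD_SQL_CONNECTION_NAME} \
 --set-env-vars SETTINGS_NAME=${_SECRET_SETTINGS_NAME} \
 --command migrate \
+--service-account=${_SERVICE_ACCOUNT_EMAIL} \
 --execute-now --wait"
 
 - id: "Create Superuser"
@@ -110,6 +120,7 @@ steps:
 --set-env-vars SETTINGS_NAME=${_SECRET_SETTINGS_NAME} \
 --set-env-vars DJANGO_SUPERUSER_PASSWORD=${_ADMIN_PASSWORD} \
 --set-env-vars DJANGO_SUPERUSER_EMAIL=${_ADMIN_EMAIL} \
+--service-account=${_SERVICE_ACCOUNT_EMAIL} \
 --execute-now --wait"
 
 - id: "Deploy to Cloud Run"
@@ -124,6 +135,7 @@ steps:
 --no-allow-unauthenticated \
 --region ${_REGION} \
 --set-cloudsql-instances ${_CLOUD_SQL_CONNECTION_NAME} \
+--service-account=${_SERVICE_ACCOUNT_EMAIL} \
 --set-env-vars SETTINGS_NAME=${_SECRET_SETTINGS_NAME}"
 
 images:
@@ -149,4 +161,5 @@ substitutions:
 _DB_PASS: password1234
 _ADMIN_PASSWORD: superpass
 _ADMIN_EMAIL: example@noop.com
-
+_SERVICE_ACCOUNT_NAME: django-sa-${_VERSION}
+_SERVICE_ACCOUNT_EMAIL: ${_SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com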
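Review bot: The new project-level binding in the first hunk (new lines 63-65) cannot run as written: the role is misspelled `rroles/iam.serviceAccountTokenCreator`, and the stray `"` after `--member=` closes the string that `./retry.sh "gcloud projects add-iam-policy-binding …` opened, leaving the quoting unbalanced. Granting serviceAccountTokenCreator on the whole project is also broader than blob signing needs, since it lets this account mint tokens for every service account in the project; binding the role on the service account itself is the least-privilege form, e.g. `./retry.sh "gcloud iam service-accounts add-iam-policy-binding ${_SERVICE_ACCOUNT_EMAIL} --member=serviceAccount:${_SERVICE_ACCOUNT_EMAIL} --role=roles/iam.serviceAccountTokenCreator --project ${PROJECT_ID}"`. The `gcloud iam add-iam-policy-binding ${_SECRET_SETTINGS_NAME}` block at new lines 67-70 runs before `gcloud secrets create` and duplicates the `gcloud secrets add-iam-policy-binding` that already follows, so it looks like a leftover that should be dropped. Since the jobs and the service now run as this account instead of the default compute account, it presumably also needs whatever bucket and Cloud SQL permissions the e2e test relies on, and I do not see those granted in this change — confirm they come from elsewhere. The script step containing this hunk starts before new line 58.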
