create_workload_service_account.sh
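#!/bin/bash
#
# Creates the workload service-account and grants it the roles the workload
# needs:
#   - roles/iam.serviceAccountUser on the service account itself, granted to
#     the operator (gcloud's active account) so they can run workloads as it.
#   - roles/confidentialcomputing.workloadUser and roles/logging.logWriter on
#     the project.
#   - objectViewer on the input bucket, objectAdmin on the result bucket.
#
# Reads from config_env.sh: PRIMUS_PROJECT_ID, WORKLOAD_SERVICEACCOUNT,
# PRIMUS_INPUT_STORAGE_BUCKET, PRIMUS_RESULT_STORAGE_BUCKET.
# Uses from common.sh:      set_gcp_project, create_service_account.
#
# Every step is checked individually: a failed create or binding aborts the
# script so later grants never run against a half-configured identity.
set -uo pipefail
source config_env.sh
source common.sh

# -u only catches *unset* variables; an empty one would silently produce a
# member such as "serviceAccount:@<project>.iam.gserviceaccount.com".
: "${PRIMUS_PROJECT_ID:?PRIMUS_PROJECT_ID must be set}"
: "${WORKLOAD_SERVICEACCOUNT:?WORKLOAD_SERVICEACCOUNT must be set}"
: "${PRIMUS_INPUT_STORAGE_BUCKET:?PRIMUS_INPUT_STORAGE_BUCKET must be set}"
: "${PRIMUS_RESULT_STORAGE_BUCKET:?PRIMUS_RESULT_STORAGE_BUCKET must be set}"

# Full e-mail form of the service account, used by every binding below.
readonly workload_sa_email="${WORKLOAD_SERVICEACCOUNT}@${PRIMUS_PROJECT_ID}.iam.gserviceaccount.com"

# Print an error to stderr and exit non-zero.
die() { printf '%s\n' "$*" >&2; exit 1; }

set_gcp_project "${PRIMUS_PROJECT_ID}" \
  || die "Failed to set gcloud project to ${PRIMUS_PROJECT_ID}"

echo "Creating workload service-account ${WORKLOAD_SERVICEACCOUNT}"
create_service_account "${WORKLOAD_SERVICEACCOUNT}" \
  || die "Failed to create service-account ${WORKLOAD_SERVICEACCOUNT}"

# Resolve the operator identity before using it: an empty value would yield
# the member "user:", which gcloud rejects with a less obvious error.
operator_account=$(gcloud config get-value account)
[[ -n "${operator_account}" ]] \
  || die "No active gcloud account; authenticate with gcloud first"

echo "Granting roles/iam.serviceAccountUser role workload operator ..."
# Bound on the service-account resource, not the project, so the operator can
# act as this one identity only.
gcloud iam service-accounts add-iam-policy-binding "${workload_sa_email}" \
  --member="user:${operator_account}" \
  --role="roles/iam.serviceAccountUser" \
  || die "Failed to grant roles/iam.serviceAccountUser on ${workload_sa_email}"

echo "Granting roles/confidentialcomputing.workloadUser to service-account ${WORKLOAD_SERVICEACCOUNT} ..."
gcloud projects add-iam-policy-binding "${PRIMUS_PROJECT_ID}" \
  --member="serviceAccount:${workload_sa_email}" \
  --role="roles/confidentialcomputing.workloadUser" \
  || die "Failed to grant roles/confidentialcomputing.workloadUser"

echo "Granting roles/logging.logWriter to service-account ${WORKLOAD_SERVICEACCOUNT} ..."
gcloud projects add-iam-policy-binding "${PRIMUS_PROJECT_ID}" \
  --member="serviceAccount:${workload_sa_email}" \
  --role="roles/logging.logWriter" \
  || die "Failed to grant roles/logging.logWriter"

echo "Granting objectViewer role for ${PRIMUS_INPUT_STORAGE_BUCKET} to service-account ${WORKLOAD_SERVICEACCOUNT} ..."
gsutil iam ch \
  "serviceAccount:${workload_sa_email}:objectViewer" \
  "gs://${PRIMUS_INPUT_STORAGE_BUCKET}" \
  || die "Failed to grant objectViewer on gs://${PRIMUS_INPUT_STORAGE_BUCKET}"

echo "Granting objectAdmin role for ${PRIMUS_RESULT_STORAGE_BUCKET} to service-account ${WORKLOAD_SERVICEACCOUNT} ..."
# NOTE(review): objectAdmin also allows overwriting and deleting existing
# results. If the workload only ever writes new objects, objectCreator would
# be the tighter grant — confirm against the workload's actual needs.
gsutil iam ch \
  "serviceAccount:${workload_sa_email}:objectAdmin" \
  "gs://${PRIMUS_RESULT_STORAGE_BUCKET}" \
  || die "Failed to grant objectAdmin on gs://${PRIMUS_RESULT_STORAGE_BUCKET}"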