fix(strr-api): use cloud run service account for gcs uploads#1505
fix(strr-api): use cloud run service account for gcs uploads#1505Jacky-Pham merged 9 commits intomainfrom
Conversation
bolyachevets
left a comment
bolyachevets
left a comment
There was a problem hiding this comment.
if you are not going to use the key in cloudrun, might as well not load it from 1password into the build, i.e. remove it from:
STRR/strr-api/devops/vaults.gcp.env
Line 27 in 4e3093b
| auth_key = current_app.config.get("GCP_AUTH_KEY") | ||
|
|
||
| if current_app.config.get("DEPLOYMENT_PLATFORM") == "GCP" or not auth_key: | ||
| storage_client = storage.Client(project=project_id) |
There was a problem hiding this comment.
won't devs still require aDevs can copy the key from here for access to dev bucket.GCP_AUTH_KEYfor local development?sanity check: Is the permission on the bucket setup such that the Cloud Run SA can access it for this to work?Confirmed with @Jacky-Pham offline that theGCP_AUTH_KEYwas created from the Cloud Run role of thestrr-api-*service so permission should already be set up.
|
@Jacky-Pham Do we need this PR in next release? There are some unresolved comments. |
|
@dimak1 No this is not necessary for the next release. I can fix these up for next release |
| JWT_OIDC_ISSUER="op://keycloak/$APP_ENV/jwt-base/JWT_OIDC_ISSUER" | ||
| JWT_OIDC_CACHING_ENABLED="op://keycloak/$APP_ENV/jwt-base/JWT_OIDC_CACHING_ENABLED" | ||
| JWT_OIDC_ALGORITHMS="op://keycloak/$APP_ENV/jwt-base/JWT_OIDC_ALGORITHMS" | ||
| GCP_AUTH_KEY="op://buckets/$APP_ENV/strr/GCP_AUTH_KEY" |
There was a problem hiding this comment.
also need to remove this from config.py:
STRR/strr-api/src/strr_api/config.py
Line 121 in 6066551
There was a problem hiding this comment.
made appropriate changes please confirm
There was a problem hiding this comment.
i dont see any changes in config.py
|
6 participants
Issue: Long term fix for bad gateway issues regarding document upload
Description of changes:
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the BC Registry and Digital Services BSD 3-Clause License