We've used terraform in concourse to create the required service accounts, keys
and permissions. Alternatively, manually terraform apply in the ci/terraform
directory after creating the items below.
The pre-requisite is to create a dependachore-deployer service account, which
is used by terraform. This must have the following permissions:
- Cloud Functions Developer
- Cloud KMS Admin
- Service Account Admin
- Service Account Key Admin
- Service Account User
Terraform also requires a GCS bucket called dependachore, and the
dependachore-deployer service account must have the Storage Object Admin role
on the bucket.