chore: log out, and de-impersonalize after commands

.buildkite/scripts/common/activate_service_account.sh

@@ -5,19 +5,22 @@ set -euo pipefail
 source "$(dirname "${BASH_SOURCE[0]}")/vault_fns.sh"
 
 BUCKET_OR_EMAIL="${1:-}"
+GCLOUD_EMAIL_POSTFIX="elastic-kibana-ci.iam.gserviceaccount.com"
+GCLOUD_SA_PROXY_EMAIL="kibana-ci-sa-proxy@$GCLOUD_EMAIL_POSTFIX"
 
 if [[ -z "$BUCKET_OR_EMAIL" ]]; then
   echo "Usage: $0 <bucket_name|email>"
   exit 1
-elif [[ "$BUCKET_OR_EMAIL" == "-" ]]; then
+elif [[ "$BUCKET_OR_EMAIL" == "--unset-impersonation" ]]; then
   echo "Unsetting impersonation"
   gcloud config unset auth/impersonate_service_account
   exit 0
+elif [[ "$BUCKET_OR_EMAIL" == "--logout-gcloud" ]]; then
+  echo "Logging out of gcloud"
+  gcloud auth revoke $GCLOUD_SA_PROXY_EMAIL
+  exit 0
 fi
 
-GCLOUD_EMAIL_POSTFIX="elastic-kibana-ci.iam.gserviceaccount.com"
-GCLOUD_SA_PROXY_EMAIL="kibana-ci-sa-proxy@$GCLOUD_EMAIL_POSTFIX"
-
 CURRENT_GCLOUD_USER=$(gcloud auth list --filter="status=ACTIVE" --format="value(account)")
 
 # Verify that the service account proxy is activated

.buildkite/scripts/lifecycle/post_command.sh

@@ -2,6 +2,10 @@
 
 set -euo pipefail
 
+echo '--- Log out of gcloud'
+./.buildkite/scripts/common/activate_service_account.sh --unset-impersonation || echo "Failed to unset impersonation"
+./.buildkite/scripts/common/activate_service_account.sh --logout-gcloud || echo "Failed to log out of gcloud"
+
 echo '--- Agent Debug Info'
 ts-node .buildkite/scripts/lifecycle/print_agent_links.ts || true