Add serviceaccount to prod GCS buckets

The serviceaccount can be used for automation purposes, for example in GitHub actions when publishing releases. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
kubernetes · Oct 19, 2023 · f04c914 · f04c914
1 parent 9bf9931
commit f04c914
Showing 1 changed file with 41 additions and 3 deletions.
diff --git a/infra/gcp/bash/ensure-prod-storage.sh b/infra/gcp/bash/ensure-prod-storage.sh
@@ -63,7 +63,8 @@ readonly ALL_PROD_PROJECTS
 # This is a list of all prod GCS buckets, but only their trailing "name".  Each
 # name will get a GCS bucket called "k8s-artifacts-${name}", and write access
 # will be granted to the group "k8s-infra-push-${name}@kubernetes.io", which
-# must already exist.
+# must already exist. Additionally, a service account "k8s-infra-push-bot" will
+# be created which can be used for automation purposes.
 #
 ALL_PROD_BUCKETS=(
     "csi"
@@ -250,13 +251,50 @@ function ensure_all_prod_projects() {
 
 # Create all prod GCS buckets.
 function ensure_all_prod_buckets() {
+    local sa_name="k8s-infra-push-bot"
+    local sa_email="${sa_name}@${PROD_PROJECT}.iam.gserviceaccount.com"
+    local principal="serviceAccount:${sa_email}"
+    local pool="k8s-infra-push-pool"
+    local provider="k8s-infra-push-provider"
+
+    color 6 "Ensuring ${sa_email} exists and can write to prod buckets in project: ${PROD_PROJECT}"
+    ensure_service_account \
+      "${PROD_PROJECT}" \
+      "${sa_name}" \
+      "used by automation to push artifacts to prod buckets in ${PROD_PROJECT}"
+
+    gcloud iam workload-identity-pools create "${pool}" \
+        --project="${PROD_PROJECT}" \
+        --location="global" \
+        --display-name="${pool}"
+
+    gcloud iam workload-identity-pools providers create-oidc "${provider}" \
+        --project="${PROD_PROJECT}" \
+        --location="global" \
+        --workload-identity-pool="${pool}" \
+        --display-name="${provider}" \
+        --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.aud=assertion.aud" \
+        --issuer-uri="https://token.actions.githubusercontent.com"
+
+    pool_id=$(gcloud iam workload-identity-pools describe "${pool}" --project="${PROD_PROJECT}" --location="global" --format="value(name)")
+
+    gcloud iam service-accounts add-iam-policy-binding "${sa_email}" \
+        --project="${PROD_PROJECT}" \
+        --role="roles/iam.workloadIdentityUser" \
+        --member="principalSet://iam.googleapis.com/${pool_id}"
+
     for sfx in "${ALL_PROD_BUCKETS[@]}"; do
-        color 6 "Ensuring the GCS bucket: gs://k8s-artifacts-${sfx}"
+        bucket="gs://k8s-artifacts-${sfx}"
+
+        color 6 "Ensuring the GCS bucket: ${bucket}"
         ensure_prod_gcs_bucket \
             "${PROD_PROJECT}" \
-            "gs://k8s-artifacts-${sfx}" \
+            "${bucket}" \
             "k8s-infra-push-${sfx}@kubernetes.io" \
             | indent
+
+        ensure_gcs_role_binding "${bucket}" "${principal}" "objectCreator"
+        ensure_gcs_role_binding "${bucket}" "${principal}" "objectViewer"
     done
 }