2 changes: 2 additions & 0 deletions deploy/cloudrun/README.md
Expand Up @@ -113,6 +113,8 @@ The deployment uses **two separate service accounts** following the principle of

Both are created automatically by `setup.sh`. The Pub/Sub Invoker SA is only created when `ENABLE_MARKETPLACE=true` (the default).

**Impersonation:** When the Pub/Sub topic is a cross-project reference (fully-qualified `projects/.../topics/...` path), `deploy.sh` uses `--impersonate-service-account` to create the subscription as the Pub/Sub Invoker SA. This requires the deployer to have `roles/iam.serviceAccountTokenCreator` on the Pub/Sub Invoker SA. `setup.sh` grants this automatically to the active `gcloud` account. Note that IAM changes can take up to 7-10 minutes to propagate — if `deploy.sh` fails with `PERMISSION_DENIED` on impersonation right after running `setup.sh`, wait a few minutes and retry.

## Prerequisites

- [Google Cloud CLI](https://cloud.google.com/sdk/docs/install) installed and authenticated
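Review bot: the new **Impersonation** paragraph documents the `roles/iam.serviceAccountTokenCreator` grant to the deployer but says nothing about its lifetime or removal; that binding is a standing ability to mint tokens as the Pub/Sub Invoker SA (which the setup.sh hunk on this page also gives Pub/Sub Editor in the project), so the paragraph should add a sentence on revoking it after deployment with `gcloud iam service-accounts remove-iam-policy-binding`, in keeping with the principle the section opens with. It would also help to state that the grant is applied to whatever account `gcloud config get-value account` returns at the time `setup.sh` runs, so a deployer who later switches accounts will hit the same `PERMISSION_DENIED` the paragraph attributes to propagation delay.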
16 changes: 16 additions & 0 deletions deploy/cloudrun/setup.sh
Expand Up @@ -266,6 +266,22 @@ if [[ "$ENABLE_MARKETPLACE" == "true" ]]; then
--project="$PROJECT_ID" \
--quiet || true

# Grant the deployer permission to impersonate the Pub/Sub Invoker SA.
# Required so that deploy.sh can use --impersonate-service-account when
# creating push subscriptions on cross-project marketplace topics.
DEPLOYER_ACCOUNT=$(gcloud config get-value account 2>/dev/null)
if [[ -n "$DEPLOYER_ACCOUNT" ]]; then
log_info "Granting roles/iam.serviceAccountTokenCreator to $DEPLOYER_ACCOUNT on Pub/Sub Invoker SA..."
gcloud iam service-accounts add-iam-policy-binding "$PUBSUB_INVOKER_SA" \
--member="user:$DEPLOYER_ACCOUNT" \
--role="roles/iam.serviceAccountTokenCreator" \
--project="$PROJECT_ID" \
--quiet || true
else
log_warn "Could not determine deployer account. You may need to manually grant"
log_warn "roles/iam.serviceAccountTokenCreator on $PUBSUB_INVOKER_SA to run deploy.sh."
fi

# Grant the Pub/Sub Invoker SA the Pub/Sub Editor role in the project.
# Required so that deploy.sh can impersonate this SA to create a push
# subscription attached to the marketplace topic (which is typically in a
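Review bot: the `--member="user:$DEPLOYER_ACCOUNT"` binding assumes the active gcloud account is a human user; when `setup.sh` runs under a service account (CI, a Cloud Shell or VM identity), `gcloud config get-value account` returns an `@...gserviceaccount.com` address that needs the `serviceAccount:` prefix, the `add-iam-policy-binding` call fails, and the trailing `|| true` swallows that failure, so neither the `log_warn` branch nor the caller learns about it until `deploy.sh` fails with `PERMISSION_DENIED`. Suggest deriving the member prefix from the address, e.g. `case "$DEPLOYER_ACCOUNT" in *.gserviceaccount.com) MEMBER="serviceAccount:$DEPLOYER_ACCOUNT";; *) MEMBER="user:$DEPLOYER_ACCOUNT";; esac`, and replacing `|| true` on the grant with an explicit `|| log_warn "..."` so a failed grant is surfaced at setup time rather than at deploy time.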