1*55e87721SMatt Gilbride#
2*55e87721SMatt Gilbride# Copyright 2022 Google LLC
3*55e87721SMatt Gilbride#
4*55e87721SMatt Gilbride# Licensed under the Apache License, Version 2.0 (the "License");
5*55e87721SMatt Gilbride# you may not use this file except in compliance with the License.
6*55e87721SMatt Gilbride# You may obtain a copy of the License at
7*55e87721SMatt Gilbride#
8*55e87721SMatt Gilbride#      https://www.apache.org/licenses/LICENSE-2.0
9*55e87721SMatt Gilbride#
10*55e87721SMatt Gilbride# Unless required by applicable law or agreed to in writing, software
11*55e87721SMatt Gilbride# distributed under the License is distributed on an "AS IS" BASIS,
12*55e87721SMatt Gilbride# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13*55e87721SMatt Gilbride# See the License for the specific language governing permissions and
14*55e87721SMatt Gilbride# limitations under the License.
15*55e87721SMatt Gilbride#
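set -eo pipefail

# Purpose: prepare a Terraform service account in $GOOGLE_CLOUD_PROJECT and let the active gcloud
# principal impersonate it. Required input: GOOGLE_CLOUD_PROJECT (target project ID). Reads
# ./helpers/common.sh for getTerraformServiceAccountName / getTerraformServiceAccountEmail.
# Fail early with a clear message instead of passing an empty project ID to gcloud.
: "${GOOGLE_CLOUD_PROJECT:?GOOGLE_CLOUD_PROJECT must be set to the target project ID}"

# Use the project ID in gcloud set-quota-project. Clear the existing quota project directly from
# the configuration, and re-set.
gcloud config set project "$GOOGLE_CLOUD_PROJECT"

# gcloud honours CLOUDSDK_CONFIG for its configuration directory; fall back to the default.
adc_file="${CLOUDSDK_CONFIG:-$HOME/.config/gcloud}/application_default_credentials.json"
if [[ ! -f "$adc_file" ]]; then
  echo "No application default credentials at $adc_file; run 'gcloud auth application-default login' first." >&2
  exit 1
fi
# The ADC file contains a refresh token. `sed -i.bak` is kept for GNU/BSD sed portability, but the
# backup it leaves behind is a second copy of that secret on disk, so remove it right away.
# NOTE(review): a line-based delete leaves a dangling trailing comma if quota_project_id happens to
# be the last key of the JSON object; switch to jq if it becomes available on the runners.
sed -i.bak '/quota_project_id/d' "$adc_file"
rm -f -- "${adc_file}.bak"
gcloud auth application-default set-quota-project "$GOOGLE_CLOUD_PROJECT"

# Set up service account for impersonation.
source ./helpers/common.sh
service_account_name=$(getTerraformServiceAccountName)
service_account_email=$(getTerraformServiceAccountEmail)

# Create the service account only if it does not exist yet. `set -e` is not applied to the
# condition of an `if`, so no set +e / set -e toggling is needed around the probe.
created_service_account=false
if ! gcloud iam service-accounts describe "$service_account_email" &>/dev/null; then
  gcloud iam service-accounts create "$service_account_name"
  created_service_account=true
fi

# Allow the active gcloud principal to impersonate this service account.
# Bind the role on the service account itself rather than on the project: a project-level
# roles/iam.serviceAccountTokenCreator grant would let the principal mint tokens for every
# service account in the project, which is far more than this workflow needs.
gcloud_account=$(gcloud config get account)
if [[ "$gcloud_account" == *.gserviceaccount.com ]]; then
  # CI runners typically authenticate as a service account; `user:` is the wrong member type there.
  member="serviceAccount:$gcloud_account"
else
  member="user:$gcloud_account"
fi
gcloud iam service-accounts add-iam-policy-binding "$service_account_email" \
  --member="$member" \
  --role="roles/iam.serviceAccountTokenCreator" >/dev/null

# Assign permissions to the service account.
# NOTE(review): roles/owner is a basic role that already contains every permission in
# roles/resourcemanager.projectIamAdmin, so the second binding is redundant, and a standing
# project-wide owner grant is a very broad privilege for a Terraform identity. Both bindings are
# kept because the Terraform configuration this helper serves is not visible here; narrowing them
# requires reviewing what that configuration actually manages.
for role in roles/owner roles/resourcemanager.projectIamAdmin; do
  gcloud projects add-iam-policy-binding "$GOOGLE_CLOUD_PROJECT" \
    --member="serviceAccount:$service_account_email" \
    --role="$role" >/dev/null
done

# See https://cloud.google.com/blog/topics/developers-practitioners/using-google-cloud-service-account-impersonation-your-terraform-code
# This export only reaches Terraform if this script is sourced (or Terraform is launched from this
# process); running it as a child process leaves the caller's environment untouched.
export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT="$service_account_email"

if [[ "$created_service_account" == true ]]; then
  # IAM bindings on a freshly created service account take time to propagate; the elapsed-time
  # labels match the 30-second sleeps below.
  for elapsed_label in 0s 30s 1m0s 1m30s; do
    echo "Waiting 2m for service account permissions to take effect... [${elapsed_label} elapsed]"
    sleep 30
  done
fi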
66