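#!/usr/bin/env bash
# Copyright 2022 The TestGrid Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Grants roles/iam.workloadIdentityUser on TestGrid's Google service accounts
# (GSAs) to the Kubernetes service accounts (KSAs) that run the components, so
# pods can impersonate the GSA through Workload Identity.  Bindings that already
# exist are reported as NOOP; each missing binding is shown and confirmed
# interactively before gcloud modifies the GSA's IAM policy.
#
# Requires: gcloud on PATH, authenticated as a principal allowed to read and
# edit the IAM policy of each GSA's project.

set -o errexit
set -o nounset
set -o pipefail

# Resolve gcloud once; fail with a message instead of a bare errexit exit.
gcloud=$(command -v gcloud) || {
  echo "ERROR: gcloud not found on PATH" >&2
  exit 1
}
readonly gcloud

# The only role this script ever grants: it lets a KSA act as the GSA.
readonly role=roles/iam.workloadIdentityUser

#######################################
# Ensure each given KSA may impersonate a GSA, prompting before every new
# binding.  Existing bindings are left untouched.
# Globals:   gcloud, role (read)
# Arguments: $1 - GSA email, e.g. name@project.iam.gserviceaccount.com
#            $2 - Kubernetes namespace holding the KSAs
#            $@ - remaining args: KSA names inside that namespace
# Outputs:   NOOP/SKIP/DONE status lines and the traced gcloud command
# Returns:   0; a failing gcloud call aborts the script via errexit
#######################################
bind-service-accounts() {
  local gsa=$1
  local k8s_ns=$2
  shift 2
  local gsa_project
  gsa_project=$(extract-project "$gsa")
  local k8s_project=k8s-testgrid
  local rolemsg=${role#*iam.}

  # Members currently bound to $role on the GSA, as one whitespace-separated
  # string.  Assigning first keeps errexit in effect if get-iam-policy fails.
  local existing
  existing=$(existing-members "$gsa" "$role")
  local -a members=()
  # -d '' reads every line into the array and returns 1 at EOF, hence || true.
  read -r -d '' -a members <<<"$existing" || true

  local k8s_sa member membermsg m found answer
  for k8s_sa in "$@"; do
    member="serviceAccount:$k8s_project.svc.id.goog[$k8s_ns/$k8s_sa]"
    membermsg=$k8s_ns/$k8s_sa

    found=
    # ${members[@]+...} keeps an empty array from tripping nounset on bash < 4.4.
    for m in ${members[@]+"${members[@]}"}; do
      if [[ "$m" == "$member" ]]; then
        found=y
        break
      fi
    done
    if [[ -n "$found" ]]; then
      echo "NOOP: $membermsg has $rolemsg access to $gsa"
      continue
    fi

    echo "Current $rolemsg members of $gsa: ${members[*]-<none>}"
    read -r -p "Grant $member $role access to $gsa? 
[y/N] " answer

    case "$answer" in
      y*|Y*)
        # Trace the exact command so the grant is visible in the session log.
        (
          set -o xtrace
          "$gcloud" iam service-accounts \
            --project "$gsa_project" \
            add-iam-policy-binding "$gsa" \
            --role "$role" \
            --member "$member"
        )
        # Only reached when gcloud succeeded (errexit aborts otherwise).
        echo "DONE: gave $membermsg $rolemsg access to $gsa"
        ;;
      *)
        # Declined: say so rather than reporting a grant that never happened.
        echo "SKIP: did not give $membermsg $rolemsg access to $gsa"
        ;;
    esac
  done
}

#######################################
# Print the project id that owns a GSA.
# Arguments: $1 - GSA email, name@project.iam.gserviceaccount.com
# Outputs:   the project id on stdout
#######################################
extract-project() {
  local gp=${1#*@}   # name@proj.iam.gserviceaccount.com => proj.iam.gserviceaccount.com
  gp=${gp%.iam*}     # proj.iam.gserviceaccount.com => proj
  printf '%s\n' "$gp"
}

#######################################
# Print the members currently bound to a role on a GSA's IAM policy.
# Globals:   gcloud (read)
# Arguments: $1 - GSA email
#            $2 - role to look up, e.g. roles/iam.workloadIdentityUser
# Outputs:   space-separated member strings on stdout (empty if none)
# Returns:   gcloud's exit status
#######################################
existing-members() {
  local gsa=$1
  local want_role=$2
  local proj
  proj=$(extract-project "$gsa")
  "$gcloud" iam service-accounts \
    --project "$proj" \
    get-iam-policy "$gsa" \
    --filter="bindings.role=$want_role" \
    --flatten=bindings --format='value[delimiter=" "](bindings.members)'
}


dir=$(dirname "$0")

# Show which KSA/GSA pairs the manifests next to this script declare, so the
# operator can compare them against the bindings requested below.
echo "Service accounts:"
grep -R -E "iam.gke.io/gcp-service-account|serviceAccountName:|namespace:" "$dir" | grep -v grep | sort -u


canary=(
  config-merger
  summarizer
  tabulator
  updater
)
bind-service-accounts testgrid-canary@k8s-testgrid.iam.gserviceaccount.com testgrid-canary "${canary[@]}"

# API has a separate access account from the rest of the backend
bind-service-accounts testgrid-canary-api@k8s-testgrid.iam.gserviceaccount.com testgrid-canary api

knative=(
  summarizer
  tabulator
  updater
)
bind-service-accounts testgrid-updater@knative-tests.iam.gserviceaccount.com knative "${knative[@]}"

prod=(
  config-merger
  summarizer
  tabulator
  updater
)
bind-service-accounts updater@k8s-testgrid.iam.gserviceaccount.com testgrid "${prod[@]}"

bind-service-accounts testgrid-api@k8s-testgrid.iam.gserviceaccount.com testgrid api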