# Creating Federated Conformance Test GCS Buckets

This guide is aimed primarily at members of the Google GKE EngProd team for
creating Google-provided GCS buckets to be used by other providers for hosting
conformance results on TestGrid, but the general steps should be good practice
for anyone setting up a GCS bucket for automated uploads.

1) Use a separate dedicated [GCP project](https://cloud.google.com/storage/docs/projects), to further limit access to unrelated resources. We use [k8s-federated-conformance](http://console.cloud.google.com/home/dashboard?project=k8s-federated-conformance).

2) Create a new bucket in the GCP project. See the official [Creating Storage Buckets](https://cloud.google.com/storage/docs/creating-buckets) guide. Use one bucket per provider. We use the naming scheme `k8s-conformance-$PROVIDER`, e.g. `gs://k8s-conformance-openstack`.

3) Follow [Making Data Public](https://cloud.google.com/storage/docs/access-control/making-data-public) (specifically the "Making groups of objects publicly readable" section) to make the bucket readable by TestGrid.
    - This essentially involves adding `allUsers` to the bucket with `Storage Object Viewer` permission.

4) Create a matching service account, something like `$PROVIDER-logs`, which will ultimately create an account like `openstack-logs@k8s-federated-conformance.iam.gserviceaccount.com`. See [Creating and Managing Service Accounts](https://cloud.google.com/iam/docs/creating-managing-service-accounts) for more details.

5) Add [`Storage Object Create`](https://cloud.google.com/storage/docs/access-control/iam-roles) permissions (`storage.objects.create`) to the service account created in step 4. This allows the service account to create new entries. See also [Identity and Access Management](https://cloud.google.com/storage/docs/access-control/iam).

6) [Generate a service account credential](https://cloud.google.com/storage/docs/authentication#generating-a-private-key) file. Per the [gcloud auth activate-service-account](https://cloud.google.com/sdk/gcloud/reference/auth/activate-service-account) docs, the JSON format is preferred. This file must be provided to the CI uploading the test results. It can be used with the `--key-file` flag in [`upload_e2e.py`](./upload_e2e.py).
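
As an added example (not part of the original guide or the test-infra repository), the following Python check audits a bucket's IAM policy against steps 3 and 5: public access is read-only and the provider's service account can only create objects. It assumes both grants are made at the bucket level and that the policy has the JSON shape printed by `gsutil iam get gs://BUCKET`; the function name and the sample policies are constructed for illustration.

```python
VIEWER = "roles/storage.objectViewer"    # step 3: anonymous read for TestGrid
CREATOR = "roles/storage.objectCreator"  # step 5: upload-only for the provider's CI
PUBLIC = ("allUsers", "allAuthenticatedUsers")


def audit_bucket_policy(policy, uploader_email):
    """Return findings for a bucket IAM policy; an empty list means it matches steps 3 and 5."""
    uploader = "serviceAccount:" + uploader_email
    roles = {}  # member -> set of roles bound on the bucket
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            roles.setdefault(member, set()).add(binding["role"])

    findings = []
    if VIEWER not in roles.get("allUsers", set()):
        findings.append("allUsers lacks %s: TestGrid cannot read results" % VIEWER)
    for member in PUBLIC:
        for role in sorted(roles.get(member, set()) - {VIEWER}):
            findings.append("%s holds %s: public access must stay read-only" % (member, role))
    if CREATOR not in roles.get(uploader, set()):
        findings.append("%s lacks %s: uploads will fail" % (uploader, CREATOR))
    for member in sorted(roles):
        if not member.startswith("serviceAccount:"):
            continue  # project owner/editor convenience bindings are out of scope here
        for role in sorted(roles[member] - {CREATOR}):
            findings.append("%s holds %s: uploader keys should only create objects" % (member, role))
        if member != uploader:
            findings.append("%s is not this bucket's provider account" % member)
    return findings


# Constructed sample policies (not real output); names follow the guide's examples.
UPLOADER = "openstack-logs@k8s-federated-conformance.iam.gserviceaccount.com"
OWNER = {"role": "roles/storage.legacyBucketOwner",
         "members": ["projectOwner:k8s-federated-conformance"]}
GOOD = {"bindings": [
    {"role": VIEWER, "members": ["allUsers"]},
    {"role": CREATOR, "members": ["serviceAccount:" + UPLOADER]},
    OWNER]}
BAD = {"bindings": [
    {"role": VIEWER, "members": ["allUsers"]},
    {"role": "roles/storage.objectAdmin", "members": ["allUsers", "serviceAccount:" + UPLOADER]},
    OWNER]}

if __name__ == "__main__":
    for name, policy in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_bucket_policy(policy, UPLOADER))
```

To audit a real bucket, save the output of `gsutil iam get gs://k8s-conformance-$PROVIDER` to a file and pass the result of `json.load` on it as `policy`.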