42 changes: 7 additions & 35 deletions scripts/setup_workload_identity.sh
Expand Up @@ -15,10 +15,12 @@
# limitations under the License.

# Universal Direct Workload Identity Federation Setup Script for GitHub Actions
# This script sets up Google Cloud Direct Workload Identity Federation for any GitHub repository
# to work with the google-github-actions/auth action.
# The original script sets up Google Cloud Direct Workload Identity Federation for
# any GitHub repositorty to work with the google-github-actions/auth action.
#
# Uses Direct WIF (preferred): No intermediate service accounts, direct authentication to GCP resources.
# It has been modified for Gemini CLI, which requires a special WIF setup
# setup through a Service Account.


set -e

Expand Down Expand Up @@ -221,9 +223,7 @@ required_apis=(
)
# Separately enable the internal-only Cloud Code API, ignoring errors
# for public users who may not have access.
gcloud services enable "cloudcode-pa.googleapis.com" --project="${GOOGLE_CLOUD_PROJECT}" || true
gcloud services enable "${required_apis[@]}" --project="${GOOGLE_CLOUD_PROJECT}"
gcloud services enable "cloudcode-pa.googleapis.com" --project="${GOOGLE_CLOUD_PROJECT}" || true
print_success "APIs enabled successfully."

# Step 2: Create Workload Identity Pool
Expand Down Expand Up @@ -319,38 +319,10 @@ else
fi

# Step 4: Grant required permissions to the Workload Identity Pool
print_header "Step 4: Granting required permissions to Workload Identity Pool"
print_header "(Skipped) Step 4: Granting required permissions to Workload Identity Pool"
PRINCIPAL_SET="principalSet://iam.googleapis.com/${WIF_POOL_ID}/attribute.repository/${GITHUB_REPO}"

print_info "Granting required permissions directly to the Workload Identity Pool..."

# Observability permissions
print_info "Granting logging permissions..."
gcloud projects add-iam-policy-binding "${GOOGLE_CLOUD_PROJECT}" \
--role="roles/logging.logWriter" \
--member="${PRINCIPAL_SET}" \
--condition=None

print_info "Granting monitoring permissions..."
gcloud projects add-iam-policy-binding "${GOOGLE_CLOUD_PROJECT}" \
--role="roles/monitoring.metricWriter" \
--member="${PRINCIPAL_SET}" \
--condition=None

print_info "Granting tracing permissions..."
gcloud projects add-iam-policy-binding "${GOOGLE_CLOUD_PROJECT}" \
--role="roles/cloudtrace.agent" \
--member="${PRINCIPAL_SET}" \
--condition=None

# Model inference permissions
print_info "Granting vertex permissions..."
gcloud projects add-iam-policy-binding "${GOOGLE_CLOUD_PROJECT}" \
--role="roles/aiplatform.user" \
--member="${PRINCIPAL_SET}" \
--condition=None

print_success "Required permissions granted to Workload Identity Pool"
print_info "(Skipped) Granting required permissions directly to the Workload Identity Pool..."

# Step 5: Create and Configure Service Account for Gemini CLI
print_header "Step 5: Create and Configure Service Account for Gemini CLI"
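Review bot: In the Step 4 hunk, `PRINCIPAL_SET="principalSet://iam.googleapis.com/${WIF_POOL_ID}/attribute.repository/${GITHUB_REPO}"` is still assigned although every `add-iam-policy-binding` that consumed it was removed; if Step 5 (outside this hunk) uses it for the `roles/iam.workloadIdentityUser` binding on the new service account, move the assignment next to that use, otherwise it is dead code. The two "(Skipped)" `print_header`/`print_info` calls announce a step that no longer does anything at runtime; a comment such as `# Step 4 (direct project-level grants to the pool) is intentionally not performed: Gemini CLI authenticates through the service account created in Step 5.` would be clearer than emitting a skipped-step message. Since the old direct grants bound only four narrowly scoped roles to the repository-scoped principal set, the service-account path should keep that least-privilege posture, i.e. grant the same roles to the service account rather than a broader one, and restrict impersonation to the same `attribute.repository` principal set — this cannot be confirmed from the visible lines. In the header-comment hunk, "repositorty" is a typo and "WIF setup setup through a Service Account" doubles "setup".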