Comments (3)
TODO from @grayside:
- split up the cloud-run-manager service account into `website-identity` and `api-identity` (see #197 and #198)
- attach the necessary permissions
- revise the deploy instructions/process
Per @engelke - we should try to create four service accounts. The first two are separate accounts for the API and website (i.e. what we've done already). The latter two are used to create ID tokens - one as an Approver, the other as a User.
I did a quick audit of our Terraform IAM definitions; here are some issues I found.

Pub/Sub access (for automated rollouts)
`pubsub_publisher_iam_member` grants Pub/Sub publisher access to every Pub/Sub topic. We should explore using `google_pubsub_topic_iam_member` instead to limit this access to a specific topic.
✨ See #329

Cloud Run Admin (for Cloud Build)
We currently use the `roles/run.admin` role for the Cloud Build Service Account. I wonder if we can "get away with" a more tightly-scoped role like `roles/run.developer`. 🤔
🚫 This is not worth implementing.

I'll go ahead and make PRs to fix these. @grayside is there anything else required to land this?
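Terraform sketch of the two bindings contrasted in the Pub/Sub item above: a project-wide publisher grant beside the topic-scoped one it should be replaced with. This is an added example, not Emblem's own Terraform; the topic name `rollouts`, the service account `rollout-publisher` and the `project_id` variable are assumptions.

```hcl
# Added example (not Emblem's Terraform). Topic, service account and variable
# names are assumed for illustration.

variable "project_id" {
  type = string
}

# Hypothetical topic the automated-rollout pipeline publishes to.
resource "google_pubsub_topic" "rollouts" {
  name    = "rollouts"
  project = var.project_id
}

# Hypothetical identity that publishes rollout messages (e.g. a Cloud Build step).
resource "google_service_account" "rollout_publisher" {
  project      = var.project_id
  account_id   = "rollout-publisher"
  display_name = "Rollout publisher (example)"
}

# BEFORE (over-broad): a project-level binding lets this account publish to
# EVERY topic in the project, including topics created later.
resource "google_project_iam_member" "pubsub_publisher_iam_member" {
  project = var.project_id
  role    = "roles/pubsub.publisher"
  member  = "serviceAccount:${google_service_account.rollout_publisher.email}"
}

# AFTER (least privilege): a topic-level binding scopes the same role to the
# one topic the pipeline actually needs. Replace the block above with this one;
# keeping both leaves the project-wide grant in place.
resource "google_pubsub_topic_iam_member" "rollouts_publisher" {
  project = var.project_id
  topic   = google_pubsub_topic.rollouts.name
  role    = "roles/pubsub.publisher"
  member  = "serviceAccount:${google_service_account.rollout_publisher.email}"
}
```

After applying the topic-scoped form, `gcloud pubsub topics get-iam-policy rollouts` should list the account under `roles/pubsub.publisher`, while `gcloud projects get-iam-policy` for the project should no longer show that role bound to it.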