Merge pull request #43 from CedrickArmel/feat/etl

fix: sa impersonnation by wi
CedrickArmel · Oct 12, 2024 · 51a7004 · 51a7004
2 parents 5a758e4 + 7fad25d
commit 51a7004
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 16 deletions.
diff --git a/.github/workflows/etl.yml b/.github/workflows/etl.yml
@@ -43,7 +43,8 @@ jobs:
             chmod +x scripts/trigger.sh
             ./scripts/trigger.sh -p ${{ secrets.PROJECT_ID }} \
                 -r ${{ secrets.REGION }} \
-                -t build-beam-image
+                -t build-beam-image \
+                -i ${{ secrets.SERVICE_ACCOUNT }}
       -
         name: Install Poetry
         run: |

diff --git a/main.tf b/main.tf
@@ -204,9 +204,8 @@ resource "google_iam_workload_identity_pool_provider" "gcp_gha_oidc_provider" {
   attribute_mapping = {
     "google.subject"  = "assertion.sub"
     "attribute.aud"   = "assertion.aud"
-    "attribute.actor" = "assertion.actor"
   }
-  attribute_condition = "assertion.sub=='${var.gha_assertion_sub}' && assertion.aud=='${var.gha_assertion_aud}' && assertion.actor=='${var.gha_assertion_actor}'"
+  attribute_condition = "assertion.sub=='${var.gha_assertion_sub}' && assertion.aud=='${var.gha_assertion_aud}'"
   oidc {
     issuer_uri = "https://token.actions.githubusercontent.com"
   }

diff --git a/scripts/trigger.sh b/scripts/trigger.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 usage() {
-    echo "Usage: $0 -p <project> -r <region> -t <trigger> [-b <branch>] [-s <substitutions>]"
+    echo "Usage: $0 -p <project> -r <region> -t <trigger> [-b <branch>] [-s <substitutions>] [-i <impersonate-service-account>]"
     exit 1
 }
 
@@ -11,6 +11,7 @@ while getopts "p:r:t:b:s:" opt; do
         t) trigger="$OPTARG";;
         b) branch="$OPTARG";;
         s) substitutions="$OPTARG";;
+        i) impersonate="$OPTARG";;
         *) usage;;
     esac
 done
@@ -25,18 +26,23 @@ export CLOUDSDK_CORE_DISABLE_PROMPTS=1
 # Set the project
 gcloud config set project "$project"
 
+IMPERSONATE_FLAG=""
+if [ -n "$impersonate" ]; then
+    IMPERSONATE_FLAG="--impersonate-service-account=$impersonate"
+fi
+
 # Run the gcloud command based on whether the branch and substitutions are provided
 if [ -z "$substitutions" ]; then
     if [ -z "$branch" ]; then
-        BUILD_ID=$(gcloud beta builds triggers run "$trigger" --region="$region" --quiet --format="value(metadata.build.id)")
+        BUILD_ID=$(gcloud beta builds triggers run "$trigger" --region="$region" $IMPERSONATE_FLAG --quiet --format="value(metadata.build.id)")
     else
-        BUILD_ID=$(gcloud beta builds triggers run "$trigger" --region="$region" --branch="$branch" --quiet --format="value(metadata.build.id)")
+        BUILD_ID=$(gcloud beta builds triggers run "$trigger" --region="$region" --branch="$branch" $IMPERSONATE_FLAG --quiet --format="value(metadata.build.id)")
     fi
 else
     if [ -z "$branch" ]; then
-        BUILD_ID=$(gcloud beta builds triggers run "$trigger" --region="$region" --substitutions="$substitutions" --quiet --format="value(metadata.build.id)")
+        BUILD_ID=$(gcloud beta builds triggers run "$trigger" --region="$region" --substitutions="$substitutions" $IMPERSONATE_FLAG --quiet --format="value(metadata.build.id)")
     else
-        BUILD_ID=$(gcloud beta builds triggers run "$trigger" --region="$region" --substitutions="$substitutions" --branch="$branch" --quiet --format="value(metadata.build.id)")
+        BUILD_ID=$(gcloud beta builds triggers run "$trigger" --region="$region" --substitutions="$substitutions" $IMPERSONATE_FLAG --branch="$branch" --quiet --format="value(metadata.build.id)")
     fi
 fi
 

diff --git a/variables.tf b/variables.tf
@@ -16,6 +16,7 @@ variable "gcp_enabled_services" {
     "dataform.googleapis.com",
     "datapipelines.googleapis.com",
     "cloudscheduler.googleapis.com",
+    "iamcredentials.googleapis.com",
     "iam.googleapis.com",
     "iap.googleapis.com",
     "ml.googleapis.com",
@@ -68,6 +69,7 @@ variable "gcp_service_accounts" {
         "roles/logging.logWriter",
         "roles/ml.developer",
         "roles/secretmanager.secretAccessor",
+        "roles/iam.serviceAccountTokenCreator",
         "roles/storage.admin",
       ]
       sa_id = "neurips-ml-sa"
@@ -86,16 +88,9 @@ variable "gha_assertion_aud" {
 variable "gha_assertion_sub" {
   description = "GHA workload identity JWk token sub attribute"
   type        = string
-  default     = "CedrickArmel/neurips_adc:ref:refs/heads/main"
+  default     = "repo:CedrickArmel/neurips_adc:ref:refs/heads/main"
 }
 
-variable "gha_assertion_actor" {
-  description = "GHA workload identity JWk token actor attribute"
-  type        = string
-  default     = "CedrickArmel"
-}
-
-
 #########
 # Secrets
 variable "gcp_iam_infra_sa_account_id" {