google-cloud
  • g

    green-school-95910

    05/06/2020, 10:12 PM
    If it was in an organization, the admin can control the IAM and regain control over it
  • q

    quiet-wolf-18467

    05/06/2020, 10:12 PM
    But even when I got my permissions back, all the GCloud service agents were gone. Nothing worked
  • g

    green-school-95910

    05/06/2020, 10:12 PM
    Yeah, you'll have to create them back manually
  • g

    green-school-95910

    05/06/2020, 10:13 PM
    If you really want the project back it can be done
  • g

    green-school-95910

    05/06/2020, 10:13 PM
    It's just a lot of work
  • q

    quiet-wolf-18467

    05/06/2020, 10:13 PM
    I'll take 24 hours downtime and rebuild. It's not mission critical
  • q

    quiet-wolf-18467

    05/06/2020, 10:24 PM
    Why didn't the preview show me this change, out of curiosity?
  • q

    quiet-wolf-18467

    05/08/2020, 3:57 PM
    const kamusKmsAdminPerms = new gcp.projects.IAMMember("kamus-kms-admin", {
        member: serviceAccount.email,
        role: "roles/cloudkms.admin", // May also need roles/cloudkms.cryptoKeyEncrypterDecrypter
        project: serviceAccount.project,
    });
  • q

    quiet-wolf-18467

    05/08/2020, 3:58 PM
    This won't destroy my project again, will it? CC @green-school-95910 🙂
  • q

    quiet-wolf-18467

    05/08/2020, 3:58 PM
    Sorry for the tag, but I don't want to ruin my weekend
  • h

    hallowed-rain-9096

    05/08/2020, 4:03 PM
    isn't deploying on Fridays against the rules anyway? 😉
  • q

    quiet-wolf-18467

    05/08/2020, 4:06 PM
    It worked 😮
  • g

    green-school-95910

    05/08/2020, 4:11 PM
    Yes, that is the way to do it.
  • g

    green-school-95910

    05/08/2020, 4:13 PM
    It links one member in one of the role bindings. From my experience, in all IaaS that I have used, managing full bindings directly never ends well
  • g

    green-school-95910

    05/08/2020, 4:15 PM
    It is not even limited to destroy; you create an IAMBinding for the same role in more than one place and they would replace each other on every change.
  • q

    quiet-wolf-18467

    05/08/2020, 4:17 PM
    I don't know why IAMPolicy and IAMBinding exist, those are wild
  • g

    green-school-95910

    05/08/2020, 4:18 PM
    They make sense on some very edge cases when you want to completely sync your permissions from somewhere else
  • h

    hallowed-rain-9096

    05/08/2020, 4:18 PM
    I use IAMPolicy scoped to a cloud run service, because I know exactly who should have any kind of access to that service. At a global level...yikes... 😱
  • g

    green-school-95910

    05/08/2020, 4:18 PM
    I believe the permission sync from LDAP uses them
  • g

    green-school-95910

    05/08/2020, 4:20 PM
    Yeah as @hallowed-rain-9096 said, at resource level they make more sense, even if they are still dangerous. If you do that on AppEngine you can make a lot of its internals stop working
  • h

    hallowed-rain-9096

    05/08/2020, 4:24 PM
    AppEngine is a weird beast anyway, especially with IAP
  • e

    enough-engineer-49169

    05/14/2020, 12:33 PM
    message has been deleted
  • e

    eager-table-17755

    05/16/2020, 11:30 AM
    Hello 👋 I'm not sure whether this is the right channel... I'm using Pulumi (❤️ I love it so far) to deploy a Cloud Run service. During the new version release, I'd like to perform DB migrations, but I haven't found the right place to do it. It could happen on every container start, but that introduces a significant startup overhead 😞 Is there something like a hook to execute when a new service version is being deployed?
  • l

    limited-rainbow-51650

    05/18/2020, 10:47 AM
    On GitLab, I can create a CI secret variable that will be created as a file. In my case, this worked perfectly for the GOOGLE_APPLICATION_CREDENTIALS. But how should I do it on GitHub Actions? Setting the secret to the content of the file doesn't work. Should I create the file myself, passing the content of the secret and then setting an env variable in the workflow yaml script?
  • l

    limited-rainbow-51650

    05/18/2020, 10:48 AM
    For completeness, yes I found this: https://github.com/marketplace/actions/setup-gcloud-environment But adding this to my setup adds to my total GitHub Actions run time just to have the env variable set…
  • l

    limited-rainbow-51650

    05/18/2020, 10:49 AM
    @broad-dog-22463 any idea here?
  • b

    broad-dog-22463

    05/18/2020, 10:51 AM
    When using GHA, I created a secret GCP_CREDENTIALS and the GCP provider read that
  • b

    broad-dog-22463

    05/18/2020, 10:51 AM
    https://github.com/pulumi/examples/blob/master/.github/workflows/ci.yml#L28
  • b

    broad-dog-22463

    05/18/2020, 10:52 AM
    FWIW, I also add the login
  • b

    broad-dog-22463

    05/18/2020, 10:52 AM
    https://github.com/pulumi/examples/blob/master/.github/workflows/ci.yml#L77