# Service accounts to provision, one tuple per account:
#   (pulumi resource name, GCP account_id, display_name, project roles to grant)
#
# NOTE(review): "roles/storage.admin" appears in BOTH entries. Each account gets
# its own IAMBinding for that role (see bindToRole), and an IAMBinding owns the
# full member list of a role, so the two bindings overwrite each other on every
# run. Also, roles/container.admin already covers broad cluster control; check
# whether the extra container roles and project-wide storage.admin are actually
# needed (least privilege).
serviceAccounts = [
    (
        "droneci",
        "droneci",
        "Drone Service Account",
        ["roles/storage.admin"],
    ),
    (
        "spinnaker",
        "spinnaker",
        "Spinnaker Service Account",
        [
            "roles/container.admin",
            "roles/container.clusterAdmin",
            "roles/container.developer",
            "roles/storage.admin",
        ],
    ),
]
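def bindToRole(name: str, sa: Account, args: Optional[dict] = None):
    """Create one IAMBinding per role in ``args["roles"]`` for service account ``sa``.

    Each binding is named ``f"{name}-{i}"`` (``i`` = index in the roles list)
    and has the service account's email as its only member.

    Args:
        name: Prefix for the generated IAMBinding resource names.
        sa: Service account whose ``email`` output is granted the roles.
        args: Mapping with ``"project"`` (target GCP project id) and
            ``"roles"`` (list of role names). It is required; the ``None``
            default exists only for backward compatibility with callers.

    Raises:
        ValueError: If ``args`` is ``None``.
        KeyError: If ``args`` lacks ``"roles"`` or ``"project"``.

    NOTE(review): an IAMBinding is authoritative for the whole member list of
    a role in the project. Two bindings for the same role — e.g. both
    droneci and spinnaker bound to roles/storage.admin — replace each
    other's members on every run, which is the churn visible in the refresh
    diff. Either create a single binding per role listing every member, or
    use the per-member ``IAMMember`` resource instead.
    """
    if args is None:
        # The original signature allowed None but then indexed it (TypeError);
        # fail with a clear message instead.
        raise ValueError("bindToRole requires args with 'project' and 'roles'")
    roles = args["roles"]
    project = args["project"]
    # Build the member string once; Output.apply resolves the email lazily.
    member = sa.email.apply(lambda email: f"serviceAccount:{email}")
    for i, role in enumerate(roles):
        IAMBinding(
            f"{name}-{i}",
            members=[member],
            project=project,
            role=role,
        )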
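# The target project is the same for every account; read it once.
gcp_project = conf.get("project")

for saName, saId, saDesc, saRoles in serviceAccounts:
    sa = Account(
        saName, project=gcp_project, account_id=saId, display_name=saDesc
    )
    # NOTE(review): this creates a separate IAMBinding per (account, role).
    # An IAMBinding owns a role's complete member list, so accounts that share
    # a role (roles/storage.admin is in both entries) flip the binding between
    # them on every run — see the refresh diff below. Group members per role
    # and create one binding per role, or use IAMMember, to stop the churn.
    bindToRole(
        f"{saName}-roleBinding", sa, {"project": gcp_project, "roles": saRoles}
    )
    saKey = util.createServiceAccountKey(f"{saName}-key", sa)
    # NOTE(review): the private key and client secret are exported as stack
    # outputs. Confirm util.createServiceAccountKey returns a secret Output
    # (otherwise wrap with pulumi.Output.secret) so they are encrypted in state
    # and masked in CLI output.
    export(name=f"{saName}-serviceAccount-key", value=saKey)
    export(name=f"{saName}-serviceAccount-secret", value=util.clientSecret(saKey))
    export(name=f"{saName}-serviceAccount-email", value=sa.email)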
and this is an example of the changes it tries to make every time I run this:
~ gcp:projects/iAMBinding:IAMBinding: (refresh)
[id=my-project/roles/storage.admin]
[urn=urn:pulumi:dev::my-stack::gcp:projects/iAMBinding:IAMBinding::spinnaker-roleBinding-3]
[provider=urn:pulumi:dev::my stack::pulumi:providers:gcp::default_4_17_0::620feff3-c68d-4f3f-b35d-715c080f8b7d]
--outputs:--
~ etag : "BwW/YsjdngI=" => "BwW/YucGdm0="
~ members : [
~ [0]: "serviceAccount:spinnaker@my-project.iam.gserviceaccount.com" => "serviceAccount:droneci@my-project.iam.gserviceaccount.com"
]
any idea why this might be happening?