sparse-intern-71089
02/28/2023, 7:18 PM

best-summer-38252
03/01/2023, 4:40 AM
"roles/iam.serviceAccountUser" works just fine, but "roles/workflows.invoker" is not allowed. What is needed so the service account can invoke a workflow?
    if (!IAM_DEV_FLAG) {
      // Build an IAM policy document that binds each role to the given member.
      const getIAMPolicy = ({ roles, member }: { roles: string[]; member: string }) =>
        gcp.organizations.getIAMPolicy({
          bindings: roles.map((role) => ({
            members: [member],
            role,
          })),
        });

      // Attach the policy to the app service account once its member string is known.
      const appIAM = appSA.member.apply((member) =>
        getIAMPolicy({
          member,
          roles: [
            //"roles/run.invoker", // workflow to invoke dispatch in cloud run via HTTP
            //"roles/workflows.invoker", // cloud scheduler to invoke the workflow
            "roles/iam.serviceAccountUser", // a role that actually works from the pulumi docs
          ],
        }).then(
          (policy) =>
            new gcp.serviceaccount.IAMPolicy(kebabcase(APP_NAME + "-authz"), {
              serviceAccountId: appSA.name,
              policyData: policy.policyData,
            })
        )
      );
    }
eager-keyboard-30823
03/01/2023, 8:21 AM

eager-keyboard-30823
03/01/2023, 8:24 AM
gcp.projects.IAMMember (or `IAMPolicy`/`IAMBinding`). For the role on workflows, I'm actually not seeing anything in the gcp.workflows module, so not sure. That's typically how it works though, e.g. if you want to grant roles directly on a storage bucket, you'll be looking for IAM objects in gcp.storage, etc.

best-summer-38252
03/01/2023, 4:59 PM
    // Grant roles/run.invoker on the Cloud Run service itself.
    // Note: "allUsers" makes the service invokable by anyone, not just the workflow.
    const invoker = new gcp.cloudrun.IamMember("invoke-by-workflow-authz", {
      location: REGION,
      project: GCP_PROJECT.name,
      service: appService.name,
      role: "roles/run.invoker",
      member: "allUsers",
    });
But that does not exist on the Workflow. Apparently it's a bug (half-baked product, this is just the latest shortcoming).
• https://issuetracker.google.com/issues/221402255?pli=1
• https://github.com/hashicorp/terraform-provider-google/issues/12914
I think I'll just let Cloud Scheduler have the default service account for the project to invoke the workflow until WF has better IAM support.