
Commit 2eb056c

committed
grant IAM roles to use dead-letter topics
1 parent b717ffc commit 2eb056c


4 files changed

+18
-3
lines changed


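--- a/broker/cloud_run/lsst/classify_snn/deploy.sh
+++ b/broker/cloud_run/lsst/classify_snn/deploy.sh
@@ -11,8 +11,9 @@ teardown="${2:-False}"
 survey="${3:-lsst}"
 region="${4:-us-central1}"
 # get the environment variable
-PROJECT_ID=$GOOGLE_CLOUD_PROJECT
 BASE_DIR=$(pwd)
+PROJECT_ID=$GOOGLE_CLOUD_PROJECT
+PROJECT_NUMBER=$(gcloud projects describe "$PROJECT_ID" --format="value(projectNumber)")
 
 MODULE_NAME="supernnova" # lower case required by cloud run
 ROUTE_RUN="/" # url route that will trigger main.run()
@@ -37,6 +38,7 @@ ps_input_subscrip=$(define_GCP_resources "${survey}-SuperNNova") # pub/sub subsc
 ps_output_topic=$(define_GCP_resources "${survey}-SuperNNova")
 ps_trigger_topic=$(define_GCP_resources "${survey}-lite")
 runinvoker_svcact="cloud-run-invoker@${PROJECT_ID}.iam.gserviceaccount.com"
+service_account="service-${PROJECT_NUMBER}@gcp-sa-pubsub.iam.gserviceaccount.com"
 # topics and subscriptions involved in writing data to BigQuery
 ps_bigquery_subscription=$(define_GCP_resources "${survey}-${MODULE_NAME}-bigquery-import")
 ps_deadletter_topic=$(define_GCP_resources "${survey}-deadletter")
@@ -69,6 +71,7 @@ else
 user="allUsers"
 roleid="roles/pubsub.subscriber"
 gcloud pubsub topics add-iam-policy-binding "${ps_output_topic}" --member="${user}" --role="${roleid}"
+gcloud pubsub subscriptions add-iam-policy-binding "${ps_bigquery_subscription}" --member="serviceAccount:${service_account}" --role="${roleid}"
 fi
 
 #--- Deploy Cloud Run service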
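Review bot: `PROJECT_NUMBER` is taken from `gcloud projects describe` without checking that it came back non-empty, and `service_account` is built from it a few lines later. If `GOOGLE_CLOUD_PROJECT` is unset or the lookup fails, the member becomes `serviceAccount:service-@gcp-sa-pubsub.iam.gserviceaccount.com` and the grant is rejected; whether the script stops at that point depends on shell options that are not visible in this section. I would add `: "${PROJECT_NUMBER:?could not resolve project number for ${PROJECT_ID}}"` right after the assignment. The added binding in the `else` branch also takes its role from `${roleid}`, which was set for the `allUsers` grant on the line above; spelling it out as `--role="roles/pubsub.subscriber"`, as setup_broker.sh does, keeps the service agent's role from following later edits to the public binding. The same two points apply to classify_upsilon/deploy.sh and variability/deploy.sh.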

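--- a/broker/cloud_run/lsst/classify_upsilon/deploy.sh
+++ b/broker/cloud_run/lsst/classify_upsilon/deploy.sh
@@ -11,8 +11,9 @@ teardown="${2:-False}"
 survey="${3:-lsst}"
 region="${4:-us-central1}"
 # get the environment variable
-PROJECT_ID=$GOOGLE_CLOUD_PROJECT
 BASE_DIR=$(pwd)
+PROJECT_ID=$GOOGLE_CLOUD_PROJECT
+PROJECT_NUMBER=$(gcloud projects describe "$PROJECT_ID" --format="value(projectNumber)")
 
 MODULE_NAME="upsilon" # lower case required by cloud run
 ROUTE_RUN="/" # url route that will trigger main.run()
@@ -37,6 +38,7 @@ ps_input_subscrip=$(define_GCP_resources "${survey}-upsilon") # pub/sub subscrip
 ps_output_topic=$(define_GCP_resources "${survey}-upsilon")
 ps_trigger_topic=$(define_GCP_resources "${survey}-lite")
 runinvoker_svcact="cloud-run-invoker@${PROJECT_ID}.iam.gserviceaccount.com"
+service_account="service-${PROJECT_NUMBER}@gcp-sa-pubsub.iam.gserviceaccount.com"
 # topics and subscriptions involved in writing data to BigQuery
 ps_bigquery_subscription=$(define_GCP_resources "${survey}-${MODULE_NAME}-bigquery-import")
 ps_deadletter_topic=$(define_GCP_resources "${survey}-deadletter")
@@ -70,6 +72,7 @@ else
 user="allUsers"
 roleid="roles/pubsub.subscriber"
 gcloud pubsub topics add-iam-policy-binding "${ps_output_topic}" --member="${user}" --role="${roleid}"
+gcloud pubsub subscriptions add-iam-policy-binding "${ps_bigquery_subscription}" --member="serviceAccount:${service_account}" --role="${roleid}"
 fi
 
 #--- Deploy Cloud Run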

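--- a/broker/cloud_run/lsst/variability/deploy.sh
+++ b/broker/cloud_run/lsst/variability/deploy.sh
@@ -11,8 +11,9 @@ teardown="${2:-False}"
 survey="${3:-lsst}"
 region="${4:-us-central1}"
 # get the environment variable
-PROJECT_ID=$GOOGLE_CLOUD_PROJECT
 BASE_DIR=$(pwd)
+PROJECT_ID=$GOOGLE_CLOUD_PROJECT
+PROJECT_NUMBER=$(gcloud projects describe "$PROJECT_ID" --format="value(projectNumber)")
 
 MODULE_NAME="variability" # lower case required by cloud run
 ROUTE_RUN="/" # url route that will trigger main.run()
@@ -37,6 +38,7 @@ ps_input_subscrip=$(define_GCP_resources "${survey}-${MODULE_NAME}") # pub/sub s
 ps_output_topic=$(define_GCP_resources "${survey}-${MODULE_NAME}")
 ps_trigger_topic=$(define_GCP_resources "${survey}-lite")
 runinvoker_svcact="cloud-run-invoker@${PROJECT_ID}.iam.gserviceaccount.com"
+service_account="service-${PROJECT_NUMBER}@gcp-sa-pubsub.iam.gserviceaccount.com"
 # topics and subscriptions involved in writing data to BigQuery
 ps_bigquery_subscription=$(define_GCP_resources "${survey}-${MODULE_NAME}-bigquery-import")
 ps_deadletter_topic=$(define_GCP_resources "${survey}-deadletter")
@@ -69,6 +71,7 @@ else
 user="allUsers"
 roleid="roles/pubsub.subscriber"
 gcloud pubsub topics add-iam-policy-binding "${ps_output_topic}" --member="${user}" --role="${roleid}"
+gcloud pubsub subscriptions add-iam-policy-binding "${ps_bigquery_subscription}" --member="serviceAccount:${service_account}" --role="${roleid}"
 fi
 
 #--- Deploy Cloud Run service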

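--- a/broker/setup_broker/lsst/setup_broker.sh
+++ b/broker/setup_broker/lsst/setup_broker.sh
@@ -152,6 +152,12 @@ manage_resources() {
 gcloud pubsub topics add-iam-policy-binding "${ps_topic_alerts}" --member="${user}" --role="${roleid}"
 gcloud pubsub topics add-iam-policy-binding "${ps_topic_alerts_json}" --member="${user}" --role="${roleid}"
 gcloud pubsub topics add-iam-policy-binding "${ps_topic_alerts_lite}" --member="${user}" --role="${roleid}"
+gcloud pubsub topics add-iam-policy-binding "${ps_deadletter_topic}" \
+--member="serviceAccount:${service_account}" \
+--role="roles/pubsub.publisher"
+gcloud pubsub subscriptions add-iam-policy-binding "${ps_bigquery_subscription}" \
+--member="serviceAccount:${service_account}" \
+--role="roles/pubsub.subscriber"
 fi
 
 #--- Create Artifact Registry Repository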
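Review bot: Both new bindings use `${service_account}`, but none of the six lines added to this file defines it, whereas the deploy.sh files in this commit derive it from `PROJECT_NUMBER`. If it is not already assigned earlier in setup_broker.sh, the member expands to `serviceAccount:` and both grants fail, leaving the Pub/Sub service agent without the publisher and subscriber roles that dead-lettering relies on. manage_resources starts and ends outside this hunk, so the assignment may simply be out of view; please confirm it, or guard the bindings with `: "${service_account:?Pub/Sub service agent is not set}"`. A short comment above the two calls, such as `# Pub/Sub service agent: publisher on the dead-letter topic, subscriber on the source subscription`, would also record why a Google-managed account is granted roles here.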
