@grant
Created May 16, 2021 16:40
A script that sets up Workflows IAM for a GitHub Action
#!/usr/bin/env bash
set -euo pipefail

# Store the active gcloud project ID as a GitHub Actions secret
PROJECT=$(gcloud config get-value project)
[ -n "$PROJECT" ] || { echo "No active gcloud project is set" >&2; exit 1; }
gh secret set GCP_PROJECT_ID -b "$PROJECT"

# Create the service account used by the workflow
SERVICE_ACCOUNT=my-wf-service-account
SA_EMAIL="$SERVICE_ACCOUNT@$PROJECT.iam.gserviceaccount.com"
gcloud iam service-accounts create "$SERVICE_ACCOUNT"

# Grant the roles at project level: Workflows Editor and Service Account User
gcloud projects add-iam-policy-binding "$PROJECT" \
  --member "serviceAccount:$SA_EMAIL" \
  --role "roles/workflows.editor"
gcloud projects add-iam-policy-binding "$PROJECT" \
  --member "serviceAccount:$SA_EMAIL" \
  --role "roles/iam.serviceAccountUser"

# Create service account key, upload it to GitHub, then delete it locally
# (the trap removes the key file even if a later command fails)
trap 'rm -f sa.json' EXIT
gcloud iam service-accounts keys create sa.json \
  --iam-account="$SA_EMAIL"
gh secret set GCP_SA_KEY < sa.json
rm -f sa.json