Cloud Build decrypt roles (Photo Album on Google Cloud Run)
# Set an env variable to make things more readable
CB_SVC_ACCOUNT=xxx...xxx@cloudbuild.gserviceaccount.com

# Grant Cloud Build the right to decrypt the Rails master key
gcloud kms keys add-iam-policy-binding rails_master_key --location=us-central1 \
  --keyring=photo-album --member="serviceAccount:$CB_SVC_ACCOUNT" \
  --role=roles/cloudkms.cryptoKeyDecrypter

# Grant Cloud Build the right to decrypt the Rails production database password
gcloud kms keys add-iam-policy-binding db_pwd_key --location=us-central1 \
  --keyring=photo-album --member="serviceAccount:$CB_SVC_ACCOUNT" \
  --role=roles/cloudkms.cryptoKeyDecrypter

# Grant Cloud Build the right to decrypt the Cloud Run runner service account credentials
gcloud kms keys add-iam-policy-binding photo_album_runner_key --location=us-central1 \
  --keyring=photo-album --member="serviceAccount:$CB_SVC_ACCOUNT" \
  --role=roles/cloudkms.cryptoKeyDecrypter