Last active
March 27, 2020 11:10
-
-
Save ljulliar/a9fb8f95f487e023d0de9c62d796de6a to your computer and use it in GitHub Desktop.
Cloud Build decrypt roles (Photo Album on Google Cloud Run)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # set an env variable to make things more readable | |
| CB_SVC_ACCOUNT=xxx...xxx@cloudbuild.gserviceaccount.com | |
| # Grant Cloud Build the right to decrypt Rails master key | |
| $ gcloud kms keys add-iam-policy-binding rails_master_key --location=us-central1 \ | |
| --keyring=photo-album --member=serviceAccount:$CB_SVC_ACCOUNT \ | |
| --role=roles/cloudkms.cryptoKeyDecrypter | |
| # Grant Cloud Build the right to decrypt Rails the production database password | |
| $ gcloud kms keys add-iam-policy-binding db_pwd_key --location=us-central1 \ | |
| --keyring=photo-album --member=serviceAccount:$CB_SVC_ACCOUNT \ | |
| --role=roles/cloudkms.cryptoKeyDecrypter | |
| # Grant Cloud Build the right to decrypt the cloud runner service account credentials | |
| $ gcloud kms keys add-iam-policy-binding photo_album_runner_key --location=us-central1 \ | |
| --keyring=photo-album --member=serviceAccount:$CB_SVC_ACCOUNT \ | |
| --role=roles/cloudkms.cryptoKeyDecrypter | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi
$can be removed from L5 L10 L15