Move Cloud Build deploy trigger to the purpose-built build_system service account #366

Description

@glassBead-tc

From Greptile review of #365: the mcp_deploy Cloud Build trigger runs as the default Compute Engine SA (broad permissions). iam.tf already provisions build_system_sa described as the CI/CD identity, but it is unused by this trigger.

Unit of work (least-privilege rollout, needs testing — not a drive-by):

  1. Grant build_system_sa: roles/artifactregistry.writer on cloud-run-source-deploy, roles/run.developer on thoughtbox-mcp, roles/iam.serviceAccountUser on agent-runner-sa (runtime SA), roles/logging.logWriter.
  2. Switch google_cloudbuild_trigger.mcp_deploy.service_account to google_service_account.build_system.id.
  3. Verify a push-to-main build deploys end-to-end, then confirm no residual grants needed.

Context: infra/gcp/mcp-service.tf (SPEC-V1-INITIATIVE Phase 1.1); the trigger config notes this with a comment.

🤖 Generated with Claude Code
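The three steps above, written out as Terraform. This is an added example and not code from the repository's infra/gcp/*.tf files; var.project_id, var.region, the resource name google_service_account.agent_runner for the runtime SA, and the GitHub owner/repo placeholders are assumptions, while the SA, repository, service and role names are the ones the issue lists.

```hcl
# Added example, not the project's own mcp-service.tf or iam.tf.
# Assumed (not from the issue): var.project_id, var.region, and that the
# runtime SA agent-runner-sa is managed here as google_service_account.agent_runner.

locals {
  build_sa_member = "serviceAccount:${google_service_account.build_system.email}"
}

# Step 1a: push images to the one Artifact Registry repo the deploy uses,
# rather than a project-wide artifactregistry grant.
resource "google_artifact_registry_repository_iam_member" "build_system_ar_writer" {
  project    = var.project_id
  location   = var.region
  repository = "cloud-run-source-deploy"
  role       = "roles/artifactregistry.writer"
  member     = local.build_sa_member
}

# Step 1b: create new revisions of this single Cloud Run service.
resource "google_cloud_run_v2_service_iam_member" "build_system_run_developer" {
  project  = var.project_id
  location = var.region
  name     = "thoughtbox-mcp"
  role     = "roles/run.developer"
  member   = local.build_sa_member
}

# Step 1c: act as the runtime SA so the deploy can attach it to the revision.
# Bound on that SA only, not at project level, so the build cannot impersonate
# any other service account in the project.
resource "google_service_account_iam_member" "build_system_actas_runtime" {
  service_account_id = google_service_account.agent_runner.name
  role               = "roles/iam.serviceAccountUser"
  member             = local.build_sa_member
}

# Step 1d: write build logs. Needed once the trigger no longer runs as the
# default Compute Engine SA, which carried this implicitly.
resource "google_project_iam_member" "build_system_log_writer" {
  project = var.project_id
  role    = "roles/logging.logWriter"
  member  = local.build_sa_member
}

# Step 2: run the trigger as the purpose-built SA. The github block uses
# placeholder values; the real trigger keeps its existing source settings.
resource "google_cloudbuild_trigger" "mcp_deploy" {
  name     = "mcp-deploy"
  filename = "cloudbuild.yaml"

  github {
    owner = "OWNER_PLACEHOLDER"
    name  = "REPO_PLACEHOLDER"
    push {
      branch = "^main$"
    }
  }

  # id is the full resource name projects/{project}/serviceAccounts/{email},
  # which is the format the service_account argument expects.
  service_account = google_service_account.build_system.id

  # Order the grants before the trigger switch so the first build after
  # apply does not fail on a binding that has not been created yet.
  depends_on = [
    google_artifact_registry_repository_iam_member.build_system_ar_writer,
    google_cloud_run_v2_service_iam_member.build_system_run_developer,
    google_service_account_iam_member.build_system_actas_runtime,
    google_project_iam_member.build_system_log_writer,
  ]
}
```

Two things to check during step 3. Cloud Build rejects a build that runs as a user-specified service account unless the build's options set logging to CLOUD_LOGGING_ONLY or name a logs bucket the SA can write to, so cloudbuild.yaml needs that option alongside the roles/logging.logWriter grant. After a push to main, `gcloud builds describe BUILD_ID --format='value(serviceAccount)'` should print the build_system email rather than the Compute Engine default; any grant still missing shows up as a PERMISSION_DENIED in the failing step's log, which is the signal for whether residual grants are needed.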
