Merge pull request #77 from kevinsunny1996/build/add_job_creator_role
Add the BigQuery job creator role and remove the Secret Manager role
kevinsunny1996 authored Apr 2, 2024
2 parents 50fea3d + 5c96b89 commit 99b27bf
Showing 1 changed file with 2 additions and 28 deletions.
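--- a/terraform/service_accounts.tf
+++ b/terraform/service_accounts.tf
@@ -1,29 +1,3 @@
-# #####################################################################################################################
-# # The following resource blocks does the following:
-# # - Create a custom service account for Cloud Composer
-# # - Bind the custom SA to worker role
-# # - Add the Service Agent account as a new principal to workspace account and grant it the Service Agent role
-# # - Read more on : https://cloud.google.com/composer/docs/composer-2/terraform-create-environments
-# #####################################################################################################################
-# resource "google_service_account" "custom_composer_account" {
-# account_id = "composer-sa"
-# display_name = "Custom Service Account for Cloud Composer V2"
-# }
-
-# resource "google_project_iam_member" "composer_worker" {
-# project = local.id
-# member = format("serviceAccount:%s", google_service_account.custom_composer_account.email)
-# # Roles for Public IP environments
-# role = "roles/composer.worker"
-# }
-
-# resource "google_service_account_iam_member" "composer_agent" {
-# service_account_id = google_service_account.custom_composer_account.name
-# role = "roles/composer.ServiceAgentV2Ext"
-# member = "serviceAccount:service-${local.number}@cloudcomposer-accounts.iam.gserviceaccount.com"
-# }
-
-
 resource "google_service_account" "airflow_user_sa" {
 account_id = "airflow-user-sa"
 display_name = "Custom Service Account for Astro Airflow User"
@@ -42,8 +16,8 @@ resource "google_project_iam_binding" "bq_access" {
 members = ["serviceAccount:${google_service_account.airflow_user_sa.email}"]
 }
 
-resource "google_project_iam_binding" "gsm_access" {
+resource "google_project_iam_binding" "bq_job_creator" {
 project = local.id
-role = "roles/secretmanager.secretAccessor"
+role = "roles/bigquery.jobUser"
 members = ["serviceAccount:${google_service_account.airflow_user_sa.email}"]
 }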
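Review bot: `google_project_iam_binding` is authoritative for the role it names, so the new `bq_job_creator` block makes `airflow_user_sa` the only principal allowed to hold `roles/bigquery.jobUser` on the project and will strip it from any other principal on the next apply; the `bq_access` binding just above, whose body starts outside the hunk, has the same property. If other principals hold or may later need that role, a non-authoritative `google_project_iam_member` (`role = "roles/bigquery.jobUser"`, `member = "serviceAccount:${google_service_account.airflow_user_sa.email}"`) is the safer choice, or the intent should be recorded in a comment on the block, e.g. `# Authoritative: only airflow_user_sa may hold bigquery.jobUser in this project`. Deleting `gsm_access` means apply revokes `roles/secretmanager.secretAccessor` from the SA; presumably nothing in the Airflow deployment still reads Secret Manager with it, but that is worth confirming since the failure would only appear at runtime.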
