godev/cmd: add service account to cloud deployments

jamalc · jamalc · commit d440a241e134 · 2023-09-11T18:11:07.000Z
To increase the security of our Cloud Run services we use a dedicated service account and switch the cloud tasks service account to one with a limited set of permissions. Change-Id: Ia2730d9cabc79d1f3d134ea8eb3ffcf0b50ec125 Reviewed-on: https://go-review.googlesource.com/c/telemetry/+/524815 TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Jamal Carvalho <jamal@golang.org> Reviewed-by: Hyang-Ah Hana Kim <hyangah@gmail.com>
diff --git a/godev/cmd/telemetrygodev/cloudbuild.yaml b/godev/cmd/telemetrygodev/cloudbuild.yaml
@@ -36,6 +36,8 @@ steps:
       - "gcr.io/$PROJECT_ID/telemetrygodev:$COMMIT_SHA"
       - "--region"
       - "us-central1"
+      - "--service-account"
+      - "$_RUN_SERVICE_ACCOUNT"
       - "--set-env-vars"
       - "GO_TELEMETRY_PROJECT_ID=$PROJECT_ID,GO_TELEMETRY_ENV=$_ENV"
 images:
diff --git a/godev/cmd/worker/cloudbuild.yaml b/godev/cmd/worker/cloudbuild.yaml
@@ -36,12 +36,14 @@ steps:
       - "gcr.io/$PROJECT_ID/worker:$COMMIT_SHA"
       - "--region"
       - "us-central1"
+      - "--service-account"
+      - "$_RUN_SERVICE_ACCOUNT"
       - "--set-env-vars"
       - "GO_TELEMETRY_PROJECT_ID=$PROJECT_ID"
       - "--set-env-vars"
       - "GO_TELEMETRY_ENV=$_ENV"
       - "--set-env-vars"
-      - "GO_TELEMETRY_SERVICE_ACCOUNT=$_SERVICE_ACCOUNT"
+      - "GO_TELEMETRY_IAP_SERVICE_ACCOUNT=$_IAP_SERVICE_ACCOUNT"
       - "--set-env-vars"
       - "GO_TELEMETRY_CLIENT_ID=$_CLIENT_ID"
       - "--set-env-vars"
diff --git a/godev/cmd/worker/main.go b/godev/cmd/worker/main.go
@@ -112,7 +112,7 @@ func createHTTPTask(cfg *config.Config, url string) (*taskspb.Task, error) {
 					Url:        url,
 					AuthorizationHeader: &taskspb.HttpRequest_OidcToken{
 						OidcToken: &taskspb.OidcToken{
-							ServiceAccountEmail: cfg.ServiceAccount,
+							ServiceAccountEmail: cfg.IAPServiceAccount,
 							Audience:            cfg.ClientID,
 						},
 					},
diff --git a/godev/internal/config/config.go b/godev/internal/config/config.go
@@ -31,8 +31,8 @@ type Config struct {
 	// QueueID is the name of the queue for worker tasks.
 	QueueID string
 
-	// ServiceAccount is the service account used when queueing worker tasks.
-	ServiceAccount string
+	// IAPServiceAccount is the service account used when queueing worker tasks.
+	IAPServiceAccount string
 
 	// ClientID is the OAuth client used in authentication for queue tasks.
 	ClientID string
@@ -88,7 +88,7 @@ func NewConfig() *Config {
 		ProjectID:           env("GO_TELEMETRY_PROJECT_ID", ""),
 		LocationID:          env("GO_TELEMETRY_LOCATION_ID", ""),
 		QueueID:             environment + "-worker-tasks",
-		ServiceAccount:      env("GO_TELEMETRY_SERVICE_ACCOUNT", ""),
+		IAPServiceAccount:   env("GO_TELEMETRY_IAP_SERVICE_ACCOUNT", ""),
 		ClientID:            env("GO_TELEMETRY_CLIENT_ID", ""),
 		StorageEmulatorHost: env("GO_TELEMETRY_STORAGE_EMULATOR_HOST", "localhost:8081"),
 		LocalStorage:        env("GO_TELEMETRY_LOCAL_STORAGE", ".localstorage"),
