Try to use credentials rather than service account

SkyTruth · Oct 16, 2023 · 14cb662 · 14cb662
1 parent 3630572
commit 14cb662
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 4 deletions.
diff --git a/cerulean_cloud/cloud_function_ais_analysis/utils/ais.py b/cerulean_cloud/cloud_function_ais_analysis/utils/ais.py
@@ -25,7 +25,7 @@
 )
 
 credentials = Credentials.from_service_account_info(
-    json.loads(os.environ.get("AIS_CREDENTIALS"))
+    json.loads(os.environ.get("GOOGLE_APPLICATION_CREDENTIALS"))
 )
 
 

diff --git a/stack/cloud_function_ais_analysis.py b/stack/cloud_function_ais_analysis.py
@@ -3,7 +3,14 @@
 
 import database
 import pulumi
-from pulumi_gcp import cloudfunctions, cloudtasks, secretmanager, storage
+from pulumi_gcp import (
+    cloudfunctions,
+    cloudtasks,
+    projects,
+    secretmanager,
+    serviceaccount,
+    storage,
+)
 from utils import construct_name
 
 stack = pulumi.get_stack()
@@ -48,7 +55,7 @@
     "API_KEY": pulumi.Config("cerulean-cloud").require("apikey"),
     "IS_DRY_RUN": pulumi.Config("cerulean-cloud").require("dryrun_ais"),
     "BQ_PROJECT_ID": pulumi.Config("ais").require("project"),
-    "AIS_CREDENTIALS": service_account_secret.secret_data,
+    "GOOGLE_APPLICATION_CREDENTIALS": service_account_secret.secret_data,
 }
 
 # The Cloud Function source code itself needs to be zipped up into an
@@ -65,6 +72,22 @@
     source=archive,
 )
 
+# Assign access to cloud SQL
+cloud_function_service_account = serviceaccount.Account(
+    construct_name("cloud-function-ais"),
+    account_id=f"{stack}-cloud-function-ais",
+    display_name="Service Account for cloud function.",
+)
+
+cloud_function_service_account_iam = projects.IAMMember(
+    construct_name("cloud-function-ais-iam"),
+    project=pulumi.Config("gcp").require("project"),
+    role="projects/cerulean-338116/roles/cloudfunctionaisanalysisrole",
+    member=cloud_function_service_account.email.apply(
+        lambda email: f"serviceAccount:{email}"
+    ),
+)
+
 fxn = cloudfunctions.Function(
     function_name,
     name=function_name,
@@ -75,7 +98,7 @@
     source_archive_bucket=bucket.name,
     source_archive_object=source_archive_object.name,
     trigger_http=True,
-    service_account_email=pulumi.Config("ais").require("service-account"),
+    service_account_email=cloud_function_service_account.email,
     available_memory_mb=512,
 )
-Original file line number
+Diff line change
@@ Expand Up / @@ -25,7 +25,7 @@ @@
     )
     credentials = Credentials.from_service_account_info(
-        json.loads(os.environ.get("AIS_CREDENTIALS"))
+        json.loads(os.environ.get("GOOGLE_APPLICATION_CREDENTIALS"))
     )
@@ Expand Down @@