Notes on running the API every day
Besides the changes made in "Run api-tools daily on google cloud" by TyHil (Pull Request #54, UTDNebula/api-tools) and creating the service accounts, the Artifact Registry repo, and maybe something else, here are all the Google Cloud Console pages I used and the commands I ran.
Pages
You may need to change authuser=2 in these URLs to match your own Google account.
Jobs: https://console.cloud.google.com/run/jobs?project=api-tools-451421&authuser=2
Service Accounts: https://console.cloud.google.com/iam-admin/serviceaccounts?authuser=2&project=api-tools-451421
Workload Identity: https://console.cloud.google.com/iam-admin/workload-identity-pools?authuser=2&orgonly=true&project=api-tools-451421&supportedpurview=organizationId
Artifact registry: https://console.cloud.google.com/artifacts/docker/api-tools-451421/us-central1/runners?authuser=2&project=api-tools-451421
Secrets: https://console.cloud.google.com/security/secret-manager?authuser=2&project=api-tools-451421
Commands
Run these from the api-tools directory.
Create the secrets in Google Secret Manager
gcloud secrets create env-prod --data-file=.env
gcloud secrets create env-dev --data-file=.env
Build the Docker image and upload it to Artifact Registry
gcloud builds submit --tag us-central1-docker.pkg.dev/api-tools-451421/runners/daily-update-events .
Deploy the built image as Cloud Run jobs (prod and dev)
gcloud run jobs deploy daily-update-events-prod --image us-central1-docker.pkg.dev/api-tools-451421/runners/daily-update-events --tasks 1 --max-retries 5 --region us-central1 --project=api-tools-451421
gcloud run jobs deploy daily-update-events-dev --image us-central1-docker.pkg.dev/api-tools-451421/runners/daily-update-events --tasks 1 --max-retries 5 --region us-central1 --project=api-tools-451421
Allow the env-accessor service account to access the secrets
gcloud secrets add-iam-policy-binding env-prod --member=serviceAccount:env-accessor@api-tools-451421.iam.gserviceaccount.com --role=roles/secretmanager.secretAccessor
gcloud secrets add-iam-policy-binding env-dev --member=serviceAccount:env-accessor@api-tools-451421.iam.gserviceaccount.com --role=roles/secretmanager.secretAccessor
Allow default compute account access to env-accessor service account
gcloud secrets add-iam-policy-binding env-accessor --member=serviceAccount:762526944259-compute@developer.gserviceaccount.com --role=roles/secretmanager.secretAccessor
Set up a WIF pool and OIDC provider to authenticate the GitHub Action (the attribute condition limits it to pushes to the develop branch of UTDNebula/api-tools)
gcloud iam workload-identity-pools create "pool" --project="api-tools-451421" --location="global" --display-name="Pool"
gcloud iam workload-identity-pools providers create-oidc "github-deploy" --project="api-tools-451421" --location="global" --workload-identity-pool="pool" --display-name="GitHub deploy provider" --attribute-mapping="google.subject=assertion.sub,attribute.repository_owner=assertion.repository_owner,attribute.repository=assertion.repository,attribute.ref=assertion.ref" --attribute-condition="assertion.repository_owner == 'UTDNebula' && assertion.repository == 'UTDNebula/api-tools' && assertion.ref== 'refs/heads/develop'" --issuer-uri="https://token.actions.githubusercontent.com"
Allow the GitHub Action to impersonate the github-deploy service account, and allow github-deploy to impersonate the default compute service account that the Cloud Run jobs run as
gcloud iam service-accounts add-iam-policy-binding "github-deploy@api-tools-451421.iam.gserviceaccount.com" --project="api-tools-451421" --role="roles/iam.workloadIdentityUser" --member="principalSet://iam.googleapis.com/projects/762526944259/locations/global/workloadIdentityPools/pool/attribute.repository/UTDNebula/api-tools"
gcloud iam service-accounts add-iam-policy-binding 762526944259-compute@developer.gserviceaccount.com --member="serviceAccount:github-deploy@api-tools-451421.iam.gserviceaccount.com" --role="roles/iam.serviceAccountUser"
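As an added check that is not part of the original notes: this script re-expresses the provider's attribute mapping, its attribute condition, and the principalSet binding above in Python, then runs constructed (unsigned) GitHub OIDC claims through them so you can see which tokens would be allowed to impersonate github-deploy (a push to develop) and which are rejected (a pull-request merge ref, a fork that happens to share the repo name). The project number, pool name, and binding member are taken from the commands above; the sample tokens are constructed here.

```python
import base64
import json

# Values from the gcloud commands above.
PROJECT_NUMBER = "762526944259"
POOL = "pool"
# --attribute-mapping: WIF attribute name -> GitHub OIDC claim it is copied from.
ATTRIBUTE_MAPPING = {"repository_owner": "repository_owner",
                     "repository": "repository", "ref": "ref"}
# Member granted roles/iam.workloadIdentityUser on github-deploy above.
BINDING_MEMBER = (f"principalSet://iam.googleapis.com/projects/{PROJECT_NUMBER}/locations/global"
                  f"/workloadIdentityPools/{POOL}/attribute.repository/UTDNebula/api-tools")

def attribute_condition(attr):
    """The provider's --attribute-condition, re-expressed in Python."""
    return (attr["repository_owner"] == "UTDNebula"
            and attr["repository"] == "UTDNebula/api-tools"
            and attr["ref"] == "refs/heads/develop")

def decode_payload(jwt):
    """Read a JWT's claims without verifying it: Google checks the signature against
    the issuer; this helper only shows what the claims would map to."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def principal_sets(claims):
    """Apply the mapping, then the condition. Returns every principalSet identifier
    the token matches, or [] when the condition rejects it."""
    attr = {name: claims[claim] for name, claim in ATTRIBUTE_MAPPING.items()}
    if not attribute_condition(attr):
        return []
    base = (f"principalSet://iam.googleapis.com/projects/{PROJECT_NUMBER}"
            f"/locations/global/workloadIdentityPools/{POOL}")
    return [f"{base}/attribute.{name}/{value}" for name, value in attr.items()]

def can_impersonate_github_deploy(jwt):
    """True only if the token passes the condition AND maps to the bound principalSet."""
    return BINDING_MEMBER in principal_sets(decode_payload(jwt))

def fake_github_token(repository, ref):
    """Constructed, unsigned token carrying the claims GitHub Actions puts in a real one."""
    claims = {"iss": "https://token.actions.githubusercontent.com", "sub": f"repo:{repository}:ref:{ref}",
              "repository": repository, "repository_owner": repository.split("/")[0], "ref": ref}
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.sig"

if __name__ == "__main__":
    print(can_impersonate_github_deploy(fake_github_token("UTDNebula/api-tools", "refs/heads/develop")))  # True
    print(can_impersonate_github_deploy(fake_github_token("UTDNebula/api-tools", "refs/pull/12/merge")))  # False
    print(can_impersonate_github_deploy(fake_github_token("someone/api-tools", "refs/heads/develop")))  # False
```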