Attach Service Account
Attach a custom service account to GCE runners to give them default access
Prerequisites
Configure gcloud
This doc contains gcloud commands to help you set up the resources. Log in to Google Cloud with the gcloud CLI and follow the gcloud steps.
Configure gcloud with the GCP project ID
Service Account
Create a service account to attach directly to GCE if you haven't already.
Set the service account as SA_EMAIL in your current terminal. We'll refer to the service account created above as SA_EMAIL from here on.
WarpBuild must have permissions to pass this service account to the runners that we spin up. For this you must establish a policy.
The CREATOR_SA here is the service account we use to spin up the runners. You can find this in your BYOC page.
Attach additional service account policies
Right now the service account doesn't have any permissions, so there is nothing it can use to go keyless from the GCE instance. To change that, you must add some policies.
For example, if you want to access the buckets and artifact registry you can do
Attach Service Account to the runners
Use the Service Account field in the runner edit page to configure your runners to run with this service account.
To validate, check the console page of your GCP project > Compute Engine > 'runner-instance' > Under 'API and identity management' > Check 'Service account'. This should have the same value as the service account that you created.
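The steps above as one script, added here as an example and not WarpBuild's own commands. It assumes roles/iam.serviceAccountUser as the role that lets CREATOR_SA pass the service account, and read-only roles for buckets and Artifact Registry; the function names and the dry-run switch are hypothetical.

```shell
#!/bin/sh
# Added example, not WarpBuild's own commands; function names are hypothetical.
# DRY_RUN=1 (the default) prints each gcloud command instead of running it.
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# GCP service account e-mail format: NAME@PROJECT_ID.iam.gserviceaccount.com
sa_email() {  # $1 = service account name, $2 = project ID
  echo "$1@$2.iam.gserviceaccount.com"
}

create_sa() {  # $1 = service account name, $2 = project ID
  run gcloud iam service-accounts create "$1" --project "$2"
}

# Let CREATOR_SA pass (act as) this one service account, not every SA in the project.
allow_pass() {  # $1 = SA_EMAIL, $2 = CREATOR_SA; the role is an assumption
  run gcloud iam service-accounts add-iam-policy-binding "$1" \
    --member "serviceAccount:$2" --role roles/iam.serviceAccountUser
}

# Grant the runner identity one project-level role.
grant_role() {  # $1 = project ID, $2 = SA_EMAIL, $3 = role
  run gcloud projects add-iam-policy-binding "$1" \
    --member "serviceAccount:$2" --role "$3" --condition=None
}

# CLI equivalent of the console check: which service account the VM runs as.
attached_sa() {  # $1 = instance name, $2 = zone
  run gcloud compute instances describe "$1" --zone "$2" \
    --format 'value(serviceAccounts[].email)'
}

# Whole procedure; the two read-only roles are assumptions (least privilege).
setup_runner_sa() {  # $1 = project ID, $2 = SA name, $3 = CREATOR_SA
  SA_EMAIL=$(sa_email "$2" "$1")
  create_sa "$2" "$1" &&
  allow_pass "$SA_EMAIL" "$3" &&
  grant_role "$1" "$SA_EMAIL" roles/storage.objectViewer &&
  grant_role "$1" "$SA_EMAIL" roles/artifactregistry.reader
}
```

Review the printed commands from setup_runner_sa first, then set DRY_RUN=0 to apply them with an authenticated gcloud.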