
Attach Service Account

Attach custom service account to GCE runners to give them default access

Prerequisites

Configure gcloud

This doc contains gcloud commands to help you set up the resources. Log in to Google Cloud with the command below, then follow the remaining gcloud steps.

gcloud auth login

Configure gcloud with the GCP project ID

gcloud config set project <your-project-id>

Service Account

Create a service account to attach directly to GCE if you haven't already.

gcloud iam service-accounts create "instance-sa" \
  --display-name="Instance Service Account"

Export the email address of the service account you just created as SA_EMAIL in your current terminal. The rest of this doc refers to that service account as SA_EMAIL.

export SA_EMAIL=<sa-email>

WarpBuild must have permission to attach this service account to the runners that we spin up. Grant that permission with an IAM policy binding on the service account:

gcloud iam service-accounts add-iam-policy-binding "${SA_EMAIL}" \
  --member="serviceAccount:${CREATOR_SA}" \
  --role="roles/iam.serviceAccountUser"

CREATOR_SA here is the service account we use to spin up the runners. You can find it on your BYOC page.

Attach additional service account policies

Right now the service account has no permissions, so workloads on the GCE instance cannot yet use it to go keyless. To enable that, add the policies your workloads need.

For example, to grant access to Cloud Storage buckets and Artifact Registry (PROJECT_ID is the project ID you configured above):

echo "🔐 Granting Storage Admin to ${SA_EMAIL} at project level..."
gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
  --member="serviceAccount:${SA_EMAIL}" \
  --role="roles/storage.admin"

echo "📦 Granting Artifact Registry Admin to ${SA_EMAIL} at project level..."
gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
  --member="serviceAccount:${SA_EMAIL}" \
  --role="roles/artifactregistry.admin"

Attach Service Account to the runners

Use the Service Account field on the runner edit page to configure your runners to run with this service account.

To validate, open your GCP project in the console and go to Compute Engine > 'runner-instance' > 'API and identity management' > 'Service account'. The value shown should match the service account you created.
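As an added example (not part of WarpBuild's docs), the same validation done from the CLI, plus a check that the bindings granted above are no broader than needed: it confirms CREATOR_SA holds roles/iam.serviceAccountUser on SA_EMAIL, lists any *.admin, owner or editor project roles on the runner service account (a read-only role such as roles/storage.objectViewer or roles/artifactregistry.reader is often enough), and compares the instance's attached account with SA_EMAIL. RUNNER_INSTANCE and ZONE are assumed names for your runner VM and its zone; the gcloud commands and --format strings are standard gcloud CLI options.

```shell
#!/usr/bin/env bash
# Added example, not WarpBuild's own tooling: verify the wiring from the CLI
# and flag over-broad project roles on the runner service account.
# Assumed environment: SA_EMAIL, CREATOR_SA, PROJECT_ID, RUNNER_INSTANCE, ZONE.
set -eu

# "role<TAB>member" lines, one per binding, for a project's IAM policy.
project_bindings() {
  gcloud projects get-iam-policy "$1" --flatten="bindings[].members" \
    --format="value(bindings.role,bindings.members)"
}

# Same shape for the policy set on the service account itself.
sa_bindings() {
  gcloud iam service-accounts get-iam-policy "$1" --flatten="bindings[].members" \
    --format="value(bindings.role,bindings.members)"
}

# has_binding BINDINGS ROLE MEMBER: succeed iff the exact role/member pair exists.
has_binding() {
  printf '%s\n' "$1" | awk -F'\t' -v r="$2" -v m="$3" '$1==r && $2==m {f=1} END {exit !f}'
}

# admin_roles BINDINGS MEMBER: print the member's roles that are broader than a
# runner usually needs (*.admin, owner, editor); prefer read-only roles where possible.
admin_roles() {
  printf '%s\n' "$1" | awk -F'\t' -v m="$2" \
    '$2==m && ($1 ~ /\.admin$/ || $1=="roles/owner" || $1=="roles/editor") {print $1}'
}

# Email of the service account attached to a GCE instance (the console check, via CLI).
attached_sa() {
  gcloud compute instances describe "$1" --zone "$2" --format="value(serviceAccounts[].email)"
}

main() {
  local sa_pol proj_pol
  sa_pol=$(sa_bindings "$SA_EMAIL")
  has_binding "$sa_pol" "roles/iam.serviceAccountUser" "serviceAccount:${CREATOR_SA}" ||
    { echo "MISSING: ${CREATOR_SA} lacks serviceAccountUser on ${SA_EMAIL}"; exit 1; }
  proj_pol=$(project_bindings "$PROJECT_ID")
  admin_roles "$proj_pol" "serviceAccount:${SA_EMAIL}" | sed 's/^/WARN broad role: /'
  [ "$(attached_sa "$RUNNER_INSTANCE" "$ZONE")" = "$SA_EMAIL" ] ||
    { echo "MISMATCH: ${RUNNER_INSTANCE} does not run as ${SA_EMAIL}"; exit 1; }
  echo "ok: ${RUNNER_INSTANCE} runs as ${SA_EMAIL}, attachable by ${CREATOR_SA}"
}

# Only run the live checks when the environment from this page has been exported.
if [ -n "${SA_EMAIL:-}" ]; then main; fi
```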
