Update docs about role automatically granted to dataform SA

2024-03-02 13:24:51 +00:00 · 2024-03-02 13:24:51 +00:00 · ef19524b0b
parent 4aa08f63d3
commit ef19524b0b
2 changed files with 14 additions and 13 deletions
--- a/modules/project/README.md
+++ b/modules/project/README.md
@ -213,19 +213,20 @@ module "project" {

 This table lists all affected services and roles that you need to grant to service identities

-| service | service identity | role |
-|---|---|---|
-| apigee.googleapis.com | apigee | roles/apigee.serviceAgent |
-| artifactregistry.googleapis.com | artifactregistry | roles/artifactregistry.serviceAgent |
-| cloudasset.googleapis.com | cloudasset | roles/cloudasset.serviceAgent |
-| cloudbuild.googleapis.com | cloudbuild | roles/cloudbuild.builds.builder |
-| dataplex.googleapis.com | dataplex | roles/dataplex.serviceAgent |
-| dlp.googleapis.com | dlp | roles/dlp.serviceAgent |
-| gkehub.googleapis.com | fleet | roles/gkehub.serviceAgent |
-| meshconfig.googleapis.com | servicemesh | roles/anthosservicemesh.serviceAgent |
+| service                            | service identity     | role                                   |
+|------------------------------------|----------------------|----------------------------------------|
+| apigee.googleapis.com              | apigee               | roles/apigee.serviceAgent              |
+| artifactregistry.googleapis.com    | artifactregistry     | roles/artifactregistry.serviceAgent    |
+| cloudasset.googleapis.com          | cloudasset           | roles/cloudasset.serviceAgent          |
+| cloudbuild.googleapis.com          | cloudbuild           | roles/cloudbuild.builds.builder        |
+| dataform.googleapis.com            | dataform             | roles/dataform.serviceAgent            |
+| dataplex.googleapis.com            | dataplex             | roles/dataplex.serviceAgent            |
+| dlp.googleapis.com                 | dlp                  | roles/dlp.serviceAgent                 |
+| gkehub.googleapis.com              | fleet                | roles/gkehub.serviceAgent              |
+| meshconfig.googleapis.com          | servicemesh          | roles/anthosservicemesh.serviceAgent   |
 | multiclusteringress.googleapis.com | multicluster-ingress | roles/multiclusteringress.serviceAgent |
-| pubsub.googleapis.com | pubsub | roles/pubsub.serviceAgent |
-| sqladmin.googleapis.com | sqladmin | roles/cloudsql.serviceAgent |
+| pubsub.googleapis.com              | pubsub               | roles/pubsub.serviceAgent              |
+| sqladmin.googleapis.com            | sqladmin             | roles/cloudsql.serviceAgent            |

 ## Shared VPC

--- a/modules/project/service-agents.yaml
+++ b/modules/project/service-agents.yaml
@ -146,7 +146,7 @@
  service_agent: "service-%s@dataflow-service-producer-prod.iam.gserviceaccount.com"
 - name: "dataform"
  service_agent: "service-%s@gcp-sa-dataform.iam.gserviceaccount.com"
-  jit: true
+  jit: true  # roles/dataform.serviceAgent
 - name: "datafusion"
  service_agent: "service-%s@gcp-sa-datafusion.iam.gserviceaccount.com"
 - name: "datalabeling"