From ef19524b0bb7fd307eb3878d1e872bfddd9ef659 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wiktor=20Niesiob=C4=99dzki?=
Date: Sat, 2 Mar 2024 13:24:51 +0000
Subject: [PATCH] Update docs about role automatically granted to dataform SA
---
modules/project/README.md | 25 +++++++++++++------------
modules/project/service-agents.yaml | 2 +-
2 files changed, 14 insertions(+), 13 deletions(-)
diff --git a/modules/project/README.md b/modules/project/README.md
index d566445d..fd3f35bc 100644
--- a/modules/project/README.md
+++ b/modules/project/README.md
@@ -213,19 +213,20 @@ module "project" { This table lists all affected services and roles that you need to grant to service identities -| service | service identity | role | -|---|---|---| -| apigee.googleapis.com | apigee | roles/apigee.serviceAgent | -| artifactregistry.googleapis.com | artifactregistry | roles/artifactregistry.serviceAgent | -| cloudasset.googleapis.com | cloudasset | roles/cloudasset.serviceAgent | -| cloudbuild.googleapis.com | cloudbuild | roles/cloudbuild.builds.builder | -| dataplex.googleapis.com | dataplex | roles/dataplex.serviceAgent | -| dlp.googleapis.com | dlp | roles/dlp.serviceAgent | -| gkehub.googleapis.com | fleet | roles/gkehub.serviceAgent | -| meshconfig.googleapis.com | servicemesh | roles/anthosservicemesh.serviceAgent | +| service | service identity | role | +|------------------------------------|----------------------|----------------------------------------| +| apigee.googleapis.com | apigee | roles/apigee.serviceAgent | +| artifactregistry.googleapis.com | artifactregistry | roles/artifactregistry.serviceAgent | +| cloudasset.googleapis.com | cloudasset | roles/cloudasset.serviceAgent | +| cloudbuild.googleapis.com | cloudbuild | roles/cloudbuild.builds.builder | +| dataform.googleapis.com | dataform | roles/dataform.serviceAgent | +| dataplex.googleapis.com | dataplex | roles/dataplex.serviceAgent | +| dlp.googleapis.com | dlp | roles/dlp.serviceAgent | +| gkehub.googleapis.com | fleet | roles/gkehub.serviceAgent | +| meshconfig.googleapis.com | servicemesh | roles/anthosservicemesh.serviceAgent | | multiclusteringress.googleapis.com | multicluster-ingress | roles/multiclusteringress.serviceAgent | -| pubsub.googleapis.com | pubsub | roles/pubsub.serviceAgent | -| sqladmin.googleapis.com | sqladmin | roles/cloudsql.serviceAgent | +| pubsub.googleapis.com | pubsub | roles/pubsub.serviceAgent | +| sqladmin.googleapis.com | sqladmin | roles/cloudsql.serviceAgent | ## Shared VPC 
diff --git a/modules/project/service-agents.yaml b/modules/project/service-agents.yaml index c7da1c80..66c95a46 100644 --- a/modules/project/service-agents.yaml +++ b/modules/project/service-agents.yaml @@ -146,7 +146,7 @@ service_agent: "service-%s@dataflow-service-producer-prod.iam.gserviceaccount.com" - name: "dataform" service_agent: "service-%s@gcp-sa-dataform.iam.gserviceaccount.com" - jit: true + jit: true # roles/dataform.serviceAgent - name: "datafusion" service_agent: "service-%s@gcp-sa-datafusion.iam.gserviceaccount.com" - name: "datalabeling"
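Review bot: The comment added after `jit: true` on the `dataform` entry names a role but not what is done with it, so someone auditing this file for least privilege cannot tell whether `roles/dataform.serviceAgent` is bound automatically or is a grant they still have to make. The commit subject suggests it is granted automatically, while the README table this commit edits is introduced as roles "that you need to grant", so the two places read differently. If the subject is accurate, say so in the comment, for example `jit: true # roles/dataform.serviceAgent is granted automatically to this agent`. The role is recorded only in this comment and in the README row, so the two have to be kept in step by hand.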