fix: Use service account impersonation in command line calls to cloud…

… build (#197)

* Use service account impersonation in command line calls to cloud build

* add iam.serviceAccountTokenCreator role to the cloud build service account on the terraform SA

build/int.cloudbuild.yaml

@@ -22,6 +22,7 @@ steps:
   - 'TF_VAR_org_id=$_ORG_ID'
   - 'TF_VAR_folder_id=$_FOLDER_ID'
   - 'TF_VAR_billing_account=$_BILLING_ACCOUNT'
+  - 'TF_VAR_build_project_number=$PROJECT_NUMBER'
 
 - id: ensure-access-policy
   waitFor:

examples/tutorial-standalone/README.md

@@ -198,13 +198,14 @@ The following APIs must be enabled in the project where the service account was
 
 - Access Context Manager API: `accesscontextmanager.googleapis.com`
 - App Engine Admin API: `appengine.googleapis.com`
-- Cloud Billing API:`cloudbilling.googleapis.com`
-- Cloud Key Management Service (KMS) API:`cloudkms.googleapis.com`
+- Cloud Billing API: `cloudbilling.googleapis.com`
+- Cloud Build API: `cloudbuild.googleapis.com`
+- Cloud Key Management Service (KMS) API: `cloudkms.googleapis.com`
 - Cloud Pub/Sub API: `pubsub.googleapis.com`
-- Cloud Resource Manager API:`cloudresourcemanager.googleapis.com`
-- Compute Engine API:`compute.googleapis.com`
-- Dataflow API:`dataflow.googleapis.com`
-- Identity and Access Management (IAM) API:`iam.googleapis.com`
+- Cloud Resource Manager API: `cloudresourcemanager.googleapis.com`
+- Compute Engine API: `compute.googleapis.com`
+- Dataflow API: `dataflow.googleapis.com`
+- Identity and Access Management (IAM) API: `iam.googleapis.com`
 - BigQuery API: `bigquery.googleapis.com`
 
 You can run the gcloud command to enable these APIs in the service account project
@@ -217,6 +218,7 @@ accesscontextmanager.googleapis.com \
 appengine.googleapis.com \
 bigquery.googleapis.com \
 cloudbilling.googleapis.com \
+cloudbuild.googleapis.com \
 cloudkms.googleapis.com \
 pubsub.googleapis.com \
 cloudresourcemanager.googleapis.com \

test/setup/main.tf

@@ -88,6 +88,12 @@ resource "google_service_account" "int_ci_service_account" {
   display_name = "ci-account"
 }
 
+resource "google_service_account_iam_member" "cloud_build_iam" {
+  service_account_id = google_service_account.int_ci_service_account.name
+  role               = "roles/iam.serviceAccountTokenCreator"
+  member             = "serviceAccount:${var.build_project_number}@cloudbuild.gserviceaccount.com"
+}
+
 resource "google_organization_iam_member" "org_admins_group" {
   for_each = toset(local.int_org_required_roles)
   org_id   = var.org_id

test/setup/template-project/main.tf

@@ -108,6 +108,7 @@ resource "null_resource" "java_de_identification_flex_template" {
        --project=${local.project_id} \
        --config ${local.templates_path}/java/regional_dlp_de_identification/cloudbuild.yaml \
        ${local.templates_path}/java/regional_dlp_de_identification \
+       --impersonate-service-account=${var.service_account_email} \
        --substitutions="_PROJECT=${local.project_id},_FLEX_TEMPLATE_IMAGE_TAG=${local.java_de_identify_flex_template_image_tag},_TEMPLATE_GS_PATH=${local.java_de_identify_template_gs_path}"
 EOF
 
@@ -134,6 +135,7 @@ resource "null_resource" "java_re_identification_flex_template" {
        --project=${local.project_id} \
        --config ${local.templates_path}/java/regional_dlp_re_identification/cloudbuild.yaml \
        ${local.templates_path}/java/regional_dlp_re_identification \
+       --impersonate-service-account=${var.service_account_email} \
        --substitutions="_PROJECT=${local.project_id},_FLEX_TEMPLATE_IMAGE_TAG=${local.java_re_identify_flex_template_image_tag},_TEMPLATE_GS_PATH=${local.java_re_identify_template_gs_path}"
 EOF
 
@@ -160,6 +162,7 @@ resource "null_resource" "python_de_identification_flex_template" {
        --project=${local.project_id} \
        --config ${local.templates_path}/python/regional_dlp_de_identification/cloudbuild.yaml \
        ${local.templates_path}/python/regional_dlp_de_identification \
+       --impersonate-service-account=${var.service_account_email} \
        --substitutions="_PROJECT=${local.project_id},_FLEX_TEMPLATE_IMAGE_TAG=${local.python_de_identify_flex_template_image_tag},_PIP_INDEX_URL=${local.pip_index_url},_TEMPLATE_GS_PATH=${local.python_de_identify_template_gs_path}"
 EOF
 
@@ -186,6 +189,7 @@ resource "null_resource" "python_re_identification_flex_template" {
        --project=${local.project_id} \
        --config ${local.templates_path}/python/regional_dlp_re_identification/cloudbuild.yaml \
        ${local.templates_path}/python/regional_dlp_re_identification \
+       --impersonate-service-account=${var.service_account_email} \
        --substitutions="_PROJECT=${local.project_id},_FLEX_TEMPLATE_IMAGE_TAG=${local.python_re_identify_flex_template_image_tag},_PIP_INDEX_URL=${local.pip_index_url},_TEMPLATE_GS_PATH=${local.python_re_identify_template_gs_path}"
 EOF
 
@@ -211,6 +215,7 @@ resource "null_resource" "upload_modules" {
      gcloud builds submit --project=${local.project_id} \
      --config ${local.templates_path}/python/modules/cloudbuild.yaml \
      ${local.templates_path}/python/modules \
+     --impersonate-service-account=${var.service_account_email} \
      --substitutions=_REPOSITORY_ID=${local.python_repository_id},_DEFAULT_REGION=${local.location}
 EOF
 

test/setup/variables.tf

@@ -25,3 +25,7 @@ variable "folder_id" {
 variable "billing_account" {
   description = "The billing account id associated with the project, e.g. XXXXXX-YYYYYY-ZZZZZZ"
 }
+
+variable "build_project_number" {
+  description = "The project number of the build project"
+}