#220 - service account permissions

GoogleCloudPlatform · Dec 21, 2022 · 9b572a5 · 9b572a5
1 parent 1cc1e32
commit 9b572a5
Showing 1 changed file with 29 additions and 2 deletions.
diff --git a/solutions/document-processing/gcloud/deployment.sh b/solutions/document-processing/gcloud/deployment.sh
@@ -34,7 +34,7 @@ EOF
 
 # set for michael@cloudshell:~/dev/pdt-oldev/obriensystems/pubsec-declarative-toolkit/solutions/landing-zone (kcc-lz-8597)$ ./deployment.sh -b pdt-oldev -u pdtoldev -c false -l true -d false -p kcc-lz-8597
 
-# for eash of override - key/value pairs for constants - shared by all scripts
+# for ease of override - key/value pairs for constants - shared by all scripts
 source ./vars.sh
 
 
@@ -120,8 +120,35 @@ gcloud projects add-iam-policy-binding $CC_PROJECT_ID  --member=user:$USER_EMAIL
 gcloud projects add-iam-policy-binding $CC_PROJECT_ID  --member=user:$USER_EMAIL --role=roles/ml.admin --quiet > /dev/null 1>&1
 gcloud projects add-iam-policy-binding $CC_PROJECT_ID  --member=user:$USER_EMAIL --role=roles/aiplatform.admin --quiet > /dev/null 1>&1
 gcloud projects add-iam-policy-binding $CC_PROJECT_ID  --member=user:$USER_EMAIL --role=roles/billing.projectManager --quiet > /dev/null 1>&1
+# for SA impersonation
 gcloud projects add-iam-policy-binding $CC_PROJECT_ID  --member=user:$USER_EMAIL --role=roles/iam.serviceAccountTokenCreator --quiet > /dev/null 1>&1
 
+# Service Account permissions - switch from member=user to serviceAccount
+# https://gcp.permissions.cloud/predefinedroles
+# AutoML Editor
+gcloud projects add-iam-policy-binding $CC_PROJECT_ID  --member=user:$USER_EMAIL --role=roles/automl.editor --quiet > /dev/null 1>&1
+
+# BigQuery Data Editor
+gcloud projects add-iam-policy-binding $CC_PROJECT_ID  --member=user:$USER_EMAIL --role=roles/bigquery.dataEditor --quiet > /dev/null 1>&1
+
+# BigQuery Job User
+gcloud projects add-iam-policy-binding $CC_PROJECT_ID  --member=user:$USER_EMAIL --role=roles/bigquery.dataEditor --quiet > /dev/null 1>&1
+
+# BigQuery User
+gcloud projects add-iam-policy-binding $CC_PROJECT_ID  --member=user:$USER_EMAIL --role=bigquery.user --quiet > /dev/null 1>&1
+
+# Document AI Administrator
+gcloud projects add-iam-policy-binding $CC_PROJECT_ID  --member=user:$USER_EMAIL --role=roles/documentai.admin --quiet > /dev/null 1>&1
+
+# Document AI Editor (not required)
+gcloud projects add-iam-policy-binding $CC_PROJECT_ID  --member=user:$USER_EMAIL --role=roles/documentai.editor --quiet > /dev/null 1>&1
+
+# Storage Admin
+gcloud projects add-iam-policy-binding $CC_PROJECT_ID  --member=user:$USER_EMAIL --role=roles/storage.admin --quiet > /dev/null 1>&1
+
+# Vertex AI Custom Code Service Agent
+
+
 
   # enable apis
   echo "API's before"
@@ -399,4 +426,4 @@ if [[ -z $UNIQUE ]]; then
 fi
 
 deployment $BOOT_PROJECT_ID $UNIQUE $CREATE_KCC $DEPLOY_LZ $DELETE_KCC $USER_EMAIL $KCC_PROJECT_ID
-printf "**** Done ****\n"
+printf "**** Done ****\n"