mantle/platform/api/gcloud: attach service account to instances

In order to test authenticated GCS fetches from instances, we need to attach some service account with GCS read access to each instance. Use the project's default service account unless the command line specifies otherwise. Note that this requires kola's service account to have Service Account User permission for the instance service account. Otherwise, the GCP SDK will fail with a helpful error message.
coreos · May 16, 2022 · 0b3b301 · 0b3b301
1 parent 5a809d6
commit 0b3b301
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 0 deletions.
diff --git a/mantle/cmd/kola/options.go b/mantle/cmd/kola/options.go
@@ -113,6 +113,7 @@ func init() {
 	sv(&kola.GCEOptions.MachineType, "gce-machinetype", "n1-standard-1", "GCE machine type")
 	sv(&kola.GCEOptions.DiskType, "gce-disktype", "pd-ssd", "GCE disk type")
 	sv(&kola.GCEOptions.Network, "gce-network", "default", "GCE network")
+	sv(&kola.GCEOptions.ServiceAcct, "gce-service-account", "", "GCE service account to attach to instance (default project default)")
 	bv(&kola.GCEOptions.ServiceAuth, "gce-service-auth", false, "for non-interactive auth when running within GCE")
 	sv(&kola.GCEOptions.JSONKeyFile, "gce-json-key", "", "use a service account's JSON key for authentication (default \"~/"+auth.GCEConfigPath+"\")")
 

diff --git a/mantle/platform/api/gcloud/api.go b/mantle/platform/api/gcloud/api.go
@@ -39,6 +39,7 @@ type Options struct {
 	MachineType string
 	DiskType    string
 	Network     string
+	ServiceAcct string
 	JSONKeyFile string
 	ServiceAuth bool
 	*platform.Options
@@ -81,6 +82,14 @@ func New(opts *Options) (*API, error) {
 		return nil, err
 	}
 
+	if opts.ServiceAcct == "" {
+		proj, err := computeService.Projects.Get(opts.Project).Do()
+		if err != nil {
+			return nil, err
+		}
+		opts.ServiceAcct = proj.DefaultServiceAccount
+	}
+
 	api := &API{
 		client:  client,
 		compute: computeService,

diff --git a/mantle/platform/api/gcloud/compute.go b/mantle/platform/api/gcloud/compute.go
@@ -94,6 +94,13 @@ func (a *API) mkinstance(userdata, name string, keys []*agent.Key) *compute.Inst
 				Network: instancePrefix + "/global/networks/" + a.options.Network,
 			},
 		},
+		// allow the instance to perform authenticated GCS fetches
+		ServiceAccounts: []*compute.ServiceAccount{
+			&compute.ServiceAccount{
+				Email:  a.options.ServiceAcct,
+				Scopes: []string{"https://www.googleapis.com/auth/devstorage.read_only"},
+			},
+		},
 	}
 	// add cloud config
 	if userdata != "" {