...
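# Config Connector StorageBucket that holds the edge Argo logs.
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: edge-argo-logs
  annotations:
    # merge: fields left unset here are filled into spec from the live
    # bucket state, so the in-cluster object can show more than this file.
    cnrm.cloud.google.com/state-into-spec: merge
spec:
  lifecycleRule:
    # Retention: objects are deleted once they are 60 days old, whether
    # they are live or noncurrent versions (withState: ANY).
    - action:
        type: Delete
      condition:
        age: 60
        withState: ANY
  location: us-east1
  # Object ACLs are disabled; access is decided by bucket-level IAM only,
  # i.e. by the IAMPolicyMember bindings that reference this bucket.
  # NOTE(review): spec.publicAccessPrevention is not set in this manifest;
  # confirm an organization policy enforces it, or set it to "enforced".
  uniformBucketLevelAccess: true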
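---
# Binds the edge-test service account to roles/storage.admin on the
# edge-argo-logs bucket (a resource-level binding, not a project-wide one).
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: edge-test-logs-bucket-admin
spec:
  # Quoted so the templated value always parses as a single string.
  member: 'serviceAccount:edge-test@${gcp_project_id}.iam.gserviceaccount.com'
  resourceRef:
    name: edge-argo-logs
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
  # Scoping to one bucket confines the grant to this bucket, but
  # roles/storage.admin still includes storage.buckets.setIamPolicy,
  # storage.buckets.update and storage.buckets.delete: this identity can
  # change who has access to the logs, alter the lifecycle rules, and
  # delete the bucket and its objects.
  # NOTE(review): if the workload only reads and writes log objects,
  # roles/storage.objectAdmin (or objectCreator plus objectViewer) is the
  # narrower grant -- confirm what the workload calls before changing it.
  role: roles/storage.admin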
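---
# Binds the edge-test service account to read-only object access
# (roles/storage.objectViewer) on the edge-argo-logs bucket.
# NOTE(review): this file also grants the same member roles/storage.admin
# on the same bucket, which already covers object get/list. This binding
# only changes effective access once that admin grant is narrowed.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: edge-test-logs-viewer
spec:
  # Quoted so the templated value always parses as a single string.
  member: 'serviceAccount:edge-test@${gcp_project_id}.iam.gserviceaccount.com'
  resourceRef:
    name: edge-argo-logs
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
  role: roles/storage.objectViewer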
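---
# Binds the argo-server service account to read-only object access
# (roles/storage.objectViewer) on the edge-argo-logs bucket.
# NOTE(review): this file also grants the same member roles/storage.admin
# on the same bucket, which already covers object get/list. If argo-server
# only needs to read logs, this binding alone is the least-privilege grant.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: argo-server-logs-viewer
spec:
  # Quoted so the templated value always parses as a single string.
  member: 'serviceAccount:argo-server@${gcp_project_id}.iam.gserviceaccount.com'
  resourceRef:
    name: edge-argo-logs
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
  role: roles/storage.objectViewer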
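---
# Binds the argo-server service account to roles/storage.admin on the
# edge-argo-logs bucket (a resource-level binding, not a project-wide one).
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: argo-server-logs-bucket-admin
spec:
  # Quoted so the templated value always parses as a single string.
  member: 'serviceAccount:argo-server@${gcp_project_id}.iam.gserviceaccount.com'
  resourceRef:
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
    # NOTE(review): the other bindings in this file reference the bucket
    # with `name` (the in-cluster StorageBucket object); this one uses
    # `external` (the bucket name in GCP). Confirm the difference is
    # intentional.
    external: edge-argo-logs
  # Scoping to one bucket confines the grant to this bucket, but
  # roles/storage.admin still includes storage.buckets.setIamPolicy,
  # storage.buckets.update and storage.buckets.delete: this identity can
  # change who has access to the logs, alter the lifecycle rules, and
  # delete the bucket and its objects.
  # NOTE(review): if argo-server only reads log objects, the objectViewer
  # binding on this bucket is enough and this grant can be dropped --
  # confirm what the server calls before changing it.
  role: roles/storage.admin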