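---
# Log bucket for the edge Argo workflows and the IAM bindings that let the
# edge-test and argo-server service accounts use it. These are Config
# Connector (cnrm) resources; ${gcp_project_id} is substituted before apply
# (the templating step is not part of this file).
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: edge-argo-logs
  annotations:
    cnrm.cloud.google.com/state-into-spec: merge
spec:
  # Objects are deleted 60 days after creation, whatever their state
  # (withState: ANY covers live and non-current versions).
  lifecycleRule:
    - action:
        type: Delete
      condition:
        age: 60
        withState: ANY
  location: us-east1
  # Uniform access: per-object ACLs are disabled, so the bucket-level IAM
  # bindings below are the only source of access to the log objects.
  uniformBucketLevelAccess: true
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: edge-test-logs-bucket-admin
spec:
  member: "serviceAccount:edge-test@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
    name: edge-argo-logs
  # Scoped to this one bucket, so the grant is bucket-wide rather than
  # project-wide. It is still full control of the log data: storage.admin on a
  # bucket includes deleting the bucket, overwriting or deleting existing log
  # objects, and changing the bucket's IAM policy (storage.buckets.setIamPolicy),
  # i.e. the holder can re-grant access to others. If this account only needs
  # to write logs, roles/storage.objectCreator is the narrower choice, and a
  # retentionPolicy on the bucket would keep logs from being altered once
  # written.
  role: roles/storage.admin
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: edge-test-logs-viewer
spec:
  member: "serviceAccount:edge-test@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
    name: edge-argo-logs
  # Read access to objects. This is already implied by the storage.admin
  # binding above for the same member; it is kept so the binding set is
  # unchanged, and only becomes meaningful if the admin binding is narrowed.
  role: roles/storage.objectViewer
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: argo-server-logs-viewer
spec:
  member: "serviceAccount:argo-server@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
    name: edge-argo-logs
  # Read access to objects; implied by the storage.admin binding below for the
  # same member (see the note there).
  role: roles/storage.objectViewer
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: argo-server-logs-bucket-admin
spec:
  member: "serviceAccount:argo-server@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
    # References the bucket by its Config Connector resource name like the
    # other three bindings (previously `external: edge-argo-logs`), so the
    # reference resolves against the managed StorageBucket above rather than
    # being treated as an externally-created bucket.
    name: edge-argo-logs
  # Same caveat as for edge-test above: bucket-scoped, but still full control
  # of the bucket, its objects and its IAM policy. The argo server only reads
  # logs via the viewer binding above unless it also needs to manage the
  # bucket; confirm it actually needs admin.
  role: roles/storage.admin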