...
# Cloud Storage bucket declared through Config Connector.
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: edge-test-jobs
spec:
  location: us-east1
  # Disables per-object ACLs, so access is governed by IAM alone: the
  # bucket-level bindings in this file plus anything inherited from the
  # project.
  # NOTE(review): Config Connector also exposes uniformBucketLevelAccess as
  # the current name for this setting, and publicAccessPrevention to refuse
  # allUsers / allAuthenticatedUsers bindings. Confirm whether either should
  # be set here, since a principal in this file holds roles/storage.admin on
  # the bucket and can therefore edit its IAM policy.
  bucketPolicyOnly: true
---
# Bucket-level IAM binding: the GitHub Actions runner service account gets
# roles/storage.admin on the edge-test-jobs bucket.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  # ${cluster_hash} is filled in by templating before this manifest is applied.
  name: 'edge-jobs-${cluster_hash}-ci-publish'
spec:
  # because we are scoping this to a specific bucket, this role is safe to give
  # NOTE(review): bucket scope keeps the grant off every other bucket, but
  # roles/storage.admin still lets the member rewrite this bucket's IAM policy
  # and delete the bucket. Any workflow able to run as this service account
  # inherits that. If the job only publishes objects, roles/storage.objectAdmin
  # or roles/storage.objectCreator is the narrower grant; confirm what the CI
  # job actually needs.
  role: roles/storage.admin
  member: 'serviceAccount:github-actions-runner@ret-edge-pltf-infra.iam.gserviceaccount.com'
  resourceRef:
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
    name: edge-test-jobs
---
# Second bucket-level binding for the GitHub Actions runner service account
# on edge-test-jobs.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  # ${cluster_hash} is filled in by templating before this manifest is applied.
  name: 'edge-jobs-${cluster_hash}-runner-writer'
spec:
  # NOTE(review): member, role and resourceRef match the "-ci-publish"
  # IAMPolicyMember in this file exactly, so this resource grants nothing new.
  # Two resources managing one binding may also interfere with each other
  # when either is deleted (verify). The "runner-writer" name suggests a
  # write-only role was intended; roles/storage.admin additionally allows
  # IAM-policy changes on the bucket and bucket deletion.
  role: roles/storage.admin
  member: 'serviceAccount:github-actions-runner@ret-edge-pltf-infra.iam.gserviceaccount.com'
  resourceRef:
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
    name: edge-test-jobs
---
# Bucket-level IAM binding: read access to objects in edge-test-jobs for the
# ncr.com domain.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  # ${cluster_hash} is filled in by templating before this manifest is applied.
  name: 'ncr-${cluster_hash}-read-edge-jobs'
spec:
  # NOTE(review): a domain: member covers every account in that domain, so
  # anything written to this bucket (CI output included) can be listed and
  # read domain-wide. Confirm job artifacts never carry tokens or
  # credentials, and consider a group: member if only some teams need access.
  role: roles/storage.objectViewer
  member: 'domain:ncr.com'
  resourceRef:
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
    name: edge-test-jobs