From f3d33e022f5fef7ac6b37f9d27a33f7388349f79 Mon Sep 17 00:00:00 2001
From: David Pierce
Date: Mon, 29 Jun 2026 17:42:07 -0400
Subject: [PATCH] Update setup_workload_identity.sh

shift IAM Grant from project level to service account level

Signed-off-by: David Pierce
---
 scripts/setup_workload_identity.sh | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/scripts/setup_workload_identity.sh b/scripts/setup_workload_identity.sh
index 813c941eb..a060814de 100755
--- a/scripts/setup_workload_identity.sh
+++ b/scripts/setup_workload_identity.sh
@@ -347,13 +347,13 @@ gcloud projects add-iam-policy-binding "${GOOGLE_CLOUD_PROJECT}" \
   --member="serviceAccount:${SERVICE_ACCOUNT_EMAIL}" \
   --condition=None
 
-# Allow the service account to generate an access tokens
-print_info "Granting 'Service Account Token Creator' role to Service Account..."
+# Allow the service account to generate an access tokens (self-impersonation only)
+print_info "Granting 'Service Account Token Creator' role to Service Account (self-impersonation)..."
 
-gcloud projects add-iam-policy-binding "${GOOGLE_CLOUD_PROJECT}" \
+gcloud iam service-accounts add-iam-policy-binding "${SERVICE_ACCOUNT_EMAIL}" \
+  --project="${GOOGLE_CLOUD_PROJECT}" \
   --role="roles/iam.serviceAccountTokenCreator" \
-  --member="serviceAccount:${SERVICE_ACCOUNT_EMAIL}" \
-  --condition=None
+  --member="serviceAccount:${SERVICE_ACCOUNT_EMAIL}"
 
 # Grant logging permissions to the service account
 print_info "Granting 'Logging Writer' role to Service Account..."
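Review bot: The new `gcloud iam service-accounts add-iam-policy-binding` call drops the `--condition=None` that the replaced project-level call carried and that the preceding binding at the top of the hunk still passes; when the target IAM policy already holds conditional bindings, gcloud prompts for a condition, which stalls or fails a non-interactive setup script. Keep the flag by changing the last line to `  --member="serviceAccount:${SERVICE_ACCOUNT_EMAIL}" \` followed by `  --condition=None`, matching the binding above. Scoping the Token Creator grant to the service account's own policy rather than the whole project is the right least-privilege move; the project-level binding that opens the hunk (its role is outside the visible lines) is worth reviewing in the same spirit. While touching the comment, `an access tokens` should read `an access token`.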