
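{# Deployment Manager template for the TeamCity service account.
   BASE_NAME is properties['baseName'] truncated so that, together with the
   '-account' suffix, the accountId stays within the 30-character limit
   for service account IDs (the filter binds before the subtraction, so the
   slice keeps 30 - len(SUFFIX) characters). #}
{% set SUFFIX = '-account' %}
{% set BASE_NAME = properties['baseName'][:30-SUFFIX|length] + SUFFIX %}

resources:
  # Templated scalars are quoted so a numeric-looking or empty baseName
  # cannot be retyped by the YAML parser.
  - name: "{{ BASE_NAME }}"
    type: iam.v1.serviceAccount
    properties:
      accountId: "{{ BASE_NAME }}"
      displayName: TeamCity service account

  # Read the current project policy on every create/update so the patch
  # below is applied against a fresh copy of it.
  - name: get-iam-policy-to-set-roles
    action: gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.getIamPolicy
    metadata:
      dependsOn:
        - "{{ BASE_NAME }}"
      runtimePolicy:
        - UPDATE_ALWAYS
    properties:
      resource: "{{ env['project'] }}"

  # Grant the project-level roles to the new account. This action runs only
  # on CREATE, so roles removed from this list later are not revoked by an
  # update of the deployment.
  # NOTE(review): roles/owner is granted here and removed again by
  # delete-account-role below, after the software waiter completes. If the
  # deployment fails between the two actions the owner binding persists and
  # has to be removed manually.
  # NOTE(review): roles/iam.serviceAccountTokenCreator bound at project
  # scope applies to every service account in the project; binding it on
  # the specific target account(s) would be narrower.
  - name: set-account-roles
    action: gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy
    metadata:
      runtimePolicy:
        - CREATE
    properties:
      resource: "{{ env['project'] }}"
      policy: $(ref.get-iam-policy-to-set-roles)
      gcpIamPolicyPatch:
        add:
          - role: "roles/cloudsql.client"
            members:
              - serviceAccount:$(ref.{{ BASE_NAME }}.email)
          - role: "roles/viewer"
            members:
              - serviceAccount:$(ref.{{ BASE_NAME }}.email)
          - role: "roles/compute.instanceAdmin.v1"
            members:
              - serviceAccount:$(ref.{{ BASE_NAME }}.email)
          - role: "roles/storage.objectAdmin"
            members:
              - serviceAccount:$(ref.{{ BASE_NAME }}.email)
          - role: "roles/iam.serviceAccountTokenCreator"
            members:
              - serviceAccount:$(ref.{{ BASE_NAME }}.email)
          - role: "roles/owner"
            members:
              - serviceAccount:$(ref.{{ BASE_NAME }}.email)

  # Re-read the policy once the software waiter (defined elsewhere in the
  # deployment) has finished, so the removal below sees the current state.
  - name: get-iam-policy-to-delete-role
    action: gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.getIamPolicy
    metadata:
      dependsOn:
        - "{{ properties['baseName'] }}-waiter-software"
      runtimePolicy:
        - UPDATE_ALWAYS
    properties:
      resource: "{{ env['project'] }}"

  # Revoke the temporary owner binding. Runs only on CREATE, so it does not
  # re-check the binding on later updates of the deployment.
  - name: delete-account-role
    action: gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy
    metadata:
      runtimePolicy:
        - CREATE
    properties:
      resource: "{{ env['project'] }}"
      policy: $(ref.get-iam-policy-to-delete-role)
      gcpIamPolicyPatch:
        remove:
          - role: "roles/owner"
            members:
              - serviceAccount:$(ref.{{ BASE_NAME }}.email)

outputs:
  # Email of the created service account, for use by other templates.
  - name: email
    value: $(ref.{{ BASE_NAME }}.email)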