main.star: permit makemac to list security bots
It needs read-only access to list bots in chrome-swarming, so it
can know whether to launch or renew or destroy MacService leases.

For golang/go#67073.

Change-Id: Ida562721f4931b2309508e01b320605343fe90e9
Reviewed-on: https://go-review.googlesource.com/c/build/+/582558
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
dmitshur authored and gopherbot committed May 1, 2024
1 parent a1b760d commit 4d6c7ca
Showing 2 changed files with 11 additions and 0 deletions.
4 changes: 4 additions & 0 deletions generated/realms.cfg
@@ -268,6 +268,7 @@ realms {
role: "role/swarming.poolViewer"
principals: "group:mdb/golang-release-eng-policy"
principals: "group:mdb/golang-security-policy"
principals: "user:makemac@symbolic-datum-552.iam.gserviceaccount.com"
}
bindings {
role: "role/swarming.taskServiceAccount"
@@ -299,6 +300,7 @@ realms {
role: "role/swarming.poolViewer"
principals: "group:mdb/golang-release-eng-policy"
principals: "group:mdb/golang-security-policy"
principals: "user:makemac@symbolic-datum-552.iam.gserviceaccount.com"
}
bindings {
role: "role/swarming.taskServiceAccount"
@@ -438,6 +440,7 @@ realms {
role: "role/swarming.poolViewer"
principals: "group:mdb/golang-release-eng-policy"
principals: "group:mdb/golang-security-policy"
principals: "user:makemac@symbolic-datum-552.iam.gserviceaccount.com"
}
bindings {
role: "role/swarming.taskServiceAccount"
@@ -473,6 +476,7 @@ realms {
role: "role/swarming.poolViewer"
principals: "group:mdb/golang-release-eng-policy"
principals: "group:mdb/golang-security-policy"
principals: "user:makemac@symbolic-datum-552.iam.gserviceaccount.com"
}
bindings {
role: "role/swarming.taskServiceAccount"
7 changes: 7 additions & 0 deletions main.star
@@ -162,6 +162,13 @@ luci.binding(
groups = ["mdb/golang-security-policy", "mdb/golang-release-eng-policy"],
)

# Allow x/build/cmd/makemac to list security bots.
luci.binding(
roles = "role/swarming.poolViewer",
realm = SECURITY_REALMS,
users = "makemac@symbolic-datum-552.iam.gserviceaccount.com",
)

# Allow users with the taskTriggerer role to impersonate the service accounts.
luci.binding(
roles = "role/swarming.taskServiceAccount",
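Review bot: The comment above the new `luci.binding` names the grantee but records neither that the grant is read-only nor why makemac needs visibility into the security realms, which a later access review of this file will want to see without digging up the commit message. I would expand it to `# Allow x/build/cmd/makemac read-only access to list security bots, so it can decide whether to launch, renew or destroy MacService leases (golang/go#67073).` The binding applies to every realm in `SECURITY_REALMS`, whose definition is outside this hunk; the generated/realms.cfg section shows the principal landing in four `role/swarming.poolViewer` bindings. If makemac only manages leases for some of those realms, narrowing `realm` to that subset would keep the service account closer to least privilege.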
