Update function deploy to add necessary Genkit monitoring permissions when deploying Genkit function #8636
Conversation
github-project-automation
bot
moved this to Approved [PR]
in [Cloud] Extensions + Functions
bryanatkinson
force-pushed
the
ba-genkit-function-permissions
branch
2 times, most recently
from
cd747d4 to
df10513
Compare
There was a problem hiding this comment.
-
We only do IAM stuff on new function creation because it requires an OWNER permission rather than an editor permission and we want large teams to be able to have finer grained ACLs
-
I'm concerned that this is granting the binding to the default compute service account, rather than the accounts that the actual functions run as (which defaults to the compute SA but is not guaranteed to be so).
For 2, it's not clear that this is technically correct. @taeold do you know why obtainDefaultComputeServiceAgentBindings is here? Is this part of the bug/feature request that we don't allow configuring Eventarc to use custom service accounts yet?
I would consider a new dedicated function that
- Finds all new endpoints that are Genkit callable endpoints
- Finds the set of service accounts they run as (defaulting to the default compute SA)
- Adds those role bindings for the SA to the project.
github-project-automation
bot
moved this from Approved [PR]
to Changes Requested [PR]
in [Cloud] Extensions + Functions
I have updated to move this into a separate function called in the prepare step, and to find all service accounts for new Genkit endpoints only. Let me know if this doesn't match what you were thinking. |
| expect(getIamStub).to.have.been.calledWith(projectNumber); | ||
| expect(setIamStub).to.have.been.calledOnce; | ||
| }); | ||
| it("should not update policy if it already has necessary bindings", async () => { |
src/deploy/functions/checkIam.ts
Outdated
| const wantEndpoints = backend.allEndpoints(want).filter(isGenkitEndpoint); | ||
| const haveEndpoints = backend.allEndpoints(have).filter(isGenkitEndpoint); | ||
| const newEndpoints = wantEndpoints.filter( | ||
| (wantE) => !haveEndpoints.find((haveE) => haveE.id === wantE.id), |
There was a problem hiding this comment.
Technically you should compare the region too. There's a helper here:
wantEndopints.filter(backend.missingEndpoint(haveEndpoints))
There was a problem hiding this comment.
Nice! Updated.
src/deploy/functions/checkIam.ts
Outdated
| return; | ||
| } | ||
|
|
||
| const defaultComputeServiceAgent = await gce.getDefaultServiceAccount(projectNumber); |
There was a problem hiding this comment.
It'd be ideal to only calculate this if necessary. I'm not sure what this code would do on a project that has disabled the default SA.
There was a problem hiding this comment.
Updated to only make this call if the default is needed.
src/deploy/functions/checkIam.ts
Outdated
| @@ -215,8 +288,8 @@ export async function ensureServiceAgentRoles( | |||
| iam.printManualIamConfig(requiredBindings, projectId, "functions"); | |||
| utils.logLabeledBullet( | |||
| "functions", | |||
| "Could not verify the necessary IAM configuration for the following newly-integrated services: " + | |||
| `${newServices.map((service) => service.api).join(", ")}` + | |||
| "Could not verify the necessary IAM configuration for the following newly-integrated services or endpoints: " + | |||
There was a problem hiding this comment.
endpoints is an internal term because we were experimenting with code that would eventually become App Hosting. It is meaningless to users.
There was a problem hiding this comment.
Reverted this back to just say "services"
github-project-automation
bot
moved this from Changes Requested [PR]
to Approved [PR]
in [Cloud] Extensions + Functions
bryanatkinson
force-pushed
the
ba-genkit-function-permissions
branch
from
27729cb to
ebe05b7
Compare
…d use convenience method to filter down to new endpoints
bryanatkinson
force-pushed
the
ba-genkit-function-permissions
branch
from
ebe05b7 to
5f567a9
Compare
github-project-automation
bot
moved this from Approved [PR]
to Done
in [Cloud] Extensions + Functions
Description
Genkit Monitoring requires that the service account running the Genkit code has permission to write metrics, traces and logs. This change adds those permissions to the default service account when deploying as a Firebase Function.
Scenarios Tested