From 65d2b4cca49310cf2340892ca66a98c9af3b3a32 Mon Sep 17 00:00:00 2001
From: Aaron Crickenberger
Date: Fri, 10 Sep 2021 13:15:25 -0700
Subject: [PATCH] bash/main: fix cherrypick secret iam
---
 infra/gcp/bash/ensure-main-project.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/infra/gcp/bash/ensure-main-project.sh b/infra/gcp/bash/ensure-main-project.sh
index 174a410ee45..6dbbcb95d00 100755
--- a/infra/gcp/bash/ensure-main-project.sh
+++ b/infra/gcp/bash/ensure-main-project.sh
@@ -409,12 +409,14 @@ function ensure_prow_special_cases {
 color 6 "Special case: ensuring k8s-infra-ci-robot-github-token accessible by k8s-infra-prow-build-trusted"
 principal="serviceAccount:$(svc_acct_email "k8s-infra-prow-build-trusted" "kubernetes-external-secrets")"
 secret=$(secret_full_name "${project}" "k8s-infra-ci-robot-github-token")
+ ensure_secret_role_binding "${secret}" "${principal}" "roles/secretmanager.viewer" 2>&1 | indent
 ensure_secret_role_binding "${secret}" "${principal}" "roles/secretmanager.secretAccessor" 2>&1 | indent
 # TODO: remove when cherrypicker is running solely on k8s-infra-prow.k8s.io
 color 6 "Special case: ensuring k8s-infra-cherrypicker-github-token accessible by k8s-prow"
- principal="kubernetes-external-secrets-sa@k8s-prow.iam.gserviceaccount.com"
+ principal="serviceAccount:kubernetes-external-secrets-sa@k8s-prow.iam.gserviceaccount.com"
 secret=$(secret_full_name "${project}" "k8s-infra-cherrypick-robot-github-token")
+ ensure_secret_role_binding "${secret}" "${principal}" "roles/secretmanager.viewer" 2>&1 | indent
 ensure_secret_role_binding "${secret}" "${principal}" "roles/secretmanager.secretAccessor" 2>&1 | indent
 }
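Review bot: The two added `roles/secretmanager.viewer` bindings widen what each external-secrets service account can do on these GitHub token secrets, and nothing in the hunk records why `roles/secretmanager.secretAccessor` alone was not enough. A one-line comment above each new call would keep the grant reviewable, for example `# viewer is required because <reason>; secretAccessor alone fails with <observed error>`. The second block grants to a service account in the k8s-prow project and is marked TODO for removal. If `ensure_secret_role_binding` only adds bindings, as its name suggests, deleting these lines later will not revoke either role, so the TODO should say that both bindings have to be removed explicitly. The body of `ensure_prow_special_cases` starts outside the hunk, so whether a failed binding aborts the script through the `| indent` pipeline cannot be confirmed from here.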