forked from mweisel/gcp-gns3server
-
Notifications
You must be signed in to change notification settings - Fork 0
/
gcp_service_account_create.yml
62 lines (54 loc) · 1.92 KB
/
gcp_service_account_create.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
---
- name: create gcp service account and key file
hosts: localhost
gather_facts: no
vars_files:
- vars.yml
tasks:
- name: create directory for service account key file
file:
path: "{{ gcp_cred_file_dir }}"
mode: 0700
state: directory
- name: check for service account
command: >
gcloud iam service-accounts describe
{{ gcp_svc_acct_id }}@{{ gcp_project_id }}.iam.gserviceaccount.com
--project {{ gcp_project_id }}
ignore_errors: yes
changed_when: no
register: svc_acct
- name: create service account
command: >
gcloud iam service-accounts create {{ gcp_svc_acct_id }}
--display-name 'Ansible service account'
--project {{ gcp_project_id }}
when: svc_acct.rc != 0
- name: check for service account key file
stat:
path: "{{ gcp_cred_file_dir }}/{{ gcp_cred_file }}"
register: key_file
- name: create service account key file
command: >
gcloud iam service-accounts keys create
{{ gcp_cred_file_dir }}/{{ gcp_cred_file }}
--iam-account
{{ gcp_svc_acct_id }}@{{ gcp_project_id }}.iam.gserviceaccount.com
--project {{ gcp_project_id }}
when: not key_file.stat.exists
- name: check for role attached to service account
command: >
gcloud projects get-iam-policy {{ gcp_project_id }}
--flatten="bindings[].members"
--filter="bindings.members:serviceAccount:
{{ gcp_svc_acct_id }}@{{ gcp_project_id }}.iam.gserviceaccount.com"
--format=text
changed_when: no
register: iam_policy
- name: add role to service account
command: >
gcloud projects add-iam-policy-binding {{ gcp_project_id }}
--member serviceAccount:{{ gcp_svc_acct_id }}@{{ gcp_project_id }}.iam.gserviceaccount.com
--role roles/{{ gcp_role }}
when: gcp_role not in iam_policy.stdout
...