Add required permission to service account

jerop · leehagoodjames · jerop · commit 6002b5c57b0c · 2025-08-01T19:11:09.000-04:00
Given that we're using service account, which is required to get
OAuth tokens needed for Code Assist, we have switched from
"Direct Workload Identity Federation" to "Workload Identity Federation through a Service Account".

For this reason, we need to add the right permissions to the
service account.

In future work, we'll remove the direct permissions in WIF.

Co-authored-by: Lee Hagood James  &lt;leehagoodjames@google.com&gt;
diff --git a/scripts/setup_workload_identity.sh b/scripts/setup_workload_identity.sh
@@ -316,11 +316,40 @@ gcloud projects add-iam-policy-binding "${GOOGLE_CLOUD_PROJECT}" \
 
 # Allow the service account to generate an access tokens
 print_info "Granting 'Service Account Token Creator' role to Service Account..."
+
 gcloud projects add-iam-policy-binding "${GOOGLE_CLOUD_PROJECT}" \
     --role="roles/iam.serviceAccountTokenCreator" \
     --member="serviceAccount:${SERVICE_ACCOUNT_EMAIL}" \
     --condition=None
 
+# Grant logging permissions to the service account
+print_info "Granting 'Logging Writer' role to Service Account..."
+gcloud projects add-iam-policy-binding "${GOOGLE_CLOUD_PROJECT}" \
+    --role="roles/logging.logWriter" \
+    --member="serviceAccount:${SERVICE_ACCOUNT_EMAIL}" \
+    --condition=None
+
+# Grant monitoring permissions to the service account
+print_info "Granting 'Monitoring Editor' role to Service Account..."
+gcloud projects add-iam-policy-binding "${GOOGLE_CLOUD_PROJECT}" \
+    --role="roles/monitoring.editor" \
+    --member="serviceAccount:${SERVICE_ACCOUNT_EMAIL}" \
+    --condition=None
+
+# Grant tracing permissions to the service account
+print_info "Granting 'Cloud Trace Agent' role to Service Account..."
+gcloud projects add-iam-policy-binding "${GOOGLE_CLOUD_PROJECT}" \
+    --role="roles/cloudtrace.agent" \
+    --member="serviceAccount:${SERVICE_ACCOUNT_EMAIL}" \
+    --condition=None
+
+# Grant Vertex AI permissions to the service account
+print_info "Granting 'Vertex AI User' role to Service Account..."
+gcloud projects add-iam-policy-binding "${GOOGLE_CLOUD_PROJECT}" \
+    --role="roles/aiplatform.user" \
+    --member="serviceAccount:${SERVICE_ACCOUNT_EMAIL}" \
+    --condition=None
+
 # Allow the Workload Identity Pool to impersonate the Service Account
 print_info "Allowing GitHub Actions from '${GITHUB_REPO}' to impersonate the Service Account..."
 gcloud iam service-accounts add-iam-policy-binding "${SERVICE_ACCOUNT_EMAIL}" \
