How do you make cloud build project history publicly readable? - google-cloud-build

I have google cloud build set up, and I'd like a way to make the builds publicly visible, to use in an open source project, a bit like how TravisCI and CircleCI offer - see an example below:
https://travis-ci.org/wagtail/Willow/pull_requests
Is this possible?
Can you make it possible to inspect a build to a non-signed in user?

A solution could be to use Google Identity and Access Management to grant the Cloud Build Viewer role to allUsers. However, this cannot be done at the moment.
The idea is to give the cloudbuild.builds.get and cloudbuild.builds.list permissions to everyone on the internet, which would allow them to call those Cloud Build API methods that require these permissions. You can grant roles to Google Accounts or Groups, Service accounts or G Suite domains, but not to everyone.
You can find detailed instructions to grant roles through the GCP console in the Cloud Build documentation.

Related

Connecting to firebase admin sdk using service account key

I am using Cloud Run Continuous Deployment to watch a github repo & build the project upon a push to the production branch. Instead of specifying a Dockerfile, I am letting Google Cloud Buildpacks do all the work, since my codebase is written in Node.js.
I haven't yet been able to run a functional deployment due to the service account running into some permissions errors, but once I get past those, I am wondering how I would be able to initialize the firebase admin SDK inside the build. In my dev code, I have a service account JSON file and initialize the admin SDK using that file, but I don't know if this is possible in the cloud build. If I can't upload private files to the cloud build, am I able to use the service account that creates the build to initialize the admin sdk? Is there another way to initialize the admin app in the build, such as using env variables? For reference, I am only using the admin sdk to read and write to our firestore database.

SCP: How to get role collection (CF) and roles (NEO) through the api

I'm working with the SAP cloud platform with Neo and Cloud Foundry Applications/Organizations on it. Currently I have the task to get all role collections from the cloud foundry applications and all the roles (or better called groups) from Neo.
Currently I can access the CF SCP API through the v3 cloud controller and get for example all roles from the cloud foundry applications.
The two problems I'm facing are that:
I don't know how to get the role collections, because I couldn't find anything in the documentation (I can get the roles but they do not link with the role collection because I think role collections are a SAP thing and not a CF thing).
I don't know how to access the NEO-API (I never worked with NEO) and I don't know how to get roles/groups from it
Does anybody know how I can do these things and has documentation for me so I can read a little further?

cloud spanner IAM permission denied

When using the CLI gcloud commands, I can do every action on my database. Yet when I try to do the same thing from Go (from the same shell instance as I did when using the gcloud commands) I get an error with the message:
spanner: code = "PermissionDenied", desc = "Resource projects/todo/instances/todospanner/databases/tododb is missing IAM permission: spanner.sessions.create."
The code I am trying to run is taken from the example found here: https://cloud.google.com/spanner/docs/getting-started/go/
I can't find that permission (spanner.session.create) in the spanner permissions either. I've been playing around with setting all permissions I could find related to spanner, on the account which I've used to log in with gcloud.
My GOOGLE_APPLICATION_CREDENTIALS are set and I've also tried with gcloud beta auth.
Cloud Spanner IAM roles including the permission spanner.session.create are listed and described here: https://cloud.google.com/spanner/docs/iam#roles
Note how some of the roles are specific to a Person while others are Machine-specific (or Service Account specific).
You need to specify where you are connecting from or executing the code (Cloud Shell instance, VM running on GCE, on-prem machine or laptop) and to ensure that the correct roles are assigned to the Person or Service Account which is attempting to execute the code and access the Cloud Spanner instance.
Consider this scenario:
your gcloud SDK may be well credentialed with person@domain.com account which has granted roles/spanner.admin role, so everything works fine for gcloud
the VM hosting your code and SDK is running as 12345678901-compute@developer.gserviceaccount.com Service Account and that one has no access to Cloud Spanner whatsoever, causing troubles.
More information on Service Accounts here:
https://cloud.google.com/compute/docs/access/service-accounts
Probably you didn't add access to your database tododb for the account in the file pointed to by GOOGLE_APPLICATION_CREDENTIALS. Use, for example, the Cloud Spanner Database User role for this account in Google Console.
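An added example, not code from the original posts: a Go check for the mismatch both answers describe, resolving which principal a GOOGLE_APPLICATION_CREDENTIALS key file represents and whether an IAM policy binds it to a predefined role containing spanner.sessions.create. The key file, the policy JSON and the `app@todo` service account are constructed samples, and the function names are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Predefined Cloud Spanner roles that include spanner.sessions.create.
var sessionRoles = map[string]bool{"roles/spanner.admin": true, "roles/spanner.databaseAdmin": true,
	"roles/spanner.databaseUser": true, "roles/spanner.databaseReader": true}

// Constructed samples: a key file as GOOGLE_APPLICATION_CREDENTIALS points to, and a database IAM policy.
const sampleKey = `{"type":"service_account","client_email":"app@todo.iam.gserviceaccount.com"}`
const samplePolicy = `{"bindings":[{"role":"roles/spanner.admin","members":["user:person@domain.com"]},
 {"role":"roles/spanner.viewer","members":["serviceAccount:app@todo.iam.gserviceaccount.com"]}]}`

// adcMember returns the IAM member that code loading this key file runs as.
func adcMember(key []byte) (string, error) {
	var c struct{ Type string; Email string `json:"client_email"` }
	if err := json.Unmarshal(key, &c); err != nil || c.Type != "service_account" || c.Email == "" {
		return "", fmt.Errorf("no service account identity (type %q, parse error: %v)", c.Type, err)
	}
	return "serviceAccount:" + c.Email, nil
}

// sessionRolesFor lists roles that bind member and carry spanner.sessions.create (empty = PermissionDenied).
func sessionRolesFor(policy []byte, member string) ([]string, error) {
	var p struct {
		Bindings []struct{ Role string; Members []string }
	}
	if err := json.Unmarshal(policy, &p); err != nil {
		return nil, err
	}
	var roles []string
	for _, b := range p.Bindings {
		for _, m := range b.Members {
			if m == member && sessionRoles[b.Role] {
				roles = append(roles, b.Role)
			}
		}
	}
	return roles, nil
}

func main() {
	member, err := adcMember([]byte(sampleKey))
	roles, _ := sessionRolesFor([]byte(samplePolicy), member)
	fmt.Println(member, "session-granting roles:", roles, err)
}
```

Bindings on the instance and project are inherited by the database, and custom roles can also carry the permission, so run the same check against each level's policy before concluding that access is missing.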

Azure continuous deployment from different VSTS account

I'm trying to set up continuous deployment via the Azure Portal.
When doing this via the VSTS account (let's call it "VSTS Account A") which is owned by the same account owner as Azure, everything works fine.
In this case I'm trying to configure continuous deployment from source code held in another VSTS account (let's go with Account B).
The Azure account owner is not the Account B owner but is an admin (member of Organization Administrators) for Account B. The owner is also listed explicitly as a member of at least one project within Account B.
The problem is that when it comes to configuring "Deployment source" within the app service section, Account B is not listed as an option to choose from.
I've followed various links (e.g. part 4 of this page) about linking the VSTS account with an Azure account but still no joy. There are a couple of problems here:
The Azure classic portal has a New button within the Visual Studio Team Services section but when I choose Link To Existing, I get the following message:
Make sure you’re the account owner. If you are, maybe your account is
linked to another Azure subscription or connected to another Azure
Active Directory
Account B is not linked to another Azure Subscription or Azure AD.
The new portal doesn't even have an option to attempt to link a different account, plus the menu link says "Team Services Account Preview" so whether the Preview status has something to do with it, I don't know.
I'd have thought this would be a relatively common use case, has anyone had any joy setting up something similar?
I was finally able to choose the relevant account by making the VSTS principal a co-admin in the Azure account which contains the web app, signing in as that user and changing the directory to use from the user dropdown menu (top-right). Note, the user account in question is already an administrator for a different Azure account, just to complicate matters further. I only had the option to change the directory once the user was a member of multiple directories.
So I finally got it configured and committing code to the specified branch was triggering a deploy. However, it transpires that setting up continuous deployment from within Azure gives you limited scope and I got constant errors which were not straightforward to fix.
I ended up getting it working properly by following these instructions:
Build: https://www.visualstudio.com/en-us/docs/build/apps/aspnet/ci/build-aspnet-4
Deploy: https://www.visualstudio.com/en-us/docs/build/apps/cd/deploy-webdeploy-webapps
Configuring it all from within VSO gives you a lot more clarity about what's actually happening.
When doing the initial setup, I had to go through an authentication step with the Azure account I was trying to deploy to and that process launches a pop-up window which was getting blocked so I missed it at first.
The initial build and deploy were fine but I was getting a build error when being triggered from a code commit. This is because the Build Definition --> Variables --> BuildConfiguration value was set back to Release even though I set it to the correct value for my project when doing the initial configuration. Once I updated that, the next commit triggered the build which in turn created the artifact which in turn triggered the deploy which went through fine.
Googler from the future here, I had the same problem and came across a really good article called "DevOps: Connecting VSTS to Azure by Ken Muse"
This worked like a charm for me from the first try!

Running SQL queries through web interface on Heroku

I'm having trouble finding a web interface in Heroku to write SQL queries that can be created by app collaborators. I want to be able to query from a computer that doesn't have the heroku toolbelt installed as a collaborator.
Currently, I've been using the dataclips feature to do such a task, however it only allows the query to be modified by the app owner.
I'm not sure if I'm just misunderstanding how Heroku Dataclips works or just can't find a feature that allows collaborators to do such a task?
Collaborators in your application can also modify dataclips. However data clips are intended to be a 'data clip' and not a webUI onto your database. Giving anyone the ability to update your application/data requires them to be a collaborator. Heroku provides no other security role than that.
