Add IAM permissions for Cloud Build service agent and use custom service account in E2E tests

aabmass · aabmass · commit 82069cf5db78 · 2026-04-30T21:01:29.000Z
diff --git a/cloudbuild-e2e-cloud-functions-gen2.yaml b/cloudbuild-e2e-cloud-functions-gen2.yaml
@@ -75,3 +75,4 @@ substitutions:
 
 options:
   pubsubTopic: projects/opentelemetry-ops-e2e/topics/e2e-cleanup
+serviceAccount: projects/opentelemetry-ops-e2e/serviceAccounts/e2e-cloudbuild-runner@opentelemetry-ops-e2e.iam.gserviceaccount.com
diff --git a/cloudbuild-e2e-cloud-run.yaml b/cloudbuild-e2e-cloud-run.yaml
@@ -51,3 +51,4 @@ substitutions:
 
 options:
   pubsubTopic: projects/opentelemetry-ops-e2e/topics/e2e-cleanup
+serviceAccount: projects/opentelemetry-ops-e2e/serviceAccounts/e2e-cloudbuild-runner@opentelemetry-ops-e2e.iam.gserviceaccount.com
diff --git a/cloudbuild-e2e-gae-standard.yaml b/cloudbuild-e2e-gae-standard.yaml
@@ -74,3 +74,4 @@ substitutions:
 
 options:
   pubsubTopic: projects/opentelemetry-ops-e2e/topics/e2e-cleanup
+serviceAccount: projects/opentelemetry-ops-e2e/serviceAccounts/e2e-cloudbuild-runner@opentelemetry-ops-e2e.iam.gserviceaccount.com
diff --git a/cloudbuild-e2e-gae.yaml b/cloudbuild-e2e-gae.yaml
@@ -52,3 +52,4 @@ substitutions:
 
 options:
   pubsubTopic: projects/opentelemetry-ops-e2e/topics/e2e-cleanup
+serviceAccount: projects/opentelemetry-ops-e2e/serviceAccounts/e2e-cloudbuild-runner@opentelemetry-ops-e2e.iam.gserviceaccount.com
diff --git a/cloudbuild-e2e-gce.yaml b/cloudbuild-e2e-gce.yaml
@@ -51,3 +51,4 @@ substitutions:
 
 options:
   pubsubTopic: projects/opentelemetry-ops-e2e/topics/e2e-cleanup
+serviceAccount: projects/opentelemetry-ops-e2e/serviceAccounts/e2e-cloudbuild-runner@opentelemetry-ops-e2e.iam.gserviceaccount.com
diff --git a/cloudbuild-e2e-gke.yaml b/cloudbuild-e2e-gke.yaml
@@ -51,3 +51,4 @@ substitutions:
 
 options:
   pubsubTopic: projects/opentelemetry-ops-e2e/topics/e2e-cleanup
+serviceAccount: projects/opentelemetry-ops-e2e/serviceAccounts/e2e-cloudbuild-runner@opentelemetry-ops-e2e.iam.gserviceaccount.com
diff --git a/tf/persistent/repo-ci-triggers.tf b/tf/persistent/repo-ci-triggers.tf
@@ -53,7 +53,8 @@ resource "google_cloudbuild_trigger" "global_cleanup" {
     topic = google_pubsub_topic.e2e_cleanup.id
   }
 
-  filter = "(_BUILD_TAGS.contains(\"terraform-resources\") || _BUILD_TAGS.contains(\"ops-e2e-testing\")) && (_BUILD_STATUS == \"SUCCESS\" || _BUILD_STATUS == \"FAILURE\")"
+  # TODO: Add tag filter back once triggers are updated with tags in latchkey
+  filter = "_BUILD_STATUS == \"SUCCESS\" || _BUILD_STATUS == \"FAILURE\""
 
   git_file_source {
     path       = "cloudbuild-cleanup.yaml"
@@ -70,3 +71,5 @@ resource "google_cloudbuild_trigger" "global_cleanup" {
     _BUILD_STATUS      = "$(body.message.data.status)"
   }
 }
+
+# TODO: add to internal permission tooling (latchkey)

Original file line number	Diff line number	Diff line change
`@@ -75,3 +75,4 @@ substitutions:`
`75`	`75`
`76`	`76`	`options:`
`77`	`77`	`pubsubTopic: projects/opentelemetry-ops-e2e/topics/e2e-cleanup`
	`78`	`+serviceAccount: projects/opentelemetry-ops-e2e/serviceAccounts/e2e-cloudbuild-runner@opentelemetry-ops-e2e.iam.gserviceaccount.com`
Original file line number	Diff line number	Diff line change
`@@ -51,3 +51,4 @@ substitutions:`
`51`	`51`
`52`	`52`	`options:`
`53`	`53`	`pubsubTopic: projects/opentelemetry-ops-e2e/topics/e2e-cleanup`
	`54`	`+serviceAccount: projects/opentelemetry-ops-e2e/serviceAccounts/e2e-cloudbuild-runner@opentelemetry-ops-e2e.iam.gserviceaccount.com`
Original file line number	Diff line number	Diff line change
`@@ -74,3 +74,4 @@ substitutions:`
`74`	`74`
`75`	`75`	`options:`
`76`	`76`	`pubsubTopic: projects/opentelemetry-ops-e2e/topics/e2e-cleanup`
	`77`	`+serviceAccount: projects/opentelemetry-ops-e2e/serviceAccounts/e2e-cloudbuild-runner@opentelemetry-ops-e2e.iam.gserviceaccount.com`
Original file line number	Diff line number	Diff line change
`@@ -52,3 +52,4 @@ substitutions:`
`52`	`52`
`53`	`53`	`options:`
`54`	`54`	`pubsubTopic: projects/opentelemetry-ops-e2e/topics/e2e-cleanup`
	`55`	`+serviceAccount: projects/opentelemetry-ops-e2e/serviceAccounts/e2e-cloudbuild-runner@opentelemetry-ops-e2e.iam.gserviceaccount.com`
Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,8 @@ resource "google_cloudbuild_trigger" "global_cleanup" {`
`53`	`53`	`topic = google_pubsub_topic.e2e_cleanup.id`
`54`	`54`	`}`
`55`	`55`
`56`		`- filter = "(_BUILD_TAGS.contains(\"terraform-resources\") \|\| _BUILD_TAGS.contains(\"ops-e2e-testing\")) && (_BUILD_STATUS == \"SUCCESS\" \|\| _BUILD_STATUS == \"FAILURE\")"`
	`56`	`+ # TODO: Add tag filter back once triggers are updated with tags in latchkey`
	`57`	`+ filter = "_BUILD_STATUS == \"SUCCESS\" \|\| _BUILD_STATUS == \"FAILURE\""`
`57`	`58`
`58`	`59`	`git_file_source {`
`59`	`60`	`path = "cloudbuild-cleanup.yaml"`
`@@ -70,3 +71,5 @@ resource "google_cloudbuild_trigger" "global_cleanup" {`
`70`	`71`	`_BUILD_STATUS = "$(body.message.data.status)"`
`71`	`72`	`}`
`72`	`73`	`}`
	`74`	`+`
	`75`	`+# TODO: add to internal permission tooling (latchkey)`