
Issue 873713

Issue metadata

Status: Fixed
Owner:
Closed: Aug 14
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug




Milo cannot use service accounts

Project Member Reported by athilenius@chromium.org, Aug 13

Issue description

Components: -Infra>Client>ChromeOS Infra>Client>ChromeOS>CI
Owner: dgarr...@chromium.org
Don, it looks like you're in the OWNERS file.
Note that Milo's auth is only set up to authorize at the project level:

https://github.com/luci/luci-go/blob/master/milo/common/acl.go#L49

So, while adding this service account to the top-level project access list would presumably work, it isn't ideal from an access control perspective since it would give the service account broad rights.
> #3
Correct. Using buildbucket v2 will resolve the problem. It checks only ACLs specified in cr-buildbucket.cfg.

--

Don, consider adding
  
  access: "the-em-drive@appspot.gserviceaccount.com"

to

https://chrome-internal.googlesource.com/chromeos/manifest-internal/+/0e5d594f284d332bcb2d36080981ae4e690d613e/project.cfg#


That's a ChromeOS repository, so the OWNERS file is not enforced in any way.
Owner: ----
Status: Available (was: Assigned)
I can add it to the top level project, but is that an acceptable solution? Or are we agreeing that 'it will do for now' until we are 100% on Swarming and the CI API can take over?

Buildbucket V2 does not support Steps for Buildbot, so cannot be used as of today for things like CQ. Hence why I need to get Milo data :)
Project access is used in two places:
1) luci-config uses it to decide whether a requester is allowed to read configs of a particular project, or see the project's existence
2) Milo checks project access as the first step in all requests where a project is available (/p/* URLs), and then it checks more fine-grained ACLs (buildbucket)

I think adding the service account to project ACLs is acceptable. Buildbucket ACLs are more sensitive than the project ACL.
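
Added example, not part of the thread and not luci-go code: a simplified Go model of the two uses of project access listed in the comment above, showing what the proposed `access` entry changes for the service account and what it leaves to the bucket ACL. The type and function names, the `chromeos` project key, the bucket names and the assumption that the account is already a reader of one bucket are all constructed for illustration.

```go
package main

import "fmt"

// Simplified model of the two checks described in the thread. All type,
// function and bucket names are hypothetical; this is not luci-go code.
type set map[string]bool

type ACLs struct {
	ProjectAccess map[string]set // project -> identities in project.cfg "access"
	BucketReaders map[string]set // bucket -> identities allowed by cr-buildbucket.cfg
}

// CanReadConfig models use (1): luci-config exposes a project's configs
// (and its existence) to any identity with project access.
func (a ACLs) CanReadConfig(project, id string) bool {
	return a.ProjectAccess[project][id]
}

// CanViewBuild models use (2): the project gate runs first, then the
// finer-grained bucket ACL. Both must pass.
func (a ACLs) CanViewBuild(project, bucket, id string) (bool, string) {
	if !a.ProjectAccess[project][id] {
		return false, "denied at project gate"
	}
	if !a.BucketReaders[bucket][id] {
		return false, "denied by bucket ACL"
	}
	return true, "allowed"
}

const svc = "the-em-drive@appspot.gserviceaccount.com"

// Constructed sample data: the account is assumed to be a reader of "ci" only.
func sampleACLs() ACLs {
	return ACLs{
		ProjectAccess: map[string]set{"chromeos": {}},
		BucketReaders: map[string]set{"ci": {svc: true}, "release": {}},
	}
}

func main() {
	a := sampleACLs()
	fmt.Println(a.CanViewBuild("chromeos", "ci", svc)) // before the change
	a.ProjectAccess["chromeos"][svc] = true // the proposed access entry
	fmt.Println(a.CanViewBuild("chromeos", "ci", svc))
	fmt.Println(a.CanViewBuild("chromeos", "release", svc))
	fmt.Println(a.CanReadConfig("chromeos", svc)) // the right that was broadened
}
```

In this model the only right the project entry adds on its own is config visibility; build access still depends on the bucket ACL.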


Owner: la...@chromium.org
Status: Assigned (was: Available)
OK I'll do this.
Status: Fixed (was: Assigned)
This worked, took a long time to propagate though. Thank you!
